|
WHQL and Digital Signature
considerations
Revision 1.2 – 2ndh July 2008 |
|||||||||
|
|
|||||||||
Short for Windows Hardware Quality Labs, WHQL is a Microsoft facility that tests and certifies third-party hardware and driver products for compatibility with Windows operating systems. Products that meet the compatibility requirements are then allowed to display Windows logos on product packaging, advertising and collateral and other marketing materials, indicating that the product has met the standards of Microsoft and that the product has been designed to work with the Windows operating systems. Once a product has received the WHQL logo it is listed on the Microsoft Hardware Compatibility List. This subject is covered in full at the Microsoft WHQL web site.
Drivers cannot pass the WHQL tests in isolation; they have to be submitted with suitable hardware. It is our understanding that digital signatures are only available for PnP devices. USB devices by their very nature are PnP compatible. The other devices mainly supported by UPDD are serial and very few of these devices are PnP. Serial PnP device specification is described in the Serial PnP specification document. It is our understanding that you cannot get approval if the submitted software supports a non-PnP device.
A driver that passes the tests is allocated a ‘digital signature’ and as such is considered ‘signed’. Drivers that have not been submitted for testing or have failed the tests are considered ‘unsigned’. Depending on the Driver Signing setting in the Hardware Tab of the system applet in the Control Panel, unsigned drivers can be blocked, approved (most common setting) or ignored.
This setting will result in the following dialog being shown when the hardware, handled by the unsigned driver, is used for the first time:
The Microsoft Winlogo web site has further information on the Windows Default system policy for unsigned drivers. Given that the UPDD driver supports 100’s of pointer devices, mostly unsigned, then most UPDD driver run ‘unsigned’. Signed drivers can only be utilised with hardware used in the signing process.
In most cases installing an unsigned driver is acceptable and many Windows drivers are unsigned. Given that UPDD has been signed it is proven to be a driver of good quality. However, in some cases it is required to supply signed drivers, especially for use on complete systems that need all components to be Microsoft approved so that the complete system can carry the ‘Designed for Windows’ logo.
Signing procedure
In very basic terms the WHQL hardware compatibility tests are downloaded and installed and are run against a driver and controller combination. The tests have to be undertaken on a system that has passed WHQL and will not cause any conflicts during testing. Tests are performed for both 32 and 64 bit drivers.
The tests generate logs which are processed and are submitted for review and approval. They can only be submitted by companies that have obtained a VeriSign Class 3 code-signing ID. Once approved a .cat file, containing the digital signature, is returned for distribution with the driver and controller combination.
Thereafter, the operating system performs signature detection whenever
an INF file is referenced to install hardware from a device class that is
subject to signature detection: that is, during any Plug and Play operation,
when the user runs the Add New Hardware wizard in the Control Panel, and so on.
The system always installs the driver that is the closest match for the
hardware, whether or not that driver is signed; however, given drivers of equal
rank, the system installs the signed driver rather than the unsigned driver.
During driver installation, Windows compares the hashes contained in
the driver's CAT file with the computed hash of the driver binaries to
determine whether the binaries have changed since the CAT file was created. If
a driver fails the signature check or there is no CAT file the driver is
considered unsigned. Given this, once signed, no changes can be made to any
binaries used in the signing process. For this reason most companies that offer
signed drivers also offer the unsigned drivers with the latest development.
Further information about the signing procedure can be found on the web and a good place to start is the WHQL Getting Started web page.
Given the level of knowledge required to undertake the signing procedure many companies use a third party WHQL services company to undertake this work.
Signing service
Starting with UPDD 4.1.4 we now offer an in-house facility to sign UPDD with a specific controller. As part of our production system we will maintain the digital signature files associated with each signed controller and UPDD build. This will allow us to offer signed drivers where available for specific controllers and yet continue further UPDD development.
The new UPDD 4.1.x design has minimized the code used in kernel mode (the signed element of the driver) allowing us to add further functionality and maintain the UPDD utility programs outside of the signing process. We are hopeful that very few, if any, changes will be made to the kernel element thus maintaining the signed certification across new driver releases.
UPDD Signed controller combinations
The following table lists the signed UPDD driver and controller combinations:
|
Date |
Controller |
PNP identification (how to
identify) |
|
|
|
|
Vendor id |
Product id |
|
9th July 08 |
eGalax and derivatives |
EFF |
1 |
Costs
The cost of this
service is GBP 1500.00. This covers 2
days to process the tests against a supplied controller and GBP500 paid to
Microsoft as part of the WHQL acceptance process and digital signature
generation. Controller specific tests are also run as part of the WHQL
procedure and any failures with the pointer device hardware will prohibit the
allocation of a digital signature.
Before
requesting a UPDD digital signature the hardware must pass all Microsoft
hardware compatibility tests. If a failure occurs due to a compatibility error
then we will provide a report on the nature of the error and will perform 1
retest free of charge, so long as the retest is within one week of the original
test.
We
can perform a compatibility testing service for GBP 1000, in which we will run
tests on a single platform (usually Windows Vista 32 bit) and provide results
as many times as required in a 2 week period. In this case, assuming the final
test run is successful this can be used for a WHQL submission and submission
cost will be GBP 1000.
It
is important to note that the signature is for a specific kernel driver version
and in the event that a later kernel driver version is required then a new
digital signature will be required. The same charges will apply.
Contact
For further information or technical assistance please email the technical support team at technical@touch-base.com