[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [win-pv-devel] Windows 2008 boot problems with signed pv drivers 8.2





On 06/27/2017 12:14 PM, Paul Durrant wrote:
-----Original Message-----
From: win-pv-devel [mailto:win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On
Behalf Of Peter Milesson
Sent: 26 June 2017 20:10
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Subject: [win-pv-devel] Windows 2008 boot problems with signed pv drivers
8.2

Hi folks,

I had to install a DomU Windows 2008 server x64 SP2, to replace parts of
the functionality of a physical server that suddenly died. I know it's
old stuff, but this is needed in the meantime, until I get new servers.

After installing all the Windows updates (around 230), I downloaded and
installed the signed Windows PV drivers ver. 8.2, starting with xenbus,
and following up with xenif, xenvbd, xenvif, and xennet. After reboot of
the DomU, Windows Boot Manager window popped up after a while, saying:

Windows failed to start. A recent hardware or software change blah,
blah, blah...

In the lower part of the screen it says:

File: \Windows\system32\DRIVERS\xenbus.sys

Status: 0xc0000428

Info: Windows cannot verify the digital signature for this file.

Pressing Enter and booting with advanced options, I choose Disable
Driver Signature Enforcement, and the OS boots normally.

I've tried to use the common tricks for unsigned, or test signed
drivers, but that has got no effect whatsoever. I use the same signed
drivers successfully with Windows 7, and Windows 10.

Anybody got an idea, how I can get it to boot without manual
intervention each time?
Peter,

Unfortunately this is because Windows Server 2008 does not support anything 
other than SHA-1 code signing, and the 8.2 drivers are SHA-256 signed. (There 
are various web pages with information about this... 
https://www.globalsign.com/en/blog/microsoft-announces-updates-sha-1-code-signing-policy/
 seems like a good example).
To work around the problem you could try enabling test-signing... that should 
stop windows requiring a chain of trust for boot-start drivers without you 
needing to manually intervene on each boot.

   Cheers,

     Paul
Thanks for your explanation Paul.

I'll try to install the test signed drivers instead, and run it in test signed mode. It will bridge the gap until I get new hardware in a month.

I wish you a nice day,

Peter


Best regards,

Peter



_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel


_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.