[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [win-pv-devel] [Xen-devel] Windows PV drivers and Windows 10 / Windows Server 2016



> -----Original Message-----
> From: win-pv-devel [mailto:win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On
> Behalf Of Steven Haigh
> Sent: 13 December 2017 06:06
> To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>
> Cc: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [win-pv-devel] [Xen-devel] Windows PV drivers and Windows
> 10 / Windows Server 2016
> 
> On Wednesday, 13 December 2017 2:20:54 AM AEDT Paul Durrant wrote:
> > > -----Original Message-----
> > > From: Steven Haigh [mailto:netwiz@xxxxxxxxx]
> > > Sent: 12 December 2017 15:12
> > > To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>
> > > Cc: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
> > > Subject: Re: [Xen-devel] Windows PV drivers and Windows 10 / Windows
> > > Server 2016
> > >
> > > On Wednesday, 13 December 2017 2:05:43 AM AEDT Paul Durrant wrote:
> > >
> > > > Moving xen-devel to bcc and addressing win-pv-devel list...
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx]
> On
> > >
> > > Behalf
> > >
> > > > > Of Steven Haigh
> > > > > Sent: 12 December 2017 11:33
> > > > > To: xen-devel@xxxxxxxxxxxxx
> > > > > Subject: [Xen-devel] Windows PV drivers and Windows 10 / Windows
> > >
> > > Server
> > >
> > > > > 2016
> > > > >
> > > > >
> > > > >
> > > > > Hi all,
> > > > >
> > > > >
> > > > >
> > > > > Re the Windows PV drivers - I've tried v8.2.0 on Windows 10, and it
> > > > > required
> > >
> > >  me to put Windows into TEST MODE to still load the drivers.
> > >
> > > > > Bringing it out of test mode results in the Xen PV drivers being
> > > > > uninstalled.
> > > > >
> > > > >
> > > > >
> > > > > I now have to create a Windows Server 2016 DomU and I'm
> wondering if
> > > > > there is
> > > > > any way without living in TEST MODE for the rest of its life to
> > > > > install
> > > > > the PV
> > >
> > >  drivers?
> > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > That is strange. The 8.2.0 drivers are release signed with an EV token
> > > > that
>  should mean they deploy on Windows 10 without the need for
> > > > testsigning mode. It's possible Microsoft have changed something in
> > > > recent Windows 10... which version of Windows 10 are you using? (Also
> I
> > > > assume you downloaded drivers from
> > > > https://xenbits.xen.org/pvdrivers/win/8.2.0/). I just double checked
> > > > xenbus.sys and xenbus.cat and they are certainly both signed with the
> > > > correct certificate (Linux Foundation SHA256) and properly
> > > > time-stamped. Could you verify those files in your copy of the tarball?>
> > >
> > > Thanks Paul,
> > >
> > > I did actually just try installing the drivers on Windows Server 2016 -
> > > and
>  was surprised that they installed without an issue.
> > >
> > > I did get the 8.2.0 drivers when we were trying Windows 10 - however
> work
> > > has
> > > requested I replace the Win10 VM with WS2016....
> > >
> >
> >
> > Did you somehow manage to get a copy of the drivers before they were
> release
> > signed? The tarballs *should* be dated 28th Feb 2017.
> 
> >
> > > The install was from an ISO "Win10_1703_English_x64.iso" - and then
> > > upgraded
> > > to the latest release via Windows Update.
> > >
> >
> >
> > Ok. I've certainly let VMs go through that cycle and have not seen a
> > problem.
> 
> >
> > > I turned on TEST SIGNING mode, rebooted Windows, installed the 8.2.0
> > > drivers,
> > > turned off TEST SIGNING mode and rebooted. Windows 10 then said it
> was
> > > recovering from a problem and once it was completed, the PV drivers
> were
> > > nowhere to be found.
> > >
> >
> >
> > Maybe Windows cleans up any driver installed whilst testsigning was on,
> even
> > if the driver was signed? Anyway, if the drivers are properly signed then
> > they should install cleanly without using testsigning mode. If you get some
> > sort of warning at that stage then the log in setupapi.dev.log (in
> > c:\windows\inf) can sometimes be enlightening as to the reason.
> 
> At this point in time, I'm almost willing to put it down to Windows 10 being
> Windows.
> 
> As I mentioned, things worked perfectly on Windows Server 2016 - no
> untrusted
> driver installation prompts or other issues. I did get the red UNTRUSTED
> DRIVER bit on Windows 10 - and install failed the first time around until in
> the test signing mode. Maybe a certain update level needs to be reached
> before
> it likes the PV signed drivers?

I wonder if some certificate in the Linux Foundation's chain of trust expired. 
I recall similar things happening with Citrix's code signing certificate on 
Windows 7 because some Verisign cross-signing cert had expired. IIRC there was 
a patch issued via Windows Update which fixed the issue but it meant that folks 
ran into problems unless they fully Windows-Updated *before* trying to install 
drivers.

One option might be to use the drivers from XenServer as these are logo-signed 
and I'd hope that Microsoft are careful enough not to allow their own signing 
certs not to expire!

Cheers,

  Paul

> 
> Now Windows Server 2016 is stuck at installing a Windows Defender update -
> which I think is also just Windows being Windows :\
> 
> --
> Steven Haigh
> 
> 📧 netwiz@xxxxxxxxx       💻 http://www.crc.id.au
> 📞 +61 (3) 9001 6090    📱 0412 935 897
_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/win-pv-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.