Diffstat (limited to 'src/VBox/HostDrivers/Support/win')
-rw-r--r--src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h5
-rw-r--r--src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp12
-rw-r--r--src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp4
-rw-r--r--src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp58
4 files changed, 54 insertions, 25 deletions
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
index 0f953e38..a14ee4a7 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
@@ -151,8 +151,9 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 p
# define SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT RT_BIT(2)
/** Whether to allow image verification by catalog file. */
# define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION RT_BIT(3)
-/** The file owner must be TrustedInstaller on Vista+. */
-# define SUPHNTVI_F_TRUSTED_INSTALLER_OWNER RT_BIT(4)
+/** The file owner must be TrustedInstaller, Builtin\\Administrators
+ * (S-1-5-32-544) or local system (S-1-5-21) on Vista+. */
+# define SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER RT_BIT(4)
/** Ignore the image architecture (otherwise it must match the verification
* code). Used with resource images and such. */
# define SUPHNTVI_F_IGNORE_ARCHITECTURE RT_BIT(30)
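Review bot: The new comment on the renamed flag identifies "local system" as S-1-5-21, but S-1-5-21-… is the prefix of machine/domain account SIDs, whereas the LocalSystem account is S-1-5-18; a maintainer checking an owner against this comment would be misled. The helper supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar that performs the actual check is outside this hunk, so the comment should be aligned with whatever SID that helper compares against; assuming it is LocalSystem, the line should read ` * (S-1-5-32-544) or LocalSystem (S-1-5-18) on Vista+. */`. It is also worth a sentence noting that accepting Builtin\\Administrators as owner widens the trust boundary relative to TrustedInstaller-only, since an elevated process can take ownership of a file, so callers understand what the relaxed flag now permits.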
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
index 747d975e..c05d0210 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
@@ -807,7 +807,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
pwsz = pwszName + cwcOther + 1;
/* Must be owned by trusted installer. (This test is superfuous, thus no relaxation here.) */
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
@@ -868,7 +868,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
return rc;
/* Must be owned by trusted installer. */
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
return VINF_LDRVI_NOT_SIGNED;
@@ -885,7 +885,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */
pwsz = pwszName + cwcOther + 1;
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
@@ -933,7 +933,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
# endif
)
{
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
return VINF_LDRVI_NOT_SIGNED;
@@ -943,7 +943,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
/*
* Anything that's owned by the trusted installer.
*/
- if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
|| supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return VINF_LDRVI_NOT_SIGNED;
@@ -1379,7 +1379,7 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 pw
*/
/** @todo Since we're now allowing Builtin\\Administrators after all, perhaps we
* could drop these system32 + winsxs hacks?? */
- if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(pNtViRdr->hFile, pwszName))
{
if (supHardViUtf16PathStartsWithEx(pwszName, (uint32_t)RTUtf16Len(pwszName),
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
index ec6b6a0a..f7ef4408 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
@@ -2147,7 +2147,7 @@ static int supHardNtLdrCacheNewEntry(PSUPHNTLDRCACHEENTRY pEntry, const char *ps
* for this image.
*/
uint32_t fFlags = fDll
- ? SUPHNTVI_F_TRUSTED_INSTALLER_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
+ ? SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
: SUPHNTVI_F_REQUIRE_BUILD_CERT;
if (f32bitResourceDll)
fFlags |= SUPHNTVI_F_IGNORE_ARCHITECTURE;
@@ -2394,10 +2394,12 @@ static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis)
"NtQueryInformationProcess/ProcessImageInformation failed: %#x hProcess=%#x",
rcNt, pThis->hProcess);
}
+#ifndef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT /* A kernel code signing cert is only via way to use /IntegrityCheck. */
if ( !(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY))
return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY,
"EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.",
ImageInfo.DllCharacteristics);
+#endif
if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE))
return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE,
"EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.",
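Review bot: The comment on the new `#ifndef` is garbled (`is only via way to use`) and should read `/* Only a kernel code signing cert lets the loader enforce /IntegrityCheck, so the check is skipped in builds without one. */`. The guard drops the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY requirement on the EXE without adding any substitute check in this function; presumably the executable is still covered by the SUPHNTVI_F_REQUIRE_BUILD_CERT flag set in supHardNtLdrCacheNewEntry, but that should be stated in the comment so the weakened check reads as deliberate rather than as an oversight. supHardNtVpCheckExe continues beyond this hunk.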
diff --git a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
index a7dccfd9..ada99ee5 100644
--- a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
@@ -1477,33 +1477,46 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA
#ifndef VBOX_PERMIT_EVEN_MORE
/*
* Check the path. We don't allow DLLs to be loaded from just anywhere:
- * 1. System32 - normal code or cat signing, owner TrustedInstaller.
- * 2. WinSxS - normal code or cat signing, owner TrustedInstaller.
- * 3. VirtualBox - kernel code signing and integrity checks.
- * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller.
- * 5. Program Files - normal code or cat signing, owner TrustedInstaller.
- * 6. Common Files - normal code or cat signing, owner TrustedInstaller.
+ * 1. System32 - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 2. WinSxS - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 3. VirtualBox - build with:
+ * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * - kernel code signing cert: kernel code signing and integrity checks.
+ * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 5. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 6. Common Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
* 7. x86 variations of 4 & 5 - ditto.
+ *
+ * Note! VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT means the /IntegrityCheck does
+ * work as it doesn't seems like MS has come up with a generally accessible
+ * alternative to the expired kernel code signing scheme for using this
+ * securty enhancement.
*/
uint32_t fFlags = 0;
if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
+ /** @todo r=bird: See SUPHNTVI_F_REQUIRE_BUILD_CERT comment below (in the
+ * code that's actually used). */
+ fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
# ifdef VBOX_PERMIT_MORE
else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
# ifdef RT_ARCH_AMD64
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
# endif
# endif
# ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
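Review bot: The `Note!` added at the end of the path comment contradicts the code beneath it: it names VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT although the macro tested on the `# ifdef` is VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT, and it says /IntegrityCheck "does work" while the branch under that macro drops SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT, i.e. it does not. Suggest ` * Note! VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT means /IntegrityCheck does NOT work, as MS does not seem to offer a generally accessible alternative to the expired kernel code signing scheme for using this security enhancement.` (which also fixes `securty` and `doesn't seems`). In that build the VirtualBox directory is guarded only by the build certificate plus the relaxed owner check, which now accepts Builtin\\Administrators-owned files, so a one-line comment at the `# ifdef` stating that this is the intended trust level would help. supR3HardenedScreenImage continues outside this hunk.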
@@ -1531,14 +1544,27 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA
#else /* VBOX_PERMIT_EVEN_MORE */
/*
* Require trusted installer + some kind of signature on everything, except
- * for the VBox bits where we require kernel code signing and special
- * integrity checks.
+ * for the VBox bits where we have extra requirements depending on the signing
+ * certificate used:
+ * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * - kernel code signing cert: kernel code signing and integrity checks.
*/
uint32_t fFlags = 0;
if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
+ /** @todo r=bird: Since extension packs are installed under
+ * g_SupLibHardenedAppBinNtPath and I'm pretty sure that everything loaded into
+ * a VBox VM process goes thru this validation step at DLL load time, this means
+ * only we can now sign extension packs.
+ *
+ * I suspect we have to relax the signing restrictions on the ExtensionPacks
+ * subdirectory to keep 3rd party extensions working. */
+ fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
else
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
#endif /* VBOX_PERMIT_EVEN_MORE */
/*