kvm-guest-drivers-windows
pvpanic, qemufwcfg, and qemupciserial are self signed with a bad basic constraint
Describe the bug
The drivers for pvpanic, qemufwcfg, and qemupciserial in virtio-win 0.1.217 are signed with a self-signed certificate. As well as this, it has a CA constraint set, which stops you from importing the self-signed cert as a trusted root authority and then installing the driver.
Here is the certificate used for pvpanic as a PEM file
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
The contents decoded by OpenSSL are
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)10:ab:74:5f:8f:ea:31:44:bb:70:c4:a3:73:4d:84:77
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = virtio-win, OU = Dev, CN = Red Hat Inc.
Validity
Not Before: Jan 13 11:19:27 2022 GMT
Not After : Dec 31 23:59:59 2039 GMT
Subject: O = virtio-win, OU = Dev, CN = Red Hat Inc.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c4:cb:eb:d2:4d:b5:77:e0:8e:61:a9:f1:41:f0:
c1:64:dc:a9:f5:c9:49:5a:0d:c5:87:d4:bd:b7:2d:
27:a4:cf:84:64:88:d4:c8:df:8f:b2:bf:37:fc:b9:
f9:34:c8:14:3e:93:52:99:18:d7:17:03:49:fb:fd:
f5:b3:03:c7:9b:8f:90:a5:46:e5:da:2c:85:f0:b8:
fd:73:88:3c:e4:03:ee:f5:d2:43:ea:2d:c7:99:af:
3a:94:ef:ab:a5:45:66:b9:09:e4:94:ef:fd:1f:67:
9e:d9:2b:35:a8:2a:17:1f:22:ec:40:2e:78:9a:aa:
42:ed:ac:1e:d1:30:44:b3:3a:06:37:ce:9e:88:73:
b6:4a:5f:c7:be:6c:60:10:cc:6d:89:02:07:71:9f:
98:47:86:dd:01:25:9c:ec:45:9c:bf:c3:0f:6b:39:
db:f3:21:32:91:80:b1:63:49:d0:1b:fd:b8:79:ca:
cd:52:7f:7e:b0:b9:af:ae:73:f0:13:a2:eb:97:bb:
00:2b:7a:ae:52:62:bd:66:5d:20:12:56:38:78:98:
b4:d7:11:f2:5e:58:31:b1:a0:ed:bf:b2:2c:3d:fd:
d4:2d:1d:af:1d:16:fa:e5:9c:c8:6d:44:6b:a3:b1:
0e:62:80:7c:82:06:02:19:00:7c:50:31:b6:ba:8c:
34:2d:89:83:94:10:b6:f8:70:92:aa:26:bc:0d:86:
0e:28:c0:7d:0f:32:af:d8:f6:b4:96:9c:e5:47:83:
7b:9e:97:f1:5b:4c:4f:7c:e5:98:7d:a7:d9:33:4b:
38:c8:d1:34:e3:77:80:c7:55:40:7b:71:93:7d:d4:
47:22:44:4c:1f:80:9e:bd:3d:42:aa:f7:04:15:af:
4c:2c:42:d9:50:84:bf:44:40:9c:ae:99:ef:83:9a:
44:84:4e:88:20:21:38:81:e2:4e:f7:31:58:c5:10:
e4:df:33:b6:94:dd:91:95:83:55:39:e2:cb:a9:5f:
6a:63:82:d7:c4:d1:0f:d4:0b:8b:0b:56:0c:d5:1d:
0d:c5:7c:67:16:1e:fc:18:96:38:3b:bf:fd:0f:e3:
fc:5b:5c:96:23:af:bb:60:80:c9:39:60:c7:fb:51:
d3:1b:ed:d2:fa:84:d5:0b:ab:27:36:aa:93:94:b4:
90:1b:f1:9f:53:70:93:4b:48:dc:e9:07:1a:db:4b:
2b:40:6b:df:ac:fe:52:b9:50:85:d2:85:d3:28:c5:
fd:35:e6:b7:53:a2:fc:0a:95:33:f0:46:27:a4:27:
1c:d1:59:4a:52:e2:c3:79:e2:3d:a2:c8:ef:bb:99:
71:05:83:db:ae:60:47:45:45:ca:23:a5:c1:3e:fc:
a6:ca:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
2.5.29.1:
0b....".8......0.....<0:1.0...U.
.
virtio-win1.0
..U....Dev1.0...U....Red Hat Inc....T..p...D.;\..{.
Signature Algorithm: sha256WithRSAEncryption
3d:81:a3:20:6f:41:ee:23:e0:b3:16:a7:0f:29:e2:b1:e4:1f:
cc:59:7d:39:08:95:ae:fd:38:7c:82:90:10:c4:38:cf:d9:72:
83:76:3f:81:13:da:a3:63:59:8d:75:e6:c0:14:49:75:21:38:
9b:fb:42:c1:a3:a0:8e:4d:57:7c:a3:e3:41:3a:47:32:6a:75:
7c:f0:c3:da:fc:6c:24:86:9e:ff:00:a6:08:62:bc:17:40:99:
7d:70:67:6d:de:30:4a:a8:ef:1b:0e:d5:34:56:bb:f9:3e:f5:
90:4f:3d:45:bf:c2:43:1e:c2:19:2f:1a:9f:e5:12:d2:14:06:
a0:92:10:da:4c:5d:af:c6:bf:0d:c2:4c:e0:9a:df:7f:bb:f6:
8b:4a:b5:47:14:16:d7:a1:27:0a:b7:cd:93:5a:0b:5b:7c:12:
bd:f4:fc:fc:5c:39:e8:8c:7d:bc:70:5b:33:02:9e:21:5b:5d:
68:f4:9f:19:f7:88:96:6e:47:cf:19:40:ad:5f:d2:51:10:55:
b2:ca:47:19:19:f6:fa:22:c9:67:da:97:6f:3a:b3:ca:05:6a:
7d:bd:0b:c7:9c:69:67:da:db:e4:43:4e:6f:71:46:d3:37:3f:
e5:68:72:d8:ab:7f:2f:02:80:2e:da:6e:f8:bb:ad:c6:2b:48:
48:33:28:0c:31:6f:70:cf:77:e2:03:0c:8d:99:0f:bf:10:74:
90:61:74:a5:06:88:d8:55:4a:0c:f0:47:1c:79:74:81:1e:cc:
5c:0e:9d:87:b7:e7:b4:67:36:ec:b9:a6:6c:5c:00:d6:90:d7:
9f:cd:53:c0:1b:e4:f6:84:57:b2:a3:d0:b8:50:22:36:9a:7d:
ed:a3:76:40:fa:2d:3c:75:c2:e9:cf:85:e7:4e:49:59:ef:8d:
17:79:32:02:f5:aa:c9:31:1e:76:af:54:f8:a8:ce:94:4d:44:
0f:c5:43:9e:02:1a:3e:c1:ca:4a:7c:45:6a:5a:ed:5b:45:ef:
a0:a1:c2:5b:5a:ff:05:92:92:ef:80:1a:94:4a:b8:74:c7:48:
86:cb:8a:21:3b:d9:97:c1:d1:63:ad:dc:62:58:ab:a1:15:f9:
7b:d3:fc:f3:bb:70:56:94:f4:b0:77:a0:f8:4b:5a:0d:59:60:
ea:b9:23:21:49:e8:e0:dc:a2:f1:74:45:9f:32:b4:3e:7f:6e:
98:05:06:21:10:77:02:4a:00:32:9f:09:37:23:99:0a:b2:2c:
9b:36:50:08:58:a3:cb:c0:86:74:d0:3d:8d:5b:e3:94:4e:28:
43:9e:e4:dd:12:e2:fb:4d:4c:f9:44:5a:9d:de:8a:c4:b0:75:
6d:4a:08:ce:86:85:fb:50
You can verify that the issuer and subject match and that the basic constraints have CA:TRUE set.
To Reproduce
Attempting to install one of these drivers on Windows will fail. The security details show the chain is not signed by a trusted root authority.
When manually trusting the cert by importing it into the root store, it still fails due to the basic constraints being violated (a CA cert being used as an end entity).
Expected behavior
The driver(s) to be installable like the other drivers in the virtio package, or, even if self-signed, the basic constraints being set properly to allow it to be trusted and installed manually.
I'm unsure what the policy is behind signing these drivers and whether it is possible to sign these 3 like the rest of them, but it should be possible to install these drivers somehow.
Screenshots
Added above inline where mentioned.
Host:
- Distro: [e.g. Fedora, Ubuntu, Proxmox]: N/A
- Kernel version: N/A
- QEMU version: N/A
- QEMU command line: N/A
- libvirt version: N/A
- libvirt XML file: N/A
VM:
- Windows version: Windows Server 2022
- Which driver has a problem: pvpanic, qemufwcfg, qemupciserial
- Driver version or commit hash that was used to build the driver: 0.1.217-1
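The check the report describes (issuer equal to subject, and Basic Constraints with CA:TRUE) can be run over a whole driver tree before touching the installer. The PowerShell script below is an added example, not code from the issue or from the virtio-win project. $DriverRoot is an assumed path; point it at the mounted virtio-win ISO. Get-AuthenticodeSignature returns the signing certificate, but its Status alone does not separate "untrusted root" from "CA certificate used as an end entity", so the script inspects the certificate's Basic Constraints extension directly.

```powershell
# Added example, not part of the virtio-win project: inspect the Authenticode
# signer of every driver catalog (.cat) under a directory and flag the two
# problems described in this issue: a self-signed signer (Issuer equals
# Subject) and a signer that carries Basic Constraints CA=TRUE, which Windows
# rejects as an end-entity code-signing certificate even after it is trusted.
# $DriverRoot is an assumed path; point it at the mounted virtio-win ISO.
param(
    [string]$DriverRoot = 'E:\'
)

function Test-DriverCatalogSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Unsigned catalog: report it and stop, there is no certificate to inspect.
    if ($null -eq $cert) {
        return [pscustomobject]@{
            File = $Path; Status = $sig.Status; Signer = $null
            SelfSigned = $null; CAConstraint = $null; Critical = $null
        }
    }

    # Basic Constraints (OID 2.5.29.19) is exposed as a typed extension object.
    # A missing extension is treated as "not a CA", which is also how Windows
    # treats an end-entity certificate without the extension.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $isCa     = $false
    $critical = $false
    if ($null -ne $bc) {
        $isCa     = $bc.CertificateAuthority
        $critical = $bc.Critical
    }

    [pscustomobject]@{
        File         = $Path
        Status       = $sig.Status        # Valid, NotTrusted, UnknownError, NotSigned, ...
        Signer       = $cert.Subject
        # Subject equal to Issuer is the usual self-signed test. An Authenticode
        # signer must be an end-entity certificate, so either flag below means
        # the package will not install through the normal trusted path.
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        CAConstraint = $isCa
        Critical     = $critical
    }
}

Get-ChildItem -Path $DriverRoot -Recurse -Filter *.cat |
    ForEach-Object { Test-DriverCatalogSigner -Path $_.FullName } |
    Where-Object { $_.SelfSigned -or $_.CAConstraint } |
    Format-Table -AutoSize File, Status, Signer, SelfSigned, CAConstraint, Critical
```

A row with CAConstraint True is the case this issue is about: importing that certificate into the Root store does not help, because the chain then fails basic-constraints validation rather than trust validation, and only re-signing or test signing gets the package installed.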
Hi @jborean93,
If you are looking for an immediate workaround, you can enable test signing on the VM. Run with administrator rights:
bcdedit /set testsigning on
and reboot.
Thanks for the workaround. I'm attempting to see if I can just re-sign them myself with my own certificate. Currently working through New-FileCatalog and generating my cert; will let you know how I go.
Just noticed that viostor for 2k12 and 2k12R2 are also affected by this same problem. Unfortunately that's even more difficult to deal with, as these are needed to install Windows on a virtio-backed HDD.
What's funny is that qemufwcfg, qemupciserial, and smbus are completely unchanged in actual substance between 0.1.215-2 and 0.1.217-1. Yet in the latter version, the same exact driver files (literally just .infs for these) are now self-signed, rather than signed with a valid certificate.
(pvpanic maybe has somewhat of an actual excuse, since I think the driver file was actually changed in some actual manner between 0.1.215-2 and 0.1.217-1.)
It's a bit silly to release a new version and have several drivers go from valid-signature status to self-signed status when nothing in those drivers actually changed.
Oh, and because of the self-signedness, the installer gets pissed off and refuses to complete the installation. (I don't have test signing turned on; presumably if I did, the installation would succeed.) MSI log excerpt:
[...]
DIFXAPP: ENTER: InstallDriverPackages()
DIFXAPP: INFO: 'CustomActionData' property 'DIFxApp Version' is '2.1'.
DIFXAPP: INFO: 'CustomActionData' property 'UI Level' is '5'.
DIFXAPP: INFO: 'CustomActionData' property 'componentId' is '{544B33DA-A7E0-44D2-9DB0-CACA3B842DA3}'.
DIFXAPP: INFO: 'CustomActionData' property 'componentPath' is 'C:\Program Files\Virtio-Win\Pvpanic\'.
DIFXAPP: INFO: 'CustomActionData' property 'flags' is 0x6.
DIFXAPP: INFO: 'CustomActionData' property 'installState' is '2'.
DIFXAPP: INFO: 'CustomActionData' property 'ProductName' is 'Virtio-win-driver-installer'.
DIFXAPP: INFO: 'CustomActionData' property 'ManufacturerName' is 'Red Hat, Inc.'.
DIFXAPP: INFO: user SID of user performing the install is 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001'.
DIFXAPP: INFO: opening HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{544B33DA-A7E0-44D2-9DB0-CACA3B842DA3} (User's SID: 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001') ...
DIFXAPP: INFO: ENTER: DriverPackageInstallW
DIFXAPP: INFO: RETURN: DriverPackageInstallW (0xE0000247)
DIFXAPP: ERROR: encountered while installing driver package 'C:\Program Files\Virtio-Win\Pvpanic\pvpanic.inf'
DIFXAPP: ERROR: InstallDriverPackages failed with error 0xE0000247
DIFXAPP: RETURN: InstallDriverPackages() 3758096967 (0xE0000247)
CustomAction MsiInstallDrivers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:28:23: InstallFinalize. Return value 3.
MSI (s) (D8:F0) [21:28:23:902]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (D8:F0) [21:28:23:902]: User policy value 'DisableRollback' is 0
MSI (s) (D8:F0) [21:28:23:902]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:F0) [21:28:23:979]: Note: 1: 2318 2:
MSI (s) (D8:F0) [21:28:23:991]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1421650826,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (D8:F0) [21:28:23:991]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (D8:F0) [21:28:23:994]: Executing op: DialogInfo(Type=1,Argument=Virtio-win-driver-installer)
MSI (s) (D8:F0) [21:28:24:001]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
Action 21:28:24: Rollback. Rolling back action:
[...]
So basically what's happening here is that DriverPackageInstallW is returning ERROR_DRIVER_STORE_ADD_FAILED, presumably because the signature isn't valid. And then the installer helpfully does a complete rollback of everything it had done up to that point and tells the user to go do something productive with their life instead of trying to install virtio drivers.
The problem with Win10 pvpanic and stub drivers should be fixed in https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.217-2/virtio-win-gt-x64.msi
Win8 drivers need test signing enabled in the BCD and our test-signing cert installed in the Root and TrustedPublisher certificate stores. I'm going to add this certificate to the virtio-win package in the next (latest) build.
Best,
Vadim.
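The re-signing approach mentioned earlier in the thread (New-FileCatalog plus a locally generated certificate) and the Root plus TrustedPublisher import described in the comment above fit into one elevated PowerShell session. The script below is an added example, not a procedure from the issue or from the virtio-win project. $PackageDir, the certificate subject and the pvpanic.cat/pvpanic.inf names are assumptions for the example. The generated certificate carries an explicit Basic Constraints extension of ca=false, so it is an end-entity certificate and does not hit the CA:TRUE problem that blocks manually trusting the 0.1.217 certificate.

```powershell
# Added example, not the project's own procedure. Run in an elevated session.
# Assumptions: the driver package lives in $PackageDir, its INF references
# pvpanic.cat via CatalogFile=, and a locally generated certificate is
# acceptable for this (test) VM.
$PackageDir = 'C:\Drivers\pvpanic'
$CatPath    = Join-Path $PackageDir 'pvpanic.cat'
$InfPath    = Join-Path $PackageDir 'pvpanic.inf'
$CerPath    = Join-Path $env:TEMP 'local-driver-signer.cer'

# 1. Generate a code-signing certificate with an explicit, critical
#    Basic Constraints of ca=false. Unlike the CA:TRUE certificate in this
#    issue, Windows accepts this one as an end-entity signer once it is trusted.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=Local virtio-win driver signer' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=false') `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Trust it as a root and as a publisher before signing, so that the
#    signature verifies as Valid instead of "terminated in an untrusted root".
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 3. Replace the package catalog with one hashed over the current files and
#    sign it. The old catalog is removed first so it is not hashed into the new one.
Remove-Item -Path $CatPath -ErrorAction SilentlyContinue
New-FileCatalog -Path $PackageDir -CatalogFilePath $CatPath -CatalogVersion 2.0 | Out-Null
$sig = Set-AuthenticodeSignature -FilePath $CatPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Catalog signature is $($sig.Status): $($sig.StatusMessage)"
}

# 4. Kernel-mode code integrity still requires a Microsoft-trusted signer, so
#    a locally signed driver only loads with test signing on (after a reboot;
#    bcdedit refuses this while Secure Boot is enabled).
bcdedit /set testsigning on

# 5. Stage the package in the driver store. This is the step that returned
#    0xE0000247 (ERROR_DRIVER_STORE_ADD_FAILED) for the self-signed packages.
pnputil /add-driver $InfPath
```

Trust is established in step 2 before the catalog is signed in step 3 because Set-AuthenticodeSignature reports UnknownError for a signer whose chain ends in an untrusted root even though the file was signed; checking for Valid afterwards is therefore a real check on both the signature and the trust configuration.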
Can you confirm that the self-signed cert you are now using will not have the following constraint?
X509v3 Basic Constraints: critical
CA:TRUE
This makes it impossible to trust the certificate manually rather than enabling test signing.
@jborean93
Confirmed. The new certificate was created without the "-cy authority" flag to make sure that it has no Basic Constraints property. This change was required to fix the embedded signature issue (https://bugzilla.redhat.com/show_bug.cgi?id=2082021). The new certificate is effective from build 221, which is planned to be used as the base for the next "latest" rpm.
Vadim.
Awesome, thanks for the confirmation.