Signing cyusb driver for Windows Vista/7 64-bit

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
Anonymous
Not applicable

We use Cypress USB controllers for an our own product that should work under Windows Vista/7 64-bit. As I discovered in this forum we need a signed driver for x64 OS from Vista on. Now I would like to know the step I need to sign the driver. I would like to sign the driver because (if I'm not wrong) the cost is not too high (according to what I found here the certificate costs 99$).

   


   

I learned from the Microsoft guide on kernel-mode code signing walkthrough how to: 1) obtain a Software Publisher Certificate (SPC) from a commercial CA (Certificate Autorithy); 2) create a .CAT file starting from the driver file (.SYS) and the driver setup information file (.INF); 3) use the SPC to sign the CAT file in order to be able to use the driver under Windows Vista/7 64-bit.

   


   

Installing Cypress USB Generic Driver (3.4.6) I got the cyusb.sys and cyusb.inf files (under C:\Program Files\Cypress\Cypress Suite USB 3.4.6\Driver\wlh). These work fine for our product (for the moment only disabling the driver signature enforcement).

   


   

Now I feel to miss some information on the steps I need to have our own signed driver that will work with our XXX product so that once plugged in our product to a computer that has the driver installed, the product is automatically recognized as the XXX product.

   


   

First of all I guess I have to change on the USB controller and on the cyusb.inf the VID and the PID, isn't it? I guess these values have to be provided by Microsoft and I cannot use any values, isn't it? In this case how do I get them from Microsoft? Then if I do not modify the cyusb.sys driver do I need to follow the procedure that Cypress indicates for having the WHQL certificate? If I do not need this WHQL signing procedure, should I simply follow the instructions on the  kernel-mode code signing walkthrough provided my Microsoft?

   


   

Please details as much as possible the steps needed for different scenarios.

0 Likes
22 Replies
Anonymous
Not applicable

Winqual have all the steps, just follow it, you will get signed drivers.

   

1, Buy verisign, and sign your driver.

   

2, Test The signed driver on 64bit system using WHQL test tools(Not easy),  and subscribe the succeded test result to Winqual.

   

3, wait for signed cat files.

   

Find a WHQL suppotor will be easier. .

0 Likes
Anonymous
Not applicable

 VID is provided by USB-IF (please look at http://www.usb.org/home), Once you own a VID you can assign and maintain PID by yourself.

   

You can WHQL sign the driver or use a 3rd party certificate to sign the driver (SPC). WHQL signing involves testing so it takes care that the hardware software interaction is right. So this is the one we've been recommending.

   

I'm working on documenting the steps involved in signing using 3rd party certificate. Will update here once I have it ready.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

Test the driver using WHQL test tools means to setup firstly a network (server, workstation, test PC), isn't it? Since we are a startup company and we do not want to spend all that time, how should we do?

   
   



   
   

aasi, you say that instead of WHQL sign I can use a SPC, but in the Cypress AN5297 document there is written "[...] Driver quality signature allows the driver to load in Windows with compatibility and reliability requirements defined by Microsoft.  The driver cannot be loaded in Windows 7 and  Vista 64-bit  operating systems (OS) without driver quality signature in normal mode [...]". So which is the real difference between WHQL and SPC sign? What will happen in practice when the driver will be staged (DIFx) or installed on another PC?

   
   



   
   

And please can you give me more details on this cyusb.sys signed driver for Windows 7 64-bit? I guess it is WHQL signed, isn't it? May I use this .sys signed driver and by myself sign with SPC only the .cat file that I will construct starting from the .inf file (where I'll put our VID/PID) and the .sys signed by you? Would this be enough?

   
   



   
   

We use EZ-USB FX2 CY7C68013 and the goal is to install on other machines the driver programmatically and with as less as possible user interaction.

   
0 Likes
Anonymous
Not applicable

I've seen companies provide this as a service you might wanna look at that approach as well.

   

The difference between SPC and WHQL is that SPC does not involve testing. So WHQL signed would give more confidence in terms of quality.

   

I've not got a chance to play around with SPC signed drivers to see the behavior of the OS but based on MS documents my understanding is that SPC signed driver will behave the same way and can be distributed.

   

Win 7 and Vista x64 will not allow writing files to system folder unless they are signed. 

   

Signing kind of has to do with hash code and stuff. When you change the inf file the hash code will be broken so you'll not be able to use the .cat file. You can generate it using inf2cat after making the necessary modifications to the inf file.

   

If you sign the driver and place it in the appropriate system folder, no user intervention will be needed while using the driver.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable
      Sorry I'm still missing information on      this cyusb.sys      signed driver for Windows 7 64-bit. I read somewhere that it is possible to sign either the .sys, the .cat or both of them. In this link are both signed? And are they both signed with WHQL?   
   
    
   
   
     Because if yes, is it possible to keep your.sys signed with WHQL and use our .cat signed with SPC? In this way we might just opt for the fast SPC signing method and keep mantaining the benefit of the WHQL signing.   
   
    
   
   
     thanks in advance   
0 Likes
Anonymous
Not applicable

It is WHQL signed and it has signed the .sys and .inf as a whole package. The .cat contains the signature. So I don't think you would be able to use it in the fashion that you're proposing.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

 Thanks aasi for your reply. Just last thing (hopefully), if it is signed with WHQL why do I get the following warning when trying to install it in windows 7 64-bit: "Installing this device is not recommended because Windows cannot verify that it is compatible with your hardware...."

0 Likes
Anonymous
Not applicable

 1. Are you using the files as is?

   

2. Does your device have a firmware running in it or are you connecting a unprogrammed FX2LP?

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

If you don´t want to spend so much time and money on signing the CyUSB.sys driver, consider switching to WinUSB oder LibUSB driver. We use WinUSB driver and the effort to change the application software war about one day of work. This is much less then the effort for WHQL. WinUSB is signed by MS and if you want to get only a blue message (Do you want to trust the vendor...) from UAC while install all you need is the Verisign ID (99US$). The universal driver works on all Windows Systems beginning with XP SP2 and is stable as a rock. AFAIK the LibUSB is now signed, too and can also be used without WHQL even on 64 bit systems.

0 Likes
Anonymous
Not applicable

Hi,

   

Regarding difference between SPC and WHQL signed drivers - if you plan to install your driver silently (without user intervention/dialog boxes etc, in the way most hardware providers does) you MUST have WHQL signed driver. This point is not documented very well, we came to this when we bought SPC certificate from GlobalSign, signed our driver, then tried to install our properly signed driver package via dpinst.exe - Windows pops up a dialog asking do you trust the publisher and do you really want to install the driver. However, if user will allow this - driver works ok on all Windows, but that dialog make installation process not so nice...

   

Later we tried to move to WHQL but the point is that it accepts certificate only from Verisign, our owned from GlobalSign cant be used there. So we have to buy one more certificate now 🙂

   

Best regards, Arturas

0 Likes
Anonymous
Not applicable

 thanks to all of you guys! Now I've ideas a bit more clear (but still not completely).

   

 

   

We have got a SPC for the moment, since going for the WHQL signing is too long and complicated. Hence for the moment we settle for a non complete silent driver installation by requiring the user to accept to install the driver (a pop-up window asking to either trust or not the publisher). And for the moment we are using the Cypress general driver.

   

 

   

Now, what is the advantage of the WinUSB driver? Also the WinUSB should be signed (creating the CAT and then sign it), hence I guess that if we sign through SPC we still have the pop-up window, isn't it? 

0 Likes
Anonymous
Not applicable

It doesn't support isochronous. Other than that I'm not aware of any difference between WinUSB and CyUSB.sys.

   

From what I know in terms of speed both should be almost same.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

http://www.cypress.com/?docID=32167 has a table discussing this.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

Hi,

   

This Chris R.'s information about WinUSB is interesting. I could give it a try but I don't know how to implement firmware downloading using WinUSB. Any ideas anyone?

   

Regards,

   

Dmitry

0 Likes
Anonymous
Not applicable

Firmware download via WinUSB is no problem. All the source code is provided by Cypress and can be adapted to WinUSB. Take a look at the AppNote for vendor commands: http://www.cypress.com/?rID=34485 in this you find all information for loading the second stage loader. Further you can look into the source code of fx2load. You have to write some vendor requests over the Control Endpoint, stop the CPU, load the RAM with new firmware (from the appnote) and run the CPU, after this you can write the small or large eeprom. It works great and with no need of CyUSB.sys and addionally you can read back the eeprom content.

0 Likes
Anonymous
Not applicable

Thanks Chris. May I ask is there a published version of the firmware loader on winusb? I don't want to sound lazy but rewriting the same typical stuff again and again... making the same bugs... this sounds inefficient.

   

And also first order question. Assuming that I have all-winusb implementation for my cypress device - how does it help in the 64-bit signing struggle? In other words, does it make custom start on F8 redundant or just simplifies the certification process? I can live with red colored dialogs but I would like not to disable driver signing and not to tune windows (with the bcdedit.exe or alikes).

   

Sorry for the possibly newbie questions but I've just got into 64-bit. Not feeling myself comfortable yet.

   

Regards,

   

Dmitry

0 Likes
Anonymous
Not applicable

Sorry, I cannot provide the source code, as I wrote this on work. But I can give you hints. Is is not really difficult.

   

With the WinUSB driver you can run your device without any modifications on Windows x64, no F8 pressing. If you dont have any signature, you get a red warning while install, that´s all. You can buy a verisign code signing signature for USD 99 and signe the cat file with this, so you get only a message "Do you want to trust...?" where you can also choose "Ever trust.".

0 Likes
lock attach
Attachments are accessible only for community members.
Anonymous
Not applicable

Hi Dmitry,

   

I'm posting a beta version of CyAPI.lib based host application I had developed for firmware download. You can use this as reference to develop your code.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

It interfaces with CyUSB.sys for getting handle and sending vendor requests. Replacing those 2 parts with WinUSB equivalents should get you up and running quicker.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

The app note (http://www.cypress.com/?rID=34253) of which the code I posted is a part of has been uploaded to our site. You should be able to get the needed explanation from there.

   

Regards,

   

Anand

0 Likes
Anonymous
Not applicable

Dmitry: If you only want to program the firmware the first time on unprogrammed FX2 devices, you can use the signed x64 driver from cypress: http://www.cypress.com/?id=4&rID=53338 together with CyConsole.

0 Likes
lock attach
Attachments are accessible only for community members.
Anonymous
Not applicable

Hi aasi,

   

Are you sure that the CyUSB does not support Isochrounous transfer?  I need to convert our 32bit app running on an AN2131 which uses ISO channels.

   

I have a sheet of IOCTLS comparing EZUSB to CyUSB and it seems that EZUSB_IO_READ and .._WRITE are now contained in IOCTL_ADAPT_SEND_NON_EPO_TRANSFER or .._DIRECT

0 Likes