To prevent connection failure with local USB devices on a Windows 7 client machine, update the Windows machine with Microsoft Security Update KB3033929 before installing the USB Development Kit Driver (spice-usbdk-win). Failure to apply this update before installing the spice-usbdk-win driver otherwise results in USB connection loss and an error reporting an unsigned driver.
See https://technet.microsoft.com/en-us/library/security/3033929 for more information on this security update.
DescriptionAndrei Stepanov
2016-02-15 16:29:51 UTC
Created attachment 1127334[details]
Warning spice-usbdk-win-1.0-12 driver is not signed. Nevertherless, spice-usbdk-win 1.0-10 didn't show such warning.
Client loses connection with all local USB devices after installing spice-usbdk-win.
Client - is Windows 7 64 SP1 installed on bare-metal machine.
rpm -qf /usr/share/spice/usbdk-x64.msi
rhevm-spice-client-x64-msi-3.6-6.el6.noarch
rpm -q --changelog rhevm-spice-client-x64-msi | head -n 7
* Mon Jan 04 2016 Uri Lublin <uril> - 3.6-6
- mingw-virt-viewer 2.0.8
- mingw-spice-gtk 0.26-10
- mingw-libusbx 1.0.20-1
- spice-usbdk-win 1.0-10
- Send requests to usbdk asynchronously (rhbz#1144043)
How reproducible: Always.
Steps to Reproduce:
1. In www-browser go to home page "Red Hat Enterprise Virtualization Manager"
2. Click at select "Downloads -> Console Client Resources"
3. Download and install "UsbDk for 64-bit Windows"
4. Reboot client.
Actual results: After reboot, keyboard/mouse/usb_flash_driver connected to client machine doesn't respond.
Hint to recovery from this state: reboot the client, at startup press F8, select "Disable Driver Signature Enforcement", uninstall UsbDK.
Also, I have tested a build: spice-usbdk-win-1.0-12. Got the same result + warning about driver is not signed. (spice-usbdk-win 1.0-10 didn't show such warning).
Please note, that bug should be closed only as rhevm-spice-client-x64-msi RPM gets correct version of spice-usbdk-win.
A short update:
I reproduced this issue on my Win7 machine. Indeed the problem is related to UsbDk driver digital signature.
I verified digital signature of UsbDk.sys, it is absolutely fine but Windows cannot verify it for an unknown reason.
Continuing the investigation...
UsbDk.sys driver is signed by SHA-2 code certificate received by RedHat from Symantec.
There is a problem on Windows 7/2008R2 with SHA-2 code signing certificates. In some cases SHA-2 signed drivers fail to load on these systems while the signature is perfectly valid. Microsoft fixed this issue by security update 3033929. This update needs to be downloaded and installed in order to load such drivers.
The update may be downloaded from https://technet.microsoft.com/en-us/library/security/3033929.
Installation of this update fixed the problem I observe on my test systems.
Andrei, please verify that it fixes the problem you observe as well.
Thanks,
Dmitry
Created attachment 1127334 [details] Warning spice-usbdk-win-1.0-12 driver is not signed. Nevertherless, spice-usbdk-win 1.0-10 didn't show such warning. Client loses connection with all local USB devices after installing spice-usbdk-win. Client - is Windows 7 64 SP1 installed on bare-metal machine. rpm -qf /usr/share/spice/usbdk-x64.msi rhevm-spice-client-x64-msi-3.6-6.el6.noarch rpm -q --changelog rhevm-spice-client-x64-msi | head -n 7 * Mon Jan 04 2016 Uri Lublin <uril> - 3.6-6 - mingw-virt-viewer 2.0.8 - mingw-spice-gtk 0.26-10 - mingw-libusbx 1.0.20-1 - spice-usbdk-win 1.0-10 - Send requests to usbdk asynchronously (rhbz#1144043) How reproducible: Always. Steps to Reproduce: 1. In www-browser go to home page "Red Hat Enterprise Virtualization Manager" 2. Click at select "Downloads -> Console Client Resources" 3. Download and install "UsbDk for 64-bit Windows" 4. Reboot client. Actual results: After reboot, keyboard/mouse/usb_flash_driver connected to client machine doesn't respond. Hint to recovery from this state: reboot the client, at startup press F8, select "Disable Driver Signature Enforcement", uninstall UsbDK. Also, I have tested a build: spice-usbdk-win-1.0-12. Got the same result + warning about driver is not signed. (spice-usbdk-win 1.0-10 didn't show such warning). Please note, that bug should be closed only as rhevm-spice-client-x64-msi RPM gets correct version of spice-usbdk-win.