Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2082021

Summary: [virtio-win][vioscsi][viostor] Job "DF - Embedded Signature Verification Test" Failed with virtio-win-prewhql-218
Product: Red Hat Enterprise Linux 9 Reporter: Peixiu Hou <phou>
Component: virtio-winAssignee: Vadim Rozenfeld <vrozenfe>
virtio-win sub component: virtio-win-prewhql QA Contact: Peixiu Hou <phou>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: urgent CC: coli, jinzhao, juzhang, menli, qizhu, vrozenfe, xiagao
Version: 9.0Keywords: Regression, Triaged
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: x86_64   
OS: Windows   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 10:46:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peixiu Hou 2022-05-05 08:44:37 UTC 
Description of problem:
With virtio-win-p-rewhql-218, vioscsi whql Job "DF - Embedded Signature Verification Test" Failed

Error massage as:
Context Index:   1598874168 
Current:   vioscsi 
Parent:   WTTLOG 
Start Test 4/28/2022 4:00:06.425 AM vioscsi 
Error 4/28/2022 4:00:06.553 AM The Driver C:\Windows\System32\drivers\vioscsi.sys is not a signed driver 

And tested with other non-booted drivers, this job can be passed, the signature check will skip, info as follows:
Result:   Pass 
Repro:   Test is not applicable. The Driver virtiofsdrv is a non boot start type driver


Version-Release number of selected component (if applicable):
kernel-5.14.0-70.13.1.el9_0.x86_64
qemu-kvm-6.2.0-11.el9_0.2.x86_64
virtio-win-prewhql-218
seabios-bin-1.15.0-1.el9.noarch
edk2-ovmf-20220126gitbb1bba3d77-3.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1.Boot a vm up with vioscsi device.
2.submit the job "DF - Embedded Signature Verification Test"  from HLK studio.
3.Check the result.

Actual results:
Failed

Expected results:
Passed

Additional info:
Comment 1 Vadim Rozenfeld 2022-05-05 11:23:37 UTC 
Hi Peixiu

Can you please upload the HLK log file?

Thanks,
Vadim.
Comment 2 Vadim Rozenfeld 2022-05-06 02:05:50 UTC 
Another question
Can you please confirm that the test certificate was installed to the Trusted Root Certification Authorities certificate store 
and the Trusted Publishers certificate store before running the test?
https://github.com/MicrosoftDocs/windows-driver-docs/blob/staging/windows-driver-docs-pr/install/installing-a-test-certificate-on-a-test-computer.md

Thanks, Vadim.
Comment 7 menli@redhat.com 2022-05-06 09:49:34 UTC 
hit the same issue with viostor.
Comment 23 Peixiu Hou 2022-05-26 10:26:36 UTC 
Hi Vadim,

I tested all guests for vioscsi with virtio-win-prewhql-221 build, all can be passed. Just there are some difference between different guests.

Details as follows:
1) On win2022, win2019, win2016, we can pass the job without adding new cert file, run directly and then passed. checked the certmgr.msc found no original cert file show in root/trustedpublisher dir.

2) On win8.1-32/64, win10-32/64, win2012-64, win11-64, we passed this case need to aditional add new cert file, otherwise, the job cannot be passed. checked the certmgr.msc, also none original cert file show in root/trustedpublisher dir.

3) On win2012-r2, the certmgr.msc include an original cert file, delete it then add the new cert, passed this job.

I wonder what's the reason for these different? and if possible they can be unified as 1) situation or be added with the driver installation automatically? 

And, this command "signtool verify /v /pa /c x:\builds\b221\bin\Win10\amd64\viostor.cat x:\builds\b221\bin\Win10\amd64\viostor.sys x:\builds\b221\bin\Win10\amd64\viostor.inf", only when we added the new cert file, it'll work yes?

Thanks~
Peixiu
Comment 24 Vadim Rozenfeld 2022-05-27 01:00:09 UTC 
(In reply to Peixiu Hou from comment #23)
> Hi Vadim,
> 
> I tested all guests for vioscsi with virtio-win-prewhql-221 build, all can
> be passed. Just there are some difference between different guests.
> 
> Details as follows:
> 1) On win2022, win2019, win2016, we can pass the job without adding new cert
> file, run directly and then passed. checked the certmgr.msc found no
> original cert file show in root/trustedpublisher dir.
> 
> 2) On win8.1-32/64, win10-32/64, win2012-64, win11-64, we passed this case
> need to aditional add new cert file, otherwise, the job cannot be passed.
> checked the certmgr.msc, also none original cert file show in
> root/trustedpublisher dir.
> 
> 3) On win2012-r2, the certmgr.msc include an original cert file, delete it
> then add the new cert, passed this job.
> 
> I wonder what's the reason for these different? and if possible they can be
> unified as 1) situation or be added with the driver installation
> automatically? 
> 
I wonder if all the guest were installed similarly, using the same procedure?
 

> And, this command "signtool verify /v /pa /c
> x:\builds\b221\bin\Win10\amd64\viostor.cat
> x:\builds\b221\bin\Win10\amd64\viostor.sys
> x:\builds\b221\bin\Win10\amd64\viostor.inf", only when we added the new cert
> file, it'll work yes?
> 
Yes we need the new cert to be added to the trustedpublisher repository. Otherwive
the test will fail.

Best regards,
Vadim.

> Thanks~
> Peixiu
Comment 32 errata-xmlrpc 2022-11-15 10:46:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virtio-win bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8261