Additional Information for Windows Vista x64 Users Only
This section applies to the PC version of FreeOTFE, when run under the 64 bit (x64) version of Windows Vista only. This section does not apply to 64 bit PCs running the 32 bit version of Windows Vista, or when running the x64 version of Windows XP.
In order to protect its revenue streams generated by DRM protected content, Microsoft saw fit to require all drivers running under the 64 bit (x64) version of Windows Vista be digitally signed by Microsoft's root certificate.
Understandably, this presents a major problem for the overwhelming majority of free software projects which make use of kernel mode drivers and which, for obvious reasons, don't have such a digital certificate (read: haven't paid Microsoft, or one of their resellers, for such a certificate) to sign their drivers with.
For the same reason, FreeOTFE's drivers are not currently signed with a Microsoft certificate.
Fortunately, there are a number of methods of loading unsigned drivers under Windows Vista x64, without having to pay for a digital certificate, and these are summarised below.
As a consequence, it is possible to use FreeOTFE under Vista x64 by using the methods shown to be successful below.
A more long term solution (Microsoft signing) is being investigated.
Summary of Different Methods
Below is a table summarising the different methods of configuring Windows Vista x64 to allow it to run FreeOTFE.
For most users, Method 3: TESTSIGNING ON is recommended.
"Test Mode" on wallpaper
The method with "Yes" marked in this column indicates that the words "Test Mode" will be shown in each of the four corners of the desktop wallpaper. This is largely a cosmetic issue, and can be resolved using the directions indicated in the description of this method.
Junk messages shown on manual start
Those methods with "Yes" marked in this column indicate that MS Windows will pop up a message stating: "Windows requires a digitally signed driver" for each and every driver loaded - even though the drivers are digitally signed (albeit using self-certification).
If the drivers are started automatically on booting, these messages will not appear.
However, if the FreeOTFE drivers are started from the GUI (e.g. by starting portable mode), these messages will be shown. Since FreeOTFE's flexible architecture employs multiple drivers, this is hardly ideal as the user gets peppered with junk messages telling them what they're doing - as if they didn't already know!
The number of these messages shown can be minimised by removing all unused hash and cypher drivers.
Method 1: NOINTEGRITYCHECKS ON
Instructions:
- Open an elevated command prompt by either:
  - Clicking the "Start" button on the Windows taskbar, type CMD in the search box, and then press to run CMD with administrator privileges), or
  - Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
- Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
- In the command prompt window which appears, type:
  bcdedit.exe /set nointegritychecks ON
- Reboot the PC
Method 2: DDISABLE_INTEGRITY_CHECKS
Instructions:
- Open an elevated command prompt by either:
  - Clicking the "Start" button on the Windows taskbar, type CMD in the search box, and then press to run CMD with administrator privileges), or
  - Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
- Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
- In the command prompt window which appears, type:
  bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
  (Note: That's "DDISABLE", with two Ds, for "Driver Disable")
- Reboot the PC
This method will work, however installing Windows Vista x64 Service Pack 1 (SP1), or any of the following Windows Vista "hotfixes" will cause this method to cease working:
Uninstalling the above should allow this method to work again, though this is hardly ideal.
Note: This list of hotfixes was compiled from information taken from the following WWW sites:
Method 3: TESTSIGNING ON
Instructions:
- Open an elevated command prompt by either:
  - Clicking the "Start" button on the Windows taskbar, type CMD in the search box, and then press to run CMD with administrator privileges), or
  - Locating "cmd.exe" under C:\Windows\System32 in Windows Explorer, right-clicking on this executable and selecting "Run as Administrator" from the context menu
- Click "continue" or enter the administrator's password as appropriate and click "OK", when asked for permission to continue.
- In the command prompt window which appears, type:
  bcdedit.exe /set TESTSIGNING ON
- Reboot the PC
This method is probably the best solution, and allows FreeOTFE to run correctly. However, it does have a trivial side effect: The words "Test Mode" are shown in the four corners of the Desktop wallpaper after rebooting.
Although only a cosmetic issue, the words "Test Mode" may be removed from your background by using one of the following methods:
Alternatively, using Windows DreamScene (which allows videos to be shown as an animated desktop "wallpaper", instead of a static image) will prevent the "Test Mode" watermark being shown. DreamScene is intended for use with the "Ultimate" edition of Windows Vista, though other animated desktop solutions are available for users with other editions (e.g. Home or Business).
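Methods 1 to 3 each store a value in the boot configuration of the current boot entry, so it is useful to be able to check which of them is in effect on a given PC and how to switch it back. The following is an added example, not part of the FreeOTFE documentation: it parses the text printed by bcdedit for one boot entry and reports those three settings. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of bcdedit output for one boot entry (not captured from a real PC).
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
nx                      OptIn
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
"""

# Setting name -> (test on its value, method on this page, command that undoes it)
CHECKS = {
    "nointegritychecks": (lambda v: v.lower() in ("yes", "on"), "Method 1",
                          "bcdedit.exe /set nointegritychecks OFF"),
    "loadoptions": (lambda v: "DDISABLE_INTEGRITY_CHECKS" in v.upper().split(),
                    "Method 2", "bcdedit.exe /deletevalue loadoptions"),
    "testsigning": (lambda v: v.lower() in ("yes", "on"), "Method 3",
                    "bcdedit.exe /set TESTSIGNING OFF"),
}


def parse_entry(text):
    """Turn the 'name   value' lines of one boot entry into a dict keyed by lowercase name."""
    settings = {}
    for line in text.splitlines():
        # Section titles and the dashed rule have no run of two or more spaces, so they are skipped.
        match = re.match(r"^(\S+)\s{2,}(.*\S)\s*$", line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def signature_enforcement_findings(text):
    """Return (setting, value, method, undo command) for each relaxed setting present."""
    settings = parse_entry(text)
    findings = []
    for name, (is_relaxed, method, undo) in CHECKS.items():
        value = settings.get(name)
        if value is not None and is_relaxed(value):
            findings.append((name, value, method, undo))
    return findings


if __name__ == "__main__":
    for name, value, method, undo in signature_enforcement_findings(SAMPLE_BCDEDIT_OUTPUT):
        print(f"{name} = {value}  ({method}); undo with: {undo}")
```

The undo command for loadoptions removes the whole value, so any other load options set on that entry would need to be set again afterwards.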
Method 4: <F8> while booting
Instructions:
- Reboot the PC
- At the start of the boot sequence, press <F8>
- When prompted, select the "Disable Driver Signature Enforcement" option and press <ENTER>
Note: This method is not persistent, and its effect will cease the next time the PC is rebooted, unless this procedure is carried out again while rebooting. However, the "ReadyDriver Plus" method described below may be used to carry it out automatically.
Method 5: ReadyDriver Plus
"ReadyDriver Plus" is a piece of boot loader software which automatically carries out the "<F8> while booting" method of enabling driver loading.
Instructions:
- Download a copy of "ReadyDriver Plus" (v1.1 or later) from Citadel Industries
- Install the software
- Reboot the PC
Method 6: EasyBCD
Instructions:
- Download a copy of "EasyBCD" (v1.7 or later; tested with v1.7.2) from NeoSmart Technologies
- Install the software
- Run EasyBCD
- Click the "Advanced Options" button
- Check the "Allow unsigned driver installation on Vista 64-Bit Edition" checkbox
- Click "Apply Settings"
- Reboot the PC
Although NeoSmart Technologies implemented some functionality to allow the use of "unsigned" drivers under Windows Vista x64, testing shows this appears limited to setting DDISABLE_INTEGRITY_CHECKS (see method above) via a pretty GUI - despite their change log claims to "Allow 100% of unsigned drivers to run on Vista 64-Bit Edition". Support for this functionality was effectively dropped in August 2008.
Because of this, it is recommended that Method 2: DDISABLE_INTEGRITY_CHECKS be employed rather than EasyBCD, since EasyBCD offers no significant advantages.
Method 7: Signing with a Microsoft certificate
This method requires signing the FreeOTFE drivers with a Microsoft certificate, as opposed to the self certified signature currently used in the release.
There are currently two ways of signing the FreeOTFE drivers:
- Find someone with a digital certificate, and ask them to sign the release (not ideal).
- Find someone prepared to finance buying a digital certificate (circa 450 EUR for three years?!!) which could be used.
The latter would probably be the best long term solution; offers of help would be gratefully received - please get in contact!