Windows Hello: Steps to Submit a Fingerprint Driver

Submitting a fingerprint driver for Windows Hello compatibility

Microsoft has introduced new requirements on biometric sensors to comply with Windows Hello quality guidelines. A new manual review process will be necessary to gain approval to interoperate with Windows Hello. The process will be enforced with an OS check for a specific signature obtained through the Windows DevCenter (here: https://developer.microsoft.com/) that can only be obtained by undergoing the process in this document. Drivers that have been created and signed by WHQL before 6/1/17 are grandfathered. New and updated drivers that do not obtain this signature after this date will not work with Windows Hello in Windows 10, version 1703 or later after the enforcement date.

A driver will always undergo manual approval to obtain the Windows Hello signature. Updates to approved drivers can refer to previous submissions for faster approval. A driver must undergo a new review if it applies to a new sensor, or if changes to the matching engine have occurred that impact FAR, FRR, or presentation attack detection.

The biometric signature enforcement date is 6/1/2017, after which drivers that do not contain the bio signature will not be loaded and will no longer work with Windows Hello.

Step One: Create a biometric driver

Follow the instructions here to create a biometric driver:

Windows Biometric Framework

Step Two: Test your sensor and self-validate

Self-validate the sensor and driver to ensure they meet Microsoft's biometric requirements and report findings in the Fingerprint Security Review Template. Documents for the requirements and template can be found within the Fingerprint partner package on Connect. If you do not have access to Connect, contact your Microsoft representative.

Step Three: Modify the driver configuration xml file

When you submit your driver, the Windows 10, version 1703 Fingerprint HLK test will check to ensure that the <vendorCompliance> and <securityReview> tags are included with the following fields:

bugId: ID number for the previous HLK submission that contains the previously approved security review information, or 0 if the submission is undergoing an entirely new security review.

updateExistingSubmission: true if the submission serves as an update to a previous submission that has undergone the security review, and false otherwise.

Example

<?xml version="1.0" encoding="utf-8"?>
<bioTestConfiguration version="0" runOptional="false" runInteractive="true" abortOnFailure="false" manualStep="false" priority="3" logType="WTT">
 <vendorCompliance>
   <securityReview bugId="12345678" updateExistingSubmission="true"/>
 </vendorCompliance>
 <testSuites>
   <testSuite deviceRequired="false" id="StorageAdapter">
     <library>storagetest.dll</library>
     <description>storage Adapter Test Suite</description>
   </testSuite>
 </testSuites>
 <deviceInfo>
        <sensorAdapterLib>WinbioSensorAdapter.dll</sensorAdapterLib>
        <engineAdapterLib>vcsWBFEngineAdapter.dll</engineAdapterLib>
        <storageAdapterLib>winbiostorageadapter.dll</storageAdapterLib>
        <indicatorSupported>0</indicatorSupported>
        <supportedModes>
            <supportedMode>0x01</supportedMode>
        </supportedModes>
        <supportedPurposes>
            <supportedPurpose>0x01</supportedPurpose>
            <supportedPurpose>0x02</supportedPurpose>
            <supportedPurpose>0x04</supportedPurpose>
        </supportedPurposes>
 </deviceInfo>
</bioTestConfiguration>

Step Four: Modify the driver configuration inf

Biometric driver packages will need to be submitted to the new DevCenter portal to obtain the required Windows Hello signature and be uploaded to WU. Packages will need to include specific properties in the driver INF file to properly specify the adaptor DLLs that obtain the digital signature. The following example demonstrates the formatting to obtain the bio signature on adaptor binaries and their related libraries.

For example, if the driver package contained a sensor, engine, and storage adaptor named sensor.dll, engine.dll, and storage.dll respectively, and one of them loaded stringparser.dll, then to obtain the bio signature on each one, the INF file would have to include the following components:

[SignatureAttributes]
sensor.dll = SignatureAttributes.WindowsHello
engine.dll = SignatureAttributes.WindowsHello
storage.dll = SignatureAttributes.WindowsHello
stringparser.dll = SignatureAttributes.WindowsHello

[SignatureAttributes.WindowsHello]
WindowsHello = true

This step is the most important for making sure your driver receives the proper certification. All third-party biometric adaptor files and any third-party DLLs loaded by these adaptors will need to be labeled and included in this manner if they are to obtain the biometric signature when submitted to DevCenter.
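A pre-submission check for the step 3 and step 4 settings, as an added example (not Microsoft's HLK test and not code from the original page): it lists required DLLs that the INF does not mark with SignatureAttributes.WindowsHello and flags a securityReview element whose fields contradict their descriptions. The function names, the sample data, the simplified INF parsing and the bugId/updateExistingSubmission consistency rule are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

HELLO = "signatureattributes.windowshello"  # section name, compared lowercased

def parse_inf(inf_text):
    """Parse INF text into {section: {key: value}}, everything lowercased."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' only starts comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return sections

def files_missing_hello_attribute(inf_text, required_files):
    """Return the required files the INF does not mark for the Windows Hello signature."""
    sections = parse_inf(inf_text)
    enabled = sections.get(HELLO, {}).get("windowshello") == "true"
    marked = sections.get("signatureattributes", {})
    return [f for f in required_files if not enabled or marked.get(f.lower()) != HELLO]

def security_review_problems(xml_text):
    """Check <securityReview> against the field descriptions in step 3."""
    node = ET.fromstring(xml_text).find("./vendorCompliance/securityReview")
    if node is None:
        return ["vendorCompliance/securityReview element is missing"]
    bug_id, update = node.get("bugId"), node.get("updateExistingSubmission")
    valid_id = bug_id is not None and bug_id.isdecimal()
    problems = [] if valid_id else ["bugId must be a submission ID number or 0"]
    if update not in ("true", "false"):
        problems.append("updateExistingSubmission must be true or false")
    elif valid_id and int(bug_id) == 0 and update == "true":
        problems.append("bugId 0 means a new review, but updateExistingSubmission is true")
    return problems

# Constructed sample: the INF from step 4 with stringparser.dll left out.
REQUIRED = ["sensor.dll", "engine.dll", "storage.dll", "stringparser.dll"]
SAMPLE_INF = ("[SignatureAttributes]\nsensor.dll = SignatureAttributes.WindowsHello\n"
              "engine.dll = SignatureAttributes.WindowsHello\n"
              "storage.dll = SignatureAttributes.WindowsHello ; storage adapter\n"
              "[SignatureAttributes.WindowsHello]\nWindowsHello = true\n")
SAMPLE_XML = ('<bioTestConfiguration><vendorCompliance><securityReview bugId="0" '
              'updateExistingSubmission="true"/></vendorCompliance></bioTestConfiguration>')
print(files_missing_hello_attribute(SAMPLE_INF, REQUIRED))
print(security_review_problems(SAMPLE_XML))
```

The list of required files has to come from the driver author, because it must include every third-party DLL the adapters load, not only the adapters themselves.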

Step Five: Run the HLK test suite

The HLK tests will make sure the modifications described in steps 3 and 4 have been made and will fail if the configuration information is not there. When packaging the final HLK in HLK studio, include the security review template submitted in the bug as a supplemental file.

Step Six: Submit the driver package and HLK logs

Submit the packaged HLK file to DevCenter for review. The feature team within Microsoft will be notified of the submission when it reaches the manual review process. The team will review the submitted template in the HLK package to make sure the self-validated information meets Microsoft's biometric requirements.

Step Seven: Wait for Microsoft approval and signing

Microsoft will approve the submission provided it meets all biometric requirements. Obtaining the biometric signature is not certification that the driver will work with Windows Hello. For example, a file that is checked for the signature could have been left out of the INF configuration file. If this file is loaded at the time the OS enforces the signature, the load will fail and the driver will not operate with Windows Hello. The signed driver should be tested by the IHV and OEM to ensure it works in the collective system.

Step Eight: Update an existing driver

If an update to a previously signed driver needs to be made, follow the instructions under step 3 for filling in the bugId and updateExistingSubmission fields in the driver configuration xml for the updated driver. If an update is being made to a grandfathered driver, the same steps should be used. The bugId field should be set to the submission ID of the grandfathered driver and the updateExistingSubmission field should be set to true. The driver configuration xml should be included in the driver package that is submitted.
