3D accelerated machines crash on reboot

Discussions related to using VirtualBox on Windows hosts.
sbrblz
Posts: 6
Joined: 26. Jan 2021, 04:25

Re: 3D accelerated machines crash on reboot

Post by sbrblz »

Will those of us running VirtualBox with older video cards no longer be able to use 3d acceleration? The last driver for my card, 560m was 391.35 released in 2018. Because of stupid hardening issues 3d acceleration doesn't work and the guest crashes. I had originally thought it was a problem with my Windows 7 guest but after setting up a Windows 10 guest I decided to look into this crash and came upon several threads about recent Nvidia drivers having certificate issues. Unfortunately since my video driver is old it is considered expired so it seems it will never be accepted by VirtualBox. Seems a bit stupid the way that Oracle set up hardening in VirtualBox.


00:00:06.956780 supR3HardenedErrorV: supR3HardenedScreenImage/LdrLoadDll: rc=VERR_CR_PKCS7_KEY_USAGE_MISMATCH fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: fKeyUsage=0x0, missing 0x1: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
00:00:06.956991 supR3HardenedErrorV: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll' (C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll): rcNt=0xc0000190
00:00:06.957540 supR3HardenedErrorV: supR3HardenedScreenImage/NtCreateSection: cached rc=VERR_CR_PKCS7_KEY_USAGE_MISMATCH fImage=1 fProtect=0x2 fAccess=0x5 cHits=1 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
00:00:06.957835 supR3HardenedErrorV: supR3HardenedScreenImage/NtCreateSection: cached rc=VERR_CR_PKCS7_KEY_USAGE_MISMATCH fImage=1 fProtect=0x2 fAccess=0x5 cHits=2 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll


1874.714: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: Owner is administrators group.
1874.714: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: Signature #1/2: Unknown Status -23303 (0xffffa4f9) w/ timestamp=0x5ab58293/link.
1874.714: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb6cc40000 'C:\Windows\system32\rsaenh.dll'
1874.714: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb6dc80000 'C:\Windows\System32\crypt32.dll'
1874.714: supHardenedWinVerifyImageByHandle: -> -23303 (\Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll) WinVerifyTrust
1874.714: Error (rc=0):
1874.714: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -23303 (0xffffa4f9) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: fKeyUsage=0x0, missing 0x1: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
1874.714: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
1874.714: Error (rc=0):
1874.714: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll' (C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll): rcNt=0xc0000190
1874.714: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll'
1874.714: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb6f630000 'C:\Windows\System32\gdi32.dll'
1874.714: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status -23303 (0xffffa4f9)) on \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
1874.714: Error (rc=0):
1874.714: supR3HardenedScreenImage/NtCreateSection: cached rc=Unknown Status -23303 (0xffffa4f9) fImage=1 fProtect=0x2 fAccess=0x5 cHits=1 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
1874.714: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status -23303 (0xffffa4f9)) on \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
1874.714: Error (rc=0):
1874.714: supR3HardenedScreenImage/NtCreateSection: cached rc=Unknown Status -23303 (0xffffa4f9) fImage=1 fProtect=0x2 fAccess=0x5 cHits=2 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
Asking elsewhere I was recommended "Thincast Workstation", which is a fork of VirtualBox by the FreeRDP guys with a redesigned 3d layer that supposedly adds DirectX support to guests and I believe gives direct access to host GPU. Apparently this is only for Windows 7 and up guests and I'm not sure if they have any sort of 3d support for other operating systems such as Linux, which might not make it worth it if you have both Linux and Windows guests. It's hard to find more information about this fork besides their website and I'm surprised I didn't find any mentions in the VirtualBox forums.
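Added example, not part of the original posts: a small Python triage of the hardening messages quoted above, grouping screening failures and loader rejections per DLL so that the VBox.log and VBoxHardening.log views of the same failure line up. The sample lines are copied from the excerpts in the post; the regular expressions and the names `triage` and `dll_name` are this example's own assumptions about the log layout.

```python
import re
from collections import defaultdict

# Four lines copied from the VBox.log / VBoxHardening.log excerpts in the post above.
SAMPLE_LOG = r"""
00:00:06.956780 supR3HardenedErrorV: supR3HardenedScreenImage/LdrLoadDll: rc=VERR_CR_PKCS7_KEY_USAGE_MISMATCH fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: fKeyUsage=0x0, missing 0x1: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
00:00:06.956991 supR3HardenedErrorV: supR3HardenedMonitor_LdrLoadDll: rejecting 'C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll' (C:\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll): rcNt=0xc0000190
1874.714: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffb6dc80000 'C:\Windows\System32\crypt32.dll'
1874.714: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -23303 (0xffffa4f9) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll: fKeyUsage=0x0, missing 0x1: \Device\HarddiskVolume2\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_1474122a0ce2f241\nvldumdx.dll
"""

# Screening result: API name, rc text, NT device path, optional key-usage detail.
SCREEN = re.compile(
    r"supR3HardenedScreenImage/(\w+): (?:cached )?rc=(.+?) fImage=.*?"
    r"(\\Device\\.+?\.dll)(?:: fKeyUsage=(0x[0-9a-fA-F]+), missing (0x[0-9a-fA-F]+))?")
# Loader decision: Win32 path of the rejected DLL and the NTSTATUS returned.
REJECT = re.compile(r"LdrLoadDll: rejecting '(.+?)' .*rcNt=(0x[0-9a-fA-F]+)")


def dll_name(path):
    # Screening lines use NT device paths and reject lines use drive-letter
    # paths, so key the report on the lower-cased file name.
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return {dll: {"rcs", "key_usage", "missing", "rejected"}} for DLLs that failed screening."""
    report = defaultdict(
        lambda: {"rcs": set(), "key_usage": None, "missing": None, "rejected": None})
    for line in log_text.splitlines():
        m = SCREEN.search(line)
        if m:
            _api, rc, path, usage, missing = m.groups()
            entry = report[dll_name(path)]
            entry["rcs"].add(rc)
            if usage is not None:
                entry["key_usage"], entry["missing"] = int(usage, 16), int(missing, 16)
            continue
        m = REJECT.search(line)
        if m:
            report[dll_name(m.group(1))]["rejected"] = m.group(2)
    return dict(report)


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, sorted(info["rcs"]), hex(info["key_usage"]),
              "missing", hex(info["missing"]), "rcNt", info["rejected"])
```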
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: 3D accelerated machines crash on reboot

Post by mpack »

The problem discussed above has nothing to do with the choice of graphics card.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: 3D accelerated machines crash on reboot

Post by scottgus1 »

sbrblz wrote:Seems a bit stupid the way that Oracle set up hardening in VirtualBox.
The "Hardening" link at the beginning of this topic explains what hardening is, why it is needed and how it works. It comes down to there being bad guys with computers in this world, and the likelihood of these bad guys not publicly identifying their nasty programs by security-signing them.

We did have some issues where for one reason or another the security signing hashes for some Nvidia drivers were not valid anymore. The devs apparently found a way around some of the problem and new drivers from Nvidia were needed.

If you can't get new drivers from Nvidia or convince them that they need to re-sign the driver dll's fingered in the error message, then yes you won't be able to run 3D acceleration in VirtualBox.
sbrblz
Posts: 6
Joined: 26. Jan 2021, 04:25

Re: 3D accelerated machines crash on reboot

Post by sbrblz »

scottgus1 wrote: The "Hardening" link at the beginning of this topic explains what hardening is, why it is needed and how it works. It comes down to there being bad guys with computers in this world, and the likelihood of these bad guys not publicly identifying their nasty programs by security-signing them.

We did have some issues where for one reason or another the security signing hashes for some Nvidia drivers were not valid anymore. The devs apparently found a way around some of the problem and new drivers from Nvidia were needed.

If you can't get new drivers from Nvidia or convince them that they need to re-sign the driver dll's fingered in the error message, then yes you won't be able to run 3D acceleration in VirtualBox.
The problem isn't so much hardening but the way that Oracle decided to implement it. There is no way to whitelist or bypass the issue for dlls that we need to load. Based on the other threads, the fix that Oracle implemented was that as long as it had 1 valid signature, it would accept the dll, since the case was always that the Nvidia certificate was invalid but the Microsoft one was ok. The file that gets flagged in my case has a valid signature from Microsoft, the only reason I can see that it would get flagged is because the certificate says it's valid until 11/1/18. We can't expect manufacturers to keep supporting old video cards indefinitely and the last driver to be released for this video card works perfectly fine. In fact 3d acceleration did work at one point years ago with VirtualBox hardening.
mpack wrote:The problem discussed above has nothing to do with the choice of graphics card.
Can you elaborate? When I stated old video cards I meant video cards that no longer receive driver updates. I'm assuming old drivers have expired certificates and hence why VirtualBox would refuse to load the dlls. The dll in my case has a Microsoft certificate. I would assume the proper way to handle old drivers would be to see if the certificate was valid at the time of signing and the "valid to" date would be irrelevant. If new drivers need to be issued by Nvidia it implies there's a certificate issue correct? Can't say I know too much on how certificate signing works for drivers so if I'm way off base any proper guidance would be appreciated. The general feel I'm getting is that barring any new drivers 3d acceleration is most likely no longer an option for me with VirtualBox, which is very unfortunate since guest interfaces tend to get laggy without it. I had to add another virtual cpu to Windows 10 guest to offset it a bit.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: 3D accelerated machines crash on reboot

Post by mpack »

The validity of a certificate has nothing to do with the age of the driver. If the certificate was valid when used, it is valid forever.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: 3D accelerated machines crash on reboot

Post by fth0 »

mpack wrote:The validity of a certificate has nothing to do with the age of the driver. If the certificate was valid when used, it is valid forever.
Not exactly. The code signing certificate is only valid as long as the timestamping certificate is valid, which usually has a much longer validity (e.g. 10, 15 or 20 years). And in reality, even that is debatable: For example, would you trust a certificate today which was (allegedly) signed with MD5 15 years ago?

But I think we have a different situation here:
sbrblz wrote:VERR_CR_PKCS7_KEY_USAGE_MISMATCH
Can you provide the complete log files VBox.log and VBoxHardening.log?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: 3D accelerated machines crash on reboot

Post by mpack »

If it's a different situation then sbrblz needs to start his own topic.
sbrblz
Posts: 6
Joined: 26. Jan 2021, 04:25

Re: 3D accelerated machines crash on reboot

Post by sbrblz »

fth0 wrote:Can you provide the complete log files VBox.log and VBoxHardening.log?
I recently upgraded to the latest version of VirtualBox and reinstalled graphics drivers just in case. With 3d acceleration on, guest managed to boot albeit at 1024x768 resolution and then blue screened, after which the guest crashed in VirtualBox. Logs attached. Previously the guest would boot ok but the VirtualBox graphics card would show the yellow exclamation mark in device manager and would crash on reboot.
mpack wrote:If it's a different situation then sbrblz needs to start his own topic.
I posted in this topic since I was facing similar issues (guest crashed on reboot with 3d acceleration), similar graphics card and drivers (630m on drivers 391.35 for OP vs 560m on drivers 391.35 for mine) with the same error in the logs (VERR_CR_PKCS7_KEY_USAGE_MISMATCH for an Nvidia dll). I probably misunderstood the problem but I felt it was redundant to open a new topic with so many similarities. I feel we both have the same issue. Of course I can start a new thread if need be.
Attachments
vbox-logs.zip
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: 3D accelerated machines crash on reboot

Post by fth0 »

Well, after taking a second look, I can confirm that both users have the same problem, but it's not exactly the problem that was solved in VirtualBox 6.1.16, but (*) rather another problem with invalid certificates:

NVIDIA used a certificate with a KeyUsage extension without any of the key usage bits set. A certificate without the KeyUsage extension may be used for all purposes, but a certificate with the KeyUsage extension may only be used for the key usages indicated. Therefore, the NVIDIA certificate is not a valid code signing certificate, and rejected by the VirtualBox hardening implementation.

(*) In the German language, I would have used the words "aber" and "sondern" instead of using "but" twice. What would be a better English language construction?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: 3D accelerated machines crash on reboot

Post by scottgus1 »

fth0 wrote:What would be a better English language construction?
I'd go with 2 sentences:
fth0 wrote: I can confirm that both users have the same problem. However it's not exactly the problem that was solved in VirtualBox 6.1.16, but rather another problem with invalid certificates
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: 3D accelerated machines crash on reboot

Post by fth0 »

@scottgus1: "However" sounds much better, even to my ears. Thanks for the lesson. ;)
sbrblz
Posts: 6
Joined: 26. Jan 2021, 04:25

Re: 3D accelerated machines crash on reboot

Post by sbrblz »

fth0 wrote:Well, after taking a second look, I can confirm that both users have the same problem, but it's not exactly the problem that was solved in VirtualBox 6.1.16, but (*) rather another problem with invalid certificates:

NVIDIA used a certificate with a KeyUsage extension without any of the key usage bits set. A certificate without the KeyUsage extension may be used for all purposes, but a certificate with the KeyUsage extension may only be used for the key usages indicated. Therefore, the NVIDIA certificate is not a valid code signing certificate, and rejected by the VirtualBox hardening implementation.
That's a bummer, I guess the takeaway is that a company as big as Nvidia should know how to sign their drivers properly, and Oracle should allow us to whitelist drivers/dlls, or other similar action. Shouldn't the fix introduced in VirtualBox recently be able to fix this though? It was my understanding that VirtualBox would use the alternate Microsoft certificate if the first Nvidia one was invalid.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: 3D accelerated machines crash on reboot

Post by fth0 »

sbrblz wrote:Shouldn't the fix introduced in VirtualBox recently be able to fix this though? It was my understanding that VirtualBox would use the alternate Microsoft certificate if the first Nvidia one was invalid.
It looks like VirtualBox distinguishes between different types of errors: Using an otherwise valid certificate outside of its validity period is one thing, but using a certificate that is not standard compliant (RFC 5280, X.509) is something else. I'll admit that you could call it picky, though.

Since the Oracle VirtualBox development is clearly profit oriented - I've read that several times in the VirtualBox forums -, and older NVIDIA graphics cards will probably not create a relevant business case, I wouldn't hold my breath.
sbrblz
Posts: 6
Joined: 26. Jan 2021, 04:25

Re: 3D accelerated machines crash on reboot

Post by sbrblz »

fth0 wrote:Since the Oracle VirtualBox development is clearly profit oriented - I've read that several times in the VirtualBox forums -, and older NVIDIA graphics cards will probably not create a relevant business case, I wouldn't hold my breath.
You would think that it would be the other way around, since businesses/corporations like to keep old systems/legacy hardware running for a long time, accommodations for such cases would seem to be a given. Same reason why enterprise versions of Windows 10 easily allowed postponing updates/disabling updates compared to home versions, since stability is preferred to the latest features.
bird
Oracle Corporation
Posts: 127
Joined: 10. May 2007, 10:27

Re: 3D accelerated machines crash on reboot

Post by bird »

I've relaxed the code so it shouldn't get upset when it sees this problematic nvldumdx.dll (and other similar ones). Will just ignore the nvidia signature and use the 2nd signature from microsoft to verify the DLL. Hope to put out a test build next week, the fix will be included in the next release.

Cheers,
bird.
Knut St. Osmundsen
Oracle Corporation
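Added example, not VirtualBox source code and not written by anyone in this thread: a simplified Python model of the KeyUsage rule fth0 describes and of the two verification policies discussed (reject on a defect in signature #1, versus skip the defective signature and rely on the second). The `Signature` type, the function names and the mapping of the log's "missing 0x1" bit to digitalSignature are assumptions of this example; the two sample signatures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the bit the log reports as "missing 0x1" is digitalSignature.
DIGITAL_SIGNATURE = 0x1


@dataclass
class Signature:
    signer: str
    chain_ok: bool            # hash, chain and timestamp checks, assumed done elsewhere
    key_usage: Optional[int]  # None: no KeyUsage extension; int: bits set in the extension


def missing_key_usage(key_usage: Optional[int], required: int = DIGITAL_SIGNATURE) -> int:
    """Required usage bits the certificate does not grant (0 means usable)."""
    if key_usage is None:      # extension absent: every usage is allowed
        return 0
    return required & ~key_usage  # extension present: only the listed bits count


def signature_ok(sig: Signature) -> bool:
    return sig.chain_ok and missing_key_usage(sig.key_usage) == 0


def verify_first_error_fatal(sigs: List[Signature]) -> bool:
    """Model of the behaviour in the logs: a defect in signature #1 rejects the image."""
    return bool(sigs) and signature_ok(sigs[0])


def verify_skip_defective(sigs: List[Signature]) -> bool:
    """Model of the relaxation: a defective signature is ignored, but at least
    one signature must still pass every check, so an image carrying only the
    defective signature stays rejected."""
    return any(signature_ok(s) for s in sigs)


# Constructed inputs mirroring the thread: signature 1 has an empty KeyUsage extension.
NVIDIA = Signature("NVIDIA", chain_ok=True, key_usage=0x0)
MICROSOFT = Signature("Microsoft", chain_ok=True, key_usage=DIGITAL_SIGNATURE)

if __name__ == "__main__":
    dll = [NVIDIA, MICROSOFT]
    print("fKeyUsage=0x0, missing", hex(missing_key_usage(NVIDIA.key_usage)))
    print("first error fatal:", verify_first_error_fatal(dll))
    print("skip defective:   ", verify_skip_defective(dll))
    print("NVIDIA only:      ", verify_skip_defective([NVIDIA]))
```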