nvd3dumx.dll certificate not valid

Discussions related to using VirtualBox on Windows hosts.
Seth-Griffin
Posts: 3
Joined: 16. Jul 2020, 16:36

nvd3dumx.dll certificate not valid

Post by Seth-Griffin »

I have installed the latest GeForce GTX 680 driver (451.67 WHQL) and after that I cannot use the Oracle Virtual Box in 3D acceleration mode; it gives a warning message that my VM is running in software rendering mode when using Cinnamon desktop environment.

My VBox settings:
  • VRAM: 128 MB
  • 3D Acceleration: Enabled
  • VM: Debian (Buster) 64 bits
  • VBox Guest Additions: 6.1.12 r139181
  • Virtual Box: 6.1.12 r139181
The Virtual Box log says that it cannot load the nvd3dumx.dll because the certificate is not valid. I checked this dll in the System32 directory and found that the certification of the nvd3dumx.dll is not really valid.
Is there a solution for this problem so I can use the 3D acceleration mode in Virtual Box?
Attachments: nvd3dumx.JPG (dll not loaded), VBox_log.JPG (VBox log), dll.JPG (Certificate not valid)
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: nvd3dumx.dll certificate not valid

Post by mpack »

It's not lying. You need to upgrade or downgrade your NVidia drivers, or disable 3D acceleration.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: nvd3dumx.dll certificate not valid

Post by scottgus1 »

Nvidia's file is missing a portion of its security signing. This has been showing up here for a week-ish. Get on Nvidia's help channels or forums to see if someone has let them know and add your voice.

If you cannot downgrade the Nvidia drivers, you will have to turn off 3D acceleration to get the guests running again.
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: nvd3dumx.dll certificate not valid

Post by fth0 »

scottgus1 wrote: Get on Nvidia's help channels or forums to see if someone has let them know
NVIDIA has known about the problem since the 1st of July, see "nVidia Driver 451.48 appears to break VirtualBox 3D Acceleration on Windows 10 1909".
Seth-Griffin
Posts: 3
Joined: 16. Jul 2020, 16:36

Re: nvd3dumx.dll certificate not valid

Post by Seth-Griffin »

I have also posted this same issue in the NVidia Forum. The Guest Additions is working because I can set Full Screen, only 3D acceleration doesn't. If there was a way to turn off the VBox certification check it would be nice.
Here are older drivers for my VGA. I'll try to downgrade and I will post the results here as soon as I get them.
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: nvd3dumx.dll certificate not valid

Post by fth0 »

The driver version 446.14 will probably work, whereas the driver versions 451.(48|58|67|85) and 452.06 will not.
Last edited by fth0 on 18. Aug 2020, 13:02, edited 2 times in total.
Seth-Griffin
Posts: 3
Joined: 16. Jul 2020, 16:36

Re: nvd3dumx.dll certificate not valid

Post by Seth-Griffin »

fth0 wrote: The driver version 446.14 will probably work, whereas the driver versions 451.48, 451.58 and 451.67 will not.
Exactly! I installed 446.14 and it works swiftly! I also noted that the Signatory Name of the nvd3dumx.dll of this version is different: GlobalSign TSA for MS Authenticode - G2
For the latest version the Signatory Name is Symantec Time...
Attachment: DLL Loaded.JPG (It Worked!)
squall leonhart
Posts: 312
Joined: 21. Apr 2010, 10:39
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Windows XP, 8, 10, Android x86

Re: nvd3dumx.dll certificate not valid

Post by squall leonhart »

This problem is actually a defect in Oracle's hardening implementation, but a driver change has caused it to rear its ugly head again.

The rejection is due to a half arsed signature verification that relies only on access to the certificate root store.
Similarly, when you view the certificate chain of the NVIDIA Corporation-PE-Prod-Sha1 in Properties, it displays that the chain cannot be verified because of this fact.

The Root Authority that cannot be verified is in fact embedded in the kernel, in ci.dll to be exact, this is the case right back to Windows Vista and remains the case in Windows 10.

The root authority to be specific is "Microsoft Digital Media Authority 2005"
Attachment: CzPKk-YXUAAD_pf[1].jpg
If the Oracle dev who originally introduced this hardening was worth his salt, he would have checked against subsequent digital signatures (in this case, the sha256 WHQL certificate) before rejecting the file, or loading ci.dll for its exported root authorities as well to have access to the whole set of Microsoft trusted root certificates.
scottgus1 wrote: Nvidia's file is missing a portion of its security signing.

No, it isn't.
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: nvd3dumx.dll certificate not valid

Post by fth0 »

squall leonhart wrote: signature verification that relies only on access to the certificate root store
Your analysis is not correct IMHO. The root authority "Microsoft Digital Media Authority 2005" doesn't pose a problem. Otherwise, the older NVIDIA drivers would also be rejected.

The real problem (as you've also mentioned) is that VirtualBox requires all signatures to be valid, not only one of them. Whether this makes sense from an overly hardening point of view, is of course debatable.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: nvd3dumx.dll certificate not valid

Post by scottgus1 »

squall leonhart wrote:
scottgus1 wrote: Nvidia's file is missing a portion of its security signing.
no it isn't.
Yeah, fth0 also mentioned that there's more to it than my basic understanding of the problem. But I suspect that the average Virtualbox user is down near my level of understanding of the subject. :lol:

For the average folks, I figure a quick "the file is bad get a new or older one" hopefully will get their Virtualbox going again.
squall leonhart
Posts: 312
Joined: 21. Apr 2010, 10:39
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Windows XP, 8, 10, Android x86

Re: nvd3dumx.dll certificate not valid

Post by squall leonhart »

fth0 wrote:
squall leonhart wrote: signature verification that relies only on access to the certificate root store
Your analysis is not correct IMHO. The root authority "Microsoft Digital Media Authority 2005" doesn't pose a problem. Otherwise, the older NVIDIA drivers would also be rejected.

The real problem (as you've also mentioned) is that VirtualBox requires all signatures to be valid, not only one of them. Whether this makes sense from an overly hardening point of view, is of course debatable.
Digital signing is a multitier thing; the expiry on one certificate is made irrelevant by additional countersignatures on the file. Where Windows is concerned, the single sha1 would fail to start on its own on Windows, but the countersignatures and being from a kernel root authority make the expiration ignored.

Review: https://stackoverflow.com/questions/347 ... the-kernel

Check the rejected dll with signtool with the /all /pa or /all /kp switches and you will now see that all is fine; it is VirtualBox that is using a minimalistic and easily broken method of verifying signatures.

If VirtualBox was checking up the entire certificate chain, it would see all is fine; the countersignatures are timestamped, which keeps the NVIDIA prod certificate valid.
scottgus1 wrote:
squall leonhart wrote:
scottgus1 wrote: Nvidia's file is missing a portion of its security signing.
no it isn't.
Yeah, fth0 also mentioned that there's more to it than my basic understanding of the problem. But I suspect that the average Virtualbox user is down near my level of understanding of the subject. :lol:

For the average folks, I figure a quick "the file is bad get a new or older one" hopefully will get their Virtualbox going again.
Trouble is, the file isn't old,
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: nvd3dumx.dll certificate not valid

Post by fth0 »

Ok, I now see that the two of us can go into even more detail. ;)

First of all, I've overlooked the aspect that the older NVIDIA drivers can still be used today (as a workaround), so I must have understood something wrong reading the VirtualBox source code. Rethinking the situation, I now come to a new conclusion regarding the handling of the NVIDIA certificates and the corresponding countersignatures. Please tell me if the following matches your understanding:

1. The older NVIDIA drivers (446.14) are signed by the newer but expired NVIDIA certificate (valid until June 2020). The countersignature was created during the validity period of the NVIDIA certificate. The NVIDIA drivers are accepted by the VirtualBox hardening code in July 2020 (as is the root authority "Microsoft Digital Media Authority 2005").

2. The newer NVIDIA drivers (451.48|58|67) are signed by the older and expired NVIDIA certificate (valid until July 2019). The countersignature was created after the validity period of the NVIDIA certificate (July 2020). The NVIDIA drivers are rejected by the VirtualBox hardening code in July 2020.

Do you know any information source that discusses countersigning signatures created with already expired certificates?
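The two cases in the post above, modelled as an added example (not part of the original thread and not VirtualBox's hardening code): it checks whether each countersignature time falls inside the signer certificate's validity period, and contrasts the "all signatures must be valid" and "any valid signature" policies debated earlier in the thread. The exact days, the second sha256 signature's dates and all names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Signature:
    label: str
    not_before: datetime           # signer certificate validity start
    not_after: datetime            # signer certificate validity end
    timestamp: Optional[datetime]  # countersignature time, None if not timestamped


def time_valid(sig, now):
    """Authenticode timing rule: a timestamped signature is judged at the
    countersignature time, an untimestamped one at the current time."""
    at = sig.timestamp if sig.timestamp is not None else now
    return sig.not_before <= at <= sig.not_after


def file_accepted(sigs, now, policy):
    """policy 'all': every signature must pass; 'any': one passing is enough."""
    results = [time_valid(s, now) for s in sigs]
    return bool(results) and (all(results) if policy == "all" else any(results))


# Constructed sample data: months follow the post above, exact days are invented.
NOW = utc(2020, 7, 16)
OLD_DRIVER = [  # 446.14: certificate valid until June 2020, countersigned before expiry
    Signature("sha1", utc(2018, 6, 1), utc(2020, 6, 30), utc(2020, 5, 20)),
]
NEW_DRIVER = [  # 451.x: certificate valid until July 2019, countersigned July 2020
    Signature("sha1", utc(2016, 7, 1), utc(2019, 7, 31), utc(2020, 7, 7)),
    # Second (sha256) signature, assumed here to be within its validity period.
    Signature("sha256", utc(2020, 1, 1), utc(2021, 6, 30), utc(2020, 7, 7)),
]

if __name__ == "__main__":
    for name, sigs in (("446.14", OLD_DRIVER), ("451.x", NEW_DRIVER)):
        for policy in ("all", "any"):
            print(name, policy, file_accepted(sigs, NOW, policy))
```

Under these assumptions the older driver passes either policy, while the newer one passes only when a single valid signature is enough.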
jacobd
Posts: 15
Joined: 24. Feb 2020, 10:46

Re: nvd3dumx.dll certificate not valid

Post by jacobd »

As discussed in this thread: viewtopic.php?f=3&t=98777
NVIDIA are advising that their digital signing is not incorrect and that VirtualBox should take a look at the way the hardening code is implemented to resolve this issue.

I can see we have a bug report open here: https://www.virtualbox.org/ticket/19743
If anyone has something in writing from NVIDIA discussing the issue, it would be great to add it to that bug.
jacobd
Posts: 15
Joined: 24. Feb 2020, 10:46

Re: nvd3dumx.dll certificate not valid

Post by jacobd »

New NVIDIA hotfix driver just released, if anyone has time to take a look and see if the issue persists: https://nvidia.custhelp.com/app/answers ... /a_id/5046
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: nvd3dumx.dll certificate not valid

Post by fth0 »

jacobd wrote: NVIDIA are advising that their digital signing is not incorrect
Where exactly is this stated?
jacobd wrote: New NVIDIA hotfix driver just released
NVIDIA still used the expired certificate when signing the 451.85 NVIDIA drivers.

Note that I don't take sides regarding this topic. NVIDIA and Oracle both do things that are debatable, and both could do better IMHO. I'm just trying to stick to the facts.