windows-nt/Source/XPSP1/NT/tools/postbuildscripts/crypto.txt


2020-09-26 03:20:57 -05:00
; crypto.txt
;
; This data file shows all files that require CSP signing or are involved with
; the high encryption pack. It is used by the following scripts to drive processing.
; 1) public\tools\crypto.cmd (TS cert stuffing, CSP-signing, encrypted installers)
; 2) bldrules\ispu.cmd (encryption pack generation)
; 3) encryption pack propagation script
; 4) miscellaneous verification scripts
;
;                                                                            Need            Test sign
;            Path rela-                        Needs   Needs                 on EP   Modify  on these
;            tive to    Encrypted     Local-   to be   to be   Add TS  Prod  releas  for     platforms
;File        %binaries% Installer     izable?  MACd?   Signd?  Cert?   Type  share?  Intl?   where 5=yes
;[1]         [2]        [3]           [4]      [5]     [6]     [7]     [8]   [9]     [10]    [11]
;----------- ---------- ------------  -------  ------  ------  ------  ----  ------  ------  ---------
; 128-bit binaries
dssenh.dll   .          instdss5.dll  no       yes     yes     no      wks   no      no      i386:ia64:amd64
ipsec.sys    .          instips5.dll  no       no      no      no      wks   no      can     -
lsasrv.dll   .          instlsa5.dll  yes      no      no      no      wks   no      yes     -
ndiswan.sys  .          instndi5.dll  no       no      no      no      wks   no      can     -
rsaenh.dll   .          instrsa5.dll  yes      yes     yes     no      wks   yes     no      i386:ia64:amd64
; 40/56-bit binaries
gpkcsp.dll   .          -             no       no      yes     no      wks   no      no      i386:ia64:amd64
sccbase.dll  .          -             no       no      yes     no      wks   no      no      i386:ia64:amd64
sccsccp.dll  .          -             no       no      yes     no      wks   no      no      i386:ia64:amd64
slbcsp.dll   .          -             no       no      yes     no      wks   no      no      i386:ia64:amd64
; additional high encryption pack files
encpack.sed  encpack    -             yes      no      no      no      -     no      yes     -
encpack.inf  encpack    -             yes      no      no      no      wks   no      yes     -
enceula.txt  noexport   -             yes      no      no      no      wks   yes     yes     -
encread.txt  noexport   -             yes      no      no      no      wks   yes     yes     -
; generated high encryption pack self extracting exe
encpack.exe  noexport   -             no       no      no      no      wks   yes     yes     -
; Add TS certificate to Terminal Services Binaries
termdd.sys   .          -             no       no      no      yes     srv   no      can     -
tdasync.sys  .          -             no       no      no      yes     srv   no      can     -
tdipx.sys    .          -             no       no      no      yes     srv   no      can     -
tdnetb.sys   .          -             no       no      no      yes     srv   no      can     -
tdpipe.sys   .          -             no       no      no      yes     srv   no      can     -
tdspx.sys    .          -             no       no      no      yes     srv   no      can     -
tdtcp.sys    .          -             no       no      no      yes     srv   no      can     -
tsddd.dll    .          -             no       no      no      yes     srv   no      can     -
rdpdd.dll    .          -             no       no      no      yes     srv   no      can     -
rdpwd.sys    .          -             no       no      no      yes     srv   no      can     -
rdpwsx.dll   .          -             no       no      no      yes     srv   no      can     -
;
; Column Key
;
; [1] Files involved with crypto signing and/or the high encryption pack encpack.exe creation.
; [2] Path to file after binplacing it, relative to %binaries%.
; [3] Encrypted installers contain an encrypted version of their associated 128-bit binary as
;     a resource; they ship in all languages of the product, but will only install their
;     128-bit binary if the trigger file rsaenhs.dll exists on the machine. The trigger
;     file gets installed upon running encpack.exe. There is a one-to-one correspondence
;     between 128-bit files and encrypted installers.
; [4] Attribute of 128-bit file, not the encrypted installer; version-stamp only ==> no
; [5] Crypto MACed (an internal cryptographic checksum required by FIPS). maccsp is run on image.
; [6] Crypto signed (not to be confused with PRS/catalog signing). Yes implies the following:
;     ==> Cryptographic signature added to the image by one of the following methods:
;         a) test signature via US build process public\tools\crypto.cmd (from enigma server)
;         b) real signature via crypto team for final build (from the bbn box in the vault)
;     ==> This file is either a CSP (cryptographic service provider) or security package
;     ==> International languages need to release these files binary-identical to what US releases
;     Change column [11]'s fields to turn on/off test signing on a per-platform basis. Any
;     file requiring a signature, no matter how it gets signed, needs to have the value 'yes'
;     in this column.
; [7] Terminal services certificate added to image. Verify with idw\tscrtvfy.exe.
; [8] Applicable product types.
;     srv ==> bla, sbs, srv, ent, dtc; installed via tsocenc.inf; they're for terminal services
;     wks ==> wks, per, bla, sbs, srv, ent, dtc; installed via encinst.inf
;     -   ==> not applicable to any product, perhaps used to generate sfx
; [9] Files that need to be on the encryption pack release share.
;     yes ==> needed for media or test installs
;             the media creation script is orville\razzle -p setup\bom\encpack.bat
;     no  ==> won't hurt to be present, may be useful for testing purposes
;[10] Derived info from other columns to clarify what's needed for international languages.
;     Don't have scripts use this column; use the other columns directly instead.
;     no  <== the file gets crypto signed
;     can <== the file does not get crypto signed or localized so intl langs have no restrictions
;     yes <== the file does not get crypto signed AND the file gets localized or is
;             necessarily rebuilt for intl
;[11] This column only applies to files that require signing ([6]==yes).
;     Valid values: any combination of the following: { i386,amd64,ia64 }
;     Test sign binaries on the specified platforms via signcsp.exe and enigma. Otherwise,
;     these files need to be checked in already vault-signed with real signatures for RTM.
;     Platforms need to be colon-delimited with no spaces.
;     Note that when checking in vault-signed files, the idea is that nothing modifies them
;     afterward.
;     a) avoid rebasing by adding to public\tools\never.reb
;     b) let the perf team know to avoid re-optimizing
;     c) crypto.cmd already marks the file not-to-be-rebound
;     d) these files should not be localized, independent of test or real signing.
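
The rules in the column key can be checked mechanically against the rows. The following Python is an added example, not one of the scripts named in the file header; the field names, the rule set (a reading of notes [3], [6], [10] and [11]) and the final `example.dll` row are assumptions made here.

```python
from collections import Counter

FIELDS = ("file", "path", "installer", "localizable", "macd", "signed",
          "ts_cert", "prod_type", "ep_share", "intl", "platforms")
VALID_PLATFORMS = {"i386", "amd64", "ia64"}

# Rows copied from the table above; the last row is constructed to break the rules.
SAMPLE = """\
; 128-bit binaries
dssenh.dll . instdss5.dll no yes yes no wks no no i386:ia64:amd64
lsasrv.dll . instlsa5.dll yes no no no wks no yes -
rsaenh.dll . instrsa5.dll yes yes yes no wks yes no i386:ia64:amd64
termdd.sys . - no no no yes srv no can -
example.dll . instdss5.dll no no yes no wks no can i386:x86
"""

def parse(text):
    """Return one dict per data row; lines starting with ';' are comments."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {n}: expected {len(FIELDS)} columns, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def check(rows):
    """Return (file, problem) pairs for rows that contradict the column key."""
    problems = []
    installers = Counter(r["installer"] for r in rows if r["installer"] != "-")
    for r in rows:
        signed = r["signed"] == "yes"
        if signed != (r["intl"] == "no"):       # [10]: "no" <== file gets crypto signed
            problems.append((r["file"], "[10] disagrees with [6]"))
        if not signed and r["localizable"] == "yes" and r["intl"] != "yes":
            problems.append((r["file"], "[10] should be yes for a localized, unsigned file"))
        plats = [] if r["platforms"] == "-" else r["platforms"].split(":")
        if plats and not signed:                # [11] applies only where [6]==yes
            problems.append((r["file"], "[11] set but [6] is not yes"))
        if any(p not in VALID_PLATFORMS for p in plats):
            problems.append((r["file"], "[11] has an unknown platform"))
        if installers[r["installer"]] > 1:      # [3]: one-to-one with 128-bit files
            problems.append((r["file"], "[3] installer is shared"))
    return problems
```

Running `check(parse(...))` over the unmodified rows returns an empty list; the constructed row is flagged for its [10] value, its unknown platform and its reused installer.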