99 lines
7 KiB
Plaintext
99 lines
7 KiB
Plaintext
; crypto.txt
|
|
;
|
|
; This data file shows all files that require CSP signing or are involved with
|
|
; the high encryption pack. It is used by the following scripts to drive processing.
|
|
; 1) public\tools\crypto.cmd (TS cert stuffing, CSP-signing, encrypted installers)
|
|
; 2) bldrules\ispu.cmd (encryption pack generation)
|
|
; 3) encryption pack propagation script
|
|
; 4) miscellaneous verification scripts
|
|
;
|
|
; Need Test sign
|
|
; Path rela- Needs Needs on EP Modify on these
|
|
; tive to Encrypted Local- to be to be Add TS Prod releas for platforms
|
|
;File %binaries% Installer izable? MACd? Signd? Cert? Type share? Intl? where 5=yes
|
|
;[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
|
|
;----------- ---------- ------------ ------- ------ ------ ------ ---- ------ ------ ---------
|
|
|
|
; 128-bit binaries
|
|
dssenh.dll . instdss5.dll no yes yes no wks no no i386:ia64:amd64
|
|
ipsec.sys . instips5.dll no no no no wks no can -
|
|
lsasrv.dll . instlsa5.dll yes no no no wks no yes -
|
|
ndiswan.sys . instndi5.dll no no no no wks no can -
|
|
rsaenh.dll . instrsa5.dll yes yes yes no wks yes no i386:ia64:amd64
|
|
|
|
; 40/56-bit binaries
|
|
gpkcsp.dll . - no no yes no wks no no i386:ia64:amd64
|
|
sccbase.dll . - no no yes no wks no no i386:ia64:amd64
|
|
sccsccp.dll . - no no yes no wks no no i386:ia64:amd64
|
|
slbcsp.dll . - no no yes no wks no no i386:ia64:amd64
|
|
|
|
; additional high encryption pack files
|
|
encpack.sed encpack - yes no no no - no yes -
|
|
encpack.inf encpack - yes no no no wks no yes -
|
|
enceula.txt noexport - yes no no no wks yes yes -
|
|
encread.txt noexport - yes no no no wks yes yes -
|
|
|
|
; generated high encryption pack self extracting exe
|
|
encpack.exe noexport - no no no no wks yes yes -
|
|
|
|
; Add TS certificate to Terminal Services Binaries
|
|
termdd.sys . - no no no yes srv no can -
|
|
tdasync.sys . - no no no yes srv no can -
|
|
tdipx.sys . - no no no yes srv no can -
|
|
tdnetb.sys . - no no no yes srv no can -
|
|
tdpipe.sys . - no no no yes srv no can -
|
|
tdspx.sys . - no no no yes srv no can -
|
|
tdtcp.sys . - no no no yes srv no can -
|
|
tsddd.dll . - no no no yes srv no can -
|
|
rdpdd.dll . - no no no yes srv no can -
|
|
rdpwd.sys . - no no no yes srv no can -
|
|
rdpwsx.dll . - no no no yes srv no can -
|
|
|
|
;
|
|
; Column Key
|
|
;
|
|
; [1] Files involved with crypto signing and/or the high encryption pack encpack.exe creation.
|
|
; [2] Path to file after binplacing it, relative to %binaries%.
|
|
; [3] Encrypted installers contain an encrypted version of their associated 128-bit binary as
|
|
; a resource; they ship in all languages of the product, but will only install their
|
|
; 128-bit binary if the trigger file rsaenhs.dll exists on the machine. The trigger
|
|
; file gets installed upon running encpack.exe. There is a one-to-one correspondence
|
|
; between 128-bit files and encrypted installers.
|
|
; [4] Attribute of 128-bit file, not the encrypted installer; version-stamp only ==> no
|
|
; [5] Crypto MACed (an internal cryptographic checksum requred by FIPS). maccsp is run on image.
|
|
; [6] Crypto signed (not to be confused with PRS/catalog signing). Yes implies the following:
|
|
; ==> Cryptographic signature added to the image by one of the following methods:
|
|
; a) test signature via US build process public\tools\crypto.cmd (from enigma server)
|
|
; b) real signature via crypto team for final build (from the bbn box in the vault)
|
|
; ==> This files is either a CSP (cryptographic service provider) or security package
|
|
; ==> International languages need to release these files binary-identical to what US releases
|
|
; Change column [11]'s fields to turn on/off test signing on a per-platform basis. Any
|
|
; file requiring a signature, no matter how it gets signed, needs to have the value 'yes'
|
|
; in this column.
|
|
; [7] Terminal services certificate added to image. Verify with idw\tscrtvfy.exe.
|
|
; [8] Applicable product types.
|
|
; srv ==> bla, sbs, srv, ent, dtc; installed via tsocenc.inf; they're for terminal services
|
|
; wks ==> wks, per, bla, sbs, srv, ent, dtc; installed via encinst.inf
|
|
; - ==> not applicable to any product, perhaps used to generate sfx
|
|
; [9] Files that need to be on the encryption pack release share.
|
|
; yes ==> needed for media or test installs
|
|
; the media creation script is orville\razzle -p setup\bom\encpack.bat
|
|
; no ==> won't hurt to be present, may be useful for testing purposes
|
|
;[10] Derived info from other columns to clarify what's needed for international languages.
|
|
; Don't have scripts use this column; use the other columns directly instead.
|
|
; no <== the file gets crypto signed
|
|
; can <== the file does not get crypto signed or localized so intl langs have no restrictions
|
|
; yes <== the file does not get crypto signed AND the file gets localized or is
|
|
; necessarily rebuilt for intl
|
|
;[11] This column only applies to files that require signing ([6]==yes).
|
|
; Valid values: any combination of the following: { i386,amd64,ia64 }
|
|
; Test sign binaries on the specified platforms via signcsp.exe and enigma. Otherwise,
|
|
; these files need to be checked in already vault-signed with real signatures for RTM.
|
|
; Platforms need to be colon-delimited with no spaces.
|
|
; Note that when checking in vault-signed files, the idea is that nothing modifies them
|
|
; afterward.
|
|
; a) avoid rebasing by adding to public\tools\never.reb
|
|
; b) let the perf team know to avoid re-optimizing
|
|
; c) crypto.cmd already marks the file not-to-be-rebound
|
|
; d) these files should not be localized, independent of test or real signing.
|