Background
Prior to the deprecation of the cross-certificate program (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-...), many partners were leveraging their cross-certificates to sign content for engineering bring-up scenarios and internal testing. While this was convenient, it also presented a risk to our mutual customers. Cross-certificate signatures are trusted by the Windows kernel, so signing early in-development drivers with them meant that engineering content, and drivers that had yet to complete security reviews, could be weaponized against the Windows user base. With the end of the cross-certificate program came a gap in testing capabilities when looking at the signing levels offered by HDC.
Preproduction driver signing support
Microsoft is releasing a new driver signing feature via Hardware Dev Center. The goal is to allow our partners to safely test preproduction content with OS security features like Secure Boot enabled. By leveraging preproduction signed content, our partners can perform higher fidelity testing of drivers that are under active development and have not completed the normal security validations.
The table below maps out the four driver signing levels available in HDC, and the Windows operating system configurations that support each signing level.
| Signature Type | Retail Windows OS | Flight Signed OS + Secure Boot off | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|---|
| Driver Install | | | | |
| Test Signed | NO | NO | NO | YES |
| Preprod Signed | NO | NO | YES | YES |
| Attestation Signed | YES | NO | YES | YES |
| WHQL Signed | YES | NO | YES | YES |
| Driver Load | | | | |
| Test Signed | NO | YES | NO | YES |
| Preprod Signed | NO | YES | YES | YES |
| Attestation Signed | YES | YES | YES | YES |
| WHQL Signed | YES | YES | YES | YES |
| Driver Load - PE | | | | |
| Test Signed | NO | NO | NO | YES SL150 |
| Preprod Signed | NO | NO | YES SL150 | YES SL150 |
| Attestation Signed | YES SL2000 | NO | YES SL2000 | YES SL2000 |
| WHQL Signed | YES SL2000 | NO | YES SL2000 | YES SL2000 |
The table below identifies support for various security features when the OS is configured to trust the different driver signing levels supported by HDC.
| OS Security Feature | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|
| Hypervisor based Code Integrity (HVCI) | Supported | Supported | Supported |
| Secure Boot | Supported | Supported | Off |
| Kernel mode Code Integrity | Supported | Supported | Off |
| User mode Code Integrity | Supported | Supported | Off |
The expected behavior of a Flight Signed OS + Secure Boot on will be the same as retail. One would need to follow the same preproduction provisioning steps as below.
The following sections detail the preproduction signing feature in Hardware Dev Center, collateral availability in the Windows Driver Kit (WDK), and a pointer to public documentation for configuring your test machines to trust the preproduction signatures.
Hardware Dev Center
The preproduction signing feature in Hardware Dev Center is currently available only via our REST API service. Preproduction signed drivers cannot be published to Windows Update, nor can they be shared with a partner via Shipping Label at this time. This is a simple signing-only feature. Because this feature is intended to sign drivers that are not “retail” ready, we do not scrutinize preproduction submissions with INFverif or API validator. Your INFs must be properly formed, but we do not require /w, /u, or /k compliance.
Input file type
Driver submissions must be submitted in a CAB archive. The CAB must be signed with a certificate that has been associated with your Partner Center account. Build your CABs in the same manner you would for an attestation submission.
Supported driver signature attributes
Symbol submissions
Symbol submission and indexing are not supported by the preproduction signing feature.
Availability
Preproduction signing via HDC is generally available (GA).
Windows Driver Kit
The Windows Driver Kit, beginning with Windows Insider Preview WDK version 22557, contains the provisioning tools and collateral needed to properly configure your test hosts running retail versions of Windows to trust this new signature. If you are using EEAP drops of Windows in your testing, those builds will not require any special configuration to trust the new preproduction signature type.
Public documentation is also available here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/preproduction-driver-signing-and-i...