Introducing preproduction signing level

Published Jun 08 2022 10:56 AM
Microsoft

Background

Prior to the deprecation of the cross-certificate program (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-...), many partners were leveraging their cross-certificates to sign content for engineering bring-up scenarios and internal testing. While this was convenient, it also presented a risk to our mutual customers. Cross-certificate signatures are trusted by the Windows kernel, so signing early in-development drivers with them meant that engineering content and drivers that had yet to complete security reviews could be weaponized against the Windows user base. The end of the cross-certificate program left a gap in testing capabilities among the signing levels offered by Hardware Dev Center (HDC).

 

Preproduction driver signing support

Microsoft is releasing a new driver signing feature via Hardware Dev Center. The goal is to allow our partners to safely test preproduction content with OS security features like Secure Boot enabled. By leveraging preproduction signed content, our partners can perform higher-fidelity testing of drivers that are under active development and have not completed the normal security validations.

 

The table below maps out the four driver signing levels available in HDC, and the Windows operating system configurations that support each signing level.

 

 

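| Signature Type     | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|--------------------|-------------------|-------------------------|----------------------|
| Driver Install     |                   |                         |                      |
| Test Signed        | NO                | NO                      | YES                  |
| Preprod Signed     | NO                | YES                     | YES                  |
| Attestation Signed | YES               | YES                     | YES                  |
| WHQL Signed        | YES               | YES                     | YES                  |
| Driver Load        |                   |                         |                      |
| Test Signed        | NO                | NO                      | YES                  |
| Preprod Signed     | NO                | YES                     | YES                  |
| Attestation Signed | YES               | YES                     | YES                  |
| WHQL Signed        | YES               | YES                     | YES                  |
| Driver Load - PE   |                   |                         |                      |
| Test Signed        | NO                | NO                      | YES SL150            |
| Preprod Signed     | NO                | YES SL150               | YES SL150            |
| Attestation Signed | YES SL2000+       | YES SL2000+             | YES SL2000+          |
| WHQL Signed        | YES SL2000+       | YES SL2000+             | YES SL2000+          |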

 

The table below identifies support for various security features when the OS is configured to trust the different driver signing levels supported by HDC.

 

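| OS Security Feature                    | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|----------------------------------------|-------------------|-------------------------|----------------------|
| Hypervisor based Code Integrity (HVCI) | Supported         | Supported               | Supported            |
| Secure Boot                            | Supported         | Supported               | Off                  |
| Kernel mode Code Integrity             | Supported         | Supported               | Off                  |
| User mode Code Integrity               | Supported         | Supported               | Off                  |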

 

The following sections detail the preproduction signing feature in Hardware Dev Center, collateral availability in the Windows Driver Kit (WDK), and a pointer to public documentation for configuring your test machines to trust the preproduction signatures.

 

Hardware Dev Center

The preproduction signing feature in Hardware Dev Center is currently only available via our REST API service. Preproduction signed drivers cannot be published to Windows Update, nor can they be shared with a partner via Shipping Label at this time. This is a simple, signing-only feature. Because it is intended to sign drivers that are not “retail” ready, we do not scrutinize preproduction submissions with InfVerif or API validator. Your INFs must be properly formed, but we do not require /w, /u, or /k compliance.

 

Input file type

Driver submissions must be submitted in a CAB archive. The CAB must be signed with a certificate that has been associated with your Partner Center account. Build your CABs in the same manner you would for an attestation submission.

 

Supported driver signature attributes

  • ELAM
  • HalExt
  • PETrust
  • DRM
  • WindowsHello

 

Symbol submissions

Symbol submission and indexing are not supported by the preproduction signing feature.

 

Availability

Preproduction signing via HDC is currently in private beta. The General Availability date will be announced in the near future. Look for announcements on the HDC Blog: https://techcommunity.microsoft.com/t5/hardware-dev-center/bg-p/HardwareDevCenter

 

Windows Driver Kit

The Windows Driver Kit, beginning with Windows Insider Preview WDK version 22557, contains the provisioning tools and collateral needed to properly configure your test hosts running retail versions of Windows to trust this new signature. If you are using EEAP drops of Windows in your testing, those builds will not require any special configuration to trust the new preproduction signature type.

Public documentation is also available here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/preproduction-driver-signing-and-i...

 
