Background
Prior to the deprecation of the cross-certificate program (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-...), many partners were using their cross-certificates to sign content for engineering bring-up scenarios and internal testing. While this was convenient, it also presented a risk to our mutual customers. Cross-certificate signatures are trusted by the Windows kernel, so signing early in-development drivers with them meant that engineering content, and drivers that had yet to complete security reviews, could be weaponized against the Windows user base. The end of the cross-certificate program left a gap in testing capabilities among the signing levels offered by Hardware Dev Center (HDC).
Preproduction driver signing support
Microsoft is releasing a new driver signing feature via Hardware Dev Center. The goal is to allow our partners to safely test preproduction content with OS security features like Secure Boot enabled. With preproduction-signed content, our partners can perform higher-fidelity testing of drivers that are under active development and have not completed the normal security validations.
The table below maps out the four driver signing levels available in HDC, and the Windows operating system configurations that support each signing level.
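| Scenario | Signature Type | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|---|
| Driver Install | Test Signed | NO | NO | YES |
| Driver Install | Preprod Signed | NO | YES | YES |
| Driver Install | Attestation Signed | YES | YES | YES |
| Driver Install | WHQL Signed | YES | YES | YES |
| Driver Load | Test Signed | NO | NO | YES |
| Driver Load | Preprod Signed | NO | YES | YES |
| Driver Load | Attestation Signed | YES | YES | YES |
| Driver Load | WHQL Signed | YES | YES | YES |
| Driver Load - PE | Test Signed | NO | NO | YES (SL150) |
| Driver Load - PE | Preprod Signed | NO | YES (SL150) | YES (SL150) |
| Driver Load - PE | Attestation Signed | YES (SL2000+) | YES (SL2000+) | YES (SL2000+) |
| Driver Load - PE | WHQL Signed | YES (SL2000+) | YES (SL2000+) | YES (SL2000+) |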
The table below identifies support for various security features when the OS is configured to trust the different driver signing levels supported by HDC.
| OS Security Feature | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|
| Hypervisor based Code Integrity (HVCI) | Supported | Supported | Supported |
| Secure Boot | Supported | Supported | Off |
| Kernel mode Code Integrity | Supported | Supported | Off |
| User mode Code Integrity | Supported | Supported | Off |
The following sections detail the preproduction signing feature in Hardware Dev Center, collateral availability in the Windows Driver Kit (WDK), and a pointer to public documentation for configuring your test machines to trust the preproduction signatures.
Hardware Dev Center
The preproduction signing feature in Hardware Dev Center is currently only available via our REST API service. Preproduction signed drivers cannot be published to Windows Update, nor can they be shared with a partner via Shipping Label at this time. This is a simple signing-only feature. Because this feature is intended to sign drivers that are not “retail” ready, we do not scrutinize preproduction submissions with INFverif or API validator. Your INFs must be properly formed, but we do not require /w, /u, or /k compliance.
Input file type
Driver submissions must be submitted in a CAB archive. The CAB must be signed with a certificate that has been associated with your Partner Center account. Build your CABs in the same manner you would for an attestation submission.
Supported driver signature attributes
- ELAM
- HalExt
- PETrust
- DRM
- WindowsHello
Symbol submissions
Symbol submission and indexing are not supported by the preproduction signing feature.
Availability
Preproduction signing via HDC is currently in private beta. The General Availability date will be announced in the near future. Look for announcements on the HDC Blog: Hardware Dev Center
Windows Driver Kit
Beginning with Windows Insider Preview WDK version 22557, the Windows Driver Kit contains the provisioning tools and collateral needed to properly configure your test hosts running retail versions of Windows to trust this new signature. If you are using EEAP drops of Windows in your testing, those builds will not require any special configuration to trust the new preproduction signature type.
Public documentation is also available here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/preproduction-driver-signing-and-i...
Source:
Introducing preproduction signing level
techcommunity.microsoft.com