Microsoft introduces new driver preproduction signing level feature


Background

Prior to the deprecation of the cross-certificate program (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-...), many partners were leveraging their cross-certificates to sign content for engineering bring-up scenarios and internal testing. While this was convenient, it also presented a risk to our mutual customers. Cross-certificate signatures are trusted by the Windows kernel, and thus signing early in-development drivers with them meant that engineering content and drivers that had yet to complete security reviews could be weaponized against the Windows userbase. With the end of the cross-certificate program came a gap in testing capabilities when looking at the signing levels offered by HDC.

Preproduction driver signing support

Microsoft is releasing a new driver signing feature via Hardware Dev Center. The goal is to allow our partners to safely test preproduction content with OS security features like Secure Boot enabled. Leveraging preproduction signed content, our partners can perform higher fidelity testing of drivers that are under active development and have not completed the normal security validations.

The table below maps out the four driver signing levels available in HDC, and the Windows operating system configurations that support each signing level.

| Signature Type | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|
| Driver Install | | | |
| Test Signed | NO | NO | YES |
| Preprod Signed | NO | YES | YES |
| Attestation Signed | YES | YES | YES |
| WHQL Signed | YES | YES | YES |
| Driver Load | | | |
| Test Signed | NO | NO | YES |
| Preprod Signed | NO | YES | YES |
| Attestation Signed | YES | YES | YES |
| WHQL Signed | YES | YES | YES |
| Driver Load - PE | | | |
| Test Signed | NO | NO | YES SL150 |
| Preprod Signed | NO | YES SL150 | YES SL150 |
| Attestation Signed | YES SL2000+ | YES SL2000+ | YES SL2000+ |
| WHQL Signed | YES SL2000+ | YES SL2000+ | YES SL2000+ |

The table below identifies support for various security features when the OS is configured to trust the different driver signing levels supported by HDC.

| OS Security Feature | Retail Windows OS | PreProd Signing Enabled | Test Signing Enabled |
|---|---|---|---|
| Hypervisor based Code Integrity (HVCI) | Supported | Supported | Supported |
| Secure Boot | Supported | Supported | Off |
| Kernel mode Code Integrity | Supported | Supported | Off |
| User mode Code Integrity | Supported | Supported | Off |

The following sections detail the preproduction signing feature in Hardware Dev Center, collateral availability in the Windows Driver Kit (WDK), and a pointer to public documentation for configuring your test machines to trust the preproduction signatures.

Hardware Dev Center

The preproduction signing feature in Hardware Dev Center is currently only available via our REST API service. Preproduction signed drivers cannot be published to Windows Update, nor can they be shared with a partner via Shipping Label at this time. This is a simple signing-only feature. As this feature is intended to sign drivers that are not “retail” ready, we do not scrutinize preproduction submissions with INFverif or API validator. Your INFs must be properly formed, but we do not require /w, /u, or /k compliance.

Input file type

Driver submissions must be submitted in a CAB archive. The CAB must be signed with a certificate that has been associated with your Partner Center account. Build your CABs in the same manner you would for an attestation submission.

Supported driver signature attributes

  • ELAM
  • HalExt
  • PETrust
  • DRM
  • WindowsHello

Symbol submissions

Symbol submission and indexing are not supported by the preproduction signing feature.

Availability

Preproduction signing via HDC is currently in private beta. General Availability date to be announced in the near future. Look for announcements on the HDC Blog: Hardware Dev Center

Windows Driver Kit

The Windows Driver Kit beginning with Windows Insider Preview WDK version 22557 contains the provisioning tools and collateral needed to properly configure your test hosts running retail versions of Windows to trust this new signature. If you are using EEAP drops of Windows in your testing, those builds will not require any special configuration to trust the new preproduction signature type.

Public documentation is also available here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/preproduction-driver-signing-and-i...
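
The "Input file type" requirement above (a CAB signed with a certificate associated with the Partner Center account), as an added example that is not part of the original post or Microsoft's own script. The folder paths, the `Contoso Ltd` certificate subject and the timestamp URL are assumptions; `makecab.exe` ships with Windows and `signtool.exe` with the Windows SDK/WDK.

```powershell
# Added example, not from the post. Assumed names: C:\Drivers\Echo (flat driver
# package folder), C:\Drivers\out, 'Contoso Ltd' (certificate subject), timestamp URL.
$ErrorActionPreference = 'Stop'
$pkgDir  = 'C:\Drivers\Echo'
$outDir  = 'C:\Drivers\out'
$cabName = 'Echo.cab'
$subject = 'Contoso Ltd'                    # cert associated with the Partner Center account
$tsUrl   = 'http://timestamp.digicert.com'  # any RFC 3161 timestamp service

# Fail early if the folder is not a driver package.
$files = Get-ChildItem -Path $pkgDir -File
if (-not ($files | Where-Object { $_.Extension -eq '.inf' })) {
    throw "No INF found in $pkgDir"
}

# Directive file for makecab: one cabinet, no size limits, files placed in a
# subfolder inside the CAB rather than at its root.
$ddf = @(
    '.OPTION EXPLICIT'
    '.Set CabinetFileCountThreshold=0'
    '.Set FolderFileCountThreshold=0'
    '.Set FolderSizeThreshold=0'
    '.Set MaxCabinetSize=0'
    '.Set MaxDiskFileCount=0'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=$cabName"
    ".Set DiskDirectory1=$outDir"
    '.Set DestinationDir=Echo'
) + ($files | ForEach-Object { '"{0}"' -f $_.FullName })

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$ddfPath = Join-Path $outDir 'Echo.ddf'
Set-Content -Path $ddfPath -Value $ddf -Encoding Ascii

Push-Location $outDir   # makecab writes setup.inf / setup.rpt to the current directory
try {
    & makecab.exe /f $ddfPath
    if ($LASTEXITCODE -ne 0) { throw "makecab failed ($LASTEXITCODE)" }
    $cab = Join-Path $outDir $cabName
    & signtool.exe sign /n $subject /fd sha256 /tr $tsUrl /td sha256 /v $cab
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }
    # Confirm the signature verifies before uploading the CAB.
    & signtool.exe verify /pa /v $cab
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }
} finally { Pop-Location }
```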


Any idea what that means for us end users?
 
