(9 votes, average: 4.89 out of 5)
In this article, you will get step-by-step guide on how to sign Driver Files with Kernel Mode Driver certificate.
The kernel mode driver signing certificate exercise allows the users to get into the depths of an operating system and get authenticated from Microsoft.
The kernel mode is meant to verify and authenticate the code of driver packages that run our programs and software on the system. The signature files of the kernel mode code are secured in the security catalog (CAT files).
The purpose of getting this certificate signed is to create a policy whereby the kernel-mode drivers must always load for the system to run smoothly.
The kernel mode driver signing certification process depends on the version of the operating system. In this blog, we will share the process of getting the signing certificate in kernel mode for drivers.
The Kernel Mode in an operating system represents the core program on which all the other programs on the operating systems rely. The basic purpose of using this mode is to access the hardware components of the operating system and schedule processes that will run the system.
Even the regular programs, when they have to access computer hardware, must establish the connection via the kernel mode.
When you want to run a code-signing exercise with the kernel mode, you can choose two methods, the Extended Validation (EV) code signing or the Organization Validation (OV) code signing certificate. The kernel mode code has a .sys extension, and for these drivers to load properly, they must be signed effectively with the security catalog (CAT).
So any driver that must be inducted into the operating system needs to be validated with the right code signing certificate. In this case, we are discussing the kernel mode code driver signing certificate because these drivers establish the connection between a user’s program and the underlying hardware powering the program.
Also, note that starting from Windows 10, it will not load new kernel mode drivers in case they are not signed by the Dev Portal. So, at the beginning of the driver signing process, you need to register at the Windows Hardware Dev Center Program.
With the new Windows versions, the requirements for driver signing have become more stringent.
Also, the signature on the driver or code must come from Microsoft’s root authority. All this means that if a kernel driver is not signed by Windows by Microsoft Hardware Dev Center, it will not load on Windows 10 (version 1607 and above).
In addition to this, for the public release of the kernel mode driver, the digital certificate signing requirements are as follows;
This was for the time when the driver is to be released. At the time of testing, there are some requirements that must be followed.
With the requirements clear, let’s move on to the process of kernel mode driver signing certificate.
Operating systems must make a distinction between the user’s space and the internal system’s space. This in-between space is called the kernel space. The normal programs or applications an end-user engages with do not have access to this internal system.
Moreover, the driver code meant for the kernel space has better access to the operating system and may even have an influence over the same. It establishes the stability of the operating system and can determine its welfare. Hence, the kernel-mode code and driver signing certificate require better attention and higher caution.
Let’s see how to complete the process.
Cross-certificates are also provided by a Certificate Authority (CA), and they are used to add signatures and verify the public key meant to operate the root certificate provided by another CA.
This cross certificate completes the chain of trust that will authenticate the transactions from a single, trusted, and Root CA to other different CAs.
For the purpose of this process, the cross-certificates allow an operating system’s kernel to access a single trusted Microsoft root authority. These cross-certificates are integrated with the Windows Driver Kit (WDK) code-signing tools leading to effective kernel-mode software signing.
To get the cross-certificate, follow these steps;
From here, select My User Account and click on Finish. Once again, navigate to Certificates snap-in, and click on Add, followed by selecting Computer account and clicking on Next. Lastly, select the Local Computer from here and then click on Finish.
To sign the driver in kernel mode, you first need to get the Sign Tool from Microsoft. This is a utility tool obtained from the Windows SDK. A good practice is to always use the latest version of the SDK.
For signing driver packages, another tool is required, Inf2Cat. This tool is required to create the Security Catalog (CAT) file that you can sign with the signtool. Keep the EC or OV digital certificate you have obtained and the MS Cross-Certificate details in hand before moving forward.
* Replace “n” with the certificate’s common name and select it from the details of the cross-certificate CA.
CrossSignedCARoot.cer /fd sha256 /td sha256/tr http://timestamp.example.com/rfc3161DriverFile.sys
The next step is verifying the signature, and for this process, you need to use the Sign Tool.
This command will help ensure that the chain of trust of your certificate goes back to the root.
The kernel mode driver signing certificate process is essential to establish a secure connection between the system’s hardware and the programs. Once signed, the developers and end-users will be able to interact and connect with an assured sense of security and confidence.
However, with the diverse and dynamic requirements set by Windows, it is essential to have the proper credentials and encryption standards if you want the certificate to pass the verification.