How to Sign Driver Files with Kernel Mode Driver Certificate? [A Step-by-Step Guide]

Sign Driver Files with Kernel Mode

In this article, you will get a step-by-step guide on how to sign driver files with a kernel-mode driver signing certificate.

Signing a kernel-mode driver ties the driver binary to a publisher identity that Windows can verify before the code is loaded into the kernel. On current Windows releases that chain of trust ends at Microsoft, which countersigns drivers submitted through the Windows Hardware Dev Center.

Windows verifies the signature on kernel-mode driver code before loading it. The signature is either embedded in the driver binary itself or carried in a security catalog (.cat) file, which lists a cryptographic hash of every file in the driver package and is signed as a whole.

The purpose of the signature is enforcement: the kernel-mode code signing policy refuses to load a driver that is unsigned or whose signature does not verify, so on a normally configured system only correctly signed kernel-mode drivers will load at all.

The exact signing requirements depend on the version of Windows. In this blog, we will walk through obtaining the right certificate and signing a driver for kernel mode.

What is Kernel Mode Driver Signing Certificate?

Kernel mode is the processor mode in which the operating system kernel and device drivers run. Code in kernel mode has unrestricted access to the hardware and to all of memory, and the kernel uses that access to drive devices and to schedule the processes that make up the running system.

Ordinary programs run in user mode with restricted privileges. When they need to reach the hardware, they must go through kernel-mode code: a system call handled by the kernel, which in turn calls the relevant driver.

When you want to sign code that will run in kernel mode, the certificate is either an Extended Validation (EV) or an Organization Validation (OV) code signing certificate. Registering with the Windows Hardware Dev Center, which is mandatory for production drivers on current Windows releases, requires an EV certificate; OV certificates were only usable under the older cross-signing scheme. Kernel-mode driver binaries have a .sys extension, and for a driver package to load and install correctly the .sys file must carry an embedded signature or be covered by a signed security catalog (.cat) file.

So any driver that is to be installed into the operating system must be signed with the right code signing certificate. Kernel-mode drivers deserve particular care because they sit between a user's program and the underlying hardware, and a malicious or defective driver runs with the kernel's full privileges.

Also note that, starting from Windows 10 version 1607 with Secure Boot enabled, Windows will not load new kernel-mode drivers unless they have been signed by Microsoft through the Windows Hardware Dev Center (attestation signing or WHQL). So, at the beginning of the driver signing process, you need to register with the Windows Hardware Dev Center Program.

With each new Windows version, the requirements for driver signing have become more stringent.

Microsoft’s Driver Signing Policy

  • For Windows 7, 8, 8.1 and Windows 10 up to version 1511, drivers must be signed with a SHA-1 digest (SHA-1 is a hash algorithm, not encryption), and the signing certificate must be issued by a certificate authority listed in Microsoft's Cross-Certificate List.
  • For Windows 10 versions 1607 to 1709, the digest may be SHA-1 or SHA-2 (SHA-256).
  • For Windows 10 version 1803 and later, only SHA-2 (SHA-256) signatures are accepted.

Also, the signature chain on the driver must end at a root that Microsoft trusts for kernel-mode code. In practice this means that a new kernel driver that has not been signed by Microsoft through the Hardware Dev Center will not load on Windows 10 version 1607 and above when Secure Boot is enabled.

In addition, for the public release of a kernel-mode driver, the signing requirements are as follows:

  • A kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature in the binary itself, because catalog files are not available that early in the boot sequence. The same applies to both PnP and non-PnP boot-start drivers.
  • A non-PnP kernel-mode driver that is not a boot-start driver must have either an embedded SPC signature, a catalog file signed with a WHQL release signature, or a catalog file signed with an SPC signature.

Those are the requirements at release time. During development and testing the requirements are different:

  • At the testing stage, a kernel-mode boot-start driver must carry an embedded test signature. This applies to both PnP and non-PnP boot-start drivers.
  • A kernel-mode driver that is not a boot-start driver must have either a test-signed catalog file or an embedded test signature in the driver file. Test signatures are only honoured when the machine is booted with test signing enabled.
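As an added example (not from the original article), here is the test-signing setup in PowerShell for a development machine: it creates a self-signed SHA-256 code signing certificate, trusts it on the local machine, embeds a test signature in the driver binary, and switches the boot configuration to test-signing mode. The driver path, certificate subject and export path are assumptions; signtool.exe must be on the PATH (it ships with the Windows SDK), and the script must run in an elevated PowerShell session.

```powershell
# Added example: test-sign a kernel-mode driver on a development machine.
# Run elevated. Assumptions: signtool.exe is on PATH; paths and subject are placeholders.
$ErrorActionPreference = 'Stop'
$driverPath = ".\MyDriver\MyDriver.sys"          # assumed location of the driver binary
$cerPath    = ".\TestDriverSigning.cer"          # assumed export path for the public cert

# 1. Create a self-signed code signing certificate. SHA-256 keeps it acceptable to the
#    SHA-2-only policy of Windows 10 1803 and later.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=Example Test Driver Signing" `
    -HashAlgorithm SHA256 -KeyLength 2048 `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export the public certificate and trust it on this machine (Root so the chain
#    builds, TrustedPublisher so driver package installation does not prompt).
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 3. Embed a test signature in the driver binary (boot-start drivers need this embedded
#    form; the same command signs a .cat file for non-boot-start packages).
& signtool.exe sign /v /sha1 $cert.Thumbprint /fd sha256 $driverPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Confirm the signature is present, then enable test signing. The change takes
#    effect after a reboot, and Secure Boot must be disabled for test signing to work.
$sig = Get-AuthenticodeSignature -FilePath $driverPath
"Signature status: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
& bcdedit.exe /set testsigning on
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (is Secure Boot still enabled?)" }
```

In test-signing mode the kernel accepts this signature even though the certificate chains only to a self-signed root. A driver signed this way will not load on a normally configured machine, and production machines must never be left in test-signing mode.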

With the requirements clear, let’s move on to the process of kernel mode driver signing certificate.

The Process of Signing Driver Files with a Kernel Mode Driver Certificate

Operating systems separate user space, where ordinary applications run, from kernel space, where the kernel and its drivers run. The normal programs an end user engages with have no direct access to kernel space.

Driver code that runs in kernel space has full access to the operating system and can change its behaviour. A faulty or malicious driver can crash the system or compromise it entirely. Hence, signing kernel-mode code demands more attention and caution than signing user-mode applications.

Let’s see how to complete the process.

First, Get an MS Cross Certificate

A cross-certificate is a certificate issued by one Certificate Authority (CA) that signs the public key of another CA's root certificate. It lets a certificate chain that would normally end at the second CA's root continue on to the first CA's root.

The cross-certificate therefore completes a chain of trust from a single trusted root CA to the roots of other CAs.

For kernel-mode signing, Microsoft issued cross-certificates to the commercial CAs so that a driver signed with one of their certificates chains back to Microsoft's own code verification root, the single root the kernel trusts. The cross-certificate is attached to the signature with the Windows Driver Kit (WDK) code signing tools. Note that Microsoft stopped issuing cross-certificates in 2021 and the existing ones have expired, so for new production drivers on current Windows releases this path has been replaced by signing through the Hardware Dev Center.

To find which cross-certificate you need, follow these steps:

  1. Open the Microsoft Management Console (MMC) and add the Certificates snap-in. Go to Start, type "mmc" and press Enter, then click Yes when the User Account Control dialog box appears. From the File menu, select Add/Remove Snap-in, select Certificates, and click Add.

From here, select My user account and click Finish. Then, still in the Add or Remove Snap-ins dialog, select Certificates and click Add once more, select Computer account, click Next, select Local computer and click Finish.

  2. Next, find your SPC in the certificate store; it will be listed under either Current User or Local Computer. Double-click it to open it.
  3. In the certificate dialog box, select the Certification Path tab and select the certificate at the top of the path. This is the root CA at the head of your certificate's chain.
  4. To view the root certificate, click View Certificate and then the Details tab.
  5. Here you will find the Issuer and the Thumbprint of the root certificate; use them to locate the corresponding CA entry in Microsoft's Cross-Certificate List.
  6. Finally, download the cross-certificate for that CA and use it together with your SPC to sign the kernel-mode driver.
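The MMC steps above can be done without clicking through dialogs. This added PowerShell example (not from the original article) finds the code signing certificate in the user's or machine's store, builds its chain, and prints the issuer and thumbprint of the root so you can match it against Microsoft's list. The subject filter "Example Corp" is an assumption.

```powershell
# Added example: locate the SPC and report the root CA it chains to.
# Assumption: the code signing certificate's subject contains "Example Corp".
$ErrorActionPreference = 'Stop'

# -CodeSigningCert keeps only certificates with the code signing EKU and a private key.
$spc = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { $_.Subject -like '*CN=Example Corp*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $spc) { throw "No code signing certificate matching the subject was found" }

# Build the chain the way Windows would (revocation checking skipped so this runs offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($spc)) {
    # A failed build still yields a partial chain; surface why it failed.
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# The last element of the chain is the root; its issuer and thumbprint are what you
# look up in Microsoft's Cross-Certificate List.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"SPC subject        : $($spc.Subject)"
"SPC signature alg  : $($spc.SignatureAlgorithm.FriendlyName)"   # expect sha256RSA for SHA-2 policy
"SPC expires        : $($spc.NotAfter)"
"Root CA issuer     : $($root.Issuer)"
"Root CA thumbprint : $($root.Thumbprint)"
$chain.Dispose()
```

If the root printed here is your CA's own root rather than Microsoft's code verification root, that is expected: the cross-certificate supplied at signing time is what extends the chain from your CA's root to Microsoft's.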

Process for Kernel-Mode Driver Signing

To sign the driver, you first need SignTool (signtool.exe) from Microsoft. It is installed with the Windows SDK, and it is good practice to always use the latest SDK version.

For signing driver packages, another tool is required: Inf2Cat, which is installed with the Windows Driver Kit (WDK). It creates the security catalog (.cat) file from the package's INF file, and that catalog is then signed with SignTool. Keep the EV or OV certificate you have obtained and the Microsoft cross-certificate at hand before moving forward.

  • Open a command prompt and run: signtool.exe sign /v /n "SubjectName" DriverFile.sys

* Replace "SubjectName" with the subject name (common name) of your code signing certificate as it appears in the certificate store; /n tells SignTool which certificate to select.

  • This signs the file, but it does not by itself make the driver loadable, and on its own it uses SHA-1. As required by Windows 10 version 1803 and later, the signature must use SHA-2, so add /fd sha256.
  • You also need the signature to be time-stamped, so that it stays valid after the certificate expires, and to include the cross-certificate. The full command is: signtool.exe sign /v /n "SubjectName" /ac CrossSignedCARoot.cer /fd sha256 /td sha256 /tr http://timestamp.example.com/rfc3161 DriverFile.sys

Here /ac adds the cross-certificate to the signature, /fd and /td select SHA-256 for the file digest and the timestamp digest, and /tr points at an RFC 3161 timestamp server (the URL shown is a placeholder; use your CA's timestamp service). Sign the catalog (.cat) file produced by Inf2Cat with the same command.

The next step is verifying the signature, again with SignTool.

  • Run the following command: signtool.exe verify /kp /v DriverFile.sys

The /kp switch checks the signature against the kernel-mode driver signing policy rather than the ordinary Authenticode policy: the file must be signed, and the chain of trust must lead back to a root that Windows accepts for kernel-mode code.
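Putting the Inf2Cat, SignTool sign and SignTool verify steps together, here is an added PowerShell example (not the article's own script) that embeds a signature in the driver binary, builds the catalog for the package, signs the catalog with SHA-256 and a timestamp, and then verifies every signed file under the kernel-mode policy. The driver directory, certificate subject, cross-certificate file name and timestamp URL are assumptions; inf2cat.exe (WDK) and signtool.exe (Windows SDK) must be on the PATH.

```powershell
# Added example: release-sign a driver package and verify it. Assumptions: a package
# directory holding MyDriver.inf and MyDriver.sys, a certificate whose subject contains
# "Example Corp", the CA's cross-certificate file, and a placeholder timestamp URL.
$ErrorActionPreference = 'Stop'
$driverDir = ".\MyDriver"
$subject   = "Example Corp"
$crossCert = ".\CrossSignedCARoot.cer"
$timestamp = "http://timestamp.example.com/rfc3161"   # replace with your CA's RFC 3161 server

function Invoke-Tool {
    # Run an external tool and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# Common signing arguments: /ac appends the cross-certificate, /fd and /td select SHA-256
# digests, /tr requests an RFC 3161 timestamp so the signature outlives the certificate.
$signArgs = @('sign', '/v', '/n', $subject, '/ac', $crossCert,
              '/fd', 'sha256', '/td', 'sha256', '/tr', $timestamp)

# 1. Embed a signature in each driver binary first (boot-start drivers require this, and
#    the binaries must be final before the catalog hashes them).
$sysFiles = @(Get-ChildItem (Join-Path $driverDir '*') -Include *.sys)
if ($sysFiles.Count -eq 0) { throw "No .sys files found in $driverDir" }
foreach ($file in $sysFiles) {
    Invoke-Tool signtool.exe ($signArgs + $file.FullName)
}

# 2. Build the security catalog from the INF for 64-bit Windows 10.
Invoke-Tool inf2cat.exe @("/driver:$driverDir", "/os:10_X64", "/verbose")

# 3. Sign the catalog(s) Inf2Cat produced.
$catFiles = @(Get-ChildItem (Join-Path $driverDir '*') -Include *.cat)
if ($catFiles.Count -eq 0) { throw "Inf2Cat produced no .cat file in $driverDir" }
foreach ($file in $catFiles) {
    Invoke-Tool signtool.exe ($signArgs + $file.FullName)
}

# 4. Verify under the kernel-mode driver signing policy (/kp). A file that passes a plain
#    'signtool verify' can still fail here if the chain does not end at a root Windows
#    trusts for kernel code.
$targets = $sysFiles + $catFiles
foreach ($file in $targets) {
    Invoke-Tool signtool.exe @('verify', '/kp', '/v', $file.FullName)
}

# 5. Cross-check status, signer and timestamp from PowerShell's point of view.
foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File      = $file.Name
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
    }
}
```

A Timestamp of 'none' in the final table means the /tr request failed silently or was omitted; re-sign before shipping, because an untimestamped signature stops validating once the certificate expires.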

Conclusion

Signing a kernel-mode driver is essential because the driver runs with full system privileges: the signature lets Windows verify who published the code and that it has not been tampered with before loading it. Once signed, developers can ship the driver and end users can install it with confidence about its origin.

However, with the changing requirements set by Windows, it is essential to use the right type of certificate, the right digest algorithm and, for current releases, the Hardware Dev Center signing process if you want the signature to pass verification.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.