What Are Kernel-Mode Code Signing Certificates? [A Step-by-Step Guide]

What is Kernel-Mode Code Signing?

When it comes to software security, code signing plays a critical role. Code signing is the process of signing a program or driver with the private key belonging to a legitimate code-signing certificate, so that anyone who runs the code can verify who published it and that it has not been modified since it was signed.

Code signing is not one uniform process, though; the rules depend on what kind of code is being signed. Ordinary applications, including third-party and multi-tenant software, run in user mode, where a faulty or malicious program affects only its own process and the operating system can contain the damage.

Kernel-mode code, which means drivers and other components that run inside the operating system itself, is different. Any unknown or tampered driver loaded into the kernel can crash or silently compromise the whole machine, so Windows enforces much stricter signing rules for it. Hence the term kernel-mode code signing certificate.

So, what are kernel-mode code signing certificates, and how do they operate? Let’s read this article and find out!

What is a Kernel Code Signing Certificate?

Kernel mode is the most privileged execution mode of the CPU (ring 0 on x86): code running in it has unrestricted access to memory and hardware. The functions that live there are correspondingly critical and need to be handled with care. If anything goes wrong in kernel mode, the damage can be catastrophic, from a blue screen to a persistent compromise that no user-mode security product can see.

Now, there is no special kernel code signing certificate. There are two types of code-signing certificates, namely standard (organization-validated, OV) code signing certificates and Extended Validation (EV) code signing certificates.

Both can be used for code signing, but the EV certificate is the one that matters for kernel drivers and any other kernel-mode code: since Windows 10 version 1607, new kernel-mode drivers have to be signed by Microsoft through its Hardware Dev Center, and registering there and signing your submission requires an EV certificate. Why EV? Here is why.

What is an EV code signing certificate?

An EV code signing certificate is just like a standard code signing certificate, with a few small but significant differences.

First of all, an EV code signing certificate establishes more trust for users of the driver, because the CA has to perform a more comprehensive, in-depth vetting of the developer or firm (the organisation's legal identity, its physical address and the authority of the person requesting the certificate) before it will issue one.

Having an EV code signing certificate also boosts your reputation with Microsoft SmartScreen: binaries signed with an EV certificate get SmartScreen reputation immediately instead of having to earn it over time. Moreover, the private key is generated and stored on a hardware token (a FIPS 140-2 Level 2 or equivalent device) rather than in a PFX file on disk, so signing requires physical possession of the device and the key cannot be copied off it. Since June 2023 the CA/Browser Forum requires hardware-protected keys for standard (OV) code signing certificates as well, so this distinction now applies mainly to older certificates.

That combination of stronger identity vetting and hardware-protected keys is why the EV code signing certificate is the one used for kernel-mode drivers and code.

Note: On Windows 10 and later, the EV certificate is used to sign the driver package (a .cab file) that you submit to Microsoft's Hardware Dev Center (Partner Center). Microsoft returns the driver signed by its own root, and that Microsoft signature is what the kernel checks when it loads the driver.

What are the Kernel-Mode Code Signing Requirements?

If you think code signing for a kernel-mode driver is a single command, it is not. There are several conditions to satisfy before a signed driver will actually load.

The requirements depend on the version of Windows, whether the driver is installed for a Plug and Play (PnP) device, whether it is a boot-start driver, and whether it is being signed for public release or by the development team for development and testing.

Public Release Driver Requirements

For a 64-bit version of Windows, the kernel-mode driver must be signed as follows:

  • Both PnP and non-PnP kernel-mode boot-start drivers must carry an embedded Software Publisher Certificate (SPC) signature in the driver file itself. A catalog file is not enough, because boot-start drivers are verified before the catalog store is available.
  • A non-PnP, kernel-mode, non-boot-start driver must have a catalog file with a WHQL (Windows Hardware Quality Labs) release signature, an embedded SPC signature, or a catalog file with an SPC signature.
  • A PnP, kernel-mode, non-boot-start driver must have either an embedded SPC signature in the driver file or a catalog file with an SPC signature.

On 32-bit versions of Windows, the kernel-mode driver signing policy is applied only to kernel-mode boot-start drivers and to drivers that stream protected media; other kernel-mode drivers are not subject to it.

Development and Test Driver Needs

For a 64-bit version of Windows, the kernel-mode code signing policy requires the following:

  • Test signing must be enabled on the test machine (bcdedit /set testsigning on, followed by a reboot), and the kernel-mode driver must be test-signed.
  • A boot-start driver, whether PnP or non-PnP, must have an embedded test signature.
  • A non-boot-start driver, whether PnP or non-PnP, must have either an embedded test signature in the driver file or a test-signed catalog file.

For 32-bit versions of Windows, the requirements are the same as for public release drivers.
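The development and test requirements above, as an added PowerShell example (this is not code from the original article): it creates a self-signed test certificate, test-signs the driver with an embedded SHA-256 signature, and prepares the test machine so the driver will load. The driver path, certificate subject, output paths and the timestamp URL are placeholders; it assumes signtool.exe from the Windows SDK/WDK is on the PATH and that the test-machine function is run from an elevated prompt on that machine.

```powershell
# Added example, not code from the original article.
# Test-signing workflow for development: self-signed test certificate, embedded
# SHA-256 test signature, and test-machine setup (test-signing mode on, test
# certificate trusted). Paths, subject and timestamp URL are hypothetical.

function New-TestSignedDriver {
    param(
        [Parameter(Mandatory)][string] $DriverPath,                      # e.g. .\build\MyDriver.sys (hypothetical)
        [string] $Subject      = 'CN=MyDriver Test Signing',             # hypothetical test subject
        [string] $CerOutPath   = '.\build\MyDriverTest.cer',             # hypothetical output path
        [string] $TimestampUrl = 'http://timestamp.example.com/rfc3161'  # placeholder from the article
    )
    # -Type CodeSigningCert sets the Code Signing EKU that signtool insists on.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation 'Cert:\CurrentUser\My' -HashAlgorithm SHA256 `
                -NotAfter (Get-Date).AddYears(1)

    # Same flags as a release signature (embedded, /fd sha256, RFC 3161 /tr with
    # /td sha256); only the certificate differs. /sha1 selects the certificate by
    # thumbprint so a production certificate with a similar name is never picked.
    & signtool.exe sign /v /s My /sha1 $cert.Thumbprint /fd sha256 /td sha256 /tr $TimestampUrl $DriverPath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Confirm an embedded signature made with this certificate is present.
    # Status will not be 'Valid' on the build machine, because a self-signed test
    # certificate is not trusted there; that is expected at this stage.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    if ($sig.SignatureType -ne 'Authenticode' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw 'Driver does not carry an embedded signature from the test certificate'
    }

    # Export the public certificate only; the private key stays on the build machine.
    Export-Certificate -Cert $cert -FilePath $CerOutPath | Out-Null
    return $cert.Thumbprint
}

function Enable-DriverTestSigning {
    # Run on the TEST machine, elevated, with the .cer produced above.
    param([Parameter(Mandatory)][string] $CerPath)
    # bcdedit refuses to turn on test signing while Secure Boot is enabled, so fail
    # early instead of finding out at reboot. On legacy BIOS the cmdlet throws, and
    # SilentlyContinue turns that into $null, which compares as not enabled.
    if ((Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) -eq $true) {
        throw 'Secure Boot is enabled; disable it in firmware before enabling test signing.'
    }
    # Root so the test signature chains to a trusted root; TrustedPublisher so a
    # PnP installation of the test-signed package does not prompt.
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
    bcdedit /set testsigning on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run this from an elevated prompt' }
    Write-Output 'Test-signing mode enabled; reboot for it to take effect (a "Test Mode" watermark appears on the desktop).'
}

# Usage (hypothetical paths):
# On the build machine:  New-TestSignedDriver -DriverPath .\build\MyDriver.sys
# On the test machine:   Enable-DriverTestSigning -CerPath C:\Drivers\MyDriverTest.cer
```

Keep the test certificate's private key off the test machine and never install it into a production machine's Root store: a test certificate trusted there would let any test-signed driver load.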

The accepted signature algorithm and the required signer also depend on the Windows version:

  • Windows 8 through Windows 10 version 1511: the driver is signed with SHA-1, and the certificate must come from a Certificate Authority on Microsoft's Cross-Certificate List.
  • Windows 10 versions 1607 to 1709: SHA-1 or SHA-2 signatures are accepted.
  • Windows 10 version 1803 and later: SHA-2 only, and the signature must chain to a Microsoft root authority, which in practice means the driver was signed through the Hardware Dev Center. Microsoft's cross-signing program has since ended and the cross-certificates it issued have expired, so the cross-signed route in the earlier rows is no longer available for new signatures.

How to Sign a Kernel Mode Driver?

Now, let's move on to signing with the certificate. Microsoft recommends against signing with a PFX file passed on the command line. Instead, import the certificate into the Windows certificate store and select it from there; with an EV certificate this happens automatically when the hardware token's software is installed, because the key cannot be exported to a PFX file at all.

Here is the basic command, run from a Command Prompt (or PowerShell) in which signtool.exe from the Windows SDK or WDK is on the PATH:

signtool.exe sign /v /n "SubjectName" DriverFile.sys

Here /n selects the signing certificate from your personal store by its subject name, and /v prints verbose output. On Windows versions before 1607, the driver would load only if the signature chained to a CA on Microsoft's Cross-Certificate List, so the cross-certificate downloaded from that list was added to the signature with /ac:

signtool.exe sign /v /n "SubjectName" /ac CrossSignedCARoot.cer DriverFile.sys

Further, the driver must be signed with a SHA-2 file digest (/fd sha256), and the signature must carry an RFC 3161 timestamp (/tr with the timestamp server's URL and /td sha256 for the timestamp digest) so that it remains valid after the certificate expires. Here is the updated command; the timestamp URL is a placeholder, so substitute your CA's:

signtool.exe sign /v /n "SubjectName" /ac CrossSignedCARoot.cer /fd sha256 /td sha256 /tr http://timestamp.example.com/rfc3161 DriverFile.sys

Here is an alternate form that signs a driver catalog file using a PFX file and its password, which is still common in build scripts even though the certificate store is preferred. The same SHA-256 digest and RFC 3161 timestamp options apply, and note that the password ends up in shell history and build logs, which is one more reason Microsoft steers you toward the store:

signtool sign /fd sha256 /td sha256 /tr TIMESTAMP_SERVER_URL /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"

How to Verify the Signature on a Kernel-Mode Driver?

Once the driver is signed, verify the signature before you ship it. SignTool can do this from the command prompt.

Here are the commands used to verify the signature. For a catalog-signed driver, add /c followed by the path of the .cat file so SignTool knows where to look:

signtool.exe verify /pa /v DriverFile.sys (the /pa parameter applies the default Authenticode verification policy, the same one used for user-mode binaries)
signtool.exe verify /kp /v DriverFile.sys (the /kp parameter applies the kernel-mode driver signing policy, which is the check that decides whether a 64-bit kernel will load the driver)
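The signing commands in the previous section and the verification commands above, combined into one added PowerShell example (this is not code from the original article): it selects the EV certificate from the store by thumbprint, signs with the SHA-256 digest and RFC 3161 timestamp options the article calls for, then checks the result against the article's requirements (embedded signature, timestamp, kernel-mode policy via signtool verify /kp). It assumes signtool.exe is on the PATH and that the hardware token's software has already registered the EV certificate in Cert:\CurrentUser\My; the file paths, thumbprint and timestamp URL are placeholders.

```powershell
# Added example, not code from the original article.
# Release-signs a driver file (.sys, .cat, or the .cab submitted to Microsoft's
# Hardware Dev Center) with an EV certificate whose key lives on a hardware token,
# then reports whether the signature meets the article's requirements.
# Assumptions (hypothetical): signtool.exe is on PATH, the EV certificate is
# already in Cert:\CurrentUser\My, and the timestamp URL is a placeholder.

$EvCodeSigningPolicyOid = '2.23.140.1.3'   # CA/Browser Forum EV code signing policy OID

function Get-EvCodeSigningCert {
    param([Parameter(Mandatory)][string] $Thumbprint)
    # Select by thumbprint rather than /n "SubjectName": subject names are not
    # unique, and an expired or OV certificate with the same CN could otherwise
    # be picked silently.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; is the EV token plugged in?' }
    # Certificate Policies extension (2.5.29.32) carries the EV policy OID on EV certificates.
    $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $policies -or $policies.Format($true) -notmatch [regex]::Escape($EvCodeSigningPolicyOid)) {
        Write-Warning "Certificate $Thumbprint does not carry the EV code-signing policy OID; Hardware Dev Center submissions require an EV certificate."
    }
    return $cert
}

function Invoke-DriverReleaseSign {
    param(
        [Parameter(Mandatory)][string] $Path,                            # .sys, .cat or .cab to sign
        [Parameter(Mandatory)][string] $Thumbprint,                      # EV certificate thumbprint
        [string] $TimestampUrl = 'http://timestamp.example.com/rfc3161'  # placeholder from the article
    )
    $cert = Get-EvCodeSigningCert -Thumbprint $Thumbprint
    # /fd sha256 : SHA-256 file digest (the only digest accepted from Windows 10 1803 on)
    # /tr + /td  : RFC 3161 timestamp with a SHA-256 digest, so the signature stays
    #              valid after the certificate expires
    # No /ac     : Microsoft no longer issues cross-certificates, so there is nothing to add
    & signtool.exe sign /v /s My /sha1 $cert.Thumbprint /fd sha256 /td sha256 /tr $TimestampUrl $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-DriverSignature {
    param([Parameter(Mandatory)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    if ($sig.Status -ne 'Valid') { $problems += "status $($sig.Status): $($sig.StatusMessage)" }
    # 'Authenticode' means the signature is embedded in the file; 'Catalog' means it
    # was found in a .cat file. Boot-start drivers need the embedded form.
    if ($sig.SignatureType -ne 'Authenticode') { $problems += "signature type is $($sig.SignatureType), not embedded" }
    if (-not $sig.TimeStamperCertificate) { $problems += 'no timestamp countersignature' }

    # Get-AuthenticodeSignature applies the ordinary Authenticode policy. /kp applies
    # the kernel-mode driver policy, the check that decides whether the driver loads,
    # so run signtool too and keep its verbose output for the report.
    $kp = & signtool.exe verify /v /kp $Path 2>&1
    if ($LASTEXITCODE -ne 0) { $problems += 'signtool verify /kp failed (see KpOutput)' }

    [pscustomobject]@{
        Path      = $Path
        Signer    = $sig.SignerCertificate.Subject
        Timestamp = $sig.TimeStamperCertificate.Subject
        Problems  = $problems
        KpOutput  = ($kp | Out-String)
        Ok        = ($problems.Count -eq 0)
    }
}

# Usage (hypothetical path and thumbprint):
# Invoke-DriverReleaseSign -Path .\MyDriver.sys -Thumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
# Test-DriverSignature -Path .\MyDriver.sys | Format-List
```

On Windows 10 version 1607 and later with Secure Boot on, a driver carrying only your EV signature is not the final artefact: the EV-signed .cab goes to the Hardware Dev Center, and the Microsoft-signed package it returns is what Test-DriverSignature should be run against before release.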

Conclusion

Kernel-mode code signing certificates are nothing but EV code signing certificates; what sets kernel-mode signing apart is the set of requirements around it. Buy a code signing certificate with a validity period long enough for your release cycle, and always timestamp your signatures so they outlive the certificate.

Moreover, be careful when installing a system driver from outside the normal update channels. A valid signature tells you who published the driver and that it has not been altered since; it does not tell you the driver is harmless. Check the publisher before installing, and treat any signature warning as a reason to stop, because a driver that gets into the kernel can harm your system in ways nothing in user mode can undo.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.