Signed driver #13
I don't think so. Certification costs money which I'm not going to spend. The second reason is that the driver is actively being developed and there are still a lot of changes.
The certification will be the primary goal when the driver becomes stable.
I see. That is unfortunate. Thanks for the prompt reply.
Consider that many games with anti-cheat enabled won't run if they detect Windows is in Test Mode. @vadimgrn Is there any reasonable workaround for PCs that want to trust this driver to not have to be run in Windows Test Mode? It seems like test mode is required whenever actively attaching a bound device.
There is no workaround. A certification costs money; at least an Extended Validation (EV) Code Signing Certificate must be purchased. Its cost is about $700 per year (https://www.digicert.com/order/order-1.php).
Thanks @vadimgrn! Do you think it is possible for a fork with the willingness to pay for its own certificate [and set up an MS account and other obligatory tasks] to get this to work? I had recently been reading those and related links before you posted them. :) Is there any such thing as "evaluation" EV code signing certs to try this out with to confirm if it will work and would be worth paying the money for? I suspect not, thinking the ability to legitimately sign code with an evaluation cert would defeat the purpose of code signing.
I'm sure that a certificate evaluation isn't available. The simplest way is to make Windows 10 attestation signed drivers. This means a driver can be used without enabling Test Signing Mode. You don't have to initiate the Hardware Certification process, which could take much time and effort.
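An added check (not code from this project or from anyone in the thread) that shows the two facts the comments above turn on: whether the machine is in Test Signing Mode, and whether each driver binary in a package carries a Microsoft hardware signature (attestation or WHQL) rather than a test or missing signature. The package path is a placeholder and the signer-name match is an assumed heuristic.

```powershell
# Added example: report test-signing state and driver signature status before installing a package.
# Assumptions: $PackageDir is a placeholder; matching the signer subject is a heuristic, not an official API.
param(
    [string]$PackageDir = "C:\path\to\driver\package"   # placeholder, point at the unpacked package
)

# 1. Is the current boot entry configured with testsigning on? bcdedit needs an elevated shell.
$bcd = & bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "bcdedit failed (run as Administrator): $bcd"
    $testSigning = $null
} else {
    $testSigning = @($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' }).Count -gt 0
}

# 2. Inspect every .sys and .cat in the package. Attestation- and WHQL-signed drivers are signed by
#    "Microsoft Windows Hardware Compatibility Publisher" (assumption used as the check below);
#    a WDK test certificate or no signature at all means the driver only loads in Test Signing Mode.
$results = Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.cat | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File           = $_.Name
        Status         = $sig.Status                      # Valid, NotSigned, UnknownError (untrusted chain), ...
        Signer         = $subject
        MicrosoftHwSig = ($sig.Status -eq 'Valid') -and
                         ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*')
    }
}
$results | Format-Table -AutoSize

# 3. Summarise what an operator needs to know before deciding to install.
if ($testSigning -eq $true) {
    Write-Host 'Test Signing Mode is ON: software that checks code-integrity state (anti-cheat, some DRM) may refuse to run.'
}
$needTestMode = @($results | Where-Object { -not $_.MicrosoftHwSig })
if ($needTestMode.Count -gt 0) {
    Write-Host "$($needTestMode.Count) file(s) lack a Microsoft hardware signature and will only load with Test Signing Mode enabled."
} else {
    Write-Host 'All driver files carry a Microsoft hardware signature; Test Signing Mode is not required.'
}
```

Run it from an elevated PowerShell prompt against the unpacked package directory; the table it prints is the evidence to keep when deciding whether a machine must be left in test mode.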
Hello, I am looking for a stable & easy version of USBIP for Windows. The last "cezanne" release works great for me (used for a laser engraver and its camera), except that disconnection/reconnection is unstable and requires rebooting either Windows and sometimes the Raspberry server, but this version does not require Test mode, which is great. From what I understood, if the version requires test mode, it is required to stay in test mode as long as we need to use it? That's it? What is your plan for the future of your version? This is a really great product, do you have any stable release date?
I do not have any release dates. The WDM driver is pretty stable. Signing requires money to buy a certificate which I'm not going to spend. The develop branch has a UDE driver which is stable too, but some devices don't work.
Seems logical, maybe it could be funded via GitHub sponsorship? Or a different kind of crowdfunding? (Or even selling this product once it is no longer stamped as "probable BSOD".) I would understand having to pay a bit to use it in a non-test mode.
Those interested in a signed driver can donate to purchase an EV Code Signing Certificate. I added two sponsorship methods.
An EV certificate is only sold to companies, not individuals, in case you didn't know. Also you will need an Azure AD tenant and register a Microsoft Partner account; those at least come with no costs as of writing. Also the EV cert only grants you submission to Microsoft; it is no longer possible to self-sign kernel drivers with the EV cert directly, it has been killed off quite a while ago. Cheers
Thank you for the information. If I can't buy an EV certificate, this driver will never be signed.
I shall keep my eye on this project then 😉
There is no hope to release a signed driver :(
This had me spit out my coffee laughing 🤣 I have followed the official fails of components by Microsoft, the "professionals" in this case, and as an open source developer myself have reported countless bugs and fixes to them over the years. This is why I avoid OSR, the elitism is so cringy, it hurts.
I may try to use a driver signing service once you feel it's stable enough that it's worth investigating
As far as I know, such services are no longer an option since Win10.
Correct, only one way is left and that is via EV through Microsoft.
Cheapest EV code signing certificate I have found: €749.00 gross for 3 years.
Also make sure the cert provider is listed as supported by MS as documented here, which Certum appears to be.
Oh, I overlooked IdenTrust, it's even cheaper.
But my problem is that there is no Windows server stub driver (cezanne) which is signed. And I don't want to set a production system in test signing mode. The cezanne attestation signed vhci driver for the client works fine. Trying to pass a SmartCard reader from Server 2022 Hyper-V host to Server 2016 Hyper-V guest. Guess I have to buy software like USB Redirector. The whole certification process seems to be quite the hassle according to this blog post: https://billauer.co.il/blog/2021/05/windows-drivers-attestation-signing/
While working on something completely different I just stumbled upon WinBtrfs and was reminded of usbip-win2 when I saw that their driver is apparently signed. I searched/skimmed the relevant issues and found these: Thought I'd just drop these here, maybe they help?
My two cents on these topics since I've walked the walk since Windows 7...
TL;DR: there only exist two official ways to get a kernel driver signed for modern Windows editions (ignoring exploits, stolen certificates, timestamp tampering, UEFI hacks and whatnot):
Extra TL;DR: IMHO with any approach requiring your user to change stuff like SecureBoot or Code Integrity registry settings or policies, you have already lost. Anti Virus and Anti Cheat solutions more and more look for these options and will cause collateral problems which will force the user to either remove your driver or to give up on their game or whatever DRM protected solution. You can take a guess what most people will abandon first if they're forced to do so 😉 Cheers
Pass the device to the host, then pass it through to the guest? Then test mode is on, on the host, allowing the driver/device, then share it using Hyper-V to the guest? (RemoteFX USB device or something)
Using Hyper-V implicitly turns on features like Code Integrity, Memory Integrity etc. I assume you'd need to have your hypervisor host run in test mode then (I have no idea if that is even possible, never tried it before). Even if so, not practical except for the 5 people world-wide who'd be fine running such a setup.
The lack of a signed driver is sadly a no go for most people. Is there a possibility for the code to be signed by this organisation?
This isn't really the case: like IV code signing certificates more broadly, several CAs have been willing to issue EV code signing certs to sole proprietorships, but they've not advertised it. The flow usually goes "buy it, then contact support", though ssl.com is now advertising this: https://www.ssl.com/certificates/iv-ev-code-signing/buy/ While this doesn't require an LLC/Ltd./other distinct corporate entity (or the corresponding usually-annual paperwork/filing fees for one), it can require registering "I am doing business under this name" or similar; for example, you can register a 'doing business as' name with Texas with form 503 for $25 every 10 years.
SignPath is not (yet?) an option: https://about.signpath.io/product/editions
Thanks for seeing that. Because of all of this and no easy solution, I've taken a different approach. If anyone is interested, about 14 years ago we were dealing with hardware security dongles for bank software development and at the time we ended up running with;
I am looking into attestation signing for another project.
For those using Windows 11 below 23H2 you might be able to use https://github.com/Flerov/TS-Changer to change signing mode on the fly.
I think they only sign the binary with the certificate itself, not through the Windows Hardware Certification lab. You need to sign through the WHQL lab for the driver to load.
I recently learned from an independent dev, and verified it with a senior MS engineer, that you can sign up for developer accounts for Microsoft Store that bring you some kind of EV signing path for apps. It seems to be a one-time fee of about 20 USD for an individual dev, about 100 USD for a company.

The trick is that the "Microsoft Store" signs the package, even if the price is 0 USD. Once your identity is verified, you, or your buildbot, can upload your installer package to Microsoft Store; there is some automated vetting, then it gets signed, apparently with a one-year certificate. You can point to Microsoft Store, or download the package with WinGet and put it as a signed package on your own website, or GitHub. Just beware of the expiration date of each installer package.
https://learn.microsoft.com/en-us/windows/apps/publish/partner-center/account-types-locations-and-fees

I have read elsewhere that Microsoft plans to stop distributing third-party drivers with Windows Update. Instead MS wants vendors to distribute through Microsoft Store, without any requirement that a package should be a cost to the end user.

But I have not yet tried the Microsoft Store route to code signing myself, since I am currently on my third month trying to get Azure Trusted Signing to work for signing my own apps, but that is about 10 USD per month, forever.

/Erik
On Fri, Oct 25, 2024 at 4:16 PM EBK21 wrote:
> For those using Windows 11 below 23H2 you might be able to use https://github.com/Flerov/TS-Changer to change signing mode on the fly. I also found a seller on Taobao supposedly offering EV Signing (782309659071) for $320US but I didn't ask for details.
> I think they only sign the binary with the certificate itself, not through the Windows Hardware Certification lab. You need to sign through the WHQL lab for the driver to load.
As another user stated, https://signpath.org/ is free for open source and looks like it is easy to use with GitHub. @vadimgrn Any plans for this? TY.
Kernel signing requires an EV certificate and it's only for companies.
@vadimgrn consider locking or moving the issue to a discussion and clarifying that personal certification is useless for driver signing.
There is nothing to discuss, only a company may purchase an EV certificate. The most realistic way is that someone who owns a company will build and sign the driver out of goodwill or for the price of an EV certificate.
Maybe I know someone who knows someone...
In the meantime, there are other ways to load the driver without an EV signer. This allows you to load unsigned/self-signed drivers without test mode: https://github.com/Mattiwatti/EfiGuard
DO NOT USE ANY OF THESE OPTIONS. THEY BRICKED MY SYSTEM!
This only means you didn't follow the guide correctly or fully check the readme. Me and the hack makers are using it without any issue.
I ran the executable, it prompted me to restart and then started boot looping and somehow messed up my grid for that VM, which shouldn't be possible.
I suppose you are trying ssde?
Less unrelated spam in this thread please, problems with the linked tools should be discussed in their respective support channels.
Hello, I don't understand in which way this version should be better than the cezanne/usbip-win version, which runs perfectly with no need to go into server testsigning mode. And if there are advantages, why is it not possible to use the driver from this project?
Start your own Discussion then instead of hijacking unrelated conversations, thank you.
First of all, use what works for you. cezanne/usbip-win is abandoned, the development was halted three years ago. It has tons of bugs, poor performance, poor quality of code, absence of GUI and installer, etc. The only reason to use it today is that the driver is signed.
Hi there, I'm from the Project Babble team https://github.com/Project-Babble/ProjectBabble which is an application for VR mouth tracking. We'd be more than happy to put the money upfront for a signed driver. We also are a company that has the ability to build and sign the driver, so with some assistance we should be able to get something up and running soon.
If you can build and sign the driver, it will be the best option.
User-mode drivers don't need to be signed by Microsoft. Porting the project from KMDF to UMDF would be pretty tedious I assume, but it should run on vanilla Windows without needing an EV certificate then.
User-mode driver signing requirements will only further tighten as time and Windows Updates advance. Also UDE is not and never will be available to user-mode, so no, 90% of this project in fact can not be ported to UMDF.
I am not very familiar with the code of this project. There are multiple drivers in the project, do I need to sign all of them?
usbip-win2\x64\Release\package contains all drivers to sign
It looks like you may have an offer (thanks @SummerSigh!), but if it doesn't pan out here's another idea I haven't seen proposed above. There are RedHat folks involved with https://www.linux-kvm.org/page/WindowsGuestDrivers / https://github.com/virtio-win/kvm-guest-drivers-windows who regularly make signed releases. Interest in usbip device pass-through to Windows guests seems like it might overlap quite a bit with other KVM paravirtualization needs, so perhaps they would be interested in a similar collaboration. Redhat provides WHQL signed stable releases of those virtio drivers to paying customers as part of RHEL, and donates attestation-signed builds of each upstream release to the public via https://fedorapeople.org/groups/virt/virtio-win. This at least means they already have all the certificates and other Microsoft account setup for driver signing, and some operation in that space. I don't have any direct connection, but @vrozenfe and @crobinso are names I see in https://fedorapeople.org/groups/virt/virtio-win/CHANGELOG making releases for virtio. It might be worth trying to reach out to them and see if any similar collaboration would be possible... Or if anyone here looking for usbip is already a customer for the RHEL virtualization tools, customers making feature requests would probably carry more weight than GitHub discussion...
Is there any hope of getting a signed driver? My organization has policies set which disallow use of test signed drivers.