Driver Signing

[larsiusprime]

Hey there! I'm very interested in this tool, I work with the HaxeFlixel team and I'm currently working on adding Wii Remote support. I was previously using the DolphinBar accessory's built-in support, but it has some limitations when used in Gamepad Mode (Mode 3) and I'm wondering if your tool might be the best option. That said, for us to really use this project "officially" it would have to be something that a HaxeFlixel game developer could ship with their game as part of the installation process, and that means a properly signed driver -- I certainly don't mind booting into safe mode, but a regular end-user can't be expected to do that.

I understand that getting a signed driver can be a bit of a challenge so I'd just like to step in and offer to help -- what's standing in your way to getting an officially signed driver? Paperwork? Money?

There's probably enough people interested in seeing this solution be more widely available that I could try to make some connections to speed the process up. Just let me know what you need.

[jloehr]

Hi, thanks for you interest.

I am looking into the Driver Signing as well. The main problem currently is the charge for an appropriate signing certificate. For drivers a Level 3 Code Signing Certificate is needed that is accepted by Microsoft as kernel driver signature. The supported ones are from Symantec and DigiCert, but the charge for a one year valid certificate is around $500 or $1250 for three years (the certificate only needs to be valid when the driver is build and signed). There are some cheaper certificate providers but they may not work or only on certain systems.

That is for a standard certificate for Windows Vista to Windows 8.1. Starting with Windows 10 Microsoft changed their driver signing policy. So first of all a EV Code Signing Certificate is required, which does cost a little bit more than the standard certificate, plus requires some paperwork for the validation. But the EV Certificate is not enough, a Mircosoft Hardware Dev Account is required to submit the driver and get it additional signed by Microsoft. And AFAIK private persons/hobby programmers are not eligible for such Hardware Dev Account. So that would indeed require some connections and maybe a self-employment to qualify for it.

[jloehr]

Oh ok, just checked DigiCert, their certificates are much cheaper. $111,- for a one year standard certificate ($267 for three years) $224,- for a one year EV certificate ($500 for three years)

And it seems like everyone with an EV certificate can register/create a Hardware Dev Account.

[larsiusprime]

Cool, that's not too bad, maybe we could put together a little collection. Will DigiCert work for Windows 7, 8, and 10?

[jloehr]

I think so. Ah, DigiCert has 50% off when starting the purchase with the Microsoft link.

For UEFI Secure Boot platforms a WHQL signature is required as well, but i don't know how hard it is to get one. On the other hand how many system that are used for gaming have Secure Boot enabled. https://msdn.microsoft.com/en-us/library/windows/hardware/ff548231(v=vs.85).aspx

[larsiusprime]

Well, I think if we just start with basic support that will be enough for most people, and can help drive adoption of your tool. I'd wait for actual real-world users to start complaining about needing secure boot compatibility before worrying about that too much.

[hgustafsson]

Have you considered contacting The ReactOS Foundation for help with signing the driver?

According to https://www.reactos.org/wiki/Driver_Signing they have a certificate and offer to help open source projects that wish to distribute signed 64bit drivers for Windows.

[jloehr]

I did back then, when this project was not Open-Source yet. However for Windows 10 you need to cross-sign the driver with an Microsoft Certificate and therefore need a Hardware Dev Account. I don't know whether they have one and are able to sign for Windows 10.

I may contact them for the next major release. One issue would be releasing Hotfixes, as they are going to build the driver themselfs. So it would increase release time. Additional they do a code review and my driver still lacks some "good driver practices", like IRQL checking and code paging. However on the other hand, its better than no signing at all.

[mirh]

nefarius/ScpToolkit#273 is really worth a read

[Papermanzero]

Could a Kickstarter project or Patreon project support? A extension of the project to add a configuration application with different mapping possibilities could rise attention.

[nefarius]

I consider starting a Patreon Campaign for my own projects since my collection of kernel-mode stuff keeps growing rapidly :smile: I've even figured out all this signing BS and a partner company that would help me purchase one. We could join forces on that.

[jloehr]

@Papermanzero That's my plan when the major update is released.

@nefarius That sound great! :smile:

[larsiusprime]

Let me know! Would love to help!

On Wed, Aug 10, 2016 at 2:57 PM, Julian Löhr notifications@github.com wrote:

@Papermanzero https://github.com/Papermanzero That's my plan when the major update is released.

@nefarius https://github.com/nefarius That sound great! 😄

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/jloehr/HID-Wiimote/issues/5#issuecomment-238985106, or mute the thread https://github.com/notifications/unsubscribe-auth/AAtG-PZv_RB0txDKB21srjMue4FQyKnZks5qei0zgaJpZM4FW1M3 .

www.fortressofdoors.com -- Games, Art, Design

[mirh]

.. I wonder if you couldn't sign old damn x64 TAGES .sys drivers at this point. EDIT: which is totally OT, but something I was still wondering

[axfelix]

Has there been any progress on this? Just curious, as I'd still love to see this get signed.

[evilC]

@jloehr Come join the HidWizards Discord Channel - It's a channel for developers of remapping apps/drivers etc.
@nefarius is in there, he has a cert.
There are other people in and around there that we know with certs.
I organized Shaul's first cert for vJoy back in the day from my user-base, we got the money in like a week. Have a much larger user-base now, so one way or another we should be able to sort this pretty quickly and spread the cost.

[markwkidd]

Is this still a viable possibility?

[cgarz]

To be honest I personally don't think Microsoft should get any money for this.

It would be better if they made it easier for users to decide for themselves what they want to trust and run.

But they instead are all but straight up entirely blocking user choice, so imo they are entirely undeserving of yet more money.

Is there no way to circumvent the issue besides test mode?

[mirh]

You aren't paying microsoft, but certificate authorities. And you can't just use a self-signed certificate out of the box, because if everybody could do that on a whim, then you wouldn't have a chain of trust.

But you are free to run in test mode, if you don't care about such security measure? What's the deal? Situation is unlucky, but necessary (or better yet, W10 requires big beefy and even more expensive certificates now, but that's a quantitative issue if any).

I wonder if the mini-HID driver couldn't be implemented in UMDF though?

[cgarz]

Ah, I was under the impression it was Microsoft, apologies.

Microsoft has certainly forced the issue more than they should have however. I believe that the end user should have the final say on what runs on their machine without paying exorbitant fees. So imo such behavior shouldn't be encouraged. Test mode is not a reasonable compromise. It's tedious and unnecessarily complicated to activate, not to mention it puts ugly watermarks on your screen.

UMDF certainly looks worth further reading thanks.

[mirh]

Test mode is set and forget AFAIK And the watermark is kind of a security measure in itself, though I'm told Universal Watermark Disabler should be able to do something to it.

[cgarz]

That linked article itself mentions compatibility issues. There are probably other similar issues as well. Test mode really doesn't seem like a proper solution at all. Even the name implies that it should be temporary at best.

Method 2 looks interesting, I figured that unsigned stuff wouldn't work if windows wasn't running normally but this seems to indicate that only the installation needs to be done in an altered state, after which you can return to normal. Although, that process looks even more unnecessarily tedious and cumbersome.

If only windows was open source, we could create an issue requesting that they fix this glaring user choice problem and even make a fork when they inevitably ignore it.

[mirh]

They aren't "issues". They are security-sensitive applications that refuse to run in a potentially compromised enviorment. Besides anticheat, I'm not aware of anything else requiring this.

And it's called test mode because indeed normal gullible people aren't meant to run daily this way.

but this seems to indicate that only the installation needs to be done in an altered state, after which you can return to normal.

No. It wouldn't make sense (because you would have to store somewhere the "state" of the installation, and that would be vulnerable to attacks) It just means that the setting doesn't stick. Every single reboot, you either force your way into to the windows boot options, or it will boot normally.

If only windows was open source, we could create an issue requesting that they fix this glaring user choice problem and even make a fork when they inevitably ignore it.

If windows was open source, you'd have different forks with different root trusts, which would have to be whitelisted independently by anticheat software.

[cgarz]

Oh my, so it actually won't run? So you would have to do that silly dance every time you dare to run something that you have decided to grant trust on your own authority? So disappointing. It really seemed like only the installation part was the issue from my quick read but I should have known better I guess.

What a terrible position to put your users in. Either fork over lumps of cash, run in weird modes that cause weird issues, or jump through 50 hoops on every single boot. Just for daring to have the audacity to take some agency over the machine you own? :man_facepalming:

There are ways to have both security and user freedom. Sure, ignorant users may make that more difficult. But punishing those capable due to the existence of those incapable is extremely dubious.

[mirh]

So you would have to do that silly dance every time you dare to run something that you have decided to grant trust on your own authority?

Because there's nothing actually differentiating "you" the legit user from "you" malware? Until Secure Boot was created, that is at least, but they cannot rely for that on older systems.

Test mode is what you want. Anticheat not running is in fact the same situation you'd get in linux. You are overthinking this.

[cgarz]

We'll have to agree to disagree I guess as we are getting off topic now. Thanks for the information anyway.

As for the issue at hand. My opinion to not encourage having to pay even a penny extra to exercise agency on your own machine, remains. Unsigned UMDF or something similar would be what I would recommend.

[nefarius]

Just to chime in; porting/rewriting to UMDF v2 would really be a nice idea if possible (no kernel features required). You can self-sign an UMDF driver with a "cheap" Authenticode cert or the "expensive" EV cert without the need to upload every driver version to Microsofts Partner Portal (like I did with DsHidMini - shameless plug 😉 )

[mirh]

Yes, that's what I had in mind. But.. is it possible here though? I think to remember you had said quite many operations weren't available (put aside the debatably reduced performance).

[nefarius]

I just had a brief look at the code again to refresh what was going on and the existing design can unfortunately not be ported to UMDF without looking for alternative implementations first, because the internal IOCTLs to communicate with the Bluetooth stack is only available to kernel drivers.

As for performance... you can't tell the difference so why worry 😉