valinet / ssde

SSDE is a collection of utilities that help in having Windows load your custom signed kernel drivers when Secure Boot is on and you own the system's platform key, instead of using test mode.
MIT License

Improved CKS Enablement Scheme. #10

Open DavidXanatos opened 2 months ago

DavidXanatos commented 2 months ago

I had a lot of headaches with ssde_enable.exe and I came up with a much more convenient solution.

  1. Set up everything, Own PK & Co, Policy, etc...
  2. Reboot to UEFI and disable Secure Boot
  3. Install the ssde Driver
  4. Enable test signing and reboot twice
  5. Check Licensed == 1 and ssde driver running
  6. Reboot to UEFI and enable Secure Boot

Voila, nothing but the driver is needed, and it is very reliable.

793359277 commented 1 month ago

I tested this project and the driver was loaded successfully, but some drivers that were supposed to be loaded could not be loaded (not all), such as the leaked signature, and even many regular drivers. When loading the driver, it prompted "Your organization uses device guard to block this app". I decided not to use this item anymore, and finally deleted the SiPolicy.pb7 file in the EFI partition. These abnormal drivers can be loaded again. Why? Is it my fault?

793359277 commented 1 month ago

Strange things happened again. After I regenerated the binary file of the Enterprise Edition, the driver can be loaded normally. Is it because it was generated in the Professional Edition before? After using ssde_enable.exe once, why can the self-signed driver be loaded normally every time the computer is started? I don't even use ssde.sys. Shouldn't this be restored after restarting?

DavidXanatos commented 1 month ago

Did you generate your own SiPolicy xml with PowerShell or did you use a pre-made one by someone else? In my experience the pre-made ones are missing some root certs, so they are not always suitable for every system, and the symptom is, as you saw, egotistic 3rd party drivers not loading.

If you have sppsvc service stopped I think the license data are not restored anymore.

793359277 commented 1 month ago

> Did you generate your own SiPolicy xml with PowerShell or did you use a pre-made one by someone else? In my experience the pre-made ones are missing some root certs, so they are not always suitable for every system, and the symptom is, as you saw, egotistic 3rd party drivers not loading.
>
> If you have sppsvc service stopped I think the license data are not restored anymore.

I regenerated the xml myself and there was no problem. Thanks for your reply!
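
Added example, not part of the thread or of the ssde project: one way to check the point raised above about pre-made SiPolicy XML files missing root certs is to compare the root certificates each policy allows in the kernel-mode signing scenario. The function names, signer IDs, names and hash values below are constructed for illustration, and the check assumes the policy allows drivers through `Signer`/`CertRoot` entries rather than file-hash rules.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
KERNEL_SCENARIO = "131"  # Value of the kernel-mode SigningScenario in policy XML

def kernel_roots(policy_xml):
    """Map CertRoot TBS hash -> signer name for signers allowed in kernel mode."""
    root = ET.fromstring(policy_xml)
    signers = {s.get("ID"): s for s in root.findall("si:Signers/si:Signer", NS)}
    roots = {}
    for sc in root.findall("si:SigningScenarios/si:SigningScenario", NS):
        if sc.get("Value") != KERNEL_SCENARIO:
            continue  # skip the user-mode scenario
        for ref in sc.findall("si:ProductSigners/si:AllowedSigners/si:AllowedSigner", NS):
            signer = signers.get(ref.get("SignerId"))
            cert = signer.find("si:CertRoot", NS) if signer is not None else None
            if cert is not None:
                roots[cert.get("Value").upper()] = signer.get("Name")
    return roots

def missing_roots(premade_xml, own_xml):
    """Roots the locally generated policy trusts but the pre-made one lacks."""
    premade, own = kernel_roots(premade_xml), kernel_roots(own_xml)
    return {tbs: name for tbs, name in own.items() if tbs not in premade}

def sample_policy(signers):
    """Build a constructed policy from (id, name, tbs) tuples, for the demo only."""
    defs = "".join(f'<Signer ID="{i}" Name="{n}"><CertRoot Type="TBS" Value="{t}"/></Signer>'
                   for i, n, t in signers)
    refs = "".join(f'<AllowedSigner SignerId="{i}"/>' for i, _, _ in signers)
    return (f'<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"><Signers>{defs}</Signers>'
            f'<SigningScenarios><SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1">'
            f'<ProductSigners><AllowedSigners>{refs}</AllowedSigners></ProductSigners>'
            f'</SigningScenario></SigningScenarios></SiPolicy>')

# Constructed sample data: placeholder names and hashes, not real certificates.
OWN_KEY = ("ID_SIGNER_OWN", "Own kernel signing root (constructed)", "aa11")
VENDOR = ("ID_SIGNER_VENDOR", "Third-party vendor root (constructed)", "bb22")
PREMADE = sample_policy([OWN_KEY])          # stands in for a policy made elsewhere
LOCAL = sample_policy([OWN_KEY, VENDOR])    # stands in for one generated on this system

if __name__ == "__main__":
    for tbs, name in missing_roots(PREMADE, LOCAL).items():
        print(f"pre-made policy lacks kernel-mode root {tbs}: {name}")
```

To use it on real files, read both policy XML files as text and pass them to `missing_roots`; any root it reports is a candidate explanation for a driver that loads under one policy but is blocked under the other.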