
ssde's Introduction

Hi

I'm Valentin Radu, an engineer who's passionate about computers, embedded devices, software and hacking. I created this web site so that I can share my knowledge on various topics with the world, exchange ideas, and receive feedback. Read more about who I am here.

ssde's People

Contributors

valinet


ssde's Issues

confusion

Hi, sorry! Newb here. I am trying to run a driver that no longer works outside of test mode. I don't wish to leave test mode enabled. This program seems like a solution, but the instructions are very confusing and seem to start in the middle of the process. Is there a slightly more noob-friendly readme? I'm pretty smart in general, but the language in the readme seems to be assuming information I'm clearly missing. Thank you so much for your time!

Properly install into a new system

Hi,
I've tested the method, and it worked fine when I generated the keys directly using this guide. Then I tried to export all the related keys to a new system:

// self-signed root CA certificate
localhost-root-ca.der
localhost-root-ca.pfx

// kernel mode certificate issued by self-signed root CA
localhost-km.der
localhost-km.pfx

// UEFI Platform Key certificate issued by self-signed root CA
localhost-pk.der
localhost-pk.pfx

I imported all the above certificates into the new system. Then I ran ssde_enable and it worked, as HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed is still 1. The ssde.sys signature is trusted and valid. But when I want to start its service (sc start ssde), I get the signature failure error. I am really unsure what the cause of the problem is, but I am pretty sure that the certificate shouldn't be a problem, as all the related certificates are installed in the exact same locations. Any help would be appreciated.

Almost working

Hello Valinet,

so I get pretty much to the end of the process before I run into trouble. I created the certificates and changed my motherboard's PK no problem, but towards the end, when I run SSDE_Enable, the computer reboots and runs the cmd stuff, then it reboots again and the registry key has a value of 1, and ssde_query confirms this. So I create the service that I'm supposed to in the final step, 2.6, and it says service created successfully. But now when I reboot, the regedit value is back to 0, which implies it's not working anymore. Also, on one of my reboots Windows would no longer start no matter what I did, so I had to restore from an image I took before I tried this. I have not been able to recreate that issue, though srttrail.txt said the issue was with sipolicy.p7b. I'm not sure if there's a relation between the two issues though. Any ideas or input would be great, thanks again.

UPDATE: regedit still shows a clear 0, but ssde_query says "1".

2023?

Does this still work? Win 10 22H2

Recommend using custom SiPolicy.xml

As of at least Windows 11 23H2, it's possible to install the ConfigCI PowerShell module without needing Education/Enterprise editions:
gci $Env:SystemRoot\servicing\Packages\*ConfigCI*.mum | % { dism /online /norestart /add-package:"$_" }
This makes it much easier to customize and recompile SiPolicy.xml, which is preferable to the currently recommended method of using the generic policy binary.
There's also a GUI interface called WDAC Wizard to help make the policy editing process a little easier; generating the base policy this way also means you don't need to worry about scanning any system folders either.

As an example, this is what my current working SiPolicy.xml looks like:

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.2.2.1</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Inherit Default Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Update Policy No Reboot</Option>
    </Rule>
  </Rules>
  <EKUs>
    <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="" />
    <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="" />
    <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="" />
    <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="" />
  </EKUs>
  <FileRules />
  <Signers>
    <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION_0">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION_1">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION_2">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2_3">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1_4">
      <CertRoot Type="Wellknown" Value="05" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5_5">
      <CertRoot Type="Wellknown" Value="04" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftCodeVerificationRoot2006" ID="ID_SIGNER_MICROSOFT_CODEVERIFICATION_2006_0_0">
      <CertRoot Type="Wellknown" Value="08" />
    </Signer>
    <Signer Name="Localhost Kernel Mode Driver Certificate" ID="ID_SIGNER_LOCALHOST_0">
      <CertRoot Type="TBS" Value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
      <CertPublisher Value="Localhost Kernel Mode Driver Certificate" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 02-06-2024" Value="131">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_0" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_1" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_2" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_3" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_4" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_5" />
          <AllowedSigner SignerId="ID_SIGNER_MICROSOFT_CODEVERIFICATION_2006_0_0" />
          <AllowedSigner SignerId="ID_SIGNER_LOCALHOST_0" />
        </AllowedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <Settings />
</SiPolicy>
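A way to review what a policy like the one above actually allows before compiling it, as an added PowerShell example (not code from the ssde project or from the poster): it reads a SiPolicy.xml, resolves every AllowedSigner to its Signer definition, and flags the custom TBS-pinned signers and the unsigned-policy option. The path .\SiPolicy.xml is an assumption; only the final, commented-out compile step needs the ConfigCI module.

```powershell
# Added example, not from the ssde project: summarise what a SiPolicy.xml
# allows before compiling it, so a custom policy can be reviewed first.
# The policy path is an assumption; point it at your own file.
param([string]$PolicyPath = '.\SiPolicy.xml')
function Get-CiPolicyReport {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$policy = Get-Content -LiteralPath $Path -Raw
    $root = $policy.SiPolicy

    # Index <Signer> elements by ID so each <AllowedSigner SignerId=...> can be resolved.
    $signers = @{}
    foreach ($s in @($root.Signers.Signer)) { $signers[$s.GetAttribute('ID')] = $s }

    $allowed = foreach ($scenario in @($root.SigningScenarios.SigningScenario)) {
        $refs = $scenario.ProductSigners.AllowedSigners.AllowedSigner | Where-Object { $_ }
        foreach ($ref in @($refs)) {
            $s    = $signers[$ref.GetAttribute('SignerId')]
            $ekus = $s.ChildNodes | Where-Object LocalName -eq 'CertEKU' |
                    ForEach-Object { $_.GetAttribute('ID') }
            [pscustomobject]@{
                Scenario  = $scenario.GetAttribute('ID')        # Value="131" is the kernel-mode driver scenario
                SignerId  = $ref.GetAttribute('SignerId')
                Name      = $s.GetAttribute('Name')
                RootType  = $s.CertRoot.GetAttribute('Type')    # Wellknown = Microsoft root, TBS = pinned custom cert
                RootValue = $s.CertRoot.GetAttribute('Value')
                EKU       = ($ekus -join ',')
                Custom    = ($s.CertRoot.GetAttribute('Type') -eq 'TBS')
            }
        }
    }

    [pscustomobject]@{
        Version = $root.VersionEx
        Options = @($root.Rules.Rule.Option)
        Allowed = @($allowed)
        Custom  = @($allowed | Where-Object Custom)
    }
}

$report = Get-CiPolicyReport -Path $PolicyPath
'Policy version {0}; rule options: {1}' -f $report.Version, ($report.Options -join '; ')
$report.Allowed | Format-Table Scenario, SignerId, RootType, EKU, Custom -AutoSize

# Custom signers are what widen the set of kernel code the machine will load;
# every TBS value here should be a certificate you generated and still control.
foreach ($c in $report.Custom) { 'Custom signer: {0}  TBS={1}' -f $c.Name, $c.RootValue }

if ($report.Options -contains 'Enabled:Unsigned System Integrity Policy') {
    'Note: the policy is unsigned, so anyone who can write to the EFI partition can replace it.'
}

# Once reviewed, compile it with the ConfigCI module:
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath .\SiPolicy.p7b
```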

Can't get policy rules working

Hi,
I just followed all the steps from the main article and used your suggested policy file. I ran the ssde_enable, and the logs were fine, but when I got into Windows, I saw that HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed is set to 1, but ssde_query shows zero. On the other hand, I can't start any self-signed driver and face the "verify the digital signature" error. I also tried to run your ssde driver, but as I said, I can't even start that either because, in the first place, I can't bypass the signature check. I think ssde_enable is the problem, because if it were fine, I would be able to start the driver immediately after system boot, but I can't do it.
I would appreciate it if you could help me get through this.

Setup on Dell XPS 15 7590 (generalize for your use case)

IMPORTANT

This laptop loses the PK EVERY time one changes any setting in the UEFI program (which is really annoying). A quick fix is this:

  1. After changing the setting in the UEFI, reboot into Windows, which will have Secure Boot turned off:
Confirm-SecureBootUEFI // <- will return False
sc delete ssde
uuidgen --random > GUID.txt
openssl pkcs12 -in PK.pfx -nocerts -out PK.key
openssl pkcs12 -in PK.pfx -clcerts -nokeys -out PK.crt
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.unsigned.esl
sign-efi-sig-list -k PK.key -c PK.crt PK PK.unsigned.esl PK.esl
Set-SecureBootUEFI -Name PK -SignedFilePath PK.esl -ContentFilePath PK.unsigned.esl -Time $(Get-Date -Format "o")

If everything goes well, final output from PowerShell should be something like this:

Name Bytes              Attributes
---- -----              ----------
PK   {230, 7, 9, 14...} NON VOLATILE...
  2. Run ssde_enable.exe. Let it reboot in Setup mode.
  3. Windows will finally reboot onto the desktop. Confirm-SecureBootUEFI will return True. Register back and start ssde:
sc create ssde binpath=%windir%\system32\drivers\ssde.sys type=kernel start=boot error=normal
sc start ssde

Original write up below:

This is the way I go about setting this up on my XPS 15 7590. Maybe you can use this as general guidance and customize according to your own configuration. The way to set the PK in the UEFI of your machine varies between BIOS brands, so a generic way is hard to list, but you can adapt this guide to suit your needs.

First off, I have a ventoy pen drive where I keep KeyTool.efi (KeyTool is part of the efitools package; the link takes you there; download the deb file, unpack it and find the UEFI application under data.tar\.\usr\lib\efitools\x86_64-linux-gnu\). I highly recommend doing this as it is very convenient.

Steps:

  • Prepare an auth file for KeyTool based on your PK.pfx (localhost-pk.pfx) that you have from following this. I also assume that you have the certificates installed into your system root after following the linked tutorial. Under a Linux distro (you can use WSL), run this (on Ubuntu, install efitools package using sudo apt install efitools):
uuidgen --random > GUID.txt
openssl pkcs12 -in PK.pfx -nocerts -out PK.key
openssl pkcs12 -in PK.pfx -clcerts -nokeys -out PK.crt
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth

Credits: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot and https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

The commands will ask for the PFX password, which you have set when you exported it, and also for a passphrase for the CRT file, which I recommend setting the same as the password for the PFX file.

  • Go into the BIOS (F2 at boot). Go to Secure Boot - Expert Key Management, choose PK and click Delete.
  • Go to Secure Boot in BIOS and enable it. Disregard the warning about the system not having a PK, you will install it next.
  • Boot the ventoy pen drive and from there KeyTool.efi. In there, enroll the PK using the auth file you have generated above. When done, Ctrl+Alt+Del to reboot the machine.
  • Boot into the BIOS and make sure your settings stuck: you have Secure Boot enabled. Optionally, verify with KeyTool.efi again that the PK was accepted.
  • Boot into Windows. Open PowerShell as admin and make sure Secure Boot is indeed enabled: Confirm-SecureBootUEFI should return True.
  • Install the SiPolicy.p7b file (open an administrative command prompt window in the folder where you have the policy file):
mountvol x: /s
copy SiPolicy.p7b x:\EFI\Microsoft\Boot\SiPolicy.p7b
shutdown /t 00 /r

This mounts the EFI partition at X:, installs the policy file and reboots the system.

  • Execute ssde_enable.exe. The system will reboot in Setup mode, where the program finishes its job.
  • When rebooted, make sure the system is "licensed" to use the feature: open Registry Editor and go to HKEY_LOCAL_MACHINE\system_c\ControlSet001\Control\CI\Protected and check if the Licensed entry is set to 1. If it is, it's all good; if not, try again with ssde_enable.exe or reboot into a WinPE environment (you can throw a Windows ISO onto the ventoy pendrive and boot that), press Shift+F10 to get to a command prompt; in there, type regedit, then select the HKLM key on the left, File - Load Hive and locate the HKLM\System datastore from your Windows install at letter:\Windows\System32\config\System and load that. Try to change the Licensed entry from there, reboot and see if it stuck.
  • When you are confident you have Licensed set to 1 and that Secure Boot is enabled (Confirm-SecureBootUEFI) and that the policy file is installed on the EFI partition, then you can move on with installing the ssde.sys driver which should work just fine now and load easily:
  1. Compile the ssde.sys driver or download the pre-compiled one here.
  2. Sign the downloaded driver using signtool.exe. This comes with the Windows SDK; alternatively, use these instructions to extract and install it alone from the SDK: signtool sign /fd sha256 /a /ac .\localhost-root-ca.der /f .\localhost-km.pfx /p password /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp ssde.sys. Replace "password" with the password you set when you exported the PFX file.
  3. Now, copy the signed ssde.sys into C:\Windows\System32\drivers.
  4. Install the driver: sc create ssde binpath=%windir%\system32\drivers\ssde.sys type=kernel start=boot error=normal.
  5. Start the driver: sc start ssde.

If everything went fine and you did it correctly, the driver will show its status as running:

SERVICE_NAME: ssde
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

If you did something wrong, you will get the famous driver signature error when you query the status. Make sure to check again all the steps mentioned above. Again, from what I have seen, the conditions for drivers to load successfully and not throw the signature error are:

  • Have the main certificate that you have generated installed into the trusted root certificate store of the machine (localhost-root-ca).
  • Have the PK certificate installed as the PK of the machine, a certificate that's a descendant (direct child) of the main certificate you have in the trusted root of the machine (localhost-pk).
  • Have any driver that you plan on loading be signed with a certificate that's a descendant (direct child) of the main certificate you have in the trusted root of the machine (localhost-km).
  • Have Secure Boot enabled (execute Confirm-SecureBootUEFI in PowerShell to confirm).
  • Have a proper policy file (SiPolicy.p7b) copied at the proper location (\EFI\Microsoft\Boot\SiPolicy.p7b) on the EFI partition.
  • Have the system be licensed for this functionality: HKEY_LOCAL_MACHINE\system_c\ControlSet001\Control\CI\Protected\Licensed is 1. To maintain this state (the value is reset on every reboot), after we initially trick Windows into having it set to 1 (using ssde_enable.exe or the WinPE trick I described above), we have to load the ssde driver in the system (and have it load on every boot); ssde is a very simple driver which monitors the kernel for changes to the licensed status of this feature and reverts it to being licensed when something in the system changes it (because, with the SKUs of Windows we have, we are not really licensed by Microsoft for this - only the Chinese Government is, so as to spy on its people). This driver is a sure way to have the system always be licensed for this functionality.

To check the status of the driver:

  • Execute ssde_info.exe which reports the number of times the licensed status for this feature has been reverted, plus some other info.
  • Execute ssde_query.exe to query the licensed status for this feature.

Also note that the XPS 15 seems to forget this custom PK if we mess with settings in the BIOS after we set it up, so after each change, all I do is boot into KeyTool.efi, re-enroll the PK and re-enable Secure Boot in the BIOS, and it seems to work and Windows continues to load my own signed drivers.

Hope this helps shed more light on how to run this.
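To check the load conditions the post lists in one go, before or after installing ssde.sys, here is an added PowerShell example (not the post author's or the project's code). It assumes the exported localhost-root-ca.der and localhost-pk.der are in the current directory, that the driver has already been copied to System32\drivers, and that X: is free; the registry path and the X: mount point are the ones used in the post, and the PK check is a raw byte search for your PK certificate inside the firmware's PK variable.

```powershell
# Added example, not part of the ssde project: checks the load conditions
# listed above from an elevated PowerShell. The certificate and driver paths
# are assumptions; point them at the files you exported.
param(
    [string]$RootCaDer = '.\localhost-root-ca.der',
    [string]$PkDer     = '.\localhost-pk.der',
    [string]$Driver    = "$env:windir\System32\drivers\ssde.sys"
)

function Test-SsdePrerequisites {
    param([string]$RootCaDer, [string]$PkDer, [string]$Driver)
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCaDer)
    $pk   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PkDer)

    # 1. The generated root CA must be in the machine's trusted root store.
    $rootTrusted = $null -ne (Get-ChildItem Cert:\LocalMachine\Root |
                              Where-Object Thumbprint -eq $root.Thumbprint)

    # 2. Secure Boot on, and the PK variable must contain our PK certificate.
    #    A raw byte search is used so the ESL/EFI_TIME header layout does not matter.
    $secureBoot = Confirm-SecureBootUEFI
    $pkVarHex   = [BitConverter]::ToString((Get-SecureBootUEFI -Name PK).Bytes) -replace '-'
    $pkDerHex   = [BitConverter]::ToString($pk.RawData) -replace '-'
    $pkEnrolled = $pkVarHex.Contains($pkDerHex)
    $pkFromRoot = ($pk.Issuer -eq $root.Subject)   # issuer-name check only, not chain validation

    # 3. The driver must be signed by a certificate issued directly by our root.
    $sig = Get-AuthenticodeSignature -FilePath $Driver
    $driverFromRoot = [bool]($sig.SignerCertificate -and $sig.SignerCertificate.Issuer -eq $root.Subject)

    # 4. The policy must sit on the EFI system partition (X: must be a free drive letter).
    mountvol X: /s
    $policyOnEsp = Test-Path 'X:\EFI\Microsoft\Boot\SiPolicy.p7b'
    mountvol X: /d

    # 5. Licensed flag and driver state; ssde.sys is what keeps the flag at 1 across reboots.
    $ci  = Get-ItemProperty 'HKLM:\SYSTEM\ControlSet001\Control\CI\Protected' -ErrorAction SilentlyContinue
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='ssde'"
    $drvState = if ($drv) { $drv.State } else { 'not installed' }

    [pscustomobject]@{
        RootCaTrusted        = $rootTrusted
        SecureBootEnabled    = $secureBoot
        EnrolledPkIsOurs     = $pkEnrolled
        PkIssuedByRootCa     = $pkFromRoot
        DriverSignatureState = $sig.Status
        DriverIssuedByRootCa = $driverFromRoot
        PolicyOnEsp          = $policyOnEsp
        Licensed             = $ci.Licensed
        SsdeDriverState      = $drvState
    }
}
Test-SsdePrerequisites -RootCaDer $RootCaDer -PkDer $PkDer -Driver $Driver | Format-List
```

Any False in the output points at the corresponding step in the post; a Valid driver signature together with PolicyOnEsp and Licensed at 1 is the state in which sc start ssde succeeds.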
