Method to acquire a code signing certificate for ELAM driver

Our organization wants to integrate ELAM driver based security into our solution, and for that we need a code signing certificate that can sign an ELAM driver.
Is there an option for academic research groups to be a part of the Microsoft Virus Initiative? If not, what are the possibilities for non-commercial security research groups to obtain such a code signing certificate?

On Jun 1, 2018, at 5:28 PM, xxxxx@gmail.com wrote:
>
> Our organization wants to integrate ELAM driver based security into our solution, and for that we need a code signing certificate that can sign an ELAM driver.
> Is there an option for academic research groups to be a part of the Microsoft Virus Initiative? If not, what are the possibilities for non-commercial security research groups to obtain such a code signing certificate?

The certificate requirements for ELAM drivers are the same as those for other drivers. You have to submit for WHQL, which means you need a dashboard account, which means you need an EV certificate. You’ll need to go survey some certificate authorities to see if any of them are willing to issue one to your university.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On Fri, Jun 1, 2018 at 7:28 PM, xxxxx@gmail.com wrote:
> Our organization wants to integrate ELAM driver based security into our solution, and for that we need a code signing certificate that can sign an ELAM driver.
> Is there an option for academic research groups to be a part of the Microsoft Virus Initiative? If not, what are the possibilities for non-commercial security research groups to obtain such a code signing certificate?
>

Can you turn on testsigning? Can you have your IT department install a
key on all machines?

I have heard testsigning has quit working (e.g. mandatory signing with
your own key). If so I recommend paying for an EV cert and then
sending Microsoft a notice of dispute. If it fails, I recommend suing
them in small claims court for the costs you incurred.

Cheers,
R0b0t1

Yes, I have tested the solution by enabling test signing and installing a
self-signed certificate. But it is not feasible to enable test signing and
push a self-signed certificate to all machines on all campuses. We need to
have a genuine ELAM code signing certificate. I am in touch with a couple of
vendors to obtain an EV code signing certificate and will follow the steps
mentioned by Tim.
I hope this will work.

On Mon, Jun 4, 2018 at 10:22 AM, xxxxx@gmail.com wrote:

> On Fri, Jun 1, 2018 at 7:28 PM, xxxxx@gmail.com wrote:
> > Our organization wants to integrate ELAM driver based security into our
> > solution, and for that we need a code signing certificate that can sign an
> > ELAM driver.
> > Is there an option for academic research groups to be a part of the
> > Microsoft Virus Initiative? If not, what are the possibilities for
> > non-commercial security research groups to obtain such a code signing
> > certificate?
> >
>
> Can you turn on testsigning? Can you have your IT department install a
> key on all machines?
>
> I have heard testsigning has quit working (e.g. mandatory signing with
> your own key). If so I recommend paying for an EV cert and then
> sending Microsoft a notice of dispute. If it fails, I recommend suing
> them in small claims court for the costs you incurred.
>
> Cheers,
> R0b0t1
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> <http://www.osronline.com/page.cfm?name=ListServer>

I am planning to sign my service binary with the same ELAM driver signing
certificate. Does that mean that I have to upload my service exe to the WHQL
portal as well, or does this apply to drivers only?

On Mon, Jun 4, 2018 at 11:00 AM, Berouz A wrote:

> Yes, I have tested the solution by enabling test signing and installing a
> self-signed certificate. But it is not feasible to enable test signing and
> push a self-signed certificate to all machines on all campuses. We need to
> have a genuine ELAM code signing certificate. I am in touch with a couple
> of vendors to obtain an EV code signing certificate and will follow the
> steps mentioned by Tim. I hope this will work.
>
> On Mon, Jun 4, 2018 at 10:22 AM, xxxxx@gmail.com wrote:
>
>> On Fri, Jun 1, 2018 at 7:28 PM, xxxxx@gmail.com wrote:
>> > Our organization wants to integrate ELAM driver based security into our
>> > solution, and for that we need a code signing certificate that can sign an
>> > ELAM driver.
>> > Is there an option for academic research groups to be a part of the
>> > Microsoft Virus Initiative? If not, what are the possibilities for
>> > non-commercial security research groups to obtain such a code signing
>> > certificate?
>> >
>>
>> Can you turn on testsigning? Can you have your IT department install a
>> key on all machines?
>>
>> I have heard testsigning has quit working (e.g. mandatory signing with
>> your own key). If so I recommend paying for an EV cert and then
>> sending Microsoft a notice of dispute. If it fails, I recommend suing
>> them in small claims court for the costs you incurred.
>>
>> Cheers,
>> R0b0t1
>>

xxxxx@gmail.com wrote:

> I am planning to sign my service binary with the same ELAM driver
> signing certificate. Does that mean that I have to upload my service
> exe to the WHQL portal as well, or does this apply to drivers only?

There is no such thing as an “ELAM driver signing certificate”. All EV
code signing certificates are the same. Submitting your ELAM driver is
exactly the same as submitting any other driver, except that when you
submit the package, you’ll check the box saying the driver is for ELAM
purposes.

WHQL doesn’t test services, and unless things have changed dramatically,
user-mode services do not have to be signed.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It is my experience that the EV certificate is only required to create the MS Hardware account. Once the account is created, you can add a Class 3 certificate to it and use the Class 3 certificate to sign the drivers.

You may want to find out if another organization on your campus already has a Microsoft Hardware account. If so, and they are friendly and helpful, you can add your Class 3 Code Signing Certificate to their account. This does not require either party to share any keys. You may be able to avoid the expense and trouble of acquiring an EV certificate, which is both more expensive and a real nuisance to manage. I would be very interested in knowing if this works.

xxxxx@nlited.com wrote:

> It is my experience that the EV certificate is only required to create
> the MS Hardware account. Once the account is created, you can add a
> Class 3 certificate to it and use the Class 3 certificate to sign the drivers.

Yes – this is an excellent point. In my 3-person office, these are
considerations I don’t think about.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I’m not familiar with the history of this thread, but are you writing a
protected service to pair with your ELAM driver?

mm

On Mon, Jun 4, 2018 at 8:55 AM, xxxxx@nlited.com wrote:

> It is my experience that the EV certificate is only required to create the
> MS Hardware account. Once the account is created, you can add a Class 3
> certificate to it and use the Class 3 certificate to sign the drivers.
>
> You may want to find out if another organization on your campus already
> has a Microsoft Hardware account. If so, and they are friendly and helpful,
> you can add your Class 3 Code Signing Certificate to their account. This
> does not require either party to share any keys. You may be able to avoid
> the expense and trouble of acquiring an EV certificate, which is both more
> expensive and a real nuisance to manage. I would be very interested in
> knowing if this works.

On Mon, Jun 4, 2018 at 10:52 AM, xxxxx@probo.com wrote:
> xxxxx@gmail.com wrote:
>> I am planning to sign my service binary with the same elam driver
>> signing certificate. Does that mean that I have to upload my service
>> exe to WHQL portal as well or this applies to drivers only?
>
> There is no such thing as an “ELAM driver signing certificate”. All EV
> code signing certificates are the same. Submitting your ELAM driver is
> exactly the same as submitting any other driver, except that when you
> submit the package, you’ll check the box saying the driver is for ELAM
> purposes.
>
> WHQL doesn’t test services, and unless things have changed dramatically,
> user-mode services do not have to be signed.
>

With an ELAM driver, the service's signing key (and signature?) is
baked into the driver, and the service is signed.

Someone else’s suggestion that only one EV certificate is needed was
very helpful, thank you. They’re still a bit pricey.