Options for OpenSource codesign?

Hello all!

Perhaps I could get some feedback on this series of assumptions. I am working on a port of OpenZFS, so it is a file system with a kernel driver component.


** Problem

When users want to try a build I make, they have to change Windows into “Test Mode”, which requires a reboot (and may have other side effects a novice Windows user might not be aware of).


** Desired Outcome

Have users be able to install a release that I create without needing to reboot / change to “Test Mode”.

If you are to use ZFS, you should probably use x64. So that is the main focus.

The latest Windows is 10 (at the time of this document), so it should support Win 10 x64 at least, since that is presumably the direction Microsoft is taking Windows, and any requirements here will be true for future versions of Windows.

Support of older Windows builds would be nice, but secondary.


** Assumptions

From Microsoft’s list of issuers, I picked DigiCert.


Which is “a tad” out of my budget for this Hobby.

Did I get those assumptions correct? What options do I have?

When users want to try a build I make, they have to change Windows into “Test Mode”, which requires a reboot (and may have other side effects a novice Windows user might not be aware of).

I think you are just dealing with the imagined “problem”…

To be honest, I just don’t see any reason why a novice Windows user would want to try something that is still at the development stage in the first place, and I most certainly cannot see any reason why a typical non-technical Windows user would want to try something as advanced as ZFS. I would say that, for the time being, a typical user would be a system-level programmer who is interested in the project in itself.

To codesign Win10 x64 I must first get EV certificate, it can not be Standard.

They are speaking about the desktop editions. Even when (and if) your project reaches a production-grade stage, I would say that it will mainly apply to higher-grade Windows Server versions anyway. Let’s face it - ZFS has been designed with the assumption of a higher-end hardware platform with lots of memory and CPU power, so it is not really suitable for a guy who runs the Home Edition of Windows on his laptop. If such a user is interested in ZFS-grade data management capabilities, they are more likely to buy a standalone NAS device that runs some FreeBSD derivative or Illumos distro (and, hence, is ZFS-capable), rather than directly installing ZFS on their Windows machines. I think that a typical user of ZFS for Windows is going to be a corporate one who runs a server-grade Windows system, so you will be able to use a Standard signing certificate.

In any case, for the time being you are so far away from this stage that it does not really make sense to even think about it…

Anton Bassov

To be honest, I just don’t see any reason why a novice Windows user would want to try something that is still at the development stage,

Sure, but whether that is next week, in 6 months, or 6 years doesn’t really matter; it needs to be addressed. Sure, I’m all for making it future-lundman’s problem. But there is no urgency either; I am merely researching what needs to be done.

Even when (and if) your project reaches a production-grade stage, I would say that it will mainly apply to higher-grade Windows Server versions anyway. Let’s face it - ZFS has been designed with the assumption of a higher-end hardware platform with lots of memory and CPU power

Yes and no. You are right that those who run SAN/NAS should use ZFS, and will spend money on it. Absolutely. However, I highly doubt that anyone on Windows would use ZFS on Windows for that. There are probably people who will now correct me and say running SAN products on Windows Server is great - which is cool and all, but that wasn’t actually my reason to port it to Windows. I did not imagine it being used as such, but it would be awesome if people tried it.

But there is a second type of user: those who want to have high compatibility. ZFS has become the filesystem to use between systems, on nearly all platforms, and is considerably better than FAT. It then also has the huge advantages of checksumming, compression, encryption, snapshots, send/recv, DDT etc. - even if you are not using redundancy (but you should) - ZFS is definitely the better choice over all other filesystems when it comes to cross-platform usage, or even just portable-disk usage. Sure, a brave statement perhaps, but I believe that to be true.

As for the quality of the project? We are about to go from Alpha to Beta. It is starting to be a challenge to make it crash. So, I wanted to research codesigning, so that the targeted user goes from adrenalin-junkie developers to fearless beta testers. I.e., I’m willing to spend money on it now, to buy certificates - just not $13,000. I even bought a copy of Windows for my DevStudio compiles. I know, for me, shocking. :)

Yes and no. You are right that those who run SAN/NAS should use ZFS, and will spend money on it. Absolutely. However, I highly doubt that anyone on Windows would use ZFS on Windows for that.

Actually, I think that demand for ZFS may be quite high in the higher-end domain. For example, consider a Hyper-V system where all actual disk access is reserved to the root partition, while the unprivileged ones deal with virtual disks that are physically stored as VHDX files in the root partition’s local FS. Therefore, all guest data is going to be lost if this FS gets screwed up. Would it not be great if these VHDX files were stored on a locally-attached ZFS pool that is managed by the root partition, effectively ensuring data integrity?

In fact, ZFS seems to be the best option for anyone who values his data, don’t you think…

Those who want to have high compatibility. ZFS has become the filesystem to use between systems,

I think this is just a direct consequence of the very obvious fact of ZFS being the most advanced and feature-rich FS that has ever been designed, at least up to this point. But in any case, its use seems to be prevalent only among more technically-inclined and/or higher-end users. The “average Joe” seems to be more interested in porting his data between his lower-end laptop and mobile phone, rather than between an Illumos or Linux distro, a FreeBSD derivative and a Windows PC…

Anton Bassov

Because of IDs and valid address, I then have to register in Japan.

Why, specifically, Japan? Is it because you live/work in Japan, Mr. Lundman?

Peter

Jorgen_Lundman wrote:

* To avoid Test Mode, the Driver (kernel component) has to be codesigned.
(Is this the correct assumption? It is not entirely clear - I don’t mind the Smartscreen warning, or having to click “trust this anyway” as long as it can be done without Test Mode and reboot.)

* To codesign Win10 x64 I must first get an EV certificate; it cannot be Standard.

The facts are rather convoluted.

Prior to Windows 10, you could sign your drivers with your own certificate (not necessarily EV), and cross-sign it with the Microsoft cross certificate. No “test mode” required.

In Windows 10, when “Secure Boot” is enabled, that’s no longer enough. The driver has to be signed BY Microsoft. You can either do the full HCK/HLK testing and submit for the WHQL signature (which is now free), or submit for “attestation signing”, where you just promise that you have done due diligence. In order to create the dashboard account so you can submit for WHQL signing or attestation signing, you must have an EV certificate. That EV certificate is not fundamentally part of the signing process.

However, if “Secure Boot” is not set in the BIOS, then the old cross-signing method works just like it always has. Thus, one alternative is to tell your users to turn off “Secure Boot” in their BIOS. That’s something local IT departments aren’t likely to approve.

From Microsoft’s list of issuers, I picked DigiCert.

* DigiCert had me show 2 IDs, 2 Skype video calls to fill in forms together, but I must also have a Registered Company. (Not non-profit, nor Organization - they check with Government)

Because of IDs and valid address, I then have to register in Japan.

It’s true that EV certificates are issued only to corporations. The primary purpose of the certificate is to ensure that you can be found in case your driver injures someone and there is a lawsuit, and individuals are not sufficiently traceable.

* To register a company in Japan costs about $13,000.

You have a decimal problem. 150,000 Yen is about $1,300.

Did I get those assumptions correct? What options do I have?

Your options are few. Windows drives hundreds of millions of computers in companies all over the world. Microsoft is not particularly interested in hobby driver developers.

@“Peter_Viscarola_(OSR)” said:

Because of IDs and valid address, I then have to register in Japan.

Why, specifically, Japan? Is it because you live/work in Japan, Mr. Lundman?

That is correct, my IDs had to have valid addresses, which are in Japan.

Prior to Windows 10, you could sign your drivers with your own certificate (not necessarily EV), and cross-sign it with the Microsoft cross certificate. No “test mode” required.

I guess I’m not sure what this means? Does that refer to getting a Standard certificate? Or, simply a self-signed certificate?

How is it affected by, if at all, the paragraph:
“Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.”

Which makes it sound like (and I am guessing) the old style will not work for newer installs?

So can you really get away with a simpler procedure if “Safe Boot” disabled is acceptable?

You have a decimal problem. 150,000 Yen is about $1,300.

Yes and no, the Healy URL listed $13,000 - as the cheapest option and I lazily quoted that. But that probably includes their services and in English. The 2nd URL (juridique) lists 50,000 + 40,000 + 60,000 (if GK is sufficient, 150,000 for KK) but they are put as “minimum” fees. But yes, potentially, only 150,000 or 210,000. Which is only $1500 - $2100 or so (handwaving exchange rates).

Microsoft is not particularly interested in hobby driver developers.

That is true, and I never expected them to be. But getting a clear answer was more challenging than I thought it would be. Thank you for your reply.

Jorgen_Lundman wrote:

I guess I’m not sure what this means? Does that refer to getting a Standard certificate? Or, simply a self-signed certificate?

It means a Class 3 Code-Signing Certificate, purchased from one of the certificate authorities for whom Microsoft has a cross-certificate.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing

How is it affected by, if at all, the paragraph:

“Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.”

Which makes it sound like (and I am guessing) the old style will not work for newer installs?

That paragraph should all be conditional on the phrase “when Secure Boot is enabled in the BIOS”.

So can you really get away with a simpler procedure if “Safe Boot” disabled is acceptable?

Yep.
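As an added illustration (not code from the thread or from the OpenZFS project), here is a PowerShell check a tester can run before loading a build: it reports the Secure Boot and Test Mode state that the replies above say decide which signature is accepted, and inspects the driver's embedded Authenticode signature. The driver path and the Microsoft publisher subject match are assumptions; `signtool verify /v /kp` from the WDK remains the authoritative kernel-mode policy check.

```powershell
# Added example (not from the thread or the OpenZFS project): summarise how a
# kernel driver's signature is likely to be treated on this machine, following
# the rules given in the replies above. Assumes Windows 10 PowerShell 5.1+, an
# elevated prompt (Confirm-SecureBootUEFI and bcdedit need it), and a .sys path.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverPath   # e.g. C:\Build\OpenZFS.sys (hypothetical path)
)

# 1. Secure Boot state. The cmdlet throws on legacy BIOS or without elevation,
#    so record "unknown" rather than guessing.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $null }

# 2. Is the current boot entry already in Test Mode? bcdedit prints plain text,
#    so match the "testsigning Yes" line of the current entry.
$testSigning = [bool]((bcdedit /enum '{current}' 2>$null) -match '^\s*testsigning\s+Yes')

# 3. Embedded Authenticode signature of the file. Catalog-signed drivers show
#    NotSigned here, so treat that result as "check the catalog", not "unsigned".
$sig    = Get-AuthenticodeSignature -FilePath $DriverPath
$signer = $sig.SignerCertificate

# Heuristic (not an official API): drivers signed through the Dev Portal
# (attestation or WHQL) carry a Microsoft hardware-compatibility publisher cert.
$devPortalSigned = ($null -ne $signer) -and
                   ($signer.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*')

$verdict = if ($testSigning)                   { 'Yes: Test Mode accepts test-signed drivers' }
    elseif ($sig.Status -ne 'Valid')           { "No: signature status is $($sig.Status)" }
    elseif ($secureBoot -eq $true -and -not $devPortalSigned) { 'No: Secure Boot requires a Dev Portal signature' }
    elseif ($null -eq $secureBoot)             { 'Unknown: run elevated on a UEFI system' }
    else                                       { 'Likely: confirm with "signtool verify /v /kp <driver>"' }

[pscustomobject]@{
    Driver          = $DriverPath
    SignatureStatus = $sig.Status
    Signer          = if ($signer) { $signer.Subject } else { '(none)' }
    Timestamped     = $null -ne $sig.TimeStamperCertificate
    SecureBoot      = if ($null -eq $secureBoot) { 'Unknown' } else { $secureBoot }
    TestSigning     = $testSigning
    ExpectedToLoad  = $verdict
}
```

Run it as `.\Check-DriverSigning.ps1 -DriverPath C:\Build\OpenZFS.sys` from an elevated prompt; a cross-signed Class 3 certificate will show as a non-Microsoft signer, which is exactly the case the replies say only loads with Secure Boot off.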

Sounds like my first step would be to ignore SafeBoot for now, and go with a Class 3 certificate. If eventually we get far enough, stable enough, to warrant Safe Boot I will look into this again.

But yes, potentially, only 150,000 or 210,000. Which is only $1500 - $2100 or so (handwaving exchange rates).

https://www.venturejapan.com/business-in-japan/doing-business-in-japan/how-to-start-a-company-in-japan/setting-up-with-gk-godo-kaisha/

  • A Japanese GK godo kaisha only needs JPY1 paid-in capital, but we recommend JPY1,000,000 or more as the GK will spend that much on incorporation and in the first few months of business.

So not entirely sure how much a GK would be.

I have now codesigned the project and it loads without Test Mode - thanks for the help everyone.