USBIP Win - Sign by EV CodeSign certificate

[koudis]

Hello all,

it will be really nice to have usbip win driver signed properly. The driver must be signed by EV CodeSign cert which is not cheap.

Once the community agrees that the driver is stable I can discuss with our CEO about signing the driver by our EV Cert.

@cezanne let me known when the EV CodeSign will be needed.

[cezanne]

@koudis: It's great to hear the news from you. EV certificate will be required for using usbip-win at production level.

But usbip-win kernel drivers are still unstable and lacks some functionality such as application compatibility. Current WDM-based vhci does not solve several issues such as #111 even though a commercial virtual USB product has no problem.
Maybe, most application and USB libraries depend on microsoft provided pure root hub(usbhub.sys or usbhub3.sys).

Thus, I’m currently developing a kmdf-based vhci via UDE(USB device emulation).

[hnwentao]

Come on

[Ale268]

@cezanne
When do you expect the Project to be this far?

I am really interested in using this code without breaking my computers security.

Thanks anyway for the work yet done!

[cezanne]

@Ale268 :

When do you expect the Project to be this far?

My hope answers that this project requires 4~6 months until vhci(UDE) deserves an EV certificate. 😕

[saulrh]

Most anti-cheat software complains when driver test signing is on, meaning I can't use usbip until the client drivers are signed for release.

Is there a specific list of issues that are blocking the certification process or a concrete roadmap for a production version? I'd like to see if there's anything I can do, even if I only ever did device drivers on linux and that was years ago.

[septatrix]

My hope answers that this project requires 4~6 months until vhci(UDE) deserves an EV certificate.

Would this also eliminate the need for bcdedit.exe /set TESTSIGNING ON? If so I am very eager to get this as it allows using USBIP on a windows PC with secure boot enabled.

[DocMAX]

You can use EfiGuard!

[mahdibx]

Any news on this topic? could we organize a crowdfunding if the certification is expensive?

[versaloon]

Any progress about the certification?
We want to use usbip binaries in our commercial software, and can help to get the driver signed.
Is there any dedicated time for the code sign certification?

[versaloon]

BTW: we plan to use usbip as PC driver for our wireless USB hardwares

[dpvdberg]

This would be great :)

[koudis]

Hi all :),

we are still waiting for stable version. How it looks, @cezanne ?

[MinHyukPark121]

Hi everyone, do we have any updates on this? Even an update on the estimate would be nice :)

[joaoabreufilho]

Hi everyone, do we have any updates on this? Even an update on the estimate would be nice (:

[TheMohawkNinja]

@cezanne any updates? Once the cross-signed cert gets implemented, I can remove the need for a hardware USB switch for my project.

[kadrim]

very intersted on this topic :-)

[sensiki]

Any news on this topic?

[alexmi256]

This would be nice to have.
These are some prices:
DigiCert $700USD/yr, EV
sectigo $400/yr, EV
certum EV - $426 Cloud based, EV
certum Open Source $55/yr for OSS projects, cloud based, not EV
@cezanne I'd be willing to donate something and I'm sure others would as well

[maxdd]

up

Comodo - $279/yr, EV if for 2yrs

I'm curious though, is anyone using it in a "production" or "connected" environment and still accept the risk?

[forlayo]

Any news on this ? I am happy on contributing with a EV certificate if needed..

[cezanne]

@forlayo: I would appreciate your EV certificate. However, usbip-win vhci drivers should get attestation sign at MS partner portal after the EV certificate is registered in my partner portal. But I'm not sure that an EV certificate can be registered into multiple accounts. If it's not possible, you may be asked to provide your partner account or create my account on your partner portal.
Or you can contribute to sign vhci drivers yourself.

A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.

[lebtron]

A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.

I confirm this works as expected.

[MinHyukPark121]

A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.

Could we know when the current EV Certificate will expire?

[maxdd]

I guess you should wrap

  Enable test signing
  > bcdedit.exe /set TESTSIGNING ON
  reboot the system to apply

in something like "if not a signed release"

[cezanne]

@MinHyukPark121 :

Could we know when the current EV Certificate will expire?

Maybe after 3 months. However, once signed package can be safely installed with no test mode even though the certificate expires. Expiration matters only for package signing.

[cezanne]

@maxdd:

in something like "if not a signed release"

Good comment. thanks.

[paulpv]

Happy to contribute to signing cert!

As an alternative, would something like EfiGuard be of any use to workaround the signing requirement in trusted environments?
https://muffsec.com/blog/how-to-use-efiguard-to-disable-patchguard/

[CpServiceSpb]

If somebody send me OV sign for signing I will try to sign drivers by the sign.
I did it with my OV sign successfully and drivers were installed under Win10 LTSC19 well.

[forlayo]

@cezanne if you can guide me to set up my certificate on my partner portal to sign the driver I'll be happy on help signing it for you. I've just received my EV certificate today.

[CpServiceSpb]

@forlayo if you can you can try it to your own to sign the drivers using utilities from Visual Studioand DDK and got the EV by you.
Uf you doon' t have the utilities I can send you it which I signed my driver by OV on previous year.

[forlayo]

@CpServiceSpb It is first time I try to sign kernel model drivers so I am a bit lost.

If I set the "Sign Mode" of libdrv project of this repo to "Production Sign" it ask to put a "Cross-Signing Certificate". And as far as I am aware the drivers are now signed without cross-signing certificates, as Microsoft deprecated that way in favor of Windows HLK.

Then I understand the process as:

1. Having a partners account with Microsoft ( done )
2. Having an EV and add it to partners account ( done ).
3. Download Microsoft VHLK -> https://learn.microsoft.com/en-us/windows-hardware/test/hlk/
4. Mount VHLK using Hype-V virtual machine -> https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v
5. Set the environment with our driver and run the Windows Hardware Compatibility playlist, it's neede to have the tests passing.-> https://learn.microsoft.com/en-us/windows-hardware/test/hlk/
6. Create a submision package (.hlkx)
7. Submit the package on partners portal under hardware, as explained here -> https://www.ssl.com/how-to/signing-kernel-mode-drivers-for-windows-using-evcs-or-ovcs-certificates/

I have no problems on following this path, however I would like to have confirmation from @cezanne about this is the correct path and if possible to know how the driver should be compiled/signed; as apparently I can't set "Production Sign" there.

[forlayo]

I am checking also "Windows 10 attestation signed drivers" possible path, which looks easier.

But not sure if it would suffice, would be great if someone with experience with this sutff confirms :)

[forlayo]

Ok Windows 10 attestation signing works, let me know when you need me to sign usbip-win drivers ( as I saw that 0.3.6 is already signed and published. )

[CpServiceSpb]

@forlayo I signed my drivers by old sign issued on 2021 year worked fin on some W10.
On freshest one I didn' t test.
I did it with cross-signed certificate, not on "new way" .
I can either try to sign drivers by your EV sign if you send it or send you utilities I used.
But some additional lifehacks may be required.

Btw, is there USP-IP freshest driver for Win7 ?
I am still with it also.

[TheMohawkNinja]

@forlayo I signed my drivers by old sign issued on 2021 year worked fin on some W10. On freshest one I didn' t test. I did it with cross-signed certificate, not on "new way" . I can either try to sign drivers by your EV sign if you send it or send you utilities I used. But some additional lifehacks may be required.

Btw, is there USP-IP freshest driver for Win7 ? I am still with it also.

You mention a cross-signed cert. Is that now in the repo? Or did you purchase your own cross-signed cert?

[CpServiceSpb]

I used at those moment curremt cross sign certificate added to certificate storage of localachine. Regards, CpServiceSPb ср, 30 нояб. 2022 г., 05:13 TheMohawkNinja ***@***.***>:

…

@forlayo <https://github.com/forlayo> I signed my drivers by old sign issued on 2021 year worked fin on some W10. On freshest one I didn' t test. I did it with cross-signed certificate, not on "new way" . I can either try to sign drivers by your EV sign if you send it or send you utilities I used. But some additional lifehacks may be required. Btw, is there USP-IP freshest driver for Win7 ? I am still with it also. You mention a cross-signed cert. Is that now in the repo? Or did you purchase your own cross-signed cert? — Reply to this email directly, view it on GitHub <#171 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD2XQ7HXFBR6F5S5VIRPBNDWK2Z3JANCNFSM4OIUBM6A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[maxdd]

News here?

[forlayo]

@forlayo I signed my drivers by old sign issued on 2021 year worked fin on some W10. On freshest one I didn' t test. I did it with cross-signed certificate, not on "new way" . I can either try to sign drivers by your EV sign if you send it or send you utilities I used. But some additional lifehacks may be required.
Btw, is there USP-IP freshest driver for Win7 ? I am still with it also.

You mention a cross-signed cert. Is that now in the repo? Or did you purchase your own cross-signed cert?

The cross-signing certificate is a way of sign drivers that was deprecated by Microsoft, then it's needed to use an EV and being enrolled on Microsoft Partner portal. Then you've the option of getting Microsoft attestation which is enough for installing the driver on regular devices, or passing the full validation that needs VHLK and so on.

I am signing other drivers with EV and partner portal, and it's fine for a general usage. I can contribute with this project to sign the driver when it's needed; as right now it has a version already signed that works, then it's not needed to sign it again.

[MKPang]

Hello, I've been using https://woshub.com/how-to-sign-an-unsigned-driver-for-windows-7-x64/ to successfully self sign some old drivers I had for a USB TV Tuner (in Windows 11). Would this help for self signing usbip drivers? I had a go and couldn't get it to work server side (I don't have enough knowledge of Windows drivers). However, if somebody believes this option may work, I can provide a script to carry out the steps (of which, some are erroneous, by the way) mentioned in the provided website.

[maxdd]

@MKPang doesn't it work because we need kernel mode and not user mode? Where are you stuck at?