Self Signed Driver Enabler for Windows
SSDE is a collection of utilities that help in having Windows load your self signed (custom signed) drivers when Secure Boot is on and you own the platform key of the system, instead of resorting to running the system in test mode.
This is based off great work by the following:
- Licensed Driver Signing in Windows 10 [1]- original very detailed explanation and PoC
- HyperSine / Windows10-CustomKernelSigners [2] - original working implementation
I recommend reading the 2 resources above before proceeding, at least familiarizing well with what they describe. This README is not step by step, but it includes my observations on how to get this working on current Windows releases starting from the directions set by those.
Disclaimer
This is not entirely new code, but merely an adaptation of work already available in the repositories listed above. For this project, what I did was rewrite the kernel driver needed to maintaining the licensing state starting from Geoff's example and using the essential stuff from the original ckspdrv.sys driver.
Also, I also put together a helper app that interrogates this new driver and obtains the number of times the policy has been enforced on the system (ssde_info
), a helper app that obtains the policy status from the registry in user mode (ssde_query
) and also included the largely unchanged CustomKernelSigner enabler, with only bug fixes so that it does not boot loop anymore (ssde_enable
aka EnableCKS.exe
).
Precompiled binaries
Go to Releases to get precompiled files that you can use.
I have personally tested this and it works on Windows 11 build 22000.1.
How to?
Please follow the tutorial in [2] and apply what I describe in my notes below.
2.3 Build kernel code-sign certificate rules
I recommend using the policy from [1] instead of the one recommended in [2], which is available here and here (already in binary form, so that you do not necessarily require Enterprise or Education editions of Windows).
2.5 Enable CustomKernelSigners
There are 2 ways to do this:
- Use
ssde_enable.exe
method - this will reboot Windows in setup mode, where the policy can be changed from user mode, and then reboot the system; at next boot, the policy will be licensed and enabled (checkHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed
and withssde_query
) - Use the trick mentioned in the end of article [1], specifically the section "Start Another Windows".
I had succes with both depending on the machines I tested on. Sometimes, you have to repeat the process multiple times. For example, on my Ryzen 5900X machine, what I did was register the ssde
driver service (details below), and then reboot to a preinstallation environment and use 2. After that reboot, and the OS boots fine and loads the driver, but HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed
was still 0x0. Reboot, try to boot, blue screen because the ssde
driver is signed with a non-Microsoft certificate. Reboot again to PE, redo 2 from above, reboot, booted fine into Windows, checked the registry, now Licensed
is indeed 0x1 and then any subsequent reboot maintains the state and loads my custom ssde
driver just fine. So, your mileage may vary, try a few times before giving up, it can really be hit or miss. Method 2 above works only if you register the driver with start=boot
, because Licensed
affects only drivers loaded by the bootloader, but apparently it is enough to have everything work and the trick function, eventually.
Both of these methods will land you on the desktop being able to load any self signed driver. Do not restart, as the policy change is not permanent and will revert to previous status. You have to install the ssde.sys
driver in the system in order for the status to be preserved on subsequent boots.
The reason the original EnableCKS.exe
boot looped is because on newer Windows versions, only the policy CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
exists anymore. CodeIntegrity-AllowConfigurablePolicy
is not available anymore and does not seem necessary to add anymore.
2.5 Persist CustomKernelSigners
Here, you have to install the driver. My command for signing it is (do this beforehand getting here, ideally):
signtool sign /fd sha256 /a /ac .\localhost-root-ca.der /f .\localhost-km.pfx /p password /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp ssde.sys
2.6 Persist CustomKernelSigners
The command I use for registering the service is:
sc create ssde binpath=%windir%\system32\drivers\ssde.sys type=kernel start=boot error=normal