
Properly install into a new system #4

Open
masoudr opened this issue May 28, 2022 · 14 comments

Comments

@masoudr

masoudr commented May 28, 2022

Hi,
I've tested the method, and it worked fine when I generated the keys directly using this guide. Then I tried to export all the related keys to a new system:

// self-signed root CA certificate
localhost-root-ca.der
localhost-root-ca.pfx

// kernel mode certificate issued by self-signed root CA
localhost-km.der
localhost-km.pfx

// UEFI Platform Key certificate issued by self-signed root CA
localhost-pk.der
localhost-pk.pfx

I imported all the above certificates into the new system. Then I ran the ssde_enable and it worked as the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed is still 1. The ssde.sys signature is trusted and valid. But when I want to start its service (sc start ssde) I get the signature failure error. I am really unsure what the cause of the problem is, but I am pretty sure that the certificate shouldn't be a problem as all the related certificates are installed in the same exact locations. Any help would be appreciated.

@valinet
Owner

valinet commented May 28, 2022

Have you placed the policy file in the EFI partition?

@masoudr
Author

masoudr commented May 28, 2022

@valinet Yes, I did. I've followed up on all the steps in the main article except for generating the keys. The real strange thing is that the ssde.sys is fully trusted, and when I check its signature, it is valid. But I can't run it as a kernel driver service.

@valinet
Owner

valinet commented May 28, 2022

Having a certificate in the certificate store is a different matter from the kernel choosing to load your driver or not, signed or not signed. Windows does not load drivers signed with just any certificate, let alone self-signed certificates.

As I said, maybe check if you have put the SiPolicy.p7x in the EFI partition at the right place and in the right EFI partition, if that is the case. The thing is kind of a hack altogether, but it works once all the pieces click together. For me, usually the tough part is getting the Licensed value in the registry to stick.

@masoudr
Author

masoudr commented May 29, 2022

I'm using VMware for testing and I have a snapshot where everything is OK. I even copied the exact SiPolicy.pb7 file to the new machine but still no luck. Every time I run the ssde_enable, I get the value 1 for Licensed. To be honest, I'm not sure what the cause of the problem is, a problem with certificates or with the CustomKernelSigners. I kinda think the problem is with the CustomKernelSigners. Currently, I'm using the following procedure:

  1. Add the signatures
  2. Copy signed SiPolicy.pb7 to EFI partition
  3. Start ssde_enable.exe and reboot
  4. Copy and Install ssde driver service with sc create ssde binpath= %windir%\system32\drivers\ssde.sys type= kernel start= boot error= normal
  5. start service manually with sc start ssde

Another weird thing is that even though the value of Licensed is 1 (by manually checking with the registry editor), with ssde_query I get the value 0. Do you think maybe this is the problem? Because in a working environment I get 1 for this app.

@agnieszkao

agnieszkao commented Jun 1, 2022

I have the same problem as @masoudr, but I have only one environment - my own Windows 10 Professional - for testing, and I'm stuck at the same point: Licensed is 1, but I cannot enable the service and I get error 577 from sc.exe start ssde.
I used this policy bin file linked from the other page, because I have neither an Enterprise nor an Education license. I've downloaded the bin file, changed the name to SiPolicy.bin (as I read that this name is the only proper one), signed it and moved it to the EFI partition. I also checked - it's really there :) The only difference for me is that I couldn't use e.g. the %windir% variable in binpath - when I used it and tried to start the service there was an error 3 (The system cannot find the path specified) - so now I use the absolute path instead and I get this 577 error.

Actually there is also a second difference, because when I use the command signtool I have to add /td sha256, because there is an error telling me that /td option is also obligatory.

Btw. for me this ssde_query.exe and ssde_info.exe don't work - what is the result of them that I should expect?

Btw. 2 - @masoudr you wrote that

The real strange thing is that the ssde.sys is fully trusted, and when I check its signature, it is valid

how did you check that?

@masoudr
Author

masoudr commented Jun 2, 2022

how did you check that?

I just checked the file properties, and in the signature list tab, it should say, "The digital signature is OK."

@agnieszkao

agnieszkao commented Jun 2, 2022

how did you check that?

I just checked the file properties, and in the signature list tab, it should say, "The digital signature is OK."

Thanks, so I have the same. No idea why it doesn't work :(

@agnieszkao

Well, @masoudr I know what I've missed. I didn't set PK in UEFI firmware. Now I tried to do it and replace PK from localhost-pk.der file, but I got an error "Error replacing key. Please make sure that the new key is properly formatted with signature list and serialization headers". Maybe you have the same problem as before you used VM like in the example?

@masoudr
Author

masoudr commented Jun 4, 2022

@agnieszkao, I'm not sure what you missed. But I didn't miss anything. It seems that it is a problem with my OS or something that I don't know. Anyway, I tried it on other systems, and it worked just fine.

@agnieszkao

@agnieszkao, I'm not sure what you missed. But I didn't miss anything. It seems that it is a problem with my OS or something that I don't know. Anyway, I tried it on other systems, and it worked just fine.

Can you tell me how you set the PK on your computer? I tried to set it with Set-SecureBootUEFI -Name PK but I got the error "Incorrect authentication data", so I'm stuck at this point.

@masoudr
Author

masoudr commented Jun 4, 2022

@agnieszkao I've used the VM and used the mentioned method.

@RibShark

RibShark commented Aug 8, 2022

Getting the same issue here. Licensed is 1, ssde_query.exe returns 1, selfsign.p7b is signed and is in /EFI/Microsoft/Boot. ssde.sys signature has an error "A certificate's basic constraint extension has not been observed." and the service cannot load.

EDIT: Renaming the p7b file to SiPolicy.p7b fixed the issue, the signature still has an error but the service is loading on boot.

@masoudr
Author

masoudr commented Aug 8, 2022

@RibShark For the VM, I fixed the issue by deleting all pre-existing keys, and it kind of works. On the other hand, I am still unable to use it on a real machine, where I can't just simply delete the old keys.

@soleera

soleera commented Feb 5, 2024

Just a heads up for anyone struggling with this; double check that SiPolicy.p7b and ssde.sys were actually signed with the Localhost UEFI Platform Key Certificate and the Localhost Kernel Mode Driver Certificate respectively, and NOT the Localhost Root Certification Authority. When I first exported the private keys from certlm.msc I had left "Include all certificates in the certification path if possible" checked, which meant the root CA got pulled in, and signtool.exe /a was auto-selecting THAT cert, and not the one I actually wanted to use!

I also had to change start=boot back to start=auto as in HyperSine's guide, as start=boot is only valid for device drivers, so the service was being stopped automatically as there was no device associated with ssde.sys.

I also noticed sc seemed to be very finicky about the value of binpath; I had to use binpath=%SystemRoot%\System32\drivers\ssde.sys for the service to work (i.e. NOT binpath=%WinDir%\System32\drivers\ssde.sys or binpath=C:\Windows\System32\drivers\ssde.sys).

So TLDR:

  • Uncheck "Include all certificates in the certification path if possible" when exporting private keys from certlm.msc
  • Don't use the /a flag with signtool.exe
  • Register the service with sc create ssde binpath=%SystemRoot%\System32\drivers\ssde.sys type=kernel start=auto error=normal

OS: Windows 11 Version 23H2 Build 22631.3085
HW: RoG Zephyrus G14 (GA401QC) w/ AMD Ryzen 7 5800HS CPU
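One way to check the things this thread keeps circling back to (which certificate actually signed ssde.sys and SiPolicy.p7b, whether the Licensed value stuck, and how the service is registered) from an elevated PowerShell. This is an added example, not part of the thread or the ssde project; the certificate common names, the EFI path \EFI\Microsoft\Boot\SiPolicy.p7b and the temporary S: drive letter are assumptions taken from the comments above.

```powershell
# Added check script (not from the ssde project). Assumes the certificate CNs from
# the thread, SiPolicy.p7b under \EFI\Microsoft\Boot, and that S: is a free drive letter.
Add-Type -AssemblyName System.Security   # SignedCms on Windows PowerShell 5.1

$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\ssde.sys'
$ExpectedKmCn = 'Localhost Kernel Mode Driver Certificate'      # assumed name
$ExpectedPkCn = 'Localhost UEFI Platform Key Certificate'       # assumed name

# 1. Which certificate signed ssde.sys? "signtool /a" may have picked the root CA.
#    Note: Status here is user-mode chain trust, not what the kernel's CI will accept.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"ssde.sys signer : $($sig.SignerCertificate.Subject) (status: $($sig.Status))"
if ($sig.SignerCertificate.Subject -notlike "*CN=$ExpectedKmCn*") {
    Write-Warning 'ssde.sys is NOT signed with the kernel-mode driver certificate'
}

# 2. Which certificate signed the policy? Mount the EFI system partition on S:
#    and decode the PKCS#7 blob (assumption: the .p7b is a plain SignedCms message).
mountvol S: /S | Out-Null
$PolicyPath = 'S:\EFI\Microsoft\Boot\SiPolicy.p7b'
if (Test-Path $PolicyPath) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([IO.File]::ReadAllBytes($PolicyPath))
    $pkSigner = $cms.SignerInfos[0].Certificate.Subject
    "SiPolicy.p7b signer : $pkSigner"
    if ($pkSigner -notlike "*CN=$ExpectedPkCn*") {
        Write-Warning 'SiPolicy.p7b is NOT signed with the UEFI Platform Key certificate'
    }
} else {
    Write-Warning "SiPolicy.p7b not found on the EFI partition ($PolicyPath)"
}
mountvol S: /D | Out-Null

# 3. Did the Licensed value stick? (CurrentControlSet is the live control set.)
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Protected' `
        -Name Licensed -ErrorAction SilentlyContinue
"Licensed = $($ci.Licensed)"

# 4. Service registration: start=auto and a %SystemRoot% binpath worked in the thread.
$qc = (sc.exe qc ssde) -join "`n"
($qc -split "`n") | Where-Object { $_ -match 'START_TYPE|BINARY_PATH_NAME' }
if ($qc -notmatch 'AUTO_START') {
    Write-Warning 'ssde service is not registered with start= auto'
}
```

Run it once before and once after re-signing with the intended certificates; the first two checks reproduce the mistake soleera describes, where the root CA rather than the KM or PK certificate ends up as the signer.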
