Minifilter File Encryption | Minifilter source code | Transparent File Encryption | APIHook File Encryption | On-the-fly File Encryption

Professional Development Tookit About
Transparent File Encryption
Runtime Application Self Protection

Windows

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

Secure boot

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware. When you add UEFI drivers, you'll also need to make sure these are signed and included in the Secure Boot database.

Secure boot requirements

In order to support Secure boot, you must provide the following.

Hardware requirement Details
UEFI Version 2.3.1 Errata C variables Variables must be set to SecureBoot=1 and SetupMode=0 with a signature database (EFI_IMAGE_SECURITY_DATABASE) necessary to boot the machine securely pre-provisioned, and including a PK that is set in a valid KEK database. For more information, search for the System.Fundamentals.Firmware.UEFISecureBoot system requirements in PDF download of the Windows Hardware Compatibility Program Specifications and Policies.
UEFI v2.3.1 Section 27 The platform must expose an interface that adheres to the profile of UEFI v2.3.1 Section 27.
UEFI signature database The platform must come provisioned with the correct keys in the UEFI Signature database (db) to allow Windows to boot. It must also support secure authenticated updates to the databases. Storage of secure variables must be isolated from the running operating system such that they cannot be modified without detection.
Firmware signing All firmware components must be signed using at least RSA-2048 with SHA-256.
Boot manager When power is turned on, the system must start executing code in the firmware and use public key cryptography as per algorithm policy to verify the signatures of all images in the boot sequence, up to and including the Windows Boot Manager.
Rollback protection The system must protect against rollback of firmware to older versions.
EFI_HASH_PROTOCOL The platform provides the EFI_HASH_PROTOCOL (per UEFI v2.3.1) for offloading cryptographic hash operations and the EFI_RNG_PROTOCOL (Microsoft defined) for accessing platform entropy.

Signature Databases and Keys

Before the PC is deployed, you as the OEM store the Secure Boot databases on the PC. This includes the signature database (db), revoked signatures database (dbx), and Key Enrollment Key database (KEK). These databases are stored on the firmware nonvolatile RAM (NV-RAM) at manufacturing time.

The signature database (db) and the revoked signatures database (dbx) list the signers or image hashes of UEFI applications, operating system loaders (such as the Microsoft Operating System Loader, or Boot Manager), and UEFI drivers that can be loaded on the device. The revoked list contains items that are no longer trusted and may not be loaded. If an image hash is in both databases, the revoked signatures database (dbx) takes precedent.

The Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. Microsoft requires a specified key to be included in the KEK database so that in the future Microsoft can add new operating systems to the signature database or add known bad images to the revoked signatures database.

After these databases have been added, and after final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.

You should contact your firmware manufacturer for tools and assistance in creating these databases.

Boot sequence

  1. After the PC is turned on, the signature databases are each checked against the platform key.

  2. If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.

  3. If there is a problem with Windows Boot Manager, the firmware will attempt to boot a backup copy of Windows Boot Manager. If this also fails, the firmware must initiate OEM-specific remediation.

  4. After Windows Boot Manager has started running, if there is a problem with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.

  5. Windows loads antimalware software.

  6. Windows loads other kernel drivers and initializes the user mode processes.

On X64 based Windows operation system, unless a kernel mode driver is signed by a commercial digital certificate, windows will not load this driver module. Etefsm.sys is not signed by this type of certificate. You should change the operation system to testing mode to make windows kernel load etefsm.sys. This article shows how to enable debugging mode for windows.

Open a CMD console window, then input the following command line:

bcdedit  /set  testsigning  on 

 

 

If this command executes successfully, you must reboot Windows. 

Drivers should be test-signed with a digital signature during development and test for the following reasons:

  • To facilitate and automate installation. 

    If a driver is not signed, the Plug and Play (PnP) driver installation policy of Windows Vista and later versions of Windows require that a system administrator manually authorize the installation of an unsigned driver, adding an extra step to the installation process. This extra step can adversely affect the productivity of developers and testers. This requirement cannot be overridden.

  • To be able to load kernel-mode drivers on 64-bit versions of Windows Vista and later versions of Windows.

    By default, the kernel-mode code signing policy for 64-bit versions of Windows Vista and later versions of Windows require that a kernel-mode driver be signed in order for the driver to be loaded. This requirement can be temporarily overridden to facilitate the development or debugging of a driver.

  • To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy. For information about PMP signing policy, see the white paper Code-signing for Protected Media Components in Windows Vista.

For these reasons, drivers for Windows Vista and later versions of Windows should be test-signed with a digital certificate that is created by using Microsoft Authenticode. Such a digital certificate is referred to as a test certificate and a signature generated with a test certificate is referred to as a test signature.

Note Windows Vista and later versions of Windows support test-signed drivers only for development and testing purposes. Test signatures must not be used for production purposes or released to customers.

A development and test team can participate in the WHQL Test Signature program, where the Windows Hardware Quality Labs (WHQL) will sign PnP driver packages for testing purposes. Alternatively, a development and test team can manage their own in-house signing process and use the following types of test certificates to test-sign drivers:

For information about how a test team signs a driver package after the team creates, obtains, or is provided a test certificate, see Test-Signing Driver Packages.

For information about how to install driver packages that are test-signed, see Installing Test-Signed Driver Packages.

To facilitate early driver development and debugging, you can temporarily disable the kernel-mode code signing requirement to load and test an unsigned kernel-mode driver. However, you cannot disable the PnP driver installation policy that requires a system administrator to authorize the installation of an unsigned driver. For more information about how to install an unsigned driver, see Installing an Unsigned Driver during Development and Test.

For information about the most appropriate tools to use to test-sign driver packages, see Tools for Signing Drivers.

Note To get a better understanding of the steps that are involved in test-signing driver packages, see How to Test-Sign a Driver Package. This topic provides a summary of the test-signing process, and steps through many examples of test-signing by using the ToastPkg sample driver package within the Windows Driver Kit (WDK).

 

1 Introduction  

In computer programming, the term hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook.

Hooking is used for many purposes, including debugging and extending functionality. Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component. It is also widely used in benchmarking programs, for example frame rate measuring in 3D games, where the output and input is done through hooking.

Hooking can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. A wallhack is another example of useful functionality that can stem from hooking techniques. It is done by intercepting function calls in a computer game and altering what is shown to the player to allow them to gain an unfair advantage over other players.

2 Methods

Typically hooks are inserted while software is already running, but hooking is a tactic that can also be employed prior to the application being started. Both these techniques are described in greater detail below.

  • Physical modification

By physically modifying an executable or library before an application is running, through techniques of reverse engineering, you can also achieve hooking. This is typically used to intercept function calls to either monitor or replace them entirely.

For example, by using a disassembler, the entry point of a function within a module can be found. It can then be altered to instead dynamically load some other library module and then have it execute desired methods within that loaded library. If applicable, another related approach by which hooking can be achieved is by altering the import table of an executable. This table can be modified to load any additional library modules as well as changing what external code is invoked when a function is called by the application.

An alternative method for achieving function hooking is by intercepting function calls through a wrapper library. When creating a wrapper, you make your own version of a library that an application loads, with all the same functionality of the original library that it will replace. That is, all the functions that are accessible are essentially the same between the original and the replacement. This wrapper library can be designed to call any of the functionality from the original library, or replace it with an entirely new set of logic.

  • Runtime modification

Operating systems and software may provide the means to easily insert event hooks at runtime. It is available provided that the process inserting the hook is granted enough permission to do so. Microsoft Windows for example, allows you to insert hooks that can be used to process or modify system events and application events for dialogs, scrollbars, and menus as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. Linux provides another example where hooks can be used in a similar manner to process network events within the kernel through NetFilter.

When such functionality is not provided, a special form of hooking employs intercepting the library function calls made by a process. Function hooking is implemented by changing the very first few code instructions of the target function to jump to an injected code. Alternatively on systems using the shared library concept, the interrupt vector table or the import descriptor table can be modified in memory. Essentially these tactics employ the same ideas as those of physical modification, but instead altering instructions and structures located in the memory of a process once it is already running.

Disabling Secure Boot 

You may need to disable Secure Boot to run some PC graphics cards, hardware, or operating systems such as Linux or previous version of Windows.

Secure Boot helps to make sure that your PC boots using only firmware that is trusted by the manufacturer. You can disable Secure Boot through the PC’s firmware (BIOS) menus, but the way you disable it varies by PC manufacturer. If you are having trouble disabling Secure Boot after following the steps below, contact your manufacturer for help.

For logo-certified Windows RT 8.1 and Windows RT PCs, Secure Boot is required to be configured so that it cannot be disabled.

Warning  

  • After disabling Secure Boot and installing other software and hardware, it may be difficult to re-activate Secure Boot without restoring your PC to the factory state.

  • Be careful when changing BIOS settings. The BIOS menu is designed for advanced users, and it's possible to change a setting that could prevent your PC from starting correctly. Be sure to follow the manufacturer's instructions exactly.

Disable Secure Boot

  1. Before disabling Secure Boot, consider whether it is necessary. From time to time, your manufacturer may update the list of trusted hardware, drivers, and operating systems for your PC. To check for updates, go to Windows Update, or check your manufacturer's website.

  2. Open the PC BIOS menu. You can often access this menu by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc.

    Or, from Windows, hold the Shift key while selecting Restart. Go to Troubleshoot > Advanced Options: UEFI Firmware Settings.

  3. Find the Secure Boot setting, and if possible, set it to Disabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.

  4. Save changes and exit. The PC reboots.

  5. Install the graphics card, hardware, or operating system that’s not compatible with Secure Boot.

    In some cases, you may need to change other settings in the firmware, such as enabling a Compatibility Support Module (CSM) to support legacy BIOS operating systems. To use a CSM, you may also need to reformat the hard drive using the Master Boot Record (MBR) format, and then reinstall Windows. For more info, see Windows Setup: Installing using the MBR or GPT partition style.

  6. If you’re using Windows 8.1, you may see a watermark on the desktop alerting you that Secure Boot is not configured correctly. Get this update to remove the Secure Boot desktop watermark.

Re-enable Secure Boot

  1. Uninstall any graphics cards, hardware, or operating systems that aren’t compatible with Secure Boot.

  2. Open the PC BIOS menu. You can often access this menu by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc.

    Or, from Windows: go to Settings charm > Change PC settings > Update and Recovery > Recovery > Advanced Startup: Restart now. When the PC reboots, go to Troubleshoot > Advanced Options: UEFI Firmware Settings.

  3. Find the Secure Boot setting, and if possible, set it to Enabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.

    On some PCs, select Custom, and then load the Secure Boot keys that are built into the PC.

    If the PC does not allow you to enable Secure Boot, try resetting the BIOS back to the factory settings.

  4. Save changes and exit. The PC reboots.

  5. If the PC is not able to boot after enabling Secure Boot, go back into the BIOS menus, disable Secure Boot, and try to boot the PC again.

  6. In some cases, you may need to refresh or Remove everything to its original state before you can turn on Secure Boot. For more info, see How to restore, refresh, or Remove everything.

  7. If the above steps don’t work, and you still want to use the Secure Boot feature, contact your manufacturer for help.

    For additional troubleshooting steps for PC manufacturers: see Secure Boot isn't configured correctly: Determine if the PC is in a manufacturing mode (info for manufacturers).

Please publish modules in offcanvas position.