Is it possible to load a self-signed driver on Windows 10 without Test Mode?
I am referring to the latest x64 build of Windows 10 Pro version 1809. The machine in question can have Secure Boot either enabled or disabled, and is capable of custom secure boot keys.
The driver in question must be loaded at boot, and is one I have written for my personal use on my daily-driver laptop, hence I am hesitant to use Test Mode for security reasons, or to go through the hassle and cost of a paid certificate.
Is there some sort of facility to load a driver signed by my own key, where said key can be manually trusted in Windows and in Secure Boot, without blanket-allowing all drivers (i.e. Test Mode)?
There is an article that suggests this is possible - https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm - however there is a tidbit at the bottom that, for me, invalidates the approach:
This happy circumstance of your having your own driver executing despite its having your own signature will persist through sleeps and hibernations until you next restart Windows.
Has anyone been successful in persistently loading a self-signed driver using this or a similar approach?
In the link you gave, Geoff Chappell said that your self-signed driver will be able to load until you next restart Windows. However, this limitation happens because the key flag, a registry value called Licensed in HKEY_LOCAL_MACHINE\System\ControlSet001\Control\CI\Protected, will be reset after you restart Windows.
If you want to keep your self-signed driver loaded after you reboot, you must keep the registry value Licensed set after you reboot. And that could only be done by enabling CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners, which is a product policy of Windows.
This repo provides a way to enable CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners, so that the key flag can be persisted and therefore your self-signed driver can be loaded persistently.
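A read-only check for the two pieces of state the answer describes (the Licensed flag under CI\Protected, and the CustomKernelSigners product policy), written as an added PowerShell example that is not from the question, the answer or the linked repo; the ProductPolicy blob layout it parses and the use of CurrentControlSet in place of ControlSet001 are assumptions.

```powershell
# Added example: report whether custom kernel signers are honoured now and whether
# that will survive a reboot. Read-only; run elevated to read the CI\Protected key.
# Assumption: ProductPolicy is a 20-byte header (TotalSize, DataSize, EndMarkerSize,
# Reserved, Version) followed by entries of the form
#   UInt16 TotalSize, UInt16 NameSize, UInt16 DataType, UInt16 DataSize,
#   UInt32 Flags, UInt32 Reserved, WCHAR Name[NameSize/2], BYTE Data[DataSize]
function Get-ProductPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $blob = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductPolicy
    $dataSize = [BitConverter]::ToUInt32($blob, 4)
    $offset = 0x14
    $end = 0x14 + $dataSize
    while ($offset -lt $end) {
        $entrySize = [BitConverter]::ToUInt16($blob, $offset)
        $nameSize  = [BitConverter]::ToUInt16($blob, $offset + 2)
        $dataType  = [BitConverter]::ToUInt16($blob, $offset + 4)   # REG_* type code
        $valueSize = [BitConverter]::ToUInt16($blob, $offset + 6)
        if ($entrySize -eq 0) { break }                              # malformed blob guard
        $entryName = [Text.Encoding]::Unicode.GetString($blob, $offset + 16, $nameSize)
        if ($entryName -eq $Name) {
            $dataStart = $offset + 16 + $nameSize
            if ($dataType -eq 4 -and $valueSize -ge 4) {             # REG_DWORD
                return [BitConverter]::ToUInt32($blob, $dataStart)
            }
            if ($valueSize -eq 0) { return [byte[]]@() }
            return [byte[]]$blob[$dataStart..($dataStart + $valueSize - 1)]
        }
        $offset += $entrySize
    }
    return $null
}

function Get-CustomKernelSignerState {
    $policyName = 'CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners'
    $protected = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Protected' -ErrorAction SilentlyContinue
    $licensed = if ($protected -and $null -ne $protected.Licensed) { [int]$protected.Licensed } else { 0 }
    $policy = Get-ProductPolicyValue -Name $policyName
    $policyOn = ($policy -is [uint32]) -and ($policy -eq 1)
    [pscustomobject]@{
        LicensedFlagSet      = ($licensed -eq 1)   # custom signers honoured until next reboot
        PolicyEnabled        = $policyOn           # product policy that keeps the flag set
        PersistsAcrossReboot = $policyOn -and ($licensed -eq 1)
    }
}

Get-CustomKernelSignerState | Format-List
```

On an unmodified machine both fields should be False; a True PolicyEnabled on a system you did not configure this way is worth investigating, since it means drivers signed by keys outside the normal trust chain will keep loading after every reboot.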