What is the process to get our Device UEFI driver signed?

  • Question

  • Hi,

    We have our device driver for UEFI environment. But that needs to be signed by MS using WHCK. I know there is Secure Boot Logo manual Test kit for this. But, this I think does not test our device rather it tests the BIOS Secure Boot implementation. Our Device needs to have Signed UEFI drivers. Please suggest what to do.



    Wednesday, December 5, 2012 10:48 AM

All replies

  • When you log in to, there is a "Create UEFI Submission" link on the main Dashboard page. Please let me know if that doesn't provide the info you need.



    Saturday, December 8, 2012 1:21 AM
  • Hi Jake,

    We saw this, but the steps provided just say that we have to run UEFI manual Logo tests. But to me it does not test our device in particular. To explain in more detail, it is as below:

    Ours is a Fingerprint Device. We have our EFI Driver loader integrated into BIOS. Now when we boot, we get a Preboot Authentication Screen. In this place, the user can authenticate himself by either entering his Password or by giving his enrolled Fingerprint.

    So to make the Device available in Preboot environment, we have our FP driver loader for EFI environment integrated into the system BIOS and this Loader loads the driver from Device Flash memory to the EFI environment.

    Now the question is how can we get the Microsoft Signing for our UEFI Driver for our Fingerprint Reader device?



    Tuesday, December 11, 2012 7:27 AM
  • BTW: as I stated above our EFI driver stays in the device Flash. This driver we want to do WHCK signing for UEFI. How can we do that?



    Tuesday, December 11, 2012 8:34 AM
  • Hi Babu,

    Prior to using Sysdev to sign a UEFI driver or app, you should test sign your driver and verify it using the following process.  This helps you determine up front if your EFI driver/app is signable and if it works after being signed. 

    To test sign and verify a UEFI module, follow the steps below. Do not submit test-signed UEFI modules to Sysdev; submitted modules should be unsigned or else they will fail.

      • Procure a UEFI Secure Boot capable target system.
      • In the BIOS configuration, enable Secure Boot "Custom Mode" and clear the Secure Boot keys and certificates. Note that some Secure Boot systems ignore authentication of certain image paths such as Option ROMs; this should be re-enabled if this is what you are testing.
      • Install the Windows Hardware Certification Kit for Windows 8 on a Server 2008R2 system and uncompress "C:\Program Files (x86)\Windows Kits\8.0\Hardware Certification Kit\Tests\amd64\secureboot\" to a USB drive.
      • On the target system, boot to Windows 8, launch PowerShell as Administrator, and execute "Set-ExecutionPolicy Bypass -force".
      • Next execute "ManualTests\tests\00-EnableSecureBoot\EnableSecureBoot.ps1" followed by "ManualTests\tests\01-AllowNewCertificate\append_LostCA_db.ps1" and reboot the system. This enables Secure Boot with the "Lost" certificate chain in the allow "db" database.
      • Follow the example at "ManualTests\generate\TestCerts\Lost\signApps.bat" to learn how to sign EFI modules using the Lost certificate chain:
        signtool sign /fd sha256 /a /f "ManualTests\generate\TestCerts\Lost\Lost.pfx" <module.efi>
          1. You may need to import the Lost*.cer files into your Certificate Store: open Explorer at ManualTests\generate\TestCerts\Lost\, right-click on each .cer file and select "Install".
          2. You will need to set your system clock back to 1/1/2012 to sign using the Lost certificate.
          3. If the system used for signing is running Windows Vista or an older Windows OS, then you will need to execute signtool.exe from the SDK directory where it is installed. It depends on manifests and DLLs in that SDK directory for the "/fd" option to function properly.
      • Test the test-signed application or driver. Install the test-signed driver either into your Option ROM or via DRIVER#### and it should load and execute properly on the next reboot (similar to the test applications inside the Manual Test package).

    After this is working, you should be ready to submit to SysDev.  The instructions are here:

    I hope that helps!

    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

    • Proposed as answer by JJ Cox Wednesday, January 2, 2013 11:24 PM
    Wednesday, January 2, 2013 11:23 PM
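A pre-submission check for the rule in the reply above that modules sent to Sysdev must be unsigned, added here as an example and not code from this thread or from Microsoft's kit: it parses the PE/COFF headers of an .efi file and reports whether an Authenticode certificate table (what signtool attaches) is present. The headers-only PE32+ builder and the fake PKCS#7 blob are constructed stand-ins so the script runs offline; point certificate_table() at real file bytes to check an actual module.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Certificate Table data directory (Authenticode)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # PKCS#7 SignedData, the type signtool writes


def certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table; (0, 0) means no signature attached."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                               # skip "PE\0\0" and the COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dirs_off = {PE32PLUS_MAGIC: opt_off + 112, PE32_MAGIC: opt_off + 96}.get(magic)
    if dirs_off is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Unlike the other data directories, this entry's "RVA" is a raw file offset.
    return struct.unpack_from("<II", image, dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def is_authenticode_signed(image: bytes) -> bool:
    """True when a WIN_CERTIFICATE carrying PKCS#7 SignedData is attached to the image."""
    off, size = certificate_table(image)
    if off == 0 or size == 0:
        return False
    if off + 8 > len(image):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", image, off)
    return revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def win_certificate(signed_data: bytes) -> bytes:
    """Wrap a (constructed) PKCS#7 blob in a WIN_CERTIFICATE header, body padded to 8 bytes."""
    body = signed_data + b"\0" * (-len(signed_data) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_minimal_pe32plus(cert: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ image standing in for a real .efi driver (no sections)."""
    hdr_len = 64 + 4 + 20 + 240                             # DOS header, "PE\0\0", COFF header, PE32+ optional header
    buf = bytearray(hdr_len)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                   # e_lfanew: PE signature right after the DOS header
    buf[64:68] = b"PE\0\0"
    struct.pack_into("<HH", buf, 68, 0x8664, 0)             # Machine = x64, NumberOfSections = 0
    struct.pack_into("<H", buf, 88, PE32PLUS_MAGIC)
    struct.pack_into("<H", buf, 88 + 68, 11)                # Subsystem = EFI_BOOT_SERVICE_DRIVER
    struct.pack_into("<I", buf, 88 + 108, 16)               # NumberOfRvaAndSizes
    if cert:                                                # cert table is appended after the headers
        struct.pack_into("<II", buf, 88 + 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, hdr_len, len(cert))
    return bytes(buf) + cert
```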
  • Hi,

    Can you suggest any UEFI Secure Boot capable target system?


    Wednesday, May 8, 2013 9:24 AM