I want to create a VBS enclave module, but LoadEnclaveImageW returns 557; how can I get the digital certificate?

mivv micv 0 Reputation points
2023-05-23T02:38:42.1933333+00:00

I want to create a VBS enclave module (Virtualization-based security (VBS) memory enclaves), but there is no development guide on MSDN; I only found the API here.

  1. I don't know how to configure the IMAGE_ENCLAVE_CONFIG64 data. I only found the linker option /ENCLAVE here; there is no more information, the /ENCLAVE option only works in VS2022, and MSDN has no information about /ENCLAVE.
  2. When I call LoadEnclaveImageW to load the enclave module, it returns 577. I know the module may need to be signed with a special digital certificate, but there is no document that introduces it. How can I get the digital certificate, and what type of digital certificate is it?

I need help, Thank you very much!!

Windows development | Windows API - Win32

4 answers

  1. Shawn Ye 5 Reputation points Microsoft Employee
    2023-09-12T05:16:39.9466667+00:00

    Hello, AFAIK VBS enclave will load images signed by a specific certificate which is available only to MSFT internal users.

    1 person found this answer helpful.

  2. Limitless Technology 44,766 Reputation points
    2023-05-23T11:15:35.2533333+00:00

    Hi,

    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    Regarding the error code you mentioned (557), it indicates that the LoadEnclaveImageW function encountered an error. However, without more context or code, it's difficult to determine the exact cause of the error. You may need to provide more information or consult the Microsoft documentation and developer resources for troubleshooting guidance specific to VBS enclave modules.

    In terms of the digital certificate required for signing the enclave module, Microsoft usually provides specific guidelines and requirements for the certificate. However, as there is no official documentation available for VBS enclave modules, it's challenging to provide specific instructions.

    In general, when signing code or modules, you typically need a digital certificate issued by a trusted certificate authority (CA). The type of certificate required can vary depending on the specific security requirements and configurations of VBS. Microsoft often provides guidance on the type of certificate to use for different scenarios.

    To obtain a digital certificate, you would typically follow these steps:

    1. Generate a cryptographic key pair: This involves generating a public-private key pair, where the private key remains secure and protected.
    2. Create a certificate signing request (CSR): The CSR contains your public key and other identifying information. You can generate a CSR using tools or libraries provided by your certificate authority or through programming interfaces.
    3. Submit the CSR to a certificate authority: You would need to choose a trusted certificate authority and follow their specific procedures for submitting the CSR and obtaining a digital certificate. This process often involves verifying your identity and paying any applicable fees.
    4. Receive and install the digital certificate: Once the certificate authority validates your request, they will issue a digital certificate. You would receive the certificate file and typically install it on the system or environment where you're working with VBS.

    Please note that the process described above is a general overview, and the actual steps and requirements may vary depending on the certificate authority and the specific security requirements of VBS enclave modules. It's important to refer to the official documentation or developer resources for accurate and up-to-date information on creating VBS enclave modules and obtaining the required digital certificate.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  3. mivv micv 0 Reputation points
    2023-05-23T12:28:15.7233333+00:00

    Thank you so much.

    The problem is that I can't find any documents on developing VBS enclave modules via Google search.

    MSDN only provides the API documentation for enclaves.

    https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/

    So you can't get any other documents about VBS enclaves either, even though you are at Microsoft?

    I know that SgrmEnclave_secure.dll in Windows is a VBS enclave module; it can be loaded successfully into the system.

    Its enhanced key usage:

    Protected Process Verification (1.3.6.1.4.1.311.10.3.24)

    Isolated User Mode (IUM) (1.3.6.1.4.1.311.10.3.37)

    Windows System Component Verification (1.3.6.1.4.1.311.10.3.6)

    Code Signing (1.3.6.1.5.5.7.3.3)

    So how can I get these enhanced key usages for my enclave module?
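
The following PowerShell script is an added example, not code from the thread or from Microsoft. It does two things a practitioner would want when debugging this situation: it translates a Win32 error code such as the 577 from LoadEnclaveImageW (or the 557 in the title) into its system message text, and it reads the Authenticode signature of a module and lists the EKU OIDs on the signing certificate, flagging whether the Isolated User Mode (IUM) EKU quoted above is present. The path under System32 for SgrmEnclave_secure.dll is an assumption; replace it with the module you want to inspect. It assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

# EKU OIDs quoted in the thread for SgrmEnclave_secure.dll
$KnownEkus = @{
    '1.3.6.1.4.1.311.10.3.24' = 'Protected Process Verification'
    '1.3.6.1.4.1.311.10.3.37' = 'Isolated User Mode (IUM)'
    '1.3.6.1.4.1.311.10.3.6'  = 'Windows System Component Verification'
    '1.3.6.1.5.5.7.3.3'       = 'Code Signing'
}
$IumEku = '1.3.6.1.4.1.311.10.3.37'

function Get-Win32ErrorText {
    # Resolve a Win32 error code (as returned by GetLastError) to its message text.
    param([Parameter(Mandatory)][int]$Code)
    $msg = [System.ComponentModel.Win32Exception]::new($Code).Message
    '{0} (0x{0:X}): {1}' -f $Code, $msg
}

function Get-ModuleEkuReport {
    # Read the Authenticode signature of a PE file and list the signer's EKU OIDs.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        # Unsigned, or the signature could not be parsed: nothing to report on.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Signer = $null; Ekus = @(); HasIum = $false
        }
    }

    # .NET materialises the EKU extension as X509EnhancedKeyUsageExtension.
    $ekuExt = $sig.SignerCertificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $ekus = @()
    if ($ekuExt) {
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object {
            $name = if ($KnownEkus.ContainsKey($_.Value)) { $KnownEkus[$_.Value] } else { $_.FriendlyName }
            [pscustomobject]@{ Oid = $_.Value; Name = $name }
        })
    }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        Ekus   = $ekus
        HasIum = [bool]($ekus | Where-Object { $_.Oid -eq $IumEku })
    }
}

# Usage: translate the two error codes mentioned in the thread.
Get-Win32ErrorText -Code 557
Get-Win32ErrorText -Code 577

# Usage: inspect a shipped enclave image (path is an assumption) and your own module.
$report = Get-ModuleEkuReport -Path (Join-Path $env:SystemRoot 'System32\SgrmEnclave_secure.dll')
$report | Format-List Path, Status, Signer, HasIum
$report.Ekus | Format-Table Oid, Name
```

Run the same `Get-ModuleEkuReport` against your own built enclave DLL: if `Status` is `Valid` but `HasIum` is `$false`, the signing certificate lacks the IUM EKU, which is the difference between the shipped module and a module signed with an ordinary code-signing certificate.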


  4. Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff
    2023-05-29T08:07:56.7033333+00:00

    @mivv micv , you can send feedback to Microsoft with the Feedback Hub app about the concern and before that, you can consult @Hilal Asmat for a possible response.
