I have a Dell Precision 690 workstation:
It uses an add-on board to allow SLI video cards in specific mother-ship-approved-only-configurations – in this case only with nVidia Quadro video cards since the Dell Precision 690 was a workstation-class computer.
However, I found myself gaming a lot more and I wanted to experiment with SLI video cards with consumer-grade GeForce cards. This turns out to be very difficult because of several factors – most notably that even though SLI is certainly possible (with very expensive Quadro video cards), it’s been disabled in software.
Some searching of the internet revealed a project that patches the nVidia driver to allow SLI on unsupported motherboards and in unsupported configurations – https://github.com/EmberVulpix/DifferentSLIAuto
However, after going through the installer batch file, it looks like it creates a self-signed certificate, puts Windows into a configuration to allow the self-signed certificate, and then installed the patched driver file.
Beyond the security implications of allowing untrusted and self-signed driver packages to be installed, it also puts Windows into a mode where your background is modified with an obnoxious TEST MODE banner:
Sorry. Nope, not having any of that.
Before we start, note the list of required materials:
- An OpenSSL installation (to generate CSRs (Certificate Signing Requests)) and compile your PFX (Personal File Exchange) file.
- A code-signing certificate from a CA (Certificate Authority) that Microsoft recognizes – more on this below
- The Microsoft Windows SDK package installed on your computer (for signtool.exe – to digitally sign files)
- DifferentSLI patcher package located on Github
First order of business is to get a code-signing certificate from any of the CAs (Certificate Authorities) that Microsoft recognizes:
- AddTrust External CA Root
- Certum Trusted Network CA
- DigiCert Assured ID Root CA
- DigiCert Global Root CA
- DigiCert High Assurance EV Root CA
- Entrust.net Certification Authority (2048)
- GeoTrust Primary Certification Authority
- GeoTrust Primary Certification Authority – G3
- GlobalSign Root CA
- GoDaddy Class 2 Certification Authority
- Go Daddy Root Certificate Authority – G2
- NetLock Arany (Class Gold)
- NetLock Platina (Class Platinum)
- Security Communication RootCA1
- Starfield Class 2 Certification Authority
- Starfield Root Certificate Authority – G2
- StartCom Certification Authority
- TC TrustCenter Class 2 CA II
- Thawte Primary Root CA
- Thawte Primary Root CA – G3
- VeriSign Class 3 Public Primary Certification Authority – G5
- VeriSign Universal Root Certification Authority
Of all these, you’ll probably recognize Verisign and Thawte as the “good old guys” from the certificate industry, but now that this technology has been around for so long there are many more to choose from.
I already had a StartCom certificate which I use to secure services on a few of my other servers, and their certificates are CHEAP. Regular plain Jane class-1 certificates are free (yes, FREE) and class 2 certificates (which require identity validation) only cost a one-time $60 validation fee. What’s important here is that you’ll need to obtain a class-2 or higher level of verification before StartCom will issue you a code-signing certificate.
Once you get your identity verified and pay the verification fee, you will need to generate a code-signing certificate. I used a Linux server with OpenSSL to generate my CSR (Certificate Signing Request) and private key:
openssl req -new -newkey rsa:4096 -keyout mykey.pem -out myreq.pem
OpenSSL will ask you a bunch of questions, but in my case none of the responses mattered except for the password for the private key because my CA will replace all the information with what they have on file for me as part of the identity verification. Just make sure to set a secure password for the private key that you can remember or put in your password manager.
At this point you will have your private key (mykey.pem) and your CSR (myreq.pem). Copy them to where you have DifferentSLI extracted to. They are just regular old text files, so now open up the CSR (myreq.pem) with notepad and copy the contents into your clipboard.
Go back to your CA and generate a new Code Signing Certificate. They will ask you to put in your CSR – paste in the CSR (myreq.pem) that you generated with OpenSSL After a little bit of churning, your CA will return with another block of text, which is your Code Signing Certificate. Save this certificate as “mycert.pem” along with your private key (mykey.pem) and CSR (myreq.pem).
After you have your certificate (mycert.pem), you need to generate the PKCS#12 certificate that Microsoft’s Signtool recognizes:
openssl pkcs12 -export -out mycert.pfx -inkey mykey.pem -in mycert.pem
Depending on which CA you used, you’ll need to download the corresponding intermediate chain certificate from Microsoft here. Save this file in the same location as your certificate file (mycert.pem). You can rename it to mychain.crt to simplify the next step.
Now, we need to locate the original nvlddmkm.sys driver file on your computer. On my Windows 7 64-bit Ultimate installation, it was here:
Copy that file to where you have DifferentSLI extracted to and run the patcher.
The patcher will patch back up the original driver file, and then patch it. Once we have the patched nvlddmkm.sys file – we need to sign it so Windows will load it. Without a digital signature, Windows will only load the driver if you enable self-signed certificates and enable Test Mode. However, we we saw before, this places an annoying banner on the desktop and also is generally an insecure setting because now anyone can load kernel modules with a self-signed certificate which could lead to root kits and other nasty software that you don’t want.
Open up a Command Prompt window where you extracted DifferentSLI – I found the quickest way to do this is to go up one directory, then right-click the folder where DifferentSLI is installed while holding the SHIFT key. In the menu that pops up, select “Open command window here”
At this point, you should have your PFX certificate (mycert.pfx), your Microsoft chain-certification (mychain.crt), and your nVidia driver file (nvlddmkm.sys) in the same directory as where DifferentSLI was extracted.
In your command prompt window, run the following command to digitally sign the modified nVidia driver file:
tools\signtool.exe sign /f mycert.pfx /tr "<URL to your Certificate Authority's Time Stamp Server>" /ac mychain.pem /v nvlddmkm.sys
Here’s what the expected output should look like, and you can see at the top where Microsoft’s chain certificate was linked in the certificate chain:
If you compare the original nvlddmkm.sys file to the modified file, you can see the original file is signed by nVidia and the new one is signed with my certificate:
Copy the new modified nvlddmkm.sys to C:\Windows\System32\drivers\ – overwriting your original file, click through the UAC prompt, and reboot your computer. When your computer comes back up, check your nVidia display settings, and you should see SLI options are now displayed!