Change in signing policy for 64-bit drivers for Vista and Longhorn
Posted by Don Burn on January 23rd, 2006


If you are not aware of it, Microsoft announced a change in its policy on
drivers for Vista last week. See the paper at
http://www.microsoft.com/whdc/system...kmsigning.mspx The
change here is that prior to this, while drivers needed to be signed, an
administrator could sign a driver for a computer or a domain.

Many people in the driver development community are disturbed by this change
since it makes it harder for a small firm to ship and support drivers. In
particular, a lot of the freeware tools that have a kernel component will
probably never make it to Vista 64-bit. Also, I know of small firms that
are reconsidering their product plans for Vista. For those who want to see
the discussion in the driver development community, go to
http://www.osronline.com and sign up for the NTDEV newsgroup, then look for
"X64 Windows Vista to require signed drivers"

At the end of the paper is the feedback email address for this stuff. If
enough of us make rational comments to that address, Microsoft may realize
there is a problem.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Posted by Mark Roddy on January 23rd, 2006


On Mon, 23 Jan 2006 16:38:15 -0500, "Don Burn" <burn@stopspam.acm.org>
wrote:

I want to thank Don for bringing this to the attention of the
development community, and I urge all of you to read the paper and
understand its implications for how you and your organization do
business.


=====================
Mark Roddy DDK MVP
Windows Vista/2003/XP/2000 Consulting
Device and Filesystem Drivers
Hollis Technology Solutions 603-321-1032
www.hollistech.com

Posted by 440gtx@email.com on January 24th, 2006


So what happens in cases where Microsoft does not have a signing process, such
as many types of drivers that are not tied to any particular hardware?
Will it be impossible to run such products? Is the only workaround going
to be to tell users to install 32-bit Vista?

Posted by Maxim S. Shatskih on January 24th, 2006


What is required for load is a PIC, not a WHQL signature.

A PIC is obtained without submitting your driver to MS for testing. A PIC is
issued by MS on the basis of _the Verisign certificate_ only, not your binaries.

After you have a PIC, you can sign drivers with it without submitting them
to MS.

The only question is about the boot-loaded filter drivers (we have lots of them
in, say, AV and security products) which do not belong to PnP at all and thus
to specified device class GUIDs. Such drivers will have some hardships.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Posted by 440gtx@email.com on January 24th, 2006


We have a SATA controller filter driver that must be loaded very early
(System Bus Extender). Can someone elaborate if and how this can be
accommodated in Vista x64?


Posted by Stephan Wolf [MVP] on January 24th, 2006


Mark Roddy wrote:
Couldn't agree more.

I guess we will see major changes wrt system security in the near
future. This is also due to new technical features like support for
virtualization in hardware (Intel Vanderpool "VT" and AMD Pacifica),
which in theory allow to run drivers in separate "partitions" of the
system. So if a driver crashes, only the partition will fail but the
rest of the system will stay alive. I hope that upcoming versions of
x86 operating systems will make use of this new feature in one or
another way.

Stephan
MVP - Windows DDK


Posted by Philip Doragh on January 24th, 2006


<440gtx@email.com> wrote in message
news:1138096152.969477.28700@o13g2000cwo.googlegroups.com...
According to the document, boot drivers must embed the PIC as part of the
driver module. The process to embed and test the embedded signature is documented
starting on page 11 of the document.

Phil



Posted by Pavel A. on January 25th, 2006


"Stephan Wolf [MVP]" <stewo68@hotmail.com> wrote in message news:1138100303.488842.54390@g44g2000cwa.googlegroups.com...
There was a saying, "You can have security or freedom, but not both" ?

--PA



Posted by Tierrie on January 25th, 2006


"Those who would give up Essential Liberty to purchase a little
Temporary Safety, deserve neither Liberty nor Safety" -- Ben Franklin

http://en.wikiquote.org/wiki/Benjamin_Franklin




Posted by Pavel A. on January 25th, 2006


"Tierrie" wrote:
Thanks :) but there's a difference: what one deserves - and what one
gets...

--PA


Posted by Stephan Wolf [MVP] on January 25th, 2006


I've been watching the progress in the security field wrt drivers for
years now. Here are some interesting papers:

"Analysis of the Intel Pentium's Ability to Support a Secure Virtual
Machine Monitor"

http://www.cs.nps.navy.mil/people/fa...nix00-0611.pdf
[this paper was written before hardware support for virtualization was
available in the x86]

"Safe Hardware Access with the Xen Virtual Machine Monitor"
http://www.cl.cam.ac.uk/Research/SRG...oasis-ngio.pdf

Stephan
---
Pavel A. wrote:

Posted by Chandra sekar on February 2nd, 2006


Thanks a lot, Don.
Though I have some doubts about MS's new concept. How will it affect audio/sound
card related drivers in the future?
I am waiting for your ideas!



"Philip Doragh" wrote:

