Driver Signing Practical Info

From all the above discussions, can we confirm that:

  1. There is still a way to install & load KMCS drivers on the Windows 10 client (desktop) version, which MS calls Configurable Code Integrity.

  2. WHQL driver signing is enforced on the Server version, and it seems they will not change their mind about this restriction.

  3. Drivers signed by an EV certificate will not be recognized on older Windows platforms like Windows Vista (but Windows 7 can still support them).

Please give a clear answer, thanks very much!

> My point was really to just note that by removing a requirement (or relaxing one) MSFT was just simply enabling more "freedom" in the market.

You seem to have a pretty peculiar understanding of the concepts of "freedom" and "market", Mr. Cattley. To be honest, I would normally expect such "definitions" from the likes of Mr. Kyler.
Anyway, I digress…

> Had they mandated that the Secure Boot Disable option be removed, that would have been a whole different thing.

Well, they are not THAT stupid, are they - they obviously DO realise that such a move would put them in legal trouble and result in hefty penalties in various jurisdictions (particularly in the EU). Therefore, they prefer to go the "indirect way"…

> And to our gracious host's observation that MSFT discounts OEM licensing to manufacturers that get the logo, well, hey, that is business.

> I think we can reasonably expect high-end laptop manufacturers to do precisely nothing that they are not compelled to do.

If you look at your own statement above you will (hopefully) realize that they don't have to be "compelled" to do things - instead, they may be "enticed" to do them by the offers of larger discounts from MSFT…

> the customer is "free" to choose what sort of OEM platform they will source for their application.

…apart from the fact that they are not. For example, I happen to be the kind of customer who does not want to have any Windows version pre-installed on his machine at all, due to a natural "MSFT allergy". Although I would not normally speak for other people, in this particular case I can assure you there are quite a few customers like me worldwide. However, practically all the machines that I see have this "MSFT puke" pre-installed by OEMs. Any suggestions, Mr. Cattley?

Anton Bassov

I can only help with number 3. I did not try Vista, but 32-bit versions of XP and 7 worked fine with an EV-signed driver. 64-bit Windows 7 will work as long as KB3033929 is installed.

Matt

Thank you for sharing the test result.
Today I tested our virtual device driver on the Windows 10 x64 version; the driver got installed & loaded properly without changing any settings. It's definitely good news for developers that don't wanna buy an EV certificate or don't wanna mix sysdev portal signing into their deployment process. Now I am confused about the actual requirement: why did MS say it's ENFORCED in RTM, but it is still CONFIGURABLE, even DISABLED by default?

Excellent points, all, Mr. Cattley. I agree 100%.

Mr. “Advance J” – I’m sorry, but I’m not certain I understand your questions. I’ll try to answer, and you can post back if I don’t give you an answer you need.

I have no idea what “which MS call that Configurable Code Integrity” means in this sentence. But I can tell you that if you cross-sign drivers using a proper Class 3 Code Signing Certificate that was issued prior to Windows 10 RTM, the policy is that your drivers will load on Windows 10.

Assuming you mean that "In order to load drivers on Windows V.Next Server, the drivers will need to pass the HLK Compatibility tests and be signed by Microsoft", the answer APPEARS to be "Yes, this is true."

The first non-NDA statement from MSFT on this topic that I am aware of is from Mr. Murray in my Q&A with him.

As far as whether “seems they will not change their mind for this restriction” there is a lot of time between now and Server V.Next GA. I strongly *suspect* there will be some sort of policy for legacy drivers and devices.

Microsoft establishes these policies and announces them well in advance (under NDA) to allow an opportunity for stakeholders to provide feedback. To their credit, Microsoft can (and has) modified their policies based on that feedback. So, for example, if enough Server OEMs, Enterprise Licensees, key IHVs, and the like raise objections or articulate reasons the announced policy should be altered, that’ll pretty certainly happen.

Peter
OSR
@OSRDrivers

Dear Mr. Peter, I'm sorry for my poor English, and thank you very much for the detailed answers; you are so kind to explain this useful information! I was considering purchasing an EV Certificate instead of renewing my Class 3 Code Certificate, but now I can just renew the old one.

xxxxx@hotmail.com wrote:

Dear Mr. Peter, I'm sorry for my poor English, and thank you very much for the detailed answers; you are so kind to explain this useful information! I was considering purchasing an EV Certificate instead of renewing my Class 3 Code Certificate, but now I can just renew the old one.

Actually, I don’t think you can. Read Peter’s statement:

But I can tell you that if you cross-sign drivers using a proper
Class 3 Code Signing Certificate that was issued prior to Windows 10
RTM, the policy is that your drivers will load on Windows 10.

Windows 10 released today. If you renew your certificate now, it will
not qualify.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The only caveat being that they will still work if the system you are installing on either doesn’t support secure boot or has it disabled. Not that this is something to aim for or force on your users/customers, but it is an interesting piece of information that came out of Peter’s interview with James Murray.

Matt

> instead, they may be "enticed" to do them by the offers of larger discounts from MSFT…

While I agree in principle that this can (and does) happen, in the singular
case brought up in this thread the OEM can do exactly nothing (e.g. leave
the firmware control to disable secure boot as available) and still be Logo
compliant.

I suspect that absent any compelling reason from the market or enticement
from Redmond that “don’t fix what is not broken” will prevail for the vast
majority of systems.

> However, practically all the machines that I see have this "MSFT puke" pre-installed by OEMs. Any suggestions, Mr.Cattley?

FWIW a quick search located at least a few OEMs (Acer for one) that ship
systems with Linux pre-installed. I’m sure if you want to buy in high
enough volume that most any system VAR will preconfigure whatever you want.
They probably would peel off the Logo sticker too if that was desired.

If the market is large and underserved then maybe this is an opportunity for
you to service it. If the market is not worth pursuing on economic
grounds then you are starting to sound like an old dog laying on a nail that
causes it just enough pain to howl but not enough pain to get up and move.

Regards,
Dave Cattley

However, I don't "buy in high enough volume", and I don't want ANY pre-configuration (including Linux) either. The only thing that I want is the ability to walk into a store and buy a "clean" laptop. I don't want any pre-installed Windows on my machine because I happen to be a Linux user, but I can easily imagine some "Windows 7 fanboy" who has purchased his RTM version of Windows 7, paid his $200-300 (or whatever it costs) to MSFT, so that he does not need any OEM version on his machine either. Am I requesting something extraordinary, Mr. Cattley?

…and this is, again, the kind of "argument" that I would normally expect from some simpleton like Mr. Kyler…

Anton Bassov

xxxxx@hotmail.com wrote:

However, I don't "buy in high enough volume", and I don't want ANY pre-configuration (including Linux) either. The only thing that I want is the ability to walk into a store and buy a "clean" laptop. I don't want any pre-installed Windows on my machine because I happen to be a Linux user, but I can easily imagine some "Windows 7 fanboy" who has purchased his RTM version of Windows 7, paid his $200-300 (or whatever it costs) to MSFT, so that he does not need any OEM version on his machine either. Am I requesting something extraordinary, Mr. Cattley?

Using a traditional definition of “extraordinary”, yes, you absolutely
are. There are about 300 million laptops and desktops sold every year.
Of that number, I would hazard a wild guess that perhaps 300 of those
sales encounter the scenario you describe. That definitely qualifies as
“extraordinary”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim,

You need to qualify that. I know of a lot of laptops and desktops for
medium to large scale business that are sold without software (a lot more
than 300). I am not sure if your 300 million number is based on all PC
sales, or consumer/small business PC sales. In the consumer/small business
market it is truly the case that you are unlikely to find a clean laptop. Anton,
if you want a clean machine look at the PC manufacturers' websites for
Business systems; of course they cost more than the consumer models, so you
may not save anything.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Thursday, July 30, 2015 12:54 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Driver Signing Practical Info

xxxxx@hotmail.com wrote:

However, I don't "buy in high enough volume", and I don't want ANY
pre-configuration (including Linux) either. The only thing that I want is
the ability to walk into a store and buy a "clean" laptop. I don't want
any pre-installed Windows on my machine because I happen to be a Linux user,
but I can easily imagine some "Windows 7 fanboy" who has purchased his RTM
version of Windows 7, paid his $200-300 (or whatever it costs) to MSFT, so
that he does not need any OEM version on his machine either. Am I requesting
something extraordinary, Mr. Cattley?

Using a traditional definition of “extraordinary”, yes, you absolutely are.
There are about 300 million laptops and desktops sold every year.
Of that number, I would hazard a wild guess that perhaps 300 of those sales
encounter the scenario you describe. That definitely qualifies as
“extraordinary”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


> There are about 300 million laptops and desktops sold every year. Of that number, I would hazard a wild guess that perhaps 300 of those sales encounter the scenario you describe.

Oh, I see - now I know that, all in all, there are 300 Linux users and retail Windows license holders in the entire world combined…

Anton Bassov

> Anton, if you want a clean machine look at the PC manufacturers websites for Business systems,

But I don't need a "Business system" - once I buy it for myself I want a laptop with USB ports, a wireless card, a webcam and other things that a "Business system" is more than likely to lack due to the potential security risks that these features may pose in a corporate environment…

Anton Bassov

anton bassov wrote:

> But I don't need a "Business system" - once I buy it for myself I want a laptop with USB ports, a wireless card, a webcam and other things that a "Business system" is more than likely to lack due to the potential security risks that these features may pose in a corporate environment…

http://krebsonsecurity.com/wp-content/uploads/2015/07/fb-wifisense.png

I’ve had no reply to my email to sysdev on Monday, but I did perform an
experiment this morning, creating a portal submission which included a cat
file tagged for all 64-bit operating systems from Vista to 10.

The portal submission all worked, but the signed cat file that came back is
only tagged for 10 and won’t install on any of the earlier systems. This
confirms the most recent statement that the portal will only sign drivers
for Windows 10, but contradicts what was in the blog post back in April. I
guess they changed their minds.

Jeff

On Jul 30, 2015, at 6:21 PM, Jeff Pages wrote:
>
> The portal submission all worked, but the signed cat file that came back is
> only tagged for 10 and won’t install on any of the earlier systems.

Was the CAT the only file that was signed? Not the SYS? That’s what I expect, but that represents a showstopper for non-PnP drivers. James mentioned this during his interview with Peter, but his suggested workaround (add a fake INF) doesn’t solve the problem at all.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It’s complicated.

The attestation signature program is limited to Win10 by design, according to Mr. Murray.

If you pass the Win10 HLK tests, your package can be signed for Win10 AND down level… Again, according to Mr Murray.

What type of submission did you create?

Peter
OSR
@OSRDrivers

> Was the CAT the only file that was signed? Not the SYS? That's what I expect, but that represents a showstopper for non-PnP drivers. James mentioned this during his interview with Peter, but his suggested workaround (add a fake INF) doesn't solve the problem at all.

We’ve tried both a PnP driver package and a non-PnP kernel service with a dummy INF. In both cases, we signed the .sys and the .cat with our existing (SHA1 cross-signing) cert before uploading. The returned driver package had both our old signature and the Microsoft signature on the .sys file. The .cat file had only a Microsoft signature.


Gabe
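Pulling the thread's checks together in one added PowerShell script (mine, not code from any poster or from Microsoft's tooling): it lists every signature signtool sees on the .sys and .cat files so you can confirm the dual-signed .sys / Microsoft-only .cat layout Gabe describes, flags a vendor certificate issued after the Windows 10 RTM cutoff that Peter and Tim discuss, and reports the KB3033929 and Secure Boot state Matt mentions. The signtool verbose-output format, the Microsoft signer name pattern, the package path and the cutoff date are assumptions.

```powershell
# Added example, not code from the thread. Assumes signtool.exe (Windows SDK) is on PATH,
# $PackageDir holds the package the portal returned, and the Microsoft attestation
# signer's subject starts with "Microsoft Windows" (assumption; adjust if it differs).
param(
    [string]$PackageDir = '.\signed-package',
    [datetime]$CertCutoff = '2015-07-29'   # assumed Windows 10 RTM date for the "issued prior to RTM" rule
)

function Get-Signers {
    # List EVERY signature on one file, not just the primary one that
    # Get-AuthenticodeSignature reports. Parses 'signtool verify /all /v' output:
    # the first 'Issued to:' after a 'Signing Certificate Chain:' header is the leaf cert.
    param([string]$Path)
    $lines = & signtool.exe verify /pa /all /v $Path 2>&1 | ForEach-Object { "$_" }
    $idx = -1; $inChain = $false
    foreach ($l in $lines) {
        if     ($l -match '^Signature Index:\s*(\d+)')  { $idx = [int]$Matches[1]; $inChain = $false }
        elseif ($l -match '^Signing Certificate Chain:') { $inChain = $true }
        elseif ($inChain -and $l -match '^\s*Issued to:\s*(.+)$') {
            [pscustomobject]@{ File = Split-Path $Path -Leaf; Index = $idx; Signer = $Matches[1].Trim() }
            $inChain = $false
        }
    }
}

# 1. Which signatures ended up on which file (expected: .sys dual-signed, .cat Microsoft-only).
Get-ChildItem $PackageDir -Recurse -Include *.sys,*.cat | ForEach-Object {
    $sigs = @(Get-Signers $_.FullName)
    $ms   = @($sigs | Where-Object Signer -like 'Microsoft Windows*').Count
    "{0,-30} total={1} microsoft={2} vendor={3}" -f $_.Name, $sigs.Count, $ms, ($sigs.Count - $ms)
}

# 2. Cross-signing fallback: the vendor cert on the primary .sys signature must have been
#    issued before Windows 10 RTM, so a certificate renewed after that date does not qualify.
Get-ChildItem $PackageDir -Recurse -Include *.sys | ForEach-Object {
    $cert = (Get-AuthenticodeSignature $_.FullName).SignerCertificate
    if ($cert -and $cert.NotBefore -ge $CertCutoff -and $cert.Subject -notlike '*Microsoft*') {
        Write-Warning ("{0}: primary signer cert issued {1:d}, after the RTM cutoff" -f $_.Name, $cert.NotBefore)
    }
}

# 3. Host-side caveats: SHA-2 signature support on Win7 x64 (KB3033929) and Secure Boot state.
$kb = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
"KB3033929 installed : {0}" -f [bool]$kb
try   { "Secure Boot enabled : {0}" -f (Confirm-SecureBootUEFI) }
catch { "Secure Boot enabled : n/a (legacy BIOS or not supported)" }
```

Run it from an elevated prompt on the target machine; Confirm-SecureBootUEFI needs administrator rights and a UEFI firmware, which the catch branch reports when absent.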

> Was the CAT the only file that was signed? Not the SYS?

I’ll check when I’m back in the office on Monday, Tim.

> The attestation signature program is limited to Win10 by design, according to Mr. Murray.
> If you pass the Win10 HLK tests, your package can be signed for Win10 AND down level… Again, according to Mr Murray.
> What type of submission did you create?

It was an attestation package, Peter. I know Mr Murray said it’s limited to Win10, but the April 1 blog said it was “simple” to use the portal to sign drivers for all platforms so I wanted to see which one was right.

Jeff