Yet Another Signing Change?? (AKA: Will MSFT *REMOVE* Ability To Sign Win7/8/8.1 Drivers by 2021?)

Tim_Roberts Member - All Emails Posts: 13,103
edited September 18 in NTDEV

Have any of you seen this gem yet?

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificate

If I read this correctly, and it's not entirely clear that I am, it looks to me like Microsoft finally intends to terminate the option to sign drivers using the cross-certificate technique, which today is still quite useful for systems with Secure Boot turned off. But they are not doing so by closing a loophole in new kernels, which would be sensible. Instead, it looks like they are shutting down the entire "Microsoft Code Verification Root" CA, thereby making it impossible to cross-sign driver packages at all.

To me, this looks like yet another example of the Redmond bubble, in which people don't have to live in the Real World. In the Real World, MANY of us are still writing drivers that have to run on Windows 7, 8, and 8.1, where attestation signing is entirely useless and cross-signing is required.

If I am reading this right, and I invite those with Microsoft contacts to correct me if I'm wrong, then I can only hope that an industry outcry will once again convince them that major policy decisions cannot be made in a bubble.

Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443

    /shakes head slowly

    I read this the same way you do. If we're reading it right, this could be a "really, really, huge deal"...

    I've sent an initial inquiry to an MSFT colleague and I'll post back if/when I have something more definitive to add.

    If we're reading this correctly, we HAVE been successful at getting mistaken policies changed in the past. But, I have to believe that we're missing something. They CAN'T take away the ability to release new production Win 7 drivers. Or Win 8. Or Win 8.1 -- they just CAN'T.

    Peter
    OSR

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443
    edited September 18

    [I added to the title of Mr. Roberts' original post to call more attention to it. If Mr. Roberts objects, I'll remove the addition.]

    Peter Viscarola
    OSR
    @OSRDrivers

  • Rourke Member Posts: 41
    edited September 19

    Surely they'll add a checkbox on attestation signing for these operating systems? No way they would flip a switch and all our software products wither on the vine. There have been a lot of bad driver signing policy decisions over the years, but in this case the software and hardware development outfits all over the world have too much money and commitments on the line and even MS would not stoop this low and hurt its customers and platform this badly. I am waiting for the clarification on this announcement. I expect that yes signing will get harder (that's what they always do), but we'll be able to do it.

  • Tim_Roberts Member - All Emails Posts: 13,103

    > No way they would flip a switch and all our software products wither on the vine.

    For Windows 7, 8, and 8.1? I'm not so sure. Big parts of Microsoft want to pretend those systems don't really exist in the wild.

    However, I've been contacted by a member of the team that developed the policy, and they've asked me for feedback. That's encouraging, and I'll let you know what comes of it.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • SweetLow Member Posts: 28

    > If I read this correctly

    Q: Is there a way to run production driver packages without exposing it to Microsoft?
    A: No, all production driver packages must be submitted to, and signed by Microsoft.

    IMHO it is clear enough...

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443

    They have two years to unfuck this.

    I predict they’ll just expand attestation signing as Mr. Rourke has suggested. That’ll be OK.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • SweetLow Member Posts: 28

    @Peter_Viscarola_(OSR) said:

    > I predict they’ll just expand attestation signing as Mr. Rourke has suggested.

    But attestation signing IS exposing driver package to MS, isn't it? And MS will be the only product drivers signer from 2021 as FAQ states. No matter whether it is HLK tests or attestation signing or anything else.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443

    > But attestation signing IS exposing driver package to MS, isn't it?

    Sure. But I don't care about that. Not even a little bit.

    > And MS will be the only product drivers signer from 2021 as FAQ states

    Well, sure. But, again, I don't care. Attestation signing completely satisfies me for Win10, and -- as long as they don't change any of the rules and will sign without question ANY driver we upload -- it will completely satisfy me if they provide it for Win7 and later.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 13,103

    The point, @SweetLow, is that there are many drivers that don't fit into WHQL, and attestation signing doesn't work prior to Windows 10. I haven't done a lot of WHQL submissions, but every time I have, it has required a multi-week tech support session to get a variance.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
