Followup: Microsoft: No More Updates Allowed for Drivers on Win 7, Win 8, Win 8.1

Matthias_Lehmann Member Posts: 14
edited January 26 in NTDEV

@Peter_Viscarola_(OSR)

Hello Peter, since you closed the original post about the topic in this headline, but I have interesting news, I'm opening this one here with mostly the same title.
Feel free to move this information into the original post, or wherever it suits best.

My information is the following:
Our company managed to still order a code signing certificate with kernel mode signing caps in December last year. The certificate itself expires in 2025 and the cross certificate it chains to expires in Dec 2023.
Thus we managed to be able to sign Win 7 kernel mode drivers and load them successfully until Dec 2023.
At least for us, this should be sufficient, we hope, to upgrade our hardware in the field to Win 10 :-)

But it was quite hard to get this certificate. We had to ask 3 CAs. DigiCert and VeriSign weren't able to fulfill our needs. But Entrust did a good job.

And as far as I understand Microsoft's policy, this is compliant, as they state: "... your existing certificate will function until it expires ...".
So for us in Dec 2023, and we are fine with that ;-)

Greetings Matthias

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    Let's move this to the NTDEV, shall we? Then we can continue there...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    ... as long as the CROSS CERT doesn't expire... or Windows decides to not load drivers that are cross-signed.

    The real solution here isn't to find a certificate; The REAL solution is to school Microsoft in all the reasons that this is bad policy, and to work hard to get them to reverse this decision.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR) said:
    Let's move this to the NTDEV, shall we? Then we can continue there...

    Peter

    yes ;)

  • Matthias_Lehmann Member Posts: 14
    edited January 26

    @Peter_Viscarola_(OSR)

    @Peter_Viscarola_(OSR) said:
    ... as long as the CROSS CERT doesn't expire... or Windows decides to not load drivers that are cross-signed.

    Are you telling me Microsoft is gonna do this? How should they prevent drivers from loading on Win 7 systems, with Windows Updates not possible any more?

    The real solution here isn't to find a certificate; The REAL solution is to school Microsoft in all the reasons that this is bad policy, and to work hard to get them to reverse this decision.

    Yes, I agree, their policy is foolish, but I think it's wasting time in this war between David and Goliath :disappointed: . At least our company is way too small to have an impact.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    but I think it's wasting time in this war between David and Goliath :disappointed: . At least our company is way too small to have an impact.

    You are mistaken.

    As I have said numerous times before, we have changed similar policies in the past -- all working together.

    MSFT doesn't intend to cause OEMs/IHVs/ISVs pain... they NEVER do. It's just that they don't always see the far-reaching consequences of their actions. They "do the right thing" to fix one thing, or avoid one serious problem... but that action has side-effects that they don't really anticipate, understand, or (having already implemented their "fix") have a great way to solve.

    And it has to do with "domains" -- The guy who "owns" the cross-signing issue doesn't "own" everything to do with drivers being authorized on Windows. So, he doesn't really have a way to force (or even meaningfully encourage) the guys who "own" attestation signing to extend it to down-level platforms (cuz that'd take time and dev resources and cost money). So, one guy makes his little decision... and there's nobody to work cross-discipline to make the right thing happen for the community....

    UNTIL WE ALL MAKE A FUSS ABOUT IT.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR)

    Yes, I understand what you wanna point out. I personally would also like to push MSFT in the right direction. And I really tried to get someone in my company to open up a support query on MSFT's side or just get someone on the phone from Redmond.
    So I really tried, but at some point in time gave up, as I've got other stuff to do.

    Sorry :dizzy:

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR)

    But still I'm interested in the answer to the following part of my questions above?!

    @Matthias_Lehmann said:
    @Peter_Viscarola_(OSR)

    @Peter_Viscarola_(OSR) said:
    ... as long as the CROSS CERT doesn't expire... or Windows decides to not load drivers that are cross-signed.

    Are you telling me Microsoft is gonna do this? How should they prevent drivers from loading on Win 7 systems, with Windows Updates not possible any more?

    Any answer to this?

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    Any answer to this?

    With all due respect, I'm not sure what the question is.

    I'm not even sure what it is you're trying to accomplish: Simply sign a driver today that'll work forever on Windows? Well, you just need a code signing cert that's valid as of today, and that gets you as close as you're gonna get... unless MSFT changes their policy.

    Be able to sign drivers in the future? Well, you need your cert to be valid and the cross-cert to be valid. And I was under the impression the issue was that the CROSS CERTS were going to expire. Whether or not you could get somebody to issue you a code signing cert wasn't really the issue... at least the way I understand the problem.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
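    A check a practitioner can run against the signed driver image itself, added here as an example and not code from the thread or from OSR: it reads the certificates signtool embedded in the PE, flags the Microsoft cross-certificate, and reports the window in which both the signer's chain and the cross-cert are still unexpired. The driver path is a placeholder; the single thumbprint is the Entrust cross-cert value quoted later in this thread, and the "Microsoft Code Verification Root" issuer name is the one Microsoft uses for its cross-certificates.

```powershell
# Added example (not from the thread). Reports the validity window of a
# cross-signed driver: signer-chain expiry AND cross-certificate expiry.
# Usage: .\Check-DriverChain.ps1 -DriverPath C:\path\to\driver.sys   (placeholder path)
param([Parameter(Mandatory = $true)][string]$DriverPath)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning "No timestamp: the signature stops verifying once the signer cert expires."
}

# The PKCS#7 blob inside the PE carries every certificate signtool embedded
# (signer, its CA chain, the /ac cross-cert). Import() reads it from the file.
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($DriverPath)

# Walk the signer's chain using the embedded certs as candidates. This is an
# offline expiry check, so revocation is deliberately not consulted here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.AddRange($embedded)
$null = $chain.Build($sig.SignerCertificate)
$chainExpiry = ($chain.ChainElements | ForEach-Object { $_.Certificate } |
                Sort-Object NotAfter | Select-Object -First 1).NotAfter
"Signer chain expires   : {0:yyyy-MM-dd}" -f $chainExpiry

# Microsoft cross-certificates are issued by "Microsoft Code Verification Root".
$cross = $embedded | Where-Object { $_.Issuer -like '*Microsoft Code Verification Root*' }
if (-not $cross) {
    Write-Warning "No Microsoft cross-certificate embedded (signtool /ac not used); Win 7 kernel-mode loading via cross-signing needs it."
    return
}
# Thumbprint quoted in this thread for the Entrust Root CA - G2 cross-cert.
$known = @{ 'D8FC248748585E173EFBFB3075C4B4D60F9D8D08' = 'Entrust Root Certification Authority - G2' }
foreach ($c in $cross) {
    $label = if ($known.ContainsKey($c.Thumbprint)) { $known[$c.Thumbprint] } else { 'not in the known list' }
    "Cross-cert {0} ({1}) expires {2:yyyy-MM-dd}" -f $c.Subject, $label, $c.NotAfter
}
$crossExpiry = ($cross | Sort-Object NotAfter | Select-Object -First 1).NotAfter
$window = if ($crossExpiry -lt $chainExpiry) { $crossExpiry } else { $chainExpiry }
"New signatures possible until: {0:yyyy-MM-dd} (earlier of chain and cross-cert expiry)" -f $window
```

    Drivers signed and timestamped before that date keep verifying afterwards; the window only bounds when new signatures can still be produced with this chain.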

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    I really tried but at some point in time gave up, as I've got other stuff to do.

    Hmmmm... I've got other stuff to do, as well. It's not like I get paid to answer the questions you post here, right?

    Community, dude. It's important.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 399
    via Email
    Hmm, is that an EV SHA256 cert you were issued?
    Does it load on Windows 10 without attestation signing?

    > Our company managed to still order a code signing certificate with kernel
    > mode signing caps in December last year. The certificate itself expires in
    > 2025 and the cross certificate it chains to expires in Dec 2023.
    >
    > Thus we managed to be able to sign Win 7 kernel mode drivers and load them
    > successfully until Dec 2023.
  • Matthias_Lehmann Member Posts: 14

    @Dejan_Maksimovic :smile:

    Nope, it's an OV certificate.

    I think it's not possible to get a driver signed by yourself (without attestation) which loads under Windows 10, secure boot on, version > 1603

  • Dejan_Maksimovic Member - All Emails Posts: 399
    via Email
    I see no point then, unless you get it for free on top of an EV cert.

    Is it SHA2 at least?
  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    I see no point then

    I suspect the POINT is that the driver will load on down-rev OS versions. Which is, after all, the whole point of cross-signing.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR) said:

    I see no point then

    I suspect the POINT is that the driver will load on down-rev OS versions. Which is, after all, the whole point of cross-signing.

    Peter

    Exactly, that's the point.

    And EV certificates are only usable together with HW dongles, which makes usage more complex, especially in Corona home office, and it's more expensive ;)

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR) said:

    I'm not even sure what it is you're trying to accomplish: Simply sign a driver today that'll work forever on Windows? Well, you just need a code signing cert that's valid as of today, and that gets you as close as you're gonna get... unless MSFT changes their policy.

    Be able to sign drivers in the future? Well, you need your cert to be valid and the cross-cert to be valid. And I was under the impression the issue was that the CROSS CERTS were going to expire. Whether or not you could get somebody to issue you a code signing cert wasn't really the issue... at least the way I understand the problem.

    What I intend is to have a code signing certificate which I can be totally sure to be able to sign drivers for Win 7 with, at least until the end of this year (2021).
    And as I got a certificate from Entrust which together with its cross signing cert is valid till 2023, I'm just wondering if MSFT can do anything to prevent me from signing such drivers till 2023?

    As you said above:
    > ... or Windows decides to not load drivers that are cross-signed ...

    So I'm asking myself (and the community): Is it possible for MSFT to revoke my nicely signed driver, which is cross signed and timestamped properly today or at any later time this year, from loading under Win 7 anyway? How would they do that without Windows Updates being possible on Win 7?
    And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today, which is valid until 2023 including its cross cert?

    Greetings Matthias

  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    which I can be totally sure to be able to sign drivers for Win 7 with, at least until the end of this year (2021)

    Yeah, well... "totally sure" is a pretty high standard, so I won't go there. But as long as you have a cert and a cross cert that are valid until the end of 2021, you should have a very good chance that you'll be able to do what you want during that time.

    How would they do that without Windows Updates possible on Win7

    I'm not sure what "without Windows Updates possible on Win7" means. If you mean that the target systems that will be loading your driver will not be connected to the Internet (or you will otherwise be set to disable any possibility of getting a Windows Update)... yes, I think you're safe. If you're saying "Microsoft has said they won't do any Windows Updates for Win7" .... well, whether that's what they DO or not is entirely up to them, isn't it?

    And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today,

    It's their operating system. They can do anything they want. As we see from this whole mess... But the point isn't "prevent me to sign such drivers" -- the ultimate point is "refusing to load such drivers" after you've signed them, right? Who knows what logic lurks in the various versions of the Win7 driver signing/authorization code? What little things they have that might expire, and when? This code is among the most closely guarded in Windows and I, for one, have never seen it.

    Have you considered passing the Win7 WHQL tests? That would save you from having to worry about all this nonsense. It seems like you've expended as much effort as it might require for you to setup, run, and maybe pass those tests...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 13,823

    From where did you get a cross-certificate valid until 2023? The cross certificates have to be issued by Microsoft, and it was my understanding they were not going to issue or renew any that lasted beyond June 2021.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Matthias_Lehmann Member Posts: 14

    @Tim_Roberts said:
    From where did you get a cross-certificate valid until 2023? The cross certificates have to be issued by Microsoft, and it was my understanding they were not going to issue or renew any that lasted beyond June 2021.

    From Entrust. It's even documented on MSFT's home page:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
    Entrust Root Certification Authority – G2, thumbprint d8 fc 24 87 48 58 5e 17 3e fb fb 30 75 c4 b4 d6 0f 9d 8d 08, expires 2025/07/07

  • Matthias_Lehmann Member Posts: 14

    @Peter_Viscarola_(OSR) said:

    How would they do that without Windows Updates possible on Win7

    I'm not sure what "without Windows Updates possible on Win7" means. If you mean that the target systems that will be loading your driver will not be connected to the Internet (or you will otherwise be set to disable any possibility of getting a Windows Update)... yes, I think you're safe. If you're saying "Microsoft has said they won't do any Windows Updates for Win7" .... well, whether that's what they DO or not is entirely up to them, isn't it?

    Rather the latter one, but you're right, it's up to them what they do or don't do on their Win 7.

    And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today,

    It's their operating system. They can do anything they want. As we see from this whole mess... But the point isn't "prevent me to sign such drivers" -- the ultimate point is "refusing to load such drivers" after you've signed them, right? Who knows what logic lurks in the various versions of the Win7 driver signing/authorization code? What little things they have that might expire, and when? This code is among the most closely guarded in Windows and I, for one, have never seen it.

    "refusing to load such drivers" --> yes, that's exactly what I mean. Yes, and maybe they have some special code in the depths of their Windows 7 OS waiting to get active and start revoking cross signed drivers after June 2021 ;) We never know (until June :smile: ).
    But from your answer I read that you don't know for sure about such code/feature. It's all just guessing.
    So I'm fine with that and take the risk for now.

    Have you considered passing the Win7 WHQL tests? That would save you from having to worry about all this nonsense. It seems like you've expended as much effort as it might require for you to setup, run, and maybe pass those tests...

    Yes sure, we looked into HLK already for Win 10 and even managed to pass some of our drivers. But then we figured out that we need HCK for Win 7 drivers, which is another hassle to set up. But anyway, we are still investigating that as well.

    But that's not my job in my company. Other people are doing that.
    I just have the job to find a backup plan, if we fail to pass HCK, which is very likely as I read in many other posts here ;)

    Thanks for your help and expertise Peter, so far.

    Matthias

  • Yan_Vugenfirer-4 Member Posts: 13

    ...

    The real solution here isn't to find a certificate; The REAL solution is to school Microsoft in all the reasons that this is bad policy, and to work hard to get them to reverse this decision.

    Hi Peter,

    I am the virtio-win maintainer.
    How can I help?
    Should we approach MS through development support or do you know other ways to approach MS to discuss the "update-apocalypse" with them?

    Best regards,
    Yan.

  • Mark_Roddy Member - All Emails Posts: 4,396
    via Email
    thwaite and geo-whatever expire on 2.22 so it should be an interesting month. DigiCert and many others expire early April. I happen to know that some very large companies have no clue this is happening. I

    Mark Roddy
  • Peter_Viscarola_(OSR) Administrator Posts: 8,313

    Should we approach MS through development support

    You should approach MSFT through whatever mechanisms are available to you.

    If your company has executives that have Quarterly Reviews with MSFT higher-ups, then that's a good place to bring this issue. If you have interactions with folks in MSFT Premier Support, then by all means raise the issue there. If you have buddies (devs or PMs) who happen to work in one of the product groups, that's a good place. If all you have is per-incident support, then go that way.

    The key is for as many people as possible to raise the issue.

    There ARE people internally who want to fix this, but they don't have the clout to manage it themselves and therefore need folks from outside of MSFT to provide ammunition. Without breaking any confidences, I can tell you that I had one PM tell me that there are folks internally who do not believe that there are a legit subset of drivers that are correct, but will never be able to pass the WHQL tests. Internally, the mantra has been "WTF are they so upset about? This isn't an issue. Just pass WHQL and be done with it."

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
