Microsoft Ignite: Windows driver development news

Just in case you missed the future of Windows driver development:

Preventing incidents through driver resiliency

...

In short, we’re raising the bar for driver signing and making it easier to build reliable drivers for Windows.

What’s changing:

  • Driver signing will require a higher security and resiliency bar with many new certification tests.

  • We are expanding Microsoft-provided Windows in-box drivers and APIs so partners can replace many custom kernel drivers with standardized Windows drivers or move logic to user mode.

  • Over the coming years, we expect a significant reduction in code that runs in kernel mode across driver classes such as networking, cameras, USB, printers, batteries, storage and audio.

We will continue to support third-party kernel mode drivers. We will not limit partners from innovating where we don’t have Windows in-box drivers, or from using kernel mode drivers where required to help ensure a great Windows experience and for scenarios without in-box coverage. Graphics drivers, for example, will continue to run in kernel mode for performance reasons.

For kernel-mode drivers, we’re adding practical guardrails that improve quality and contain faults before they become outages. These include new mandatory compiler safeguards to constrain driver behavior, driver isolation to limit blast radius, and DMA-remapping to prevent accidental driver access to kernel memory.

...

That almost sounds like a charm offensive for us. However, I have a feeling that this doesn't mean we'll have less work to do, but who knows, let's stay positive.

We will continue to support third-party kernel mode drivers.

Considering the experience of those locked out of the hardware dashboard, the word ‘continue’ is a bit of a slap in the face.

Driver signing will require a higher security and resiliency bar with many new certification tests.

I’d like to see some greatly expanded explanation of this.

  • How is the driver signing process changing?
  • What are the new certification tests?
    • Do we have a new HLK version that is required to be used to execute these certification tests?

These include new mandatory compiler safeguards to constrain driver behavior, driver isolation to limit blast radius

  • What are the new compiler settings which will be required?
  • What is the minimum version of Visual C++ that is needed to use them?
  • What are the constraints on driver behavior that are being implemented?
  • What is “driver isolation”, how is it enforced and what impact does it have on device driver design & implementation?

Driver signing will require a higher security and resiliency bar with many new certification tests.

I really hope this does not mean the end of attestation signing.