Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Vista x64 To Require Signed Drivers

Posted by ScuttleMonkey on from the circumvented-in-3-2-1 dept.

Anonymous Coward writes "With little fanfare, Microsoft just announced that the x64 version of Windows Vista will require all kernel-mode code to be digitally signed. This is very different than the current WHQL program, where the user ultimately decides how they want to handle unsigned drivers. Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. Microsoft says they won't charge for it, but they require that you have a Class 3 Commercial Software Publisher Certificate from Verisign. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities."

6 of 326 comments (clear)

  1. It's all about the DRM. by TripMaster+Monkey · · Score: 5, Informative

    The summary is a bit brief (as well as being plagarized verbatim from OSNews.com, but a brief perusal of the cited Microsoft article is rather illuminating:
    • Drivers must be signed for devices that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands.
    • Unsigned kernel-mode software will not load and will not run on x64-based systems.
    • Note: Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems. This applies for any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services.
    (Boldface mine.)


    It would seem that Microsoft cares more about the profits of the record companies than it does about the ability of its users to be able to use its software. Just one more reason to switch to Linux.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

  2. You will be able to disable verification by aapold · · Score: 3, Informative

    Its in the white paper attatched. Is it perfect? no... but it won't absolutely prevent you from doing stuff. Here's the relevent text:


    How to Disable Signature Enforcement during Development
    During the early stages of development, developers can disable enforcement in Windows so that driver signing is not necessary. The following options are available for developers to disable digital signature enforcement temporarily so that Windows will load an unsigned driver.
    Attaching a kernel debugger. Attaching an active kernel debugger to the target computer disables the enforcement module in Windows Vista and allows the driver to load.
    Using the F8 option. An F8 boot option introduced with Windows Vista--"Disable Driver Signature Enforcement"--is available to disable the kernel-signing enforcement only for the current boot session. This setting does not persist across boot sessions.
    Setting the boot configuration. A boot configuration setting is available for prerelease builds that allows the suppression of the enforcement module in Windows to be persisted across boot sessions. Windows Vista includes a command-line tool, BCDedit, which can be used to set this option. To use BCDedit, the user must have Elevated User or Administrator privileges on the system. The most straightforward approach is to create a desktop shortcut to cmd.exe, and then right-click -> Run Elevated. The following shows an example of running BDCedit at the command prompt:

    // Disable enforcement - no signing checks
    Bcdedit.exe -set nointegritychecks ON

    // Enable enforcement - signing checks apply
    Bcdedit.exe -set nointegritychecks OFF


    // Disabling integrity check on an alternate OS
    // specified by a GUID for the system ID
    Bcdedit.exe -set {4518fd64-05f1-11da-b13e-00306e386aee} nointegritychecks ON

    --
    "Waste not one watt!" - CZ
  3. Re:Not true... by 99BottlesOfBeerInMyF · · Score: 5, Informative

    if you actually read the MSDN page on this subject you will find that non administrators will be prevented from installing unsigned drivers.

    This is not true. From the article, "Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems." On 32 bit systems, only admins can load unsigned drivers. on 64-bit, no one can.

  4. Re:All this will do... by Randolpho · · Score: 3, Informative

    Actually, nearly all hardware emulation drivers, along with most general purpose device drivers, can still be unsigned.

    I suggest folks RTFA. Hell, just read the tagline for /. article. It says "kernel mode", folks, not "user mode". You need a digital signature to write kernel-mode drivers (and, BTW, to stream protected content), but user-mode unlicensed drivers are fair game.

    Frankly, IMO, most drivers *should* be user-mode -- if you're writing your driver in kernel mode, you should re-think your design. Yeah, there's always the necessary exception, but if it's that important, go get a digital signature.

    --
    "Times have not become more violent. They have just become more televised."
    -Marilyn Manson
  5. Re:Not true... by 99BottlesOfBeerInMyF · · Score: 4, Informative

    User-mode drivers (which most drivers *should* be) are still fair game. It's only kernel-mode that's at issue, and they're only really necessary for stringent timing requirements and legacy hardware.

    Except for drivers for "CD-ROM, disk drivers, ATA/ATAPI controllers, mouse and other pointing devices, SCSI and RAID controllers, and system devices." as the article says. I'd say that is a good portion of the drivers, wouldn't you?

  6. Re:All this will do... by mrchaotica · · Score: 3, Informative

    No, it'll screw over all OSS drivers in general, because if you modify it, it won't work anymore. It defeats the entire point of having the source code in the first place!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz