Windows Vista x64 To Require Signed Drivers
Anonymous Coward writes "With little fanfare, Microsoft just announced that the x64 version of Windows Vista will require all kernel-mode code to be digitally signed. This is very different than the current WHQL program, where the user ultimately decides how they want to handle unsigned drivers. Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. Microsoft says they won't charge for it, but they require that you have a Class 3 Commercial Software Publisher Certificate from Verisign. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities."
All this is going to do is prevent software that emulates hardware (Daemon Tools for example) from working properly under Vista. As I recall these types of software pretend to be hardware using unsigned drivers, so this won't work unless they get the drivers signed somehow. Looks like a way to enforce DRM to me.
Some software of that variety takes the approach of acting as an iSCSI device. So long as the OS has native iSCSI support, the application need not install its driver.
I'm considerably more worried about the impact on projects like OpenVPN.
That's it, no open source drivers on Windows Vista.
It's not unlike the early "Analog Hole" legislation being proposed by "Fritz" Hollings. The legislation attempted to link DRM and national security and, in one form, would have required a license to program a computer, possibly even certification of each binary prior to development.
The question is, how long until a workaround is found? When developing code I don't like the idea of signing each interim binary before testing it; that would just lengthen the whole cycle pointlessly. Sooner or later somebody will find a way around this but not without much frustration, perhaps a specially signed "Developer Edition" of the OS.
No wonder there wasn't much fanfare.
I'm a pretty strong MS backer. All things considered they have done some amazing things and brought products to the people. But I must agree with you, by putting this limitation into applications it will likely drive a lot of the younger crowd, especially developers, to Linux (the future of Ubuntu looks bright).
I would have to see how it plays out at the application level to know more. Can I use the Windows API and play a CD's audio tracks from a home brew .Net app? Or do I need to create a corporate entity to get a license for my own undistributed application?
If the application level is unaffected by this, then it's not that bad. And it will likely be good for security. But if they are enforcing restrictions to the application layer, this could really stifle non-professional Windows development.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I'm thinking that much of what's behind this are the big PC OEMs, specifically Dell. Make it harder to run Vista on clone hardware, and OEM hardware sales go up. Dell is a whole lot bigger customer for M$ (primarily through enterprise contracts for hardware and OS) than the media content companies.
I think this was first tried with XP -- back in the XP beta days, it became clear to me that XP was designed to be wholly compatible with Dell hardware, but with other hardware you just *hoped* it worked right.
~REZ~ #43301. Who'd fake being me anyway?
Heck - some of the smaller commercial outfits might even balk at having to spend that kind of money on the certificate.
... $500/year for corporations.
Yes, because $500 a year will easily put any corporation out of business.
I, for one, think this is great. It now *forces* companies like Creative, NVidia, ATI, RealTek, and other big hardware vendors to make their drivers go through and pass Windows Hardware Quality Labs testing. I know that doesn't guarantee a 100% perfectly working driver, but in my experience it does mean generally better drivers, which in turn means a more stable system. That's a good thing for millions of consumers, coming at the cost of
I find it both ironic and hypocritical that the community here is constantly bashing corporate America; that is, until Microsoft makes certain corporations pay to get their system-critical software tested and verified. Oh, then we're all sad for those poor corporations that have to pay $500 a year. Mercy me...
Tech, life, family, faith: Give me a visit
This is the beginning of Microsoft's death. Anyone who's read "In the beginning was the command line" by Neal Stephenson should recognize these early signs. It's the same reason Apple never got really big: they used proprietary hardware and therefore limited the amount of users that could use their OS. Therefore, prices stayed relatively high, and most users chose the more flexible PC platform. Microsoft is requiring their users to use (sort of) proprietary software and drivers. This will of course result in the fact that other (more flexible) OS's will become more popular. I'm just now getting to see the usefulness in Linux. I've used it off and on for the past 6 years, but now it's getting to the point where my machine is in Linux mode for a week at a time before I need to do some Maple or Matlab stuff. All I can say is that I will most definitely have a dual-boot system from now on, and that the more restrictive MS gets, the more I will stay in Linux to rip MY OWN FRIGGIN CD's and whatever else they consider potentially unlawful at MS. It's a self-stabilizing situation within the market, so don't worry too much about it. It's the beginning of a new era where Windows will not have the majority of the market.
If all the drivers are signed with certs, does that mean I can maintain a black list of driver manufacturers that I don't want to install on my machine? For example, Sony's rootkit driver? :)
Kormac
RTFWP! You not only have to sign everything, but you must get a Publisher Identification Certificate (PIC) from Microsoft for any kernel driver. Creating your own cert for local testing might be possible, but faking a Microsoft-authenticated PIC seems like a much bigger challenge.
But reading through the paper, I don't see any particular restrictions on obtaining a PIC. It sounds like you just get your Verisign code signing cert and then do an automated process with Microsoft to get a PIC. So why couldn't one person buy a cert and then offer a (free) signing service for anyone's code? Obviously any sane corporation concerned about security wouldn't want to trust such a service, but the white paper doesn't seem to prohibit it.
You do realize that to hack the Treacherous Computing system, you need either a multi-million dollar laboratory to disassemble the chip and read the key directly from the circuits, or a spy to steal the master key directly from Microsoft (or Verisign or whoever), right?
Oh, and by the way: once you go to all this trouble to get the key, they can just use Remote Attestation to disable it (along with the hardware itself).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
>There is a way round the problem, but it puts you at risk from the DMCA as (by definition) it is circumventing security technology. By having a hypervisor-like OS running at the lowest level, and then having Vista run on top of that, you can make any piece of physical hardware look like any other piece of hardware that you like. Nothing Vista can do about it, as it can't see the hardware directly, all it can see is the results of pushing data of one type in one direction, then pulling data of another type in the opposite direction.
Unfortunately, even that won't work once trusted computing takes over. Trusted hardware protects trusted firmware which in turn protects a trusted OS. IMHO, that's what MS is gambling at.
Drivers aren't the biggest security issue - as incompleted TCP handshakes were not.
This is for Disney's "security" - not ours. Like the "USA Patriot" act: the target of the restriction is the average person, not the "evildoer".
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
For those that cannot or did not RTFA, here is a quote from the article that clearly states this topic is not just about DRIVERS:
:-)
------
"Digital signatures allow the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package."
Nuff said
This has been another valuable and informative opinion from:
Catahoula!
So, about the whole $500 deal in order to get your drivers signed... why couldn't the GNU community or someone buy one? Then, when someone comes out with some nice piece of code submit it to the owners. Then, he or she could get it signed and distribute the signed code? Or is that somewhere on page 17623875 of the EULA?