All Windows 10 Kernel Mode Drivers Must Be Digitally Signed By Microsoft

"Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed by Microsoft," reads a MSDN blog post. "However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal."

Slashdot reader mikejuk quotes a report from i-programmer.info which argues "the control of what software users can run on their machines is becoming ever tighter," and compares Microsoft's proposal to an XKCD cartoon: Before you start to panic about backward compatibility with existing drivers the lockdown is only going to be enforced on new installations of Windows 10. If you simply upgrade an existing system then the OS will take over the drivers that are already installed... Only new installations, i.e. installing all drivers from scratch, will enforce the new rules from Windows 10 version 1607... Be warned, if you need to do a fresh install of Windows 10 in the future you might find that your existing drivers are rejected.

Re:Not MS target demographic

How is it beneficial to *any* users to remove the choice? Why not let the user decide if they want to run a driver that is not signed? It's not like the user is going to be asked every day. If you get a new device, you install the (presumably signed) driver from the CD or manufacturers website or MS website. If you want to run that super old piece of hardware, you can install the unsigned driver. Win-win.

Not really about safety. Mostly about control.

Gee thanks

[JustAnotherOldGuy]

Thanks for not even giving people the choice to run an unsigned driver, since there's lots and lots of hardware out there that will instantly be made 'obsolete' by this policy.

Re: Worse and worse

No. MS wants to "xbox" Windows. MS actually hates lusers. So, rather than teying to find a happy medium, where we lusers still feel like we have a modicum of control of our systems, no. MS wants to control it all, just like Xbox.

how much independent Xbox apps are there? I'll argue, none. MS could snuff Netflix. right now, Netflix attracts users, so it isn't in MS interests to hijack Nwtflix too bad on Xbox. But Netflix writes to MS' rules on Xbox. Comcast (aka Universal Studios...) as a content license owner could easily get MS to effectively reduce Netflix's app to oblivion once Comcast figures out a better business model with MS (that has enough sideband $$$ coming to MS, so that MS feels confident they can afford to "lose" to Netflix at some point in court...)

I guess I saw this starting to happen in the 90's. Stewart Allsop did too back then, too.
The scales are finally tipped in MS' favor to finally start doing it. We're more or less conditioned to it now: cell phones, the Apple way, Xbox, etc.
Windows 7 is/was the last freedom-enabled OS from Microsoft.

Re: Worse and worse

[backslashdot]

Actually I think they are in cahoots with the movie and music ownership industry. This move is all about enforcing DRM.

Intel and AMD want Microsoft to make the OS have CPU busting features .. Like I dunno 3D animated window management, voice control, fingerprint recognition etc.

But this driver move, it seems entirely dreamt up by the DRM crowd. The don't want you to play any video or music that may be similar looking or sounding to anything they own. I mean the browser industry sold out already. How come when ads play in a browser the player controls are limited?

Re:Worse and worse

[x0ra]

Apple did the same with El Capitan...

Re:Tied to Secure Boot...

[SuricouRaven]

One day they will decree that Secure Boot cannot be turned off. It would only be a continuation of an existing trend.

Re:Worse and worse

[x0ra]

If what is written further below, so can you here. But I get it, it's easy to puke on Microsoft. You wouldn't sadden all the Apple fanboys around here...

Re:Not MS target demographic

Cost is an issue. And so is the difficulty for non-incorporated individuals, or contractors developing on behalf of a company, to deal with EV certificates. Don't take my word for it, take it from experts in developing NT drivers from the well known NTDEV list:

https://www.osronline.com/showthread.cfm?link=265064
https://www.osronline.com/showthread.cfm?link=268241
https://www.osronline.com/showthread.cfm?link=275593

But hey, I'm sure your snarky ass will dismiss anything anyway.

Re:you can also turn off secure boot

[Opportunist]

What makes you think you still can come next patch?

How to check

[WaffleMonster]

You can run sigverif from CLI to check to see what drivers are currently being used on your system not signed by Microsoft.

I welcome any legitimate reason for this behavior requiring Microsoft cross signing when secure boot is enabled. Currently I'm at a loss to come up with one.

It seems when secure boot is not enabled all signature validation can be bypassed by malicious code one way or another if you have admin rights by changing boot settings using bcdedit and rebooting or a million other approaches given admin level access. Signature checks don't have much bite in the real world with secure boot disabled.

With secure boot enabled any effective bypass of driver signature validation is a security bug. Since only kernels trusted databases are used for driver signature validation (regardless of secure boot setting) cross signing to MS is redundant. This is especially true given the blessings seem to be superficial at best and probably nearly fully automated given cross signing does not currently cost money.

Most likely reason for MS to do this I've been able to come up with is that without MS control anyone who develops a kernel driver and gets it signed by one of the supported CAs can break out of a Microsoft walled garden on systems where secure boot is being enforced against the user.

Even if you believe any and all measures to lock down kernel access improves security and therefore unconditionally good regardless of any other considerations... I still fail to see how any actual locking downing is being accomplished here as the MS blessing is superficial and adds nothing. Any malicious actor able to develop a kernel driver and obtain an EV cert is almost certain to also obtain blessing of Microsoft.

The only "benefit" seems to be MS getting a vote to stop execution of drivers paving way for restricting usermode execution against users. (See Windows RT and Windows Phone)

Re: Worse and worse

Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
I see nothing wrong with this. If anything it will force manufacturers to get their sh*t together and stop releasing buggy half baked drivers.

Re: Worse and worse

[jedidiah]

Drivers as a source of viruses? Talk about unreasonable. The fact that Microsoft's is Hollywood's BITCH is far more plausible.

Re: Worse and worse

[jedidiah]

Just who are you trying to kid? Do you know who you're talking to? A rootkit doesn't need anything quite that low level.

This entire approach to the "problem" is like putting a band-aid on a bullet wound after the victim has already been shot full of holes. He never should have gotten shot to begin with.