All Windows 10 Kernel Mode Drivers Must Be Digitally Signed By Microsoft (i-programmer.info)
"Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed by Microsoft," reads a MSDN blog post. "However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal."
Slashdot reader mikejuk quotes a report from i-programmer.info which argues "the control of what software users can run on their machines is becoming ever tighter," and compares Microsoft's proposal to an XKCD cartoon: Before you start to panic about backward compatibility with existing drivers the lockdown is only going to be enforced on new installations of Windows 10. If you simply upgrade an existing system then the OS will take over the drivers that are already installed... Only new installations, i.e. installing all drivers from scratch, will enforce the new rules from Windows 10 version 1607... Be warned, if you need to do a fresh install of Windows 10 in the future you might find that your existing drivers are rejected.
You cannot imagine how excited I am to be submitting my drivers to the Windows Hardware Developer Center Dashboard portal. Talk about boner killer.
For 97% of Windows 10 users (yes, I made that figure up) this is a total non-issue. It may even be a benefit to protect them from themselves. Many can't distinguish between safe and not so safe web sites from which to download programs and such. These folks may not even know how to uninstall drivers that don't uninstall automatically when a related piece of software is uninstalled. If you are a registered developer, this isn't an issue either as MS gives you a way around it.
For the rest of us, well, there aren't enough who haven't already migrated to iOS or Linux so MS doesn't give a shit.
Right now, if secured boot is off, this policy doesn't kick in. That may change of course. For the vast majority of Windows users, this is fine, but for power users, kind of a pain.
Thanks for not even giving people the choice to run an unsigned driver, since there's lots and lots of hardware out there that will instantly be made 'obsolete' by this policy.
Just cruising through this digital world at 33 1/3 rpm...
Also, Submitting drivers to the Dev center now requires EV CODE SIGNING CERTIFICATE.
Even though Microsoft will sign the final result, you have to have an EV CERT from a small list of approved CAs to sign your code before their portal will sign it per the new policy.
In case you have not noticed, the cheapest of the EV Certs is $1000 a Year; Only organizations can obtain these certificates, not individual developers.
Also, all EV Code signing certs require Smartcard/Token-Based Storage of your certificate's private key to ensure credentials cannot be shared, and you cannot automate the digital signing process.
This is a move to make sure Open Source software developers and individuals cannot produce Kernel mode drivers.
No. MS wants to "xbox" Windows. MS actually hates lusers. So, rather than trying to find a happy medium, where we lusers still feel like we have a modicum of control of our systems, no. MS wants to control it all, just like Xbox.
How many independent Xbox apps are there? I'll argue, none. MS could snuff Netflix. Right now, Netflix attracts users, so it isn't in MS interests to hijack Netflix too bad on Xbox. But Netflix writes to MS' rules on Xbox. Comcast (aka Universal Studios...) as a content license owner could easily get MS to effectively reduce Netflix's app to oblivion once Comcast figures out a better business model with MS (that has enough sideband $$$ coming to MS, so that MS feels confident they can afford to "lose" to Netflix at some point in court...)
I guess I saw this starting to happen in the 90's. Stewart Allsop did too back then, too.
The scales are finally tipped in MS' favor to finally start doing it. We're more or less conditioned to it now: cell phones, the Apple way, Xbox, etc.
Windows 7 is/was the last freedom-enabled OS from Microsoft.
Actually I think they are in cahoots with the movie and music ownership industry. This move is all about enforcing DRM.
Intel and AMD want Microsoft to make the OS have CPU busting features .. Like I dunno 3D animated window management, voice control, fingerprint recognition etc.
But this driver move, it seems entirely dreamt up by the DRM crowd. They don't want you to play any video or music that may be similar looking or sounding to anything they own. I mean the browser industry sold out already. How come when ads play in a browser the player controls are limited?
Apple did the same with El Capitan...
> Any good WINE tutorials out there?
I'm sure there are; yet over 17 years on Linux I've used WINE roughly twice. Normally, it's not the best solution.
Do you typically use emulation to run the Linux versions of most programs on Windows, or do you run the Windows version on Windows? Running the Windows version on Linux doesn't normally make sense - on Linux, run the Linux software.
A lot of daily use software brands are compiled for Linux, often developed for Linux FIRST, then ported to Windows. Firefox, Chrome, OpenOffice/LibreOffice, etc are all available native for Linux.
If the specific brand of software you used to use is Windows-only (and therefore probably proprietary), there is probably other open, free software that does the same job on Linux. Unlike the Windows software, the software designed for Linux doesn't include telemetry, onerous licensing, etc. For example, rather than MS Outlook, there are dozens of other email and groupware programs for Linux. Sylpheed Claws / Claws Mail is one.
The single software package most often mentioned as a counter-example is Photoshop. If you're a professional graphic artist, you'll probably be happiest with a Mac. If you want to adjust brightness and color curves of your snapshots, or do any simple to moderate photo editing, you can use one of the tools used by Dreamworks and ILM - Gimp. True, Gimp is not exactly the same as Photoshop. However, Gimp is powerful enough to be used by major Hollywood effects studios.
You are allowed to disable theirs though. It's two separate options afaik, but you can turn off both the protected filesystem and signed kext requirements.
You should use Veracrypt instead, but your question still stands open.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I'm using windows 10 and I cannot figure out how to change a user's password.
The Anonymous Cowards who responded to you have given you the correct answers. It should be noted that the method for administering other local accounts has not changed since Windows 2000. You still use Control Panel->User Accounts as you did back then, although the method of getting to the control panel has changed over time. In Windows 10 you right click on the start button and choose it from the pop up menu.
The command line version of "net user username NewPassword" has not changed at all since Windows NT 4.0 (19 years ago). Of course, if you are not used to Windows then it is quite reasonable that you wouldn't know the command to use, any more than a Windows admin would magically know to misspell the word password on Linux.
I can't speak for the original Xbox, but the Xbox 360 has a pretty respectable library of indie third-party games that can be installed through Xbox Live. In fact, the third-party indie games on my 360 outnumber the retail-boxed games about 3 to 1.
Unholy Heights is a riot.
http://xbox.com/indiegames
What makes you think you still can come next patch?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1) Unlikely. I've seen lots of WHQL drivers that just crash-and-burn but more likely they are "stable" but atrociously useless. Because of the faffing and back-and-forth on them, lots of simple devices (e.g. printers etc.) get one WHQL driver and then just release unofficial ones for everything else. If you're lucky and it's a big printer, they might update the WHQL one every year or so. With ten other releases between.
2) No. They won't know what's going on and things will just stop working. They won't be able to update drivers when suggested and will still have all the problems that they have now. And everything cheap they buy on Amazon just won't work, it's as simple as that.
While the posters here are correct (at large) please don't forget that at the same time, MS has always been urged to close malware attack vectors. So, as Master Yoda would put it: Do or do not. There is no "/. won't complain".
bickerdyke
I thought you need signed drivers at least since windows 7 and this is one of the reasons why for example andlinux isn't available anymore?
Funny, as that's also my experience with my own windows.. But I had to reinstall Ubuntu a couple of times after an upgrade (so the upgrade fubarred it, so I just reinstalled the new version) to get my development environment working again..
"But I need Windows for..." *SMACK!* NO! You don't!
LOL! You should typeset it. The Gimp works really well, although most popular Live distros have it by default.
But I still like this one for anime fans and this one for dog lovers . :-)
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
So the next time Kaspersky finds a properly signed rogue driver we would know that the hardware vendor was cooperating. Would it create a liability?
I reinstall Windows as often as I do Linux. No, thinking about it in fact I reinstall Linux more often.
I am not a fan of the fact that you need to spend big money on an expensive certificate, more money on setting up a legal entity that will satisfy those organizations who can issue the right EV code signing certificate that Microsoft will accept and even more money on all the required hardware to actually test your driver or what it means for open source software but this move DOES have some benefits.
It reduces the amount of crappy drivers out there (both because of the testing and because entities who are making crappy drivers tend to be the ones who don't want to spend the money on certificating and signing).
It also makes it harder for anyone wanting to create kernel level malware since either Microsoft will refuse to sign it in the first place or Microsoft will revoke the signature (and blacklist the creator of those drivers).
The increased requirements in terms of the code signing certificate you need to submit drivers to Microsoft also eliminates problems with rogue code signing certificates (i.e. all the times when a code signing certificate was stolen from a major hardware vendor and used to sign malware or other bad things)
I do wonder what this means for government/law enforcement/intelligence agencies though. We know from various leaks and other things that governments and their agencies have used kernel drivers (or things that can only be done with kernel drivers even if it's not actually explicit that kernel drivers are being used) as part of their spying/hacking/law enforcement efforts. Will the NSA be given the ability to sign a kernel driver that can run on a standard Windows 10 install? What about the Chinese Government (the censor-ware they wanted to force PC manufacturers to install on new PCs almost certainly requires kernel-level code to do the things it does). Or the German Bundespolizei? (the spyware they have reportedly used to spy on things like Skype may well need kernel code in order to do its job)
You can run sigverif from CLI to check to see what drivers are currently being used on your system not signed by Microsoft.
I welcome any legitimate reason for this behavior requiring Microsoft cross signing when secure boot is enabled. Currently I'm at a loss to come up with one.
It seems when secure boot is not enabled all signature validation can be bypassed by malicious code one way or another if you have admin rights by changing boot settings using bcdedit and rebooting or a million other approaches given admin level access. Signature checks don't have much bite in the real world with secure boot disabled.
With secure boot enabled any effective bypass of driver signature validation is a security bug. Since only kernel's trusted databases are used for driver signature validation (regardless of secure boot setting) cross signing to MS is redundant. This is especially true given the blessings seem to be superficial at best and probably nearly fully automated given cross signing does not currently cost money.
Most likely reason for MS to do this I've been able to come up with is that without MS control anyone who develops a kernel driver and gets it signed by one of the supported CAs can break out of a Microsoft walled garden on systems where secure boot is being enforced against the user.
Even if you believe any and all measures to lock down kernel access improves security and therefore unconditionally good regardless of any other considerations... I still fail to see how any actual locking down is being accomplished here as the MS blessing is superficial and adds nothing. Any malicious actor able to develop a kernel driver and obtain an EV cert is almost certain to also obtain blessing of Microsoft.
The only "benefit" seems to be MS getting a vote to stop execution of drivers paving way for restricting usermode execution against users. (See Windows RT and Windows Phone)
From Microsoft's FAQ: "Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers"
In other words, disable secure boot and it's business as usual.
From my point of view, this increases security for the vast majority of users who just buy a computer in a store and need to be protected from themselves. If you don't know enough to disable secure boot, you probably have no business installing unsigned kernel mode drivers anyway. But if you do, you can.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
I see nothing wrong with this. If anything it will force manufacturers to get their sh*t together and stop releasing buggy half baked drivers.
For God's sake, read the article you quoted! The vulnerability is an escalation privilege attack, i.e. somebody could get arbitrary admin rights on a computer with TrueCrypt installed. For 99% of computers, if an evildoer has already breached to that point, there's a million other horrible things they could do. The vulnerability DOES NOT, I repeat, DOES NOT endanger any encrypted files.
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607
Trust me, as a driver developer, this has been causing me an immense amount of headaches, and Windows 10 is only part of the story.
But the blog entry has a key detail which nobody here seems to understand. Existing Drivers signed by a certificate that was issued prior to July 2015 will still be accepted by the kernel. What this means is that the new rollout is not going to cause the entire ecosystem of Windows legacy drivers to implode. If they were signed correctly for 64-bit Windows before, they will continue to work on Windows 10. Really, truly, I've tested this myself on preview editions of the Windows 10 AE
Where you get screwed is when a vendor needs to update a driver going forward. Then things get to be hairy. Logistically, signing became much harder, everything from obtaining a certificate to performing the actual signing. Pain. In. The. Ass.
Our company just released an update of our product just under the wire of when our legacy "gets a free pass" certificate expired so that we'd have some runway to incorporate the new driver signing nightmare into our tool chain. So we're good up until the next showstopper bug comes along, which fortunately is rare. You'll be able to use our latest release just fine on AE, even though it didn't get signed by Microsoft.
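A way to see which loaded drivers on a given machine fall under the rules discussed in the comments above (the FAQ conditions, the July 2015 certificate cut-off, and the sigverif-style check), as an added PowerShell example that is not from the thread or from Microsoft. The default cut-off date and the `O=Microsoft Corporation` subject match are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the machine being assessed.
param(
    # Assumption: the comment says certificates "issued prior to July 2015" stay
    # accepted; set this to the exact date given in the Microsoft blog post.
    [datetime]$CutOff = '2015-07-01'
)

# Confirm-SecureBootUEFI throws on legacy-BIOS systems or without elevation,
# so an error is reported as "unknown" rather than "off".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $null }

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if ($drv.State -ne 'Running' -or -not $drv.PathName) { continue }

    # Normalise the NT-style prefixes that PathName can carry.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Covers embedded and catalog signatures; only the primary signature is
    # returned, so a dual-signed file is judged by its first signer.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate

    # Heuristic (assumption): a signer whose subject names Microsoft Corporation
    # is treated as Microsoft-signed; everything else is a vendor signature.
    $class = if ($sig.Status -ne 'Valid' -or -not $cert) { 'Unsigned or invalid' }
    elseif ($cert.Subject -match 'O=Microsoft Corporation') { 'Microsoft-signed' }
    elseif ($cert.NotBefore -lt $CutOff) { 'Vendor cert issued before cut-off' }
    else { 'Vendor cert issued after cut-off' }

    [pscustomobject]@{
        Driver = $drv.Name
        Class  = $class
        Signer = if ($cert) { $cert.Subject } else { '' }
        Issued = if ($cert) { $cert.NotBefore } else { $null }
        Path   = $path
    }
}

"Secure Boot: $(if ($null -eq $secureBoot) { 'unknown' } else { $secureBoot })"
$report | Group-Object Class | Select-Object Count, Name | Format-Table -AutoSize

# These are the drivers to re-check before a fresh install with Secure Boot on:
# no valid signature, or a vendor-only signature from a certificate newer than
# the cut-off.
$report |
    Where-Object Class -in 'Unsigned or invalid', 'Vendor cert issued after cut-off' |
    Sort-Object Class, Driver |
    Format-Table Driver, Class, Issued, Path -AutoSize
```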
Did you check that link before you posted it? I'm getting page not found errors on it. (kind of ironic)
Sounds plausible to me, but to answer GP:
I don't think Intel and AMD have anything to do with this, as it is a move by Microsoft to demand signing of Windows drivers. CPU design is not really involved here, although the goals of this move may have some overlap with the goals of introducing TPM.
Also, both Intel and AMD have so far been reasonably supportive of Linux development, which suggests they are not trying to help Microsoft control all PC hardware.
This said, people who have an interest in tinkering with their OS should probably switch to Linux or BSD entirely instead of trying to somehow keep Windows from locking them out.
C - the footgun of programming languages
As an owner of a computer service company who works on everything from residential to multinational corporation computers, I can say that I have not run into driver based kernel space malware more than a couple of times since I started my company in 2001.
This will not prevent hardware makers from releasing buggy drivers. It has absolutely NOTHING to do with the quality of the driver.
This is simply a means to force consumers to purchase NEW hardware to replace their old reliable still working fine piece of hardware because there is no longer a driver for it. It is simply a way for MS and their partner hardware manufacturing companies to separate consumers from their money.
I really doubt that's it. The next version of Windows 10 includes a provision to kill off the ability to disable certain "features" (or more specifically, annoyances) and it would make sense if they want to enforce that, and things like telemetry, by banning CA signed drivers.
This is a complete non-issue for anyone that actually needs to run unsigned drivers.
Hobbyist developer: Disable the setting in your machine, unsigned drivers work fine.
Business with obscure/legacy hardware: Generate your own signing key pair, sign the driver yourself then push your public key to all users machines by GPO.
Real driver dev: Generate local signing keys for test, get key from MS and apply to WHQL for release.
This is a security setting that is on by default, but easily disabled or worked around by anyone with the knowledge to safely do so.
No. If that were the goal, then it would merely require that drivers be signed by the machine's admin or whatever parties they have signed as delegates, not such a distant third party as Microsoft.
"Believe me!" -- Donald Trump
Drivers as a source of viruses? Talk about unreasonable. The fact that Microsoft is Hollywood's BITCH is far more plausible.
A Pirate and a Puritan look the same on a balance sheet.
Just who are you trying to kid? Do you know who you're talking to? A rootkit doesn't need anything quite that low level.
This entire approach to the "problem" is like putting a band-aid on a bullet wound after the victim has already been shot full of holes. He never should have gotten shot to begin with.
A Pirate and a Puritan look the same on a balance sheet.
...and all of that is unadulterated bullshit. The underlying operating system is FAR more dangerous because it's a piece of shit engineered to spy on the user. It's always been a piece of shit because Microsoft always puts marketing and other "business" objectives ahead of the product (far ahead). The only reason anyone uses their virus infested product is because they managed to corner the market in the days of MS-DOS.
The fact that the OS is swiss cheese is far more of a problem than "the user making the wrong choice".
If you've gotten to the point of showing such obvious contempt for the end user then you're doing it wrong.
A Pirate and a Puritan look the same on a balance sheet.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
Actually the GP is right, and Microsoft calls it out themselves:
To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy.
Besides, the only way to install kernel mode drivers is to be running as administrator. If malicious code is allowed to run on your computer with administrative credentials, you're already screwed in any number of ways. Installation of a kernel driver is just one avenue.
I see nothing wrong with this.
I see everything wrong with this. Microsoft is now dictating what software can be run on my computer. That alone is enough of a reason to vehemently reject this, but think also of the F/OSS software impacted. There are plenty of software tools out there which run a driver as part of their operation and not all of these will want to or be able to get their drivers signed.
I have been trying to decide lately if I'll ever bite the bullet and move from Windows 7 to Windows 10, or if I'll start looking at migrating to Linux. The decision just got a lot easier.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
That's a really nice [graphics|printer|pointer|raid] driver you've got there.
Would be a shame if something ... happened to it.
-=This sig has nothing to do with my comment. Move along now=-
I was talking to an anonymous coward. Most rootkits I've dealt with intercept file-system calls to hide the files and the signature of the modified file. That requires kernel-level access. And they've usually been a modified ntfs.sys - tell me that's not kernel-mode. Sometimes kbd.sys.
FYI - you don't need Kernel-level drivers to do that. It helps but it's not necessary; there's enough hooks into the kernel from user-space it can be done in userspace without issue.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)