OSR Dev Blog:Only Signed Drivers To Run on Vista X64

Everything Windows Driver Development

Sat, 25 May 2013 98615 members

About This Site
What's New?
OSR Dev Blog
The NT Insider
The Basics
File Systems
Downloads
ListServer / Forum
Driver Jobs
Store


	Express Links

	·	WdfSend: Are There REALLY Three Useful Variants?
	·	Turning a Breakpoint into a Busypoint
	·	Investigating a NULL Pointer Dereference
	·	Understanding WDFMEMORY Objects
	·	Using WinDbg to hunt for strings

OSR DEV BLOG

Only Signed Drivers To Run on Vista X64
Hector J. Rodriguez | Published: 19-Jan-06| Modified: 19-Jan-06
In the latest shocker to hit the driver development community, it seems that Microsoft has decdied that only signed drivers will be loadable on 64-bit Windows Vista systems.

In a paper released today (19 January) on the WHDC website Microsoft indicated that for Windows Vista "unsigned kernel-mode software will not load and will not run on x64-based systems." This is in addition to the fact the users without administrator privilege, on any Vista system (32-bit or 64-bit) will not be able to load unsigned drivers.

These announcements, which took most of the driver development community by surprise, follow closely last month's announcement that KMDF would not run on Windows 2000 systems. While the KMDF decision is being "reconsidered" according to Microsoft sources, we can't imagine the same happening for Vista driver signing.

Note that Microsoft's statements do not mean that drivers must pass WHQL testing to be loaded. While getting the Design For Windows logo by passing the WHQL tests is one option, developers can obtain a Publisher Identify Certificate (PIC) from Microsoft and use that to sign their code. Prerequisite to obtaining a PIC is an organization having a Class 3 Commercial Software Publisher Certificate issued by Verisign. What? Your org doesn't use Verisign for their PKI infrastructure? Apparently that's just too bad. The necessary certification is only $500 (valid for a year), which shouldn't present a burden for most companies.

With bombshells like this one being dropped only months before Vista's release, we can't wait to see what the next few months will bring.

User Comments
Rate this article and give us feedback. Do you find anything missing? Share your opinion with the community!
Post Your Comment

"It's not all that bad..."
Let's be honest. The number of people that will really *need* to install unsigned 64-bit drivers is miniscule in comparison with number of uneducated users who don't understand that double-clicking that "way cool attachment" they got via email will install rootkits on their system. If professionals can't afford $400 per year, I think they need to reconsider their business model. And for the students and hobbyists out there who don't have a budget -- just plug in the kernel debugger or hit F8 before boot.

Re: Ouch

I think you were on the wrong page. Code signing certificates are only $499/year. Take a look here:

http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html

I think Microsoft leverages Verisign's "due diligence" process to make sure some bozon virus writer won't end up with a PIC. Or at least, if they do, there will be an evidence trail leading directly to the culprit.

Re: Chilling

If you have a driver for a piece of old hardware that needs to be signed, you can buy one certificate and timestamp the file(s) you're signing, so the signature is good even after the certificate expires.

Rating:
01-Mar-06, Dan Germann

"Chilling"
I'm surprised there seems to be so much acceptance of this.

I can understand having an option to reject unsigned kernel mode code that administrators can choose to employ, but for MS to tell me what I can and can't run on my own PC...That's not right.

I've written a driver for a piece of hardware whose manufacturer is long gone. Now MS is telling me that if I want to run this driver on my PC in Vista x64, I have to pay hundreds of dollars to Verisign each year?

Be careful. The road we're on likely ends with future versions of Windows requiring _all_ code to be signed. That'll have chilling effects on open source, independent and shareware developers.

25-Feb-06, Marc Klenotic

"Only Signed Drivers To Run on Vista X64"
It sucks. Another reason MS will go into oblivion. I hate to say this but Linux is the way to go.

Rating:
22-Feb-06, John Chiu

"Signing filter driver"
That's great but what about the non-AV file system filters? We don't have a program.

Rating:
10-Feb-06, Jerry Kelley

"Ouch"
What's with the insistence on verisign?

Their certificates are far from cheap... Clicking on 'buy' presents you will a nice bill for $1,295. I pay $100 a year for our non-verisign ones that work perfectly.

btw. the only place I can find 'Class 3 Commercial Software Publisher Certificate' is in their insurance plan.. they don't appear to sell them under that name on their website.

08-Feb-06, Tony Hoyle

"Test Test Test"
Let's hope that the quality of the software tests from Microsoft that we need to pass increase too! What about making some to the tests open source so that we as Developers can develop better test and then supply the changed code to Microsoft?

Rating:
03-Feb-06, William Jones

"One more result of viral attacks on the OS"
This shouldn't really be unexpected (although the timing sucks); it's just one more way that the big M is responding to criticism about the security of the OS.

It's interesting to speculate that we'll see is an increased push by MSFT to move everyone to 64-bit hardware, whether they need it or not. They have a lot more headroom to support things like prohibiting hooking and requiring signing (and supporting the memory necessary for the new Vista UI) with 64-bit hardware.

Rating:
24-Jan-06, David Beaver