Re[2]: Driver Verifier - Code Integrity Check

+1

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@osr.com
To: “Windows System Software Devs Interest List”
Sent: 7/13/2015 1:29:39 PM
Subject: RE:[ntdev] Driver Verifier - Code Integrity Check

>
>Look: The bottom line is that until something forces us to adopt a
>change like this… stop, look into it, and make some code changes and
>learn for the future… we’re all too damn busy to follow every
>development. It’s tough to sort through the ones we DO know about just
>to decide if we care. And while we here at OSR try to do a lot of this
>sorting and parsing for the community, even if you READ about it in our
>blog or The NT Insider the info is likely to go right past you… until
>you have a specific need for that information.
>
>This NonPagedPoolNx stuff was well publicized around Windows 8.
>Remember all those confusing POOL_NX_OPTIN and POOL_NX_OPTOUT (or
>whatever they are) settings? I remember them all very clearly. Well,
>I remember very clearly being confused… and also having something to
>actually DO that had a deadline that prevented me from worrying about
>POOL_NX_SOMETHING_ELSE… And that was that. I haven’t once typed the
>term NonPagePoolNx before right now. In fact, I hadn’t given it a
>second thought until you (Mr. Roberts) mentioned it in passing last
>week here on NTDEV (“oh, yeah… NonPagedPoolNx… I should probably DO
>something about that sometime”).
>
>Is that Microsoft’s fault? Of course not. Is it OSR’s fault for not
>writing a special article in The NT Insider about NX? Of course not.
>
>You don’t care until you care. And what makes you care is needing the
>information. Forcing you to need the info is passing some test, or
>some client requirement.
>
>I can’t wait to hear people wail about Win10 Client driver signing. I
>CAN’T WAIT. “Why didn’t you guys warn me.” Right… the MINUTE
>(literally) the rules were public OSR published multiple statements on
>this. I guarantee you people will start whining in about 6 weeks when
>they try to sign their drivers. “Nobody told us. You didn’t warn
>me…”
>
>Peter
>OSR
>@OSRDrivers
>
>
>—
>NTDEV is sponsored by OSR
>
>Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
>OSR is HIRING!! See http://www.osr.com/careers
>
>For our schedule of WDF, WDM, debugging and other seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer

Agreed
On Jul 13, 2015 10:04 PM, “PScott” wrote:

> +1

I suppose a hardware blog is not appropriate for file system developers. But
if they would just post anywhere about the actual deadline and the
implications that would be nothing but fair play. In my book they are either
obfuscating the truth or it must show they are not much pretty convinced
themselves.

//Daniel

and

What Mr. Roberts said.

“All the changes” would mean WHAT, exactly. That new USB support functions were added. That the Energy Monitoring Interface (or is it the Energy Measurement Interface) has been added? That driver WPP trace messages are now saved in a circular buffer? That the driver-specific Code Analysis stuff and SDV *still work* (if you know anything about the VS 2015 compiler re-working regarding how AST generation has changed, you know this is not a trivial issue)? That there’s something new called “Modern Standby” in addition to “Connected Standby”? That there are built-in GPIO drivers and an associated GPIO namespace in C# for use by programmers on Win10 IoT? That there are new tools that make generating your own ASL methods easier?

These are just a few, a very few, of the things that I can think of in Win10 that affect driver devs… off the top of my head, after one cup of coffee on a Tuesday morning.

You see… there are an almost infinite number of changes in any given release that could be interesting and important to individual members of the driver development community.

Some people care about changes in Windows Hardware Compatibility tests and signing (it’s not called certification or even Logo testing anymore… another change). Some people care about Visual Studio (new SKUs with new functionality… Upper/Lower case menu items by default (something *I* certainly care about)… Some people care about C++ (did you SEE all the C++ 14 and 17 features that are being added?). Some people care about C# (caas… Roslyn FTW!).

All the things I listed above are public, and have been announced by Microsoft.

We TRY to cull through the vast mass of detritus and call folks’ attention to what’s changed/changing. But it’s a tough job. And it’s not like the community pays us to do it. That’s why I take serious umbrage when people complain that “OSR didn’t warn us”… I would be surprised if this doesn’t irritate our friends at Microsoft mightily as well.

There are multiple teams and hundreds of people involved in putting together what the community might think of as “changes that driver devs care about.” I just don’t see how they could even be identified (“you think they’d care about this?” “Yeah… put that on the list”), never mind all be listed in one place.

As Mr. Roberts said: “It’s a no-win situation. …we all learn about the issues
when we run up against them. That’s just the way it is.”

Peter
OSR
@OSRDrivers

The “actual deadline” is Win10 RTM. After that time, you need an EV Cert. Full stop.

So… if you want to avoid annoyance and last minute problems, you do what OSR did. The day this was announced, you applied for your EV Cert and started using it for everything possible from that day forward. Made sure your procedures were established and everything worked.

Now you have nothing to be concerned about, and whether they throw the switch today, tomorrow, a month from next Tuesday, you don’t care. Because you’re already good to go.

Any other course of action… you’re playing dice.

Peter
OSR
@OSRDrivers

At the risk of pissing off Peter again, I did want to respond to two points
on this discussion.

First there is a mention of using the latest tools, and how you can build
Windows XP drivers with the latest tools. The rule I always use is to “Use
the latest WDK that supports the earliest Windows version needed”. Now, yes
with care one can use a Visual Studio based WDK to build with XP, but
Microsoft does not officially support this model. I find this very similar
to the early C++ in the kernel arguments, this list spent a lot of time
arguing whether it was good or bad, and the final answer was never resolved
till Microsoft added real support.

At present I build projects with all the WDK’s from Windows 7 onward, the
specific WDK is dependent on the client. There are people who insist on XP,
I may think they are wrong but their customers are still using XP. There
are people who have me build with VS2012/Win8 WDK, not because of the
drivers, but because the rest of their software is currently wedded to
VS2012 and they don’t want to mix the two versions of Visual Studio.
Mostly, I use VS2013/Win8.1 and will shift to VS2015/Win10 ASAP. Unless, I
want to tell a lot of my customers to go elsewhere, I will still be using
Windows 7 WDK for a good long time.

The other point was the comparison to the Windows 10 Driver Signing. I
think this is a poor comparison since almost from the second that Microsoft
announced this at WinHEC, OSR and NTDEV have been on top of it. Search for
“Windows 10 driver signing” and you get a ton of relevant hits, including
the OSR Blog on the day it was announced. This was my real problem with the
Verifier change, not that it happened, but that it was not highlighted to
the community. At one point additions to the Verifier were a “big thing”
and were “shouted from the roof tops”. I’m hoping Microsoft will go back
to this model of communication; driver development is poorer without it.

Don Burn

Windows Driver Consulting

Website: http://www.windrvr.com

Are you SURE of that? Because I’m not. Not at all.

What does “Microsoft… officially support” mean in this case, anyhow… when we’re talking about XP? Are you saying if you find a bug in the Windows XP Build Environment in the Win7 WDK, you expect Microsoft to fix that for you because it’s “supported”? Cuz that’s obviously not going to happen.

Or are you saying that Microsoft’s on record saying “Do not build drivers for Windows XP using the Windows 7 Build Environment, using any WDK later than the Win 7 WDK.” Because I don’t believe that to be the case either.

Oh, BTW: Letting your client dictate the tools you use is not a wise path. If clients really knew the best tools to use, they would be writing their drivers themselves. Clients use consultants to benefit from their experience and wisdom in a specialized area. If best practices dictates using a different set of tools than the client may prefer, it might be inconvenient for them today… but down the road they’ll thank you. Or not. But at least you’ll have done your best for them.

Peter
OSR
@OSRDrivers

Peter,

On the question of Visual Studio based WDK’s, I have used the reference
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/dde00840-0d4d-4c57-a15c-2498d250e22c/is-windows-xp-is-not-suitable-for-windows-driver-framework?forum=wdk
where Doron indicates that KMDF 1.11 does not support XP,
and various other threads on the Microsoft forums where it is still the
recommendation to use the Win7 WDK. No, using a new WDK to support older
OS’es is not absolutely prohibited, this is why I compared this to the old
C++ in the kernel discussions.

Letting my client dictate the tools is unfortunately a fact of life.
My clients get the source, and expect to maintain it themselves. Most of my
clients these days are smaller than OSR (both revenues and employees), and
in good years have a profit less than most OSR contracts I know of. I
strongly urge them to use the latest tools, but in the end I can choose to
give them a quality driver using the best toolset I can, or having them use
things like Direct-IO or DriverX and hacking something that is unstable.
Personally, I think giving them a good driver is a better idea, not to
mention that then I get paid.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com


KMDF V1.11 does NOT support XP. You need to use KMDF V1.9… Which is entirely supported in the Win8.1 Update WDK. Target Win 7.

Having a single binary built for a later OS target has been officially supported forever… This allows you to use new features up level and not use those features down rev. That’s what you’re doing when you use KMDF 1.9 and target Win7.

Peter
OSR
@OSRDrivers

Peter, the deadline is within 90 days of RTM, just FYI, not RTM proper.


Best regards,
Alex Ionescu

Thank you, Mr. Ionescu.

As I stated, I’m just reporting what was announced at WinHEC, and have not looked into it since that time.

I’m surprised at the reaction to this over the past week. In March, I thought it was a pretty big deal, but to my surprise nobody seemed to really give a shit.

Peter
OSR
@OSRDrivers

Forgot to source my statement. “I reverse engineered the kernel” doesn’t count – but I can confirm that too :wink:

http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx

“Additionally, starting 90 days after the release of Windows 10, the portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.”

The wording here makes it seem like a portal thing, but it’s enforced by the boot loader and later CI. The 90 day period applies either on the timestamp (if you have one) or the cert’s expiry (if you don’t have a timestamp).

Interestingly, CI also checks for a special registry key which indicates if this was an “updated platform”, and allows non-EV certs if so.


Best regards,
Alex Ionescu

>The wording here makes it seem like a portal thing, but it’s enforced by
>the boot loader and later CI. The 90 day period applies either on the
>timestamp (if you have one) or the cert’s expiry (if you don’t have a
>timestamp).

Are you sure that the boot loader cannot (and will not) distinguish between
non-EV signed drivers signed by the portal and those not?

//Daniel