X64 Windows Vista to require signed drivers

With little fanfare, Microsoft just announced that the X64 version of
Windows Vista will REQUIRE all kernel-mode code to be digitally signed. The
details are here:
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx. This is
very different than the current WHQL program, where the user ultimately
decides how they want to handle unsigned drivers.

Vista driver developers must obtain a Publisher Identity Certificate (PIC)
from Microsoft. Microsoft says they won’t charge for it, but they require
that you have a Class 3 Commercial Software Publisher Certificate from
Verisign. This costs $500 per year, and as the name implies, is only
available to commercial entities.

This change in Vista will effectively kill any open source kernel modules,
since individual developers are unlikely to obtain the required Verisign
certificate. I’ll give Microsoft the benefit of the doubt and assume this
isn’t their intention, but clearly, it will be the effect. I know NTDEV
isn’t particularly supportive of open source, but you don’t need to buy into
Stallmanism to see the problem here.

If Microsoft controls who can write software for Windows, Windows is no
longer an open platform. If Microsoft gets away with this for drivers, what
will stop them from imposing signing on applications some day? I don’t see
that happening soon, but you never know what .NET 5.0 will bring. Say that
it’s being done in the name of security, and a lot of users will simply nod
their heads and go along with it.



See the OSR Online article on this topic: http://www.osronline.com/article.cfm?article=435

I personally think the policy of requiring X64 drivers to be signed to be loaded is wrong-headed. At a time when Microsoft should be concerned with promoting the X64 platform, a program like this seems to make it MORE difficult to adopt the platform (cuz, if the software I need isn’t signed, it’s not likely that I’m going to be moving to X64).

While I personally don’t like the new policy for X64, I think that your post makes some odd – and incorrect – points. Specifically:

This just doesn’t make any sense. I don’t see anything in the Microsoft program that does anything to harm the open source movement. Folks can continue to share source code – However, the supplier of the module to an end-user customer will have to get the executable signed.

If your point is that some high school kid that writes a driver in his room instead of doing his homework won’t be able to supply drivers to the industry, well… I think that’s probably the only GOOD thing about this Microsoft program.

Like, Windows is an open platform now?? Huh??

Peter
OSR

I also don’t agree with the current policy; it is possibly going to drive me
out of the business. I do most of my work through various contracting
firms. I don’t have a corporate entity, so even though I write drivers, and
in some cases am the Windows Kernel Software Team for some tiny companies
who pay me for the drivers and support, I have never been on WinQual.

My problem is that with the tax structure of Massachusetts, I would have
lost money rather than made it the last two (very lean years) since between
business costs and my taxes as a corporate entity I would have gone negative
on my income. I suggest to my customers to go the Verisign route, but most
of them balk saying we don’t want to give you our key, get your own. I have
talked to folks I contract through, and they say sure you can use our key,
as long as we own all the drivers you write.

For four years I have been complaining about this to Microsoft. I point out
I have secure access to the Windows source and this does not require
Verisign, so why should driver signing and getting driver bug reports
require it. At every conference since 2002 they have promised to look into
this, and when I query this a few months later they say, just get
incorporated. When I point out the hidden costs, they go “we did not know
that” and promise again, and so the cycle continues.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Another thing I really love about the new policy is the ways to override it
as a developer:

· Attaching a kernel debugger. Attaching an active kernel debugger
to the target computer disables the enforcement module in Windows Vista and
allows the driver to load.

· Using the F8 option. An F8 boot option introduced with Windows
Vista, “Disable Driver Signature Enforcement”, is available to disable the
kernel-signing enforcement only for the current boot session. This setting
does not persist across boot sessions.

Well, using the debugger can impact (admittedly slightly) the way a driver
runs, so I never consider it a valid final test to have the debugger on the
system.

Of course, having to remember that I must choose an F8 boot option, and be by
the machine every time it reboots to manually do this, is going to be lots of fun.
I wonder how this will work for testing an unsigned driver needed to boot
windows? I also wonder how it will work with the WDK image provisioning and
testing an unsigned driver, gee does that mean in the middle of the
automated process, I need a program to wake me up at 2AM to choose the F8
option?


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Don,

While I’m not a tax lawyer, I do tend to follow taxation law rather
closely and thus was surprised by your assertion. Further, the MA
Department of Revenue web site seems to disagree
(http://www.massdor.com/rul_reg/tir/tir_97_8.htm). Admittedly there is
a cost associated with creating an LLC (MA is expensive - $500) but
there are no tax ramifications to such an entity (assuming it does not
choose to be treated as a corporation.)

*I* am horrified by Microsoft’s decision to exclusively choose Verisign
(in the past, we’ve used Thawte for code signing certs, but apparently
some large number are more equal than other large numbers, for whatever
reason.)

However, this has become very off-topic for the forum, and this becomes
another cost of doing business in the Windows space - much like
subscribing to MSDN each year. And even if you ignore it for the Vista
timeframe, this probably won’t be an option for Longhorn server given
Microsoft’s announcements about dropping 32-bit support for most of the
reasons people BUY servers (e.g., Exchange will be 64-bit only.)

Bottom line: be prepared for signing your drivers. Don’t count on
Microsoft changing the policy, their exclusive arrangement with Verisign
or any other aspect of this policy decision. If Microsoft requires
Verisign, and Verisign suddenly decides that in order to get a cert from
them you have to incorporate in Belize, you basically have *no choice*
in the matter. If this policy doesn’t work for you, I fear you’ll have
no choice but to leave the space. While I think this stinks of
anti-trust problems, Microsoft’s lawyers have already determined that
this is ok.

Drivers cause tremendous problems for them, so perhaps Microsoft’s goal
is to “squeeze out” more people from writing a driver. (I’ve heard the
security arguments and am not persuaded - look at how trivially easy
people have found it to work around the patch guard code.) Of course,
if they REALLY wanted to improve driver quality, they’d require some
sort of certification for driver writers (you can be certified to
administer Windows systems, but not to write drivers for them) before
you are allowed to get your very own cert. Then you’d sign your
drivers when you decided they were wrong.

I think of it along the lines of how engineers certify drawings - they
might work for a firm but it is the *engineer* who applies his stamp to
the drawings. If we did the same thing for drivers, people would take
this a lot more seriously - they’d be staking their own professional
reputations on the drivers that they write.

Not going to happen anytime soon, though.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Saturday, January 21, 2006 12:51 PM
To: ntdev redirect
Subject: Re:[ntdev] X64 Windows Vista to require signed drivers

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

>>This change in Vista will effectively kill any open source kernel
>>modules, since individual developers are unlikely to obtain the
>>required Verisign certificate.
>
>This just doesn’t make any sense. I don’t see anything in the
>Microsoft program that does anything to harm the open source
>movement. Folks can continue to share source code – However,
>the supplier of the module to an end-user customer will have to
>get the executable signed.

Few open source developers will qualify for the Verisign cert, and fewer
still will fork over $500 a year to get it. That comes pretty close to
killing open source kernel code right there. Further, a key benefit of open
source is that everybody is free to modify the code and run their modified
version.

>If your point is that some high school kid that writes a driver in
>his room instead of doing his homework won’t be able to supply
>drivers to the industry, well… I think that’s probably the only GOOD
>thing about this Microsoft program.

Hey! I resemble that remark! :-) 25 years ago I was a kid writing
software in my bedroom (on a machine with an 8-bit CPU and 48K of RAM).

In all seriousness, I have two objections to your statement…

First, it’s not Microsoft’s place to decide that kids in their bedroom
shouldn’t be able to “supply drivers to the industry”. That’s a choice for
the free market to make. I’m not saying that high school hackers are a good
source of quality drivers – I’m saying it’s not up to Microsoft to make
that decision.

Second, everybody should have the right to run software of their choosing on
their own machine. It isn’t Microsoft’s computer – it’s mine. I paid for
it. The OS shouldn’t dictate what software I’m allowed to run. I think the
current WHQL program is reasonable – it forces people to think about
loading unsigned drivers, but leaves the ultimate decision with the owner of
the computer.

>If Microsoft controls who can write software for Windows,
>Windows is no longer an open platform.

>Like, Windows is an open platform now?? Huh??

Yes, Windows is currently an open platform. Microsoft made this claim a lot
during their antitrust trial (e.g.
http://www.microsoft.com/billgates/columns/oped/11-10wsjoped.asp).

“Open platform” means anybody can write programs that run on Windows.
Contrast that with video game consoles, cable TV boxes, or cell phones,
where the platform vendor decides who is allowed to write software, and what
software they’re allowed to write.



Tony,

My town taxes LLCs as business property; this means the building (my
house) and the capital equipment. At the moment we have a single tax rate,
but that is likely to change. I am friends with the tax assessor; she
estimates I would only take an 8K tax hit. Then throw in the LLC cost, and
the accountant cost, and this is getting pricey.

Now the real problem is, I and a number of people I know enjoy the ability
to work for ourselves, while not having to deal with the joys of the accounting
and other PITA things. Of course, to do this I put up with giving something
off the top to various firms and agencies I run my contracts through. But
since I bring them customers (not normal, but I’ve done it several times) I
can negotiate a very good rate, since they know I and the customer can pick
up and go elsewhere.

I only know a couple of other driver writers who do this, but lots of
other developers choose this model. Basically, Microsoft’s decision
threatens the way I do business.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


>While I think this stinks of anti-trust problems, Microsoft’s
>lawyers have already determined that this is ok.

Would those be the same lawyers who signed off on activities that later got
Microsoft convicted of anti-trust? I wouldn’t assume that Microsoft is free
and clear. I could see somebody bringing legal action – it doesn’t take
much to file a lawsuit these days. That might not even be required – all
it may take is filing a complaint with the judge overseeing the consent
decree. And what about the EU? They already have Microsoft in their
crosshairs.



“Mr. GUID” wrote in
message news:xxxxx@ntdev…
>
> Few open source developers will qualify for the Verisign cert, and fewer
> still will fork over $500 a year to get it. That comes pretty close to
> killing open source kernel code right there. Further, a key benefit of
> open source is that everybody is free to modify the code and run their
> modified version.
>

I will generalize what you said. Microsoft has said that an individual can
no longer ship a driver for the general populace except through a
corporation. Basically, they are barring outright the ability of the
individual programmer to ship for pay or for free. Personally, I view this
as a very poor policy.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Interesting comments, and well thought out, a431cc41-4147-4027-bbdb-ded89ff92775 (do me a favor and change the name you use on the forum… it’s just too long).

There IS one good thing about a policy that would require drivers to be signed: When a customer gets a driver package, they know (a) who it’s from, and (b) that the driver and INF have not been modified since release. Of course, this would be accomplishable by simply requiring the driver be SIGNED, not signed under certain constraints and in a certain way, as currently defined by Microsoft.

I agree. That’s a very good point. There should be a global way for a customer to bypass this.

Wanna bet there’ll be a way for corporations to bypass this by locally signing drivers with their domain’s certificate and pushing a group policy? I hasten to add that I DO NOT have any information that indicates this is the case, but I bet it’s going to be the eventual outcome. If J-Random-Big Incorporated decides to deploy about 10,000 64-bit Windows graphic workstations, and one of the drivers they need doesn’t happen to be signed, I’m thinkin’ some bypass policy gets implemented by Microsoft rather quickly.

Are you missing my point? So, Charlie the Computer Whiz goes home and wanders to his bedroom to make some earth-shattering modifications to – I don’t know – SOME X64 only driver. He releases this onto the world. Nobody but other devs who have debuggers hooked up can load it. This is only a good thing in my opinion. Some company picks it up to include in their suite of X64-related Windows shite. This COMPANY signs it. Charlie doesn’t need a Verisign ID.

Don, you know I respect you. ANYthing is possible, but this policy having ANY impact on your business is highly unlikely. You write drivers for hardware manufacturer Z. THOSE guys sign the driver, not you.

Don, with all due respect, I think you’re seriously misguided and STRONGLY urge you to get a good tax attorney. Not your family lawyer. Not your uncle’s friend’s cousin’s brother who took a few tax courses. Not your accountant. A real, bona fide, tax attorney.

If you do, I think you’ll find you’re wrong about a lot of your assumptions.

(a) As Tony pointed out, if you’re an LLC, you can choose to have your income passed through to you just like a sole proprietorship.

(b) There is no reason on God’s Green Globe that your HOUSE would be considered business property. In fact, the IRS regs – and your town – probably won’t ALLOW you to consider your house business property (is your house in an area that’s zoned commercial?). You own the house personally (just like I own my house). Your business owns whatever property it owns. Yes, if you live in a residential zone, depending on your town, you MIGHT need to bother to get yourself permission for a “home occupation”, but given that you NEVER meet customers at your home, produce no waste of any kind, etc., this is typically a formality.

Seriously, check into it. You shouldn’t be in business without being incorporated in any case, for the purpose of protecting your own assets.

But, as Tony said, this discussion belongs on the Tax Issues and Consulting usenet group, not here.

P

>Wanna bet there’ll be a way for corporations to bypass this by locally
>signing drivers with their domain’s certificate and pushing a group policy?
>I hasten to add that I DO NOT have any information that indicates this is
>the case, but I bet it’s going to be the eventual outcome. If J-Random-Big
>Incorporated decides to deploy about 10,000 64-bit Windows graphic
>workstations, and one of the drivers they need doesn’t happen to be signed,
>I’m thinkin’ some bypass policy gets implemented by Microsoft rather
>quickly.

This sounds like Authenticode signing, which is already supported in Windows
Server 2003. The problem is it’s only enforced when a PnP driver is
installed, not when the driver is loaded. Enforcement at load time is more
difficult. All the certificate store API’s are in user-mode, so the kernel
can’t easily validate an arbitrary root certificate. In the scheme proposed
for Vista, the kernel only needs to carry a copy of Microsoft’s public key.

>Few open source developers will qualify for the Verisign cert, and fewer
>still will fork over $500 a year to get it. That comes pretty close to
>killing open source kernel code right there.

>Are you missing my point?

Perhaps we are talking past each other on this point, but I’d like to give
it another try.

>So, Charlie the Computer Whiz goes home and wanders to his bedroom to make
>some earth-shattering modifications to – I don’t know – SOME X64 only
>driver.

I’ll stipulate that Charlie probably isn’t writing a driver for a physical
piece of hardware. More likely he’s writing a filter or some kind of
kernel-mode service. Scary as it sounds, maybe he’s writing a file system.
Either way, it doesn’t really change the principles involved.

>He releases this onto the world. Nobody but other devs who have debuggers
>hooked up can load it. This is only a good thing in my opinion.

I’m very conservative about what I run on my production machines, and I
probably wouldn’t load Charlie’s driver. However, I absolutely reserve the
right to do so. This is about the freedom to use one’s own computer, and
who gets to decide what’s a “good thing” or not.

>Some company picks it up to include in their suite of X64-related Windows
>shite. This COMPANY signs it. Charlie doesn’t need a Verisign ID.

For most open source projects there is no “company” – there’s just Charlie
posting his code on SourceForge.



Yeah…

Precisely! And I’m all for authenticode signing. That’s exactly what I was talking about, in place of this misbegotten policy.

You say load-time authenticode validation can’t be done easily. We must have different ideas of the meaning of “easily” – Calling out to user-mode when a driver’s loaded isn’t likely to be TRIVIAL, but by the same token, consider that this is precisely how most anti-virus programs work (intercepting the file open, and passing the file spec to a user-mode scanning program). Given the frequency with which drivers are loaded, it’s not like this is a high-performance path.

I could give you the names of at least a half dozen devs in 26 or 28 that’d be up to the task. If they’re too busy keeping themselves out of bug jail, I’m sure Don would be happy to write the code… for a very reasonable fee :-)

P

>You say load-time authenticode validation can’t be done easily.
>We must have different ideas of the meaning of “easily” – Calling
>out to user-mode when a driver’s loaded isn’t likely to be TRIVIAL,
>but by the same token, consider that this is precisely how most
>anti-virus programs work (intercepting the file open, and passing
>the file spec to a user-mode scanning program). Given the frequency
>with which drivers are loaded, it’s not like this is a high-performance
>path.

I think signature enforcement is more difficult than AV scanning. I’m not
saying it can’t be done – just that it presents some unique challenges.
The big problem is that driver loads need to happen long before Win32
starts. Microsoft even plans to have ntldr verify signatures of boot
drivers (that’s why boot driver .sys files need to be signed directly, and
not just referenced in a catalog). I suspect that the only way to robustly
support Authenticode in the kernel is to support it IN the kernel.



I assume that for testing purposes you can still install test root
certificates on your test systems and sign your drivers with your own test
signatures. I could be wrong of course, but I would be surprised if that
were not the case.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Saturday, January 21, 2006 1:23 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] X64 Windows Vista to require signed drivers


Maybe I can add another point to this discussion that hasn’t yet been
voiced.

I am a software engineer for a small consulting company. Device drivers are
not our business. In fact, it is just something that I started to learn
because I think it is interesting.

Any device driver that I write will likely be just for personal use, like a
small USB or PCI IO interface to do some simple things for a demo or
whatever.
It would be perfectly normal for me to want a driver or kernel service to be
loaded on my system for whatever reason.

Maybe this does not seem important to professional developers, but for
people like me it can become really problematic. Why shouldn’t I be able to
do this in a normal way?

And even if it was just a one time cost I could understand (like a vendor
ID), but now you have to keep paying each year. For some of us, this is
difficult to justify with our bosses. (Not to mention having to explain why
we need to do business with Verisign.)

Kind regards,
Bruno.

>Precisely! And I’m all for authenticode signing. That’s exactly what I was
>talking about, in place of this misbegotten policy.

I am for authenticode with my own signature, but not Microsoft’s one.
Apparently, there is a guy or two in Microsoft pushing their stupid ideas
about driver signing.

There’s absolutely no point to check driver signatures at boot time, when
the root certificates are not available. The signatures should be checked
while the drivers are installed. Installed drivers should be hashed and the
checksums stored somewhere. At boot time, Windows just re-checks the
checksums not bothering with signatures.

One can say that someone can hack the checksums stored. Well, if one can
hack the checksums, they can easily hack the code that validates the
signatures, too.

My guess is, the Microsoft/Verisign monopoly’s idea of signing drivers with
their own signatures is nothing more than an attempt to suck out hundreds of
dollars a year from developers. Just another way to get money flowing in.


http://www.cristalink.com

wrote in message news:xxxxx@ntdev…
Yeah…



Precisely! And I’m all for authenticode signing. That’s exactly what I was
talking about, in place of this misbegotten policy.

You say load-time authenticode validation can’t be done easily. We must
have different ideas of the meaning of “easily” – calling out to user-mode
when a driver’s loaded isn’t likely to be TRIVIAL, but by the same token,
consider that this is precisely how most anti-virus programs work
(intercepting the file open, and passing the file spec to a user-mode
scanning program). Given the frequency with which drivers are loaded, it’s
not like this is a high-performance path.

I could give you the names of at least a half dozen devs in 26 or 28 that’d
be up to the task. If they’re too busy keeping themselves out of bug jail,
I’m sure Don would be happy to write the code… for a very reasonable fee
:)

P
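
The install-time-signature, boot-time-hash scheme argued for above, as an added example that is not code from any poster: ed25519 stands in for Authenticode (the assumption being that only the signature step needs certificates), the driver image and manifest are constructed, and the last step shows the weakness the post itself concedes: whoever can rewrite the stored checksum defeats a hash-only boot check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest: per driver name, the SHA-256 of the image that passed install (constructed).
type Manifest map[string][32]byte

// Install is the one-time check done while the driver is installed; ed25519
// stands in for Authenticode, whose chain walk needs root certs at boot.
func Install(m Manifest, name string, image, sig []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, image, sig) {
		return errors.New("install refused: signature does not verify")
	}
	m[name] = sha256.Sum256(image)
	return nil
}

// BootCheck is the per-boot check: hashes only, no certificates needed.
func BootCheck(m Manifest, name string, image []byte) error {
	want, ok := m[name]
	if !ok {
		return errors.New("boot refused: driver not in manifest")
	}
	if sha256.Sum256(image) != want {
		return errors.New("boot refused: image hash mismatch")
	}
	return nil
}

// Scenario runs the flow on a constructed image and key pair and reports which
// steps pass: install, clean boot, patched image, and rewritten checksum.
func Scenario() (installed, cleanBoot, patchedImage, patchedManifest bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed driver image: demo.sys build 1")
	m := Manifest{}
	installed = Install(m, "demo.sys", image, ed25519.Sign(priv, image), pub) == nil
	cleanBoot = BootCheck(m, "demo.sys", image) == nil
	patched := append(append([]byte(nil), image...), " +patch"...)
	patchedImage = BootCheck(m, "demo.sys", patched) == nil
	m["demo.sys"] = sha256.Sum256(patched) // manifest altered; hash-only check is blind
	patchedManifest = BootCheck(m, "demo.sys", patched) == nil
	return
}

func main() { fmt.Println(Scenario()) } // true true false true
```

The last result is why a real design must protect the manifest as strongly as the code that reads it, which is the symmetry the post's second paragraph points at.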

>

“Mr. GUID” wrote in
> message news:xxxxx@ntdev…
> >
> > Few open source developers will qualify for the Verisign cert, and fewer
> > still will fork over $500 a year to get it. That comes pretty close to
> > killing open source kernel code right there. Further, a key benefit of
> > open source is that everybody is free to modify the code and run their
> > modified version.
> >
>
> I will generalize what you said. Microsoft has said that an individual can
> no longer ship a driver for the general populace except through a
> corporation. Basically, they are barring outright the ability of the
> individual programmer to ship for pay or for free. Personally, I view this
> as a very poor policy.

Would the following scenario be feasible:

1. Someone develops and provides an UNSIGNED device driver (open source or not) to a company.
2. The same developer provides all support, scripts or even a program that calls the signing tools, to
the company.
3. If the company has a valid code signing certificate, signing of the “just purchased” driver is a 5 minute
job.
4. If the company has NO valid signing certificate, they buy one for $500 and sign the driver with it.

Reaction appreciated …

Christiaan

>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@compaqnet.be
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

This will only shift the problem. Nobody is going to provide 3rd party
signing out of the kindness of their hearts. So instead of paying per year,
you’ll pay someone else per signature.

And then it might not even be legal to do this. It could be against the EULA
that you no doubt have to agree to before getting the PIC.

kind regards,
Bruno.

“Christiaan Ghijselinck” wrote in
message news:xxxxx@ntdev…

I suggested this to a customer who I wrote a driver for (this wasn’t even to
sign, it was just for WinQual access). Now one of the things I do is provide
drivers for customers who can best be described as almost non-technical;
they can do a little “C”, some Visual Basic and that is about it. What my
customers want is access to something that is easy to do in the kernel, and
hard or impossible in user space.

Anyway I pointed the customer at WinQual; they came back confused enough to
tell me to do it. I said I would need their VeriSign ID, but Verisign
emphasises that this is your identity, keep it safe, so the customer was
terrified of giving it to me. End result: they are shipping a driver, I’m
supporting it, but no WinQual data on failures ever gets accessed.

Note for a number of these folks, the price I charge is small enough that the
cost of changing my business practices to have the Verisign ID would make
the cost to them impractical. In a couple of cases, the work I have done was
to replace what was close to a malware approach, because they found a hacker
who had an approach like hooking to do what already has a blessed approach.

“Christiaan Ghijselinck” wrote in
message news:xxxxx@ntdev…

And you are missing the other problem. Part of the reason to have the ID is
to log on to WinQual and find out that your driver is crashing. Microsoft
reports this for all drivers whether signed or not. One wonders how many
crashes would be cleaned up, if the small companies and third party
developers had access to the data on their drivers.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Bruno van Dooren” wrote in message
news:xxxxx@ntdev…