4 replies to this topic

[Olof Lagerkvist]

The current method up to Windows 8.1 uses a cross-signing certificate trusted by Microsoft that, together with a company certificate, can sign a new driver such that it will be accepted and loaded by Windows kernels. Beginning with Windows 10 however, a quite different approach will be used and a lot more verifications and costs will be required to get a driver signed.

 

http://blogs.msdn.co...windows-10.aspx

 

In short, each new driver will need to:

1. First, be digitally signed with a software signing certificate that has gone through an Extended Verification process. Such certificates take longer time to get, are more expensive and requires further verification of company registration documents and similar.
2. Then, the driver needs to be sent to a web portal to be signed by Microsoft to verify that the certificate used in step 1 has not been withdrawn for whatever reason.

To use this web portal for signing, a company needs to first have been registered at Windows Dev Center Hardware Dashboard. They only accept certificates from Symantec, so my good old GlobalSign certificate is no good for it. Also, even if you could register the company there with an old Symantec Class 3 certificate, the web portal will refuse to sign drivers for Windows 10 until a Extended Verification certificate has been used to identify the company. So essentially all driver developers, it is time to buy a new and more expensive certificate...

 

There is some "legacy support" thing that "relaxes" this requirement for a while though.

What about existing drivers?  Do I need to re-sign these drivers to get them to work with Windows 10?
No, existing drivers do not need to be re-signed.  To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10.

 

This is interesting, because it means that one can use an old certificate to sign now before Windows 10 is finally released and that those drivers will load on final version of Windows 10 as well.

 

Then about testing, it looks like test signing will be accepted in a similar way as with earlier Windows versions.

[Wonko the Sane]

I guess that by the time Windows 15 will come out any driver developer will need to be personally introduced to Satya Nadella and submit no less than two letters of recommendation of which at least one must come from any among a member of a Royal Family, an ex-president of the US or from a billionaire cited at least three times on either Fortune or Forbes.

Additionally a bail guarantee for US$ 1,000 per byte of the .sys file will need to be provided, non-cumulative, for each release of the driver, redeemable three months after the developer proves that the specific version has been replaced on all machines automagically by the additional, compulsory service, integrated in Windows Update, which will however have a cost of 3.00 (three) US$ per copy delivered.

 

The good news being that both .inf and installers will be exempted.

 

Wonko 

[v77]

To use this web portal for signing, a company needs to first have been registered at Windows Dev Center Hardware Dashboard. They only accept certificates from Symantec, so my good old GlobalSign certificate is no good for it.

Symantec? I can see here that there is also DigiCert. And it's likely a matter of time to see other companies that do it. As long as there is money to make, you will find a "service".
So, if you wait a bit, you will probably find a less expensive certificate.
I think it is urgent to wait...

Anyway, it is obvious that all this has nothing to do with the security. Even now, who will be fool enough to build a driver just for putting a malware on some machines, when a simple batch file can be as destructive?
Coincidentally, I have read that they plan to remove the Win32 API in some years. Of course! We can already do almost everything with it, this is a big problem for a company that wants to have a total control on our machines.

[Olof Lagerkvist]

Symantec? I can see here that there is also DigiCert.

No, that's just for the code signing. For registering the company for using the web portal, a Symantec certificate is needed and without the web portal you cannot complete the last step for signing the driver online.
https://sysdev.micro...ardware/signup/
 

The Symantec Authentication will be analyzed and the company name and ID number will be extracted from the file. Detailed instruction are in the readme when you download Winqual.exe.

You download a file and sign it with your Symantec certificate and upload it again to confirm that you can sign with a valid Symantec certificate. Other certificates that could be used for code signing in other scenarios are not valid for this step.

[Brito]

Great, even more difficult and expensive to get drivers loaded.

 

Even now, who will be fool enough to build a driver just for putting a malware on some machines, when a simple batch file can be as destructive?

 

Actually, what malware guys have been doing is to install certified driver files that have exploits. This way you can install a useless driver that gets loaded and then raises your privileges to do whatever intended: https://www.scaprepo...&relationId=781

 

Doesn't seem fair that normal developers have to pay so much money and go through such hassle. I might as well adopt a similar approach and get things done.