
Driver Signing changes in Windows 10, version 1607 - doppp
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
======
ufmace
For one of my previous employers, I was in charge of getting drivers for some
of our custom in-house hardware working on Windows 7. This hardware was never
sold on any open market, only used by company employees on company-imaged
systems. We didn't want to bother with sending the hardware off for the
standard consumer-level certification, so I was able to get a code signing
certificate from a third-party vendor and use a cross-signing certificate to
get a driver that would work.

I tried to check out this dashboard that they're talking about, but it doesn't
look like I can get it without being associated with a registered company. I
am wondering how hard it would be under the new policy to do something like
this again - what's the cheapest and simplest way to get a driver that will
work with a fully secure Windows 10 install? Including if the hardware
associated will never be sold to the general public?

It's probably moot in the particular case I dealt with, at least. I doubt the
company in question will be upgrading to 10 anytime soon, plus the hardware in
question was being slowly phased out. It used Firewire - the guy who chose
that told me that it seemed like a good idea at the time - and I had already
done the testing for the replacement device which used TCP/IP over Ethernet
instead.

But I still wonder if it's getting gradually harder to do anything with any
kind of custom hardware without already being part of a multi-billion dollar
company that's willing to invest millions of dollars in getting hardware and
drivers properly certified.

~~~
paploopi
Yet another reason to use Linux/BSD. Literally anything but Windows.

~~~
ksk
>Literally anything but Windows.

While in the case of general software that would be true, its not really
useful to do that in the case of drivers because someone has to maintain the
source code across kernel ABI/API changes. Its just easier on Windows.

------
MilnerRoute
There were some good points about this on Slashdot. The biggest one is that it
costs at least $1,000 to get a driver certified by Microsoft. (And someone
also suggests that it's really only open to organizations and not individual
developers.) So this could change things in ways we haven't foreseen....

[https://tech.slashdot.org/story/16/07/31/2146234/all-
windows...](https://tech.slashdot.org/story/16/07/31/2146234/all-
windows-10-kernel-mode-drivers-must-be-digitally-signed-by-microsoft)

~~~
Someone1234
The $1000 figure has nothing to do with Microsoft, and will fall.

At the moment there are two kinds of commonly available certificates, EV
certificates, and non-EV Code Signing certificates. But rarely do the two
meet.

This scheme, per the Secure Boot standard, requires an EV Code Signing
certificate which as of the time of writing is only sold by five vendors.

In the future as these become more in demand we should expect to see prices
fall. The requirements to get any EV certificate are the same, and flagging it
for code signing is free, so there's no real reason any EV certificate cannot
also be a code signing certificate.

I doubt it will fall below $100-200 ever however, as that is how much EV
certificates cost and the process is similar.

edit: DigiCert already sell them for $224-165/year:
[https://www.digicert.com/friends/sysdev/](https://www.digicert.com/friends/sysdev/)

------
jbb555
Getting less and less able to run what we like on our own machines without
someone elses permission...

~~~
bramblerose
There is nothing stopping you from running your own drivers, but you either
have to turn safe boot off [1], or you have to test-sign the driver [2]. This
is a completely reasonable change for 99% of users (because it will stop them
from installing a malware driver), and there are well-documented ways around
it for the 1% of users that need to side-load drivers.

[1] OP, under 'How do I sign drivers during development and testing?'

[2] [https://msdn.microsoft.com/en-
us/windows/hardware/drivers/in...](https://msdn.microsoft.com/en-
us/windows/hardware/drivers/install/signing-drivers-during-development-and-
test--windows-vista-and-later-)

~~~
Lan
I disagree. I think Microsoft's current driver policies are unreasonable. Most
end-users don't want to run their PC in testing mode, and will look for an
easier way around it. This has a negative effect on free and open-source
software. For example, there is software out there that allows you to use
Playstation 3 controllers with your PC. In the past, there were pretty much
two software solutions for Windows. One driver was unsigned, and the other was
signed. Many people used the latter because it was much easier to get working.
The problem is that it also installed alongside Chinese malware. Driver
signing didn't save anyone there. If anything, it made the issue worse.

~~~
sievebrain
Free and open source software can still be signed.

~~~
IshKebab
Not really if it costs $1000.

~~~
Someone1234
It doesn't cost $1000 even today, and as EV Code Signing certificates become
more popular the price will fall.

A non-Code Signing EV certificate is "only" $100-200 right now from tons of
vendors. All we need is for them to flag it for Code Signing which is "free."

~~~
Lan
Until you convince those CAs to start signing for code, they still cost $400+.
And remember, that's per year. The driver will continue to function after that
year, but they will either need to cough up another $400 the next year, or
cease development. Even at $100-200 per year that's still an unreasonable cost
for hobby projects.

------
0x0
The weirdest thing is how there's a different policy for machines that have
been upgraded vs new installs. Sounds like trouble for new customers trying to
install random old hardware down the road.

------
pedrow
Does anyone know the status of drivers using WinUSB[0] under this policy?

Also, have there been many instances of malware in device drivers recently
that would require a tightening up of the rules?

[0]: Microsoft's user-mode USB driver, which did (IIRC) need a signed .inf
file but you didn't need to submit it for validation since all the actual code
was Microsoft's ([https://msdn.microsoft.com/en-
gb/library/windows/hardware/ff...](https://msdn.microsoft.com/en-
gb/library/windows/hardware/ff540196\(v=vs.85\).aspx))

~~~
gtirloni
Once malicious code gets into the kernel address space, the sky is the limit.
I don't think it matters if there has been one or a million occurrences of
kernel-space malware.

Look for more details on "ModPOS" for a particularly disastrous one.

------
voltagex_
There goes my ability to use adb/fastboot/emergency download on the Xiaomi
Mi4c - although, that phone never had signed drivers and did something strange
during install to make it work.

~~~
Namidairo
I believe Koushik Dutta (koush/clockworkmod) signs adb drivers for this
reason.

You may want to doublecheck the inf to see if your device's usb VID/PID are
listed.

------
pasbesoin
So, I took advantage of the "free" upgrade of a couple of "Professional" level
licenses, at the last minute.

I'm left wondering whether and for what timeframe I can legitimately
"downgrade" back to Win 7 Pro, if I need to.

I initially thought I had an open-ended option to. But the other day, I saw
brief and incomplete mention of a 30 day window.

I just can't keep up with the dribbling of fractured news/information, so...
asking this of anyone already familiar with this aspect of the "downgrade"
question".

I don't have a need to, right now. As it is, those Windows partitions mostly
sit idle. But if I only have 30 days to go back (while keeping a future 10 re-
upgrade possible / tied to those licenses), then maybe I'd better do so, now,
as a hedge against e.g. some legacy driver issue that may crop up in the
future. Especially as I would intend to do a fresh Win 10 installation for
each of those licenses, eventually (negating any "it's already on the system"
grandfathering Win 10 may continue to permit).

~~~
JonathonW
You can legitimately downgrade anytime; your Win 7 license is still valid
(just not to be used at the same time at 10, since the Win 10 license is an
upgrade license). You can then re-upgrade to Windows 10 at any point, as long
as it's on the same hardware (either doing a clean install using your Windows
7 key or no key, or doing another upgrade install).

The 30 day window is the period of time where you can uninstall and revert to
7 from within Windows 10, without having to do a clean install of 7. Windows
10 removes files from the old version of Windows after 30 days.

~~~
pasbesoin
Thank you. Exactly what I was looking to understand. :-)

------
fithisux
FOSS drivers would have solved this problem.

------
rafaelvasco
Finally. Windows is catching up.

~~~
cptskippy
To whom in this case?

~~~
jasonkostempski
Apple maybe? They're pretty good at making sure you don't get to use hardware
they don't approve.

