On 3/28/2015 12:42 PM, Jeffrey Altman wrote:
> 
> I will provide additional details as I obtain them.

Today I was a part of a briefing on Microsoft's plans regarding digital
signature requirements for kernel mode drivers on client and server
platforms.  Many of the details such as release schedules are covered
under NDA so please do not ask me to comment on when some of these
requirements are going to go into effect.  I simply cannot offer more
details than what I feel comfortable relaying here.

Microsoft is under significant pressure to make their operating systems
as secure and stable as possible.  To that extent they are putting in
place policies that are going to make the lives of kernel mode
developers very uncomfortable.

Effective after the release to manufacturing of Windows 10 (client) all
drivers will need to be signed according to the new driver signing model.
As mentioned in the prior e-mail, all drivers will need to be signed by
Microsoft (not the developer) and the developer will require an EV
certificate with a hardware token to sign submissions to Microsoft for
signing.

Microsoft will only sign certified drivers.  In the past an organization
would work to certify a driver once and then was permitted to self-sign
all subsequent modified versions.  For Windows 10 and ServerNext
certification must be performed for each release and certification must
be obtained separately for each OS version.  To release a driver for Win
7, Win 8, Win 8.1, Win 10 and the equivalent server platforms there
will be eight certifications obtained before the driver will be signed
by Microsoft and marked as certified for each of the OS versions.

Microsoft will *not* sign drivers for OS versions that Microsoft no
longer supports.  When an OS reaches end of life that will be the end of
life for all new drivers for that platform.

The server platforms will have an additional set of testing requirements
beyond those for client systems.  A driver approved for servers will
also load on clients but not vice versa.  Server platforms will simply
not load drivers that are not marked certified for that platform.  For
client platforms there is an option to load and run drivers that are
self-signed with an EV cert and the cross-signing certificate provided
that they were signed before the release of Windows 10.  That option
will not exist for servers.

As an additional wrinkle there is no standard file system driver
certification program.  Each file system will need to be evaluated on a
case by case basis to determine what the certification requirements will be.

This is solely my opinion but after listening to the talks this week I
do not believe that the current AFS redirector driver architecture will
be granted certification.  Understanding what their security goals are,
I believe there are at least six months of effort to redesign the driver
before a valid case could be made to approve it.  It is also likely that
there are features that Microsoft would determine to be required of a
certified file system driver that are not currently implemented.

The only alternative option to running certified signed drivers is to
configure the OS to run in test mode.  This is not an option that most
users are going to want to do.  Some universities scan computers
attached to their networks to ensure they are not in test mode.  I can't
think of any Enterprise or Government institution that would permit it.

The bottom line is that going forward developing file systems for
Windows cannot be performed as a hobby.  The costs associated with
developing, testing, certifying and signing drivers are increasing
significantly.  Microsoft repeated many times that the QA Test /
Certification process is from now on going to be continuous.  It is not
a once per major operating system activity.  Organizations that include
a driver in their product must plan for this role to be fully staffed.

Microsoft understands that these requirements are probably the end of
open source and student driver development for the Windows platform.
They feel that given the post-Snowden, post-Target world in which we
live that they must lean towards overreacting on the side of securing
their operating system for their customers even if it severely restricts
the freedom of developers.


In summary here are the deadlines which I can share:

* As of 10 March 2015 Windows Update pushed a patch to permit
  Windows 7 and Server 2008 R2 to accept the new SHA-256 EV
  certificate signing and the new Microsoft issued signatures.

* Effective 1 January 2016 all self-signed signatures for new
  driver releases targeted at Win7, Win8.* will require SHA-256
  EV signatures.

* Effective on or after the release to manufacturing of Windows 10
  the new Microsoft signatures and certification requirements will
  go into effect.  From press reports Windows 10 is anticipated
  sometime this Summer but the RTM date is typically 6 to 8 weeks
  before that.


Here are some back-of-the-napkin estimates for what I believe will be
required to support the Windows client going forward:

* Initial certification for Win7 through Win10 and ServerNext
  technical preview:  $150,000

* Testing, certification, and release management for each
  subsequent release: $12,000

* Annual expenses including EV certificate, insurance, dev tools,
  plugfests, conferences (WinHEC, Build, etc.): $25,000

These costs do not include the developer time necessary to write the
code and the QA manager that will need to monitor and respond to Error
Reports from the Online Crash Analysis system.

In one form or another these costs will be borne by the end user
community.  How that will happen remains to be seen.  If someone found a
bucket of gold this past St Patty's Day and is willing to share, please
drop me a note.

Jeffrey Altman
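The message above mentions that some institutions scan hosts to make sure they are not running in test-signing mode, and that drivers will have to carry EV or Microsoft-issued signatures. The following PowerShell audit is an added example, not part of the original e-mail or of OpenAFS: it reports whether the current boot entry has test signing enabled and lists the signer of every kernel driver in the standard driver directory. It assumes an elevated session on a supported Windows host; the directory path and the output filter are choices made here, not requirements stated in the message.

```powershell
# Added example: audit a Windows host for test-signing mode and driver signers.
# Assumes an elevated PowerShell session (bcdedit needs administrator rights).

function Test-TestSigningEnabled {
    # bcdedit lists a "testsigning  Yes" line for the boot entry only when
    # test mode is on; a host in that state will load unsigned drivers.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
}

function Get-DriverSignerReport {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")  # assumed location
    Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($cert) { $cert.Subject } else { $null }
            # Note: this is the algorithm the CA used to sign the certificate,
            # not the Authenticode file digest; use "signtool verify /v" for that.
            CertAlg    = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            IsOSBinary = $sig.IsOSBinary      # true when Windows treats it as its own binary
        }
    }
}

if (Test-TestSigningEnabled) {
    Write-Warning "Test-signing mode is enabled on this host."
}

# Show only drivers that are unsigned, invalidly signed, or not Microsoft-owned,
# which is the set an administrator would review against the new signing rules.
Get-DriverSignerReport |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.IsOSBinary } |
    Format-Table -AutoSize
```

Run it from an elevated prompt; a non-empty table is a list of drivers to check against the signing requirements, not proof of a problem by itself.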

