Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal (Dev Portal) to be digitally signed by Microsoft. However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement.
Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.
Pay us! Pay us now, or you don’t get to distribute your driver!
Still think Windows 10 was “free” for a year?
Just like other commercial OSes out there that want to ensure a stable stack.
Secure Boot is utterly pointless if you can ask the kernel to load unsigned code after it loads.
And, interestingly enough, this only applies to systems with Secure Boot enabled.
Edited 2016-08-02 17:26 UTC
Drumhellar,
Unsigned drivers were already prohibited since vista (except in test mode). The change here is that now the drivers have to be submitted to microsoft for their approval. This is a new requirement, previously developers who bought their own windows driver code signing certificates could sign their own drivers to be distributed with their hardware or downloaded from their website (or whatever the case may be).
Edited 2016-08-02 18:15 UTC
And usually it is the OS House who gets the flames at crashes.
Does this mean that people with older hardware no longer getting driver updates are screwed? Because that is what it sounds like.
Edited 2016-08-02 16:32 UTC
Looks like you can get around this by turning off secure boot – also suggesting that anything not EFI will also be able to skate…
Zoidberg,
It’s saying these changes are for our own security, but they don’t want people to notice that they’re shifting control away from owners and further into microsoft’s grip. MS is redefining the PC from an open platform into a controlled platform with microsoft being the gatekeepers. The windows PC is much less open than it was a few years ago.
Exactly. And how long do you think it will be before Microsoft requires that all new Windows machines shipped by OEMs remove the ability to disable SecureBoot?
I think that will be a VERY long time, because one of the Windows 10 requirements is actually that OEMs have to provide the ability to enable SecureBoot*.
This isn’t about shifting grip to Microsoft but about protecting users. That is why the few people that really want/need this feature can still make it work but by default it is more secure.
(*on X86, not on ARM/Mobile)
avgalen,
The controversy isn’t over having security features, it’s having security features where the owner is controlled rather than in control. Neither owners nor competitors should be at the mercy of microsoft. These power plays make me uncomfortable because they do exactly that.
Edited 2016-08-03 11:57 UTC
Nothing is stopping Microsoft from forcing it on their own Microsoft Surfaces, but they haven’t forced it. That makes it seem that your suspicion isn’t warranted. You also seem to confuse where SecureBoot comes from and who controls it. PC manufacturers (Google ChromeBook for example) could put SecureBoot on their hardware and only allow it to boot ChromeOS while disallowing it to run Windows. Nobody will be at the mercy of Microsoft in the future because of SecureBoot, we are already at the mercy of hardware manufacturers because of SecureBoot at the moment.
Wow, it goes in one eye and out the other with you, doesn’t it? If you want to believe Microsoft, that’s your prerogative. Don’t expect all of us to trust them with the same blind loyalty you display, however. They’ve demonstrated enough times that they don’t deserve to be trusted, and they don’t care a whit about their users.
I’ll try one more time. Here’s the chain: Windows 7 and below–everyone can boot whatever they want. Windows 8–Secure Boot is mandatory for OEMs, but it’s also mandatory that we be allowed to turn it off. Windows 10–Secure Boot is mandatory for OEMs, and there is no longer a requirement for us to be permitted to disable it though OEMs can opt to allow us to do so. Think, now, rather than trust. What’s the next logical step in this chain of events?
As with most of your post you overflow with hyperbole again: “blind loyalty, me believing them while they clearly cannot be trusted and don’t care about their users”. But you don’t respond to any facts that I mention and instead just post some assumptions.
Let’s say that Microsoft would do what you assume is the next logical step in your chain. If they would require that SecureBoot cannot be turned off to run Windows none of the roughly 1.5 billion computers currently in use would be able to run Windows anymore, including their own Surface Devices. That would be an instant kill of the Windows future! And even IF PC-manufacturers would start to sell those kind of machines nothing would stop them from providing a couple of Linux certificates in there. They might even slip an accidental public certificate in there that they cannot withdraw while still adhering to the Microsoft-Controls-Everything-Doomsday-Action.
Fear-mongering is easy, but using logic to see the consequences of what you propose shouldn’t be so hard. If you think Microsoft is the devil you will look at everything they do as an evil deed.
One bit missing from the chain you so well described is the dropping of support (providing fixes) for any pre-Windows 10 running on a 6th generation processor (Skylake for Intel).
With the majority of systems sold nowadays being mostly non-upgradable notebooks, a lock-down on what can/can’t be modified in terms of the operating system is not surprising. Isn’t this the path opened-up with the MacBooks and Chromebooks with limited numbers of fixed configurations?
I am curious about one thing: is it possible to flash a custom BIOS-ROM on a system configured with Secure Boot?
BlueofRainbow,
The secure boot spec covers this case and you cannot flash a new bios unless secure boot is disabled first or it is signed with the right keys.
If you have physical access, a flash programmer, an unlocked flash image, and soldering skills, you could get around it. I’ve even seen some in-place programmers that attach to flash chips without removing them. In theory the integrity of firmware could be validated by the CPU, but “secure boot” doesn’t have anything in place at that level.
Edit: While this is technically possible, the skill to do it would be out of the ordinary unless you are a hacker, which is a bit ironic if you think about it.
Edited 2016-08-04 18:00 UTC
These are procedures which only the most adventurist, fearless, and skilled hobbyist would ponder at breakfast on a Saturday morning.
From this, I am starting to better appreciate the security model implemented in the chromebooks and chromeboxes. Well described for the C$48, Pixel 2013, and Pixel 2015, there is a physical jumper which one must alter to be able to re-flash the boot ROM.
In theory, this makes it extremely difficult, if not impossible, for a malware having gained access to the inwards of the operating system to re-flash the boot ROM. In practice, who knows.
The system must be torn-down to access this physical jumper. The YouTube tear-down videos of gadgets are so numerous that one could acquire sufficient knowledge to consider doing it.
BlueofRainbow,
I had not put the pieces together, but this is actually very insightful.
It -used- to be the case that when you bought new system components, the manufacturer would provide the windows drivers. Whatever microsoft says about supporting new devices is completely irrelevant because 3rd party manufacturers and not microsoft provided those drivers!
However it just occurred to me that with the changes discussed in the article, manufacturers are no longer free to supply drivers to consumers, going forward they have no choice but to go through microsoft, which gives them a new veto power over drivers that run on more machines than microsoft wants to allow.
Microsoft to manufacturer: “Guys, our testers discovered that your windows drivers still work with windows 7/8. Microsoft policy states that this hardware shall only work with windows 10, we decline to sign the drivers until you are compliant with our policy”.
Edited 2016-08-04 18:20 UTC
Ouch. Hadn’t even thought things out to that end. It’s worse than I realized.
But of course it’s all for our protection, right? Right?
Skylake sounds like a great, great legend maybe our children will hear about. ANYTHING could go inside a contemporaneous CPU/Chipset.
avgalen,
But that’s part of the problem too, the very design of secure boot is at fault because the owners should be the ones in control, not the manufacturers and not microsoft! I’d say the same thing about google keys too. Not for nothing but whose keys do you think are being shipped on desktop systems? It’s microsoft’s keys.
I strongly hope it remains possible to disable secure boot on every PC, but you can read tons of complaints from users who can’t figure it out. Even I had trouble getting into the bios at first because some modern computers jump straight into windows – the bios is only accessible after changing settings from within windows itself.
Regardless of your opinion about them, you can’t deny that these impediments favor MS and give them an enormous amount of control over competitors. Take for example that Ubuntu and RedHat have actually submitted to microsoft for the right to boot hassle free on most computers shipping with MS keys. You might argue this “collaboration” is good, but it puts microsoft in an incredibly powerful position for its competitors to be directly dependent upon it. They’ll be able to use that as a bargaining chip “you don’t wanna play ball with us? Hmm, well remember that time when we signed your OS loader…”
If the situation were reversed and microsoft needed to beg someone else like redhat for permission to run windows, you would rightfully call secure boot BS, because it is. It would be disingenuous to pretend otherwise.
At least redhat and ubuntu carry some weight and have some capable lawyers, it’s the smaller indie guys who have no leverage and get screwed the worst as PCs become closed devices.
Edited 2016-08-03 17:32 UTC
RedHat needs to ask the OEM for permission to run, just like Microsoft does. Of course this system is very biassed against small players and Microsoft and RedHat would get that permission while VirusWriterOne wouldn’t, that is basically the whole goal. And for those that want to run VirusWriterOne’s (or your own) OS, you should ALWAYS be able to disable SecureBoot or you should never buy that hardware (vote with your wallet).
(Now how do I run Windows 10 Mobile on my OnePlusOne?)
avgalen,
In theory that’s possible, but in practice that does not happen and RedHat/Ubuntu have to be signed by MICROSOFT’s key because it’s microsoft’s key that’s most commonly getting preloaded onto machines. Again, this situation is unacceptable yet that’s where we are at.
Edited 2016-08-04 14:48 UTC
You may as well give up. This individual’s well and truly drunk on the Kool-Aid. Clearly Microsoft can do no wrong. Fortunately, at least some of us are still sober.
“…In theory that’s possible, but in practice that does not happen and RedHat/Ubuntu have to be signed by MICROSOFT’s key because it’s microsoft’s key that’s most commonly getting preloaded onto machines.”
That is the actual, sad case. Exploit here, Corps. side is that they exercise huge pressure -just by being Who they are, financially speaking- to keep the Status Quo as is.
Who dares to be ‘democratic’ when having one, or two dominant monetizing providers?
And on realizing this Oneself can’t less than look as far to the side, expecting to see the shadow of a Regulator, which suspiciously stands out, failing to show.
“… but just think about how severely braindead it is to have a security feature that once compromised, an owner cannot enter re-initialization mode to regain control.”
But He Can…
Just connect to network and the owner can regain control.
Clients & Users are just Guests at the new Status Quo! We are there just for the ‘experience’. Nothing to do with that prehistoric word “ownership”.
As I’ve said before elsewhere, another stage further down the line will be to disallow turning off of Secure Boot – certainly in later and newer hardware.
You’ll find hardware obsoleted much quicker and it’ll be interesting what happens to virtualisation. Microsoft has long hated it since it allowed people to run Windows systems well beyond the lifetime of the physical hardware it was designed to run on.
Microsoft hates virtualisation? You must be kidding right? They basically brought down the whole personal market to 0 dollar from VMWare (WorkStation/Server) by making Virtual Server and Virtual PC 100 dollar during lunchtime and gratis by dinner.
They used that same Virtual PC to provide XPMode into Windows 7 for backwards compatibility
They use AppV/MedV for application virtualisation and now use that to put Win32 programs into the store for easier deployment and isolation
They introduced HyperV into the more recent Pro editions and have special (free, “bare metal”) HyperV Server versions.
They use HyperV to provide all their Mobile Development images
Their whole Azure-Stack is based upon running everything virtual and so is almost everything inside the modern local datacenter.
And they are now making Containers into their preferred deployment methodology.
Without virtualisation there would only be Windows Home/Pro and hardly any Server/Azure or Mobile/Development
IT future is virtual, proxy, agential; a little hell
Not because it should be.
Personally, I blame JAVA/SUN on steering the whole World into this new path.
This affects small oems and cheaper computers and components the most. Once the device is deemed obsolete or legacy, unless the company decides to extend the life, most cheap components will get driver updates for about a year. My question is, does that certification’s digital signature expire? It would suck not being able to use old drivers for a system re-install because of that policy (so right now systems that were upgraded with old hardware are mandated to be backed up or else a painful 2 OS install is in store), and later down the road a future update might render some hardware useless leaving everyone with a bad taste in their mouths.
It happened to apple with some apps in the App Store, but nothing is worse than hardware issues due to this.
I understand the security issues, but this is just a nightmare for IT departments in the near future.