
All kernel mode drivers for Windows 10 (1607) should now be signed by Microsoft





Drivers signed by Microsoft can be installed without the laptop owner's permission; a Microsoft certificate is enough (Source: xkcd.com)



Last year, Microsoft announced that with the release of Windows 10, all new kernel-mode drivers would need to be verified by the Windows Hardware Developer Center to receive a Microsoft digital signature. Because of a number of problems, this change did not take effect and remained only an announcement.



Now the company has decided to enforce this change. Starting with version 1607 of Windows 10, the OS will not load new kernel-mode drivers that have not been signed through the Windows Hardware Developer Center. This applies only to clean installations of the operating system, not to upgrades from previous versions of Windows to Windows 10; in the upgrade case, version 1607 is not affected by the policy change.



The company says the changes are needed to make Windows a more secure operating system. According to Microsoft, allowing only signed kernel drivers to load significantly reduces the risk of malware compromising the system.


If you are a driver developer, you must perform the following steps to get your driver signed:

1. Make sure you submit your driver to Microsoft through the Windows Hardware Developer Center.

2. Begin the driver certification process using the Extended Validation (EV) Code Signing Certificate procedure. All drivers that are to be submitted for verification must be signed with an EV certificate.



Microsoft has published a number of answers to additional questions that may arise from the developer or user.



One of the questions concerns exceptions and drivers with cross certificates:



As for other versions of Windows, the changes apply only to Windows 10 version 1607. At the same time, you can upload a driver to the Windows Hardware Developer Center only if you have an EV certificate.



In any case, a developer who wants to test a driver on a test machine now has to disable Secure Boot and sign the driver with their own certificate, installing it with the appropriate tool.
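The flip side of that testing workflow is what an administrator or incident responder wants to check on a production machine: is Secure Boot actually on, is test-signing mode off, and do the kernel drivers currently running carry a valid signature from Microsoft? The following PowerShell script is an added example for this article, not code from Microsoft or from the original post. It assumes an elevated session, uses the heuristic "signer subject contains 'Microsoft'" to approximate a Microsoft signature, and relies on Get-AuthenticodeSignature, which reads only a file's primary signature; a driver carrying both a vendor EV signature and a Microsoft signature may need signtool or the file's Digital Signatures tab to see every signature.

```powershell
# Added example (not from the article): report boot-integrity state and list
# running kernel drivers whose Authenticode signature is missing, invalid, or
# not issued by Microsoft. Run in an elevated PowerShell session.

# 1. Boot-integrity context: is Secure Boot on and test-signing off?
$secureBoot = try { Confirm-SecureBootUEFI } catch { $null }   # $null on legacy BIOS / no UEFI
$testSigning = $null -ne (bcdedit /enum '{current}' 2>$null |
    Select-String -Pattern '^testsigning\s+Yes')

[pscustomobject]@{
    SecureBoot      = $secureBoot
    TestSigningMode = $testSigning
} | Format-List

# 2. Enumerate running kernel-mode drivers and resolve their image paths.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be quoted or use \??\, \SystemRoot\ or System32\ prefixes;
    # normalise it to a plain file-system path before checking the signature.
    $path = $d.PathName -replace '^"|"$', ''
    $path = $path -replace '^\\\?\?\\', '' `
                  -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                  -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name      = $d.Name
        Path      = $path
        Status    = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer    = $subject
        Microsoft = ($subject -like '*Microsoft*')     # heuristic, see the note above
    }
}

# 3. Surface the drivers a defender would want to look at first.
$report |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.Microsoft } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer -AutoSize
```

A machine that was clean-installed with 1607 and is booting with Secure Boot on and test-signing off should produce an empty table from step 3; any row that does appear is either a driver loaded under an exception (for example on an upgraded system) or something worth investigating.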

Source: https://habr.com/ru/post/306862/


