In case you’ve been busy worrying about writing code for existing projects and stuff, let me call your attention to some big changes in the realm of driver signing that start with Windows 10.
There’s been an ongoing thread on NTDEV about this topic for more than a month now that has led to some very good information being collected and discussed by the Driver Development Community.
For all the details, you’ll need to read my blog post from the end of July entitled Questions and Answers: Windows 10 Driver Signing. In that blog post, Microsoft program manager James Murray answers questions from the community on how the Windows 10 driver signing process will work.
Let me try to provide you a quick summary of what’s changing, because you definitely will care: The big news is that, aside from a short-term exception, a Microsoft signature is required by Windows 10 to load kernel-mode drivers. To get that signature, you have to sign a submission using an Extended Validation (EV) Code Signing Certificate and upload your driver package to the Microsoft SysDev portal. You do not need to run or pass any Microsoft certification, logo, or compatibility tests. You just need to sign your driver package appropriately, agree to some conditions, and submit your package to Microsoft via SysDev for signature. This procedure is called “attestation signing” because when you upload you declare (that is, “attest”) that you’ve tested the driver, will monitor SysDev for driver problems, and will fix any issues that are reported.
So, aside from the exception case, drivers for Windows 10 must have a Microsoft signature obtained through the SysDev portal. What’s the exception case? The exception is that Windows 10 Client (not server) systems will load drivers that have been properly signed and cross-signed using the pre-Windows 10 KMCS procedure if the certificate used to sign those drivers was issued prior to the release of Windows 10. This gives driver developers some “breathing room” to adjust to the new policy.
One really important thing to note is, according to my discussion with Mr. Murray, Windows Server vNext will only load drivers that have passed HLK testing (formerly known as Certification testing or WHQL testing) and have obtained the appropriate signature from the SysDev portal.
Based on the information we learned from Mr. Murray’s Q&A, the community devised the following seven rules about Windows 10 driver signing:
- A driver signed with the standard SHA-1 certificate issued prior to the 29th of July 2015 and correctly cross-signed according to the pre-Windows 10 KMCS procedures, will work on all platforms Vista through to 10. This is, however, subject to the configuration of an enterprise-defined code integrity policy that is part of Device Guard (available on Windows 10 Enterprise edition only). This enterprise-defined policy may be configured to require at least an attestation-signed driver.
- A driver signed with a SHA-2 certificate (including an EV certificate) issued prior to the 29th of July, and cross-signed according to the pre-Windows 10 KMCS procedure, will work on Windows 8 and above, and will work on Windows 7 / Server 2008R2 if the patch issued through Windows Update earlier this year has been applied. It won’t work on Windows Vista / Server 2008 though.
- A driver signed with any certificate issued after the 29th of July won’t work on Windows 10, unless the driver is signed with a Microsoft signature available through the SysDev portal.
- A driver signed with any certificate that expires after the 29th of July will work on Windows 10, assuming that the signature was timestamped at the time of signing. If the signature was not timestamped, the driver will not work after the certificate expires.
- A portal-signed driver using attestation signing (which requires an EV certificate) will only work on Windows 10, unless also signed with an additional valid certificate and cross-signed according to the pre-Windows 10 KMCS procedure.
- A portal-signed driver that passes HLK tests will work on Windows 7 through Windows 10. Submitting a package for HLK certification requires the use of an EV certificate.
- Windows Server vNext will only load portal-signed drivers that have successfully passed the HLK tests.
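The seven rules above amount to a decision procedure, so here is a small Python model of them, added as an example (it is not from the original post, the NTDEV thread, or Microsoft), that answers whether one package loads on one platform. The platform names, field names and ISO-date inputs are my own assumptions; the model applies the issue-date cut-off (rule 3) and the timestamp/expiry consequence (rule 4) only to Windows 10, because that is the only platform the rules state them for, and it reduces the Device Guard code integrity policy to a single flag.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cut-off quoted in the rules above: Windows 10 no longer honours KMCS-only
# signatures made with a certificate issued on or after this date.
CUTOFF = date(2015, 7, 29)

@dataclass
class DriverSignature:
    cert_issued: str            # ISO dates, e.g. "2015-01-15" (assumed input format)
    cert_expires: str
    sha2_cert: bool             # SHA-2 certificate (EV certs are SHA-2) vs. SHA-1
    kmcs_cross_signed: bool     # pre-Windows 10 KMCS cross-signing applied
    timestamped: bool           # Authenticode signature carries a timestamp
    portal: Optional[str] = None  # None, "attestation" or "hlk" (SysDev signature)

def kmcs_path_ok(sig, target, win7_sha2_patched):
    """Rules 1 and 2: is the developer's cross-signed signature usable on target?"""
    if not sig.kmcs_cross_signed:
        return False
    if sig.sha2_cert:                                       # rule 2
        if target == "vista":
            return False
        return win7_sha2_patched if target == "7" else True
    return True                                             # rule 1: SHA-1, Vista..10

def driver_loads(sig, target, today, win7_sha2_patched=True,
                 ci_policy_requires_portal=False):
    """Evaluate the seven rules for one package on one target platform.
    target is "vista", "7", "8", "10" or "server_vnext"; today is an ISO date."""
    if target == "server_vnext":                            # rule 7
        return sig.portal == "hlk"
    if target == "10":
        if sig.portal in ("attestation", "hlk"):            # rules 5 and 6
            return True
        if ci_policy_requires_portal:                       # Device Guard policy, rule 1
            return False
        if date.fromisoformat(sig.cert_issued) >= CUTOFF:   # rule 3
            return False
        expired = date.fromisoformat(today) > date.fromisoformat(sig.cert_expires)
        if expired and not sig.timestamped:                 # rule 4
            return False
        return kmcs_path_ok(sig, target, win7_sha2_patched)
    # Down-level (Vista, 7, 8): an HLK portal signature covers 7 and up (rule 6);
    # an attestation-only signature does not (rule 5), so fall back to KMCS.
    if sig.portal == "hlk" and target != "vista":
        return True
    return kmcs_path_ok(sig, target, win7_sha2_patched)
```

Calling `driver_loads` for each target in turn gives the support matrix for one package, which is a quick way to see why a post-cut-off EV certificate alone buys you nothing on Windows 10.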
Thanks to Community members (in order of the date of their first post to the thread) Tim Roberts, Daniel Terhell, Tom McDermott, David Cattley, Mike Fontana, Vikram Parthasarathy, Christiaan Ghijselinck, Alan Adams, Jeff Pages, Jan Bottorff, Gabe Jones, Don Burn, Chris Read, Anton Bassov, Gregory Dyess, James Bellinger, Matt McIntire, Chris Aseltine, Volodymyr M. Shcherbyna, Prokash Sinha, Maxim Shatskih, Phil Barila, Menachem Shapira, and a few others who participated via pseudonym. Your participation is what got these questions answered for the community. Bravo!
One more time: Don’t rely on my restatements of the policy in this article. Please read the definitive Q&A on this topic entitled Questions and Answers: Windows 10 Driver Signing.