Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista
Updated: January 19, 2006
*    *
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
*    *

For Windows Vista and later versions of the Windows family of operating
systems, kernel-mode software must have a digital signature to load on
x64-based computer systems.

This paper describes how to manage the signing process for kernel-mode code
for Windows Vista, including how to obtain a Publisher Identity Certificate
(PIC), guidelines for protecting keys, and how to sign a driver package by
using tools that are provided in the Windows Driver Kit (WDK).

Why digital signatures? For both consumer and enterprise users of Windows
around the world, protecting personal and corporate data remains a top
concern. Microsoft is committed to implementing new ways to help restrict
the spread of malicious software. Digital signatures for kernel-mode
software are an important way to ensure security on computer systems.

Digital signatures allow the administrator or end user who is installing
Windows-based software to know whether a legitimate publisher has provided
the software package. When users choose to send Windows Error Reporting data
to Microsoft after a fault or other error occurs, Microsoft can analyze the
data to know which publishers' software was running on the system at the
time of the error. Software publishers can then use the information provided
by Microsoft to find and fix problems in their software.

What this means for Windows Vista. To increase the safety and stability of
the Microsoft Windows platform, beginning with Windows Vista:
* Users who are not administrators cannot install unsigned device drivers.

* Drivers must be signed for devices that stream protected content. This
  includes audio drivers that use Protected User Mode Audio (PUMA) and
  Protected Audio Path (PAP), and video device drivers that handle protected
  video path-output protection management (PVP-OPM) commands.

* Unsigned kernel-mode software will not load and will not run on x64-based
  systems.

  Note: Even users with administrator privileges cannot load unsigned
  kernel-mode code on x64-based systems. This applies for any software module
  that loads in kernel mode, including device drivers, filter drivers, and
  kernel services.

* To optimize the performance of driver verification at boot time, boot-driver
  binaries must have an embedded Publisher Identity Certificate (PIC) in
  addition to the signed .cat file for the package.

What this means for software publishers. For vendors who publish kernel-mode
software, this policy has the following effects:
* For any kernel-mode component that is not already signed, publishers must
  obtain and use a PIC to sign all 64-bit kernel-mode software that will run
  on x64-based systems running Windows Vista. This includes kernel-mode
  services software.

* Publishers who provide 64-bit device driver or other kernel-mode software
  that is already signed through the Windows Logo Program or that has a Driver
  Reliability Signature do not need to take additional steps, except for the
  special case of boot-start drivers.

* Drivers for boot-start devices must include an embedded PIC. This
  requirement applies for these devices: CD-ROM, disk drivers, ATA/ATAPI
  controllers, mouse and other pointing devices, SCSI and RAID controllers,
  and system devices.
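The boot-start requirement above is the one an administrator can most usefully audit: a boot driver must carry its own embedded signature rather than relying only on the package .cat file. The following script is an added example, not part of the Microsoft paper or the WDK, that inventories boot-start kernel drivers and reports the Authenticode status of each binary; it assumes an elevated PowerShell session on a Windows host, and the path-prefix handling for `\SystemRoot\` and `\??\` reflects common service configurations, not a documented format.

```powershell
# Added example (not from the Microsoft paper): list boot-start kernel drivers
# and report whether each driver binary carries a recognised Authenticode
# signature. Run in an elevated PowerShell session on a Windows host.

function Resolve-DriverPath {
    # Service image paths are stored with NT-style prefixes; rewrite the
    # common ones (assumed forms) into a Win32 path that Test-Path understands.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-BootDriverSignatureReport {
    # StartMode 'Boot' selects drivers loaded by the boot loader, the class the
    # paper says must have an embedded Publisher Identity Certificate.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
            }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer = if ($sig -and $sig.SignerCertificate) {
                             $sig.SignerCertificate.Subject
                         } else { '' }
            }
        }
}

# Drivers whose status is not 'Valid' are the ones worth investigating.
Get-BootDriverSignatureReport | Sort-Object Status, Name | Format-Table -AutoSize
```

The report is an inventory for defenders, not the verification the boot loader itself performs; a status other than Valid on a boot-start driver is the signal to follow up on.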

This information applies for the following operating systems:
Microsoft Windows Vista (for x64-based systems)
Microsoft Windows Server code name "Longhorn"


