proudly powered by 3dfxzone.it
NewsHeadlinesRicerca

Vista x64 to require digital signatures for many drivers

Condividi su Facebook Condividi su Twitter Condividi su WhatsApp Condividi su reddit

23.01.2006 - Vista x64 to require digital signatures for many drivers
is committed to implementing new ways to help restrict the spread of malicious software. Digital signatures for kernel-mode software are an important way to ensure security on computer systems.

Digital signatures allow the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package. When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers' software was running on the system at the time of the error. Software publishers can then use the information provided by Microsoft to find and fix problems in their software.

What this means for Windows Vista. To increase the safety and stability of the Microsoft Windows platform, beginning with Windows Vista:

•

Users who are not administrators cannot install unsigned device drivers.

•

Drivers must be signed for devices that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands.

•

Unsigned kernel-mode software will not load and will not run on x64-based systems.

Note: Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems. This applies for any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services.

•

To optimize the performance of driver verification at boot time, boot-driver binaries must have an embedded Publisher Identity Certificate (PIC) in addition to the signed .cat file for the package.

What this means for software publishers. For vendors who publish kernel-mode software, this policy has the following effects:

•

For any kernel-mode component that is not already signed, publishers must obtain and use a PIC to sign all 64-bit kernel-mode software that will run on x64-based systems running Windows Vista. This includes kernel-mode services software.

•

Publishers who provide 64-bit device driver or other kernel-mode software that is already signed through the Windows Logo Program or that has a Driver Reliability Signature do not need to take additional steps— except for the special case of boot-start drivers.

•

Drivers for boot-start devices must include an embedded PIC. This requirement applies for these devices: CD-ROM, disk drivers, ATA/ATAPI controllers, mouse and other pointing devices, SCSI and RAID controllers, and system devices.

This information applies for the following operating systems:
Microsoft Windows Vista (for x64-based systems)
Microsoft Windows Server code name "Longhorn"

Included in this white paper:

•

Introduction

•

Digital Signatures as a Best Practice

•

Best Practices for Code Signing through Development, Test, and Release

•

How to Manage the Signing Process

•

How to Obtain a PIC

•

How to Safeguard Code Signing Keys

•

How to Disable Signature Enforcement during Development

•

How to Create a Signed Driver Package

•

How to Use a PIC to Create a Signed .cat File

•

How to Install a Signed .cat File

•

Resources

Future versions of this preview information will be provided in the Windows Driver Kit (WDK), under the topic "Signing Drivers for Development and Test (Windows Vista and Later)."





Collegamenti
 Pagina Precedente News successiva Pagina Successiva


Versione per desktop di atizone.it


Copyright 2024 - atizone.it - E' vietata la riproduzione del contenuto informativo e grafico. Note Legali. Privacy