Windows Vista and Driver Signing

There's been quite a hullabaloo about Windows Vista's new requirements for driver signing. Mainly because people don't seem to know what those requirements are.

The issue is that Microsoft has made two related but different policy changes. And they both relate to the 64-bit versions of Windows Vista (what Microsoft refers to as the x64 version). Combine this with the fantastic amount of misinformation being spread about Windows Vista, and you have a recipe for disaster.

Driver Signing

The first change is that kernel-mode drivers must be signed by their manufacturer in order to be used in 64-bit Windows Vista. The goal here is to restrict what software runs in kernel mode. It's worth noting that the restriction actually applies to all kernel mode software.

Notice, though, that this software needs to be signed by the manufacturer. This is different from WHQL (Windows Hardware Quality Labs) signing. Microsoft provides some details (the DOC file is where all the meat is) on the signing process. The gist of it is that driver developers need to obtain a certificate (SPC) in order to sign their own drivers. Companies like Verisign, Thawte, and Comodo can provide the certificate needed, for a fee. Developers may also choose to put their drivers through the WHQL testing process.

Non-kernel mode drivers (and other software) do not have to be digitally signed. However, unsigned non-kernel mode drivers can only be installed by a user with Administrator privileges. In 32-bit Windows Vista, unsigned kernel mode drivers similarly require Administrator credentials to install.

The goal of all this is actually not quite the same as WHQL. WHQL does include driver signing, but is largely intended to ensure drivers meet a quality standard. The new signing requirements in 64-bit Windows Vista don't actually address this. These requirements are simply meant to ensure that drivers really are from who they say they are from. No quality testing is required, though presumably driver developers will do some anyway. It's all part of Microsoft's drive to lock down the kernel, and restrict access as much as possible. That motivated the decision to prevent kernel patches from third parties on 64-bit systems, as well.

New Rules for WHQL Certification

The other side of this is that Microsoft is now requiring developers submit both 32-bit and 64-bit drivers when seeking WHQL logo certification of their devices. This is the certification that lets manufacturers use "Works with Windows Vista" or "Certified for Windows Vista" (depending on which one they get) in their marketing.

The requirement is fairly straightforward: if you want your 32-bit drivers to get the Windows Vista logo certification, you must also submit 64-bit drivers (and your 64-bit drivers must pass testing). The 32-bit drivers are actually optional; that is, you can submit only 64-bit drivers and still get certification, but you cannot submit only 32-bit drivers. There is an exception for devices that will never be used with a 64-bit operating system (for instance, an integrated device on a motherboard that will not support a 64-bit processor).

For the exact phrasing, see DEVFUND-0014 in the Windows Vista Logo Program Device Requirements (PDF). You can also get all of the requirements for logo testing from Microsoft if you like. There's also a note echoing the same thing in the Vista Logo FAQ, under Hardware Logo Program Requirements.

The goal of this requirement is different altogether. Microsoft wants to expedite the transition from 32-bit processors to 64-bit processors, and they intend to do that by exerting pressure this way. A lot of the most important hardware in a computer (video cards, for instance) normally goes through logo testing. Thus, Microsoft can ensure that the most critical stuff has 64-bit drivers as quickly as possible (and more importantly, that those drivers start maturing as soon as possible).

  • RSS feed StumbleUpon del.icio.us Digg Yahoo! My Web 2.0