HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ZeroWidthJoiner

no profile record

Submissions

Custom kernel mode code signing policies on Windows

learn.microsoft.com
1 points·by ZeroWidthJoiner·vor 4 Monaten·1 comments

comments

ZeroWidthJoiner
·letzten Monat·discuss
The root of trust in Secure Boot is typically an OEM certificate, not Microsoft's, which is probably even worse: https://www.binarly.io/blog/pkfail-untrusted-platform-keys-u...

In any case, you're free to remove Microsoft's certificates and enroll your own.
ZeroWidthJoiner
·vor 4 Monaten·discuss
This enables hardware owners to specify custom kernel driver signing requirements, enabling kernel mode code to run without having to submit it to Microsoft for signing.

For an in-depth discussion on the topic of driver signing on Windows see Geoff Chappell's excellent write-up: https://www.geoffchappell.com/notes/windows/license/customke... (RIP)
ZeroWidthJoiner
·vor 11 Monaten·discuss
Yeah, that original name is corroborated by Raymond Chen: https://devblogs.microsoft.com/oldnewthing/20171114-00/?p=97...
ZeroWidthJoiner
·vor 12 Monaten·discuss
Search results for "best font ever" has an easter egg as well.
ZeroWidthJoiner
·letztes Jahr·discuss
The backside fingerprint reader could even be used as an input device on some models for scrolling, or pulling down/up the notification bar. Great for scrolling through content or swiping through screens without having to cover your display for gesture input: https://www.androidauthority.com/miss-rear-fingerprint-scann...
ZeroWidthJoiner
·letztes Jahr·discuss
Even before the virtualization-based security feature was introduced this has been the Hyper-V architecture, on server and client SKUs. The management OS is referred to as the "parent partition" or "root partition," and it runs on top of the hypervisor: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-...
ZeroWidthJoiner
·letztes Jahr·discuss
This is true for certification, which is mandatory for Server OS, distributing through Windows Update, or certain classes of drivers such as anti-malware or biometric authentication, but you can still submit drivers to Microsoft for "attestation signing" that will load without warnings on desktop OS without having to run them through the testing suite.

In any case, running the certification tests does not provide runtime protection for drivers running in kernel mode, as demonstrated by CrowdStrike. Only Windows 10 started introducing hardware virtualization-based isolation of kernel components (to provide isolation of security subsystems, not runtime checks to prevent crashes): https://learn.microsoft.com/en-us/windows-hardware/design/de...
ZeroWidthJoiner
·letztes Jahr·discuss
Driver Verifier is a tool that developers can choose to use for testing and debugging purposes.

It's not used on production machines and it does nothing to prevent a badly written driver from crashing the kernel.
ZeroWidthJoiner
·vor 2 Jahren·discuss
> They actually advise OEMs not to install this second key by default ("Secured Core" PCs), and some vendors have followed the advice, such as Lenovo. Resulting in yet another hoop to install non-MS OSes.

True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust [0]. On my "Secured-Core" ARM ThinkPad T14s it's a simple toggle option.

> Even recently, a Windows updated added a number of Linux distributions to the Secure Boot blacklist, resulting in working dual boot systems being suddenly cripped. Of course, _ancient_ MS OSes are never going to be blacklisted.

Actually they are in the process of blacklisting their currently used 2011 Windows certificate, i.e. the Microsoft cert installed on every pre-~2024 machine, also invalidating all Windows boot media not explicitly created with the new cert. It's a manually initiated process for now, with an automatic rollout coming later [1].

It'll be very interesting to watch how well that's going to work on such a massive scale. :)

[0] https://learn.microsoft.com/en-us/windows-hardware/design/de...

[1] https://support.microsoft.com/en-us/topic/kb5025885-how-to-m...
ZeroWidthJoiner
·vor 2 Jahren·discuss
> I think drivers are going to be the biggest PITA for ARM-based PC users for the first couple years — for example, Google Drive doesn't work for that reason.

Google Drive does ship with Arm64 drivers, and patching the platform check out of the installer gets them installed just fine (40 84 f6 74 08 -> 40 84 f6 90 90).

No idea why they're blocking the install.
ZeroWidthJoiner
·vor 3 Jahren·discuss
> MORE PADDING everywhere

It's so ridiculous. You ever wanted Explorer's "details" file list view to have horizontal blank space between rows so rather than selecting the nearest item you could just click through the list into a blank void and select nothing? Yeah, that's what the default setting is now. For a list view. It's like making up unusable space between cells in Excel for no reason.
ZeroWidthJoiner
·vor 3 Jahren·discuss
This was initially reported over 2 months ago when it first showed up in canary builds.

Microsoft, at the time: "This is an issue in the latest Canary Channel build and the loc folks are working on a fix" (https://twitter.com/JenMsft/status/1643599284120723456)