[OpenAFS] Microsoft Changing Digital Signature Requirements

Dave Botsch botsch@cnf.cornell.edu
Fri, 3 Apr 2015 15:39:20 -0400

Hi, Jeff.

The updates are very very much appreciated. Certainly, these changes
will make life interesting in the future.

A couple of followup questions, if you know the answers...

When MS implements the new signing changes, whenever that is, is it
expected that existing installations of the AFS client will break? Or
is it expected that those will break? Or that clients up to a certain
version, even if not yet installed, will work?

Also, do you have to wait until MS "flips the switch" to be able to
submit the client for the certification/review process? Or will you be
able to do that earlier and get feedback with some sort of lead time?

Finally, does the certification process itself cost $$?

I'm, of course, wondering if this change will be implemented with some
sort of update we can block. So far, the only publicity w.r.t. signing
I've heard from MS has been on web certs. So, I'm really surprised this
very major change hasn't been more publicized, yet.

Again, thanks so much for the heads up.

On Fri, Apr 03, 2015 at 01:32:50AM -0400, Jeffrey Altman wrote:
> On 3/28/2015 12:42 PM, Jeffrey Altman wrote:
> > 
> > I will provide additional details as I obtain them.
> Today I was a part of a briefing on Microsoft's plans regarding digital
> signature requirements for kernel mode drivers on client and server
> platforms.  Many of the details such as release schedules are covered
> under NDA so please do not ask me to comment on when some of these
> requirements are going to go into effect.  I simply cannot offer more
> details than what I feel comfortable relaying here.
> Microsoft is under significant pressure to make their operating systems
> as secure and stable as possible.  To that extent they are putting in
> place policies that are going to make the lives of kernel mode
> developers very uncomfortable.
> Effective after the release to manufacturing of Windows 10 (client) all
> drivers will need to be signed according to new driver signing model.
> As mentioned in the prior e-mail, all drivers will need to be signed by
> Microsoft (not the developer) and the developer will require an EV
> certificate with a hardware token to sign submissions to Microsoft for
> signing.
> Microsoft will only sign certified drivers.  In the past an organization
> would work to certify a driver once and then was permitted to self sign
> all subsequent modified versions.  For Windows 10 and ServerNext
> certification must be performed for each release and certification must
> be obtained separately for each OS version.  To release a driver for Win
> 7, Win 8, Win 8.1, Win 10 and the equivalent server platforms  there
> will be eight certifications obtained before the driver will be signed
> by Microsoft and marked as certified for each of the OS versions.
> Microsoft will *not* sign drivers for OS versions that Microsoft no
> longer supports.  When an OS reaches end of life that will be the end of
> life for all new drivers for that platform.
> The server platforms will have an additional set of testing requirements
> beyond those for client systems.  A driver approved for servers will
> also load on clients but not vice versa.  Server platforms will simply
> not load drivers that are not marked certified for that platform.  For
> client platforms there is an option to load and run drivers that are
> self signed with an EV cert and the cross signing certificate provided
> that they were signed before the release of Windows 10.  That option
> will not exist for servers.
> As an additional wrinkle there is no standard file system driver
> certification program.   Each file system will need to be evaluated on a
> case by case basis to determine what the certification requirements will be.
> This is solely my opinion but after listening to the talks this week I
> do not believe that the current AFS redirector driver architecture will
> be granted certification.  Understanding what their security goals are,
> I believe there is at least six months of effort to redesign the driver
> before a valid case could be made to approve it.  It is also likely that
> there are features that Microsoft would determine to be required of a
> certified file system driver that are not currently implemented.
> The only alternative option to running certified signed drivers is to
> configure the OS to run in test mode.  This is not an option that most
> users are going to want to do.  Some universities scan computers
> attached to their networks to ensure they are not in test mode.  I can't
> think of any Enterprise or Government institution that would permit it.
> The bottom line is that going forward developing file systems for
> Windows cannot be performed as a hobby.  The costs associated with
> developing, testing, certifying and signing drivers are increasing
> significantly.  Microsoft repeated many times that the QA Test /
> Certification process is from now on going to be continuous.  It is not
> a once per major operating system activity.  Organizations that include
> a driver in their product must plan for this role to be fully staffed.
> Microsoft understands that these requirements are probably the end of
> open source and student driver development for the Windows platform.
> They feel that given the post-Snowden, post-Target world in which we
> live that they must lean towards overreacting on the side of securing
> their operating system for their customers even if it severely restricts
> the freedom of developers.
> In summary here are the deadlines which I can share:
> * As of 10 March 2015 Windows Update pushed a patch to permit
>   Windows 7 and Server 2008 R2 to permit the new SHA-256 EV
>   certificate signing and the new Microsoft issued signatures.
> * Effective 1 January 2016 all self-signed signatures for new
>   driver releases targeted at Win7, Win8.* will require SHA-256
>   EV signatures.
> * Effective on or after the release to manufacturing of Windows 10
>   the new Microsoft signatures and certification requirements will
>   go into effect.  From press reports Windows 10 is anticipated
>   sometime this Summer but the RTM date is typically 6 to 8 weeks
>   before that.
> Here are some back of napkins estimates for what I believe will be
> required to support the Windows client going forward:
> * Initial certification for Win7 through Win10 and ServerNext
>   technical preview:  $150,000
> * Testing, certification, and release management for each
>   subsequent release: $12,000
> * Annual expenses including EV certificate, insurance, dev tools,
>   plugfests, conferences (WinHEC, Build, etc.): $25,000
> These costs do not include the developer time necessary to write the
> code and the QA manager that will need to monitor and respond to Error
> Reports from the Online Crash Analysis system.
> In one form or another these costs will be borne by the end user
> community.  How that will happen remains to be seen.  If someone found a
> bucket of gold this past St Patty's Day and is willing to share, please
> drop me a note.
> Jeffrey Altman

David William Botsch