Two weeks ago I delivered my Windows Vista System Integrity presentation at the TechEds in New Zealand (Auckland) and Australia (Sydney). It was largely the same as the presentation at TechEds in America and India, but updated to reflect changes made in the product between the time I wrote the presentation and now.
Pre-release software is like that: it changes. And when you give presentations on beta software, you rely on the details you have to give the most accurate information possible. But there is, of course, no guarantee that functionality as explained in the presentation will exactly match what's delivered when the final product is released. And indeed, in my post on mandatory integrity control, I mentioned some changes.
Code integrity and signatures
The latest version of the presentation includes more details on code integrity and code signing. Previously I had described code integrity as applying to all binaries in the operating system; in fact, code integrity applies to the following:
- All code loaded into a protected process
- Modules implementing cryptographic functions
- Modules loaded into the software licensing service
Kernel mode creates special cases that vary depending on the edition of Windows. For 64-bit:
- All kernel mode code loaded anywhere at any time must be signed -- applies to drivers and non-drivers
For 32-bit, non-driver kernel mode code doesn't require a signature. For drivers, the allow/warn/block behavior of prior versions of Windows is gone. Windows Vista raises a warning if you attempt to install a driver without a signature (only if you're an administrator; standard users can't install unsigned drivers). Drivers with signatures install without prompts. Signatures can come in three forms:
- Manufacturers can obtain WHQL signatures from Microsoft as part of the Windows logo program; this indicates a certain level of quality
- Manufacturers can sign drivers themselves; this indicates authenticity but nothing about quality
- IT departments can self-sign drivers; this allows organizations to silently deploy approved drivers, even if they otherwise lack signatures
Protected processes and high definition content
The Protected Media Path (PMP), part of the new Windows Media Foundation, contains two protected processes. PMP provides a more robust playback environment for high definition rights-protected content. Code integrity checks that all protected processes have valid certificates and that they haven't been revoked.
Based on some details provided to me, I stated that in 32-bit Windows Vista only, next generation high definition protected content will not play at all; 64-bit is the platform for playing back such content. Then I added some conjecture: the media companies wanted this because the risk of unsigned kernel mode code present in memory could thwart content protection.
Turns out that my information and my conjecture weren't correct. Windows will never decide not to play content. PMP itself isn't monitored by code integrity, but it does consume the output of a report generated by the operating system about unsigned code in memory. When you load next generation high definition protected content into a playback application, Windows reports the status of kernel mode drivers loaded into memory: the names of the drivers and whether each of those drivers is signed.
Based on that report, the playback application -- not Windows -- decides what to do: it will either play the content or raise an error and refuse to play. It's also possible for the content itself to indicate what to do, based on instructions contained within the content's embedded license.
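The driver signature forms listed above, and the report of loaded kernel-mode drivers and their signing status that the post describes, can be approximated from an administrator's console. The following is an added example, not code from the original post or from Windows itself; it assumes Windows PowerShell 5.1 or later with the Get-AuthenticodeSignature cmdlet, and the mapping of signer names onto the WHQL / vendor / self-signed categories is a heuristic I am assuming, not documented policy.

```powershell
# Added example (not from the original post): list the kernel-mode drivers that are
# currently loaded and report each one's Authenticode signature status, roughly the
# same information the post says Windows hands to a PMP playback application.
# Assumes Windows PowerShell 5.1+ and an elevated console.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName arrives in several forms; normalize the common ones.
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"    # System32\... -> C:\Windows\System32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignerCategory {
    param([System.Management.Automation.Signature]$Sig)
    # Heuristic (an assumption, not documented policy) mapping the signing certificate's
    # subject onto the three signature forms the post lists, plus Microsoft's own in-box drivers.
    if ($Sig.Status -ne 'Valid') { return 'Unsigned/Invalid' }
    $cert = $Sig.SignerCertificate
    if ($cert.Subject -match 'Microsoft Windows Hardware Compatibility Publisher') { return 'WHQL' }
    if ($cert.Subject -match 'CN=Microsoft Windows')                               { return 'Microsoft in-box' }
    if ($cert.Issuer -eq $cert.Subject)                                            { return 'Self-signed (IT-issued?)' }
    return 'Vendor-signed'
}

function Get-LoadedDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Driver   = $_.Name
                    Path     = $path
                    Status   = $sig.Status
                    Category = Get-SignerCategory $sig
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            } else {
                # Driver image could not be located on disk; report it rather than silently skipping it.
                [pscustomobject]@{ Driver = $_.Name; Path = $_.PathName; Status = 'FileNotFound'; Category = 'Unknown'; Signer = $null }
            }
        }
}

$report = Get-LoadedDriverSignatureReport
$report | Sort-Object Category, Driver | Format-Table Driver, Category, Status, Signer -AutoSize

"`nDrivers loaded without a valid Authenticode signature:"
$report | Where-Object Category -eq 'Unsigned/Invalid' | Select-Object Driver, Path, Status
```

Two caveats when reading the output: drivers signed only through a catalog file rather than an embedded signature can show as NotSigned on some Windows and PowerShell versions, so cross-check surprising entries with the File Signature Verification tool (sigverif) before treating them as unsigned; and the category column is a heuristic on certificate subject names, so a driver signed with an internal enterprise CA will show as Vendor-signed rather than Self-signed unless the certificate is literally self-issued.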
Unfortunately, my initial explanation sparked the interest of a journalist. Originally he was going to write that Microsoft has dropped support for Blu-ray and HD-DVD movies. I never said that, of course, although I can see how it's easy to leap to that conclusion. Even after I met with the journalist, to ensure he understood the details (as I knew them at the time), his article still generated some controversy: I got Slashdotted!
Keeping you informed
I guess that's the risk you take in a job like mine. It's a risk I'm willing to take, because I still believe I have the coolest job in the world: helping you learn everything you can about how to design and operate environments using Microsoft technology as safely and securely as possible.
Fortunately, mechanisms like this blog allow us to ensure that you, our customers, get the most up-to-date information we can give you. Now that I understand how PMP functions with respect to code integrity, I can let all of you know here, as well as ensure that future deliveries of the system integrity presentation will be as accurate as possible.
As always, I extend my sincere gratitude to everyone who takes time to attend my presentations. It means more to me than you'll ever know. I look forward to continuing to see familiar faces at events around the world, and also meeting new folks too. 🙂