
    Summary of Certificates and Signing Options


    The following table summarizes the different types of certificates and the signing options for various components.

    Certificates Used During Playback of Protected Content that Requires PMP

    | Component | Certificate type required | Certificate use | Example playback scenarios enabled | Options for signing |
    |---|---|---|---|---|
    | Participating kernel-mode display device driver | Code signing | Code signing | HD DVD | KMCS [1], WHQL [2] |
    | | PVP-OPM | Challenge-response | HD DVD on integrated graphics adapters | MFPMP [3] |
    | | PVP-UAB | Challenge-response | HD DVD on discrete graphics adapters | MFPMP |
    | | PVP-OPM legacy mode | Challenge-response | Content that required COPP on Windows XP | MFPMP |
    | Non-participating kernel-mode driver | Code signing | Code signing | HD DVD | KMCS, WHQL |
    | Participating user-mode display driver component | PMP-PE | Code signing | Playback of protected content through the PMP | WHQL, MFPMP |
    | Participating kernel-mode audio driver components | PUMA | Code signing | SAP content when audio service providers turn on this requirement. | WHQL |
    | Participating user-mode audio driver components or audio processing objects (APOs) | PMP-PE | Code signing | Components or APOs can process protected content. | WHQL, MFPMP |
    | Media Foundation pipeline plug-ins (codecs, mf-transforms) | PMP-PE | Code signing | Plug-ins can process protected content | MFPMP |

    [1] KMCS process, using a code-signing certificate and a cross certificate.

    [2] Windows Hardware Quality Labs testing program.

    [3] Media Foundation Protected Media Path (for details, send e-mail to pmpcert@microsoft.com).



    How to Obtain Certificates


    This section provides instructions and recommendations for obtaining the certificates that PMP requires.

    PVP-OPM and PVP-UAB Certificates

    The process for obtaining a PVP-OPM or PVP-UAB certificate includes signing a license and providing a set of information files to Microsoft. Manufacturers who must obtain certificates should send an e-mail request to wmla@microsoft.com.


    PMP-PE Certificates

    If your company is a Media Foundation technology adoption program (TAP) participant and you believe that you require a PMP-PE certificate for the Beta 2 timeframe, send an e‑mail to pmpcert@microsoft.com to be considered as a candidate for the PMP-PE certificate. See also "Requesting Multiple Certificates" later in this paper.



    Note: This PMP-PE certificate process is available only during the Windows Vista Beta 2 timeframe. For information about new processes after the beta testing of Windows Vista concludes, go to the "Driver Signing" page on the WHDC Web site.

    Best Practices for Code Signing PMP Components


    This section provides recommendations from Microsoft for planning and managing the code-signing processes for components that will run in the PE for playback of protected media.

    Safeguarding Code-Signing Keys


    The cryptographic keys that are at the heart of the code-signing process must be well protected. These keys represent a company’s identity and should be treated with the same care as a company’s most valuable assets. Any code that is signed with these keys appears to Windows as if it contains a valid digital signature that can be traced to the company. If the keys are stolen, they could be used to fraudulently sign malicious code and possibly result in the delivery of code that contains a Trojan or virus that appears to come from a legitimate publisher.

    When to Request Multiple Certificates


    Your company can request multiple PMP-PE certificates from Microsoft. However, consider the following factors:

    • Certification overhead. Microsoft is striving to streamline the certification process. However, some overhead is still associated with obtaining a PMP-PE certificate, making it less than optimal to obtain a certificate from Microsoft for every product release, update, or quick-fix engineering (QFE).

    Recommendation: Obtain a certificate for each product line and use the same certificate to sign subsequent releases of these products.

    • Impact of revocation. All components in the Protected Media Path, including MIG plug-ins, are revocable. Both the component’s signing certificate and the component’s hash can be revoked. Revoking a signing certificate invalidates all components that were signed by using that certificate or that certificate chain.

    Recommendation: Because of its over-arching impact, certificate revocation is rare. We recommend that you request different certificates for each product line. In that case, in the rare catastrophic situation when a certificate must be revoked, you will invalidate only a subset of your products. You should also provide a mechanism to renew compromised components through the Windows Update Service or a private Web site.
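
    One way to see how far a single certificate revocation would reach, as an added example that is not part of the original paper: it groups the signed binaries in a release tree by signing-certificate thumbprint and flags any certificate shared across product lines. The one-folder-per-product-line layout, the function name, and the D:\Release path are assumptions.

```powershell
# Added example. Assumes (hypothetical layout) one top-level folder per
# product line under $Root, e.g. D:\Release\<ProductLine>\...\driver.sys
function Get-RevocationBlastRadius {
    param([Parameter(Mandatory)][string]$Root)

    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $rootPath -Recurse -File |
        Where-Object { $_.Extension -in '.sys', '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # Unsigned files have no certificate whose revocation could affect them.
            if (-not $sig.SignerCertificate) { return }
            [pscustomobject]@{
                Thumbprint  = $sig.SignerCertificate.Thumbprint
                Subject     = $sig.SignerCertificate.Subject
                # First path segment below the root is treated as the product line.
                ProductLine = $_.FullName.Substring($rootPath.Length + 1).Split('\')[0]
                File        = $_.FullName
            }
        } |
        Group-Object Thumbprint |
        ForEach-Object {
            $lines = @($_.Group.ProductLine | Sort-Object -Unique)
            [pscustomobject]@{
                Thumbprint    = $_.Name
                Subject       = $_.Group[0].Subject
                Components    = $_.Count          # files invalidated if this cert is revoked
                ProductLines  = $lines -join ', '
                SpansMultiple = $lines.Count -gt 1
            }
        }
}

# Certificates whose revocation would invalidate more than one product line.
Get-RevocationBlastRadius -Root 'D:\Release' |
    Where-Object SpansMultiple |
    Format-Table -AutoSize
```

    A file placed directly in the root folder is reported with its own file name as the product line, so keep the root free of loose binaries when reading the result.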

    Code Signing Boot Drivers


    For PC systems that will play premium content, all kernel-mode code must be signed for identity. Kernel-mode code that loads at boot time must be signed with an embedded certificate.

    Recommendation: Use embedded signing for all boot drivers through the KMCS process. For information about embedded signing through the KMCS process, see the "Driver Signing" page on the WHDC Web site.

    Test Signing Kernel-Mode Code


    Kernel modules signed with a test certificate are considered untrusted by the Windows Vista PE Authority. This means that the kernel is reported as "not identified" and premium content that requires an identified kernel will not play back.

    Understanding the User Experience with Protected Content


    This section presents some user experience issues that have been raised about protected content playback and Windows Vista by both industry and consumer communities.

    PMP-PE enforcement does not stop devices from working.

    The PMP PE Authority can stop the flow of data to media applications, but it does not disable the DVD drive or the hard disk.



    Playback of premium content requires that only identified drivers be loaded on the system.

    When new premium content is loaded on a Windows Vista system, several checks are required to ensure the safety of the system. One check is for the presence of an identified kernel. When requested, the PMP performs this check by verifying that all kernel modules that are loaded on the system have been signed by a source that Microsoft trusts. If this verification fails, the PMP halts playback of that content and sends a message to the media application that includes information to help resolve the issue.
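
    An approximate user-mode audit of the condition described above, as an added example that is not part of the original paper and is not the PMP's own check: it lists running driver services and reports the Authenticode status of each driver file. The function names are illustrative; Get-CimInstance and Get-AuthenticodeSignature are standard cmdlets.

```powershell
# Added example; function names are illustrative. It covers driver services
# known to the Service Control Manager, not every loaded kernel module, and it
# reports Authenticode status only (it does not reproduce the PMP's check).
function Resolve-DriverPath {
    param([string]$PathName)
    # PathName may be quoted, NT-style (\??\C:\...), or system-root relative.
    $p = $PathName.Trim('"')
    if ($p -match '^\\\?\?\\') { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif ($p -match '^System32\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'FileNotFound'
            $signer = $null
            if (Test-Path -LiteralPath $path) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $status
                Signer = $signer
            }
        }
}

# Drivers whose signature did not validate against this machine's trust stores.
Get-KernelDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table -AutoSize
```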



    Existing content is not affected by the PMP requirements.

    Users can continue to play existing content such as recorded television, standard definition DVDs, or MP3s. The policies that control the use of existing content are not affected by the new requirements for premium content.



    Premium content requires signed legacy kernel-mode modules.

    Existing media that can be played on Windows XP can also be played on Windows Vista, regardless of whether the system has an identified kernel. However, premium content that requires an identified kernel cannot be played if the system contains any legacy unsigned kernel-mode drivers. To play this content, consumers must obtain a signed version of the driver from the vendor.


    Summary and Call to Action


    Kernel-mode driver signing helps ensure great consumer experiences by providing increased driver reliability, increased security against malware, and access to next-generation entertainment experiences.

    Call to action for device and system manufacturers:

    Two general recommendations:



    • Sign your code. Even without the issues related to premium content, Microsoft recommends that software and driver vendors sign all their code.

    • Participate in the Windows Vista Logo Program.

    For system and device manufacturers who create products that support Windows Vista premium content experiences, the following code-signing requirements must be met:



    • All kernel-mode code must be code signed. This meets the content providers’ requirement for an "identified" kernel. This requirement applies to both x86- and x64-based systems and includes both participating and non-participating drivers.

    • All driver and application components that participate in the Windows Vista PE must—at a minimum—be signed by WHQL or with the manufacturer’s certificate. This requirement includes all user-mode components that are part of the PMP.

    • Display device drivers must include an embedded certificate for PVP-OPM (for integrated graphics adapters) or PVP-UAB (for discrete graphics adapters).

    Manufacturers can obtain PVP-OPM, PVP‑UAB, and PMP-PE certificates by contacting Microsoft by e‑mail and signing the related license agreements.

    Tools and guidelines for code signing are provided in the WDK and the Platform SDK, and submission guidelines for driver signing under the WHQL testing program are available on Microsoft.com.

    References


    E-mail contacts for PVP License Agreements:

    PVP-OPM or PVP-UAB certificate: wmla@microsoft.com

    PMP-PE certificate: pmpcert@microsoft.com


    Advanced Access Content System Licensing Administrator (AACS LA):

    http://www.aacsla.com/what/overview


    MSDN:

    Authenticode Signing Process

    http://msdn.microsoft.com/workshop/security/authcode/authenticode_ovw_entry.asp?frame=true

    Using Catalog Files

    http://msdn.microsoft.com/library/default.asp?url=/workshop/delivery/download/overview/catalog.asp

    Using Certified Output Protection Protocol (COPP)

    http://msdn.microsoft.com/library/en-us/dnwmt/html/using_certified_output_protection_protocol_copp__bwjn.asp?frame=true


    TechNet:

    Install an Enterprise Root Certificate Authority

    http://technet2.microsoft.com/WindowsServer/en/Library/4ffc15cf-f42f-43db-8eb9-fcd8c3102d621033.mspx


    WHDC Web site:

    Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista

    http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

    Driver Signing / File Protection (and supporting white papers)

    http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

    Output Content Protection and Windows Vista

    http://www.microsoft.com/whdc/device/stream/output_protect.mspx

    Windows Logo Program: hardware and driver requirements

    http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx


    Windows Driver Kit:

    Providing a Driver Package

    http://msdn.microsoft.com/library/en-us/GetStart_g/hh/GetStart_g/gs_install_549976f3-378f-460e-9980-6c9fc8a06335.xml.asp

    COPP Video Miniport Driver Template

    http://msdn.microsoft.com/library/en-us/display_d/hh/Display_d/dxvaguide_f5ae3c0b-ee3b-4d2c-8bd0-4aab18a8c546.xml.asp?frame=true


    Windows Media Device Manager 10 SDK:

    Secure Authenticated Channel Interface

    http://msdn.microsoft.com/library/en-us/wmdm10/htm/secureauthenticatedchannelinterface.asp?frame=true


    Windows Platform SDK:

    http://msdn.microsoft.com/platformsdk/

    Cryptography

    http://msdn.microsoft.com/library/en-us/security/security/cryptography_portal.asp


    Windows Quality Labs (WHQL) Web site:

    http://www.microsoft.com/whdc/whql/default.mspx

    Digital Signature Benefits

    https://winqual.microsoft.com/help/use_help/digisignaturebenefits_help.aspx

    May 10, 2006
    © 2006 Microsoft Corporation. All rights reserved.
