The following table summarizes the different types of certificates and the signing options for various components.
Certificates Used During Playback of Protected Content that Requires PMP

| Component | Certificate type required | Certificate use | Example playback scenarios enabled | Options for signing |
| --- | --- | --- | --- | --- |
| Participating kernel-mode display device driver | Code signing | Code signing | HD DVD | KMCS (1), WHQL (2) |
| Participating kernel-mode display device driver | PVP-OPM | Challenge-response | HD DVD on integrated graphics adapters | MFPMP (3) |
| Participating kernel-mode display device driver | PVP-UAB | Challenge-response | HD DVD on discrete graphics adapters | MFPMP |
| Participating kernel-mode display device driver | PVP-OPM legacy mode | Challenge-response | Content that required COPP on Windows XP | MFPMP |
| Non-participating kernel-mode driver | Code signing | Code signing | HD DVD | KMCS, WHQL |
| Participating user-mode display driver component | PMP-PE | Code signing | Playback of protected content through the PMP | WHQL, MFPMP |
| Participating kernel-mode audio driver components | PUMA | Code signing | SAP content when audio service providers turn on this requirement | WHQL |
| Participating user-mode audio driver components or audio processing objects (APOs) | PMP-PE | Code signing | Components or APOs can process protected content | WHQL, MFPMP |
| Media Foundation pipeline plug-ins (codecs, MF transforms) | PMP-PE | Code signing | Plug-ins can process protected content | MFPMP |

(1) KMCS process, using a code-signing certificate and a cross certificate.
(2) Windows Hardware Quality Labs testing program.
(3) Media Foundation Protected Media Path (for details, send e-mail to pmpcert@microsoft.com).
This section provides instructions and recommendations for obtaining the certificates that PMP requires.
PVP-OPM and PVP-UAB Certificates
The process for obtaining a PVP-OPM or PVP-UAB certificate includes signing a license and providing a set of information files to Microsoft. Manufacturers who must obtain certificates should send an e-mail request to wmla@microsoft.com.
PMP-PE Certificates
If your company is a Media Foundation technology adoption program (TAP) participant and you believe that you require a PMP-PE certificate for the Beta 2 timeframe, send an e‑mail to pmpcert@microsoft.com to be considered as a candidate for the PMP-PE certificate. See also "Requesting Multiple Certificates" later in this paper.
Note: This PMP-PE certificate process is available only during the Windows Vista Beta 2 timeframe. For information about the processes that apply after the beta testing of Windows Vista concludes, go to the "Driver Signing" page on the WHDC Web site.
Best Practices for Code Signing PMP Components
This section provides recommendations from Microsoft for planning and managing the code-signing processes for components that will run in the PE for playback of protected media.
Safeguarding Code-Signing Keys
The cryptographic keys that are at the heart of the code-signing process must be well protected. These keys represent a company’s identity and should be treated with the same care as a company’s most valuable assets. Any code that is signed with these keys appears to Windows as if it contains a valid digital signature that can be traced to the company. If the keys are stolen, they could be used to fraudulently sign malicious code and possibly result in the delivery of code that contains a Trojan or virus that appears to come from a legitimate publisher.
Requesting Multiple Certificates
Your company can request multiple PMP-PE certificates from Microsoft. However, consider the following factors:
Certification overhead. Microsoft is striving to streamline the certification process. However, some overhead is still associated with obtaining a PMP-PE certificate, so obtaining a new certificate from Microsoft for every product release, update, or quick-fix engineering (QFE) release is less than optimal.
Recommendation: Obtain one certificate for each product line and use the same certificate to sign subsequent releases of those products.
Impact of revocation. All components in the Protected Media Path, including MIG plug-ins, are revocable. Both the component's signing certificate and the component's hash can be revoked. Revoking a signing certificate invalidates every component that was signed by using that certificate or that certificate chain.
Recommendation: Because of its overarching impact, certificate revocation is rare. We recommend that you request a different certificate for each product line, so that in the rare catastrophic situation in which a certificate must be revoked, you invalidate only a subset of your products. You should also provide a mechanism to renew compromised components through the Windows Update service or a private Web site.
For PC systems that will play premium content, all kernel-mode code must be signed for identity. Kernel-mode code that loads at boot time must additionally carry an embedded signature, because the catalog files that carry other signatures are not yet available when boot drivers are loaded.
Recommendation: Embedded-sign all boot drivers through the KMCS process. For information about embedded signing through the KMCS process, see the "Driver Signing" page on the WHDC Web site.
Test Signing Kernel-Mode Code
Kernel modules signed with a test certificate are considered untrusted by the Windows Vista PE Authority. This means that the kernel is reported as "not identified" and premium content that requires an identified kernel will not play back.
Understanding the User Experience with Protected Content
This section presents some user experience issues that have been raised about protected content playback and Windows Vista by both industry and consumer communities.
PMP-PE enforcement does not stop devices from working.
The PMP PE Authority can stop the flow of data to media applications, but it does not disable the DVD drive or the hard disk.
Playback of premium content requires that only identified drivers be loaded on the system.
When new premium content is loaded on a Windows Vista system, several checks are required to ensure the safety of the system. One check is for the presence of an identified kernel. When requested, the PMP performs this check by verifying that all kernel modules that are loaded on the system have been signed by a source that Microsoft trusts. If this verification fails, the PMP halts playback of that content and sends a message to the media application that includes information to help resolve the issue.
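The identified-kernel check described above, together with the embedded-signature requirement for boot drivers and the untrusted status of test-signed modules from the earlier sections, can be approximated on a live system with the following PowerShell script. It is an added example, not part of the original paper or a Microsoft tool; it assumes Windows 8 / PowerShell 3.0 or later (so that catalog signatures are recognised and SignatureType is populated), and it covers only drivers registered as services, not every loaded kernel image.

```powershell
# Added example (not from the original paper). Enumerates running kernel drivers,
# verifies each file's Authenticode signature, and flags the two failure modes the
# paper describes: modules whose signature is missing or not trusted (test-signed
# modules land here), and boot-start drivers that rely on a catalog rather than an
# embedded signature. Assumes Windows 8 / PowerShell 3.0 or later.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise them.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-KernelModuleSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; Path = $path; StartMode = $d.StartMode
                Status = 'FileNotFound'; SignatureType = 'None'; Signer = $null
                Issue = 'file missing' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $issue = $null
        if ($sig.Status -ne 'Valid') {
            # Unsigned, tampered, or chain ends in an untrusted root (test certificates).
            $issue = "not identified ($($sig.Status))"
        } elseif ($d.StartMode -eq 'Boot' -and $sig.SignatureType -ne 'Authenticode') {
            # Boot drivers need an embedded signature; a catalog entry alone is not enough.
            $issue = 'boot driver without embedded signature'
        }
        [pscustomobject]@{ Name = $d.Name; Path = $path; StartMode = $d.StartMode
            Status = $sig.Status; SignatureType = $sig.SignatureType
            Signer = $sig.SignerCertificate.Subject; Issue = $issue }
    }
}

$report   = Get-KernelModuleSignatureReport
$problems = $report | Where-Object { $_.Issue }
if ($problems) {
    $problems | Format-Table Name, StartMode, Status, SignatureType, Issue -AutoSize
} else {
    'All running kernel modules carry trusted signatures (identified kernel).'
}
```

Run from an elevated prompt so that every driver file is readable; a non-empty problem list corresponds to the condition under which the PMP halts premium-content playback.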
Existing content is not affected by the PMP requirements.
Users can continue to play existing content such as recorded television, standard definition DVDs, or MP3s. The policies that control the use of existing content are not affected by the new requirements for premium content.
Premium content requires signed legacy kernel-mode modules.
Existing media that can be played on Windows XP can also be played on Windows Vista, regardless of whether the system has an identified kernel. However, premium-content playback that requires an identified kernel cannot be played if the system contains any legacy unsigned kernel-mode drivers. To play this content, consumers must obtain a signed version of the driver from the vendor.
Summary and Call to Action
Kernel-mode driver signing helps ensure great consumer experiences by providing increased driver reliability, increased security against malware, and access to next-generation entertainment experiences.
Call to action for device and system manufacturers:
Two general recommendations:
Sign your code. Even without the issues related to premium content, Microsoft recommends that software and driver vendors sign all their code.
Participate in the Windows Vista Logo Program.
For system and device manufacturers who create products that support Windows Vista premium content experiences, the following code-signing requirements must be met:
All kernel-mode code must be code signed. This meets the content providers' requirement for an "identified" kernel. This requirement applies to both x86- and x64-based systems and includes both participating and non-participating drivers.
All driver and application components that participate in the Windows Vista PE must—at a minimum—be signed by WHQL or with the manufacturer’s certificate. This requirement includes all user-mode components that are part of the PMP.
Display device drivers must include an embedded certificate for PVP-OPM (for integrated graphics adapters) or PVP-UAB (for discrete graphics adapters).
Manufacturers can obtain PVP-OPM, PVP‑UAB, and PMP-PE certificates by contacting Microsoft by e‑mail and signing the related license agreements.
Tools and guidelines for code signing are provided in the WDK and the Platform SDK, and submission guidelines for driver signing under the WHQL testing program are available on Microsoft.com.
References
E-mail contacts for PVP license agreements:
PVP-OPM or PVP-UAB certificate: wmla@microsoft.com
PMP-PE certificate: pmpcert@microsoft.com
Advanced Access Content System Licensing Administrator (AACS LA): http://www.aacsla.com/what/overview
MSDN:
Authenticode Signing Process: http://msdn.microsoft.com/workshop/security/authcode/authenticode_ovw_entry.asp?frame=true
Using Catalog Files: http://msdn.microsoft.com/library/default.asp?url=/workshop/delivery/download/overview/catalog.asp
Using Certified Output Protection Protocol (COPP): http://msdn.microsoft.com/library/en-us/dnwmt/html/using_certified_output_protection_protocol_copp__bwjn.asp?frame=true
TechNet:
Install an Enterprise Root Certificate Authority: http://technet2.microsoft.com/WindowsServer/en/Library/4ffc15cf-f42f-43db-8eb9-fcd8c3102d621033.mspx
WHDC Web site:
Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista: http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
Driver Signing / File Protection (and supporting white papers): http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx
Output Content Protection and Windows Vista: http://www.microsoft.com/whdc/device/stream/output_protect.mspx
Windows Logo Program: hardware and driver requirements: http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx
Windows Driver Kit:
Providing a Driver Package: http://msdn.microsoft.com/library/en-us/GetStart_g/hh/GetStart_g/gs_install_549976f3-378f-460e-9980-6c9fc8a06335.xml.asp
COPP Video Miniport Driver Template: http://msdn.microsoft.com/library/en-us/display_d/hh/Display_d/dxvaguide_f5ae3c0b-ee3b-4d2c-8bd0-4aab18a8c546.xml.asp?frame=true
Windows Media Device Manager 10 SDK:
Secure Authenticated Channel Interface: http://msdn.microsoft.com/library/en-us/wmdm10/htm/secureauthenticatedchannelinterface.asp?frame=true
Windows Platform SDK: http://g.msn.com/9SE/1?http://msdn.microsoft.com/platformsdk/&&DI=6066&IG=8e8172e1b127447eab9e76a30e0267b7&POS=1&CM=WPU&CE=1&CS=AWP&SR=1
Cryptography: http://msdn.microsoft.com/library/en-us/security/security/cryptography_portal.asp
Windows Hardware Quality Labs (WHQL) Web site: http://www.microsoft.com/whdc/whql/default.mspx
Digital Signature Benefits: https://winqual.microsoft.com/help/use_help/digisignaturebenefits_help.aspx
May 10, 2006
© 2006 Microsoft Corporation. All rights reserved.