64-bit mandatory driver signing -- a huge mistake and a stupid idea

infamous

I don't really know the best place to post this, so I'm going to talk
about it here:

Windows Vista 64-bit's enforcement of mandatory driver signing was,
is, and will always be a bad idea. The only realistic way to disable
it was through an obscure hack using bcdedit, and now even that has
been taken away from us.

I have a computer full of hardware that I cannot use now, unless I
reboot and make sure I hit the F8 key.

Things were intolerable enough when using the bcdedit trick
arbitrarily killed hi-def DRM support -- but whatever, I don't use
DRMed content and I refuse to let it pollute my computer. But now,
even the bcdedit trick is gone, and users like myself are left with
computers full of hardware that, despite the availability of drivers
that meet *our* requirements, do not meet requirements of the media
lapdogs at Microsoft who imagined this dreadful system.

I understand there's an argument for security, but let's face it: the
real reason for Vista64's signing requirement is to appease Hollywood, in
order to prove that Windows(tm) Vista(tm) is a Safe Platform For
Protected Media(tm). The evidence is clear, in editorials, current
events, and even hardware's product manuals.

This "mandatory driver signature" crap needs to be shown the door.
Now. I can't afford -- nor do I care to -- update all of my hardware
to parts that have Microsoft's blessing. The situation is compounded
even worse when companies like E-MU (aka Creative Professional) are
withholding Vista64 support because the proper driver signature
*requires* DRM in products that not only have no use for it. (The
manual for my shiny new E-MU 0202 USB plainly states that it will
likely not see Vista x64 support because it can't meet the driver
signature's DRM requirement.)

So, long story short: take out the 64-bit driver signature
enforcement. Take it out now. This is intolerable.

I hope that this reaches someone sufficiently influential at
Microsoft.

Regards,

Tom

PS: The following is a short list of the various hardware and drivers
that, arbitrarily, I cannot use. Note that all of these things are
current (the first two are available for purchase at Fry's) and have
no real reason to be blocked:

EMU 0202 USB Audio Interface (EMU plainly admits that signing is
impossible due to DRM requirement)
Turtle Beach Riviera (CMI8738) PCI Soundcard (no mfr but excellent
homebrew drivers available)
XBCD Homebrew USB Xbox controller driver (works a bit better than MS'
equivalents)

PPS: Yes, I know I can dual-boot into XP. In fact, that's what I do.
But I shouldn't have to tie up two separate Windows licenses just to
get current 64-bit support (vista) and run "legacy" hardware (xp).
 
Andre Da Costa[ActiveWin]

Well, if it's too much for you, use Vista 32 bit then. Microsoft wanted to
start a clean slate with proper drivers written for Windows Vista, 64-bit
Vista gave them the opportunity to do that.
 
Peter Lawton

The non-MS line on this might of course be that MS would have forced it on
32bit Vista as well if it wasn't for the fact that if they had, even the few
people who have bought it so far would have taken it back for a refund.

Driver signing enforcement is entirely about DRM enforcement and nothing
else, otherwise why take away with patches etc the few existing ways to
disable it if the user wants to.

MS should have learned from Sony that its customers don't want DRM and
definitely don't want an OS that's painfully slow because of it

Peter Lawton
 
Andre Da Costa[ActiveWin]

Driver signing is specifically meant to guarantee the device driver you
install is safe and 'will' work, nothing else. You really don't know how
much the end user benefits from this.
 
Peter Lawton

Driver signing guarantees the device driver you install is safe and 'will'
work ?

<FX: Ducks to avoid flying pig>

All driver signing actually guarantees is that MS can have the signing
certificate revoked of any company that's attempting to do anything that MS
don't like.

Peter Lawton
 
Paul Smith

Peter Lawton said:
The non-MS line on this might of course be that MS would have forced it on
32bit Vista as well if it wasn't for the fact that if they had, even the
few people who have bought it so far would have taken it back for a
refund.

Not practical with the amount of old drivers which do work, but that
wouldn't be updated for Windows Vista. If they were going to do that, they
might as well have scrapped the 32-bit versions and just released 64-bit, the
impact on compatibility would be similar.

Driver signing enforcement is entirely about DRM enforcement and nothing
else, otherwise why take away with patches etc the few existing ways to
disable it if the user wants to.

I don't believe DRM was the primary driving force behind this, but
reliability and security. If you install a malicious driver that claims to
be for your webcam yet isn't, you've effectively given control of your
machine over to somebody else, that driver can disable your firewall, create
a service listening for outside connections, record all your keystrokes you
name it, there's probably a way to do it.

MS should have learned from Sony that its customers don't want DRM and
definitely don't want an OS that's painfully slow because of it

How does a driver being signed (no different than from how a website is
signed if you're using SSL) slow the machine down?

The state of drivers needed to be cleaned up, this is one step in the right
direction.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*
 
infamous

Driver signing is specifically meant to guarantee the device driver you
install is safe and 'will' work, nothing else. You really don't know how
much the end user benefits from this.

Yes, driver signing is wonderful for reliability. BUT! _It should not
be so mandatory that perfectly good hardware doesn't work because of
signing issues._ Power users need to have a permanent option of
switching it off, or certificates need to become far more widely
available. The current solution of locking users out of their own
hardware is hardly acceptable.
 
Paul Smith

Peter Lawton said:
Driver signing guarantees the device driver you install is safe and 'will'
work ?

It guarantees the driver is from whoever signed it.

All driver signing actually guarantees is that MS can have the signing
certificate revoked of any company that's attempting to do anything that
MS don't like.

Wrong.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*
 
infamous

Well, if it's too much for you, use Vista 32 bit then. Microsoft wanted to
start a clean slate with proper drivers written for Windows Vista, 64-bit
Vista gave them the opportunity to do that.

XP doesn't properly recognize the total amount of RAM in my system,
hence the move to 64. I own licenses for XP Pro RTL and Vista RTL. Is
my only other option purchasing a copy of XP x64?
 
Tom Lake

infamous said:
On Jan 3, 4:48 am, "Andre Da Costa[ActiveWin]" <[email protected]>
wrote:
Yes, driver signing is wonderful for reliability. BUT! _It should not
be so mandatory that perfectly good hardware doesn't work because of
signing issues._ Power users need to have a permanent option of
switching it off, or certificates need to become far more widely
available. The current solution of locking users out of their own
hardware is hardly acceptable.

Using the free software VistaBootPro, you can turn off driver signing.

http://www.vistabootpro.org/

Tom Lake
 
infamous

On Jan 3, 4:48 am, "Andre Da Costa[ActiveWin]" <[email protected]>
wrote:
Yes, driver signing is wonderful for reliability. BUT! _It should not
be so mandatory that perfectly good hardware doesn't work because of
signing issues._ Power users need to have a permanent option of
switching it off, or certificates need to become far more widely
available. The current solution of locking users out of their own
hardware is hardly acceptable.

Using the free software VistaBootPro, you can turn off driver signing.

http://www.vistabootpro.org/

Tom Lake

That trick no longer works, as it was disabled by a recent update. All
vistabootpro did to fix that was enable DDISABLE_INTEGRITY_CHECKS(sp?)
for you.
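
A defender's view of the boot option named in the post above, as an added example that is not part of the original thread: it audits saved `bcdedit /enum` text output for settings that weaken driver signature enforcement. The function names and the sample output are constructed for illustration, and `nointegritychecks` and `testsigning` are related BCD settings that the thread itself does not mention.

```python
import re

# Load option named in the thread, plus two related BCD settings
# (assumption: included here for completeness, not taken from the thread).
LOADOPTION_FLAGS = {"DDISABLE_INTEGRITY_CHECKS"}
BOOLEAN_FLAGS = {"nointegritychecks", "testsigning"}
DASHES = re.compile(r"-{3,}")

# Constructed sample of `bcdedit /enum` output (not from a real machine).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
nointegritychecks       No
"""

def parse_bcd_entries(text):
    """Split bcdedit text output into one {setting: value} dict per entry."""
    entries, current = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if stripped and DASHES.fullmatch(nxt):        # title line above a dash row
            current = {"_title": stripped}
            entries.append(current)
        elif current is not None and stripped and not line[0].isspace() \
                and not DASHES.fullmatch(stripped):   # skip dash rows and continuations
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0].lower()] = parts[1].strip()
    return entries

def audit(text):
    """Return (identifier, setting, value) for each enforcement-weakening option."""
    findings = []
    for entry in parse_bcd_entries(text):
        ident = entry.get("identifier", entry["_title"])
        opts = entry.get("loadoptions", "").upper().split()
        for flag in sorted(LOADOPTION_FLAGS.intersection(opts)):
            findings.append((ident, "loadoptions", flag))
        for key in sorted(BOOLEAN_FLAGS):
            if entry.get(key, "").lower() in ("yes", "on"):
                findings.append((ident, key, entry[key]))
    return findings
```
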
 
Peter Lawton

Personal views inline

Paul Smith said:
Not practical with the amount of old drivers which do work, but that
wouldn't be updated for Windows Vista. If they were going to do that,
they might as well have scrapped the 32-bit versions and just released
64-bit, the impact on compatibility would be similar.

If MS didn't plan to enforce signing on 32bit versions as well as soon as
they can get away with it I doubt they'd have bothered doing it on 64bit
versions, they already enforce signing on 32bit vista where DRM is involved
I think

I don't believe DRM was the primary driving force behind this, but
reliability and security. If you install a malicious driver that claims
to be for your webcam yet isn't, you've effectively given control of your
machine over to somebody else, that driver can disable your firewall,
create a service listening for outside connections, record all your
keystrokes you name it, there's probably a way to do it.

I would have agreed with you if signing was enforced on ALL drivers, however
it looks to me, although I'm not an expert, as if driver signing is only
enforced on the subset of drivers that could bypass DRM. Boot start, kernel
and Protected Media Path.
But if DRM wasn't the primary driving force then why remove the user's
ability to disable driver signing enforcement if they chose to by editing
the boot config

How does a driver being signed (no different than from how a website is
signed if you're using SSL) slow the machine down?

No, the signing doesn't affect speed in any way, it's the DRM infestation
that's affecting speed with all the checks that are being continually done.
 
Tom Lake

That trick no longer works, as it was disabled by a recent update. All
vistabootpro did to fix that was enable DDISABLE_INTEGRITY_CHECKS(sp?)
for you.

Curses! Foiled again! 8^(

Tom Lake
 
infamous

Personal views inline

If MS didn't plan to enforce signing on 32bit versions as well as soon as
they can get away with it I doubt they'd have bothered doing it on 64bit
versions, they already enforce signing on 32bit vista where DRM is involved
I think

I would have agreed with you if signing was enforced on ALL drivers, however
it looks to me, although I'm not an expert, as if driver signing is only
enforced on the subset of drivers that could bypass DRM. Boot start, kernel
and Protected Media Path.
But if DRM wasn't the primary driving force then why remove the user's
ability to disable driver signing enforcement if they chose to by editing
the boot config

No, the signing doesn't affect speed in any way, it's the DRM infestation
that's affecting speed with all the checks that are being continually done.

My thoughts exactly. Users need to be allowed override control on
*their* computers. I don't mind the 64-bit driver signing, and its
implementation makes sense -- but if I can't turn it off, then the
whole point of *personal* computers is lost.

I understand some users want security and stability. That's fine. But
many of us here are smarter than that, and do not appreciate the
software-enforced nanny-state hand-holding.
 
