Microsoft® Windows Vista™ plans to enable the playback of next-generation premium content such as HD DVD and other formats that are licensed under the Advanced Access Content System (AACS) specification for all systems that it trusts. Microsoft plans to work behind the scenes to help end users' systems become trusted and continue to be trusted by Microsoft, and thus be able to enjoy the premium content they have purchased and are entitled to the "fair use" of, while assuming that ownership of the content is the content providers' and not the end users'.
To ensure access to this new content, systems must support the requirements that are defined by the AACS specification and the requirements of content providers.
Windows Vista fulfills one of these requirements through code signing.
System and device manufacturers must follow new code-signing requirements for systems that will support the playback of premium content. These requirements include:
All kernel-mode code must be code signed for a PC system to be able to play back next-generation premium content.
Components that run within the Windows Vista Protected Media Path (PMP) must be signed for the PMP to ensure access to premium content.
Display device drivers must include an embedded certificate that verifies a robust pipeline throughout the video processing engine.
Premium-content owners require a higher level of access protection than was previously necessary. PC systems and devices that do not comply with the policies that are associated with a given piece of content will not be able to play back that content. An example of such a requirement is that content can only be served to an identified kernel when it flows through the PC. An identified kernel has all of its modules signed by a trusted source.
Systems must support the protection policy requirements as defined by the premium-content owners. System and device manufacturers are working with Microsoft to meet these requirements. In general, content protection encompasses multiple technologies, such as copy protection, link protection, conditional access, and digital rights management (DRM). Each of these technologies attempts to ensure that content can be used only in a way that is consistent with what the content owner intended.
Terminology:
Advanced Access Content System (AACS) is a specification for managing content that is stored on the next generation of prerecorded and recorded optical media for consumer use with PCs and consumer electronic devices.
Certification authority (CA) is an authority that provides certificates to confirm that the public key is from the subject who claims to have sent the public key.
Code-signing certificate is a certificate that is issued for the purpose of signing binaries.
Cross certification is the process of issuing subordinate CA certificates for existing CAs that link two root CAs.
Cross-certification authority certificate is a certificate that is issued by one CA for another CA's signing key pair (that is, for another CA's public verification key). Also known as cross certificate.
DRM attribute is a code-signing attribute that is provided by the Windows Logo Program. It verifies that the driver complies with Universal Audio Architecture (UAA) audio hardware requirements and allows the driver to handle protected content.
Discrete versus integrated graphics - A discrete graphics adapter is a stand-alone device, typically a plug-in board. An integrated graphics adapter is embedded in the system board chipset.
Identified kernel is a kernel in which all kernel-mode drivers on the system are signed by a source that Microsoft trusts.
Kernel-mode code signing (KMCS) is the process of digitally signing software so that it meets the system requirements to be loaded in kernel mode. When used by vendors, KMCS combines standard code signing with an additional cross certificate that verifies the code's identity.
Media Interoperability Gateway (MIG) is an extensible multimedia pipeline that is built on top of the new Media Foundation API and runs inside the Protected Environment (PE).
MIG plug-in is a media processing or content protection component that is meant to be hosted inside the MIG pipeline and PE to process protected premium content. Examples of MIG plug-ins are codecs and content-protection components such as decryptors.
Participating driver is any user-mode component that loads into the PMP PE and has access to unencrypted protected content that flows through a PC system to a final destination, such as a monitor.
Protected content is any content that is protected by some form of DRM.
Premium content is next-generation media content such as an HD DVD and other formats that are protected under the AACS standard.
Protected Environment (PE) is the protected execution environment in which PMP components run.
Protected Media Path (PMP) is an umbrella term for the collection of platform technologies that provide content processing. PMP is a platform for sourcing, sinking, and manipulating protected media content. Technologies that constitute the Protected Media Path include Protected Video Path (PVP), Protected User-Mode Audio (PUMA), and the PE. The PMP runs inside the PE.
Protected User-Mode Audio (PUMA) is the new User-Mode Audio (UMA) engine in the PE. It checks that the enabled outputs are consistent with what the premium content provider allows. PUMA-compliant code is identified to the system through the DRM attribute.
Protected Video Path (PVP) is an umbrella term for the protection mechanisms that operate within the Protected Environment on your PC to ensure that the various video outputs from the PC, such as Digital Video Interface (DVI), video graphics array (VGA), and TV-out, are properly controlled or protected in accordance with the content's policy. PVP components include PVP-OPM and PVP-UAB.
Protected video path-output protection management (PVP-OPM) is a component that ensures that the PC's video outputs have the required protection for the content providers or that they are turned off for the end user if such protection is not available.
PVP-OPM Legacy Mode Certificate is a certificate that replaces the Windows XP Certified Output Protection Protocol (COPP) certificate. From an engineering standpoint, this is a COPP format certificate. It is intended for use on Windows Vista only to allow COPP legacy applications to function.
Protected video path-user accessible bus (PVP-UAB) is a component that provides encryption of premium content as it passes over the PCI Express (PCIe) bus to the graphics adapter to keep the end user from accessing this content in any way that might conflict with the desires of the content provider and thereby true content owner per Microsoft.
Secure Audio Path (SAP) is the mechanism introduced in Microsoft Windows XP to protect audio content rendering. Windows Vista replaces SAP with PUMA. SAP-compliant code is identified to the system through the DRM attribute.
The PMP and Output Protection
The PMP consists of four primary components, MIG, PVP-OPM, PVP-UAB, and PUMA:
MIG provides content protection for Media Foundation applications. It is an extensible platform for sourcing, sinking, and manipulating protected media content. MIG governs policy usage and runs media in a separate process to ensure that media content is used only in a way that is consistent with the intent of the content provider.
PVP-OPM ensures that a PC's integrated graphics adapter outputs have the protection that is required under license agreement with content owners. It provides reliable control of output protection schemes such as high-bandwidth digital content protection (HDCP), Macrovision, and Copy Generation Management System-Analog (CGMS-A).
PVP-UAB encrypts premium content as it passes over the PCI Express (PCIe) bus to a discrete graphics adapter. This encryption is required when a content owner's policy regards the PCIe bus as a user-accessible bus.
PUMA provides a safer environment for audio playback, as well as checking that the enabled outputs are consistent with what the premium content provider allows. PUMA includes the same level of audio output protection management that SAP provided in Windows XP, but it is handled in a completely different way and takes advantage of the PE.
Manufacturers of graphics adapters must implement the required protection mechanisms on card outputs and must ensure that the associated drivers have robust control of those outputs. Manufacturers must sign a PVP-OPM or PVP-UAB license agreement to receive a PVP certificate, which must be embedded in their drivers. Without the embedded PVP certificate, Windows Vista is not allowed to pass premium content to the driver.
The following figure provides a quick summary of how components that are discussed in this paper interact in Windows Vista.
Figure: PMP Overview
Code-Signing Requirements for PMP Components
This section briefly summarizes the components and methods that are involved in signing code to support premium-content playback on Windows Vista systems.
Components that Must Be Signed
A number of components must be signed. However, the type of signing depends on the particular component and whether it supports next-generation premium content.
To satisfy content providers' requirement for an "identified kernel," all code that loads into kernel memory in Windows Vista must be signed for identity to allow playback of next-generation premium content.
Display device drivers must have an embedded PVP-OPM or PVP-UAB certificate, in addition to the signing for identity that is required for kernel-mode components.
PVP-OPM certificates are required for all graphics devices.
Where bus encryption is required, PVP-UAB certificates are required.
All user-mode code that loads into the PE must be PMP-PE signed or signed by WHQL with a PE attribute. This requirement includes components that participate in PUMA.
If the content requires PUMA, kernel-mode drivers that load into the audio stack must be signed with the DRM attribute, which ensures that content that is not so protected by using Windows Media DRM cannot be played.
KMCS Requirements
KMCS is used to ensure that content is served only to an identified kernel when it flows through the PC. Microsoft considers a kernel "identified" if all kernel-mode drivers on the system are signed by a source that Microsoft trusts. KMCS is an important step that helps ensure great consumer experiences by providing increased device reliability and access to next-generation entertainment experiences. System and device manufacturers are urged to get their kernel-mode drivers signed.
Currently, the following signing methods are accepted for kernel-mode modules:
Signed through the WHQL testing program as part of a driver package submission. For further information, see the WHQL Web site, which is listed in "Resources" at the end of this paper.
Signed by the vendor, by using the KMCS process. This process uses the vendor's code-signing certificate together with the cross certificate.
User-Mode Code-Signing Requirements
PUMA is the new user-mode audio engine in the Windows Vista PE. It provides a safe environment for audio playback and also checks that the enabled outputs are consistent with what the content allows. To be loaded in the PMP PE and process premium content, all user-mode binaries, including codecs, media sources, and media sinks, must be signed with a PE attribute.
Currently, the following signing methods are accepted for user-mode modules:
Signed by WHQL.
If the package that is submitted to WHQL includes a Windows Display Driver Model (WDDM) driver and a related user-mode component, WHQL signs the package with a PE attribute.
If the package that is submitted to WHQL falls into the audio classification program, WHQL signs the package with both PE and DRM attributes.
Signed by the vendor, by using a PMP-PE certificate, obtained from Microsoft. For information on this certificate, see "How to Obtain Certificates" later in this paper.
Revocation and Renewal
After a trusted PE component has been released and installed on users' systems, it could for a variety of reasons become untrusted. For example, the signing certificate's private key could be compromised. A component that becomes untrusted is revoked, which means that the PE is no longer allowed to handle premium content.
Microsoft provides a way to renew compromised components with updated trusted versions so that end users can once again enjoy the content they paid for but are unable to play because Microsoft does not trust their PCs.
There are three renewal scenarios and provision is also made in the event renewal is not possible:
Automatic renewal. By default, Windows Vista automatically downloads and installs all critical and recommended updates.
Component renewal is considered a recommended update; this gives system and component providers access to end-user systems to quietly update the component, without the knowledge of the end user, before it can cause any problems for the user.
On-demand renewal. If the user has disabled automatic updates or has been off the network for an extended time, thus keeping components from being renewed, the end user may attempt to use an application to play premium content with an untrusted component. In this case, the application, and not the end user, will be notified of such an attempt and given the opportunity to initiate the updates the end user has disabled, and will be provided with a URL that allows the application to initiate the renewal process. The process is handled in one of two ways:
The URL references a specific Microsoft Update package. The process downloads the package and launches the Update Installation Wizard to install it, or, in some cases where the end user is or should be aware of this process, the URL takes the user to a Web site where he or she can manually download the updated version.
Not renewable. In rare cases, an updated version of the component may not be available; for example, the company that implemented the component has gone out of business. If the component is not essential, the PE can work around the issue by not loading the component. If the component is essential, the application is provided with a URL that directs the user to a Web page that has information on the issue.
Summary of Certificates and Signing Options
The following table summarizes the different types of certificates and the signing options for various components.
Certificates Used During Playback of Protected Content that Requires PMP
| Component | Certificate type required | Certificate use | Example playback scenarios enabled | Options for signing |
|---|---|---|---|---|
| | Code signing | Code signing | HD DVD | KMCS [1], WHQL [2] |
| | PVP-OPM | Challenge-response | HD DVD on integrated graphics adapters | MFPMP [3] |
| | PVP-UAB | Challenge-response | HD DVD on discrete graphics adapters | MFPMP |
| | PVP-OPM legacy mode | Challenge-response | Content that required COPP on Windows XP | MFPMP |
| Non-participating kernel-mode driver | Code signing | Code signing | HD DVD | KMCS, WHQL |
| Participating user-mode display driver component | PMP-PE | Code signing | Playback of protected content through the PMP | WHQL, MFPMP |
| Participating kernel-mode audio driver components | PUMA | Code signing | SAP content when audio service providers turn on this requirement. | WHQL |
| Participating user-mode audio driver components or audio processing objects (APOs) | PMP-PE | Code signing | Components or APOs can process protected content. | WHQL, MFPMP |
| Media Foundation pipeline plug-ins (codecs, mf-transforms) | PMP-PE | Code signing | Plug-ins can process protected content | MFPMP |

[1] KMCS process, using a code-signing certificate and a cross certificate.
[2] Windows Hardware Quality Labs testing program.
[3] Media Foundation Protected Media Path.
Kernel modules signed with a test certificate are considered untrusted by the Windows Vista PE Authority. This means that the kernel is reported as "not identified" and premium content that requires an identified kernel will not play back.
Playback of premium content requires that only identified drivers be loaded on the system.
When content is loaded on a system, several checks are required to ensure the safety of the system. One check is for the presence of an identified kernel. When requested, the PMP performs this check by verifying that all kernel modules that are loaded on the system have been signed by a source that Microsoft trusts. If this verification fails, the PMP halts playback of that content and sends a message to the media application that includes information to help resolve the issue.
Premium content requires signed legacy kernel-mode modules.
kernel. Playback that requires an identified kernel cannot be played if the system contains any legacy unsigned kernel-mode drivers. To play this content, consumers must obtain a signed version of the driver from the vendor.
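An added example (not part of the original paper or of the edits made to it): a PowerShell audit that lists the running kernel-mode drivers and flags any without a valid Authenticode signature, which is the condition the text above says leaves a kernel "not identified". It assumes PowerShell 5.1 or later on a current Windows release; `Resolve-DriverPath` is a hypothetical helper name, and a `Valid` status means the chain is trusted by the local machine, which is broader than the trust the PMP applies.

```powershell
# Added example: audit running kernel-mode drivers for Authenticode signatures.
# This approximates the "identified kernel" condition; it is not the PMP's own check.
# Caveat: PowerShell versions before 5.1 do not consult security catalogs, so
# catalog-signed (WHQL) drivers can show up there as NotSigned.

function Resolve-DriverPath {
    # Hypothetical helper: turn a service image path into a Win32 file path.
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName.Trim().Trim('"')
    # Strip the NT object-namespace prefix if present.
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') {
        # '\SystemRoot\' is 12 characters long.
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif ($p -like 'system32\*') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Win32_SystemDriver covers kernel drivers and file system drivers; both run in kernel mode.
$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }
        [pscustomobject]@{
            Driver = $_.Name
            Status = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path   = $path
        }
    }

# Anything other than 'Valid' (NotSigned, NotTrusted, HashMismatch, ...) needs review.
# A test-signed driver normally reports as not trusted unless its test root was
# installed in the machine's trusted root store.
$flagged = @($report | Where-Object { $_.Status -ne 'Valid' })

$report | Sort-Object Status, Driver | Format-Table Driver, Status, Signer -AutoSize

if ($flagged.Count -gt 0) {
    Write-Warning ("{0} running driver(s) without a valid signature:" -f $flagged.Count)
    $flagged | Format-List Driver, Status, Path
} else {
    Write-Output 'All running kernel-mode drivers have a valid signature.'
}
```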
Summary and Call to Action
Kernel-mode driver signing helps ensure that end users, with Microsoft's help and Vista, will be provided access to next-generation entertainment experiences.
Call to action for device and system manufacturers:
Two general recommendations:
Sign your code. Even without the issues related to premium content, Microsoft recommends that software and driver vendors sign all their code.
Participate in the Windows Vista Logo Program.
For system and device manufacturers who create products that support Windows Vista premium content experiences, the following code-signing requirements must be met:
All kernel-mode code must be code signed. This meets the content providers' requirement for an "identified" kernel. This requirement applies to both x86- and x64-based systems and includes both participating and non-participating drivers. All driver and application components that participate in the Windows Vista PE must, at a minimum, be signed by WHQL or with the manufacturer's certificate. This requirement includes all user-mode components that are part of the PMP.
Display device drivers must include an embedded certificate for PVP-OPM (for integrated graphics adapters) or PVP-UAB (for discrete graphics adapters).
as edited and clarified by...
TheStain