Bug 1376048

Summary: [tracking] New Windows 10 driver signing requirements
Product: Red Hat Enterprise Linux 8
Reporter: Ladi Prosek <lprosek>
Component: virtio-win
Assignee: Yvugenfi <yvugenfi>
virtio-win sub component: virtio-win-prewhql
QA Contact: lijin <lijin>
Status: CLOSED WONTFIX
Docs Contact:
Severity: unspecified
Priority: unspecified
CC: ailan, ghammer, jinzhao, lersek, lijin, mtessun, vrozenfe, yvugenfi
Version: 8.0
Keywords: Tracking
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-18 10:05:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1682882
Bug Blocks: 1743480

Description Ladi Prosek 2016-09-14 14:05:35 UTC
This is a brief description of what's changed in Windows 10 build 1607 (aka Anniversary Update aka Redstone 1) with respect to driver signing.

If the following conditions are met:
- 1607 installed from scratch, i.e. not upgraded
- UEFI secure boot is enabled

the system will not load new (signed with a certificate issued after July 29th 2015) cross-signed drivers. Our upstream/Fedora drivers are cross-signed, our RHEL WHQL-ed drivers are not and will *not* be affected by this change.

Fedora and other users of our pre-WHQL drivers have the following options to work around this:

1. disable secure boot
2. use an older virtio-win build - anything up to and including 102 will work
3. set a special secret registry key to fall back to allowing cross-signed drivers (this has been mentioned in MSFT communication but the specifics are not known at this point)

One possible way of solving this without resorting to workarounds would be using the so-called attestation signing to have Fedora Win10 drivers signed by Microsoft without WHQL. This would be limited to client Win10 though, at least based on the information published here:

https://msdn.microsoft.com/en-us/windows/hardware/drivers/develop/attestation-signing-a-kernel-driver-for-public-release

"An attestation signed driver will only work for Windows 10 Desktop, it will not work for other versions of Windows, such as Windows Server 2016, Windows 8.1, or Windows 7."
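As an added example (not part of the bug report or of the virtio-win project), the following PowerShell function lets an administrator check, on a given Windows host, whether a driver binary meets the blocking conditions the report describes: Windows 10 1607 or later, UEFI Secure Boot enabled, and a cross-signed (non-Microsoft) signature whose certificate was issued after July 29th 2015. The cut-off date and the "1607" release id are taken from the report; the `ReleaseId` registry value, the `Confirm-SecureBootUEFI` and `Get-AuthenticodeSignature` cmdlets, and the Microsoft publisher common name used to distinguish WHQL/attestation signatures from cross-signatures are standard Windows items assumed here, not stated on the page. Whether the OS was installed clean rather than upgraded is not detectable from a script and is returned as a manual check item.

```powershell
# Added example, not code from the bug report or the virtio-win project.
# Evaluates a driver binary against the Windows 10 1607 Secure Boot restriction
# described above: RS1 or later + Secure Boot + cross-signed driver whose
# signing certificate was issued after 2015-07-29 => driver will not load.
# Assumptions not on the page: ReleaseId reads "1607" for the Anniversary
# Update; drivers signed directly by Microsoft (WHQL or attestation) carry the
# publisher CN below. Clean-install vs. upgrade cannot be detected here.
function Test-Win10CrossSignedDriver {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DriverPath
    )

    # Cut-off date quoted in the report for cross-signing certificates.
    $cutoff = [datetime]'2015-07-29'
    $microsoftPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

    # OS release: ReleaseId is "1607" for RS1; later releases compare higher.
    # Pre-1511 systems have no ReleaseId, which casts to 0.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = [int]($cv.ReleaseId)
    $isRs1OrLater = $releaseId -ge 1607

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS firmware
    # or when not run elevated; treat either case as "not confirmed".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Embedded Authenticode signature on the driver binary. A status other than
    # 'Valid' (e.g. NotSigned) means the file relies on a catalog or is unsigned.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    $cert = $sig.SignerCertificate
    $signer = $null
    $issued = $null
    $signedByMicrosoft = $false
    $issuedAfterCutoff = $false
    if ($cert) {
        $signer = $cert.Subject
        $issued = $cert.NotBefore
        $signedByMicrosoft = $signer -like "*CN=$microsoftPublisher*"
        $issuedAfterCutoff = $issued -gt $cutoff
    }

    # "Cross-signed" in the report's sense: a valid signature from a third-party
    # certificate (CA cross-certified by Microsoft) rather than from Microsoft.
    $crossSigned = ($sig.Status -eq 'Valid') -and -not $signedByMicrosoft

    [pscustomobject]@{
        DriverPath        = $DriverPath
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignerCertIssued  = $issued
        ReleaseId         = $releaseId
        SecureBootEnabled = $secureBoot
        LikelyBlocked     = $isRs1OrLater -and $secureBoot -and $crossSigned -and $issuedAfterCutoff
        ManualCheck       = 'Confirm the OS was installed clean (not upgraded); the report lists this as a condition.'
    }
}

# Usage (placeholder path; point it at the driver under test):
# Test-Win10CrossSignedDriver -DriverPath 'C:\path\to\driver.sys'
```

The function returns an object rather than printing, so it can be run against every `.sys` in a driver package and filtered on `LikelyBlocked`. A WHQL-signed RHEL driver should report `Signer` containing the Microsoft publisher CN and `LikelyBlocked` false; a cross-signed Fedora build with a post-cut-off certificate on a Secure Boot 1607 host should report true.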