Kernel Enhancements Kernel Enhancements For Windows Server For Windows Server Longhorn Longhorn

Mike TrickerMike TrickerProgram ManagerProgram ManagerWindows Core Platform ArchitectureWindows Core Platform ArchitectureMicrosoft CorporationMicrosoft Corporation

AgendaAgenda

Kernel enhancements for Windows Kernel enhancements for Windows Server Codename “Longhorn”Server Codename “Longhorn”

Pointers to other relevant Pointers to other relevant sessions and materialsessions and material

Future ideas we’re consideringFuture ideas we’re considering

Call to actionCall to action

Moving To 64-bit OnlyMoving To 64-bit OnlyFuture releases of Windows ServerFuture releases of Windows Server

Windows Server Longhorn is planned toWindows Server Longhorn is planned tobe the last 32-bit release of Windows Serverbe the last 32-bit release of Windows Server

Except for Service Packs and QFEs of courseExcept for Service Packs and QFEs of course

Windows Server Longhorn R2 is planned Windows Server Longhorn R2 is planned to be 64-bit onlyto be 64-bit only

We expect that all Enterprise Server-class We expect that all Enterprise Server-class processors on sale in 2007/8 will be processors on sale in 2007/8 will be 64-bit capable64-bit capable

This will affect your drivers and This will affect your drivers and your hardwareyour hardware

Kernel Driver SigningKernel Driver Signing

Unsigned 64-bit kernel drivers will not loadUnsigned 64-bit kernel drivers will not loadon Windows Vista or Windows Server Longhornon Windows Vista or Windows Server Longhorn

The unsigned driver pop-up is no longer a The unsigned driver pop-up is no longer a “get out of jail free” card“get out of jail free” card

From now on they must be signed by a From now on they must be signed by a recognized signing authorityrecognized signing authority

See this link for more detailsSee this link for more details

http://www.microsoft.com/whdc/system/platform/64bit/http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspxkmsigningFAQ.mspx

For more details please see the slides for the sessionFor more details please see the slides for the sessionIntroduction to the WDK: A Comprehensive Driver Development Introduction to the WDK: A Comprehensive Driver Development Solution in the Device Driver Fundamentals trackSolution in the Device Driver Fundamentals track

PatchGuardPatchGuard

64-bit on x6464-bit on x64

Targeting root kits and other malwareTargeting root kits and other malware

If critical system structures get changed the system will If critical system structures get changed the system will bugcheck, for examplebugcheck, for example

System service tablesSystem service tables

IDTIDT

GDTGDT

Kernel stacks not allocated by the kernelKernel stacks not allocated by the kernel

Patching any part of the kernelPatching any part of the kernel

So if you have drivers that modify (or create) such kernel So if you have drivers that modify (or create) such kernel structures they will cause the system to bugcheckstructures they will cause the system to bugcheck

Together with Windows Defender it’s increasing Together with Windows Defender it’s increasing Windows robustnessWindows robustness

The HALThe HAL

No more uni-processor (UP) HALs No more uni-processor (UP) HALs And thus no UP kernel eitherAnd thus no UP kernel either

Single threaded (versus single processor) server Single threaded (versus single processor) server systems are becoming increasingly raresystems are becoming increasingly rare

No support for non-ACPI HALsNo support for non-ACPI HALsACPI has been required for logo since 1998ACPI has been required for logo since 1998

Now Windows Vista and Windows Server Longhorn Now Windows Vista and Windows Server Longhorn will fail to install on a non-ACPI BIOSwill fail to install on a non-ACPI BIOS

No HAL kitNo HAL kitRelatively low impact Relatively low impact

The New Boot EnvironmentThe New Boot EnvironmentIncluding UEFI supportIncluding UEFI support

Say goodbye to boot.ini, ARC paths and using Say goodbye to boot.ini, ARC paths and using Notepad to make boot option changes!Notepad to make boot option changes!

64-bit x64 Windows Server Longhorn will support 64-bit x64 Windows Server Longhorn will support booting via UEFI 2.0booting via UEFI 2.0

IA-64 supports both EFI 1.1 and UEFI 2.0IA-64 supports both EFI 1.1 and UEFI 2.0

For more details please see the slides For more details please see the slides for the session:for the session:

Inside the Windows Pre-Boot and Boot Inside the Windows Pre-Boot and Boot EnvironmentEnvironment in the System Fundamentals – Core in the System Fundamentals – Core Platform Architecture and Security trackPlatform Architecture and Security track

Native PCI Express SupportNative PCI Express Support

Windows Vista and Windows Server Longhorn have Windows Vista and Windows Server Longhorn have native support fornative support for

MSI and MSI-XMSI and MSI-XExtended configuration space Extended configuration space SegmentsSegmentsCustom propertiesCustom propertiesAdvanced error reporting Advanced error reporting Native hot plugNative hot plugActive state power managementActive state power managementNative power management eventsNative power management events

For more details please see the slides for the sessionFor more details please see the slides for the sessionPCI Express in Depth for Windows Vista and BeyondPCI Express in Depth for Windows Vista and Beyond in the in the System Fundamentals – Core Platform Architecture and System Fundamentals – Core Platform Architecture and Security trackSecurity track

Dynamic PartitioningDynamic PartitioningReliability, Availability, ServiceabilityReliability, Availability, Serviceability

Support for Hot Add of processorsSupport for Hot Add of processorsContinued support for Hot Add memoryContinued support for Hot Add memory

And the planned addition of Hot Add I/O APIC support And the planned addition of Hot Add I/O APIC support

Hot Add Processor is available for test todayHot Add Processor is available for test today

Support for Hot Replace of processors and memorySupport for Hot Replace of processors and memoryAvailable in a later Beta of Windows Server LonghornAvailable in a later Beta of Windows Server Longhorn

No support for Hot Remove of processors or memory in No support for Hot Remove of processors or memory in Windows Server LonghornWindows Server Longhorn

Native hot plug of PCI Express devicesNative hot plug of PCI Express devices

Dynamic PartitioningDynamic Partitioning

1.1. Partition Manager provides Partition Manager provides the UI for partition creation the UI for partition creation and managementand management

2. 2. Service Processor controls Service Processor controls the inter processor and the inter processor and IO connectionsIO connections

3. 3. Platforms partitionable to the Platforms partitionable to the socket level; virtualization used for socket level; virtualization used for sub socket partitioningsub socket partitioning

4. 4. Support for dynamic partitioning Support for dynamic partitioning and socket replacementand socket replacement

Memory

Memory Memory

Memory

IO Bridge

Service Processor

Partition ManagerPartition ManagerPCI ExpressPCI Express

Core Core

Cache

…… Core Core

Cache

……

Core Core

Cache

……Core Core

Cache

……

. . .. . .

IO Bridge

. . .. . .

IO Bridge

. . .. . .

IO Bridge

. . .. . .

Windows Server Windows Server Longhorn dynamic Longhorn dynamic

hardware hardware partitioning features partitioning features

are focused are focused on improving on improving server RASserver RAS

Future Hardware Partitionable ServerFuture Hardware Partitionable Server

Dynamic PartitioningDynamic Partitioning Impact on driversImpact on drivers

Per-processor data structuresPer-processor data structures

Memory high-water mark usageMemory high-water mark usage

ISR and DPC routingISR and DPC routing

User mode IOCTL coordination between applications User mode IOCTL coordination between applications and their associated driversand their associated drivers

Supporting S4 transitionsSupporting S4 transitions

Registering for Hot Add notificationsRegistering for Hot Add notifications

Affinity Mask manipulationAffinity Mask manipulation

Supporting dynamic rebalanceSupporting dynamic rebalance

NUMA behaviorsNUMA behaviors

Memory ManagerMemory Manager EnhancementsEnhancements

Initial non-paged pool now NUMA aware, with separate Initial non-paged pool now NUMA aware, with separate VA ranges for each nodeVA ranges for each node

Per-node look-asides for full pagesPer-node look-asides for full pages

Page table allocation for system PTEs, the system cache, Page table allocation for system PTEs, the system cache, etc., distributed across nodesetc., distributed across nodes

More even localityMore even locality

Avoids exhausting free pages from the boot node Avoids exhausting free pages from the boot node

NUMA-related APIs for device driversNUMA-related APIs for device driversMmAllocateContiguousMemorySpecifyCacheNodeMmAllocateContiguousMemorySpecifyCacheNode

MmAllocatePagesForMdlExMmAllocatePagesForMdlEx

Default if no node is specified has been changedDefault if no node is specified has been changedFrom current processor to the thread’s ideal processor From current processor to the thread’s ideal processor

Memory Manager Memory Manager EnhancementsEnhancements

Win32 APIs that specify nodes for allocations and Win32 APIs that specify nodes for allocations and mapped views on per VAD and per section basismapped views on per VAD and per section basis

VirtualAllocExNumaVirtualAllocExNuma

CreateFileMappingExNumaCreateFileMappingExNuma

MapViewOfFileExNumaMapViewOfFileExNuma

Scalable queryScalable queryQueryWorkingSetExQueryWorkingSetEx

Higher performance for very physically sparse machinesHigher performance for very physically sparse machinesExample: very large IA-64 systemsExample: very large IA-64 systems

1TB gaps between chunks of physical memory1TB gaps between chunks of physical memory

PFN database and initial non-paged pool always mapped with PFN database and initial non-paged pool always mapped with large pages regardless of physical memory sparsenesslarge pages regardless of physical memory sparseness

Memory ManagerMemory Manager EnhancementsEnhancements

Much faster large page allocations Much faster large page allocations in kernel and userin kernel and user

Support for cache-aligned pool Support for cache-aligned pool allocation directivesallocation directives

Data structures describing non-paged pool free Data structures describing non-paged pool free list converted from linked list to bitmaplist converted from linked list to bitmap

Significantly reduced lock contentionSignificantly reduced lock contention

Bitmaps can be searched opportunistically lock-freeBitmaps can be searched opportunistically lock-free

Costly combining of adjacent allocations on free Costly combining of adjacent allocations on free no longer necessaryno longer necessary

Transactional RegistryTransactional Registry

Needed for “all or none” semantics when Needed for “all or none” semantics when changing a group of settingschanging a group of settings

Adds ACID semantics to a group of Adds ACID semantics to a group of registry operations registry operations

Integrates with TxF and any other resource Integrates with TxF and any other resource manager which participates in KTM transactionsmanager which participates in KTM transactions

A transaction can span across file system and A transaction can span across file system and Registry operations Registry operations

Provides easier way for applications to clean Provides easier way for applications to clean up on error pathup on error path

Registry VirtualizationRegistry Virtualization

Enable legacy applications to run as non-adminEnable legacy applications to run as non-adminApplications that want to write to keys that require Applications that want to write to keys that require admin privilegesadmin privileges

Redirect globally impactful registry write Redirect globally impactful registry write to a per-user virtual keyto a per-user virtual key

Only keys under HKLM\Software are virtualizedOnly keys under HKLM\Software are virtualized

Redirection is transparent to callersRedirection is transparent to callers

Applications use the user’s virtual key while runningApplications use the user’s virtual key while running

Is not platform support for sandboxingIs not platform support for sandboxingShould be treated as an assistance technologyShould be treated as an assistance technology

Registry VirtualizationRegistry VirtualizationWhat is not virtualized?What is not virtualized?

Application is identified as an “admin application”Application is identified as an “admin application”

Key is not changeable by adminsKey is not changeable by adminsKey is Windows Resource ProtectedKey is Windows Resource Protected

Caller is kernel mode Caller is kernel mode

Caller is using ImpersonationCaller is using Impersonation

Any 64-bit applicationAny 64-bit application

Keys marked as ‘Do Not Virtualize’Keys marked as ‘Do Not Virtualize’HKLM\Software\ClassesHKLM\Software\Classes

Registry FilteringRegistry Filtering

Certain classes of applications have the Certain classes of applications have the need for filtering registry callsneed for filtering registry calls

Anti-virus, Management applications etc.Anti-virus, Management applications etc.

Kernel mode callback model to allow for Kernel mode callback model to allow for filtering registry operationsfiltering registry operations

Allows monitoring and blocking of registry Allows monitoring and blocking of registry operationsoperationsMultiple drivers can register callbacksMultiple drivers can register callbacks

LimitationsLimitationsNo support for modifying parameters or No support for modifying parameters or redirecting callsredirecting callsNo concept of No concept of altitudesaltitudes

Windows Vista Windows Vista Enhanced Registry FilteringEnhanced Registry Filtering

Also applies to Windows Server LonghornAlso applies to Windows Server LonghornIntroduces a layered model with altitudes for Introduces a layered model with altitudes for callback registrationcallback registration

Consistent with the file system mini-filter modelConsistent with the file system mini-filter modelAltitudes have to be registered with MicrosoftAltitudes have to be registered with Microsoft

Ability to modify parameters and re-direct callsAbility to modify parameters and re-direct callsSupports three modes of operation – Monitor, Block Supports three modes of operation – Monitor, Block and Modifyand Modify

Compatible with existing registry callbacksCompatible with existing registry callbacksLegacy callbacks will be registered at a default Legacy callbacks will be registered at a default altitudealtitudeFirst come first served registration semantics First come first served registration semantics retained for these legacy callbacksretained for these legacy callbacks

Windows Service HardeningWindows Service Hardening

MotivationMotivationServices are attractive targets for malwareServices are attractive targets for malware

Running on a large number of systemsRunning on a large number of systems

Services typically are higher privileged than usersServices typically are higher privileged than users

Worms target services; e.g., Sasser, Code Red, etc.Worms target services; e.g., Sasser, Code Red, etc.

GoalsGoalsRun with least privilege necessaryRun with least privilege necessary

Use only resources needed by the service Use only resources needed by the service

Reduce the damage potential and number of critical Reduce the damage potential and number of critical vulnerabilities in servicesvulnerabilities in services

Extend existing security model for more Extend existing security model for more granular controlgranular control

Windows Service HardeningWindows Service HardeningRunning with least privilegeRunning with least privilege

Privilege strippingPrivilege strippingEnables a service to run with least privilegeEnables a service to run with least privilege

Use only required privilegesUse only required privilegesExpress required privileges during service configuration Express required privileges during service configuration

SeBackupPrivilege, SeRestorePrivilegeSeBackupPrivilege, SeRestorePrivilege, etc., etc.

ChangeServiceConfig2ChangeServiceConfig2 API (sc.exe can be used as well) API (sc.exe can be used as well)

SCM computes union of all hosted service required privileges SCM computes union of all hosted service required privileges Permanently removes unnecessary privileges from process token Permanently removes unnecessary privileges from process token when service process startswhen service process starts

No privileges are addedNo privileges are addedTarget account must support required privileges; e.g., a service in Target account must support required privileges; e.g., a service in LocalService account cannot get LocalService account cannot get SeTCBPrivilegeSeTCBPrivilege

Windows Service HardeningWindows Service HardeningService isolationService isolation

Service-specific SIDService-specific SID1:1 mapping between service name and SID1:1 mapping between service name and SID

Use to ACL objects the service needs to allow access Use to ACL objects the service needs to allow access only to service-specific SIDonly to service-specific SID

Use Use ChangeServiceConfig2ChangeServiceConfig2, sc.exe to control service SID, sc.exe to control service SID

Set ServiceSidType to Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTEDSERVICE_SID_TYPE_UNRESTRICTED

Service-specific SID assigned at start timeService-specific SID assigned at start timeWhen service process startsWhen service process starts

SCM adds service SIDs to process tokenSCM adds service SIDs to process tokenS-1-5-80-XXXXX-YYYYYS-1-5-80-XXXXX-YYYYY

SID enabled/disabled when service starts/stopsSID enabled/disabled when service starts/stops

Service SIDs are local to the machineService SIDs are local to the machine

Windows Service HardeningWindows Service Hardening Reducing damage potentialReducing damage potential

Restricted servicesRestricted servicesUses service SIDs and restricted tokensUses service SIDs and restricted tokens

Write-restricted service processWrite-restricted service processAllows service process write access only to objects Allows service process write access only to objects allowing WRITE for service SIDsallowing WRITE for service SIDs

Reduces the scope of resources accessed on the systemReduces the scope of resources accessed on the system

When service process startsWhen service process startsSCM adds service SID to both normal and restricted SCM adds service SID to both normal and restricted SID list in process tokenSID list in process token

SID enabled/disabled when service starts/stopsSID enabled/disabled when service starts/stops

All services in a process must be restrictedAll services in a process must be restricted

Hardware WatchdogHardware WatchdogVersion 2.0Version 2.0

The watchdog driver resets the count-down timer The watchdog driver resets the count-down timer periodically or else performs a hard restartperiodically or else performs a hard restart

Initial implementation made certain Initial implementation made certain hardware assumptionshardware assumptions

If your hardware didn’t comply it didn’t workIf your hardware didn’t comply it didn’t work

Version 2.0 increases flexibilityVersion 2.0 increases flexibilityYou can define how your hardware is organizedYou can define how your hardware is organized

Or still use the original modelOr still use the original model

Automatically disabled when necessaryAutomatically disabled when necessaryE.g., when writing out a crashdumpE.g., when writing out a crashdump

Available on both client and server if you have Available on both client and server if you have hardware to support that requirementhardware to support that requirement

We do not support IPMI timers natively in We do not support IPMI timers natively in Windows Server LonghornWindows Server Longhorn

Other TechnologiesOther Technologies

SetupSetupAll new and fully graphicalAll new and fully graphical

No text-mode component any moreNo text-mode component any more

Simplified user experience, and faster via use of WIM files Simplified user experience, and faster via use of WIM files installing via RAMDiskinstalling via RAMDisk

WDS replaces RIS for remote network installationWDS replaces RIS for remote network installation

OPK/WAIKOPK/WAIKOEM and Enterprise Administrator custom configuration kitsOEM and Enterprise Administrator custom configuration kits

WDKWDKKMDF for kernel drivers – v1.1 shippedKMDF for kernel drivers – v1.1 shipped

UMDF for user mode driversUMDF for user mode drivers

BitLocker™ and Full Volume EncryptionBitLocker™ and Full Volume EncryptionUse of TPM v1.2 in Branch Office Server scenariosUse of TPM v1.2 in Branch Office Server scenarios

Future TechnologiesFuture Technologies

ISR And DPC RedirectionISR And DPC Redirection

There are performance benefits from running ISRs and There are performance benefits from running ISRs and DPCs on the thread that initiated an I/O operation DPCs on the thread that initiated an I/O operation

Directing Interrupt/ISRDirecting Interrupt/ISR

Directing DPCDirecting DPC

I/O buffer memory allocationI/O buffer memory allocation

Requires the device driver performing I/O to have Requires the device driver performing I/O to have knowledge of where the I/O was initiated knowledge of where the I/O was initiated

Prototyping using MSI-X messages to attempt to route Prototyping using MSI-X messages to attempt to route the request to the initiating processor, so the I/O happens the request to the initiating processor, so the I/O happens on the initiating threadon the initiating thread

We’re working with a number of OEMs and storage We’re working with a number of OEMs and storage device vendors to develop supportdevice vendors to develop support

ISR And DPC Redirection ISR And DPC Redirection Hypothetical NUMA systemHypothetical NUMA system

Node X

Y Y*

Y* Y*

Node Y

Z Z*

Z* Z*

Node Z

Mem YI/O XMem X Mem ZI/O Y I/O Z

ISR And DPC RedirectionISR And DPC Redirection

Interrupt redirection choices (in order)Interrupt redirection choices (in order)1.1. ISR comes back to core that initiated I/OISR comes back to core that initiated I/O

2.2. ISR comes back to processor that initiated I/OISR comes back to processor that initiated I/O

3.3. ISR comes back to NUMA node that initiated I/OISR comes back to NUMA node that initiated I/O

4.4. ISR comes to node containing the HBAISR comes to node containing the HBA

DPC redirectionDPC redirectionISR must know the core/processor/node that initiated the I/OISR must know the core/processor/node that initiated the I/O

Requires multiple DPCs per adapter Requires multiple DPCs per adapter (one per core/processor/node)(one per core/processor/node)

Memory redirection – where to allocate I/O buffersMemory redirection – where to allocate I/O buffersInitiator’s nodeInitiator’s node

ISR nodeISR node

DPC nodeDPC node

Consumer’s node (for incoming data)Consumer’s node (for incoming data)

64 Logical Threads64 Logical Threads

Multiple cores per processor will make the 64 logical Multiple cores per processor will make the 64 logical thread limit very restrictivethread limit very restrictive

E.g., cores and hyperthreadsE.g., cores and hyperthreads

Prototyping support for more than 64 logical threadsPrototyping support for more than 64 logical threadsProposed mechanism isn’t restricted to a specific numberProposed mechanism isn’t restricted to a specific number

There are many compatibility issues to be resolved There are many compatibility issues to be resolved before this can be releasedbefore this can be released

Both applications and device driversBoth applications and device drivers

The affinity mask is currently limited and we can’t “just” grow itThe affinity mask is currently limited and we can’t “just” grow it

Need to measure scalability beyond 64 threadsNeed to measure scalability beyond 64 threads

This isn’t just a case of changing a This isn’t just a case of changing a #define#define ! !

Call To ActionCall To Action

Prepare for 64-bit-only Server in future releasesPrepare for 64-bit-only Server in future releases

Ensure that your 64-bit kernel drivers are signedEnsure that your 64-bit kernel drivers are signed

Ensure that your drivers don’t change kernel Ensure that your drivers don’t change kernel data structures, or Windows will bugcheckdata structures, or Windows will bugcheck

Learn about the many new features available in Learn about the many new features available in Windows Server Longhorn and Windows VistaWindows Server Longhorn and Windows Vista

And how they may benefit or impact your And how they may benefit or impact your drivers and hardwaredrivers and hardware

Please talk to us if you have questions about Please talk to us if you have questions about the potential impact of these changes on the potential impact of these changes on your productsyour products

Additional ResourcesAdditional Resources

Web resourcesWeb resourcesDynamic Partitioning homepageDynamic Partitioning homepage

http://www.microsoft.com/whdc/system/platform/server/dhp.mspxhttp://www.microsoft.com/whdc/system/platform/server/dhp.mspx

WhitepapersWhitepapers

http://www.microsoft.com/whdc/system/vista/kernel-en.mspxhttp://www.microsoft.com/whdc/system/vista/kernel-en.mspx

Kernel patching FAQKernel patching FAQ

http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx 

Related sessionsRelated sessionsIntroduction to the WDK: A Comprehensive Driver Introduction to the WDK: A Comprehensive Driver Development SolutionDevelopment Solution

Inside the Windows Pre-Boot EnvironmentInside the Windows Pre-Boot Environment

PCI Express In Depth For Windows Vista and BeyondPCI Express In Depth For Windows Vista and Beyond

Microsoft BitLocker™ Drive Encryption Hardware Microsoft BitLocker™ Drive Encryption Hardware Enhanced Data ProtectionEnhanced Data Protection

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,

it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.