Longhorn Output Content Protection
Dave Marsh, Program Manager, Windows Media Technologies, Microsoft Corporation

Session Outline
[Diagram: layered stack of the components covered in this talk: APP on top of PMP, with Protected Environment, MIG, PUMA, PVP-OPM, PVP-UAB and PAP as the boxes]
• PVP-OPM (Protected Video Path - Output Protection Management), planned for Windows codenamed "Longhorn"
  • Authenticate the hardware
  • Control output protection mechanisms and turn off unprotected outputs
  • Content industry robustness rules for hardware implementations
• PVP-UAB (Protected Video Path - User Accessible Bus), planned for post-Longhorn
  • Enhanced authentication of hardware (linked to the Session Key)
  • Encrypt video samples to mitigate stealing as they pass over the PCIe bus
• PUMA (Protected User Mode Audio), planned for Longhorn
  • User Mode Audio engine within the Protected Environment
  • Control the various audio outputs
• PAP (Protected Audio Path), many years in the future, if it becomes necessary
  • Authenticate the audio codec
  • Encrypt audio samples to mitigate stealing as they pass over the various audio user accessible buses

Why do it?
Objective
• Enable the PC to play premium content in 2006 and beyond

Content Protection Landscape
[Diagram slide; no further detail recoverable]

The Requirement
• Enable premium content on the PC platform
  • Meet the requirements of HD DVD / Blu-ray and DTCP (5C)
• Protect against stealing content from system or video memory (software attack)
• Protect and control PC AV outputs (hardware attack)
• Protect content on user accessible buses (hardware attack)
• Appliance-like user experience
• Safeguard user privacy

PVP-OPM (Protected Video Path - Output Protection Management)
• Longhorn planned feature that provides hardware authentication and robust control of the outputs

Authentication
[Diagram: chain of trust Content -> OS -> Driver -> (HFS) -> GPU]
• Authentication of the operating system by the content: the ITA represents the content and decides whether to remove the content delivery encryption
• Authentication of the graphics driver by the operating system
• Authentication by the driver that the graphics chip really is valid hardware

PVP-OPM Certificate in driver
• Proves to the PVP-OPM software:
  • Driver identity
  • It's unmodified
  • The graphics vendor has signed the PVP-OPM license, testifying to having met the OPM and content industry rules
  • The driver is talking to conformant hardware
• Hardware Functionality Scan (HFS): the driver exercises complex inner workings of the chip and checks for the correct response
[Diagram: the IHV driver sends HFS questions to the graphics chip and checks the answers]

HFS - Hardware Functionality Scan
• Authentication by the driver that the graphics chip really is valid hardware
• For discrete graphics:
  • Exercises complex internal chip functionality that it would be extremely difficult for an impostor to emulate
  • Uses a randomly generated seed to mitigate replay attacks
  • Conforms to the 'PVP-OPM Authentication for Discrete' guidelines
• For integrated graphics:
  • Checks the internal graphics ID and other features
  • Conforms to the 'PVP-OPM Authentication for Integrated' guidelines
• If ever required, additional HFS tests can be added via driver revoke and renew
• Obfuscation is required where HFS uses chip secrets

PVP-OPM Sequence Diagram - Init
[Sequence diagram. Participants: ITA, OPM OTA, OPM (EVR), Graphics Driver, Graphics Hardware. The Graphics Driver sends HFS questions to the Graphics Hardware and receives HFS answers; the OPM user mode component verifies the driver certificate and asks for the channel attributes; the driver reports outputs, protections, states, and whether a UAB is present]
• The OPM user mode component establishes the enabled outputs, the protection mechanisms, and whether a UAB is present
• ITA = Input Trust Authority; OTA = Output Trust Authority; EVR = Enhanced Video Renderer

PVP-OPM Sequence Diagram - Play
[Sequence diagram. The ITA hands a Policy Object to the OPM OTA; OPM (EVR) issues OPM commands to the Graphics Driver, which forwards them to the Graphics Hardware as OMAC-protected commands over a robust channel; OMAC-protected output states come back from the hardware and are acknowledged (OK) up the chain]
• OPM turns on output protection as requested by a particular piece of content

PC Output Types
• DVI (digital)
  • High-speed, high-quality digital pixel interface to monitors
  • When protected by HDCP, it's great for premium content
  • When unprotected, it may be turned off for premium content
• HDMI (digital)
  • HDCP protection
  • Built by the CE industry using DVI electricals
  • Includes digital audio, but video resolution is a bit limited
• VGA (analog)
  • Content owners are also concerned about high-resolution analog
  • Ubiquitous, so some concessions
  • Information content will be 'constricted' when content policy requires it
• YPbPr high-resolution (analog)
  • The CE industry's first attempt at an interface to HD displays
  • No real protection available, fewer concessions (even for regular DVD)
• TV-out interfaces
  • Analog SD component, S-Video, composite, and TV modulated
  • Macrovision and CGMS-A required, or else the output will be disabled for premium content

Protection Mechanisms
• HDCP
  • PVP-OPM passes SRMs to the IHV kernel-mode driver
  • The IHV kernel-mode driver dynamically finds the attached monitor KSVs
  • Monitor KSV matching and monitor blocking are done in the driver
  • Status (e.g. Blocked) is reported back to PVP-OPM
  • The HDCP 'upstream protocol' is no longer needed
• Resolution constriction
  • For premium content, the OPM and EVR components command the IHV kernel-mode driver to pass the video through a 'Constrictor' to limit its information content (i.e. downscale, then upscale)
  • The constrictor aperture is determined by content owner rules
  • Specified in terms of the total number of allowed pixels, e.g. 520,000 for 5C and ARIB
• Macrovision and CGMS-A

Content Industry Agreement Hardware Robustness Rules
• It is up to the graphics IHV to meet the card robustness requirements as interpreted from the content industry agreement requirements
• Signing the PVP-OPM license says the IHV has interpreted the content industry agreement hardware robustness requirements and complied
• Microsoft only recommends (to minimize the need for revocation):
  • If unprotected digital outputs are provided from the graphics chip, then the card design should be verified by the graphics chip vendor
  • Best to apply the protection in the graphics chip
  • HFS should exercise hardware features of the board (not just the chip)
  • No headers to access digital content
  • Do not use a video side-port in output mode with a published pin-out
  • The input to the TV-out chip or DVI chip is a problem area
• Graphics IHVs validate board vendor implementations to ensure they meet the content industry agreement hardware robustness rules

MIG = Media Interoperability Gateway; HDCP = High-bandwidth Digital Content Protection; EVR = Enhanced Video Renderer; AACS = Advanced Access Content System; DVI = Digital Visual Interface; DWM = Desktop Window Manager; TA = Trust Authority; DH = Diffie-Hellman; PVP = Protected Video Path

PVP-OPM Architecture
[Architecture diagram. Legend: Content Path, Authentication, Policy, Control; components coloured by owner: Microsoft, ISV, IHV. User mode, app process: Premium Content App (e.g. HD DVD / Blu-ray) with a MIG Session (e.g. AACS). User mode Protected Environment: Input TA, MIG Engine, Source Proxy, Media Source plug-in, Decrypter, Decode or Pre-Process, Policy Engine, Media Session, Sink (EVR) with Mixer and Presenter, OPM OTA, Protected DXVA, uDWM, COPP Emulator, Avalon/DWM, User Mode Graphics Driver. Kernel mode Protected Environment with Code Integrity: Mouse Driver, XYZ Driver, Disk Driver, Other, Longhorn Direct3D Driver, OPM Kernel Mode Graphics Driver (OPM certificate authentication, HFS, HDCP) sending output commands to and receiving output status from the hardware. Hardware: Graphics Chip, Display Hardware, DVI/HDMI with HDCP authentication. The Audio Engine sits in the unprotected infrastructure]

PVP-OPM Status
• Implementation well under way
• PVP-OPM planned to ship in Longhorn
  • Beta 2 expected to include PVP-OPM
• PVP-OPM only requires the LDDM Basic Scheduler
  • But will also work with the Advanced Scheduler
• Compared with PVP-UAB, most of the work is driver-related
• Don't forget your hardware responsibilities:
  • Content industry agreement hardware robustness rules
  • Output protection mechanisms
  • Ability to turn off outputs
• Revocation is the principal correction mechanism...
  • ...but best avoided

PVP-UAB (Protected Video Path - User Accessible Bus)
• A planned feature after Longhorn that provides bus encryption for discrete graphics

Encryption
• AES 128-bit Counter Mode encryption of compressed premium content on the PCIe bus
  • Uses a 50 MByte/sec (or better) hardware AES engine in the graphics chip
  • Also applies to partial compression cases (and uncompressed when necessary)
  • AES 128-bit Counter Mode is a base-level requirement
• High Bandwidth Cipher encryption of uncompressed premium content on the PCIe bus
  • Providing a High Bandwidth Cipher is optional (regular AES can be used instead)
  • Video-specific encryption that's much faster than regular AES
  • The preferred High Bandwidth Cipher is Intel's Cascaded Cipher
• Uncompressed premium content typically doesn't need to be sent over the PCIe bus
  • Even Cascaded Cipher takes lots of CPU power
  • Provide Motion Compensation and Inverse DCT codec functionality in graphics chips, so semi-compressed content can be sent instead

Establishing a Session Key
[Diagram: the IHV driver and the graphics chip perform a DH exchange; the 2048-bit DH number is reduced by an AES Davies-Meyer hash to a 128-bit Session Key]
• Can't just pass a key over the wire
• Too expensive to require embedded unique keys
• The foundation for the Session Key is established using 2048-bit Diffie-Hellman
• An AES Davies-Meyer hash turns the 2048-bit Diffie-Hellman number into the 128-bit Session Key

Enhanced Authentication
[Diagram: the IHV driver and the graphics chip perform a DH exchange; a seed taken from it feeds the HFS questions and answers]
• Authentication by the graphics driver that the graphics chip really is valid hardware
  • All the PVP-OPM authentication requirements, plus...
  • Uses 6 or more bits of the Diffie-Hellman key as a seed to lock DH to the authentication, to mitigate man-in-the-middle attacks
• Authentication of the graphics driver by the PVP-UAB software
  • PVP-UAB Certificate stored in the driver
  • Proves to the PVP-UAB software the driver identity, the fact that it's unmodified, and that the graphics IHV has signed the PVP-UAB license, testifying to having met the PVP-UAB and content industry rules

Key Hierarchy
• ProtectedDXVA generates the Content Key using an entropy source
• Passes the Content Key to the Microsoft LDDM kernel-mode component
• The LDDM kernel component encrypts the Content Key with the Session Key

Page-Outs
• Page-outs happen based on priority
• Page-outs of video are rare, but possible
• Need to encrypt paged-out data over the UAB
  • Use the bi-directional AES engine on the graphics chip
  • Surfaces tagged as premium content
  • Page-out encryption is always AES counter mode
  • The Page Key is passed encrypted to the graphics chip
  • The Page Key can be restored after hibernation

Using System Memory
• New class of graphics card without much local memory
  • Each frame goes backwards and forwards over the bus
• Premium content needs protection over the UAB
  • The encryption requirement is massive (GBytes/sec), even for pure hardware
• Need to meet the AACS and 5C DTCP rules
• Graphics IHV's responsibility
  • Needs to be secure enough to avoid any possible need for revocation

PVP-UAB Sequence (1)
To establish robust communication between the MIG and the graphics hardware:
0) Driver identity verified. The Protected Environment is happy for the driver to be on the system.
1) Diffie-Hellman is used between the graphics hardware and the IHV's kernel-mode graphics driver to establish the 2048-bit Diffie-Hellman key. Now a key is established that is known only to the graphics hardware and the IHV's driver. A man-in-the-middle attack has not yet been ruled out.
2) The IHV's kernel-mode driver passes the 2048-bit Diffie-Hellman key to the Microsoft LDDM kernel-mode component, which does an AES Davies-Meyer hash to produce the 128-bit Session Key. The graphics hardware also does the AES Davies-Meyer hash to obtain the Session Key. Now a Session Key is established that is known only to the graphics hardware and the Microsoft LDDM kernel-mode component. A man-in-the-middle attack has not yet been ruled out.
3) The graphics driver exercises complex internal workings of the graphics chip (HFS) to authenticate the graphics hardware, using 6 or more bits from the Diffie-Hellman key as the seed value to tie the authentication to the DH process. The graphics driver now trusts that the graphics hardware is genuine, and also knows that the DH process was not subject to a man-in-the-middle attack, i.e. the Session Key is OK.

PVP-UAB Sequence (2)
4) The ProtectedDXVA software component checks the PVP-UAB Certificate in the driver to establish trust that the driver is genuine and conforms to all the PVP-UAB requirements. The MIG software can now trust the graphics hardware.
5) The ProtectedDXVA component creates a Content Key and sends it to the graphics hardware, whenever a new one is required for a new premium video stream, by having the Microsoft LDDM kernel component encrypt the Content Key with the Session Key. Now the Content Key is known to the ProtectedDXVA software component and the graphics hardware.
6) The ProtectedDXVA component encrypts a premium video stream using the Content Key, then streams it to the graphics hardware, where it is decrypted on receipt. The premium content has now been safely delivered from the MIG software Protected Environment to the graphics hardware.
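The six-step PVP-UAB key establishment above, carried through end to end as an added example in Go (written for this page; it is not Microsoft's or any IHV's code). The driver and the chip are two in-process parties. The DH group (RFC 3526 group 14), the Davies-Meyer starting value and padding, the raw-block wrap of the Content Key under the Session Key, and which bits of the DH number seed the HFS are all assumptions, since the talk names only the key sizes and the cipher modes; the HFS questions themselves are IHV secrets and are not modelled. The frame is a constructed stand-in for a compressed access unit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// RFC 3526 group 14 (2048-bit MODP, generator 2). The talk fixes only the key size; the group is assumed.
const modp2048 = "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437" +
	" 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05" +
	" 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" +
	" E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
var dhP, _ = new(big.Int).SetString(strings.ReplaceAll(modp2048, " ", ""), 16)

func randBytes(b []byte) []byte { // OS entropy source; failure is fatal
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aes128(k [16]byte) cipher.Block { b, _ := aes.NewCipher(k[:]); return b } // 16-byte key never errors

// Party is one end of the exchange: the IHV kernel-mode driver (host) or the graphics chip (PCIe device).
type Party struct{ priv, Public *big.Int }

func NewParty() *Party {
	x := new(big.Int).SetBytes(randBytes(make([]byte, 32))) // 256-bit private exponent
	return &Party{priv: x, Public: new(big.Int).Exp(big.NewInt(2), x, dhP)}
}

// Shared computes the 2048-bit DH number, or nil for a peer value of 0, 1 or p-1, which force a predictable result.
func (p *Party) Shared(peerPub *big.Int) *big.Int {
	if peerPub.Cmp(big.NewInt(1)) <= 0 || peerPub.Cmp(new(big.Int).Sub(dhP, big.NewInt(1))) >= 0 {
		return nil
	}
	return new(big.Int).Exp(peerPub, p.priv, dhP)
}

// DaviesMeyerAES128: H_i = AES_{M_i}(H_{i-1}) XOR H_{i-1}, each 16-byte block of msg used as the AES-128 key.
// H_0 = 0 and zero padding of a short final block are assumptions of this example.
func DaviesMeyerAES128(msg []byte) (h [16]byte) {
	for i := 0; i < len(msg); i += 16 {
		var k, out [16]byte
		copy(k[:], msg[i:])
		aes128(k).Encrypt(out[:], h[:])
		for j := range h {
			h[j] ^= out[j]
		}
	}
	return h
}

// SessionKey hashes the DH number (fixed 256-byte big-endian form, so both sides hash identical bytes) to 128 bits.
func SessionKey(shared *big.Int) [16]byte {
	return DaviesMeyerAES128(shared.FillBytes(make([]byte, 256)))
}

// HFSSeed: the low n bits (n >= 6 in the talk) of the DH number seed the Hardware Functionality Scan, tying it
// to this DH run. Which bits are used is an assumption; the HFS questions themselves are IHV secrets.
func HFSSeed(shared *big.Int, n uint) uint64 {
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), n), big.NewInt(1))
	return new(big.Int).And(shared, mask).Uint64()
}

// CTRCrypt is AES-128 counter mode, the base-level PCIe cipher; one call encrypts or decrypts.
// A counter block must never repeat under one Content Key, or two frames XOR to their plaintext difference.
func CTRCrypt(key, ctr [16]byte, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(aes128(key), ctr[:]).XORKeyStream(out, data)
	return out
}

// RunUABSession walks steps 1-6 of the PVP-UAB sequence with driver and chip as in-process parties.
func RunUABSession(frame []byte) bool {
	driver, chip := NewParty(), NewParty()
	hostDH, chipDH := driver.Shared(chip.Public), chip.Shared(driver.Public) // steps 1-2: DH over the bus...
	if hostDH == nil || chipDH == nil {
		return false
	}
	skHost, skChip := SessionKey(hostDH), SessionKey(chipDH) // ...then both sides hash to the Session Key
	// Step 3: HFS seeded from the DH number; a man in the middle would leave the two seeds out of step.
	if skHost != skChip || HFSSeed(hostDH, 6) != HFSSeed(chipDH, 6) {
		return false
	}
	// Step 5: ProtectedDXVA mints a Content Key; LDDM wraps it under the Session Key as one raw AES block (mode assumed).
	var contentKey, wrapped, chipKey, ctr [16]byte
	randBytes(contentKey[:])
	aes128(skHost).Encrypt(wrapped[:], contentKey[:])
	aes128(skChip).Decrypt(chipKey[:], wrapped[:])
	// Step 6: with a fresh counter block the frame crosses the PCIe bus under AES-128-CTR; the chip decrypts it.
	randBytes(ctr[:])
	onBus := CTRCrypt(contentKey, ctr, frame)
	return bytes.Equal(CTRCrypt(chipKey, ctr, onBus), frame)
}

func main() { // the frame is a constructed stand-in for a compressed access unit
	fmt.Println("frame intact over the UAB:", RunUABSession(bytes.Repeat([]byte("constructed frame "), 8)))
}
```

The degenerate-value check in Shared is the part the talk's slides leave implicit: without it, a party on the bus can substitute 1 or p-1 for a public value and force a Session Key it can compute itself, which is exactly the man-in-the-middle case that the HFS seed in step 3 is meant to expose.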
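Stepping back to the PVP-OPM output-control mechanisms described earlier (the PC output types, HDCP KSV blocking against an SRM, and the resolution constrictor), this added Go example (written for this page; not code from the talk or from any driver) models the decision the OPM OTA and the IHV kernel-mode driver make for each output under a content policy. The Output and Policy types, the SRM as a plain set of revoked KSVs (a real SRM is a signed structure), and the reading of "fewer concessions" for YPbPr as no constrictor fallback are assumptions; the rule that a KSV has exactly 20 of 40 bits set comes from the HDCP specification, not from this talk. The sample policy and connectors are constructed.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
)

type OutputKind int // the PC output types from the talk

const (
	DVI   OutputKind = iota // digital; HDCP-capable or unprotected
	HDMI                    // digital; HDCP
	VGA                     // analog; constricted when policy requires
	YPbPr                   // analog HD component; no protection available
	TVOut                   // analog SD; needs Macrovision and CGMS-A
)

// Output is one connector as the IHV kernel-mode driver reports it to OPM.
type Output struct {
	Kind          OutputKind
	HDCPCapable   bool
	MonitorKSVs   []uint64 // 40-bit KSVs of the attached HDCP receivers
	APSCapable    bool     // Macrovision + CGMS-A available (TV-out)
	Width, Height int      // frame size to be presented
}

// Policy is what a piece of content, via the ITA, asks the OTA to enforce.
type Policy struct {
	RequireDigitalProtection bool // an unprotected digital output goes dark
	MaxAnalogPixels          int  // constrictor aperture, e.g. 520000 for 5C / ARIB; 0 = unlimited
	AnalogAPSRequired        bool // TV-out must carry Macrovision and CGMS-A
}

type Decision struct{ Action string; Width, Height int } // per-output state reported back to OPM

// ValidKSV applies the HDCP rule that a Key Selection Vector is 40 bits wide with exactly 20 bits set.
func ValidKSV(ksv uint64) bool { return ksv>>40 == 0 && bits.OnesCount64(ksv) == 20 }

// ConstrictorAperture returns the largest frame of the same aspect ratio whose pixel count fits the
// aperture; the constrictor downscales to it and upscales back, so the picture carries no more information.
func ConstrictorAperture(w, h, maxPixels int) (int, int) {
	if maxPixels <= 0 || w*h <= maxPixels {
		return w, h
	}
	s := math.Sqrt(float64(maxPixels) / float64(w*h))
	cw, ch := int(float64(w)*s), int(float64(h)*s) // flooring both axes keeps cw*ch <= maxPixels
	for cw*ch > maxPixels && cw > 1 && ch > 1 {    // guard against float rounding
		cw, ch = cw-1, ch-1
	}
	return cw, ch
}

// Decide applies the policy to one output the way the talk divides the work: KSV matching against the
// SRM (modelled as a set of revoked KSVs) and blocking happen in the driver; the state goes back to OPM.
func Decide(o Output, p Policy, srm map[uint64]bool) Decision {
	on := func(why string) Decision { return Decision{"enabled: " + why, o.Width, o.Height} }
	off := func(why string) Decision { return Decision{Action: "disabled: " + why} }
	switch o.Kind {
	case DVI, HDMI:
		if !o.HDCPCapable && p.RequireDigitalProtection {
			return off("unprotected digital output")
		} else if !o.HDCPCapable {
			return on("unprotected, policy permits")
		}
		for _, ksv := range o.MonitorKSVs {
			if !ValidKSV(ksv) || srm[ksv] {
				return Decision{Action: fmt.Sprintf("blocked: KSV %010X invalid or revoked", ksv)}
			}
		}
		return on("HDCP")
	case VGA:
		if w, h := ConstrictorAperture(o.Width, o.Height, p.MaxAnalogPixels); w != o.Width || h != o.Height {
			return Decision{"constricted", w, h}
		}
		return on("analog within aperture")
	case YPbPr: // "fewer concessions": modelled as no constrictor fallback, an assumption of this example
		if p.MaxAnalogPixels > 0 && o.Width*o.Height > p.MaxAnalogPixels {
			return off("HD analog, no protection available")
		}
		return on("analog within aperture")
	case TVOut:
		if p.AnalogAPSRequired && !o.APSCapable {
			return off("Macrovision/CGMS-A unavailable")
		}
		return on("Macrovision + CGMS-A")
	}
	return off("unknown output")
}

func main() {
	srm := map[uint64]bool{0xFFFFF00000: true} // constructed: a 5C-style policy, one revoked KSV, three connectors
	pol := Policy{RequireDigitalProtection: true, MaxAnalogPixels: 520000, AnalogAPSRequired: true}
	for _, o := range []Output{
		{Kind: HDMI, HDCPCapable: true, MonitorKSVs: []uint64{0xFFFFF00000}, Width: 1920, Height: 1080},
		{Kind: VGA, Width: 1920, Height: 1080},
		{Kind: TVOut, Width: 720, Height: 480},
	} {
		d := Decide(o, pol, srm)
		fmt.Printf("output kind %d: %s (%dx%d)\n", o.Kind, d.Action, d.Width, d.Height)
	}
}
```

With the 520,000-pixel aperture the talk quotes, a 1920x1080 frame on VGA is constricted to 961x540 (518,940 pixels) before being scaled back up, while 720x480 SD passes through unchanged; the same policy blocks an HDMI sink whose KSV is on the SRM and disables TV-out that cannot apply Macrovision and CGMS-A.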
PVP-UAB Architecture
[Architecture diagram; no further detail recoverable]

PVP-UAB Status
• Graphics IHVs are well advanced with PVP-UAB graphics chips for 2006
  • First boards for test by the end of 2005
• PVP-UAB is planned to ship with the LDDM Advanced Scheduler
  • Planned for after Longhorn
  • An Advanced Scheduler driver and chip are required for PVP-UAB
• DDIs for PVP-UAB are expected to be fully stabilized by the Longhorn launch

Certification
• Sign the license, get the certificate (PVP-OPM, PVP-UAB)
• A legal promise that you've done everything the spec requires
• Compliance Rules: these are just a summary of the requirements stated in the spec
• If it turns out the requirements have not been properly met, then:
  • Revocation
  • Other remedies

When PVP-UAB + PVP-OPM, and when just PVP-OPM?
• The question is whether there is a User Accessible Bus
• Integrated graphics
  • No need for PVP-UAB, as there is no UAB
  • Do need PVP-OPM: Output Protection Management, Authentication (simpler form), content industry agreement Hardware Robustness Rules
• Discrete graphics on the motherboard
  • No need for PVP-UAB if soldered down
  • But HFS must be able to robustly determine the difference, e.g.: different secrets; bonding options, e.g. ROM chip select; BIOS arrangements
• Discrete graphics card
  • PVP-UAB is required

PUMA (Protected User Mode Audio)
• Longhorn planned feature that provides 'SAP equivalence' audio protection

New Audio Engine for Longhorn
• Longhorn provides a User Mode Audio engine
  • In Windows XP the audio is kernel mode
• Doing it in user mode is better, because:
  • More robust
  • More extensible
• Designed to work well with UAA-compliant audio devices
  • Microsoft is also providing a class driver
[Diagram courtesy of Alex Goyen's WinHEC05 talk]

Protected User Mode Audio
• Longhorn provides a software Protected Environment
  • Mitigates against software attacks
  • Some types of premium content will not play if a rogue component is present on the system
• The Protected Environment protects the User Mode Audio engine, just like it protects the MIG (Media Interoperability Gateway)
  • Protected Environment + User Mode Audio
  • Audio is actually in a separate protected process
• SAP (Secure Audio Path) equivalence
  • SAP content will play using MIG/PE

SAR = Streaming Audio Renderer; VAD = Virtual Audio Device; VAS = Virtual Audio Server; VPO = Virtual Protected Output; POC = Protected Output Controller

PUMA Architecture
[Architecture diagram. Legend: Protected Content Path, Authentication, Policy, Control; components coloured by owner: Microsoft, ISV, IHV. User mode, unprotected infrastructure: Non-Premium Content App talking to a VAD; Premium Content App with a MIG Session (e.g. CPPM) and Media Source plug-in. User mode Protected Environment: Input TA, MIG Engine, Source Proxy, Decrypter, Transform, SAR, Policy Engine, Media Session, Output TA, uDWM (video/graphics), and the Audio Engine (WAS API, VAS, VPO, Post-Mix, AEC, Constrictor, APO, POC, End Point). Kernel mode Protected Environment with Code Integrity: Mouse Driver, XYZ Driver, Disk Driver, Other, and the UAA Class Driver carrying output commands and output status. Hardware: motherboard or PCI(e) southbridge chip, HD-Audio / other buses, codec hardware]

Always in the mix
• There's always a mix in progress
• With an audio mix comes the need for a policy mix
• Policy changes dynamically
• Policy is a stream that must be kept approximately in sync

Windows XP SAP
• Limited adoption
• Thwarts some recent DRM breaches
• Will not work for the Longhorn audio architecture
• SAP replaced by PUMA in Longhorn
  • Makes life easier for third-party apps
  • PUMA provides the protection that content owners desire

HDMI
• HDCP protects the audio when the video is premium video
• New connector, new rules
• Need HDMI audio codec type
• HDMI is happening, e.g. audio/video receivers with HDMI in and out

PCIe Bus
• The problem potentially affects:
  • Discrete audio and discrete graphics cards
  • HD DVD and Blu-ray playback
• Pushing for a grace period like SPDIF
  • But it may only be a requirement delay
• Eventually would be done with an Output Encryption APO

PUMA - A Necessary Step Down the Path
[Timeline diagram. Now (2005): no protection (SAP not turned on) or SAP protection (if turned on). Longhorn: PUMA with the Protected Environment. Years in the future, only if required: PAP, e.g. HFS and encryption]

What's not in PUMA in Longhorn
• Encryption over digital audio cables
  • HDMI has encryption, but only when the video is premium
• Encryption over the PCIe User Accessible Bus
  • Not expected to be necessary
• DVD-Audio playback
  • But ISVs could provide an ITA plug-in to MIG with analog outputs
• Watermark detection
  • High on the content owner agenda, but tricky issues
• HFS authentication of hardware
  • Might be a useful long-term addition

PAP (Protected Audio Path)
• A possible future set of features that would provide the additional protection needed for audio User Accessible Buses to codec chips

PAP Architecture
[Architecture diagram, the same layout as the PUMA architecture with these additions: an Output Encryption APO in the Audio Engine holding the HFS, an MKey and AES under the content key Kc; the UAA Class Driver in the kernel-mode Protected Environment carries the HFS and MKey exchange; the codec chip holds AES, MKey and Kc' and decrypts on receipt. The north-south link is not a UAB; PCIe is a UAB]

Call To Action
• Implement industry-standard protection mechanisms on graphics card outputs, and get a PVP-OPM license for your graphics driver
• For discrete graphics cards, implement the PVP-UAB decryption and key mechanism etc. in your chip, and get a PVP-UAB license for your driver
• If you make audio codec chips, then come talk with us about future possibilities

Additional Resources
• PVP-OPM and PVP-UAB questions to: PVP @ microsoft.com
• PUMA and PAP questions to: PUMA @ microsoft.com
• WinHEC whitepaper: Longhorn Output Content Protection
  • Full write-up of this talk with lots of additional information
• Other WinHEC sessions:
  • Protected Media Path and Driver Interoperability Requirements: describes the Protected Environment used to mitigate software attacks
  • Longhorn Audio: describes the new Longhorn user mode audio engine
  • Windows Graphics Overview: describes the new LDDM graphics driver model
• Windows XP COPP info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/graphics/hh/graphics/dxvaguide_6bdc2bbd-b55a-44e1-9e6b-638589e319f1.xml.asp

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.