Longhorn Output Content Protection
Dave Marsh, Program Manager, Windows Media Technologies, Microsoft Corporation
Session Outline
• PVP-OPM (Protected Video Path - Output Protection Management), planned for Windows codenamed “Longhorn”
  • Authenticate the hardware
  • Control output protection mechanisms and turn off unprotected outputs
  • Content Industry robustness rules for hardware implementations
• PVP-UAB (Protected Video Path – User Accessible Bus), planned for post-Longhorn
  • Enhanced Authentication of hardware (linked to Session Key)
  • Encrypt video samples to mitigate stealing as they pass over PCIe bus
• PUMA (Protected User Mode Audio), planned for Longhorn
  • User Mode Audio engine within the Protected Environment
  • Control the various audio outputs
• PAP (Protected Audio Path), many years in the future, if it becomes necessary
  • Authenticate the audio codec
  • Encrypt audio samples to mitigate stealing as they pass over the various audio user accessible buses
[Diagram labels: APP, PMP Protected Environment, MIG, PUMA, PVP-OPM, PVP-UAB, PAP]
Objective Enable the PC to play premium content in 2006 and beyond
The Requirement
• Enable Premium Content on PC Platform
  • Meet requirements of HD / Blu-Ray-DVD and DTCP (5C)
• Protect against stealing content from system or video memory (Software attack)
• Protect and control PC AV outputs (Hardware attack)
• Protect content on user accessible buses (Hardware attack)
• Appliance-like user experience
• Safeguard user privacy
PVP-OPM (Protected Video Path – Output Protection Management)
Longhorn planned feature that provides hardware authentication and robust control of the outputs
Authentication
[Diagram: OS, Driver, HFS, GPU and Content, with the arrows labelled as follows]
• Authentication of Graphics Driver by Operating System
• Authentication by Driver that Graphics Chip really is valid hardware
• Authentication of Operating System by the Content
• ITA represents Content and decides whether to remove content delivery encryption
• PVP-OPM Certificate in driver proves to PVP-OPM software:
  • Driver identity
  • It’s unmodified
  • Graphics vendor has signed PVP-OPM license testifying to having met OPM and content industry rules
  • Driver is talking to conformant hardware
• Hardware Functionality Scan (HFS): Driver exercises complex inner workings of the chip and checks for correct response
HFS - Hardware Functionality Scan
• Authentication by driver that graphics chip really is valid hardware
• Hardware Functionality Scan (HFS)
  • For Discrete:
    • Exercises complex internal chip functionality that it would be extremely difficult for an imposter to emulate
    • Uses randomly generated seed to mitigate replay attacks
    • Conforms to ‘PVP-OPM Authentication for Discrete’ guidelines
  • For Integrated:
    • Checks internal graphics ID and other features
    • Conforms to ‘PVP-OPM Authentication for Integrated’ guidelines
• If ever required, additional HFS tests can be added via driver revoke and renew
• Obfuscation required where HFS uses chip secrets
[Diagram: IHV Driver sends Questions to the chip and receives Answers]
PVP-OPM Sequence Diagram - Init
[Sequence diagram between ITA, OPM OTA, OPM (EVR), Graphics Driver and Graphics Hardware: HFS questions / HFS answers; Certificate Verified; Channel Attributes?; Outputs, Protections, States, UAB]
OPM user mode component establishes enabled outputs, protection mechanisms, and whether UAB is present
ITA = Input Trust Authority; OTA = Output Trust Authority; EVR = Enhanced Video Renderer
PVP-OPM Sequence Diagram - Play
[Sequence diagram between ITA, OPM OTA, OPM (EVR), Graphics Driver and Graphics Hardware: Policy Object; OPM Commands; OPM OMAC Commands; Output States (Robust); Output OMAC States; OK]
OPM turns on output protection as requested by a particular piece of content
PC Output Types
• DVI (Digital)
  • High-speed, high-quality, digital pixel interface to monitors
  • When protected by HDCP, it’s great for premium content
  • When unprotected it may be turned off for premium content
• HDMI (Digital)
  • HDCP protection
  • Built by CE industry using DVI electricals
  • Includes digital audio, but video resolution a bit limited
• VGA (Analog)
  • Content owners also concerned about high resolution analog
  • Ubiquitous, so some concessions
  • Information content will be ‘Constricted’ when content policy requires it
• YPbPr High Resolution (Analog)
  • The CE industry’s first attempt at an interface to HD displays
  • No real protection available, less concessions (even for regular DVD)
• TV-Out interfaces
  • Analog SD component, S-Video, composite, & TV modulated
  • Macrovision and CGMS-A required or else output will be disabled for premium content
Protection Mechanisms
• HDCP
  • PVP-OPM passes SRMs to IHV KM Driver
  • IHV Kernel Mode Driver dynamically finds attached monitor KSVs
  • Monitor KSV matching and monitor blocking done in driver
  • Status (e.g. Blocked) reported back to PVP-OPM
  • HDCP ‘upstream protocol’ no longer needed
• Resolution Constriction
  • For premium content, OPM and EVR components command IHV KM Driver to pass video through a ‘Constrictor’ to limit its information content (i.e. Downscale then Upscale)
  • Constrictor aperture determined by content owner rules
    • Specified in terms of total number of allowed pixels
    • e.g. 520,000 for 5C and ARIB
• Macrovision and CGMS-A
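The Constrictor arithmetic behind the Resolution Constriction bullets, as an added example that is not code from the deck: given an aperture expressed as a total pixel count (520,000 for 5C and ARIB), it computes the intermediate size a frame is downscaled to before being upscaled back to the output resolution. The function name, the aspect-preserving scale factor and the round-down rule are assumptions; the deck states only the aperture.

```go
package main

import (
	"fmt"
	"math"
)

// ConstrictorAperture5C is the aperture the deck quotes: 520,000 pixels (5C and ARIB).
const ConstrictorAperture5C = 520000

// constrict returns the frame size the Constrictor downscales to before upscaling
// back to the output resolution. Aspect ratio is preserved, and the result never
// exceeds the aperture because floor(w*s)*floor(h*s) <= w*h*s*s = aperture.
func constrict(width, height, aperture int) (int, int) {
	if width*height <= aperture {
		return width, height // policy already satisfied; no constriction needed
	}
	s := math.Sqrt(float64(aperture) / float64(width*height))
	return int(math.Floor(float64(width) * s)), int(math.Floor(float64(height) * s))
}

func main() {
	// Constructed input resolutions: 1080p and 720p are constricted, SD is passed through.
	for _, r := range [][2]int{{1920, 1080}, {1280, 720}, {720, 480}} {
		w, h := constrict(r[0], r[1], ConstrictorAperture5C)
		fmt.Printf("%dx%d -> constricted to %dx%d (%d pixels)\n", r[0], r[1], w, h, w*h)
	}
}
```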
Content Industry Agreement Hardware Robustness Rules
• Up to graphics IHV to meet card robustness requirements as interpreted from content industry agreement requirements
• Signing PVP-OPM license says IHV has interpreted content industry agreement hardware robustness requirements and complied
• Microsoft only recommends (to minimize revocation necessity):
  • If unprotected digital outputs provided from graphics chip, then card design verified by graphics chip vendor
  • Best to apply the protection in the graphics chip
  • HFS should exercise hardware features of the board (not just chip)
  • No headers to access digital content
  • Do not use a video side-port in output mode with a published pin-out
  • Input to TV-out chip or DVI chip is a problem area
• Graphics IHVs validate board vendor implementations to ensure they meet content industry agreement hardware robustness rules
PVP-OPM Architecture
[Architecture diagram spanning App Process (Premium Content App, e.g. HD/Blu-Ray DVD), Unprotected Infrastructure (MIG Session, Media Source, Plug-in e.g. AACS, Avalon, DWM, COPP Emulator), Protected Infrastructure / Protected Environment (MIG Engine, Input TA, Policy Engine, OPM OTA, Source Proxy, Decrypter, Decode or Pre-Process, User Mode Sink (EVR) with Mixer and Presenter, uDWM, Audio Engine, Protected DXVA, User Mode Graphics Driver with OPM Cert Auth), Kernel Mode (Code Integrity, Longhorn Direct3D Driver, Kernel Mode Graphics Driver, Disk Driver, Mouse Driver, XYZ Driver) and Hardware (Graphics Chip with HFS, Output Command / Output Status, DVI/HDMI with HDCP Auth to HDCP Display). Legend: Content Path, Authentication, Policy, Control; ownership: Microsoft, ISV, IHV]
MIG = Media Interoperability Gateway; HDCP = High BW Digital Content Protection; EVR = Enhanced Video Renderer; AACS = Advanced Access Content System; DVI = Digital Visual Interface; DWM = Desktop Window Manager; TA = Trust Authority; DH = Diffie Hellman; PVP = Protected Video Path
PVP-OPM Status
• Implementation well under way
• PVP-OPM planned to ship in Longhorn
  • Beta 2 expected to include PVP-OPM
• PVP-OPM only requires LDDM Basic Scheduler
  • But will also work with Advanced Scheduler
• Compared with PVP-UAB, most of the work is driver-related
• Don’t forget your hardware responsibilities
  • Content industry agreement hardware robustness rules
  • Output protection mechanisms
  • Ability to turn off outputs
• Revocation is principal correction mechanism… …but best avoided
PVP-UAB (Protected Video Path – User Accessible Bus)
A planned feature after Longhorn that provides bus encryption for Discrete Graphics
Encryption
• AES 128-bit Counter Mode encryption of compressed premium content on the PCIe bus
  • Uses 50MByte/sec (or better) hardware AES engine in graphics chip
  • Also applies to partial compression cases (and uncompressed when necessary)
  • AES 128-bit Counter Mode is a base level requirement
• High Bandwidth Cipher encryption of uncompressed premium content on the PCIe bus
  • Providing a High Bandwidth Cipher is optional (regular AES can be used instead)
  • Video specific encryption that’s much faster than regular AES
  • Preferred High Bandwidth Cipher is Intel’s Cascaded Cipher
• Uncompressed premium content typically doesn’t need to be sent over the PCIe bus
  • Even Cascaded Cipher takes lots of CPU power
  • Provide Motion Comp and Inverse DCT codec functionality in graphics chips, so semi compressed can be sent instead
Establishing a Session Key
• Can’t just pass a key over the wire
• Too expensive to require embedded unique keys
• Foundation for Session Key established using 2048-bit Diffie Hellman
• AES Davies Meyer hash turns 2048-bit Diffie Hellman number into 128-bit Session Key
[Diagram: DH Exchange between IHV Driver and graphics chip; the 2048 bit Diffie Hellman Exchange result feeds an AES Davies Meyer Hash producing the 128 bit key]
Enhanced Authentication
• Authentication by graphics driver that graphics chip really is valid hardware
  • All the PVP-OPM authentication requirements, plus…
  • Uses 6 or more bits of the Diffie Hellman key as a seed to lock DH to authentication, to mitigate Man In The Middle attacks
• Authentication of graphics driver by PMP-UAB software
  • PVP-UAB Certificate stored in driver
  • Proves to PMP software the driver identity, the fact that it’s unmodified, and that graphics IHV has signed PVP-UAB license, testifying to having met PVP-UAB and content industry rules
[Diagram: DH Exchange between IHV Driver and graphics chip; the DH-derived Seed drives the HFS Questions and HFS Answers]
Key Hierarchy
• ProtectedDXVA generates content key using an entropy source
• Passes Content Key to Microsoft LDDM Kernel Mode component
• LDDM Kernel component encrypts Content Key with Session Key
Page-Outs
• Page-Outs happen based on priority
• Page-Outs of video are rare, but possible
• Need to encrypt paged-out data over UAB
  • Use Bi-directional AES engine on graphics chip
  • Surfaces tagged as Premium Content
  • Page-Out encryption always AES counter mode
  • Page Key passed encrypted to graphics chip
  • Page Key can be restored after hibernation
Using System Memory
• New class of graphics card without much local memory
• Each frame goes backwards and forwards over bus
  • Premium content needs protection over UAB
  • Encryption requirement is massive, even for pure hardware
• Need to meet AACS and 5C DTCP rules
  • Graphics IHV's responsibility
  • Needs to be secure enough to avoid any possible need for revocation
[Diagram: GBytes/sec of frame traffic across the bus]
PVP-UAB Sequence (1)
To establish robust communication between MIG and graphics hardware
0) Driver identity verified.
   Protected Environment happy for driver to be on the system.
1) Diffie Hellman used between graphics hardware and IHV’s kernel mode graphics driver to establish the 2048 bit Diffie Hellman key.
   Now have a key established that is known only to the graphics hardware and the IHV’s driver. A Man in the middle attack has not yet been ruled out.
2) IHV's kernel mode driver passes 2048 bit Diffie Hellman key to Microsoft LDDM kernel mode component that then does an AES Davies Meyer hash to produce 128 bit Session Key. Graphics hardware also does AES Davies Meyer hash to also obtain the Session Key.
   Now have Session Key established that is known only to the graphics hardware and the Microsoft LDDM kernel mode component. A Man in the middle attack has not yet been ruled out.
3) Graphics driver exercises complex internal workings of graphics chip (HFS) to authenticate graphics hardware. Uses 6 or more bits from the Diffie Hellman key as seed value to tie together the authentication with the DH process.
   Graphics driver now trusts that graphics hardware is genuine. Also knows that DH process was not subject to a man in the middle attack, i.e. Session Key is OK.
PVP-UAB Sequence (2)
To establish robust communication between MIG and graphics hardware
4) ProtectedDXVA software component checks the PVP-UAB Certificate in the driver to establish trust that the driver is genuine and conforms to all the PVP-UAB requirements.
   MIG software can now trust the graphics hardware.
5) ProtectedDXVA component creates a Content Key and sends it to the graphics hardware, whenever a new one is required for a new premium video stream, by having the Microsoft LDDM kernel component encrypt the Content Key with the Session Key.
   Now the Content Key is known to the ProtectedDXVA software component and the graphics hardware.
6) ProtectedDXVA component encrypts a premium video stream using the Content Key, then streams this to the graphics hardware where it is decrypted on receipt.
   The premium content has now been safely delivered from the MIG software Protected Environment to the graphics hardware.
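The key material flow of the two sequence slides (and of the Encryption, Session Key and Key Hierarchy slides), as an added example that is not code from the deck: a 2048-bit Diffie Hellman exchange between driver and chip, an AES Davies Meyer hash to a 128-bit Session Key on both ends, the Content Key wrapped under the Session Key, and AES-128 Counter Mode over the samples. Assumptions not in the deck: RFC 3526 group 14 as the DH group, H_0 = 0 for the Davies Meyer chain, CTR for the Content Key wrap, the constructed IV and payload; the HFS seed step (3) is vendor-specific and omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"math/big"
)

// RFC 3526 group 14 prime (2048-bit MODP), generator 2; the deck fixes only the key size, the group is assumed here.
var dhPrime, _ = new(big.Int).SetString(""+
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"+
	"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"+
	"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"+
	"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"+
	"9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"+
	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"+
	"3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

// dhKeyPair is one DH party (IHV driver or graphics chip): private exponent and public value.
func dhKeyPair() (priv, pub *big.Int) {
	priv, _ = rand.Int(rand.Reader, dhPrime)
	return priv, new(big.Int).Exp(big.NewInt(2), priv, dhPrime)
}

// dhShared returns the 2048-bit Diffie Hellman number as a fixed 256-byte big-endian buffer.
func dhShared(priv, peerPub *big.Int) []byte {
	return new(big.Int).Exp(peerPub, priv, dhPrime).FillBytes(make([]byte, 256))
}

// daviesMeyer compresses the DH number to 128 bits: each 16-byte block M_i is used
// as an AES-128 key and H_i = AES_{M_i}(H_{i-1}) XOR H_{i-1}, starting from H_0 = 0.
func daviesMeyer(msg []byte) []byte {
	h, e := make([]byte, 16), make([]byte, 16)
	for i := 0; i+16 <= len(msg); i += 16 {
		blk, _ := aes.NewCipher(msg[i : i+16])
		blk.Encrypt(e, h)
		for j := range h {
			h[j] ^= e[j]
		}
	}
	return h
}

// aesCTR is the deck's base-level cipher; in CTR mode encryption and decryption are the same call.
func aesCTR(key, iv, data []byte) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out
}

// runSession walks steps 1, 2, 5 and 6 and reports whether the "chip" recovers the samples.
func runSession(samples []byte) bool {
	drvPriv, drvPub := dhKeyPair()   // IHV kernel mode graphics driver (step 1)
	chipPriv, chipPub := dhKeyPair() // graphics hardware (step 1)
	skDriver := daviesMeyer(dhShared(drvPriv, chipPub)) // LDDM kernel component's Session Key (step 2)
	skChip := daviesMeyer(dhShared(chipPriv, drvPub))   // chip derives the same key independently
	contentKey := make([]byte, 16)                       // ProtectedDXVA: fresh key per premium stream
	rand.Read(contentKey)
	iv := []byte("constructed-iv16") // constructed 16-byte counter block; real use needs a fresh one per key
	chipContentKey := aesCTR(skChip, iv, aesCTR(skDriver, iv, contentKey)) // step 5: wrap, chip unwraps
	return string(aesCTR(chipContentKey, iv, aesCTR(contentKey, iv, samples))) == string(samples) // step 6
}
```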
PVP-UAB Status
• Graphics IHVs are well advanced with PVP-UAB graphics chips for 2006
  • First boards for test by end of 2005
• PVP-UAB is planned to ship with LDDM Advanced Scheduler
  • Planned for after Longhorn
  • An Advanced Scheduler driver and chip is required for PVP-UAB
• DDIs for PVP-UAB expected to be fully stabilized by Longhorn launch
Certification
• PVP OPM
  • Sign the license, get the certificate
  • Legal promise that you’ve done everything spec requires
• Compliance Rules
  • These are just a summary of the requirements stated in the spec
• If it turns out the requirements have not been properly met then:
  • Revocation
  • Other remedies
When PVP-UAB + PVP-OPM and when just PVP-OPM?
Is there a User Accessible Bus?
• Integrated Graphics
  • No need for PVP-UAB as no UAB
  • Do need PVP-OPM:
    • Output Protection Management
    • Authentication (simpler form)
    • Content industry agreement Hardware Robustness Rules
• Discrete Graphics on Motherboard
  • No need for PVP-UAB if soldered down
  • But HFS must be able to robustly determine the difference, e.g.:
    • Different secrets
    • Bonding options, e.g., ROM chip select
    • Bios arrangements
• Discrete Graphics Card
  • PVP-UAB is required
PUMA (Protected User Mode Audio)
Longhorn planned feature that provides ‘SAP Equivalence’ audio protection
New Audio Engine for Longhorn
• Longhorn provides a User Mode Audio engine
  • In Windows XP the audio is kernel mode
• Doing it in User Mode is better, because:
  • More robust
  • More extensible
• Designed to work well with UAA compliant audio devices
  • Microsoft also providing Class Driver
Diagram courtesy Alex Goyen’s WinHEC05 talk
Protected User Mode Audio
• Longhorn provides a software Protected Environment
  • Mitigates against software attacks
  • Some types of premium content will not play if a rogue component is present on the system
• Protected Environment protects the User Mode Audio engine, just like it protects the MIG (Media Interoperability Gateway)
• Protected environment + User Mode Audio
  • Audio is actually in a separate protected process
• SAP (Secure Audio Path) equivalence
  • SAP content will play using MIG/PE
P + UMA = PUMA
PUMA Architecture
[Architecture diagram spanning App Process (Premium Content App, Non-Premium Content App), Unprotected Infrastructure (MIG Session, Media Source, Plug-in e.g. CPPM, VAD), Protected Infrastructure / Protected Environment (MIG Engine, Input TA, Output TA, Policy Engine, Source Proxy, Decrypter, Transform, SAR, Audio Engine with VAS, Post-Mix, AEC, Constrictor, APO, VPO and POC, WAS API, uDWM (Video / Graphics)), Kernel Mode (Code Integrity, UAA Class Driver, Disk Driver, Mouse Driver, XYZ Driver, Output Command / Output Status) and Hardware (Motherboard or PCI(e) Southbridge Chip, HD-Audio / other buses, Codec). Legend: Protected Content Path, Authentication, Policy, Control; ownership: Microsoft, ISV, IHV]
SAR = Streaming Audio Renderer; VAD = Virtual Audio Device; VAS = Virtual Audio Server; VPO = Virtual Protected Output; POC = Protected Output Controller
Always in the mix
• There’s always a mix in progress
• With an audio mix comes the need for a policy mix
• Policy changes dynamically
• Policy is a stream that must be kept approximately in sync
Windows XP SAP
• Limited adoption
• Thwarts some recent DRM breaches
• Will not work for Longhorn audio architecture
SAP replaced by PUMA in Longhorn
Makes life easier for third party apps
PUMA provides the protection that content owners desire
HDMI
• HDCP protects the audio when the video is premium video
• New connector, new rules
• Need HDMI audio codec type
HDMI is happening, e.g. Audio Video Receivers with HDMI in and out
PCIe Bus
• Problem potentially affects:
  • Discrete audio and discrete graphics cards
  • HD & Blu-Ray DVD playback
• Pushing for a grace period like SPDIF
  • But it may only be a requirement delay
  • Eventually would be done with an Output Encryption APO
PUMA – A Necessary Step Down the Path
• What’s not in PUMA in Longhorn
  • Encryption over digital audio cables
    • HDMI has encryption, but only when video is premium
  • Encryption over PCIe User Accessible Bus
    • Not expected to be necessary
  • DVD-Audio playback
    • But ISVs could provide ITA plug-in to MIG with analog outputs
  • Watermark detection
    • High on content owner agenda, but tricky issues
  • HFS authentication of hardware
    • Might be a useful long term addition
[Timeline: Now (2005): No protection (SAP not turned on) or SAP protection (if turned on); Longhorn: PUMA, Protected Environment; Years in future, only if required: PAP, e.g. HFS & Encryption]
PAP (Protected Audio Path)
A possible future set of features that would provide the additional protection needed for Audio User Accessible Buses to codec chips
PAP Architecture
[Architecture diagram as for PUMA, with the PAP additions: an Output Encryption APO in the Protected Environment; HFS and AES with Kc and MKey on the host side; the north-south link marked not UAB and PCIe marked UAB down to the Southbridge Chip; an IHV Codec chip carrying HFS, AES, MKey and Kc’ over HD-Audio / other buses. Legend: Protected Content Path, Authentication, Policy, Control; ownership: Microsoft, ISV, IHV]
SAR = Streaming Audio Renderer; VAD = Virtual Audio Device; VAS = Virtual Audio Server; VPO = Virtual Protected Output; POC = Protected Output Controller
Call To Action
• Implement industry-standard protection mechanisms on graphics card outputs, and get a PVP-OPM license for your graphics driver
• For discrete graphics cards, implement PVP-UAB decryption and key mechanism etc. in your chip, and get a PVP-UAB license for your driver
• If you make audio codec chips, then come talk with us about future possibilities
Additional Resources
• PVP-OPM and PVP-UAB questions to: PVP @ microsoft.com
• PUMA and PAP questions to: PUMA @ microsoft.com
• WinHEC whitepaper
  • Longhorn Output Content Protection
    • Full write-up of this talk with lots of additional information
• Other WinHEC sessions
  • Protected Media Path and Driver Interoperability Requirements
    • Describes the Protected Environment used to mitigate software attacks
  • Longhorn Audio
    • Describes the new Longhorn user mode audio engine
  • Windows Graphics Overview
    • Describes the LDDM new graphics driver model
• Windows XP COPP info
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/graphics/hh/graphics/dxvaguide_6bdc2bbd-b55a-44e1-9e6b-638589e319f1.xml.asp
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.