Home | History | Annotate | Download | only in devices
      1 page.title=DRM
      2 @jd:body
      3 
      4 <!--
      5     Copyright 2010 The Android Open Source Project     
      6 
      7     Licensed under the Apache License, Version 2.0 (the "License");    
      8     you may not use this file except in compliance with the License.   
      9     You may obtain a copy of the License at    
     10 
     11         http://www.apache.org/licenses/LICENSE-2.0
     12 
     13     Unless required by applicable law or agreed to in writing, software    
     14     distributed under the License is distributed on an "AS IS" BASIS,    
     15     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   
     16     See the License for the specific language governing permissions and    
     17     limitations under the License.   
     18 -->
     19 
     20 <div id="qv-wrapper">
     21   <div id="qv">
     22     <h2>In this document</h2>
     23     <ol id="auto-toc">
     24     </ol>
     25   </div>
     26 </div>
     27 
     28 <p>This document introduces Widevine DRM security levels
     29   and certification requirements. It explains how to integrate and distribute Widevine DRM
     30   for your product. Android provides the Widevine DRM solution with a royalty-free
     31   license and we recommend that you use it for
     32   your protected playback solution. </p>
     33 
     34 <h2 id="overview">Overview</h2>
     35 <p>
     36 Availability of rich digital content is important to users on mobile devices. To make their content widely available,
     37 Android developers and digital content publishers need a consistent DRM implementation supported across the Android
     38 ecosystem. In order to make that digital content available on Android devices and to ensure that there is at least
     39 one consistent DRM available across all devices, Google provides Widevine DRM for free on compatible Android devices.
     40 On Android 3.0 and higher platforms, the Widevine DRM plugin is integrated with the Android DRM framework and uses
     41 hardware-backed protection to secure movie content and user credentials.
     42 </p>
     43 
     44 <p>
     45 The content protection provided by the Widevine DRM plugin depends on the security and content protection capabilities of the underlying hardware platform. The hardware capabilities of the device include hardware secure boot to establish a chain of trust of security and protection of cryptographic keys. Content protection capabilities of the device include protection of decrypted frames in the device and content output protection via a trusted output protection mechanism. Not all hardware platforms support all the above security and content protection features. Security is never implemented in a single place in the stack, but instead relies on the integration of hardware, software, and services. The combination of hardware security functions, a trusted boot mechanism, and an isolated secure OS for handling security functions is critical to provide a secure device.</p>
     46 
     47 
     48 <h3 id="framework">Android DRM Framework</h3>
     49 <p>Android 3.0 and higher platforms provide an extensible DRM framework that lets applications manage protected content using a
     50     choice of DRM mechanisms. For application developers, the framework offers an
     51     abstract, unified API that simplifies the management of protected content.
     52     The API hides the complexity of DRM operations and allows a consistent operation mode for both protected and unprotected
     53     content across a variety of DRM schemes. For device manufacturers, content owners, and Internet digital media providers
     54     the DRM framework plugin API provides a means of adding support for a DRM scheme of choice into the Android system, for
     55     secure enforcement of content protection.
     56 
     57     <p><strong>Note:</strong> We recommend that you integrate the Widevine
     58     solution as it is already implemented and ready for you to use. </p>
     59 </p>
     60 
     61 <h3 id="plugin">Widevine DRM Plugin</h3>
     62 
     63 <p>
     64 Built on top of the Android DRM framework, the Widevine DRM plugin offers DRM and advanced copy protection features on Android devices. Widevine DRM is available in binary form under a royalty free license from Widevine. The Widevine DRM plugin provides the capability to license, securely distribute, and protect playback of multimedia content. Protected content is secured using an encryption scheme based on the open AES (Advanced Encryption Standard). An application can decrypt the content only if it obtains a license from the Widevine DRM licensing server for the current user. Widevine DRM functions on Android in the same way as it does on other platforms. Figure 1 shows how the WideVine Crypto Plugin fits into the Android stack:</p>
     65 
     66 
     67  <img src="images/drm_hal.png" alt="" />
     68 
     69  <p class="img-caption"><strong>Figure 1.</strong> Widevine Crypto Plugin</p>
     70 
     71 
     72 <h2 id="integrating">Integrating Widevine into Your Product</h2>
     73 
     74 <p>The following sections go over the different security levels that Widevine supports and the requirements that your product must meet to
     75 support Widevine. After reading the information, you need to determine the security level for your target hardware, integration, and Widevine keybox provisioning requirements.
     76 </p>
     77 <p >
     78 To integrate and distribute Widevine DRM on Android devices, contact your Android technical account manager to begin Widevine DRM integration.
     79 We recommend you engage early in your device development process with the Widevine team to provide the highest level of content protection on the device. 
     80 Certify devices using the Widevine test player and submit results to your Android technical account manager for approval.
     81 </p>
     82 
     83 <h3 id="security">
     84 Widevine DRM security levels
     85 </h3>
     86 
     87 <p>Security is never implemented in a single place in the stack, but instead relies on the integration of hardware, software, and services. The combination of hardware security functions, a trusted boot mechanism, and an isolated secure OS for handling security functions is critical to provide a secure device.</p>
     88 
     89 <p>
     90 At the system level, Android offers the core security features of the Linux kernel, extended and customized for mobile devices. In the application framework, Android provides an extensible DRM framework and system architecture for checking and enforcing digital rights. The Widevine DRM plugin integrates with the hardware platform to leverage the available security capabilities. The level of security offered is determined by a combination of the security capabilities of the hardware platform and the integration with Android and the Widevine DRM plugin. Widevine DRM security supports the three levels of security shown in the table below. 
     91 </p>
     92 
     93 <table>
     94 
     95 <tr>
     96 <th>Security Level</th>
     97 <th>Secure Bootloader</th>
     98 <th>Widevine Key Provisioning</th>
     99 <th>Security Hardware or ARM Trust Zone</th>
    100 <th>Widevine Keybox and Video Key Processing</th>
    101 <th>Hardware Video Path</th>
    102 </tr>
    103 <tr>
    104   <td>Level 1</td>
    105   <td>Yes</td>
    106   <td>Factory provisioned Widevine Keys</td>
    107   <td>Yes</td>
    108   <td>Keys never exposed in clear to host CPU</td>
    109   <td>Hardware protected video path</td>
    110 <tr>
    111 
    112 <tr>
    113   <td>Level 2</td>
    114   <td>Yes</td>
    115   <td>Factory provisioned Widevine Keys</td>
    116   <td>Yes</td>
    117   <td>Keys never exposed in clear to host CPU</td>
    118   <td>Hardware protected video path</td>
    119 <tr>
    120 
    121 <tr>
    122   <td>Level 3</td>
    123   <td>Yes*</td>
    124   <td>Field provisioned Widevine Keys</td>
    125   <td>No</td>
    126   <td>Clear keys exposed to host CPU</td>
    127   <td>Clear video streams delivered to video decoder</td>
    128 <tr>
    129 
    130 </table>
    131 
    132 <p><superscript>*</superscript>Device implementations may use a trusted bootloader, where in the bootloader is authenticated via an OEM key stored on a system partition.</p>
    133 
    134 <h3 id="security-details">
    135 Security level details
    136 </h3>
    137 <h4>
    138 Level 1
    139 </h4>
    140 <p>In this implementation Widevine DRM keys and decrypted content are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values and the media content is decrypted by the secure hardware. This level of security requires factory provisioning of the Widevine key-box or requires the Widevine key-box to be protected by a device key installed at the time of manufacturing. The following describes some key points to this security level:
    141 </p>
    142 
    143 <ul>
    144   <li>Device manufacturers must provide a secure bootloader. The chain of trust from the bootloader must extend through any software or firmware components involved in the security implementation, such as the ARM TrustZone protected application and any components involved in the enforcement of the secure video path. </li>
    145   <li>The Widevine key-box must be encrypted with a device-unique secret key that is not visible to software or probing methods outside of the TrustZone.</li>
    146   <li>The Widevine key-box must be installed in the factory or delivered to the device using an approved secure delivery mechanism.</li>
    147   <li>Device manufacturers must provide an implementation of the Widevine Level 1 OEMCrypto API that performs all key processing and decryption in a trusted environment.</li>
    148 </ul>
    149 
    150 <h4>Level 2</h4>
    151 <p>
    152   In this security level, the Widevine keys are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values. An AES crypto block performs the high throughput AES decryption of the media stream.  The resulting clear media buffers are returned to the CPU for delivery to the video decoder. This level of security requires factory provisioning of the Widevine key-box or requires the Widevine key box to be protected by a key-box installed at the time of manufacturing.
    153   The following list describes some key requirements of this security level:
    154 </p>
    155 
    156 <ul>
    157   <li>Device manufacturers must provide a secure bootloader. The chain of trust from the bootloader must extend through any software or firmware components involved in the security implementation, such as the TrustZone protected application. </li>
    158   <li>The Widevine key-box must be encrypted with a device-unique secret key that is not visible to software or probing methods outside of the TrustZone.</li>
    159   <li>The Widevine key-box must be installed in the factory or delivered to the device using an approved secure delivery mechanism.</li>
    160   <li>Device manufacturers must provide an implementation of the Widevine Level 2 OEMCrypto API that performs all key processing and decryption in a trusted environment.</li>
    161   <li>Device manufacturers must provide a bootloader that loads signed system images only. For devices that allow users to load a custom operating system or gain root privileges on the device by unlocking the bootloader, device manufacturers must support the following:
    162     <ul>
    163       <li>Device manufacturers must provide a bootloader that allows a Widevine key-box to be written only when the bootloader is in a locked state.</li>
    164       <li>The Widevine key-box must be stored in a region of memory that is erased or is inaccessible when the device bootloader is in an unlocked state.</li>
    165     </ul>
    166   </li>
    167 </ul>
    168 
    169 <h4>Level 3</h4>
    170 <p>
    171 This security level relies on the secure bootloader to verify the system image. An AES crypto block performs the AES decryption of the media stream and the resulting clear media buffers are returned to the CPU for delivery to the video decoder.
    172 </p>
    173 
    174 <p>Device manufacturers must provide a bootloader that loads signed system images only. For devices that allow users to load a custom operating system or gain root privileges on the device by unlocking the bootloader, device manufacturers must support the following:</p>
    175     <ul>
    176       <li>Device manufacturers must provide a bootloader that allows a Widevine key-box to be written only when the bootloader is in a locked state.</li>
    177       <li>The Widevine key-box must be stored in a region of memory that is erased or is inaccessible when the device bootloader is in an unlocked state.</li>
    178     </ul>
    179