
DRM

Overview

Availability of rich digital content is important to users on mobile devices. To make their
content widely available, Android developers and digital content publishers need a
consistent DRM implementation supported across the Android ecosystem. In order to
make that digital content available on Android devices and to ensure that there is at
least one consistent DRM available across all devices, Google provides Widevine DRM
for free on compatible Android devices. On Android 3.0 and higher platforms, the
Widevine DRM plugin is integrated with the Android DRM framework and uses
hardware-backed protection to secure movie content and user credentials.

The content protection provided by the Widevine DRM plugin depends on the security
and content protection capabilities of the underlying hardware platform. The hardware
capabilities of the device include hardware secure boot to establish a chain of trust of
security and protection of cryptographic keys. Content protection capabilities of the
device include protection of decrypted frames in the device and content output
protection via a trusted output protection mechanism. Not all hardware platforms support
all the above security and content protection features. Security is never implemented in
a single place in the stack, but instead relies on the integration of hardware, software,
and services. The combination of hardware security functions, a trusted boot
mechanism, and an isolated secure OS for handling security functions is critical to
provide a secure device.

Android DRM Framework

Android 3.0 and higher platforms provide an extensible DRM framework that lets
applications manage protected content using a choice of DRM mechanisms. For
application developers, the framework offers an abstract, unified API that simplifies the
management of protected content. The API hides the complexity of DRM operations and
allows a consistent operation mode for both protected and unprotected content across a
variety of DRM schemes. For device manufacturers, content owners, and Internet digital
media providers the DRM framework plugin API provides a means of adding support for
a DRM scheme of choice into the Android system, for secure enforcement of content
protection.

Note: We recommend that you integrate the Widevine solution as it is already
implemented and ready for you to use.

Widevine DRM Plugin

Built on top of the Android DRM framework, the Widevine DRM plugin offers DRM and
advanced copy protection features on Android devices. Widevine DRM is available in
binary form under a royalty free license from Widevine. The Widevine DRM plugin
provides the capability to license, securely distribute, and protect playback of multimedia
content. Protected content is secured using an encryption scheme based on the open
AES (Advanced Encryption Standard). An application can decrypt the content only if it
obtains a license from the Widevine DRM licensing server for the current user. Widevine
DRM functions on Android in the same way as it does on other platforms. Figure 1
shows how the Widevine Crypto Plugin fits into the Android stack:

Figure 1. Widevine Crypto Plugin

Integrating Widevine into Your Product

The following sections go over the different security levels that Widevine supports and
the requirements that your product must meet to support Widevine. After reading the
information, you need to determine the security level for your target hardware,
integration, and Widevine keybox provisioning requirements.

To integrate and distribute Widevine DRM on Android devices, contact your Android
technical account manager to begin Widevine DRM integration. We recommend you
engage early in your device development process with the Widevine team to provide the
highest level of content protection on the device. Certify devices using the Widevine test
player and submit results to your Android technical account manager for approval.

Widevine DRM security levels

Security is never implemented in a single place in the stack, but instead relies on the
integration of hardware, software, and services. The combination of hardware security
functions, a trusted boot mechanism, and an isolated secure OS for handling security
functions is critical to provide a secure device.

At the system level, Android offers the core security features of the Linux kernel,
extended and customized for mobile devices. In the application framework, Android
provides an extensible DRM framework and system architecture for checking and
enforcing digital rights. The Widevine DRM plugin integrates with the hardware platform
to leverage the available security capabilities. The level of security offered is determined
by a combination of the security capabilities of the hardware platform and the integration
with Android and the Widevine DRM plugin. Widevine DRM security supports the three
levels of security shown in the table below.

| Security Level | Secure Bootloader | Widevine Key Provisioning | Security Hardware or ARM TrustZone | Widevine Keybox and Video Key Processing | Hardware Video Path |
| --- | --- | --- | --- | --- | --- |
| Level 1 | Yes | Factory provisioned Widevine Keys | Yes | Keys never exposed in clear to host CPU | Hardware protected video path |
| Level 2 | Yes | Factory provisioned Widevine Keys | Yes | Keys never exposed in clear to host CPU | Hardware protected video path |
| Level 3 | Yes* | Field provisioned Widevine Keys | No | Clear keys exposed to host CPU | Clear video streams delivered to video decoder |

*Device implementations may use a trusted bootloader, wherein the bootloader is
authenticated via an OEM key stored on a system partition.

Security level details

Level 1

In this implementation Widevine DRM keys and decrypted content are never exposed to
the host CPU. Only security hardware or a protected security co-processor uses clear
key values and the media content is decrypted by the secure hardware. This level of
security requires factory provisioning of the Widevine key-box or requires the Widevine
key-box to be protected by a device key installed at the time of manufacturing. The
following describes some key points to this security level:
• Device manufacturers must provide a secure bootloader. The chain of trust
  from the bootloader must extend through any software or firmware
  components involved in the security implementation, such as the ARM
  TrustZone protected application and any components involved in the
  enforcement of the secure video path.
• The Widevine key-box must be encrypted with a device-unique secret key that
  is not visible to software or probing methods outside of the TrustZone.
• The Widevine key-box must be installed in the factory or delivered to the
  device using an approved secure delivery mechanism.
• Device manufacturers must provide an implementation of the Widevine Level 1
  OEMCrypto API that performs all key processing and decryption in a trusted
  environment.

Level 2

In this security level, the Widevine keys are never exposed to the host CPU. Only
security hardware or a protected security co-processor uses clear key values. An AES
crypto block performs the high throughput AES decryption of the media stream. The
resulting clear media buffers are returned to the CPU for delivery to the video decoder.
This level of security requires factory provisioning of the Widevine key-box or requires
the Widevine key-box to be protected by a key-box installed at the time of
manufacturing. The following list describes some key requirements of this security level:
• Device manufacturers must provide a secure bootloader. The chain of trust
  from the bootloader must extend through any software or firmware
  components involved in the security implementation, such as the TrustZone
  protected application.
• The Widevine key-box must be encrypted with a device-unique secret key that
  is not visible to software or probing methods outside of the TrustZone.
• The Widevine key-box must be installed in the factory or delivered to the
  device using an approved secure delivery mechanism.
• Device manufacturers must provide an implementation of the Widevine Level 2
  OEMCrypto API that performs all key processing and decryption in a trusted
  environment.
• Device manufacturers must provide a bootloader that loads signed system
  images only. For devices that allow users to load a custom operating system
  or gain root privileges on the device by unlocking the bootloader, device
  manufacturers must support the following:
    o Device manufacturers must provide a bootloader that allows a
      Widevine key-box to be written only when the bootloader is in a
      locked state.
    o The Widevine key-box must be stored in a region of memory that is
      erased or is inaccessible when the device bootloader is in an
      unlocked state.

Level 3

This security level relies on the secure bootloader to verify the system image. An AES
crypto block performs the AES decryption of the media stream and the resulting clear
media buffers are returned to the CPU for delivery to the video decoder.

Device manufacturers must provide a bootloader that loads signed system images only.
For devices that allow users to load a custom operating system or gain root privileges on
the device by unlocking the bootloader, device manufacturers must support the
following:
• Device manufacturers must provide a bootloader that allows a Widevine key-box
  to be written only when the bootloader is in a locked state.
• The Widevine key-box must be stored in a region of memory that is erased or
  is inaccessible when the device bootloader is in an unlocked state.
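
The two bootloader requirements listed for Level 2 and Level 3 (key-box writes only in the locked state; storage erased or inaccessible once unlocked) can be modelled as a small state machine. This C sketch is an added example, not Widevine or Android source code; `device_t`, `kb_status`, the function names and the 128-byte size are hypothetical choices made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEYBOX_LEN 128  /* size chosen for this example */
typedef enum { KB_OK, KB_ERR_UNLOCKED, KB_ERR_EMPTY, KB_ERR_ARG } kb_status;

/* Hypothetical model of a bootloader that owns the key-box storage region. */
typedef struct {
    bool locked;                 /* bootloader lock state */
    bool provisioned;            /* a key-box has been written */
    uint8_t keybox[KEYBOX_LEN];  /* stands in for the protected region */
} device_t;

/* Write through a volatile pointer so the compiler cannot drop the erase. */
static void wipe(uint8_t *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* A key-box may be written only while the bootloader is locked. */
kb_status keybox_write(device_t *d, const uint8_t *blob, size_t len) {
    if (!d || !blob || len != KEYBOX_LEN) return KB_ERR_ARG;
    if (!d->locked) return KB_ERR_UNLOCKED;
    memcpy(d->keybox, blob, KEYBOX_LEN);
    d->provisioned = true;
    return KB_OK;
}

/* Erase first, then change state: there is no window in which code
 * running on an unlocked device can observe the key-box. */
void bootloader_unlock(device_t *d) {
    wipe(d->keybox, KEYBOX_LEN);
    d->provisioned = false;
    d->locked = false;
}

/* Relocking does not restore the key-box; the device must be re-provisioned. */
void bootloader_lock(device_t *d) { d->locked = true; }

/* Reads are refused while unlocked, independent of the erase. */
kb_status keybox_read(const device_t *d, uint8_t *out) {
    if (!d || !out) return KB_ERR_ARG;
    if (!d->locked) return KB_ERR_UNLOCKED;
    if (!d->provisioned) return KB_ERR_EMPTY;
    memcpy(out, d->keybox, KEYBOX_LEN);
    return KB_OK;
}
```

The read gate and the erase are deliberately redundant: either one alone satisfies "erased or inaccessible", and together they tolerate a failure of the other.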
