Kernel support for HDCP
HDCP is based on encryption and authentication. An HDCP-compliant device is not allowed to send high-quality media streams to any other device that cannot authenticate itself under the HDCP protocol and show that it contains a suitable key. In theory, HDCP prevents the extraction of digital media streams from a chain of devices using it; the practice is, as is often the case, a bit less certain. That notwithstanding, various content providers require HDCP to be present before making their offerings available.
Many of the devices implementing HDCP — set-top boxes, televisions, etc. — run Linux, but the kernel itself does not currently have HDCP support. That may be about to change with this patch set from Sean Paul implementing HDCP for Intel i915 graphics. One part of the patch set in particular provides a generic capability in the direct-rendering layer to enable user space to turn on the content protection feature of the hardware; the application can also verify whether the graphics subsystem was able to establish an authenticated connection with the device at the other end of the cable. Said application is likely to use that information to refuse to play content in the absence of an HDCP-compliant device on the line.
This patch is not new; it was first posted
in 2014. Paul noted that: "We [Google] have been using this in
ChromeOS across exynos, mediatek, and rockchip over that time
". So,
in a sense, the kernel has had HDCP support for some time, it just hasn't
found its way into the mainline.
Naturally, some developers might prefer that such a feature not get into
the mainline now either. Pavel Machek, in particular, questioned the value of HDCP support, asking
when the user of a machine would ever want to turn this feature on. Alex
Deucher replied that it could be used to
protect sensitive video streams in governmental offices (though Alan Cox questioned that idea). Paul said: "We have a lot of Chrome OS users
who would really like to enjoy premium hd content on their tvs
".
There is truth in that latter claim. Just like many users didn't see a
Linux system as being usable without the ability to play MP3 files
regardless of that format's patent issues, others
want to use their systems to play content that is only available through
HDCP-protected streams.
The defenders of HDCP also made the point that the hardware has the
content-protection capability already; the kernel patches are merely
exposing that capability to user space. They bring the feature in from the
cold and put it where it can be seen; as Paul put it: "Having all of
the code in the open allows users to see what is happening with their
hardware, how is this a bad thing?
" The alternative, he noted,
might be to hide the feature entirely in the firmware or in a user-space
binary blob.
The real complaint, arguably, is not that the patch makes an undesirable feature available. User space can instruct current kernels to do no end of unpleasant things already. Instead, consider this reply from Daniel Vetter explaining that the HDCP feature is not a full content-protection implementation:
Machek complained that having the feature
available would lead to the creation of more systems that are locked down
in just this manner. "That is evil, and [a] direct threat to [the] free
software movement
", he said. No doubt, others will agree with that
sentiment.
The problem with this argument, of course, is that those systems already exist, and the kernel patches that enable hardware DRM capabilities already exist. Hardware vendors have not proved to be even slightly reluctant to apply out-of-tree patches to their kernels, so keeping this feature out of the mainline is unlikely to have any measurable effect on the number of locked-down systems in the market. The technology exists, and content providers seem to be of the opinion that it will prevent their precious shows from being pirated, so it will be shipped in consumer devices regardless of the state of mainline kernel support.
What keeping this code out of the kernel would do is to make a statement that digital rights management technologies are unwelcome in general. That is an unlikely position for the kernel community to take, though. It is worthwhile to take a look back at Linus Torvalds's 2003 "DRM is perfectly OK with Linux!" posting for the policy that he applies to kernel code implementing this sort of feature. Beyond that, one should remember that the bulk of kernel development is supported by companies working in this area; such companies have proved remarkably reluctant to take this kind of philosophical position.
So the end result is almost certainly that this patch set will go in
without a whole lot of fuss. In
the distant future, when consumer-electronics device vendors upgrade their
kernels, they'll have one less out-of-tree patch to apply in the process.
Beyond that, it is unlikely that anybody will notice any difference.
Posted Dec 8, 2017 3:46 UTC (Fri)
by pabs (subscriber, #43278)
[Link] (4 responses)
https://freedom-to-tinker.com/2010/09/16/understanding-hd...
Posted Dec 12, 2017 11:53 UTC (Tue)
by daniels (subscriber, #16193)
[Link] (2 responses)
Posted Dec 12, 2017 16:08 UTC (Tue)
by excors (subscriber, #95769)
[Link] (1 responses)
HDCP support by itself isn't sufficient for implementing a secure video path (i.e. proper hard-to-break DRM), but it's a necessary step towards it. It seems rational for people who object to DRM to object to every step towards it, hoping they can increase the cost of supporting DRM to be so high that its proponents decide it's no longer worthwhile and stop using DRM.
(On the other hand it appears to be far too late for that, since device manufacturers already consider the value of supporting DRM to be greater than the cost of maintaining out-of-tree patches, so objecting at this point won't stop DRM and will just increase costs with no benefit.)
Posted Dec 12, 2017 16:47 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
On the other hand, HDCP support has uses outside DRM, thanks to buggy sinks that require HDCP before they handle the data at all (this is not just a hypothetical - I've encountered an A/V amp that would only play HDMI Basic Audio unless the source had HDCP, which was fun to debug when both ends said they had valid audio data - and all my "consumer" kit does HDCP if the sink supports it, so a normal user won't know that their sink has this bug until they switch to a free OS).
So, while this might well be the first step towards a protected video path, it's also got other uses beyond DRM, thanks to buggy kit that's already in the wild.
Posted Dec 8, 2017 6:43 UTC (Fri)
by Otus (subscriber, #67685)
[Link] (14 responses)
Might as well just add the interface that always says encryption is enabled. Would amount to the same thing DRM-wise.
(If there really is a non-DRM use case it's another matter of course.)
Posted Dec 8, 2017 8:03 UTC (Fri)
by blackwood (guest, #44174)
[Link] (13 responses)
Posted Dec 8, 2017 21:56 UTC (Fri)
by dsommers (subscriber, #55274)
[Link] (1 responses)
How to do that is quite well described here:
The issues DRM (thus HDCP) tries to resolve can not be resolved fully by technical limitations. But lawyers and other non-techs coming up with these ideas initially are not capable of fully comprehend this. I wish they would learn at some point, but I doubt it.
Posted Dec 8, 2017 23:32 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link]
Your machine used Secure Boot but was not fully locked down. On a locked-down system there would be no mechanism for installing additional keys. Even in systems which are not locked down, installing your own keys might disable support for DRM. For example, witness all the problems people have with SafetyNet on Android—just unlocking the bootloader can be enough to trigger it, even if you don't modify any of the software.
One area where this interface to enable HDCP might come in handy, outside of a locked-down system, is supplying Dolby TrueHD audio over HDMI. The relevant standards mandate that TrueHD audio can only be carried over HDMI interfaces which have HDCP enabled. It makes no difference that the _source_ of the audio was not encumbered by DRM—without HDCP, a compliant receiver won't accept TrueHD input.
Posted Dec 9, 2017 10:51 UTC (Sat)
by Otus (subscriber, #67685)
[Link] (10 responses)
How does the software know whether that's the case?
I mean if you have a piece of software that only comes preinstalled on, say, Chrome OS devices, then maybe you can assume that. But a media streaming app that is supposed to work on any device cannot. Firefox cannot. Those are the interesting applications for users.
Posted Dec 9, 2017 12:30 UTC (Sat)
by excors (subscriber, #95769)
[Link]
Firefox might still need to know about HDCP so it can enable it when desired, present meaningful error messages to the user, etc, so it needs APIs for that; but it can't subvert the DRM, since that's enforced at lower levels.
Posted Dec 9, 2017 13:32 UTC (Sat)
by emunson (subscriber, #44357)
[Link] (8 responses)
*Caveats apply about trusting firmware, etc
Posted Dec 9, 2017 20:28 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (7 responses)
Posted Dec 10, 2017 3:27 UTC (Sun)
by emunson (subscriber, #44357)
[Link] (2 responses)
Posted Dec 11, 2017 11:53 UTC (Mon)
by matthias (subscriber, #94967)
[Link]
Posted Dec 12, 2017 12:20 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
I've encountered A/V gear that will only handle 48 kHz, 16 bit stereo PCM or lower quality audio without HDCP - it simply outputs silence if you give it anything else. Without this change, Linux is limited to low quality audio; with it, it can send bitstream audio to that device (Dolby Digital, DTS and friends), or it can send anything up to 192 kHz 8 channel 24 bit PCM and have it heard.
So, that's one gain - better interoperability with buggy gear.
Posted Dec 11, 2017 13:45 UTC (Mon)
by mageta (subscriber, #89696)
[Link] (3 responses)
TPM designed a way for this: EK certificates. The EK private portion is saved on the TPM, the public part is signed on a certificate by a third party and proves that the key-pair belongs to a real TPM. If the DRM software would verify this, then it'll be hard for you to "fake" a TPM in software, w/o also convincing the signing party that your software TPM is "real".
At least that is my somewhat outdated understanding (last time I did something with TPM was 3 years ago).
Posted Dec 11, 2017 19:37 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Dec 11, 2017 21:43 UTC (Mon)
by mageta (subscriber, #89696)
[Link] (1 responses)
Anyway. I am by no means an expert in making tamper proof/resistant software. I just knew that for the one case you mentioned, there was a solution. How to build that into a closed complete stack is too much for my limited knowledge.
Posted Dec 11, 2017 21:59 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link]
Posted Dec 8, 2017 15:18 UTC (Fri)
by JFlorian (guest, #49650)
[Link] (5 responses)
Posted Dec 8, 2017 17:20 UTC (Fri)
by mageta (subscriber, #89696)
[Link] (1 responses)
Showing "goodwill" here buys us nothing.
But I guess its the practical thing to do...
Posted Dec 8, 2017 19:29 UTC (Fri)
by JFlorian (guest, #49650)
[Link]
Posted Dec 9, 2017 6:24 UTC (Sat)
by flussence (guest, #85566)
[Link] (2 responses)
Now the same spotlight will be shining on AMD and nVidia, who've both just lost the #1 excuse for, respectively, gerrymandering radeonhd/avivo to death and being nVidia. If they won't shape up, the hacker subculture that's currently tearing Intel ME to shreds will probably answer for them without the mercy of an NDA. Who knows what skeletons are in their blob firmware closets?
Posted Dec 10, 2017 0:54 UTC (Sun)
by pabs (subscriber, #43278)
[Link] (1 responses)
The only WiFi vendor I know of who did that was Atheros before they were bought by Qualcomm (ar9170.fw and open-ath9k-htc-firmware). The Free Software advocate who was responsible for that left the company before the sale IIRC, so it seems unlikely Qualcomm would start releasing code.
The WiFi firmware reverse engineering efforts I'm aware of are not doing very well. The last OpenFWWF release was one year ago. p54u is completely dead and the source code seems gone from the Internet.
Posted Dec 15, 2017 8:27 UTC (Fri)
by flussence (guest, #85566)
[Link]
My point is that by having HDCP in-kernel, there's another nail in the coffin for proprietary graphics driver blobs (Broadcom/Qualcomm are awful in this area too). Closed firmware is still Evil™ but it's usually tiny compared to drivers, thus much easier to figure out what's being kept hidden and put targeted pressure on the vendors.
Kernel support for HDCP
http://www.zdnet.com/blog/hardware/high-bandwidth-digital...
https://web.archive.org/web/20101126154314/http://pastebi...
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
https://access.redhat.com/documentation/en-us/red_hat_ent...
Kernel support for HDCP
> I've compiled my own kernel module with Secure Boot enabled. I had to do some tricks with SHIM to install an additional key though.
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
Kernel support for HDCP
They didn't, but for a long time they clung to regulatory laws as an excuse for having proprietary *drivers* too - that's the whole charade CRDA was built to shoot down, and it was mostly successful. We no longer need b43-fwcutter because there's no driver blob to cut the firmware out of.