
Protected Media Path and Driver Interoperability Requirements



Presentation Transcript


  1. Protected Media Path and Driver Interoperability Requirements
  Anton Kucer, Program Manager, Digital Media Division, Microsoft Corporation

  2. Session Outline
  • Protected Media Path (PMP) Overview
  • Media Interoperability Gateway (MIG)
  • Protected Environment (PE)
  • Protected Video Path (PVP)
  • Protected User Mode Audio (PUMA)
  • Revocation and renewability overview
  • Participating vs. non-participating drivers overview
  • Participating driver requirements
  • Non-participating driver requirements
  • Best practices for Kernel Mode Components
  • PMP availability

  3. Objective
  Enable the PC to play and interoperate with premium content in 2006 and beyond
  [Diagram: devices connected over a network, each link labelled with the protection that applies to it: DRM or CP, DRM or LP, LP, or LP or CA]
  CA – Conditional Access; CP – Copy Protection; DRM – Digital Rights Management; LP – Link Protection

  4. Protected Media Path (PMP) Benefits
  • Strengthen platform robustness for next-generation content (AACS, DTCP, etc.)
  • Vastly improved protection against content piracy
  • Protects content crossing user accessible buses
  • Improves protection and control of PC AV outputs
  • Architecture for interoperating with other protection systems

  5. PMP Overview
  • Media Interoperability Gateway
    • Extensible platform for sourcing, sinking and manipulating protected media content
    • Governs policy usage
    • Runs media in a separate process
  [Diagram: PMP architecture. An Application issues Command / Control to the Media Interoperability Gateway, which runs inside a Protected Environment (PE) and contains the Media Source, Input Trust Authority, Output Trust Authority and Policy Engine. Video goes through the Protected Video Path (Video Decryptor, Video Decoder, Video Sink, Video Compositor, then the kernel Graphics Device); audio goes through Protected User Mode Audio (its own Input Trust Authority and Output Trust Authority, a PE User Mode Audio process with Audio Decryptor, Audio Decoder and Audio Sink, then the kernel Audio Device).]

  6. PMP Overview
  • Protected Environment
    • Secure the kernel to trusted modules
    • Run protected media in a separate process
    • Protect that process against other processes
    • Verify components loaded into a secure process
  [Same architecture diagram as slide 5, with the Protected Environment boundaries around the MIG and the User Mode Audio process highlighted]

  7. PMP Overview
  • Input Trust Authority
    • Implements a specific content protection system
    • Defines output policy
    • Specifies minimum version # for revocation list
    • Supplies decryptor if needed
  [Same architecture diagram as slide 5, with the Input Trust Authority highlighted]

  8. PMP Overview
  • Output Trust Authority
    • Represents and enforces an output protection system (e.g. HDCP, Macrovision, etc.)
  [Same architecture diagram as slide 5, with the Output Trust Authority highlighted]

  9. PMP Overview
  • Policy Engine
    • Negotiates policy
    • Ensures only trusted components are loaded
    • Defines output policy
  [Same architecture diagram as slide 5, with the Policy Engine highlighted]

  10. PMP Overview
  • Protected Video Path
    • Securely delivers video to graphics card and beyond…
  [Same architecture diagram as slide 5, with the Protected Video Path highlighted]

  11. PMP Overview
  • Protected User Mode Audio
    • Audio Engine within the Protected Environment
  [Same architecture diagram as slide 5, with Protected User Mode Audio highlighted]

  12. Revocation & Renewability Overview
  • Revocation: a previously trusted component is no longer considered trustworthy
  • Renewal: the process by which a revoked component is replaced with a trustworthy equivalent
  • Protected Media Path (PMP) revocation
    • All components that can be used or compromised to circumvent content protection can be revoked
    • Includes all kernel components and user components loaded in a PE
    • A revoked component can prevent playback of next generation content
    • Enforced by the Global Revocation List (GRL)
      • Minimum version # of the GRL can be mandated by the Input Trust Authority (ITA)
      • Can be indicated by content or license
      • A secure service provides secure access to the latest version of the GRL
    • Output Trust Authority (OTA) enforces downstream revocation

  13. Revocation & Renewability Overview
  • Protected Media Path (PMP) Renewability
    • All PMP components are renewable
    • If renewal fails, either the component is no longer provided access to content or some next generation premium content does not play
      • Unprotected content still plays
      • Non-media scenarios can still work
    • Facilitate an intuitive user experience for easy renewal of revoked components

  14. Simplified PE Trust Flow
  [Diagram: in user mode, the Media Interoperability Gateway process (Input Trust Authority, Output Trust Authority, other binaries in the MIG process) and a downstream process, e.g. User Mode Audio, are each marked as a Protected Environment. In kernel mode sit the Kernel Core (CI.sys, Process Manager), a Participating Video Driver and other kernel binaries. The edges are labelled "Verify binary before loading" (kernel core checking binaries as they enter a PE) and "Challenge response" (between the PE and the participating video driver).]

  15. Driver Policy Overview
  • Robustness via “driver/software signing”
  • “Participating Software”
    • Allowed to manipulate protected content
    • Behavior governed by explicit licensing
      • PE license requirements
      • Participating driver license requirements
      • Protected Video Path (PVP) & Protected User Mode Audio (PUMA)
    • Breached components can be revoked
  • “Non-Participating Drivers”
    • Not allowed to manipulate protected content
    • Playback of next generation premium content requires signing
    • Next generation premium content will not play when an unsigned/revoked driver is running
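Slides 12 to 15 describe the admission decision in words: the kernel core verifies a binary's signature before it enters a PE, the Policy Engine checks it against the Global Revocation List, and the Input Trust Authority may insist on a minimum GRL version for the content. The following C program is an added example that models that decision; it is not code from the deck or from Windows. The component ids, the GRL layout, the `pe_admit` and `pipeline_check` functions and all sample data are constructed for illustration, and the real GRL format is not described on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REVOKED 8

/* Constructed component record. `id` stands in for however the real GRL
   identifies a binary; `signed_ok` models the kernel core's signature
   check ("verify binary before loading") having passed. */
typedef struct {
    const char *name;
    const char *id;
    bool        signed_ok;
} component_t;

/* Constructed GRL: a version number plus the ids it revokes. */
typedef struct {
    uint32_t    version;
    const char *revoked[MAX_REVOKED];
    size_t      n_revoked;
} grl_t;

typedef enum {
    ADMIT_OK = 0,
    DENY_GRL_TOO_OLD, /* ITA mandates a newer GRL than the one held */
    DENY_UNSIGNED,    /* signature check failed: never loaded into the PE */
    DENY_REVOKED      /* listed in the GRL: needs renewal before playback */
} verdict_t;

static bool grl_is_revoked(const grl_t *grl, const char *id)
{
    for (size_t i = 0; i < grl->n_revoked; i++)
        if (strcmp(grl->revoked[i], id) == 0)
            return true;
    return false;
}

/* Decide whether one component may be admitted to the PE for content whose
   ITA mandates ita_min_grl_version. The GRL age is checked first: a stale
   list cannot be trusted to say a component is clean, so the caller should
   refresh it from the secure service and retry. */
verdict_t pe_admit(const grl_t *grl, uint32_t ita_min_grl_version,
                   const component_t *c)
{
    if (grl->version < ita_min_grl_version)
        return DENY_GRL_TOO_OLD;
    if (!c->signed_ok)
        return DENY_UNSIGNED;
    if (grl_is_revoked(grl, c->id))
        return DENY_REVOKED;
    return ADMIT_OK;
}

/* Check a whole pipeline. Premium content plays only if every component is
   admitted. Returns the index of the first rejected component (its verdict
   in *why) or -1 when all are admitted. */
int pipeline_check(const grl_t *grl, uint32_t ita_min_grl_version,
                   const component_t *comps, size_t n, verdict_t *why)
{
    for (size_t i = 0; i < n; i++) {
        verdict_t v = pe_admit(grl, ita_min_grl_version, &comps[i]);
        if (v != ADMIT_OK) {
            if (why) *why = v;
            return (int)i;
        }
    }
    if (why) *why = ADMIT_OK;
    return -1;
}

/* Constructed sample data: GRL version 3 revokes one decoder build. */
const grl_t sample_grl = { 3, { "id-decoder-build-17" }, 1 };
const component_t sample_pipeline[] = {
    { "video decryptor", "id-decryptor-build-4", true },
    { "video decoder",   "id-decoder-build-17", true },
    { "video sink",      "id-sink-build-9",     true },
};
const size_t sample_pipeline_len = sizeof sample_pipeline / sizeof sample_pipeline[0];
const component_t sample_unsigned = { "third-party filter", "id-filter-build-1", false };

int main(void)
{
    verdict_t why;
    int bad = pipeline_check(&sample_grl, 3, sample_pipeline,
                             sample_pipeline_len, &why);
    if (bad < 0)
        puts("all components admitted: premium content may play");
    else
        printf("component %d (%s) rejected with verdict %d: content will not "
               "play until it is renewed\n", bad, sample_pipeline[bad].name, why);
    return 0;
}
```

The ordering matters: an unsigned binary is rejected before the GRL is consulted, because slide 14 places signature verification at load time, while a revoked but validly signed component is the case renewal (slide 13) exists for. Unprotected content is outside this check entirely, which is why the deck can say it still plays.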

  16. Participating Software Requirements
  • Robustness and Compliance requirements
    • Mandatory guidelines and rules for PE
    • Legally binding
  • Classes of robustness rules
    • Any binary loaded in a PE
    • Input trust authorities and decryptors
    • Output trust authorities and encryptors
  • Rules for all components include
    • No managed code
    • Minimize buffer and integer overflow vulnerabilities
    • Maintain isolation of PE and PE assets
    • Safe exposure of services
    • Security aware messages
    • Memory safety
    • Do not invoke debug breakpoints such as ASSERT

  17. Non-Participating Driver Requirements
  • Playback of next generation premium content requires non-participating drivers to be signed
    • Class 3 certificate required from a Microsoft Root Certificate Program Member
    • Will NOT require licensing with Microsoft
    • No requirement to assert conformance to compliance/robustness rules
  • Protected Media Path and Longhorn Logo Program
    • Premium and Standard Level
    • All kernel components must be signed
    • Class 3 certificate required

  18. Revoking/Disabling Non-Participating Drivers
  • A non-participating driver can be revoked
    • Next generation premium content will not play when an unsigned/revoked driver is running
    • Consumer is given the choice to disable unsigned/revoked drivers
  • Mitigating consumer impact
    • Evangelism to industry
    • Consumer friendly notice
    • Facilitate a solution when possible

  19. Best Practices for Kernel Mode Components
  • Incorporate threat modeling in the design process
  • Guard against illegal access to kernel space to prevent attacks and possible driver revocation
  • Use LoadModule to load additional code into kernel space
  • Clean up IOCTL functions
    • No backdoor to kernel code
    • No unnecessary code in release versions, e.g. code for debugging
  • Do not map kernel addresses to user space
  • Do not take user code to execute in kernel space
  • Do not map user code to execute from kernel space
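Slide 16 asks participating components to minimize buffer and integer overflow vulnerabilities, and slide 19 asks every kernel component to clean up its IOCTL functions, carry no backdoor or leftover debug path, and never map or execute caller-supplied kernel addresses. The following portable C program is an added example of an IOCTL dispatcher built to those rules; it is not code from the deck or from any Windows driver. The request structure, the control codes, `FAKE_USER_LIMIT` (a stand-in for the kernel's own user/kernel address boundary and its probe checks), and the `try_*` scenario helpers are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAKE_USER_LIMIT   0x7fffffffULL /* constructed user/kernel boundary */
#define ENTRY_SIZE        16u
#define MAX_TABLE_ENTRIES 1024u

typedef enum {
    ST_OK = 0,
    ST_UNKNOWN_CODE, /* no handler: there is no undocumented "debug" code */
    ST_BAD_LENGTH,   /* caller's buffer is smaller than its content claims */
    ST_OVERFLOW,     /* caller-controlled count exceeds the driver's bound */
    ST_BAD_POINTER   /* caller passed a null or kernel-range address */
} status_t;

/* Constructed request shape; stands in for the IRP and its stack location. */
typedef struct {
    uint32_t       code;
    const uint8_t *in;
    size_t         in_len;
    uint8_t       *out;
    size_t         out_len;
    size_t         bytes_returned;
} ioctl_req_t;

enum { IOCTL_GET_VERSION = 0x801, IOCTL_SET_TABLE = 0x802 }; /* constructed */

/* SET_TABLE input header: `count` ENTRY_SIZE-byte entries follow it, and
   `user_ptr` is an address the caller asks the driver to use later. */
typedef struct {
    uint32_t count;
    uint64_t user_ptr;
} set_table_hdr_t;

static status_t on_get_version(ioctl_req_t *r)
{
    const uint32_t ver = 0x00010000;  /* constructed value */
    if (r->out_len < sizeof ver)      /* never write past the caller's buffer */
        return ST_BAD_LENGTH;
    memcpy(r->out, &ver, sizeof ver);
    r->bytes_returned = sizeof ver;
    return ST_OK;
}

static status_t on_set_table(ioctl_req_t *r)
{
    set_table_hdr_t hdr;
    if (r->in_len < sizeof hdr)
        return ST_BAD_LENGTH;
    memcpy(&hdr, r->in, sizeof hdr);   /* copy once, validate the copy: no
                                          second fetch from caller memory */
    if (hdr.count > MAX_TABLE_ENTRIES) /* bounds the multiply below so
                                          count * ENTRY_SIZE cannot wrap */
        return ST_OVERFLOW;
    size_t need = sizeof hdr + (size_t)hdr.count * ENTRY_SIZE;
    if (r->in_len < need)              /* the claimed entries must be present */
        return ST_BAD_LENGTH;
    /* A caller-supplied address must lie in user space; a kernel address
       accepted here is how a driver ends up mapping or executing kernel
       memory on a caller's behalf. */
    if (hdr.user_ptr == 0 || hdr.user_ptr > FAKE_USER_LIMIT)
        return ST_BAD_POINTER;
    /* ... the validated entries would be processed here ... */
    return ST_OK;
}

typedef status_t (*handler_fn)(ioctl_req_t *);
static const struct { uint32_t code; handler_fn fn; } dispatch_table[] = {
    { IOCTL_GET_VERSION, on_get_version },
    { IOCTL_SET_TABLE,   on_set_table   },
};

/* Single entry point: every reachable code is in the table above. */
status_t ioctl_dispatch(ioctl_req_t *r)
{
    r->bytes_returned = 0;
    for (size_t i = 0; i < sizeof dispatch_table / sizeof dispatch_table[0]; i++)
        if (dispatch_table[i].code == r->code)
            return dispatch_table[i].fn(r);
    return ST_UNKNOWN_CODE;
}

/* Scenario helpers that build constructed requests. */
status_t try_set_table(uint32_t count, uint64_t user_ptr, size_t payload_len)
{
    static uint8_t buf[sizeof(set_table_hdr_t) + 4 * ENTRY_SIZE];
    if (payload_len > sizeof buf - sizeof(set_table_hdr_t))
        return ST_BAD_LENGTH;
    set_table_hdr_t hdr = { count, user_ptr };
    memset(buf, 0, sizeof buf);
    memcpy(buf, &hdr, sizeof hdr);
    ioctl_req_t r = { IOCTL_SET_TABLE, buf, sizeof hdr + payload_len, NULL, 0, 0 };
    return ioctl_dispatch(&r);
}

status_t try_code(uint32_t code, size_t out_len)
{
    uint8_t out[8] = { 0 };
    ioctl_req_t r = { code, NULL, 0, out, out_len <= sizeof out ? out_len : 0, 0 };
    return ioctl_dispatch(&r);
}

int main(void)
{
    printf("valid table:    %d\n", try_set_table(1, 0x1000, ENTRY_SIZE));
    printf("short buffer:   %d\n", try_set_table(2, 0x1000, ENTRY_SIZE));
    printf("huge count:     %d\n", try_set_table(0xffffffffu, 0x1000, ENTRY_SIZE));
    printf("kernel pointer: %d\n", try_set_table(1, 0xffff800000000000ULL, ENTRY_SIZE));
    printf("unknown code:   %d\n", try_code(0x999, 8));
    return 0;
}
```

Each rejection maps to one slide rule: the length and count checks are the overflow guidance from slide 16, the closed dispatch table is "no backdoor to kernel code", and the address-range check is the "do not map kernel addresses" pair from slide 19. In a real driver the range check would be the kernel's probe routines rather than a constant, and the request shape would be the IRP.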

  20. MIG/PE Availability
  • Planned Windows codenamed “Longhorn” RTM feature
  • Only available in Longhorn
  • Extensibility APIs planned to be available in Beta 2

  21. Call To Action
  • Security for next generation premium content requires PMP
  • Enable an ecosystem in which the majority of Longhorn PCs are able to play back next generation premium content:
    • Ensure that all your kernel mode components are signed
      • Longhorn Logo Program Standard and Premium Level requirement
    • Follow best practices when developing kernel components
      • For all kernel components, follow best practices to avoid revocation
      • For participating components, understand and follow PMP Robustness and Compliance rules

  22. Community Resources
  • Windows Hardware & Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
  • Technical Communities: www.microsoft.com/communities/products/default.mspx
  • Non-Microsoft Community Sites: www.microsoft.com/communities/related/default.mspx
  • Microsoft Public Newsgroups: www.microsoft.com/communities/newsgroups
  • Technical Chats and Webcasts: www.microsoft.com/communities/chats/default.mspx, www.microsoft.com/webcasts
  • Microsoft Blogs: www.microsoft.com/communities/blogs

  23. Additional Resources
  • Email: PMPath @ microsoft.com
  • Related Sessions
    • Longhorn Output Content Protection
      • Provides details on PVP, PUMA, and Protected Audio Path (PAP)
    • The Next Generation Designed for Windows Logo Program: An introduction
    • Longhorn Partner Logo Program: The Next Generation of “Designed for Windows”

  24. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
