se-4087, leveraging hw-based content security, by dan wong

LEVERAGING HW-BASED CONTENT SECURITY

DAN WONG NOV 2013

| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 2

OBJECTIVES

Brief media ISVs about HW based content security in AMD products

Describe the API/SDK that AMD offers to simplify solution enablement

Explain the process for SDK access


REASONS FOR HW BASED CONTENT SECURITY

Enable high value premium content on AMD processor-based platforms

Higher robustness == less revocation == less support cost

Content reach is restrained by piracy concerns


AGENDA

Design philosophy

Enablement framework for Windows®

Q&A


AGENDA

Design philosophy


Q&A


DESIGN PHILOSOPHY

H/W protects keys and video bitstreams

Non-invasive: Minimize changes to s/w architecture

‒ Provide robust solution to decryption offload

‒ No change to decode / render / present pipelines

H/W implementation details encapsulated from app

Content protection services exposed thru host accessible APIs


SOLUTION FRAMEWORK

H/W root-of-trust for

‒ Protected environment for security subsystem

‒ Device key locking

H/W protected execution environment for

‒ Key handling

‒ Bitstream handling

‒ Output protection policies

Implementation details abstracted from applications


HW ROOT OF TRUST IN AMD PRODUCTS

Independent HW resources for security

‒ Embedded processor

‒ Embedded memory for Trusted O/S

‒ AES encrypted memory for “overflow”

Protected execution environment ‒ Integrity verifiable security stack

‒ All transactions to/from memory protected by runtime generated AES keys.

HW implementation details abstracted from application layer


AGENDA

Design philosophy


Q&A


HARDWARE CONTENT PROTECTION API

Device provisioning

Key management

Content decryption / transcryption

Output management


MAPPING TO COMPONENTS IN DRM CLIENT


CONNECTING REE TO TEE

Rich OS execution environment

Trusted execution environment

Includes AMD h/w components


PROTECTED PLAYBACK (GENERIC SOLUTION)


PROTECTED PLAYBACK (WITH AMD CONTENT PROTECTION SDK)


KEY PROTECTION

All keys runtime restored and stayed in AMD h/w

No software exposure anytime anywhere


BITSTREAM PROTECTION

Bitstreams protected by AMD h/w

No exposure of in-the-clear bitstreams anytime anywhere


END-TO-END SECURITY FLOW


RENEWAL

Class certificate – maintained by AMD

Device certificate – maintained by server

Class revocation – requires all devices tied to class certificate to be renewed after f/w update

Device revocation – no renewal possible to purposely compromised device(s)


GETTING ACCESS TO AMD CONTENT PROTECTION SDK

Cost: Free, but must abide by export/import controls

API for use with media apps only

Require licensing agreement in place to get access to

‒ Documentations

‒ Header files

Contact email: [email protected]


AGENDA

Design philosophy


Q&A


DISCLAIMER & ATTRIBUTION

The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors.

The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. AMD assumes no obligation to update or otherwise correct or revise this information. However, AMD reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of AMD to notify any person of such revisions or changes.

AMD MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION.

AMD SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL AMD BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF AMD IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

ATTRIBUTION

© 2013 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. Windows® is a trademark of Microsoft Corp. Other names are for informational purposes only and may be trademarks of their respective owners.

se-4087, leveraging hw-based content security, by dan wong

Technology