se-4087, leveraging hw-based content security, by dan wong
DESCRIPTION
Presentation SE-4087, Leveraging HW-based content security, by Dan Wong, at the AMD Developer Summit (APU13) November 11-13, 2013.TRANSCRIPT
LEVERAGING HW-BASED CONTENT SECURITY
DAN WONG NOV 2013
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 2
OBJECTIVES
Brief media ISVs about HW based content security in AMD products
Describe the API/SDK that AMD offers to simplify solution enablement
Explain the process for SDK access
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 3
REASONS FOR HW BASED CONTENT SECURITY
Enable high value premium content on AMD processor-based platforms
Higher robustness == less revocation == less support cost
Content reach is restrained by piracy concerns
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 4
AGENDA
Design philosophy
Enablement framework for Windows®
Q&A
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 5
AGENDA
Design philosophy
Enablement framework for Windows®
Q&A
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 6
DESIGN PHILOSOPHY
H/W protects keys and video bitstreams
Non-invasive: Minimize changes to s/w architecture
‒ Provide robust solution to decryption offload
‒ No change to decode / render / present pipelines
H/W implementation details encapsulated from app
Content protection services exposed thru host accessible APIs
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 7
SOLUTION FRAMEWORK
H/W root-of-trust for
‒ Protected environment for security subsystem
‒ Device key locking
H/W protected execution environment for
‒ Key handling
‒ Bitstream handling
‒ Output protection policies
Implementation details abstracted from applications
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 8
HW ROOT OF TRUST IN AMD PRODUCTS
Independent HW resources for security
‒ Embedded processor
‒ Embedded memory for Trusted O/S
‒ AES encrypted memory for “overflow”
Protected execution environment ‒ Integrity verifiable security stack
‒ All transactions to/from memory protected by runtime generated AES keys.
HW implementation details abstracted from application layer
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 9
AGENDA
Design philosophy
Enablement framework for Windows®
Q&A
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 10
HARDWARE CONTENT PROTECTION API
Device provisioning
Key management
Content decryption / transcryption
Output management
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 11
MAPPING TO COMPONENTS IN DRM CLIENT
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 12
MAPPING TO COMPONENTS IN DRM CLIENT
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 13
CONNECTING REE TO TEE
Rich OS execution environment
Trusted execution environment
Includes AMD h/w components
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 14
PROTECTED PLAYBACK (GENERIC SOLUTION)
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 15
PROTECTED PLAYBACK (WITH AMD CONTENT PROTECTION SDK)
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 16
KEY PROTECTION
All keys runtime restored and stayed in AMD h/w
No software exposure anytime anywhere
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 17
BITSTREAM PROTECTION
Bitstreams protected by AMD h/w
No exposure of in-the-clear bitstreams anytime anywhere
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 18
END-TO-END SECURITY FLOW
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 19
RENEWAL
Class certificate – maintained by AMD
Device certificate – maintained by server
Class revocation – requires all devices tied to class certificate to be renewed after f/w update
Device revocation – no renewal possible to purposely compromised device(s)
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 20
GETTING ACCESS TO AMD CONTENT PROTECTION SDK
Cost: Free, but must abide by export/import controls
API for use with media apps only
Require licensing agreement in place to get access to
‒ Documentations
‒ Header files
Contact email: [email protected]
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 21
AGENDA
Design philosophy
Enablement framework for Windows®
Q&A
| LEVERAGING HW-BASED CONTENT SECURITY | NOVEMBER 13, 2013 | CONFIDENTIAL 22
DISCLAIMER & ATTRIBUTION
The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors.
The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. AMD assumes no obligation to update or otherwise correct or revise this information. However, AMD reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of AMD to notify any person of such revisions or changes.
AMD MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION.
AMD SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL AMD BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF AMD IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
ATTRIBUTION
© 2013 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. Windows® is a trademark of Microsoft Corp. Other names are for informational purposes only and may be trademarks of their respective owners.