This section describes the various PC outputs and drills down into the details of a couple of the protection schemes.
PC Output Types
Content protection rules vary, depending on the output connector type on the PC. The following reviews the connector types and discusses the various protection schemes.
DVI (Digital)
DVI is a high-speed, high-quality, digital pixel interface, developed by the PC industry. It is used in place of analog VGA to connect to PC monitors. It can provide very high resolutions by paralleling separate channels.
Intel’s HDCP protection is available for DVI, but is not always implemented by hardware manufacturers. HDCP is approved by the content industry, so DVI with HDCP is a great output solution for protected content.
In contrast, DVI without HDCP is definitely not liked by content owners, because it provides a pristine digital interface that can be captured cleanly. When playing premium content such as HD-DVD and Blu-Ray DVD, PVP-OPM will be required to turn off or constrict the quality of unprotected DVI. As a result, a regular DVI monitor will either get slightly fuzzy or go black, with a polite message explaining that it doesn’t meet security requirements.
HDMI (Digital)
For video, HDMI is approximately the same as DVI, so when HDCP is used it will be great for premium content. HDMI is the CE industry-led standard, built on DVI electricals. It includes digital audio multiplexed into the video blanking intervals. One drawback is that its video resolution is a little limited, so it is not suitable for some of the ultra-high-resolution displays starting to appear in the PC industry.
VGA (Analog)
Analog VGA is the traditional way to connect a PC to a monitor, and consists of three analog RGB signals. There is no protection scheme available for analog VGA, and it is a high-resolution signal, so some content owners have significant concerns.
There have been some successes in getting content owners to make some allowances for this ubiquitous interface. Consumers would certainly be unhappy if it were immediately outlawed; so instead, many content owners are requiring that its resolution be constricted when certain types of premium content are being played. Eventually they may require that analog VGA outputs be turned off completely; but for the moment, it is possible to provide the necessary level of protection by constricting the information content.
YPbPr High Resolution (Analog)
Analog YPbPr component was the CE industry’s first attempt at an interface to HD displays. However, apart from CGMS-A signaling, it doesn’t provide any protection mechanism. PVP-OPM will be required to turn off or constrict it for premium content such as HD-DVD or Blu-Ray DVD.
High-resolution analog YPbPr is even a problem today with existing DVDs. The CSS license specifies that the video from regular DVDs cannot be scaled beyond 480p when outputting on analog YPbPr.
It is strongly recommended that YPbPr not be promoted to users as a connection method to HD displays—customers will be unhappy when the PVP-OPM component is required to tell the driver to constrict or even turn off HD analog YPbPr outputs.
TV-Out Interfaces (Analog)
It is not required to implement any particular types of TV-out protection, but it is required that the vendor-supplied driver report the mechanisms available, even if the answer is that none are available. It is also a requirement that if it is reported that a particular scheme is implemented, then that scheme must be fully implemented as defined in the specification—for example, with no restrictions as to which scan lines the information is provided on.
The TV-out class includes a range of standard definition connector types, including standard-definition YPbPr component, S-Video, Composite, and TV modulated. TV-out is a low-resolution analog interface, so the risk to premium content is not that great. Even so, protection is typically required. Macrovision provides a protection mechanism to disrupt VCRs, and there is a signaling mechanism called CGMS-A.
Outputs that do not provide a specific protection mechanism specified by the content will be turned off—the PVP-OPM component will send the appropriate command to the driver. The driver is then required to turn off the hardware output and pass back a confirmation that it has actually been turned off, before premium content will be allowed to flow.
The Macrovision and CGMS-A functionality will be dynamically turned on and off by the PVP-OPM component, depending on the content being played. It will only be turned on when the content specifically signals that it should be turned on, and it will be turned off as soon as the signal is no longer present in the content.
Protection Mechanisms
This section focuses on two of the protection mechanisms available: HDCP and resolution constriction.
HDCP
HDCP is the Intel protection scheme for DVI and HDMI, and has been approved by the content industry. Implementations of HDCP need to conform to the Intel specification and must be licensed.
For today’s PC implementations of HDCP, an additional specification, “HDCP Upstream Protocol,” is available to go all the way up to the application, but this is not necessary in Windows Vista because the PVP-OPM component includes the necessary functionality to fully and reliably control HDCP.
PVP-OPM uses policy information from the content and, with the help of the graphics driver, it implements all the revocation aspects and the handling of repeaters.
HDCP requires each graphics card to have a unique set of secret keys. Sometimes these are stored in a protected PROM on the card that only the graphics chip can read, because giving different keys to each instance of a graphics chip would require the use of expensive on-chip nonvolatile memory and the addition of a significant manufacturing step to program it.
The more common solution is to use a separate DVI chip from a specialized vendor, with the unique keys already inside the chip. The HDCP unique keys on the graphics cards cannot be used for anything other than HDCP, for contractual and legal reasons. Also, making a unique key readable by software would present a privacy risk.
HDCP has a revocation mechanism. Each display has a unique 40-bit Key Selection Vector (KSV) permanently baked in when the display is manufactured. HDCP uses revocation lists called System Renewability Messages (SRMs), and these contain a list of display KSVs that are no longer allowed to play the content. SRM files can either be in the root directory (for example, on DVD disks) or can be broadcast as part of streaming content. The display reports its KSV, and if a match is found with an entry in the SRM list, then content flow must be blocked to that particular display.
The Windows XP COPP implementation of HDCP has some limitations. It only reports the KSV of the first connected display, and therefore it cannot play content if a repeater is present. With PVP-OPM in Windows Vista, the entire tree of display devices and repeaters is found by the vendor-supplied driver. This includes displays on the other side of repeaters.
The PVP-OPM component will pass the list of revoked KSVs from the policy engine to the vendor-supplied graphics driver. The driver will check whether any of the KSVs found in the tree match any of the revoked KSVs, and then will block content to the DVI output—that is, to all HDCP displays on that DVI output—if a match is found. It will also block content to displays that are not HDCP compliant.
If a block is necessary, then the vendor-supplied kernel-mode driver will also pass a status message to the PVP-OPM user-mode Windows component. The PVP-OPM component will inform the MIG, so that the MIG can decide what to do. The usual action will be for the MIG software in Windows Vista to stop playing premium content. When the “HDCP no longer required” OPM command tells the vendor-supplied driver that there is no longer any premium content being sent, then it will remove the block.
The tree reporting and matching process done by the vendor-supplied driver is intended to be dynamic. If one or more revoked displays are connected to a DVI output, then that DVI output will be blocked. When the offending display is unplugged, the event is detected by the vendor-supplied driver, and it will remove the block, and start feeding content to the remaining displays (assuming no others are revoked displays).
If the graphics card has two independent DVI or HDMI outputs, then ideally the driver should handle the revocation separately for each; that is, attaching a revoked display to one of the DVI outputs should not affect the other one. It is acceptable for the vendor-supplied driver to take a more conservative approach (for example, blocking all content to all monitors until the revoked monitor is unplugged), but this is up to the particular vendor. The important thing is that premium content is always blocked to the offending display.
In the case of two digital outputs, there are effectively two streams inside the graphics chip that potentially both came from the single stream that passed through the operating system; so the driver is in the best position to handle them separately. Handling the stream-blocking in the driver allows the overall system to be more dynamic when handling real-time display configuration changes. It also provides graphics manufacturers with the flexibility necessary to implement various value-add features.
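The revocation check described above, as an added sketch that is not driver or Microsoft code: it walks the whole device tree behind each output (including displays past repeaters), matches KSVs against the revoked list, and decides blocking per output. The names Device, walk, block_reasons and evaluate are hypothetical, and the KSV values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Device:
    """One node in the HDCP tree behind an output. ksv is None for a device
    that is not HDCP compliant; a repeater lists its downstream devices."""
    name: str
    ksv: Optional[int]
    downstream: List["Device"] = field(default_factory=list)

def walk(dev: Device):
    """Yield the device and everything behind it, including past repeaters."""
    yield dev
    for child in dev.downstream:
        yield from walk(child)

def block_reasons(root: Optional[Device], revoked: Set[int]) -> List[str]:
    """Reasons this output must be blocked while HDCP is required."""
    reasons = []
    for dev in (walk(root) if root is not None else []):
        if dev.ksv is None:
            reasons.append(f"{dev.name}: not HDCP compliant")
        elif dev.ksv in revoked:
            reasons.append(f"{dev.name}: KSV {dev.ksv:010x} is revoked")
    return reasons

def evaluate(outputs: Dict[str, Optional[Device]], revoked: Set[int],
             hdcp_required: bool) -> Dict[str, bool]:
    """Per-output block decision; call again on every hot-plug event.
    No output is blocked once HDCP is no longer required."""
    return {name: hdcp_required and bool(block_reasons(root, revoked))
            for name, root in outputs.items()}

# Constructed sample data: these are not real KSVs or a real SRM.
REVOKED = {0xA1B2C3D4E5}
TV = Device("living-room TV", 0xA1B2C3D4E5)
REPEATER = Device("AV receiver", 0x1111111111,
                  [Device("projector", 0x2222222222), TV])
OUTPUTS = {"DVI-1": REPEATER, "DVI-2": Device("desk monitor", 0x3333333333)}

if __name__ == "__main__":
    print(evaluate(OUTPUTS, REVOKED, True))    # revoked TV behind the repeater
    REPEATER.downstream.remove(TV)             # hot-unplug the revoked display
    print(evaluate(OUTPUTS, REVOKED, True))
```

Because the decision is recomputed from the current tree, unplugging the revoked display clears the block on that output without touching the other one.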
The vendor-supplied driver knows that premium content is present, because it will have received a PVP-OPM command saying that HDCP must be turned on until further notice. When premium content is no longer present, then the driver will receive a PVP-OPM command saying that HDCP is no longer required. This mechanism is also verified by the vendor-supplied driver reporting whether HDCP is currently on.
It can take ~150 milliseconds to turn on HDCP, with an additional 100 milliseconds for each repeater hop. To avoid this delay it is best if HDCP is turned on for HDCP-compliant monitors when the PC is first turned on or when a hot-plug event happens. Then the driver can report immediately that HDCP is on when it receives a “turn on HDCP” command.
If the user has a revoked monitor, then the system will still boot up, and it will display the Windows desktop. When the user attempts to play premium content that requires HDCP, then the driver will block the content and display a bitmap from the driver saying “HDCP Revoked Display.”
The driver will report to the operating system that it needed to block the content. Windows Vista will then remove the premium content from the screen (that is, stop trying to play it), and tell the driver that HDCP is no longer required, so it can remove the block to show the desktop again. The whole process is likely to take only a second or two.
Resolution Constriction
This section discusses a different protection mechanism: the ability to reduce the information content in a signal by using a constrictor.
In the future, some types of premium content will specify, through their content policy, that a full-resolution analog VGA output is not allowed and that the resolution must be reduced. It is not practical to change the actual scanning rate of the display, particularly because some displays are fixed resolution. But what is important is that the information content of the signal is reduced to the resolution specified by the content owner. Basically, a high-resolution picture needs to be degraded to make it soft and fuzzy.
Constriction is the process of downscaling the picture to the required resolution—for example, 520K pixels—and then scaling it back up to the original resolution. The result is a picture with an unchanged scanning raster, but it is now a bit fuzzy, because the information content of the picture has been reduced to degrade the picture. Constriction is done by putting a downscaler and an upscaler in series in the content path.
The content owner’s constriction requirement is likely to be specified in terms of total number of pixels allowed to pass through the constrictor. For example, rather than specifying 840x630, the content owner will specify a maximum of 520K pixels. This way of specifying allows more flexibility when handling widescreen content. The “total number of pixels” limit is translated into a specific resolution that the graphics chip is required to constrict to.
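An added sketch (not code from the original document) of translating a pixel limit into a constriction resolution and of the downscale-then-upscale path. It assumes "520K" means 520 * 1024 pixels and that the target keeps the source's exact aspect ratio, which reproduces the 840x630 figure above; the function names are hypothetical and nearest-neighbour resampling stands in for the graphics hardware's scaler.

```python
from math import gcd, isqrt

K = 1024  # assumption: the "520K pixels" limit is read as 520 * 1024

def constriction_target(src_w, src_h, max_pixels):
    """Largest width x height with the source's exact aspect ratio whose
    pixel count stays within max_pixels. A source already within the
    limit is returned unchanged (nothing to constrict)."""
    if src_w <= 0 or src_h <= 0 or max_pixels <= 0:
        raise ValueError("dimensions and pixel limit must be positive")
    if src_w * src_h <= max_pixels:
        return src_w, src_h
    g = gcd(src_w, src_h)
    aw, ah = src_w // g, src_h // g         # reduced ratio, e.g. 4:3
    k = isqrt(max_pixels // (aw * ah))      # largest k: (aw*k)*(ah*k) <= limit
    if k == 0:
        raise ValueError("limit too small for this aspect ratio")
    return aw * k, ah * k

def resample(img, w, h):
    """Nearest-neighbour resample of a row-major pixel grid to w x h."""
    sh, sw = len(img), len(img[0])
    return [[img[y * sh // h][x * sw // w] for x in range(w)]
            for y in range(h)]

def constrict(img, max_pixels):
    """Downscaler and upscaler in series: the raster size is unchanged,
    but only the target resolution's worth of detail survives."""
    sh, sw = len(img), len(img[0])
    tw, th = constriction_target(sw, sh, max_pixels)
    return resample(resample(img, tw, th), sw, sh)

if __name__ == "__main__":
    print(constriction_target(1600, 1200, 520 * K))   # 4:3 source
    print(constriction_target(1920, 1080, 520 * K))   # 16:9 widescreen source
    # Constructed 8x6 test image with 48 distinct pixel values.
    img = [[y * 8 + x for x in range(8)] for y in range(6)]
    out = constrict(img, 12)
    print(len(out[0]), len(out), len({p for row in out for p in row}))
```

Under this exact-ratio rule a mode with an awkward reduced ratio, such as 1366x768 (683:384), lands well below the limit at 683x384; a real driver could round to a nearby resolution instead, which this sketch does not model.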
The PVP-OPM software in Windows Vista decides whether to say that premium content can play based on, among other things, the state of the outputs as reported by OPM. The OPM OTA will request that the resolution constrictor be set to a particular resolution, and when it receives notice, by way of the OPM verified-channel mechanism, that the resolution constrictor has been successfully applied, it will allow the premium content to flow.
Performing constriction on the graphics chip does take graphics resources (for example, memory bandwidth), but this is not expected to be a problem. The scaling is done by the graphics hardware rather than in software, so the CPU usage will be minimal. No special features are needed in the graphics chip or driver. The graphics chip can be directed to scale down and then separately directed later to scale up.
To give graphics manufacturers implementation flexibility, a “Constrictor” DDI is available that combines the downscale and upscale functions into a single call. There is no security risk associated with whether the manufacturer implements the constrictor properly (rather than just ignoring the call), because by signing the PVP-OPM license agreement, the hardware manufacturer is legally committing to implement the PVP-OPM features.
The quality of the scaling matters, but it will be left to graphics chip manufacturers to differentiate their product based on video quality.