Content Industry Agreement Hardware Robustness Rules
Content industry agreement robustness rules refer to, among other things, how a hardware manufacturer lays out and generally implements circuit boards. The rules are determined by the content industry in discussion with implementers, and are described in, for example, the 5C DTCP and AACS documents, which are referred to in this paper as “Content Industry Agreement” documents.
The intent of the hardware robustness rules is to make it very difficult for hackers to use the graphics card or motherboard to extract video data. Interpretation is required for some of these documents, and it is sometimes difficult to determine conclusively what is allowed.
Content Industry Agreement hardware robustness rules must be interpreted by the graphics hardware manufacturer. Vendors should work to ensure that their implementations will not be revoked for playback of high-level premium content, as the result of a valid complaint from the content owners.
Circuit Board Implementations for Hardware Robustness
Graphics cards (or motherboards, for integrated graphics) need to conform to Content Industry Agreement hardware robustness rules. There must be no easy places for a hacker to use hardware to snoop the content. The graphics chip manufacturer must attest that the Content Industry Agreement rules have been met for any third-party board manufacturer implementations that will use their chip-and-driver combination.
It is the responsibility of the graphics chip manufacturer to ensure that their chips are not used to manufacture “hacker friendly” graphics cards or motherboards. If someone does try to manufacture such a card, then the graphics manufacturer should refuse to sell chips to that board manufacturer.
The requirement to validate board designs only exists in cases where the graphics chip is giving out premium video in an unprotected form. For example, if the graphics chip is applying HDCP protection inside the chip before feeding it out, and if there were no other outputs from the chip, then there would be no need to validate the board design, because there would be no way to copy the content, even if the board manufacturer were to include a header.
In the case of an unprotected standard-definition TV-style analog output from the graphics chip, it would probably not be necessary to extensively validate the board design for this, because the value of the content in that form is low enough not to warrant it. However, it would be necessary to properly validate board designs in the case of an unprotected digital feed from the graphics chip to an external TV-out chip.
If it is found—for example, reported by Hollywood—that a graphics chip manufacturer is allowing “hacker friendly” cards to be manufactured with their chips, and if that chip manufacturer is unwilling or unable to stop those cards being manufactured, then the final recourse would be the revocation of the driver for that chip. The PC industry needs to work together to avoid that outcome.
Boards are not required to have a cryptographically secure authenticity certificate that is read by the driver. However, vendors could decide to do this for other reasons, or just to make it easier to guarantee board authenticity. A more economic mechanism is for HFS code to be added to the driver to identify board types, or at least board classes.
Recommended Practices for Hardware Robustness
It is the responsibility of the graphics hardware manufacturer to interpret the Content Industry Agreement hardware robustness rules. However, Microsoft has several recommendations to help ensure robust output content protection.
Integrated TV-out
Integrated TV-out circuitry on the graphics chip should be used, rather than an external chip. Using a custom external chip that doesn’t have a published pin-out interface is also a viable option. Another good option is using a chip package that doesn’t have user-accessible pins (for example, pins underneath the package). These recommendations also apply to SCART encoders.
No video side port
The use of a video side port in output mode, with a published pin-out, is not recommended. It is a particular problematic design if the side port is used as a mechanism for attaching external digital encoder chips.
Integrated DVI circuitry
Integrated DVI circuitry on the graphics chip should be used, rather than using an external chip. Using a custom external chip that doesn’t have a published pin-out interface is also a good solution, as is using a chip package that doesn’t have user-accessible pins.
On-chip DVI to advance DVI adoption
Not using external DVI chips makes it less likely for DVI to be made an optional item on graphics cards, which would slow adoption of DVI and HDMI. The wide adoption of DVI and HDMI, both with HDCP, is important to the PC platform being safer for premium content.
HDCP applied inside the graphics chip
It is preferable that HDCP is applied inside the graphics chip, to remove the need to route unprotected digital signals to an external DVI chip.
PVP-UAB: Protected Video Path – User-Accessible Bus
PVP-UAB is designed to protect video samples from unauthorized access as they pass over a user-accessible bus. Some content owners regard the PCIe bus as a user-accessible bus. PVP-UAB is not needed for integrated graphics, because there is no PCIe bus to the graphics, but it is likely to be necessary for allowing discrete graphics cards to meet the HD-DVD and Blu-Ray DVD requirements, and 5C DTCP requirements.
|
|
PVP-UAB provides the last internal link in the Windows Vista content protection chain, to ensure that the premium video content reliably makes it from the Windows Vista Protected Environment to being rendered on the card without a copy of the content being stolen.
Addressing the threat of a hacker snooping the PCIe bus involves complex key mechanisms, authentication, and encryption.
The plan is for PVP-UAB to be part of the Advanced Scheduler Windows Vista Driver Model release, which is planned for after the initial release of Windows Vista.
|