Dave Marsh, Program Manager
Windows Media Technologies
This paper discusses the details of the new output content protection mechanisms in the Microsoft® Windows Vista™ operating system. The goal for these new capabilities is to help ensure that the PC is a safer place for premium content.
For readers unfamiliar with A/V and content protection terminology, an acronym reference is provided at the end of this paper. The current version of this paper is maintained on the Web at: http://www.microsoft.com/whdc/
In this paper
1 Overview
2 PVP-OPM: Protected Video Path – Output Protection Management
2.1 Graphics Subsystem Authentication
2.2 HFS: Hardware Functionality Scan
2.3 PVP-OPM Initialization and Play Sequences
2.4 PC Outputs and Protection Mechanisms
2.5 Content Industry Agreement Hardware Robustness Rules
3 PVP-UAB: Protected Video Path – User-Accessible Bus
3.1 PVP-UAB and Encryption
3.2 Establishing the Session Key
3.3 Enhanced Authentication
3.4 Key Hierarchy
3.5 Page-outs
3.6 Using System Memory
3.7 PVP-UAB Sequence
3.8 PVP-UAB Status
3.9 PVP-OPM and PVP-UAB Certification
3.10 PVP-OPM – With and Without PVP-UAB
4 Protected User Mode Audio: PUMA
4.1 New Audio Engine for Windows Vista
4.2 Windows Vista Protected Environment
4.3 PUMA Security Architecture
4.4 Audio Mix
4.5 Windows XP SAP vs. PUMA
4.6 HDMI Audio on the PC
4.7 PCIe Bus and PUMA
4.8 PUMA Summary
5 Protected Audio Path: PAP
6 Summary
6.1 Additional Resources
6.2 Acronym Reference
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
Foreword on Microsoft’s commitment to content protection
Demand for new entertainment experiences is driven by improved access to content, new devices to play that content, and the ability to enjoy and manage content on the device you want, when you want. Delivering these experiences requires significant coordination from technology companies, entertainment companies, government regulators, and service providers – but no amount of coordination will be successful unless it’s designed with the needs of the consumer in mind.
Microsoft believes that a good user experience is a requirement for adoption – and that this can be accomplished in a way that supports the creation and acceptance of new business rules around the usage of digital content.
Consumers want to easily create, use, manage and share digital media content across the traditional PC/CE boundaries. Without this, there will be reduced demand for new content or new hardware to play content. Content owners need to be able to specify how others access their Intellectual Property or else there will be no incentive for them to allow content to flow across different distribution vehicles and throughout the home to provide the new experiences everyone seeks.
To date, the Windows Media Format and the Windows Media DRM platform have been key enablers of new experiences on the PC and on a growing number of device types. While this ecosystem continues to grow, any company can take advantage of the open architecture of the PC and Windows to develop their own DRM system or media format – and many have.
We are working actively to ensure that a Windows Vista PC supports the needs of both consumers and content owners, and that it works seamlessly across a broad range of other devices, networks, and protocols. As we move towards the next evolution in the distribution and consumption of content, we are working on many fronts to create new experiences that drive the industry forward. This requires the ability to respect business rules across many dimensions, including:
Content coming into a PC from cable, satellite, over the Internet, or on physical media such as next-generation DVDs.
Management of the content on the PC – including providing a robust infrastructure that allows ISVs to add value without needing to worry about supporting DRM natively in their applications.
Respecting business rules as content leaves the PC.
This paper talks about one aspect of the content protection work. It addresses increasing the security associated with video and audio rendering on the Windows Vista PC platform.
This paper discusses the mechanisms, planned for the Microsoft® Windows Vista™ operating system and future versions of Microsoft Windows®, that protect against hardware attacks when playing premium content.
These output protection mechanisms complement the protection against software attacks provided by the Protected Environment in Windows Vista. Output protection is concerned with how to get content as safely as possible from the software Protected Environment to its final destination: the display and speakers. This collection of protection mechanisms helps make the Windows Vista PC a much safer place for premium content:
Protected Video Path - Output Protection Management (PVP-OPM) makes sure that the PC’s video outputs have the required protection or that they are turned off if such protection is not available.
Protected Video Path - User-Accessible Bus (PVP-UAB) provides encryption of premium content as it passes over the PCI Express (PCIe) bus to the graphics adapter. This is required when the content owner’s policy regards the PCIe bus as a user-accessible bus.
Protected User Mode Audio (PUMA) is the new User Mode Audio (UMA) engine in the Windows Vista Protected Environment that provides a safer environment for audio playback, as well as checking that the enabled outputs are consistent with what the content allows.
Protected Audio Path (PAP) is a future initiative, under investigation for how to provide encryption of audio over user accessible buses.
The top objective for these mechanisms is to enable the Windows-based PC to play premium content in 2006 and beyond, offsetting any content owners’ fears that high-value content could be pirated if played on a PC. Currently, the PC cannot play some classes of premium content. For example, a PC cannot receive 5C Digital Transmission Content Protection (DTCP) content or play back pay-per-view movies from a cable or satellite provider. An important reason for this is that the content owners don’t currently trust the PC enough.
A consumer-electronics (CE) device is a closed box. Users can’t load software onto it or add cards to capture content—at least, that is the current perception of premium-content providers—though it might not be true for future CE devices.
By contrast, the Windows-based PC is designed to be an open platform. Anyone can load software on it; it is easy to write software for it, because all the interfaces are well defined and published; and there are many good software tools available. The PC buses are also well defined, and anyone can design cards to plug into these buses.
The openness of the hardware platform is essential to a vibrant PC ecosystem. In the current world, however, the industry is also working to prevent hackers from using that openness to pirate copyrighted content. The goal is to make the Windows-based PC a safer place for premium content, so that content providers will be happy to allow Windows-based PCs to play their content.
The term “premium content” is used in this paper to refer to valuable content that needs to be protected from theft. Each content type has its own particular policy that defines what the user can and cannot do with it. The term “high-level premium content” is used to refer to the most valuable content types, such as High Definition (HD) DVD and Blu-Ray DVD.
The content industry may introduce robustness rules and testing that would effectively lock out PCs from premium content, by not allowing PCs a license key for the encryption used by conditional-access systems or HD-DVD and Blu-Ray DVD. These protection schemes will be very strong in the future, based on Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA), and so on. Under these future rules, a PC would only be granted a license to play the content if it is at least as secure as a CE appliance.
To make the PC safer for premium content, Microsoft has been working with members of the PC industry to solve the technical issues in hardware and software. Our key partners in this work have been Intel, ATI, NVidia, S3, and Matrox.
While preserving the general openness of the PC hardware platform, new solutions must be able to resist attacks against protected content. These solutions must also preserve the Windows experience for legitimate users, particularly without jeopardizing their privacy.
Three classes of attacks must be addressed to meet the requirements of protected-content delivery mechanisms such as HD-DVDs and Blu-Ray DVDs, and 5C DTCP: