undefined | Better HN

0 pointssudosysgen2y ago0 comments

You've never used Widevine? If you ever tried to use a streaming website, you almost certainly did.

EDIT: To clarify, Widevine doesn't actually use the TPM, but Widevine L2 uses a TEE for key exchange and decryption, which are all things that modern TPMs support. The use a crypto coprocessor for key exchange and decryption is widely used.

0 comments

lxgr2y ago

Are you sure Widevine uses the attestation functionalities of a TPM on Windows?

I thought Widevine on computers (whether Windows, macOS or Linux) is always L3, i.e. software only, and L1 needs a TEE on Android or an embedded OS such as on a set top box or streaming dongle.

sudosysgenOP2y ago

Indeed, it doesn't use it on Windows. Widevine L2 however uses the TEE in exactly the same way as a TPM is used, for attestation and for cryptography (you can do AES decryption using a TPM).

lxgr2y ago

A TPM isn't the same thing as a TEE at all. You can't run copy protection logic in a TPM, for example. The two are complementary, though:

A TEE can run "trusted" logic, such as DRM decryption code, and you can use a TPM-like device to hold the attestation keys and measurement funcitonalities for the TEE. I'm saying "TPM-like" because some TEEs have their own proprietary or embedded secure elements and don't need a TPM proper. (I'm actually not sure if TPMs are "TEE-aware", which would be required to e.g. only let some keys be used from the secure context, as otherwise storing DRM keys in the generally-accessible portion defeats the purpose.)

Without a TEE (and a TPM itself does not imply one on x86), what you can do is declare your entire system a TEE, and then use the TPMs measurements as an assertion over that system's untampered state.

This is pretty infeasible to do securely though, given the size of the codebase of most OSes, which is why the "DRM in TEE" approach is much more common. That's what Android does, for example.

tredre32y ago

Please stop spreading FUD.

j / k navigate · click thread line to collapse

0 comments

lxgr2y ago

Are you sure Widevine uses the attestation functionalities of a TPM on Windows?

I thought Widevine on computers (whether Windows, macOS or Linux) is always L3, i.e. software only, and L1 needs a TEE on Android or an embedded OS such as on a set top box or streaming dongle.

sudosysgenOP2y ago

Indeed, it doesn't use it on Windows. Widevine L2 however uses the TEE in exactly the same way as a TPM is used, for attestation and for cryptography (you can do AES decryption using a TPM).

lxgr2y ago

A TPM isn't the same thing as a TEE at all. You can't run copy protection logic in a TPM, for example. The two are complementary, though:

This is pretty infeasible to do securely though, given the size of the codebase of most OSes, which is why the "DRM in TEE" approach is much more common. That's what Android does, for example.

tredre32y ago

Please stop spreading FUD.

j / k navigate · click thread line to collapse