i.mx8mq DRM

i_MX51 · ‎06-21-2021

您好請問下面的問題

文件版本	Document Number: ADRMPUG 2.3.1 Rev.0 , 05/2020
問題一	Q1: 我想問一下, 當設 USE_TEST_KBOX=true時, 是否將一組預設的KEYBOX寫入, 那這樣是不是就可以將SECURITY LEVEL從1提升到3, 但是我設定後查DRM INFO還是LEVEL3 , DRMINFO顯示security LEVEL是 L3; 若要跑LEVEL1 這樣的設定是否要改變
問題二	Q2: 在裝置中，從DRM INFO的apk下去看，目前是LEVEL 3，從Exoplayer去撥放影片 a.Widevine DASH b.Clear Content ，但是 PlayReady 類的都不能播放，並顯示(This device does not support required DRM scheme)
問題三	Q3:若要跑LEVEL1, 1-7點的設定是否正確 1. CFG_RDC_SECURE_DATA_PATH=y 2. CFG_DRM_SECURE_DATA_PATH=y 3. CFG_SECURE_HANTRO_VPU=n 4. CFG_RPMB_WRITE_KEY=y 5. CFG_RPMB_FS=y 6. CFG_OBFUSCATION=y 7. USE_TEST_KBOX=true
問題四	Q4:持續出現下述的debug message ,是否正常 [ 2714.496560] libprocessgroup: Successfully killed process cgroup uid 1000 pid 5367 in 0ms [ 2719.381734] init: starting service 'vendor.keymaster-3-0-optee'... [ 2719.422030] init: Service 'vendor.keymaster-3-0-optee' (pid 5368) exited with status 255 [ 2719.430250] init: Sending signal 9 to service 'vendor.keymaster-3-0-optee' (pid 5368) process group...
問題5	在這份文件下第16頁 Widevine API to install a new keybox 要怎樣將keybox放置到BSP下，文件上的說明步驟，不是很清楚，可以再提供更好的文件說明檔嗎?
問題6	下面這行指令 provisioning -w name=wv_key.enc,nonce=168c50b0e99c56,tag=340143bdbe4b1cf425bfd9c6de0dda51 ，其中 wv_key.enc 這個是怎麼來的?

附件是logcat and debug_msg_drm

Zhiming_Liu · ‎07-07-2021

Hi @i_MX51

Please share me your volume and our NXP sales contact . Thank you.

i_MX51 · ‎07-14-2021

Spoiler

請問有提他的文件嗎? 按照這份文件是無法達成 Level 1 ?

或是可以有台灣的FAE可以支援?

請問有提他的文件嗎? 按照這份文件是無法達成 Level 1 ?或是可以有台灣的FAE可以支援?

Zhiming_Liu · ‎07-14-2021

Hi @i_MX51

We need to know the expected volume of your project to see if we need to involve pro-support to further support this issue. Please provide your volume.I need provide this to R&D team

Best Regards

Zhiming

i_MX51 · ‎07-08-2021

We contact sales in Taiwan

Karen Huang 黃秀莉
Field Sales Engineer
T: +886 2 7703 8185 | M: +886 921 165 405
E: karen.huang@arrowasia.com
Arrow Electronics | arrow.com

and FAE

Apollo
Can you give us some more documents through FAE

Thank

Zhiming_Liu · ‎07-05-2021

Hi @i_MX51

Please offer me more details to provide R&D team

Q1: I want to ask, when setting USE_TEST_KBOX=true, whether to write a set of preset KEYBOX, then can the SECURITY LEVEL be increased from 1 to 3, but after I set it, check DRM INFO or LEVEL3, DRMINFO shows that the security LEVEL is L3; do you want to change the setting such as LEVEL1?

>> R&D. Did they ask Widevine to provide them L1 Keybox ? Then they have to install L1 production keybox into the rpmb partitition, then device will be seen as L1.

Q2: On the device, from the apk of DRM INFO, it is currently LEVEL 3. From Exoplayer to play the video a.Widevine DASH b.Clear Content, but the PlayReady category cannot be played, and it displays (This device does not support required DRM scheme)

>> R&D. The PlayReady DRM is not supported by the package AEROVISION AVIONICS,INC requested (they asked for Widevine only). To get PlayReady, they have to be PlayReady licensee, then do the request to NXP to get the package.

Q3: To run LEVEL1, is the setting of 1-7 points correct?

CFG_RDC_SECURE_DATA_PATH=y
CFG_DRM_SECURE_DATA_PATH=y
CFG_SECURE_HANTRO_VPU=n
CFG_RPMB_WRITE_KEY=y
CFG_RPMB_FS=y
CFG_OBFUSCATION=y
USE_TEST_KBOX=true

>> R&D :

CFG_RPMB_WRITE_KEY=y shall be used only during Widevine L1 Keybox provisioning, then set to CFG_RPMB_WRITE_KEY=n. Write the RPMB key is a One Time Operation, based on fuse. So when done one time, no need to be redo.

USE_TEST_KBOX shall be set to false to take into account the L1 Keybox, after keybox provisioning has been done.

Q4: The following debug message continues to appear, is it normal?

[2714.496560] libprocessgroup: Successfully killed process cgroup uid 1000 pid 5367 in 0ms

[2719.381734] init: starting service'vendor.keymaster-3-0-optee'...

[2719.422030] init: Service'vendor.keymaster-3-0-optee' (pid 5368) exited with status 255

[2719.430250] init: Sending signal 9 to service'vendor.keymaster-3-0-optee' (pid 5368) process group...

>> R&D: looks like keymaster is not able to start. Did they perform Android attestation provisioning ( page 33 of document: provisioning -a rsa,name=dev1_key_rsa.enc,nonce=5c766f3667ca0c,tag=1200918318e0bcf8d3ef93994f4dfb7a)

The script we will share will also take care of Android Attestation key provisioning, but they should have received Android attestation keys from Google. There is no link with Widevine L1 and Android attestation key. Attestation key are Android only related,

If they did keymaster provisioning then could you ask then to enable OPTEE log and keymaster TA log.

Edit android_build/device/fsl/imx8m/optee-packages.mk, then PTEE_EXTRA_FLAGS ?= CFG_TEE_CORE_LOG_LEVEL=3 CFG_TEE_TA_LOG_LEVEL=1 DEBUG=1
Edit android_build/external/kmgk/keymaster/ta/Makefile CFG_TEE_TA_LOG_LEVEL ?= 3

Q5:On page 16 of this document, Widevine API to install a new keybox How to put the keybox under the BSP, the instructions on the document are not very clear. Can you provide a better document description file?

>> R&D:

They have to use the script xml2bin.py located in android_build/external/optee-widevine-ref/xml2bin.py to generate wv_key.bin. It is to convert the xlm file they should have received from Widevine.

Then all the commands are provided in the document. If they execute the command one by one, it should work. wv_key.enc wv_nonce.bin wv_tag.bin are generated by the python script, and the code is part of the document.

evk_8mq:/ # cd /data

evk_8mq:/data # su

evk_8mq:/data # provisioning -p mp.bin

evk_8mq:/data # ls -al mp.bin

---------- 1 root root 32 2019-02-15 07:45 mp.bin

evk_8mq:/data # adb pull /data/mp.bin .

evk_8mq:/python aes-256-ccm-enc.py mp.bin wv_key.bin wv_key.enc wv_nonce.bin wv_tag.bin

We did a script

Q6:The following command provisioning -w name=wv_key.enc, nonce=168c50b0e99c56,tag=340143bdbe4b1cf425bfd9c6de0dda51, where did wv_key.enc come from?

>> R&D: Did they follow the Usage example page 20 ? wv_key.enc is generated by the python script provided page 21.

Best Regards,

i_MX51 · ‎07-06-2021

Q1:我使用xml2bin.py 我有做一個Widevine.kbox (widevine.zip)是否是將這個檔案直接改檔名成wv_key.bin 呢?.

Q2: xml2bin.py located in android_build/external/optee-widevine-ref/xml2bin.py to generate wv_key.bin. 可以請您提供一個測試的xml的檔給我(我來轉換) 和您做好的wv_key.bin檔給我嗎? ./xml2bin.py XMLFILENAME，

Q3: 再VMWare下，pdf檔Page18已做完，執行page19會顯示下面的錯誤訊息(我去做一個wv_key.bin)，我將aes-256-ccm-enc.py 加在附檔evk@ubuntu:~/android_pie_evk_8mq/android_build$ python3 aes-256-ccm-enc.py mp.bin wv_key.bin wv_key.enc wv_nonce.bin wv_tag.bin
Traceback (most recent call last):
File "aes-256-ccm-enc.py", line 8, in <module>
parser.add_argument('key', type=file)
NameError: name 'file' is not defined
evk@ubuntu:~/android_pie_evk_8mq/android_build$

Q4:已經將image燒到emmc下並開機去執行下面的provisioning 會顯示 Aborted 130|evk_8mq:/ $ su
130|evk_8mq:/ $ provisioning -w name=wv_key.enc,nonce=168c50b0e99c56,tag=340143bdbe4b1cf425bfd9c6de0dda51
130|evk_8mq:/ $
130|evk_8mq:/ $ provisioning -a rsa,name=dev1_key_rsa.enc,nonce=5c766f3667ca0c,tag=1200918318e0bcf8d3ef93994f4dfb7a
Aborted
130|evk_8mq:/ $provisioning -c rsa,name=dev1_cert0_rsa.enc,nonce=870affeee0687b,tag=00a0c5a64fb7105ea82971b61c8396e1
Aborted

怎麼會都是Aborted ?

Q5:

export CFG_SECURE_HANTRO_VPU=n
export CFG_RPMB_WRITE_KEY=n
export USE_TEST_KBOX=false

再將這三個設定好後，重build後，應該就可以是Level1?

(把Q2解決應該就可以了)對嗎?

Q6: 我用DRM INFO.apk看見的如附檔所示，Security Level 是L3

Zhiming_Liu · ‎07-07-2021

Please note that the keybox shall not be shared by email and community, please delete the keybox file ASAP.

Please check below reply from internal R&D team

Q1:

xml2bin.py shall be used with aes-256-ccm-enc.py

- provisioning -p mp.bin -> get mp.bin file

- xml2bin.py to convert xml file received from Widevine a binary file. File name doesn’t matter. It has to come from xml2bin.py

- python aes-256-ccm-enc.py mp.bin wv_key.bin wv_key.enc wv_nonce.bin wv_tag.bin -> to encrypt the wv_key.bin using mp.bin, ang generate wv_key.enc wv_nonce.bin wv_tag.bin

- then use provisioning -w as per page 22 of the documentation

Q2:

we can not share xml files. They should receive xml files from Widevine. Until the L1 provisioning is not correct, device will fall back to L3.

Q3:

probably because they use python3 to run the script. Script is a python2 one (page 22 : python aes-256-ccm-enc.py mp.bin wv_key.bin wv_key.enc wv_nonce.bin wv_tag.bin).

Q4:

We need logs to figure out what is wrong.

Q5:

Settings are correct, but till L1 provisioning is not correct, device will fall back to L3.

i_MX51 · ‎07-08-2021

Q1:附件是輸入provisioning -w -a -c 的log，再請確認為何會是Aborted

130|evk_8mq:/ $ provisioning -a rsa,name=dev1_key_rsa.enc,nonce=5c766f3667ca0c,tag=1200918318e0bcf8d3ef93994f4dfb7a
Aborted
130|evk_8mq:/ $provisioning -c rsa,name=dev1_cert0_rsa.enc,nonce=870affeee0687b,tag=00a0c5a64fb7105ea82971b61c8396e1
Aborted

Q2:問個問題，從這包BSP去做成image，並燒錄到emmc，然後開機，再從機器上取的 /data/mp.bin ，再重bulid一次這樣會取的機器的key，然後build一次，就可以有 level1層級(從DRMINFO取得)?在BSP下是否可以先確認呢?

Q3,可以跟您詢問您mail，或是可以遠端確認哪邊是否沒有做好呢?

i_MX51 · ‎06-28-2021

沒有設selinux, 我曾經在BOARDCONFIG.mk 嘗試增加androidboot.selinux=permissive但會造成無法開機, 所以我就拿掉了

附件是 Android_DRM_Project_User_s_Guide_2_3_1_rev0.pdf 檔

Zhiming_Liu · ‎06-28-2021

Hi @i_MX51

Did you set selinux permission in uboot?

Can you attach the document:ADRMPUG 2.3.1 Rev.0 , 05/2020?

Best Regards

Zhiming

i.mx8mq DRM

i.mx8mq DRM

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus