
An AMDGPU Branch For Security PSP / HDCP Support


  • vitalif
    replied
    Every kind of DRM is definitely an anti-feature (anti-user feature) and it should only be implemented in Linux and other FOSS at the same time with means of bypassing it :-) and the best would be to have Linux GPL3 licensed, of course



  • M@yeulC
    replied
    Well, security is not a bad thing *per se*, even HDCP could have its uses. It is however useless for me if I cannot set the various keys to the ones I want and own. And it's not designed this way: you will probably never find a TV with a changeable encryption key. That would allow making a trusted connection from the application to the display, with no spoofing "possible" in between.

    As for HDCP, someone will break it at some point. They already did it in the past, IIRC. It is virtually impossible to hand you the content and the keys to decrypt it, while guaranteeing that you won't be able to access either.



  • Luke
    replied
    Originally posted by starshipeleven
    this thing is in the GPU, how does it change the boot path?
    From what I've heard, when a PSP enabled APU (no pure CPUs yet, it's not on AM3+) is powered on, it's the Platform Security Processor (PSP) that loads the initial instructions and then hands off to the real CPU. Trouble is, controlling the first instruction is the power to control ALL instructions, and if the NSA has AMD's key they could make a modified version that diverts this code to a keylogger hidden anywhere. Preventing this would require being able to run the PSP with no firmware on disk (only burned into it) and that burned-in firmware being known by audit (even audit under NDA by mutually opposing parties) not to contain any code that could substitute bootloaders, enable UEFI keylogging, etc.

    It's this initial boot function (powerup loading) that I am concerned with, it sounds like when DRM is not used it is supposed to sit there doing nothing. Netflix is more than welcome not to send anything to any machine I control, as I do not have or want any paid accounts anywhere anyway. Like I said-my machines are free software for free content, only.



  • Mystro256
    replied
    Originally posted by bibaheu

    Thanks for explaining all that, always nice to get comments from driver developers

    As far as I know Netflix limits video playback to 720p on Widevine (low security mode?). You need a Microsoft browser or a locked device (like a PS3) to get 1080p and more.

    Will the CPU boot at all if the PSP is disabled somehow in the BIOS? That's the main complaint with modern Intel machines, as it will reboot itself if the Intel Management Engine wasn't initialized by the firmware.
    Indeed, that seems about right. Depending on how "secured" the machine is, depends on how much content providers are willing to send you. I doubt using "a Microsoft browser" would make a lot of difference unless you locked down portions of your software stack

    As for the CPU stuff, sorry, I couldn't really answer that for you as I focus mostly on GPU stuff.



  • juno
    replied
    Originally posted by tomtomme

    they are not developing those, just implementing them. if they won't do that the users would cry: "why is hdmi-audio not working. where is my netflix?"
    wouldn't you?
    lol, netflix.
    They only give you crap quality, unless you are using the latest MS OS with the latest MS browser with the latest Intel CPU/IGP for no reason. If this is the case, you get "UHD", ok-ish quality.
    People should wake up.



  • starshipeleven
    replied
    Originally posted by Luke
    I wish that when PSP was not intentionally used it was possible to verify that it was all the way off, staying off-and that it had not changed any part of your boot path by say, activating a keylogger to get your disk encryption passphrase.
    this thing is in the GPU, how does it change the boot path?



  • starshipeleven
    replied
    Originally posted by jf33
    Hopefully this will never make it into the Linux kernel. I would be fine if it's just for AMDGPU-Pro, but I don't want any copy protection crap on my computer.
    Any half-modern hardware has it.



  • starshipeleven
    replied
    Originally posted by triangle
    Can't wait till someone cracks/hacks/leaks the golden keys to the PSP or IME.
    Unnecessary, easy way to get pirated content is using a random Chinese HDCP spoofer you can buy for cheap, because HDCP is bullshit.



  • Luke
    replied
    I wish that when PSP was not intentionally used it was possible to verify that it was all the way off, staying off-and that it had not changed any part of your boot path by say, activating a keylogger to get your disk encryption passphrase. It may be that it does not, but I cannot verify that. In my case it is intentional that my machines cannot be trusted by netflix or any DRM content provider. A computer cannot be trusted by two or more mutually opposing parties even with open code, so long as any one of those parties can change the code or run their own code. I need to trust my computer and anyone who knows my systems knows that they cannot run Netflix or any similar content site and that I don't even want such sites connecting to my machines on the assumption that they might attempt to database hardware information. The only reason I don't 127.0.0.1 all of them out in /etc/hosts is that emails and other websites don't link to netflix and attempt to load netflix sharing buttons like they do with Facebook and Google. I do in fact block both Facebook and Google due to the sharing buttons and routine embedding and linking of those sites. Those I know who use my systems and also use things like Netflix exile the latter to dedicated systems doing nothing else, on a "free software for free uses, pay software for paid content" model. Lastly, I would remind the movie studios that Bittorrent works just fine on fully free systems-and that Internet regulation will only spur a future of impenetrable onion-routed encrypted darknets. Those will give utter filesharing impunity for all and could put things like netflix and maybe even the movie studios out of business entirely. Hollywood should focus on the actual movie theater only, in resolutions so large a download would take a month and a corrupt theater employee would be the only source of a rerender to a sharable resolution. 
    This is rather like the way my limited Internet bandwidth means no online attacker could attempt to exfiltrate my raw clips without saturating the connection and giving himself away.



  • bibaheu
    replied
    Originally posted by Mystro256



    I'm not sure what BFU stands for, but the implementation isn't for most FOSS end users. It doesn't work if the OS and HW aren't locked down all the way from boot (i.e. HW based Secure boot) to the monitor connection (HDCP). If you break the chain anywhere, the PSP just shuts down and disallows protected content if the vendor (Hulu, Netflix, etc.) requests it. For example, this is needed for 4K on Netflix to work; every company has its desired security level we need to implement various levels of widevine (Linux) and Playready (Windows) to meet these needs.

    As I said, it's not forced on anyone, it's just implemented. If your system is one of those OEM locked down systems, it will work, but if your system is customized in any way, it's just a dead code path that doesn't affect you whatsoever, aside from vendors denying you content because you don't have the DRM available.

    Realistically we have Windows and Linux customers that pay us money to implement it, so we implement it. Not having it available in Linux is just silliness, as these Linux customers in turn fund a lot of development of the AMDGPU (as in FOSS) driver.

    EDIT: Note that widevine does work without the PSP or other HW equivalent, but in a "lower security mode". Some vendors allow it, such as Netflix, but will likely limit your connection; for example, I believe Netflix will limit your quality settings depending on the video you select (I'm assuming depending on the movie studio) and probably also throttle your connection.
    Thanks for explaining all that, always nice to get comments from driver developers

    As far as I know Netflix limits video playback to 720p on Widevine (low security mode?). You need a Microsoft browser or a locked device (like a PS3) to get 1080p and more.

    Will the CPU boot at all if the PSP is disabled somehow in the BIOS? That's the main complaint with modern Intel machines, as it will reboot itself if the Intel Management Engine wasn't initialized by the firmware.

