An AMDGPU Branch For Security PSP / HDCP Support


  • #21
    Originally posted by starshipeleven
    this thing is in the GPU, how does it change the boot path?
    From what I've heard, when a PSP enabled APU (no pure CPUs yet, it's not on AM3+) is powered on, it's the Platform Security Processor (PSP) that loads the initial instructions and then hands off to the real CPU. Trouble is, controlling the first instruction is the power to control ALL instructions, and if the NSA has AMD's key they could make a modified version that diverts this code to a keylogger hidden anywhere. Preventing this would require being able to run the PSP with no firmware on disk (only burned into it) and that burned-in firmware being known by audit (even audit under NDA by mutually opposing parties) not to contain any code that could substitute bootloaders, enable UEFI keylogging, etc.

    It's this initial boot function (powerup loading) that I am concerned with, it sounds like when DRM is not used it is supposed to sit there doing nothing. Netflix is more than welcome not to send anything to any machine I control, as I do not have or want any paid accounts anywhere anyway. Like I said, my machines are free software for free content, only.



    • #22
      Well, security is not a bad thing *per se*, even HDCP could have its uses. It is however useless for me if I cannot set the various keys to the ones I want and own. And it's not designed this way: You will probably never find a TV with a changeable encryption key. That would allow making a trusted connection from the application to the display, with no spoofing "possible" in between.

      As for HDCP, someone will break it at some point. They already did it in the past, IIRC. It is virtually impossible to hand you the content and the keys to decrypt it, while guaranteeing that you won't be able to access either.



      • #23
        Every kind of DRM is definitely an anti-feature (anti-user feature) and it should only be implemented in linux and other FOSS at the same time with means of bypassing it :-) and the best would be to have linux GPL3 licensed, of course



        • #24
          Originally posted by Mystro256
          I'm not sure what BFU stands for, but the implementation isn't for most FOSS end users. It doesn't work if the OS and HW aren't locked down all the way from boot (i.e. HW based Secure boot) to the monitor connection (HDCP). If you break the chain anywhere, the PSP just shuts down and disallows protected content if the vendor (Hulu, Netflix, etc.) requests it. For example, this is needed for 4K on Netflix to work; every company has its desired security level we need to implement various levels of Widevine (Linux) and PlayReady (Windows) to meet these needs.

          As I said, it's not forced on anyone, it's just implemented. If your system is one of those OEM locked down systems, it will work, but if your system is customized in any way, it's just a dead code path that doesn't affect you whatsoever, aside from vendors denying you content because you don't have the DRM available.
          What kind of bullshit is this? The moment I change the wireless adapter in my laptop Netflix will disallow streaming 4K (if the laptop boots up at all...)? If I build an HTPC system from separate components, no Netflix for me?
          Is this a return to the pre IBM-PC era, where all that was available were all-in-one systems, that allowed the user to do nothing but one thing with them? (two if you count throwing it out)

          I'd like to say I'm not judging you for implementing it, but I am. This is dangerous remote control territory we're going into. (Govt doesn't like tor? PSP disallows it -> see Turkey)

          I mean seriously, how would people be pissed if their cars refused to drive on non constructor approved roads?

          BTW : BFU stands for Basic Fucking User. ( Politically correct is "Average Joe" )



          • #25
            Originally posted by M@yeulC
            Well, security is not a bad thing *per se*, even HDCP could have its uses. It is however useless for me if I cannot set the various keys to the ones I want and own. And it's not designed this way: You will probably never find a TV with a changeable encryption key. That would allow making a trusted connection from the application to the display, with no spoofing "possible" in between.
            Why the hell would you need to change encryption key of HDCP anyway? They are all generated from a master key somewhere so they are all functionally identical.

            As for HDCP, someone will break it at some point. They already did it in the past, IIRC. It is virtually impossible to hand you the content and the keys to decrypt it, while guaranteeing that you won't be able to access either.
            Possible/impossible is irrelevant, what matters is practical/impractical. Doing what you said with HDCP is not practical.

            Does not mean it is an issue though. Easy way to spoof it is using some Chinese "hdmi splitter" boxes that either have their own key on one side and don't check on the others, or don't report themselves at all in the system so as long as ONE receiving device attached to it is HDCP-compliant you can see stuff on others too.



            • #26
              Originally posted by Serafean

              What kind of bullshit is this? The moment I change the wireless adapter in my laptop Netflix will disallow streaming 4K (if the laptop boots up at all...)? If I build an HTPC system from separate components, no Netflix for me?
              Is this a return to the pre IBM-PC era, where all that was available were all-in-one systems, that allowed the user to do nothing but one thing with them? (two if you count throwing it out)
              The entertainment business has always been nazi-like, nothing new in that. You remember the bullshit region codes in disks? So that you could not see a disk for a different region on a device coded to another region? (While a PC didn't give a fuck about these regions at all)

              I'd like to say I'm not judging you for implementing it, but I am. This is dangerous remote control territory we're going into. (Govt doesn't like tor? PSP disallows it -> see Turkey)
              No, it's still DRM.
              If the program you use to see Netflix sees that you don't have X and Y or if their servers don't get the right user agent string, or stuff like that, then you can't see stuff.

              PSP is used on your PC while you are seeing things to ensure that you cannot pirate them through the PC as it keeps the keys or does decryption or something like that.

              But they have no way to have your PC disallow arbitrary applications or services they don't control.



              • #27
                Originally posted by Mystro256

                I'm not sure what BFU stands for, but the implementation isn't for most FOSS end users. It doesn't work if the OS and HW aren't locked down all the way from boot (i.e. HW based Secure boot) to the monitor connection (HDCP). If you break the chain anywhere, the PSP just shuts down and disallows protected content if the vendor (Hulu, Netflix, etc.) requests it. For example, this is needed for 4K on Netflix to work; every company has its desired security level we need to implement various levels of Widevine (Linux) and PlayReady (Windows) to meet these needs.

                As I said, it's not forced on anyone, it's just implemented. If your system is one of those OEM locked down systems, it will work, but if your system is customized in any way, it's just a dead code path that doesn't affect you whatsoever, aside from vendors denying you content because you don't have the DRM available.

                Realistically we have Windows and Linux customers that pay us money to implement it, so we implement it. Not having it available in Linux is just silliness, as these Linux customers in turn fund a lot of development of the AMDGPU (as in FOSS) driver.

                EDIT: Note that Widevine does work without the PSP or other HW equivalent, but in a "lower security mode". Some vendors allow it, such as Netflix, but will likely limit your connection; for example, I believe Netflix will limit your quality settings depending on the video you select (I'm assuming depending on the movie studio) and probably also throttle your connection.
                That's perfectly fine, but I vote that absolutely every distribution configure it out of the compiled binaries so that none of them use any implementations of this crap. The fact is I can't wait for the PSP to get cracked so that oss code can be written to operate that hardware beyond the control of any content industry. (And it will happen someday, you can bet your balls on it.)



                • #28
                  Originally posted by Serafean

                  What kind of bullshit is this? The moment I change the wireless adapter in my laptop Netflix will disallow streaming 4K (if the laptop boots up at all...)? If I build an HTPC system from separate components, no Netflix for me?
                  Is this a return to the pre IBM-PC era, where all that was available were all-in-one systems, that allowed the user to do nothing but one thing with them? (two if you count throwing it out)

                  I'd like to say I'm not judging you for implementing it, but I am. This is dangerous remote control territory we're going into. (Govt doesn't like tor? PSP disallows it -> see Turkey)

                  I mean seriously, how would people be pissed if their cars refused to drive on non constructor approved roads?

                  BTW : BFU stands for Basic Fucking User. ( Politically correct is "Average Joe" )
                  Well realistically, I would never lock down my computer just to satisfy some DRM requirement... but customers are customers (OEM and "BFU"). They want their devices to stream 4K and movie studios make these DRM agreements with content providers (such as Netflix). Don't shoot the messenger, as they say; I don't make this crap, I just let the products work with this crap if the user so wishes.

                  Plus, I think I already said this... these customers help fund development, so I would be more inclined to make them happy than spit in their face.



                  • #29
                    Originally posted by duby229

                    That's perfectly fine, but I vote that absolutely every distribution configure it out of the compiled binaries so that none of them use any implementations of this crap. The fact is I can't wait for the PSP to get cracked so that oss code can be written to operate that hardware beyond the control of any content industry. (And it will happen someday, you can bet your balls on it.)
                    I doubt any kernel PSP stuff will be pulled into the mainline kernel... or at least I think so? I'm probably the worst person to ask on this as I'm not involved with distribution. I'm at the part of development where it's still pretty platform agnostic.

                    AFAIK, I'm only aware of one Linux customer needing this and they use a patched version of an LTS kernel on their devices. Possibly this "amd-staging-security-opensource-4.4" branch is for them? Yet again, worst person to ask about this.
                    Last edited by Mystro256; 21 December 2016, 01:35 PM.



                    • #30
                      Originally posted by tomtomme

                      they are not developing those, just implementing them. if they won't do that the users would cry: "why is hdmi-audio not working. where is my netflix?"
                      wouldn't you?
                      Whatever, implementing is worse than developing.
                      I said I will never buy anything with DRM and now they're implementing at hardware level. Assholes.
