Digital Rights Management for Audio Drivers
On This Page
 | Digital Rights Management |
| How Windows DRM Support Works |
| Windows DRM and Related Components |
| DRM Signatures and Windows Logo |
| Conditions for DRM Signatures |
Digital Rights Management
Digital Rights Management (DRM) technology allows content providers such as artists and record companies to protect their proprietary music or other data by encrypting digital content and attaching usage rules to it. These rules determine the number of times the content will play, the type of devices upon which it should play, and so on.
In operating systems earlier than Microsoft Windows Millennium Edition (Windows Me), a security limitation related to digital content allowed users to easily load rogue drivers that route the playback of secure content to disk. Windows XP and Windows Me close this security hole by providing the ability to check the validity of audio drivers to ensure that they are "trusted" to properly handle content and not violate usage rules.
A trusted device or driver is one that respects any rules defined in DRM content. A trusted driver does not provide any hooks intended to allow the user to circumvent the security.
Note that trusted audio drivers are only relevant to DRM content that requires this security. For example, a content provider might package a music clip with the rule, "Play this back only on trusted devices," so that the content is not susceptible to third-party audio drivers that route unencrypted audio to disk.
Windows identifies trusted devices by way of a DRM signature in the drivers catalog (CAT) files. This is not the same as the signature already required for Windows drivers. The DRM signature is an additional signature that indicates the device and driver are trusted. Details about the related requirements and testing are described in "DRM Signatures and Windows Logo" later in this article.
If the manufacturer or vendor chooses not to obtain a DRM signature, the device will not be able to play DRM content marked "Play only on trusted devices." The following describes the difference between drivers that have DRM signatures and those that do not.
Drivers with DRM support. Devices with DRM-enabled drivers are considered "trusted." The DRM system will play all encrypted and non-encrypted content on these devices.
Drivers without DRM support. Drivers without DRM signatures can render unencrypted content. These drivers can also play DRM content that does not require a "trusted audio device." However, if the usage rules in the content require that it play only on trusted devices, the DRM system will not play it on a driver without a DRM signature. The Windows DRM system will indicate an error to the application that requested the playback. The choice of how this error is presented to the user is left to the application developer.
How Windows DRM Support Works
Audio content must move through a software signal path before reaching and being rendered by the hardware device. As read from the disk or provided through other means, DRM-encrypted content appears as scrambled. The Windows audio stack includes a DRM descrambler that restores the audio content to its unencrypted state.
The DRM system uses an authentication mechanism to ensure that the software component (audio filter) to which the unencrypted content is handed off is "trusted." The DRM system advises the filter of the rights as expressed in the content by the content provider. The audio filter enforces those rights and advises the DRM system of any downstream filters to which it sends the content. The DRM process continues similarly for each filter in the chain.
Protected kernel components perform the descrambling. Because of this, user-mode audio components such as Microsoft DirectShow and DirectSound� remain largely unaffected by DRM.
Windows DRM and Related Components
DRM is implemented for Windows XP, Windows 2000, Windows 98, and Windows Me. DRM kernel-level security is implemented for audio on Windows Me and Windows XP. DRM will be extended to other media types in future releases. The driver interfaces for DRM support are documented in the Windows DDK; APIs for software are documented in the Windows Media�™ Format SDK.
To play DRM-encrypted content, WDM audio drivers and any associated filter components must be DRM-compliant. Driver modules that handle the audio content must include a DRM signature before they can render protected content. As DRM authentication is performed whenever a new graph is built, a graph will be considered non-compliant if any non-compliant component is contained within the graph.
DRM Signatures and Windows Logo
DRM signatures are required for Windows XP and are optional for Windows Me for the Windows Logo Program for hardware.
Obtaining a DRM signature for a driver is a two-step process:
1. | The device must pass an additional set of tests provided by WHQL to validate the implementation of the DRM functions. |
2. | The hardware vendor must complete an additional DRM-specific contract with WHQL, agreeing to follow the usage rules. |
When a driver passes DRM testing along with other applicable Windows Logo Program tests, the driver package will be signed by way of the CAT file. This signature will contain an additional DRM attribute that will enable the driver to render protected content. Without this attribute in the signature, the driver will not be authenticated by the DRM system. As with all catalog files, this signature is valid only for this driver package.
Conditions for DRM Signatures
Microsoft realizes that not all audio devices are alike, so that it would be impossible to test all aspects of DRM compliance. Therefore, to obtain a DRM signature, the vendor must certify that the driver fully and correctly implements the DRM interface as follows:
1. | When requested, the audio driver must disable the ability to capture the stream currently being played back. That is, whenever Content Copy Protection rights are asserted through the DRM interface: |
2. | When requested, the audio driver must disable the digital audio output on the device. That is, whenever the content asserts Digital Output Disable rights through the DRM interface, the driver must disable all digital audio outputs that could transmit content over a standard interface through a standard interconnection scheme. |
3. | The audio driver must rely only on other components that also contain DRM signatures. The driver must never facilitate the transfer of audio data to any component that does not have a DRM signature. In particular, if the driver passes digital content, the driver must utilize the Windows DRM kernel APIs to make the Windows DRM system aware of the movement of digital content. |
4. | The audio device and driver must not include user-selectable options to defeat or subvert the Windows DRM kernel components. Specifically, the driver must not provide registry settings, user control panels, or other methods of disabling the DRM functions. |
Call to action for DRM audio drivers:
| • | Write DRM-compliant WDM audio drivers, implementing the driver interfaces defined in the "Digital Rights Managment Reference" in the Windows DDK, available through MSDN™ and on the web at: http://www.microsoft.com/whdc/devtools/ddk/default.mspx |
| • | Implement software interfaces as defined in the Windows Media SDK, provided through MSDN. |
| • | Test DRM-compliant audio drivers and submit them to WHQL for driver signing and Windows Logo testing. Send testing inquiries to WHQLSYS@microsoft.com |
| • | For information about test assertions for DRM, see Chapter 16, "Audio Test Specification," in the WHQL Test Specification, available from the WHQL web site at http://www.microsoft.com/whdc/whql/default.mspx |
| • | For information about WMDM and DRM licenses see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmform/htm/drmprotectionandcontentlicensedistribution.asp |