Widevine* L3 Integration Guide


This section explains the process to integrate the Widevine v15 libraries into Celadon. It contains the following:

  • Library and APKs integration

  • Services integration

  • Verification methods

  • Troubleshooting

The target audience includes system integrators and testers for the Widevine function and GTS/VTS.





DRM solution which is used in Google* Android* by default.


GMS Test Suite.


Google Vendor Test Suite.


Celadon in VM

Widevine libraries integration


  1. Check out the Celadon code base according to the Celadon release note on https://01.org/projectceladon/.

    The version we verified for Android 10 has the last commit of .repo/manifests/r1 as shown below (the newer version should be OK):

    commit 50bafa394758150137f1f89e499fbce812443d50

    Refs: {origin/cactus/celadon-r2/candidates/mergerequest}, {origin/cactus/celadon-r1/can

    Author: rnaidu <ramya.v.naidu@intel.com>

    AuthorDate: Wed Apr 29 18:50:24 2020 +0530

    Commit: buildslave <ctbbot@intel.com>

    CommitDate: Tue May 5 07:25:05 2020 +0000

    Upgrading the aosp for civ

    Change-Id: Id41d20e11de0f349bddccb8b6b8c3a7a2a23a8b6

    The version we verified for Android 11 was manifest-android_r_staging-2020_WW36_A-r1-generated.xml.

  2. Customers should get the widevine DRM package from Google. Normally, it contains:

    ├── Android.mk

    ├── CleanSpec.mk

    ├── libwvdrmengine

    │   ├── Android.mk

    │   ├── build_and_run_all_unit_tests.sh

    │   ├── cdm

    │   ├── docs

    │   ├── include

    │   ├── include_hidl

    │   ├── level3

    │   ├── mediacrypto

    │   ├── mediadrm

    │   ├── move_widevine_data.sh

    │   ├── oem_certificate_generator

    │   ├── oemcrypto

    │   ├── run_all_unit_tests.sh

    │   ├── src

    │   ├── src_hidl

    │   ├── test

    │   └── vts

    └── tests

    └── Android.mk

    The latest commit on our code base that was verified is shown below. Newer versions also should be acceptable.

    commit 387e21ac55064cc523102130bcaa4773de3959b6

    Refs: {origin/mirror/pdk/q-fs-release}

    Merge: 7a8e7dc 367befa

    Author:     android-build-team Robot <android-build-team-robot@google.com>

    AuthorDate: Sun Jun 2 23:08:40 2019 +0000

    Commit:     android-build-team Robot <android-build-team-robot@google.com>

    CommitDate: Sun Jun 2 23:08:40 2019 +0000

    Snap for 5627676 from 367befa3b7bffac8f9c569e269adafe7c906f343 to qt-release*

    Change-Id: I43b1a334b936dbd81dfbaa99371fa835a7b9efdc*

    It is normally put under vendor/widevine/.

  3. Intel provides the following information in this document for customer integration.

    1. Mixins setting reference

    2. Sepolicy config reference

    3. Enablement flag for each project

Changes to be made in Celadon

  • Mixins for the Widevine module should be created under project device/intel/mixins/

    cd device/intel/mixins/groups/

    mkdir -p widevine/false

    mkdir -p widevine/L3_Gen

    ln -s L3_Gen default

    touch widevine/false/empty_dir

    touch widevine/L3_Gen/BoardConfig.mk

    touch widevine/L3_Gen/product.mk

    touch groups/widevine/doc.spec

  • Sepolicy for Widevine module, under project device/intel/sepolicy/

    cd device/intel/sepolicy

    mkdir -p widevine/gen/gen_common/

    touch widevine/gen/gen_common/file.te

    touch widevine/gen/gen_common/file_contexts

    touch widevine/gen/gen_common/hal_drm_widevine.te

  • Enable widevine level 3 in project mixins, which is a one line change in the project related mixins file, such as device/intel/project-celadon/caas/mixins.spec

Create mixins files and fill the content

Add the text below to widevine/doc.spec (this step is optional):

 # device/intel/mixins/groups/widevine/doc.spec

 === Overview

 widevine is used to enable/disable the Android DRM widevine feature and
 set the relatedsecure level.

 --- deps

     - sepolicy

 ==== Options

 --- L1\_Gen

 this option enables widevine level 1 for Gen based devices.

 --- code dir

     - device/intel/mixins/groups/widevine

     - device/intel/sepolicy/widevine

     - vendor/widevine

     - vendor/intel/liboemcrypto/gen

--- parameters

     - widevine\_arch: Graphics arch, gen9 for BXT, gen8 for CHT.

 --- L3\_Gen

 this option enables widevine level 3 for Gen based devices.

--- code dir

    - device/intel/mixins/groups/widevine

    - device/intel/sepolicy/widevine

    - vendor/widevine

 --- default

 this option will only enable default drm, when not explicitly selected
 in mixins spec file, the default option will be used.

--- code dir

    - device/intel/mixins/groups/widevine

    - device/intel/sepolicy/drm-default

    - hardware/interfaces/drm/1.0/default

Add the text below to device/intel/mixins/groups/widevine/L3_Gen/product.mk:

# device/intel/mixins/groups/widevine/L3\_Gen/product.mk

#enable Widevine drm

PRODUCT\_PROPERTY\_OVERRIDES += drm.service.enabled=true


  libwvdrmengine \\

  libwvhidl \\




Replace android.hardware.drm@1.2-service.widevine with android.hardware.drm@1.3-service.widevine for Android 11

Add the text below to device/intel/mixins/groups/widevine/L3_Gen/BoardConfig.mk:

# device/intel/mixins/groups/widevine/L3\_Gen/BoardConfig.


For Android 11, make the following changes, if it’s not updated on your code base:

# device/intel/mixins/groups/default-drm/true/product.mk

#only enable default drm service

PRODUCT\_PACKAGES += android.hardware.drm@1.0-service \\

                     android.hardware.drm@1.0-impl \\

-         android.hardware.drm@1.2-service.clearkey

+         android.hardware.drm@1.3-service.clearkey

Update manifest.xml as follows:

# device/intel/mixins/groups/device-specific/caas/manifest.xml


-        <fqname>@1.1::ICryptoFactory/clearkey</fqname>

-        <fqname>@1.1::IDrmFactory/clearkey</fqname>

-        <fqname>@1.1::ICryptoFactory/widevine</fqname>

-        <fqname>@1.1::IDrmFactory/widevine</fqname>

+        <fqname>@1.3::ICryptoFactory/clearkey</fqname>

+        <fqname>@1.3::IDrmFactory/clearkey</fqname>


Add sepolicy for Widevine

cd device/intel/sepolicy/

mkdir -p widevine/gen/gen_common

touch widevine/gen/gen_common/file_contexts

touch widevine/gen/gen_common/file.te

touch widevine/gen/gen_common/hal_drm_widevine.te

Add the text below to file_contexts:

# device/intel/sepolicy/ widevine/gen/gen\_common/file\_contexts



\*Replace @1\\.2-service.widevine with @1\\.3-service.widevine for
Android 11

Add the text below to file.te:

# device/intel/sepolicy/ widevine/gen/gen\_common/file.te


type mediadrm\_vendor\_data\_file, file\_type, data\_file\_type;

Add the text below to hal_drm_widevine.te:

# device/intel/sepolicy/ widevine/gen/gen\_common/hal\_drm\_widevine.te


allow hal\_drm\_default mediadrm\_vendor\_data\_file:dir

allow hal\_drm\_default mediadrm\_vendor\_data\_file:file

allow hal\_drm\_default gpu\_device:dir search;

allow hal\_drm\_default gpu\_device:chr\_file rw\_file\_perms;

allow hal\_drm\_default tmpfs:file { read write map};

For Android 11, make the changes shown below to drm-default/file_contexts if it’s not updated in your code base yet:

# device/intel/sepolicy/drm-default/file\_contexts



Add the last line to enable widevine L3 for Celadon caas:

# device/intel/project-celadon/caas/mixins.spec


gptbuild: true(size=16G,generate\_craff=false,compress\_gptimage=true)

dynamic-partitions: true(super\_img\_in\_flashzip=true)

dbc: true

atrace: true

firmware: true(all\_firmwares=true)

aaf: true

suspend: never

widevine: L3\_Gen


  1. Make sure that vendor/widewine/Android.mk is included in your device’s build process. (Normally, it should be included.)

  2. After the build, you should have the following binaries in:

    vendor/etc/init/android.hardware.drm@1.2-service.widevine.rc <mailto:vendor/etc/init/android.hardware.drm@1.2-service.widevine.rc>`__

    For Android 11:

    vendor/bin/hw/android.hardware.drm@1.3-service.widevine ``
  3. Finally, you need to ensure that those files are on the TARGET devices and services are running.

Widevine keybox provision

Level 3 doesn’t need an factory Keybox provision.

Verify Widevine function

Use Exoplayer to check

ExoPlayerDemo.apk can be used to do an end-to-end verification of Modular DRM. To install the ExoPlayer app, which is in source code, execute the following:

adb install vendor/widevine/libwvdrmengine/test/demo/ExoPlayerDemo.apk

To run, launch ExoPlayer, then choose the clip to play. The Widevine-encrypted DASH CENC assets are in the “WIDEVINE DASH GTS” section.:


| WV:HDCP not specified
| HDCP not requied
| HDCP requied
| Secure video path requied(MP4,H264)
| Secure video path requied (WebM,VP9)
| Secure video path requied (MP4,H265)
| HDCP+Secure video path requied
| 30s license duration(fails at ~30s)

Check the AP log

Check logcat to confirm that the widevine service is running.:

adb logcat \*:s WVCdm:v

D WVCdm : Instantiating CDM.

I WVCdm : [cdm\_engine.cpp(529):QueryStatus] CdmEngine::QueryStatus

I WVCdm : [oemcrypto\_adapter\_dynamic.cpp(636):Initialize] Level 3
Build Info (v15): OEMCrypto Level3 Code 8162 Apr 18 2019 19:27:27

I WVCdm : [(0):] Level3 Library 8162 Apr 18 2019 19:27:27

I WVCdm : [oemcrypto\_adapter\_dynamic.cpp(650):Initialize] L3
Initialized. Trying L1.

W WVCdm : [oemcrypto\_adapter\_dynamic.cpp(662):Initialize] Could not
load liboemcrypto.so. Falling back to L3. dlopen failed: library
"liboemcrypto.so" not found

I WVCdm : [(0):] L3 Terminate.

Run GTS test cases

In the GTS test environment, check the GtsExoPlayerTestCases and GtsMediaTestCases modules to confirm that the widevine service is enabled successfully:

>  run gts -m GtsExoPlayerTestCases

>  run gts -m GtsMediaTestCases

All test cases in these two modules are expected to pass.