Widevine* L3 Integration Guide
Introduction
This section explains the process to integrate the Widevine v15 libraries into Celadon. It contains the following:
- Library and APKs integration
- Services integration
- Verification methods
- Troubleshooting
The target audience includes system integrators and testers for the Widevine function and GTS/VTS.
Terminology
| Acronym | Description |
| Widevine | DRM solution which is used in Google* Android* by default. |
| GTS | GMS Test Suite. |
| VTS | Google Vendor Test Suite. |
| CiV | Celadon in VM |
Widevine libraries integration
Sources
Check out the Celadon code base according to the Celadon release note on https://01.org/projectceladon/.
The version we verified for Android 10 has the last commit of .repo/manifests/r1 as shown below (the newer version should be OK):
commit 50bafa394758150137f1f89e499fbce812443d50
Refs: {origin/cactus/celadon-r2/candidates/mergerequest}, {origin/cactus/celadon-r1/can
Author: rnaidu <ramya.v.naidu@intel.com>
AuthorDate: Wed Apr 29 18:50:24 2020 +0530
Commit: buildslave <ctbbot@intel.com>
CommitDate: Tue May 5 07:25:05 2020 +0000
Upgrading the aosp for civ
Change-Id: Id41d20e11de0f349bddccb8b6b8c3a7a2a23a8b6
The version we verified for Android 11 was manifest-android_r_staging-2020_WW36_A-r1-generated.xml.
Customers should get the widevine DRM package from Google. Normally, it contains:
├── Android.mk
├── CleanSpec.mk
├── libwvdrmengine
│ ├── Android.mk
│ ├── build_and_run_all_unit_tests.sh
│ ├── cdm
│ ├── docs
│ ├── include
│ ├── include_hidl
│ ├── level3
│ ├── mediacrypto
│ ├── mediadrm
│ ├── move_widevine_data.sh
│ ├── oem_certificate_generator
│ ├── oemcrypto
│ ├── run_all_unit_tests.sh
│ ├── src
│ ├── src_hidl
│ ├── test
│ └── vts
└── tests
└── Android.mk
The latest commit on our code base that was verified is shown below. Newer versions also should be acceptable.
commit 387e21ac55064cc523102130bcaa4773de3959b6
Refs: {origin/mirror/pdk/q-fs-release}
Merge: 7a8e7dc 367befa
Author: android-build-team Robot <android-build-team-robot@google.com>
AuthorDate: Sun Jun 2 23:08:40 2019 +0000
Commit: android-build-team Robot <android-build-team-robot@google.com>
CommitDate: Sun Jun 2 23:08:40 2019 +0000
Snap for 5627676 from 367befa3b7bffac8f9c569e269adafe7c906f343 to qt-release*
Change-Id: I43b1a334b936dbd81dfbaa99371fa835a7b9efdc*
It is normally put under
vendor/widevine/.Intel provides the following information in this document for customer integration.
- Mixins setting reference
- Sepolicy config reference
- Enablement flag for each project
Changes to be made in Celadon
Mixins for the Widevine module should be created under project
device/intel/mixins/cd device/intel/mixins/groups/
mkdir -p widevine/false
mkdir -p widevine/L3_Gen
ln -s L3_Gen default
touch widevine/false/empty_dir
touch widevine/L3_Gen/BoardConfig.mk
touch widevine/L3_Gen/product.mk
touch groups/widevine/doc.spec
Sepolicy for Widevine module, under project
device/intel/sepolicy/cd device/intel/sepolicy
mkdir -p widevine/gen/gen_common/
touch widevine/gen/gen_common/file.te
touch widevine/gen/gen_common/file_contexts
touch widevine/gen/gen_common/hal_drm_widevine.te
Enable widevine level 3 in project mixins, which is a one line change in the project related mixins file, such as
device/intel/project-celadon/caas/mixins.spec
Create mixins files and fill the content
Add the text below to widevine/doc.spec (this step is optional):
# device/intel/mixins/groups/widevine/doc.spec
=== Overview
widevine is used to enable/disable the Android DRM widevine feature and
set the relatedsecure level.
--- deps
- sepolicy
==== Options
--- L1\_Gen
this option enables widevine level 1 for Gen based devices.
--- code dir
- device/intel/mixins/groups/widevine
- device/intel/sepolicy/widevine
- vendor/widevine
- vendor/intel/liboemcrypto/gen
--- parameters
- widevine\_arch: Graphics arch, gen9 for BXT, gen8 for CHT.
--- L3\_Gen
this option enables widevine level 3 for Gen based devices.
--- code dir
- device/intel/mixins/groups/widevine
- device/intel/sepolicy/widevine
- vendor/widevine
--- default
this option will only enable default drm, when not explicitly selected
in mixins spec file, the default option will be used.
--- code dir
- device/intel/mixins/groups/widevine
- device/intel/sepolicy/drm-default
- hardware/interfaces/drm/1.0/default
Add the text below to device/intel/mixins/groups/widevine/L3_Gen/product.mk:
# device/intel/mixins/groups/widevine/L3\_Gen/product.mk
#enable Widevine drm
PRODUCT\_PROPERTY\_OVERRIDES += drm.service.enabled=true
PRODUCT\_PACKAGES += \\
libwvdrmengine \\
libwvhidl \\
android.hardware.drm@1.2-service.widevine
PRODUCT\_PACKAGES\_ENG += ExoPlayerDemo
BOARD\_WIDEVINE\_OEMCRYPTO\_LEVEL := 3
Replace android.hardware.drm@1.2-service.widevine with android.hardware.drm@1.3-service.widevine for Android 11
Add the text below to device/intel/mixins/groups/widevine/L3_Gen/BoardConfig.mk:
# device/intel/mixins/groups/widevine/L3\_Gen/BoardConfig.
BOARD\_SEPOLICY\_DIRS +=
$(INTEL\_PATH\_SEPOLICY)/widevine/gen/gen\_common
For Android 11, make the following changes, if it’s not updated on your code base:
# device/intel/mixins/groups/default-drm/true/product.mk
#only enable default drm service
PRODUCT\_PACKAGES += android.hardware.drm@1.0-service \\
android.hardware.drm@1.0-impl \\
- android.hardware.drm@1.2-service.clearkey
+ android.hardware.drm@1.3-service.clearkey
Update manifest.xml as follows:
# device/intel/mixins/groups/device-specific/caas/manifest.xml
</interface>
- <fqname>@1.1::ICryptoFactory/clearkey</fqname>
- <fqname>@1.1::IDrmFactory/clearkey</fqname>
- <fqname>@1.1::ICryptoFactory/widevine</fqname>
- <fqname>@1.1::IDrmFactory/widevine</fqname>
+ <fqname>@1.3::ICryptoFactory/clearkey</fqname>
+ <fqname>@1.3::IDrmFactory/clearkey</fqname>
</hal>
Add sepolicy for Widevine
cd device/intel/sepolicy/
mkdir -p widevine/gen/gen_common
touch widevine/gen/gen_common/file_contexts
touch widevine/gen/gen_common/file.te
touch widevine/gen/gen_common/hal_drm_widevine.te
Add the text below to file_contexts:
# device/intel/sepolicy/ widevine/gen/gen\_common/file\_contexts
/(vendor\|system/vendor)/bin/hw/android\\.hardware\\.drm@1\\.2-service.widevine
u:object\_r:hal\_drm\_default\_exec:s0
/data/vendor/mediadrm(/.\*)?
u:object\_r:mediadrm\_vendor\_data\_file:s0
\*Replace @1\\.2-service.widevine with @1\\.3-service.widevine for
Android 11
Add the text below to file.te:
# device/intel/sepolicy/ widevine/gen/gen\_common/file.te
#data/vendor/mediadrm
type mediadrm\_vendor\_data\_file, file\_type, data\_file\_type;
Add the text below to hal_drm_widevine.te:
# device/intel/sepolicy/ widevine/gen/gen\_common/hal\_drm\_widevine.te
vndbinder\_use(hal\_drm\_default)
allow hal\_drm\_default mediadrm\_vendor\_data\_file:dir
create\_dir\_perms;
allow hal\_drm\_default mediadrm\_vendor\_data\_file:file
create\_file\_perms;
allow hal\_drm\_default gpu\_device:dir search;
allow hal\_drm\_default gpu\_device:chr\_file rw\_file\_perms;
allow hal\_drm\_default tmpfs:file { read write map};
For Android 11, make the changes shown below to drm-default/file_contexts if it’s not updated in your code base yet:
# device/intel/sepolicy/drm-default/file\_contexts
-/vendor/bin/hw/android\\.hardware\\.drm@1\\.2-service\\.clearkey
u:object\_r:hal\_drm\_clearkey\_exec:s0
+/vendor/bin/hw/android\\.hardware\\.drm@1\\.3-service\\.clearkey
u:object\_r:hal\_drm\_clearkey\_exec:s0
Add the last line to enable widevine L3 for Celadon caas:
# device/intel/project-celadon/caas/mixins.spec
…
gptbuild: true(size=16G,generate\_craff=false,compress\_gptimage=true)
dynamic-partitions: true(super\_img\_in\_flashzip=true)
dbc: true
atrace: true
firmware: true(all\_firmwares=true)
aaf: true
suspend: never
widevine: L3\_Gen
Checkpoints
Make sure that
vendor/widewine/Android.mkis included in your device’s build process. (Normally, it should be included.)After the build, you should have the following binaries in:
out/target/product/$(TARGET\_DEVICE). vendor/lib/libwvhidl.so vendor/lib/mediadrm/libwvdrmengine.so vendor/bin/hw/android.hardware.drm@1.2-service.widevine vendor/etc/init/android.hardware.drm@1.2-service.widevine.rc <mailto:vendor/etc/init/android.hardware.drm@1.2-service.widevine.rc>`__
For Android 11:
vendor/bin/hw/android.hardware.drm@1.3-service.widevine `` vendor/etc/init/android.hardware.drm@1.3-service.widevine.rc``
Finally, you need to ensure that those files are on the TARGET devices and services are running.
Widevine keybox provision
Level 3 doesn’t need an factory Keybox provision.
Verify Widevine function
Use Exoplayer to check
ExoPlayerDemo.apk can be used to do an end-to-end verification of Modular DRM. To install the ExoPlayer app, which is in source code, execute the following:
adb install vendor/widevine/libwvdrmengine/test/demo/ExoPlayerDemo.apk
To run, launch ExoPlayer, then choose the clip to play. The Widevine-encrypted DASH CENC assets are in the “WIDEVINE DASH GTS” section.:
===WIDEVINE DASH GTS===
| WV:HDCP not specified
| HDCP not requied
| HDCP requied
| Secure video path requied(MP4,H264)
| Secure video path requied (WebM,VP9)
| Secure video path requied (MP4,H265)
| HDCP+Secure video path requied
| 30s license duration(fails at ~30s)
Check the AP log
Check logcat to confirm that the widevine service is running.:
adb logcat \*:s WVCdm:v
D WVCdm : Instantiating CDM.
I WVCdm : [cdm\_engine.cpp(529):QueryStatus] CdmEngine::QueryStatus
I WVCdm : [oemcrypto\_adapter\_dynamic.cpp(636):Initialize] Level 3
Build Info (v15): OEMCrypto Level3 Code 8162 Apr 18 2019 19:27:27
I WVCdm : [(0):] Level3 Library 8162 Apr 18 2019 19:27:27
I WVCdm : [oemcrypto\_adapter\_dynamic.cpp(650):Initialize] L3
Initialized. Trying L1.
W WVCdm : [oemcrypto\_adapter\_dynamic.cpp(662):Initialize] Could not
load liboemcrypto.so. Falling back to L3. dlopen failed: library
"liboemcrypto.so" not found
I WVCdm : [(0):] L3 Terminate.
Run GTS test cases
In the GTS test environment, check the GtsExoPlayerTestCases and GtsMediaTestCases modules to confirm that the widevine service is enabled successfully:
> run gts -m GtsExoPlayerTestCases
> run gts -m GtsMediaTestCases
All test cases in these two modules are expected to pass.