diff --git a/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp b/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp index 07d138f5..19cac07a 100644 --- a/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp +++ b/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp @@ -122,6 +122,8 @@ typedef OEMCryptoResult (*L1_WrapKeybox_t)(const uint8_t* keybox, size_t transportKeyLength); typedef OEMCryptoResult (*L1_InstallKeyboxOrOEMCert_t)(const uint8_t* keybox, size_t keyBoxLength); +typedef OEMCryptoResult (*L1_FactoryInstallBCCSignature_t)( + const uint8_t* signature, size_t signature_length); typedef OEMCryptoResult (*L1_LoadTestKeybox_t)(const uint8_t* buffer, size_t length); typedef OEMCryptoResult (*L1_IsKeyboxOrOEMCertValid_t)(); @@ -339,6 +341,7 @@ struct FunctionPointers { L1_CopyBuffer_t CopyBuffer; L1_WrapKeybox_t WrapKeybox; L1_InstallKeyboxOrOEMCert_t InstallKeyboxOrOEMCert; + L1_FactoryInstallBCCSignature_t FactoryInstallBCCSignature; L1_LoadTestKeybox_t LoadTestKeybox; L1_IsKeyboxOrOEMCertValid_t IsKeyboxOrOEMCertValid; L1_GetDeviceID_t GetDeviceID; @@ -967,6 +970,7 @@ class Adapter { LOOKUP_ALL(12, GetProvisioningMethod, OEMCrypto_GetProvisioningMethod); LOOKUP_ALL( 8, GetRandom, OEMCrypto_GetRandom); LOOKUP_ALL( 8, InstallKeyboxOrOEMCert, OEMCrypto_InstallKeyboxOrOEMCert); + LOOKUP_ALL(18, FactoryInstallBCCSignature, OEMCrypto_FactoryInstallBCCSignature); LOOKUP_ALL(10, IsAntiRollbackHwPresent, OEMCrypto_IsAntiRollbackHwPresent); LOOKUP_ALL( 8, IsKeyboxOrOEMCertValid, OEMCrypto_IsKeyboxOrOEMCertValid); LOOKUP( 8, 15, LoadDeviceRSAKey, OEMCrypto_LoadDeviceRSAKey); 
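Review bot: `LOOKUP_ALL(18, FactoryInstallBCCSignature, OEMCrypto_FactoryInstallBCCSignature)` keys the lookup on major version 18, while the header in this commit says the function is new in API version 18.3, so a Level 1 library that reports 18 but was built against 18.0 to 18.2 would not export the symbol. The definition of `LOOKUP_ALL` is outside this hunk. If a failed lookup makes the adapter abandon the Level 1 library, such devices would silently run at a lower security level; if it only leaves the pointer null, the `nullptr` check in the new wrapper already covers it. Please confirm which applies and record it next to the entry, e.g. `// 18.3 addition: may be absent on 18.0-18.2 libraries; wrapper returns NOT_IMPLEMENTED.`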
@@ -2252,6 +2256,16 @@ extern "C" OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert( return OEMCrypto_InstallKeyboxOrOEMCert(keybox, keyBoxLength, kLevelDefault); } +extern "C" OEMCryptoResult OEMCrypto_FactoryInstallBCCSignature( + const uint8_t* signature, size_t signature_length) { + if (!gAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE; + const FunctionPointers* fcn = gAdapter->GetFunctionPointers(kLevelDefault); + if (!fcn) return OEMCrypto_ERROR_INVALID_SESSION; + if (fcn->FactoryInstallBCCSignature == nullptr) + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + return fcn->FactoryInstallBCCSignature(signature, signature_length); +} + extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer, size_t length) { if (!gAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE; diff --git a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h index 0d6d60c5..3c8a767b 100644 --- a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h +++ b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h @@ -3,7 +3,7 @@ // License Agreement. /** - * @mainpage OEMCrypto API v18.2 + * @mainpage OEMCrypto API v18.3 * * OEMCrypto is the low level library implemented by the OEM to provide key and * content protection, usually in a separate secure memory or process space. The @@ -712,6 +712,7 @@ typedef enum OEMCrypto_SignatureHashAlgorithm { #define OEMCrypto_GetSignatureHashAlgorithm _oecc139 #define OEMCrypto_EnterTestMode _oecc140 #define OEMCrypto_GetDeviceSignedCsrPayload _oecc141 +#define OEMCrypto_FactoryInstallBCCSignature _oecc142 // clang-format on /// @addtogroup initcontrol 
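Review bot: `OEMCrypto_FactoryInstallBCCSignature` passes `signature` and `signature_length` to the loaded library without any check, and its two adapter-level failure codes, `OEMCrypto_ERROR_UNKNOWN_FAILURE` and `OEMCrypto_ERROR_INVALID_SESSION`, are not among the `@retval` values this commit documents in OEMCryptoCENC.h. `OEMCrypto_ERROR_INVALID_SESSION` in particular reads oddly for a call that takes no session; it may follow the file's convention, which is not visible in this hunk. Because the call installs provisioning data that the header says must survive factory reset, I would make the contract explicit with a comment above the function such as `// Factory-only pass-through: arguments are not validated here; the OEMCrypto implementation must reject a null or zero-length signature.`, and add the two adapter codes to the header's `@retval` list.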
@@ -2996,6 +2997,41 @@ OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert( OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox_or_cert, size_t keybox_or_cert_length); +/** + * Install a factory generated signature for the BCC. This is for devices that + * use Provisioning 4.0, with the signing option in the factory. With the + * signing option, the BCC is extracted from the device in the factory. Instead + * of being uploaded to the Widevine server, the BCC is signed by a certificate + * that the manufacturer shares with Widevine. The signature is then installed + * on the device is a secure location. The signature must not be erased during + * factory reset. + * + * This signature should be returned as `addition_signature` in a call to the + * function `OEMCrypto_GetBootCertificateChain()`. + * + * Devices that do not support Provisioning 4.0, or only support Provisioning + * 4.0 Option 1 should return OEMCrypto_ERROR_NOT_IMPLEMENTED. + * + * + * @param[in] signature: pointer to data as input + * @param[in] signature_length: length of the data in bytes + * + * @retval OEMCrypto_SUCCESS success + * @retval OEMCrypto_ERROR_INSUFFICIENT_RESOURCES + * @retval OEMCrypto_ERROR_NOT_IMPLEMENTED + * @retval OEMCrypto_ERROR_SYSTEM_INVALIDATED + * + * @threading + * This is an "Initialization and Termination Function" and will not be + * called simultaneously with any other function, as if the CDM holds a write + * lock on the OEMCrypto system. + * + * @version + * This method is new in API version 18.3. + */ +OEMCryptoResult OEMCrypto_FactoryInstallBCCSignature(const uint8_t* signature, + size_t signature_length); + /** * This function is for OEMCrypto to tell the layer above what provisioning * method it uses: keybox or OEM certificate.
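Review bot: The new doc block for `OEMCrypto_FactoryInstallBCCSignature` does not say what an implementation must do when the call arrives after a signature is already installed, or once the device has left the factory; for a value that must survive factory reset, that is the part an integrator most needs spelled out. I would add a sentence stating whether a later call overwrites, is ignored, or is refused, and which `@retval` reports it. A sentence on how a null `signature` or a zero `signature_length` is handled would also help, since the adapter wrapper in this commit forwards both unchecked. Two wording fixes: `on the device is a secure location` should read `on the device in a secure location`, and `addition_signature` is presumably `additional_signature`, to be checked against the `OEMCrypto_GetBootCertificateChain()` declaration, which is outside this hunk.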