From f94a8dfac9291ca5b1fa84006e90061e7287647c Mon Sep 17 00:00:00 2001
From: Cong Lin
Date: Mon, 11 Dec 2023 10:47:15 -0800
Subject: [PATCH] Update documentation for BCC signature generation

Including the option of signing by keybox and some disclaimers..

Bug: 297918188
Change-Id: Ic6294ea9f04f6fa6dd721242c8539341157c1292
---
 libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
index 8cd5ae66..46d1649d 100644
--- a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
+++ b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
@@ -2952,10 +2952,12 @@ OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox_or_cert,
 * Install a factory generated signature for the BCC. This is for devices that
 * use Provisioning 4.0, with the signing option in the factory. With the
 * signing option, the BCC is extracted from the device in the factory. Instead
- * of being uploaded to the Widevine server, the BCC is signed by a certificate
- * that the manufacturer shares with Widevine. The signature is then installed
- * on the device is a secure location. The signature must not be erased during
- * factory reset.
+ * of being uploaded to the Widevine server, the BCC is signed by either a
+ * certificate that the manufacturer shares with Widevine, or the keybox on the
+ * device. The signature is then installed on the device in a secure location.
+ * The signature must not be erased during factory reset. Please work with your
+ * Widevine Partner Engineer before implementing this function to make sure the
+ * installed signature is in the expected format.
 *
 * This signature should be returned as `addition_signature` in a call to the
 * function `OEMCrypto_GetBootCertificateChain()`.
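Review bot: The added wording "signed by either a certificate ... or the keybox on the device" does not say who computes the keybox-based signature (factory tooling or the device itself) or which keybox material is used, and the format is deferred to an out-of-band conversation with the Partner Engineer. A keybox is device-unique secret material, so an implementer reading only this header cannot tell whether the secret is expected to leave the device for signing. I would add one sentence such as `With the keybox option, the signature is computed by <party> using <keybox field>; see <spec reference>.`, with the placeholders filled in by the spec owner. The unchanged line below the edit still says `addition_signature`, while the parameter documented for `OEMCrypto_GetBootCertificateChain()` is `additional_signature`; this commit could correct that too. The doc comment begins before this hunk and the function it documents lies after it.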
@@ -4905,8 +4907,10 @@ OEMCryptoResult OEMCrypto_ShrinkUsageTableHeader(uint32_t new_entry_count,
 * output, the number of bytes written into the buffer.
 * @param[out] additional_signature: pointer to the buffer that receives
 * additional device key signature (certificate chain). This field is only
- * used by the signing model where a vendor certificate is available on the
- * device.
+ * used by the signing model where either a vendor certificate or a keybox is
+ * available on the device. Please work with your Widevine Partner Engineer
+ * before implementing this field to make sure the generated signature is in the
+ * expected format.
 * @param[in,out] additional_signature_length - on input, size of the caller's
 * additional_signature buffer. On output, the number of bytes written into
 * the buffer.
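Review bot: The parenthetical `(certificate chain)` on the unchanged line just above the edit no longer matches the new text, which says the field is also used when only a keybox is available on the device. A keybox-derived signature is presumably not a certificate chain, so the comment now describes two different payloads under one label. I would reword the context line to something like `additional device key signature (a certificate chain in the vendor-certificate model).` and state what the buffer holds in the keybox model. The doc comment starts and ends outside this hunk.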