android/libwvdrmengine/oemcrypto/CHANGELOG.md

# Widevine OEMCrypto, ODK, and OPK Changelog

[TOC]

## [Version 17.1][v17.1]

This release contains a major change to the build process for the OP-TEE port,
a new ODK minor version, handling for v16.4.x licenses with clear key control
block, provisioning 4.0 in the wtpi_reference code, and various small changes.

The build process for the OP-TEE port has been simplified. Previously, the OPK
components were compiled with their own makefiles, compiler flags, and
toolchain; a platform-specific build system would then need to link those
components into the final application. Now, a list of all OPK files is
provided in the new `tee-sources.mk` file for inclusion in the target platform's
build system. This guarantees that the OPK code will be compiled with the same
build flags and toolchain as the rest of the TA. The OP-TEE port has been
modified to use this new list of source files, and the generated makefiles from
previous versions have been removed.

The ODK has been updated to v17.1. A new function has been added,
`ODK_PrepareCoreRenewedProvisioningRequest()`, for use with renewing deleted or
compromised keyboxes. An out of bounds buffer error was fixed in
`CreateCoreLicenseResponse()`.

A unit test has been added to test against the issue where certain 16.4.x SDK
versions return a clear key control block (KCB) in the license response. An
OEMCrypto v17.1+ implementation should be able to handle the clear KCB in the
16.4.x response and load the license correctly.

Provisioning 4.0 is now supported in oemcrypto_ta and the WTPI reference code.
The `WTPI_GetProvisioningMethod()` config function should return
`OEMCrypto_BootCertificateChain` to enable this.

`WTPI_ED25519Sign()` has been removed from the WTPI layer.

All oemcrypto_unittests now pass for the OP-TEE port running on NXP iMX8.
Provisioning 4.0 is not yet supported on the OP-TEE port.

Please note that no changes have been made to the Trusty port code. As a result,
the Trusty port may not compile against the latest changes to the rest of OPK.

## [Version 17 plus test updates and OPK v17][v17+test-updates+opk+mk]

Add makefiles to partner visible git repo.

## [Version 17 plus test updates and OPK v17][v17+test-updates+opk]

This release contains the first partner release version of OPK, which is also
the first version of OPK to support OEMCrypto v17. OPK v17 represents a
considerable upgrade from the previous beta releases and makes many significant
changes to the WTPI. This release includes sample ports to both the OP-TEE and
Trusty TEE OSes. The Trusty port has been tested on the Pixel 6 and the OP-TEE
port has been tested on the NXP iMX8 reference board. See their respective
README.md files for platform-specific instructions and an explanation of any
failing tests.

This release of OPK still uses Provisioning 2.0 (keyboxes). Provisioning 4.0 has
not yet been tested, and support for it is incomplete. We expect there to be
another release with updates to support Provisioning 4.0 in the near future. Our
intention is to continue to support both Provisioning 2.0 and 4.0. Devices that
plan to use Provisioning 4.0 must support ECC and have enough entropy to
generate ephemeral keys on the device.

Beyond OPK, this release contains several small updates to OEMCrypto and ODK:

- ODK has been updated to use version 17 core messages by default.
- `ERROR_INVALID_RSA_KEY` has been renamed to `ERROR_INVALID_KEY` in order to
  make it clearer that this error also applies when the key is an elliptic curve
  key.
- The deprecated SRM update functions have been removed from the OEMCrypto
  header.

This release also contains several updates to the OEMCrypto unit tests:

- The fuzz tests have been updated to be compatible with OEMCrypto v17.
- A test has been added that verifies the device can load at least as many DRM
  keys as promised by its resource rating tier.
- A test has been added to verify that loading invalid usage entries fails.
- An issue in `TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths` where the
  test attempted to load the license before encrypting and sigining it has been
  addressed.
- An issue where some tests were not including a nonce in all license requests
  has been fixed.

## [Version 17][v17-initial-release]

Initial release of OEMCrypto v17 unit tests and documentation.
See https://developers.google.com/widevine/drm/client/oemcrypto/v17/delta for
changes since v16.


## [Version 16.4 plus opk beta 2][v16.4+opk-beta2]

Second beta release of the OEMCrypto Porting Kit (OPK), supporting OEMCrypto v16.

The following changes are included with this update:
- Add makefiles to build OEMCrypto TA and host apps for OP-TEE. See
  `oemcrypto/opk/ports/optee/README.md` for information on how to build with make
- Update missing and outdated files such as `odk_message.h` and
  `OEMCryptoCENCCommon.h`
- Rename WTPI interface files with common WTPI prefix
- Add more WTPI unit tests for crypto functions
- Replace DER parsing code in OEMCrypto TA OPTEE port with mbedtls
  implementation
- Update oemcrypto unittests

Using the default make settings and an external OP-TEE repository setup, the
OEMCrypto TA port is now buildable for QEMU. Slight changes to environment
variables will enable STM32MP1 and NXP iMX8 targets. Keep in mind that the
performance capabilities of QEMU and the STM32MP1 platforms do not meet the
timing requirements for many oemcrypto unittests; so far we have only passed all
tests on the NXP hardware.

This update does not include any Trusty port code.

## [Version 16.4 plus opk beta][v16.4+opk-beta]

Initial beta release of the OEMCrypto Porting Kit (OPK), supporting OEMCrypto v16.

## [Version 16.4 doc updates][v16.4+doc-updates]

Documentation updates. All headers have been updated so that documentation may
be extracted using Doxygen. Documentation can now be found at
https://developers.google.com/widevine/drm/client/oemcrypto


## [Version 16.4 plus extra tests][v16.4+extra-test]

We have added several new tests to the OEMCrypto test suite in order to identify
and fix certain types of security issues that are being discovered and disclosed
by security researchers.  Widevine strongly recommends these additional security
tests, in order to minimize the risk and exposure from external security
research.

Most of the new tests are checking for buffer overflow and off-by-one
errors. They verify that OEMCrypto correctly handles the case where input
buffers are larger than output buffers; total subsamples are larger than
samples; and message buffers are much larger than required. OEMCrypto is
expected to accept bad input and fail gracefully. Failing these tests is an
indication that there might be a security risk.

Because buffer overflow bugs might crash the device or cause a seg fault, these
tests might fail and then stop running. For this reason, you cannot assume that
your device is passing all of the tests if you don't see FAIL in the
output. Instead, you should look for a summary at the end of the test suite
output saying that all the tests passed.  See the README.md in oemcrypto/test
for more details.


## [Version 16.4][v16.4]

Public release for OEMCrypto API and ODK library version 16.4.



[v16.4]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v16.4
[v16.4+extra-test]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v16.4+extra-tests
[v16.4+doc-updates]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v16.4+doc-updates
[v16.4+opk-beta]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v16.4+opk-beta
[v16.4+opk-beta2]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v16.4+opk-beta2
[v17-initial-release]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17-initial-release
[v17+test-updates+opk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk
[v17+test-updates+opk+mk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk+mk
[v17.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1