Any Widevine L1 development or workarounds yet?
Posted by BigBig5@reddit | linux | 62 comments
Since most major streaming platforms now require Widevine L1 for HD or 4K playback, I’m wondering if there have been any developments toward enabling true L1 support on Linux. Also, are there any known methods or workarounds that are official or unofficial that allow users to bypass the L1 requirement entirely on Linux systems, rather than just settling for L3 fallback or relying on alternate devices like streaming devices, Android, Apple devices, or Windows.
UNF0RM4TT3D@reddit
If I'm not mistaken L1 needs hardware signing through the entire chain, which would require a signed kernel, secure boot, Chrome, and the compositor (X11 is completely out of the question) would have to ensure that no recording can take place, and I almost forgot that HDCP needs to also be verified.
friciwolf@reddit
Actually, I believe we have the best chance of Widevine L1 support on "mainstream" Linux via the newly announced Steam Machine running SteamOS due to the latter being an immutable distro.
But I could be mistaken.
Ieris19@reddit
Couldn’t the “recorder” just pretend to be a monitor? Once video signal is out of the PC I don’t see why firmware on the “screen” can’t record it instead of displaying it on pixels on a screen
RPGcraft@reddit
That's called a capture card. You can find an HDMI one with decent quality for about $10-20. However, you need one with HDCP support to actually fool the worst of DRMs.
Ieris19@reddit
Do monitors need to support HDCP too? I use many older monitors and never had an issue
UNF0RM4TT3D@reddit
Well yes, that's how they used to do it with Blu-ray (before MakeMKV). Basically all of the DRM mechanisms have already been cracked, the industry just pretends it's not.
Krunch007@reddit
Interesting. I have gone through the process of setting up secure boot, signing the bootloader, kernel, etc. How would one go about signing a browser executable or compositor? Same principle?
But also, the keys enrolled in secure boot are personal generated keys. I doubt it would just work like that, probably need keys from an authority right?
UNF0RM4TT3D@reddit
Well that's where the industry fails us, you don't. Whilst I didn't specify it, the signing would have to probably be done by Google, so have a Google signed chain, since widevine is Google's fault. Also currently there's no compositor which can do DRM (digital rights management) content or afaik HDCP either (don't quote me on this one).
Although there are set top boxes running on Linux that can do Widevine. But these use drm (direct rendering manager) to draw it and the whole image is signed.
ScratchHistorical507@reddit
At least Weston does support HDCP, but beyond that only whatever compositor ChromeOS uses supports HDCP (and for all I know ChromeOS should support L1). But even if they all did, there isn't any protocol (and most likely no plans for one) to handle the digital rights management. And even then, I only know that Google submitted patches to the Linux Kernel for that support back in 2023, but no idea if that was ever merged.
elmagio@reddit
And all that is for nothing too since every single piece of content that gets uploaded to streaming services still gets ripped in near source quality as soon as it's out. Just punishing people who are actually subscribed to those services without hurting pirates in the slightest.
UNF0RM4TT3D@reddit
I'm not saying it's effective. But large media companies' shareholders won't jump onto something that doesn't have anything, and the companies themselves are too lazy to try something else.
alexforencich@reddit
Not possible, but not for any technical reason. These DRM systems require handing over the keys to your system to a major corporation like Microsoft. Secure boot and signature verification at every step using vendor keys, and potentially enabling features like SGX. So you'd basically have to turn your Linux box into a Windows or Mac box. Or possibly a Chromebook. Maybe a company like Canonical could do it if they really wanted to, but it would require locking everything down and taking away the ability to run whatever you want and tinker with the kernel and such.
ScratchHistorical507@reddit
I doubt very much Widevine has anything to do with secure boot and their signatures, it may not even be a requirement. You need dedicated signatures from Google of every piece of software in that pipeline, so testing for secure boot additionally wouldn't make much sense, it would simply stop working when you swap out some software. That's why only Chrome and some Chromium browsers are capable of playing L1.
alexforencich@reddit
How else would they enforce signature verification without secure boot? If you can run whatever software you want, you can modify the verifier, and then the signatures are pointless.
ScratchHistorical507@reddit
Why does the BIOS have to verify the signatures when the program playing back the content - or maybe just some framework of Windows - needs to check every part of the chain either way, which is far more than just the signed bootloader?
alexforencich@reddit
How do you ensure windows itself hasn't been tampered with, and that it's actually doing the signature validation correctly?
ScratchHistorical507@reddit
If it had been tampered with, its own signature wouldn't match already. But in the end it's not impossible that Windows itself may disallow access to the infrastructure needed for L1 support if you disable Secure Boot, I can't speak on that. You'd have to install a modified Windows 11 image where you disabled the requirement for Secure Boot, test out if you can use L1 with Secure Boot enabled, and then disable it and see if it disables L1 support.
alexforencich@reddit
If it has been tampered with, then it can lie about its signature, that's the whole point.
ScratchHistorical507@reddit
Not how signatures work. You can't lie about signatures, either they can be verified or not. There is no third option.
alexforencich@reddit
Well, you can interfere with the verification process. Compute the signature for the original unmodified file, or present different file contents for execution and for verification. Secure boot and hardware root of trust are the only options to prevent this.
ScratchHistorical507@reddit
This is not possible. Please refrain from spreading your lack of knowledge any further. Thanks.
alexforencich@reddit
Lots of stuff is possible with a kernel mode driver, hypervisor, emulator, or otherwise tampering with the OS. Read up on how, say, a root kit can hide itself by hooking operating system API calls and then "removing" itself from the process list, filesystem, etc. Yes you can't break the actual cryptography and forge a signature without access to the private key. But unless the verification is done inside SGX with secure remote attestation or you have an unbroken verification chain from secure boot with vendor keys, it will always be possible to either patch out the check or to fake out the verification process by "hiding" the patch from the verifier.
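The two attacks alexforencich describes above (serving different bytes to the verifier and to the loader, and patching the verifier itself) can be shown in a few lines. This is an added example, not code from the thread or from Widevine; the vendor key, the `Store` abstraction and the "binary" strings are constructed stand-ins, and Ed25519 is used only because it is in Go's standard library, not because any DRM scheme uses it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vendor key pair, generated fresh each run (assumption: in a real chain the
// public half is baked into firmware/TEE and the private half stays with the vendor).
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// Artifact is a "binary" plus the vendor's signature over it.
type Artifact struct {
	Code []byte
	Sig  []byte
}

func Sign(code []byte) Artifact {
	return Artifact{Code: code, Sig: ed25519.Sign(vendorPriv, code)}
}

// Verify is the cryptographic check. On its own it is sound: changed bytes fail
// and Sig cannot be forged without vendorPriv. It is a package variable only so
// the example can show it being patched out.
var Verify = func(pub ed25519.PublicKey, code, sig []byte) bool {
	return ed25519.Verify(pub, code, sig)
}

// Store is "the OS's file read", used by both the verifier and the loader.
type Store interface {
	ReadForVerify() Artifact
	ReadForExec() []byte
}

// HonestStore returns the same bytes to everyone.
type HonestStore struct{ A Artifact }

func (h HonestStore) ReadForVerify() Artifact { return h.A }
func (h HonestStore) ReadForExec() []byte     { return h.A.Code }

// SplitViewStore models a kernel driver, hypervisor or rootkit hook that serves
// the pristine signed bytes to whoever verifies and patched bytes to whoever
// executes. The signature still checks out; the patch still runs.
type SplitViewStore struct {
	Original Artifact
	Patched  []byte
}

func (s SplitViewStore) ReadForVerify() Artifact { return s.Original }
func (s SplitViewStore) ReadForExec() []byte     { return s.Patched }

var ErrBadSignature = errors.New("signature does not verify")

// LoadTOCTOU is the weak loader: verify one read, execute a second read.
func LoadTOCTOU(pub ed25519.PublicKey, st Store) ([]byte, error) {
	a := st.ReadForVerify()
	if !Verify(pub, a.Code, a.Sig) {
		return nil, ErrBadSignature
	}
	return st.ReadForExec(), nil // runs whatever the OS hands back now
}

// LoadPinned closes the split-view hole by executing exactly the buffer it
// verified. It still trusts that Verify itself is intact.
func LoadPinned(pub ed25519.PublicKey, st Store) ([]byte, error) {
	a := st.ReadForVerify()
	if !Verify(pub, a.Code, a.Sig) {
		return nil, ErrBadSignature
	}
	return a.Code, nil
}

// PatchOutVerifier is the attack that survives LoadPinned: with control of the
// OS, overwrite the checking code. Only a chain in which the verifier's own
// bytes are checked by something the attacker cannot modify (secure boot from a
// hardware root, or a TEE with remote attestation) rules this out.
func PatchOutVerifier() {
	Verify = func(ed25519.PublicKey, []byte, []byte) bool { return true }
}

func RestoreVerifier() {
	Verify = func(pub ed25519.PublicKey, code, sig []byte) bool {
		return ed25519.Verify(pub, code, sig)
	}
}

func main() {
	orig := Sign([]byte("decrypt-frame-and-display"))
	patched := []byte("decrypt-frame-and-write-to-disk")
	got, err := LoadTOCTOU(vendorPub, SplitViewStore{Original: orig, Patched: patched})
	fmt.Printf("TOCTOU loader, split view:       err=%v ran patched=%v\n", err, bytes.Equal(got, patched))
	got, err = LoadPinned(vendorPub, SplitViewStore{Original: orig, Patched: patched})
	fmt.Printf("pinned loader, split view:       err=%v ran patched=%v\n", err, bytes.Equal(got, patched))
	PatchOutVerifier()
	got, err = LoadPinned(vendorPub, HonestStore{A: Artifact{Code: patched, Sig: orig.Sig}})
	fmt.Printf("pinned loader, verifier patched: err=%v ran patched=%v\n", err, bytes.Equal(got, patched))
	RestoreVerifier()
}
```

The point the code makes is the one in the comment: the signature math is never broken, yet in two of the three runs the patched code executes, and the second hole can only be closed from outside the software the attacker controls.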
ScratchHistorical507@reddit
Literally why Widevine L1 requires the presence of a secure execution environment, fully negating anything you're trying to sell off as facts here.
alexforencich@reddit
Right, SGX is controlled by Intel, not by the user. Which is exactly my point - you need to give up control of your system at the hardware level for this kind of DRM scheme to work.
ScratchHistorical507@reddit
No, your point was that you need secure boot. Absolutely nowhere is this a requirement. For years basically every processor came out with some kind of secure execution environment, so not really an argument.
alexforencich@reddit
The point is you need to give up control of your system, either via secure boot or something like SGX. Which is rather counter to the whole point of Linux, where the user has control of their own system.
ScratchHistorical507@reddit
Worst case with the TPM. Also, I never claimed that you won't need some kind of secured execution environment. But that changes absolutely nothing about the user still being in control. You just proved that yourself by just disabling SGX.
alexforencich@reddit
TPM isn't a substitute for a secure execution environment, it just does the cryptography. Without the secure execution environment or secure boot, you can just lie to the TPM by feeding it different hashes.
And yes you can disable SGX and secure boot, but then these DRM schemes will refuse to run. So you have to choose: do you want control of your system, or do you want to watch Netflix, etc.
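The claim above that a TPM "just does the cryptography" and can be fed different hashes is easiest to see by replaying a measured boot. This is an added example, not code from the thread or any vendor: the PCR extend rule is the real one (SHA-256 of the old PCR concatenated with the new digest), but the stages, their byte contents and the notion of a "root measurer" are constructed to make the argument concrete.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Measurer reports the digest of the stage about to run next. An honest one
// hashes the real bytes; a lying one reports whatever it likes.
type Measurer func(next Stage) [32]byte

// Stage is one link in the boot chain. Measure is how this stage reports the
// FOLLOWING stage to the TPM before jumping to it.
type Stage struct {
	Name    string
	Code    []byte
	Measure Measurer
}

func Digest(b []byte) [32]byte { return sha256.Sum256(b) }

// HonestMeasurer hashes the bytes it is actually about to execute.
func HonestMeasurer(next Stage) [32]byte { return Digest(next.Code) }

// LyingMeasurer is a patched stage: it extends a precomputed "golden" digest
// no matter what it really loads.
func LyingMeasurer(golden [32]byte) Measurer {
	return func(Stage) [32]byte { return golden }
}

// Extend is TPM2_PCR_Extend: PCR' = SHA-256(PCR || digest). The TPM hashes
// what it is handed; it cannot see which code actually runs.
func Extend(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// Boot replays a measured boot. root is the first measurer (the CRTM, which on
// a real PC sits in ROM/firmware); stages[0] is the bootloader, stages[1] the
// kernel. Returns the final PCR value an attester would see.
func Boot(root Measurer, stages []Stage) [32]byte {
	var pcr [32]byte
	if len(stages) == 0 {
		return pcr
	}
	pcr = Extend(pcr, root(stages[0]))
	for i := 0; i+1 < len(stages); i++ {
		pcr = Extend(pcr, stages[i].Measure(stages[i+1]))
	}
	return pcr
}

// Attest is the DRM side: release the content key only if the PCR matches the
// golden value recorded for the vendor-approved chain.
func Attest(golden, pcr [32]byte) bool { return golden == pcr }

// Constructed stand-ins for real binaries.
var (
	origBoot   = []byte("bootloader v1")
	origKernel = []byte("kernel v1 (protected output path intact)")
	evilKernel = []byte("kernel v1 (output path patched to dump frames)")
)

// Golden: untampered chain measured honestly from hardware.
func Golden() [32]byte {
	return Boot(HonestMeasurer, []Stage{
		{Name: "boot", Code: origBoot, Measure: HonestMeasurer},
		{Name: "kernel", Code: origKernel},
	})
}

// TamperedKernelHonestBoot: only the kernel is swapped; the honest bootloader
// measures what it loads, so the PCR changes and attestation fails.
func TamperedKernelHonestBoot() [32]byte {
	return Boot(HonestMeasurer, []Stage{
		{Name: "boot", Code: origBoot, Measure: HonestMeasurer},
		{Name: "kernel", Code: evilKernel},
	})
}

// LyingBootHardwareRoot: the bootloader is patched to extend the golden kernel
// digest, but the hardware CRTM measures the patched bootloader itself, so the
// PCR still changes.
func LyingBootHardwareRoot() [32]byte {
	lying := append(append([]byte{}, origBoot...), []byte(" +pcr-spoof")...)
	return Boot(HonestMeasurer, []Stage{
		{Name: "boot", Code: lying, Measure: LyingMeasurer(Digest(origKernel))},
		{Name: "kernel", Code: evilKernel},
	})
}

// LyingBootNoHardwareRoot: same patched chain, but the first measurement is also
// attacker-controlled (no hardware root of trust). Every digest fed to the TPM
// is the golden one, so attestation passes while the patched kernel runs.
func LyingBootNoHardwareRoot() [32]byte {
	lying := append(append([]byte{}, origBoot...), []byte(" +pcr-spoof")...)
	return Boot(LyingMeasurer(Digest(origBoot)), []Stage{
		{Name: "boot", Code: lying, Measure: LyingMeasurer(Digest(origKernel))},
		{Name: "kernel", Code: evilKernel},
	})
}

func main() {
	g := Golden()
	fmt.Println("golden PCR prefix:", hex.EncodeToString(g[:8]))
	fmt.Println("tampered kernel, honest boot:", Attest(g, TamperedKernelHonestBoot()))
	fmt.Println("lying boot, hardware CRTM:   ", Attest(g, LyingBootHardwareRoot()))
	fmt.Println("lying boot, no hardware CRTM:", Attest(g, LyingBootNoHardwareRoot()))
}
```

The last scenario is the "lie to the TPM" case: the TPM faithfully computed every extend, but nothing it computed describes the code that ran, because the first link in the chain was software the attacker already owned. Whether a given platform actually lets that first link be attacker-controlled is exactly the secure-boot/root-of-trust question being argued in the thread.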
Professional-Disk-93@reddit
You might not like it, but this is what peak media consumption looks like: https://thepiratebay.org/
douggle@reddit
TPB lol, ya I don't like DMCA letters. Don't use public trackers.
archiekane@reddit
Do use VPN or Usenet instead.
douggle@reddit
Or I could just avoid public trackers
maqbeq@reddit
Or use a Debrid provider and forget about VPN and the like and just DDL (or stream if you prefer)
Obnomus@reddit
Stremio is a great option too, like if you wanna sign in with your subscription then you can, but the better option is always there.
natermer@reddit
When you have friends over, they want to watch something, and ask you:
"What service subscriptions do you have?"
The only proper answer is:
"None of them and all of them. What do you want to watch?".
My personal feelings are that if I use a service I'll pay for it. It is only right. However I am not going to tolerate installing their shitty spyware or giving them control over my firmware in order to do it.
To be a corporate victim requires two parties. I choose "No".
TheOneTrueTrench@reddit
What service subscriptions do you have?
> Seagate and Western Digital.
When they are confused, I show them the 42U rack.
Literallyapig@reddit
pirate bay is not well-moderated (not even skull users can be trusted) and should not be used. While I doubt you could get malware by downloading video files, there are much better alternatives including ones with DDLs, which many people prefer for convenience. I recommend you access fmhy, it's a megathread that's constantly updated and well-moderated and includes resources not only for pirated movies but for anything else really :D
githman@reddit
I have nothing against that other site you mentioned (and saved the link in case I need an alternative) but I've been using TPB for 20 years with zero issues. Not in any way related to its admins, mods, whatever; just a regular user giving credit where credit is due. Arrgh.
Gotxi@reddit
Waterfox has widevine license. I can watch Netflix, HBO and others in any Operating System, not only because of the free linux pass.
arthursucks@reddit
Amazon limited to 480p and Peacock nothing.
MatchingTurret@reddit
In 4K? I doubt that...
Gotxi@reddit
Ok, I see, it has a license but only supports L3, not L1. I can see videos at 1080p but no more than that. I cannot confirm it because I don't have a 4K subscription.
nightblackdragon@reddit
Widevine L1 is basically impossible to support on open platforms like Linux.
ScratchHistorical507@reddit
Not impossible, ChromeOS is doing it for all I know. But simply undesired. From both sides.
Ieris19@reddit
It’s virtually impossible.
From another thread, you’d need secure boot, signed kernel and even compositor and browser, and they would have to be trusted keys by Widevine so probably Google has to do it, and then distribute the signed binaries or something like that.
ChromeOS is much like Android, it technically is the Linux kernel underneath, but it’s still a platform supported by big tech, that isn’t often installed on custom hardware, where Google still has a great deal of control over hardware and software and whatnot.
The problem is not the “open” platform, is support and control
ScratchHistorical507@reddit
Literally not, just nobody wants to do it, as nobody wants to give Google all the control, and it's probably very expensive.
It's not a requirement, merely the simplest solution.
It's owned by the makers of Widevine, that's all. And there isn't really anything custom about their hardware.
Ieris19@reddit
Again, no one said you need custom hardware, or that it isn’t possible.
The issue is no matter how hard you try, Google can never control a platform that runs on supercomputers like it runs on toasters the way they control ChromeOS.
You simply can’t control Linux like that, and it’s all about control and support
kombiwombi@reddit
Widevine L1 is deliberately designed to be very difficult to reverse engineer. Which is why it has not been.
You've basically got to break Intel's trusted execution environment.
Of course there is no shortage of inconvenient ways of capturing the output, you can pick up the necessary HDMI chip from any e-waste pallet. Criminals then on-sell these, and they eventually make their way to the free pirate sites with no DRM or regional locking.
Literallyapig@reddit
widevine l1 differs in its use of the TEE (trusted execution environment) for video decryption (in contrast to l1 that uses software only), a region of the processor that forbids external actors from reading data or replacing code running there, so you'd need, at minimum, a processor with some sort of exploitable TEE.
breaking l1 is practically impossible for people that aren't in the scene, and even then not everyone can do it. idk the exacts of why it doesn't work under linux to begin with, but your best bet is, funny enough, consuming pirated media instead. the megathread is extremely well-moderated (no malicious links) and has links to not only movies but to anything else if you need :D.
WSuperOS@reddit
drm sucks anyway,
https://www.defectivebydesign.org/
it's not effective (movie piracy still very much exists), it only hurts paying customers, it is non-free in 99% of the cases, it consumes hardware resources that could be used elsewhere and forces you to use specific hardware, OS and even browser in order to make use of it.
it is the play integrity of media content, it sucks.
however, i can see why people have to put up with drm to use streaming services. It sucks nonetheless though, i'd rather buy blurays and rip them :)
anotheridiot-@reddit
https://phrack.org/issues/71/6#article and piracy.
ScratchHistorical507@reddit
Any DRM system is defective by design. If you can view protected content, it can be copied, simple as that.
silentjet@reddit
pretty much every modern TV, including Smart ones, is running linux. Typically, internally DirectFB or Wayland (try to guess why there are "community ask for Wayland" and "X11 is too old" statements flying around), or some proprietary ones are used. Plus some hw level tricks which are interfaced via blob drivers. And all of that later is being certified and secured via signing and chain-of-trust loading... Nothing new, servers have been using this tech for at least 20 years, smartphones for 15 years, cars for 10 years, TVs and watches for 5 years...
ScratchHistorical507@reddit
I doubt anything of this is true. Some TVs are running a version of Android, which never supported X11 or Wayland, or Tizen, which does support both, but it's questionable if that's even used here, or Titan OS with an unknown compositor, or VIDAA OS with the same, or any number of non-wayland/x11 systems. Only on LG TVs with WebOS are you using Wayland, but that's not what you'll be using on the desktop.
Those have nothing to do with TVs whatsoever.
Tanglesome@reddit
It's a proprietary digital rights management (DRM) system. We'll never see native Widevine L1 in Linux. And, since L1's tied to hardware, you can't even implement it via a Blob, the way you can with Widevine L3.
RAMChYLD@reddit
Technically tho, Android and ChromeOS run Linux and get L1.
So it is possible. Just not with general desktop distros.
mrvictorywin@reddit
I don't think ChromeOS has L1, can you point out any service that supports 4K HDR on ChromeOS?
Scheeseman99@reddit
It does. Netflix notably falls back to L3 but that's a choice Netflix made.
mrvictorywin@reddit
Wow they did implement L1. Still, do you know any streaming service that allows 4K on ChromeOS?
https://www.intel.com/content/www/us/en/developer/articles/news/bring-premium-protected-content-to-chrome-os.html
BigBig5@reddit (OP)
Not all L1 streaming services work in ChromeOS.
mort96@reddit
Your best bet for high quality video playback on hardware you control ... is probably gonna be piracy. In their battle to stop piracy, these absolute geniuses are giving honest consumers literally no other choice than to pirate.