UHD Blu-ray Denies Your Freedom
The UHD (Ultra High Definition, also known as 4K) Blu-ray standard involves several types of restrictions, both at the hardware and the software levels, which make “legitimate” playback of UHD Blu-ray media impossible on a PC with free/libre software.
Companies that restrict your freedom
The main DRM that restricts playback of Blu-ray media is the Advanced Access Content System (AACS). It is developed and enforced by AACS LA, a consortium of megacorporations that want to achieve total control over the distribution and playback of high-definition optical disks. The founding members are IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Walt Disney and Warner Bros.
As it travels across connections, the audio/video data is subjected to the High-bandwidth Digital Content Protection (HDCP) DRM, which is developed by Intel.
Hardware requirements
Playing a UHD Blu-ray disk on a PC requires (1) an AACS-certified optical drive, (2) an Intel CPU made between 2015 and 2022, with integrated graphics (not found in every model) and a number of DRM-imposing or otherwise malicious anti-features, and (3) support for HDCP, the sole purpose of which is to make exact copying of the audio/video stream impossible. Such a computer does not respect users' freedom, and denies them control over it.
- UHD-compatible optical drive
Not only are the technical requirements to read the UHD Blu-ray format very demanding, but the drive needs to be certified by AACS LA. This makes replacement of its firmware with free software impossible.
- Intel SGX
The PC must have an Intel CPU that supports the Intel Software Guard Extensions (SGX). SGX essentially creates a “trusted” execution environment called enclave, which is designed to prevent users from tampering with imposed restrictions. Intel introduced this “feature” in 2015, but deprecated and discontinued it from their mainstream CPUs in 2022, due to a series of reported security vulnerabilities. The playback software will refuse to play a movie if Intel SGX is not enabled in the BIOS, which means your new PC will not play the UHD Blu-ray disk you just purchased.
A group of researchers was able to exploit the security holes in Intel SGX and play a UHD Blu-ray disk without restrictions. However, such exploitation is likely impossible for an average user to accomplish.
- Intel ME
The Intel Management Engine (ME) is also required. If its version is too old, the software will refuse to play. The ME is a proprietary embedded system that resides in every Intel CPU. Users have no control over it; they cannot replace it with a free system nor can they write free software for it. As the CPU cannot boot without the ME, this is the perfect tool for remote access and surveillance through a backdoor.
- Integrated graphics
The Graphics Processing Unit (GPU) must be integrated into the CPU. Why insist on integrated graphics, which is typically less capable than dedicated GPUs? Presumably because the integrated GPU shares the SGX enclave with the CPU, thereby minimizing the chances that users will access and copy audio/video data.
- HDCP compliance
The integrated GPU, monitor and audio/video cable must support HDCP 2.2 over the HDMI 2.0a/DisplayPort 1.3 interface, and be HDCP-certified. One of the requirements is that the monitor should be unable to record the audio/video stream, except in a very degraded form.
HDCP authenticates the two devices and encrypts the stream between them. It can also revoke the keys of devices that have been “compromised” (i.e., that users have liberated).
The AACS DRM
AACS is a set of cryptographically complex standards for encrypting high-definition media and restricting their playback, which currently applies to HD DVD, Blu-ray, and UHD Blu-ray disks. The flavor of AACS used by UHD Blu-ray further attacks users' freedom (and possibly privacy) by forcing them to connect to a company server to download the decryption keys.
Decryption proceeds in several steps, the first one being the mutual authentication of the player and optical drive to make sure they both carry valid certificates, issued by AACS LA. This organization can arbitrarily revoke certificates, making the affected devices or software unusable with AACS-restricted media.
But the worst blow to users' freedom is that certification requires the developers of software players to sign a license agreement that prohibits free sofware.
- The Adopter Agreement
While regular Blu-ray disks are encrypted with AACS 1.0, UHD Blu-ray disks are encrypted with AACS 2.0 or 2.1. Unlike version 1.0, versions 2.0 and 2.1 of the specifications are unpublished, and the developers can only obtain them after signing a license agreement with AACS LA, and paying huge “administrative” fees ($25,000 per year in 2009 according to Exhibit B of the AACS 1 Adopter Agreement).
More importantly, the agreement is incompatible with the freedom to study how the program works and change it (freedom 1), and therefore prohibits free software. See for example this excerpt from Section 7 (our emphasis):
Such implementation shall:
7.6.4.1. Comply with Section 7.4 above […], provided further that maintaining confidentiality of Device Keys […] shall be implemented by a reasonable method that effectively and uniquely associates those values with a single device […] and that effectively isolates those values from exposure by mere use of programming instructions or data […]; and, in addition, in every case of implementation in Software, using techniques of obfuscation clearly designed to effectively disguise and hamper attempts to discover the approaches used; and
7.6.4.2. Be designed so as to perform or ensure checking of the integrity of its component parts such that unauthorized modifications will be expected to result in a failure of the implementation to provide the authorized authentication and/or decryption function. […] - Disabling the player
If the player certificate has been “compromised” according to AACS LA, this organization issues a revocation certificate, which is burned into all new UHD Blu-ray disks as part of a list of all the revocation certificates issued so far. When playback of a new disk is attempted, the revocation list is automatically loaded into the drive firmware, and from then on, the drive refuses to interact with the newly revoked player; it becomes impossible to play AACS-restricted disks, old ones as well as new ones. This method is also used by AACS 1.0 for regular Blu-ray disks. What a nice backdoor in the drive firmware! This is reminiscent of the Orwellian erasure of 1984 from users' Swindles by Amazon.
- Tethering
UHD Blu-ray actually uses an “enhanced” flavor of AACS 2.0/2.1 that does not allow shipping encryption keys with certified playback software. Instead, the keys must be downloaded from a remote server. This makes repeated updates and internet connections a requirement if the user purchases several UHD Blu-ray disks over time. Moreover, fetching the encryption keys from a remote server that users have no control over exposes the user's viewing history.
In short, the UHD Blu-ray standard is fundamentally incompatible with user freedom. Therefore, we need to take action to defend this freedom: we must boycott media, services, and players that implement AACS or other forms of DRM, and call for legislation to prohibit these.