Using the OPM DDI

The Microsoft DirectX graphics kernel subsystem (Dxgkrnl.sys) uses the OPM DDI to create OPM protected outputs, destroy OPM protected outputs, get certificates, configure protected outputs, get information about protected outputs, and get information about the graphics adapter. The DirectX graphics kernel subsystem gets pointers to the OPM DDI functions when it calls the display miniport driver's DxgkDdiQueryInterface function to query for the interface that is identified by GUID_DEVINTERFACE_OPM and DXGK_OPM_INTERFACE_VERSION_1.

The following sequence describes how the OPM DDI is typically used to create, manipulate, and destroy OPM protected outputs:

  1. The DirectX graphics kernel subsystem calls the DxgkDdiOPMCreateProtectedOutput function to create an OPM protected output. An OPM protected output always corresponds to exactly one physical video output. DxgkDdiOPMCreateProtectedOutput returns a handle to the newly created output.

  2. The DirectX graphics kernel subsystem calls the DxgkDdiOPMGetCertificateSize and DxgkDdiOPMGetCertificate functions to get the display miniport driver's OPM certificate or COPP certificate and its size.

    Note

    DxgkDdiOPMCreateProtectedOutput, DxgkDdiOPMGetCertificateSize, and DxgkDdiOPMGetCertificate are the only OPM DDI functions that the DirectX graphics kernel subsystem does not pass a protected output handle to.

  3. The DirectX graphics kernel subsystem calls the DxgkDdiOPMGetRandomNumber function to get the protected output's random number.

  4. The DirectX graphics kernel subsystem passes a 256-byte buffer in a call to the DxgkDdiOPMSetSigningKeyAndSequenceNumbers function. The buffer contains data that is encrypted with one of the display miniport driver's public keys. For more information about public keys, download the Output Content Protection document from the Output Content Protection and Windows Vista website.

    The public key that is used depends on the semantics of the protected output. The public key in the display miniport driver's OPM certificate is used if the protected output has OPM semantics. The public key in the display miniport driver's COPP certificate is used if the protected output has COPP semantics. The encryption scheme that is used to encrypt the data also depends on the protected output's semantics. The data is encrypted with the standard RSA algorithm if the protected output has COPP semantics and with the RSAES-OAEP encryption scheme if the protected output has OPM semantics. For information about RSA, AES, and RSAES-OAEP, see the RSA Laboratories website.

    The display miniport driver uses the appropriate private key and decryption method to decrypt the data. A random number, two random sequence numbers, and a 128-bit AES key are in the decrypted data. The display miniport driver ensures that the random number matches the random number that the driver returned when its DxgkDdiOPMGetRandomNumber function was called. The driver then stores the two sequence numbers and the 128-bit AES key.

  5. The DirectX graphics kernel subsystem can now call the DxgkDdiOPMGetInformation or DxgkDdiOPMGetCOPPCompatibleInformation function to get information from a protected output. The DirectX graphics kernel subsystem can also call DxgkDdiOPMConfigureProtectedOutput to configure a protected output. DxgkDdiOPMGetInformation can be called only if the output has OPM semantics and DxgkDdiOPMGetCOPPCompatibleInformation can be called only if the output has COPP semantics. Typically, the DirectX graphics kernel subsystem calls DxgkDdiOPMGetInformation or DxgkDdiOPMGetCOPPCompatibleInformation to get information about the output and then calls DxgkDdiOPMConfigureProtectedOutput one or more times to configure the output. Then, the DirectX graphics kernel subsystem calls DxgkDdiOPMGetInformation or DxgkDdiOPMGetCOPPCompatibleInformation again. The DirectX graphics kernel subsystem can get the following types of information by calling DxgkDdiOPMGetInformation or DxgkDdiOPMGetCOPPCompatibleInformation:

    The DirectX graphics kernel subsystem can change the following settings by calling DxgkDdiOPMConfigureProtectedOutput:

    • The current protection level of one of the output's protection types. For example, DxgkDdiOPMConfigureProtectedOutput can enable or disable HDCP and can turn off ACP protection or change the current ACP protection level.
    • The current HDCP SRM that the protected output uses.
    • The current signaling standard that the protected output uses. This change can be done only if the output has COPP semantics.

  6. The DirectX graphics kernel subsystem calls DxgkDdiOPMDestroyProtectedOutput when it finishes using the protected output object.
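The driver-side check in step 4 and the ordering of steps 3 to 5, modeled in portable C as an added example (not Microsoft's or any driver's code). It starts from the already-decrypted data; all type and function names are hypothetical, and the field sizes other than the 128-bit AES key are assumptions, since this page does not give them.

```c
#include <stdint.h>
#include <string.h>

/* Assumed plaintext layout (the sizes of the random number and the sequence
   numbers are not stated on this page): RN, two sequence numbers, AES key. */
enum { RN_LEN = 16, KEY_LEN = 16 };
typedef struct {
    uint8_t  rn[RN_LEN];
    uint32_t status_seq, command_seq;
    uint8_t  aes_key[KEY_LEN];
} init_plaintext;                     /* hypothetical name */

typedef enum { OUT_CREATED, OUT_RN_ISSUED, OUT_KEYED } out_state;
typedef struct {
    out_state state;
    uint8_t   rn[RN_LEN];
    uint32_t  status_seq, command_seq;
    uint8_t   aes_key[KEY_LEN];
} protected_output;                   /* hypothetical per-output driver state */

/* Compare every byte with no early exit, so timing does not leak
   how many leading bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Step 3: remember the random number handed back to the caller. */
void output_issue_rn(protected_output *o, const uint8_t rn[RN_LEN]) {
    memcpy(o->rn, rn, RN_LEN);
    o->state = OUT_RN_ISSUED;
}

/* Step 4, after decryption: returns 0 when keys are stored, -1 on rejection. */
int output_set_keys(protected_output *o, const init_plaintext *p) {
    if (o->state != OUT_RN_ISSUED) return -1;       /* out of order, or repeated (this model's choice) */
    if (!ct_equal(o->rn, p->rn, RN_LEN)) return -1; /* random number mismatch */
    o->status_seq = p->status_seq;
    o->command_seq = p->command_seq;
    memcpy(o->aes_key, p->aes_key, KEY_LEN);
    o->state = OUT_KEYED;
    return 0;
}

/* Step 5 gate in this model: query and configure calls need stored keys. */
int output_ready(const protected_output *o) { return o->state == OUT_KEYED; }

int main(void) {
    protected_output o = {0}; init_plaintext p = {0};  /* constructed sample data */
    output_issue_rn(&o, p.rn);
    return output_set_keys(&o, &p) == 0 && output_ready(&o) ? 0 : 1;
}
```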