Widevine DRM Security Levels

Trusted Execution Environment (TEE)

The Trusted Execution Environment (TEE) is an essential component within a primary processor, designed to safeguard code and data against unauthorized access and ensure their confidentiality and integrity. In the realm of Digital Rights Management (DRM), TEE plays a pivotal role in enhancing security measures, particularly in the protection of decryption keys and the prevention of video content leaks.

Widevine DRM Security Levels Explained

Google's Widevine DRM technology offers three distinct security levels — L1, L2, and L3 — each designed to cater to different requirements of content protection. These levels are critical in determining the quality of content that can be securely streamed and accessed on various devices.

L1 Security Level

L1 represents the highest level of security provided by Widevine. It mandates that devices meet specific L1 security criteria to stream High Definition (HD) content.

All operations involving video rendering, hardware-level decryption, and content decoding are executed within the Trusted Execution Environment. This level is crucial for Over-The-Top (OTT) platforms, such as Netflix and Amazon Prime Video, which restrict HD content playback to devices certified with L1 security. The primary advantage of L1 is its ability to entirely prevent screen captures by mobile applications.

Devices and platforms that typically support L1 include:

  • Android apps
  • Samsung and LG Smart TVs
  • Android TV
  • Fire TV

L2 Security Level

The L2 security level involves content decoding and rendering through a secure hardware component or a protected co-processor.

Media decryption occurs within the TEE, and security keys and decrypted media remain inaccessible to the host CPU. Note that L2 is not designed for mobile device applications.

L3 Security Level

L3 is a software-only security solution, providing the lowest tier of Widevine's DRM security.

Decryption processes are handled in a software Content Decryption Module (CDM), without the benefit of TEE. Due to its minimal security provisions, devices operating at L3 are often restricted from accessing HD video content by content providers.

Important: A notable exception in Widevine DRM support is found with desktop browsers like Chrome and Firefox on Windows or macOS, which only support the L3 security level, employing software-based DRM mechanisms.

Supporting Widevine Levels Across Devices

Most environments, including various smart TVs, Android devices, and Fire TV, are capable of supporting the L1 level, ensuring broad compatibility for HD content streaming. However, specific desktop browsers such as Chrome and Firefox are limited to the L3 level, reflecting the varied landscape of device capabilities and DRM requirements.

Custom Settings for Content Distribution

Bunny Stream MediaCage Enterprise DRM uniquely supports all three Widevine security levels (L1-L3) by default. Additionally, it offers customizable settings that allow content distributors to restrict HD content from being distributed to L3 clients, thereby safeguarding against potential content leakage. These settings can be adjusted via the Stream API or through direct contact with Support services.
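
How a web player can find out which level a browser offers and cap its rendition list to match, as an added example that is not Bunny Stream or Widevine code. The robustness-to-level mapping, the 576-pixel SD cutoff, and the rule that only L1 receives HD are assumptions of this example.

```javascript
// EME robustness strings accepted by Widevine, strongest first, paired with
// the security level each is commonly taken to correspond to (assumption).
const ROBUSTNESS_TO_LEVEL = [
  ['HW_SECURE_ALL', 'L1'],
  ['HW_SECURE_CRYPTO', 'L2'],
  ['SW_SECURE_CRYPTO', 'L3'],
];

// Assumed policy: renditions taller than this count as HD.
const SD_MAX_HEIGHT = 576;

// Request Widevine at each robustness, strongest first, and report the first
// level the browser grants. `requestAccess` is injected so the logic can run
// outside a browser; in a page, pass
// navigator.requestMediaKeySystemAccess.bind(navigator).
async function probeWidevineLevel(requestAccess) {
  for (const [robustness, level] of ROBUSTNESS_TO_LEVEL) {
    const config = [{
      initDataTypes: ['cenc'],
      videoCapabilities: [{
        contentType: 'video/mp4; codecs="avc1.42E01E"',
        robustness,
      }],
    }];
    try {
      await requestAccess('com.widevine.alpha', config);
      return level;
    } catch (e) {
      // Rejected (e.g. NotSupportedError): try the next weaker robustness.
    }
  }
  return null; // Widevine is not available at any robustness
}

// Cap the rendition ladder for a level. Only L1 gets the full ladder; L2, L3
// and unrecognized values get SD only (fail closed); no Widevine gets nothing.
function allowedRenditions(level, ladder) {
  if (level === null) return [];
  if (level === 'L1') return ladder;
  return ladder.filter((r) => r.height <= SD_MAX_HEIGHT);
}
```

The probe result is only a hint for choosing renditions in the player. Enforcement belongs in the license policy on the server, because a value computed in the page can be altered by the client.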