* [PATCH] dt-bindings: Add Google Widevine initialization parameters @ 2023-09-08 10:15 Yi Chou [not found] ` <20230908101539.2622864-1-yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 5+ messages in thread From: Yi Chou @ 2023-09-08 10:15 UTC (permalink / raw) To: robh+dt-DgEjT+Ai2ygdnm+yROfE0A, krzysztof.kozlowski+dt-QSEj5FYQhm4dnm+yROfE0A Cc: devicetree-u79uwXL29TY76Z2rM5mHXA, devicetree-spec-u79uwXL29TY76Z2rM5mHXA, yich-hpIqsD4AKlfQT0dZR+AlfA, jens.wiklander-QSEj5FYQhm4dnm+yROfE0A, chenyian-hpIqsD4AKlfQT0dZR+AlfA, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA, jwerner-F7+t8E8rja9g9hUCZPvPmw, sjg-F7+t8E8rja9g9hUCZPvPmw The necessary fields to initialize the widevine related functions in OP-TEE. Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> --- .../bindings/options/google,widevine.yaml | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 Documentation/devicetree/bindings/options/google,widevine.yaml diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml b/Documentation/devicetree/bindings/options/google,widevine.yaml new file mode 100644 index 0000000000000..bf2b834cb1454 --- /dev/null +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml 
@@ -0,0 +1,124 @@ +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) +%YAML 1.2 +--- +$id: http://devicetree.org/schemas/options/google,widevine.yaml# +$schema: http://devicetree.org/meta-schemas/core.yaml# + +title: Google Widevine initialization parameters. + +maintainers: + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> + +description: + The necessary fields to initialize the widevine related functions in + OP-TEE. This node does not represent a real device, but serves as a + place for passing data between firmware and OP-TEE. + The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can + be ignored because it's safe to pass the public information with the + other methods(e.g. userland OP-TEE plugins). + +properties: + compatible: + const: google,widevine + + hardware-unique-key: + $ref: /schemas/types.yaml#/definitions/uint8-array + description: | + The hardware-unique key of the Widevine OP-TEE. It will be used + to derive the secure storage key. The length should be 32 bytes. + For more information, please reference: + https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key + + tpm-auth-public-key: + $ref: /schemas/types.yaml#/definitions/uint8-array + description: | + The TPM auth public key. Used to communicate the TPM from OP-TEE. + The format of data should be TPM2B_PUBLIC. + For more information, please reference the 12.2.5 section: + https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf + + root-of-trust: + $ref: /schemas/types.yaml#/definitions/uint8-array + description: | + The Widevine root of trust secret. Used to sign the widevine + request in OP-TEE. The length should be 32 bytes. The value + is an ECC NIST P-256 scalar. 
+ For more information, please reference the G.1.2 section: + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf + + root-of-trust-cert: + $ref: /schemas/types.yaml#/definitions/uint8-array + description: | + The X.509 certificate of the Widevine root of trust on this + device. Used to provision the device status with the Widevine + server in OP-TEE. + For more information, please reference: + https://www.itu.int/rec/T-REC-X.509 + +required: + - compatible + - hardware-unique-key + - root-of-trust + +additionalProperties: false + +examples: + - |+ + options { + widevine { + compatible = "google,widevine"; + hardware-unique-key = [ + 12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0 + c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27 + ]; + tpm-auth-public-key = [ + 00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27 + e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81 + b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10 + 00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0 + ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03 + 2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34 + 5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9 + cf fc ab f8 30 e9 de 51 + ]; + root-of-trust = [ + ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb + d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10 + ]; + root-of-trust-cert = [ + 30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11 + 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30 + 0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30 + 0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f + 32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18 + 0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a + 30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35 + 30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 + 2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c + 68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77 + d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e + 85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f + d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30 + 81 d1 30 1a 06 0a 2b 06 
01 04 01 d6 79 02 01 21 + 04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f + 06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30 + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23 + e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af + 0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30 + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 + 12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00 + 00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 + 47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49 + 45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69 + df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce + 6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f + 8b 9f 06 f3 e4 11 bc cd + ]; + }; + }; -- 2.42.0.283.g2d96d420d3-goog ^ permalink raw reply related [flat|nested] 5+ messages in thread
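Review bot: the description in this hunk never states that `hardware-unique-key` and `root-of-trust` are secrets that must not leave the secure world; it only says the public fields "can be ignored". Because the node sits under a generic `options` node with its own `compatible`, a reader will assume it ends up in the same DTB the kernel receives, so the description should say where the node is consumed (the firmware-to-OP-TEE handoff) and that it must be stripped from, or never added to, the device tree handed to the non-secure OS. The fixed 32-byte lengths of `hardware-unique-key` and `root-of-trust` appear only in prose ("The length should be 32 bytes"); express them as `minItems: 32` / `maxItems: 32` so dtschema enforces them, and give `tpm-auth-public-key` and `root-of-trust-cert` an upper bound too. The `root-of-trust` text should also say what the scalar is used for relative to `root-of-trust-cert` (whether the certificate carries the public key corresponding to this private scalar), and "Used to communicate the TPM from OP-TEE" should read "used by OP-TEE to communicate with the TPM" and name the role the key plays in that exchange.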
* Re: [PATCH] dt-bindings: Add Google Widevine initialization parameters [not found] ` <20230908101539.2622864-1-yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> @ 2023-09-17 8:40 ` Krzysztof Kozlowski [not found] ` <2ec056f3-e8a8-c5f3-b132-4b9d2beb616e-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> 2023-09-18 19:42 ` Rob Herring 1 sibling, 1 reply; 5+ messages in thread From: Krzysztof Kozlowski @ 2023-09-17 8:40 UTC (permalink / raw) To: Yi Chou, robh+dt-DgEjT+Ai2ygdnm+yROfE0A, krzysztof.kozlowski+dt-QSEj5FYQhm4dnm+yROfE0A Cc: devicetree-u79uwXL29TY76Z2rM5mHXA, devicetree-spec-u79uwXL29TY76Z2rM5mHXA, yich-hpIqsD4AKlfQT0dZR+AlfA, jens.wiklander-QSEj5FYQhm4dnm+yROfE0A, chenyian-hpIqsD4AKlfQT0dZR+AlfA, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA, jwerner-F7+t8E8rja9g9hUCZPvPmw, sjg-F7+t8E8rja9g9hUCZPvPmw On 08/09/2023 12:15, Yi Chou wrote: > The necessary fields to initialize the widevine related functions in > OP-TEE. > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> > Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > --- > .../bindings/options/google,widevine.yaml | 124 ++++++++++++++++++ > 1 file changed, 124 insertions(+) > create mode 100644 Documentation/devicetree/bindings/options/google,widevine.yaml > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml b/Documentation/devicetree/bindings/options/google,widevine.yaml > new file mode 100644 > index 0000000000000..bf2b834cb1454 > --- /dev/null > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml There is no such hardware as "options". What is this supposed to be for? firmware? 
> @@ -0,0 +1,124 @@ > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) > +%YAML 1.2 > +--- > +$id: http://devicetree.org/schemas/options/google,widevine.yaml# > +$schema: http://devicetree.org/meta-schemas/core.yaml# > + > +title: Google Widevine initialization parameters. This is a title, drop full stop. > + > +maintainers: > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > + > +description: > + The necessary fields to initialize the widevine related functions in > + OP-TEE. This node does not represent a real device, but serves as a > + place for passing data between firmware and OP-TEE. > + The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can > + be ignored because it's safe to pass the public information with the > + other methods(e.g. userland OP-TEE plugins). Then why isn't this a property of optee node? > + > +properties: > + compatible: > + const: google,widevine From the description I have no clue what is "widevine". The more surprising is to see it as "not hardware" but having its node and compatible, like it was a hardware node. > + > + hardware-unique-key: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The hardware-unique key of the Widevine OP-TEE. It will be used > + to derive the secure storage key. The length should be 32 bytes. > + For more information, please reference: > + https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key Why would you store it in DT? This is world readable... or you mean this is some seed? > + > + tpm-auth-public-key: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The TPM auth public key. Used to communicate the TPM from OP-TEE. > + The format of data should be TPM2B_PUBLIC. 
> + For more information, please reference the 12.2.5 section: > + https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf > + > + root-of-trust: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The Widevine root of trust secret. Used to sign the widevine > + request in OP-TEE. The length should be 32 bytes. The value > + is an ECC NIST P-256 scalar. > + For more information, please reference the G.1.2 section: > + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf > + > + root-of-trust-cert: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The X.509 certificate of the Widevine root of trust on this > + device. Used to provision the device status with the Widevine > + server in OP-TEE. > + For more information, please reference: > + https://www.itu.int/rec/T-REC-X.509 > + > +required: > + - compatible > + - hardware-unique-key > + - root-of-trust > + > +additionalProperties: false > + > +examples: > + - |+ Why + ? > + options { There is no such node as "options". Best regards, Krzysztof ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] dt-bindings: Add Google Widevine initialization parameters [not found] ` <2ec056f3-e8a8-c5f3-b132-4b9d2beb616e-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> @ 2023-09-18 4:20 ` Yi Chou [not found] ` <CABOkjxJpcOUyyh9vjRuqrhmd=EdQdnyyuBX-++0R+UdENfqw9A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 5+ messages in thread From: Yi Chou @ 2023-09-18 4:20 UTC (permalink / raw) To: Krzysztof Kozlowski Cc: robh+dt-DgEjT+Ai2ygdnm+yROfE0A, krzysztof.kozlowski+dt-QSEj5FYQhm4dnm+yROfE0A, devicetree-u79uwXL29TY76Z2rM5mHXA, devicetree-spec-u79uwXL29TY76Z2rM5mHXA, yich-hpIqsD4AKlfQT0dZR+AlfA, jens.wiklander-QSEj5FYQhm4dnm+yROfE0A, chenyian-hpIqsD4AKlfQT0dZR+AlfA, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA, jwerner-F7+t8E8rja9g9hUCZPvPmw, sjg-F7+t8E8rja9g9hUCZPvPmw On Sun, Sep 17, 2023 at 4:40 PM Krzysztof Kozlowski <krzysztof.kozlowski-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote: > > On 08/09/2023 12:15, Yi Chou wrote: > > The necessary fields to initialize the widevine related functions in > > OP-TEE. > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> > > Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > > --- > > .../bindings/options/google,widevine.yaml | 124 ++++++++++++++++++ > > 1 file changed, 124 insertions(+) > > create mode 100644 Documentation/devicetree/bindings/options/google,widevine.yaml > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml b/Documentation/devicetree/bindings/options/google,widevine.yaml > > new file mode 100644 > > index 0000000000000..bf2b834cb1454 > > --- /dev/null 
> > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml > > There is no such hardware as "options". What is this supposed to be for? > firmware? These DT fields would not be consumed by the OS. https://www.spinics.net/lists/devicetree-spec/msg01195.html The previous discussion tended to use the "options" node. Do we have any better place for these widevine related fields? 
> > > @@ -0,0 +1,124 @@ > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) > > +%YAML 1.2 > > +--- > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml# > > +$schema: http://devicetree.org/meta-schemas/core.yaml# > > + > > +title: Google Widevine initialization parameters. > > This is a title, drop full stop. Got it, will be fixed in the next patch. > > > + > > +maintainers: > > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > > + > > +description: > > + The necessary fields to initialize the widevine related functions in > > + OP-TEE. This node does not represent a real device, but serves as a > > + place for passing data between firmware and OP-TEE. > > + The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can > > + be ignored because it's safe to pass the public information with the > > + other methods(e.g. userland OP-TEE plugins). > > Then why isn't this a property of optee node? Are you talking about the /firmware/optee node? If I understand correctly, that node was talking about how the kernel communicates with the OP-TEE. But what we are doing here is passing some secrets from trusted firmware into OP-TEE, and the data would not go through the linux kernel. I'm not sure if it is a good idea to mix two different purpose fields in the same node... > > > + > > +properties: > > + compatible: > > + const: google,widevine > > From the description I have no clue what is "widevine". The more > surprising is to see it as "not hardware" but having its node and > compatible, like it was a hardware node. We already have a "chosen" node that is "not hardware" in the DT. Should we just remove the compatible field from this node? BTW, Widevine is a digital rights management (DRM) system to make sure the video stream can only be decoded on the valid devices. 
> > > + > > + hardware-unique-key: > > + $ref: /schemas/types.yaml#/definitions/uint8-array > > + description: | > > + The hardware-unique key of the Widevine OP-TEE. It will be used > > + to derive the secure storage key. The length should be 32 bytes. > > + For more information, please reference: > > + https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key > > Why would you store it in DT? This is world readable... or you mean this > is some seed? We will not pass this node to the linux kernel. This DT node is only intended to be used between the ARM trusted firmware(BL31) and the OPTEE. > > > + > > + tpm-auth-public-key: > > + $ref: /schemas/types.yaml#/definitions/uint8-array > > + description: | > > + The TPM auth public key. Used to communicate the TPM from OP-TEE. > > + The format of data should be TPM2B_PUBLIC. > > + For more information, please reference the 12.2.5 section: > > + https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf > > + > > + root-of-trust: > > + $ref: /schemas/types.yaml#/definitions/uint8-array > > + description: | > > + The Widevine root of trust secret. Used to sign the widevine > > + request in OP-TEE. The length should be 32 bytes. The value > > + is an ECC NIST P-256 scalar. > > + For more information, please reference the G.1.2 section: > > + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf > > + > > + root-of-trust-cert: > > + $ref: /schemas/types.yaml#/definitions/uint8-array > > + description: | > > + The X.509 certificate of the Widevine root of trust on this > > + device. Used to provision the device status with the Widevine > > + server in OP-TEE. > > + For more information, please reference: > > + https://www.itu.int/rec/T-REC-X.509 > > + > > +required: > > + - compatible > > + - hardware-unique-key > > + - root-of-trust > > + > > +additionalProperties: false > > + > > +examples: > > + - |+ > > Why + ? 
The extra "+" will be removed in the next patch. > > > + options { > > There is no such node as "options". This is a new node that was suggested in this thread: https://www.spinics.net/lists/devicetree-spec/msg01195.html > > > Best regards, > Krzysztof > Thanks, Yi ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] dt-bindings: Add Google Widevine initialization parameters [not found] ` <CABOkjxJpcOUyyh9vjRuqrhmd=EdQdnyyuBX-++0R+UdENfqw9A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2023-09-18 12:03 ` Krzysztof Kozlowski 0 siblings, 0 replies; 5+ messages in thread From: Krzysztof Kozlowski @ 2023-09-18 12:03 UTC (permalink / raw) To: Yi Chou Cc: robh+dt-DgEjT+Ai2ygdnm+yROfE0A, krzysztof.kozlowski+dt-QSEj5FYQhm4dnm+yROfE0A, devicetree-u79uwXL29TY76Z2rM5mHXA, devicetree-spec-u79uwXL29TY76Z2rM5mHXA, yich-hpIqsD4AKlfQT0dZR+AlfA, jens.wiklander-QSEj5FYQhm4dnm+yROfE0A, chenyian-hpIqsD4AKlfQT0dZR+AlfA, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA, jwerner-F7+t8E8rja9g9hUCZPvPmw, sjg-F7+t8E8rja9g9hUCZPvPmw On 18/09/2023 06:20, Yi Chou wrote: > On Sun, Sep 17, 2023 at 4:40 PM Krzysztof Kozlowski > <krzysztof.kozlowski-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote: >> >> On 08/09/2023 12:15, Yi Chou wrote: >>> The necessary fields to initialize the widevine related functions in >>> OP-TEE. >>> >>> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> >>> Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> >>> --- >>> .../bindings/options/google,widevine.yaml | 124 ++++++++++++++++++ >>> 1 file changed, 124 insertions(+) >>> create mode 100644 Documentation/devicetree/bindings/options/google,widevine.yaml >>> >>> diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml b/Documentation/devicetree/bindings/options/google,widevine.yaml >>> new file mode 100644 >>> index 0000000000000..bf2b834cb1454 >>> --- /dev/null 
>>> +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml >> >> There is no such hardware as "options". What is this supposed to be for? >> firmware? > > These DT fields would not be consumed by the OS. > https://www.spinics.net/lists/devicetree-spec/msg01195.html > The previous discussion tended to use the "options" node. > Do we have any better place for these widevine related fields? I'll let Rob comment on this in such case. 
> >> >>> @@ -0,0 +1,124 @@ >>> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) >>> +%YAML 1.2 >>> +--- >>> +$id: http://devicetree.org/schemas/options/google,widevine.yaml# >>> +$schema: http://devicetree.org/meta-schemas/core.yaml# >>> + >>> +title: Google Widevine initialization parameters. >> >> This is a title, drop full stop. > > Got it, will be fixed in the next patch. > >> >>> + >>> +maintainers: >>> + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> >>> + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> >>> + >>> +description: >>> + The necessary fields to initialize the widevine related functions in >>> + OP-TEE. This node does not represent a real device, but serves as a >>> + place for passing data between firmware and OP-TEE. >>> + The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can >>> + be ignored because it's safe to pass the public information with the >>> + other methods(e.g. userland OP-TEE plugins). >> >> Then why isn't this a property of optee node? > > Are you talking about the /firmware/optee node? > If I understand correctly, that node was talking about how the kernel > communicates with the OP-TEE. > But what we are doing here is passing some secrets from trusted > firmware into OP-TEE, and the data would not go through the linux > kernel. > I'm not sure if it is a good idea to mix two different purpose fields > in the same node... > >> >>> + >>> +properties: >>> + compatible: >>> + const: google,widevine >> >> From the description I have no clue what is "widevine". The more >> surprising is to see it as "not hardware" but having its node and >> compatible, like it was a hardware node. > > We already have a "chosen" node that is "not hardware" in the DT. > Should we just remove the compatible field from this node? > > BTW, Widevine is a digital rights management (DRM) system to make sure > the video stream can only be decoded on the valid devices. 
Then describe it in the description. Best regards, Krzysztof ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] dt-bindings: Add Google Widevine initialization parameters [not found] ` <20230908101539.2622864-1-yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> 2023-09-17 8:40 ` Krzysztof Kozlowski @ 2023-09-18 19:42 ` Rob Herring 1 sibling, 0 replies; 5+ messages in thread From: Rob Herring @ 2023-09-18 19:42 UTC (permalink / raw) To: Yi Chou Cc: krzysztof.kozlowski+dt-QSEj5FYQhm4dnm+yROfE0A, devicetree-u79uwXL29TY76Z2rM5mHXA, devicetree-spec-u79uwXL29TY76Z2rM5mHXA, yich-hpIqsD4AKlfQT0dZR+AlfA, jens.wiklander-QSEj5FYQhm4dnm+yROfE0A, chenyian-hpIqsD4AKlfQT0dZR+AlfA, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA, jwerner-F7+t8E8rja9g9hUCZPvPmw, sjg-F7+t8E8rja9g9hUCZPvPmw On Fri, Sep 08, 2023 at 06:15:39PM +0800, Yi Chou wrote: > The necessary fields to initialize the widevine related functions in > OP-TEE. > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> > Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > --- > .../bindings/options/google,widevine.yaml | 124 ++++++++++++++++++ > 1 file changed, 124 insertions(+) > create mode 100644 Documentation/devicetree/bindings/options/google,widevine.yaml I don't think this belongs in the kernel. Weren't earlier versions targeting dtschema? I'm okay with taking some stuff there, but if this is the beginning of a bunch of things for OP-TEE, then they should go in OP-TEE repo. > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml b/Documentation/devicetree/bindings/options/google,widevine.yaml > new file mode 100644 > index 0000000000000..bf2b834cb1454 > --- /dev/null > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml 
> @@ -0,0 +1,124 @@ > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) > +%YAML 1.2 > +--- > +$id: http://devicetree.org/schemas/options/google,widevine.yaml# > +$schema: http://devicetree.org/meta-schemas/core.yaml# > + > +title: Google Widevine initialization parameters. > + > +maintainers: > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> > + > +description: > + The necessary fields to initialize the widevine related functions in > + OP-TEE. This node does not represent a real device, but serves as a > + place for passing data between firmware and OP-TEE. > + The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can > + be ignored because it's safe to pass the public information with the > + other methods(e.g. userland OP-TEE plugins). > + > +properties: > + compatible: > + const: google,widevine > + > + hardware-unique-key: These all need a 'google,' prefix (or whoever they are specific too). Unless we're saying, for example, 'root-of-trust-cert' will always (globally) be an X.509 cert and in the same form. > + $ref: /schemas/types.yaml#/definitions/uint8-array maxItems: 32 > + description: | > + The hardware-unique key of the Widevine OP-TEE. It will be used > + to derive the secure storage key. The length should be 32 bytes. And drop the text defining the length. > + For more information, please reference: > + https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key > + > + tpm-auth-public-key: 'tcg,' prefix here since this is defined by TCG. > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The TPM auth public key. Used to communicate the TPM from OP-TEE. > + The format of data should be TPM2B_PUBLIC. 
> + For more information, please reference the 12.2.5 section: > + https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf maxItems: 65537 (Maybe something less, but since the size field is uint16, it can't be more than that) > + > + root-of-trust: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The Widevine root of trust secret. Used to sign the widevine > + request in OP-TEE. The length should be 32 bytes. The value maxItems: 32 > + is an ECC NIST P-256 scalar. > + For more information, please reference the G.1.2 section: > + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf > + > + root-of-trust-cert: > + $ref: /schemas/types.yaml#/definitions/uint8-array > + description: | > + The X.509 certificate of the Widevine root of trust on this > + device. Used to provision the device status with the Widevine > + server in OP-TEE. > + For more information, please reference: > + https://www.itu.int/rec/T-REC-X.509 Size? 
> + > +required: > + - compatible > + - hardware-unique-key > + - root-of-trust > + > +additionalProperties: false > + > +examples: > + - |+ > + options { > + widevine { > + compatible = "google,widevine"; > + hardware-unique-key = [ > + 12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0 > + c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27 > + ]; > + tpm-auth-public-key = [ > + 00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27 > + e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81 > + b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10 > + 00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0 > + ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03 > + 2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34 > + 5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9 > + cf fc ab f8 30 e9 de 51 > + ]; > + root-of-trust = [ > + ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb > + d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10 > + ]; > + root-of-trust-cert = [ > + 30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11 > + 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30 > + 0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30 > + 0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f > + 32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18 > + 0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a > + 30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35 > + 30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 > + 2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c > + 68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77 > + d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e > + 85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f > + d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30 > + 81 d1 30 1a 06 0a 2b 06 01 04 01 d6 79 02 01 21 > + 04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f > + 06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30 > + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23 > + e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af > + 0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30 > + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00 > + 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 > + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 > + 2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00 > + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 > + 12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00 > + 00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 > + 47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49 > + 45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69 > + df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce > + 6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f > + 8b 9f 06 f3 e4 11 bc cd > + ]; > + }; > + }; > -- > 2.42.0.283.g2d96d420d3-goog > ^ permalink raw reply [flat|nested] 5+ messages in thread
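Rob's review above asks for explicit sizes on every property, and the binding leaves the TPM2B_PUBLIC and P-256 scalar formats to external references. The C below is an added example, not code from this patch, from OP-TEE or from TF-A: it performs the checks an OP-TEE consumer of the node would apply, parsing the `tpm-auth-public-key` value as a TPM2B_PUBLIC (TCG TPM 2.0 Part 2, 12.2.5) for the ECC case with every length validated against the buffer, and checking the `root-of-trust` value as a P-256 private scalar in [1, n-1]. The byte strings are copied from the sample values in the patch's example and are not real keys; the function names, the `struct ecc_public` type, the restriction to TPM_ALG_NULL symmetric/scheme/kdf fields, and the expectation that the auth key is an unrestricted decryption key are my assumptions, not anything the binding states.

```c
/* Added example, not from the patch, OP-TEE or TF-A: the checks an OP-TEE consumer of the
 * google,widevine node would apply. Byte strings are the patch's sample values, not real keys. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCG TPM 2.0 Part 2 identifiers and the TPMA_OBJECT bits used below. */
#define TPM_ALG_NULL      0x0010
#define TPM_ALG_ECC       0x0023
#define TPM_ECC_NIST_P256 0x0003
#define TPMA_RESTRICTED   (1u << 16)
#define TPMA_DECRYPT      (1u << 17)
#define TPMA_SIGN_ENCRYPT (1u << 18)

struct ecc_public {
    uint16_t type, name_alg, curve_id;
    uint32_t attrs;
    uint8_t x[32], y[32];
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse a TPM2B_PUBLIC (Part 2, 12.2.5) holding an ECC key whose symmetric, scheme and kdf
 * are TPM_ALG_NULL with 32-byte coordinates (an assumption; any other shape is rejected, not
 * guessed at). Every length is checked before it is read and the size prefix must cover
 * exactly the rest of the buffer. Returns 0 on success, -1 on any problem. */
static int parse_tpm2b_public_ecc(const uint8_t *buf, size_t len, struct ecc_public *out)
{
    size_t off = 2; uint16_t n;
    if (len < 2 || (size_t)rd16(buf) + 2 != len || len - off < 10)
        return -1;
    out->type = rd16(buf + off);     off += 2;
    out->name_alg = rd16(buf + off); off += 2;
    out->attrs = rd32(buf + off);    off += 4;
    n = rd16(buf + off);             off += 2;      /* authPolicy: TPM2B_DIGEST */
    if (out->type != TPM_ALG_ECC || n > 64 || len - off < n)
        return -1;
    off += n;                                       /* policy digest not needed here */
    if (len - off < 8) return -1;                   /* TPMS_ECC_PARMS */
    if (rd16(buf + off) != TPM_ALG_NULL) return -1; off += 2;   /* symmetric */
    if (rd16(buf + off) != TPM_ALG_NULL) return -1; off += 2;   /* scheme */
    out->curve_id = rd16(buf + off);                off += 2;
    if (rd16(buf + off) != TPM_ALG_NULL) return -1; off += 2;   /* kdf */
    for (int i = 0; i < 2; i++) {                   /* TPMS_ECC_POINT: x then y */
        if (len - off < 2) return -1; n = rd16(buf + off); off += 2;
        if (n != 32 || len - off < n) return -1;
        memcpy(i == 0 ? out->x : out->y, buf + off, n);
        off += n;
    }
    return off == len ? 0 : -1;                     /* no trailing bytes allowed */
}

/* Order n of the P-256 base point (SP 800-186); a private scalar d must lie in [1, n-1]. */
static const uint8_t P256_N[32] = {
    0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0xbc,0xe6,0xfa,0xad,0xa7,0x17,0x9e,0x84,0xf3,0xb9,0xca,0xc2,0xfc,0x63,0x25,0x51 };
static int p256_scalar_is_valid(const uint8_t *d, size_t len)
{
    uint8_t acc = 0;
    if (len != 32) return 0;
    for (size_t i = 0; i < 32; i++) acc |= d[i];
    return acc != 0 && memcmp(d, P256_N, 32) < 0;   /* unsigned bytes, so big-endian d < n */
}

/* tpm-auth-public-key and root-of-trust values copied from the binding example. */
static const uint8_t example_tpm_auth_public_key[120] = {
    0x00,0x76,0x00,0x23,0x00,0x0b,0x00,0x02,0x04,0xb2,0x00,0x20,0xe1,0x47,0xbf,0x27,
    0xe1,0x74,0x30,0xc8,0x16,0xab,0x72,0x4d,0x5c,0x77,0xe1,0x5c,0x61,0x2d,0x56,0x81,
    0xb3,0x35,0xcd,0x9d,0xeb,0x67,0x41,0x37,0x69,0xf0,0x32,0x41,0x00,0x10,0x00,0x10,
    0x00,0x03,0x00,0x10,0x00,0x20,0x70,0x9a,0xdf,0x50,0xf9,0x0f,0xd5,0xf4,0x40,0xe0,
    0xea,0x2c,0xe8,0xf2,0x26,0x9f,0x0e,0x5c,0x02,0x70,0x16,0xc3,0x6c,0xc1,0x83,0x03,
    0x2d,0x04,0x10,0xbd,0x85,0x7a,0x00,0x20,0x83,0x03,0xc2,0x66,0x6e,0x01,0x32,0x34,
    0x5c,0x5e,0x80,0x22,0xc7,0x48,0x24,0x3c,0x70,0x6b,0xb8,0xe4,0x24,0x42,0x74,0xa9,
    0xcf,0xfc,0xab,0xf8,0x30,0xe9,0xde,0x51 };
static const uint8_t example_root_of_trust[32] = {
    0xac,0x0d,0x86,0xc3,0xd7,0xb5,0xb7,0xa2,0x6f,0xc3,0xd9,0x93,0xf7,0xde,0xbc,0xbb,
    0xd5,0xc4,0x25,0x9b,0x21,0x5f,0x36,0xaf,0xb5,0xdd,0x6d,0x29,0x9d,0x08,0xc0,0x10 };

/* Every check a consumer should apply to the node; returns 1 only if all pass. The attribute
 * test expects an unrestricted decryption key that cannot sign, my reading of a key that is
 * only used to set up encrypted sessions with the TPM. */
static int check_widevine_example(void)
{
    struct ecc_public pub;
    if (parse_tpm2b_public_ecc(example_tpm_auth_public_key, sizeof example_tpm_auth_public_key, &pub))
        return 0;
    if (pub.curve_id != TPM_ECC_NIST_P256 || !(pub.attrs & TPMA_DECRYPT) ||
        (pub.attrs & (TPMA_RESTRICTED | TPMA_SIGN_ENCRYPT)))
        return 0;
    return p256_scalar_is_valid(example_root_of_trust, sizeof example_root_of_trust);
}

int main(void)
{
    printf("google,widevine example node: %s\n", check_widevine_example() ? "valid" : "INVALID");
    return 0;
}
```

On the sample data the parser yields type TPM_ALG_ECC, nameAlg SHA-256 (0x000b), curve NIST P-256 and objectAttributes 0x000204b2, and the scalar passes the range test, so the example node validates; a buffer one byte short, or a size prefix that does not match, is rejected before any field is read, which is the property a secure-world consumer of firmware-supplied data needs.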