There are some great roms around. Superceleron has developed awesome Android Tv roms for the vim. The one gap is that nefflix can not be controlled with the Khadas remote and the Netflix Android TV apk needs widevine L1. I found a Widevine L1 repository in the khadas github . has anyone tried it ?
I think it is impossible to do so .
https://storage.googleapis.com/wvdocs/Widevine_DRM_Getting_Started_Devices.pdf
Widevine Client Security Levels
The following security level definitions are used by Widevine:
Security Level 1 (L1) Widevine DRM keys and decrypted content are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values and the media content is decrypted by the secure hardware.
Key requirements of this security level:
Device manufacturers must provide a secure bootloader. The chain of trust from the bootloader must extend through any software or firmware components involved in the security implementation, such as the ARM TrustZone protected application and any components involved in the enforcement of the secure video path.
The Widevine keybox must be encrypted with a device-unique secret key that is not visible to software or probing methods outside of the TrustZone. The Widevine key-box must be installed in the factory or delivered to the device using an approved secure delivery mechanism.
Device manufacturers must provide an implementation of the Widevine Level 1 OEMCrypto API that performs all key processing and decryption in a trusted environment.All content processing, cryptography, and control is performed within the Trusted Execution Environment (TEE). In some implementation models, security processing may be performed in different chips.
This level of security requires factory provisioning of the Widevine keybox or requires the Widevine keybox to be protected by a device key installed at the time of manufacturing.
The ​Device Provisioning Models document​ provides additional information about Widevine device provisioning models.This is the recommended path for any device integration as it provides the highest level of security.
Security Level 2 (L2) The Widevine keys are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values. An AES crypto block performs the high throughput AES decryption of the media stream. The resulting clear media buffers are returned to the CPU for delivery to the video decoder.
Performs cryptography (but not video processing) within the TEE: decrypted buffers are returned to the application domain and processed through separate video hardware or software. At level 2, however, cryptographic information is still processed only within the trusted execution environment.
This level of security requires factory provisioning of the Widevine keybox or requires the Widevine keybox to be protected by a keybox installed at the time of manufacturing.
Key requirements of this security level:
Device manufacturers must provide a secure bootloader. The chain of trust from the bootloader must extend through any software or firmware components involved in the security implementation, such as the TrustZone protected application.
The Widevine keybox must be encrypted with a device-unique secret key that is not visible to software or probing methods outside of the TrustZone.
The Widevine keybox must be installed in the factory or delivered to the device using an approved secure delivery mechanism.
Device manufacturers must provide an implementation of the Widevine Level 2 OEMCrypto API that performs all key processing and decryption in a trusted environment.
Device manufacturers must provide a bootloader that loads signed system images only.For devices that allow users to load a custom operating system or gain root privileges on the device by unlocking the bootloader, device manufacturers must support the following:
Device manufacturers must provide a bootloader that allows a Widevine keybox to be written only when the bootloader is in a locked state.
The Widevine keybox must be stored in a region of memory that is erased or is inaccessible when the device bootloader is in an unlocked state.
Security Level 3 (L3) This security level relies on the secure bootloader to verify the system image. An AES crypto block performs the AES decryption of the media stream and the resulting clear media buffers are returned to the CPU for delivery to the video decoder.
Does not have a TEE on the device. Appropriate measures may be taken to protect the cryptographic information and decrypted content on host operating system. A Level 3 implementation may also include a hardware cryptographic engine, but that only enhances performance, not security.
Device manufacturers must provide a bootloader that loads signed system images only. For devices that allow users to load a custom operating system or gain root privileges on the device by unlocking the bootloader, device manufacturers must support the following:
Device manufacturers must provide a bootloader that allows a Widevine keybox to be written only when the bootloader is in a locked state.
The Widevine keybox must be stored in a region of memory that is erased or is inaccessible when the device bootloader is in an unlocked state.This categorization generally applies to software-only client solutions.