Here's my theory as to how it works:
The CPU generates a session key, encrypts it using the video site's public key (which comes from a certificate signed by Intel which is verified by the CPU) and sends this encrypted session key to the video site.
The video site then decrypts the encrypted session key using their private key, and then uses the session key to encrypt the video stream.
The CPU then takes the encrypted video stream, decrypts it with the session key, then produces an HDCP stream which is sent out over the video ports.
All you need for this is instructions for:
- init_session(certificate_signed_by_intel) -> (context, session_key_encrypted_by_cert_public_key)
- convert_stream_block_to_hdcp(context, encrypted_stream_block) -> hdcp_stream_block
and since the session key never leaves the CPU unencrypted, and the stream is never emitted unencrypted, there's nothing to tap.
: yes HDCP is broken, but Intel barely admits that.
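A toy model of the flow theorised in the comment above, added here as an example; it is not from the original comment and is not Intel code. It assumes textbook RSA with small fixed primes, a SHA-256 keystream, and a stand-in "link key" in place of real HDCP, and the `Cpu` object plays the role of the `context` value; only the wrapped session key and link-encrypted blocks cross the CPU boundary.

```python
# Toy model only: NOT real cryptography (tiny textbook RSA, hash keystream).
# Every key, name and parameter below is constructed for illustration.
import hashlib, secrets

E = 65537

def keypair(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))        # (public modulus, private exponent)

def digest(site_n, ca_n):
    # value the stand-in CA signs: hash of the site's public modulus
    return int.from_bytes(hashlib.sha256(str(site_n).encode()).digest(), "big") % ca_n

def xor_stream(key, index, data):
    # keystream = SHA-256(key || block index); blocks must be <= 32 bytes
    pad = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

INTEL_N, INTEL_D = keypair(2**61 - 1, 2**89 - 1)    # stand-in signing key
SITE_N, SITE_D = keypair(2**107 - 1, 2**127 - 1)    # stand-in video site key
CERT = (SITE_N, pow(digest(SITE_N, INTEL_N), INTEL_D, INTEL_N))  # (pubkey, signature)

class Cpu:
    def __init__(self):
        self._link_key = secrets.token_bytes(16)    # stand-in for the HDCP link key

    def init_session(self, cert):
        site_n, sig = cert
        if pow(sig, E, INTEL_N) != digest(site_n, INTEL_N):
            raise ValueError("certificate not signed by the expected key")
        self._session_key = secrets.token_bytes(16)  # never returned in the clear
        return pow(int.from_bytes(self._session_key, "big"), E, site_n)

    def convert_stream_block_to_hdcp(self, index, encrypted_block):
        clear = xor_stream(self._session_key, index, encrypted_block)  # internal only
        return xor_stream(self._link_key, index, clear)

    def display_decrypt(self, index, hdcp_block):
        # models the display end of the link, which shares the link key
        return xor_stream(self._link_key, index, hdcp_block)

def site_encrypt(wrapped_key, index, frame):
    # video site: unwrap the session key with its private key, encrypt one block
    key = pow(wrapped_key, SITE_D, SITE_N).to_bytes(16, "big")
    return xor_stream(key, index, frame)
```
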