Content protection relies on several security mechanisms: (i) encryption to prevent access to the content during transport, (ii) trusted computation environment to prevent access during decoding, and we can also add (iii) forensic watermarking to deter content re-acquisition at rendering. With the advent of next generation video and the ever increasing popularity of embedded devices for content consumption, there is a need for new content protection solutions that rely less on hardware. In this context, we propose an architecture that combines the ARM TrustZone technology, an hypervised environment built on Genode and a bit stream watermarking algorithm that inserts serialization marks on the fly in an embedded device. As a result, an attacker cannot get access to video assets in clear form and not watermarked. Reported performances measurements indicate that the induced computational overhead is reasonable.