| Name |
| |
| EXT_protected_surface |
| |
| Name Strings |
| |
| EGL_EXT_protected_surface |
| |
| Contributors |
| |
| Frido Garritsen, Vivante |
| Yanjun Zhang, Vivante |
| Pontus Lidman, Marvell |
| Jesse Hall, Google |
| |
| Contacts |
| |
| Frido Garritsen (frido 'at' vivantecorp.com) |
| Yanjun Zhang (yzhang 'at' vivantecorp.com) |
| |
| Notice |
| |
| Copyright 2013 Vivante Corporation |
| |
| IP Status |
| |
| No known IP claims. |
| |
| Status |
| |
| Draft |
| |
| Version |
| |
| #7, January 20, 2014 |
| |
| Number |
| |
| EGL Extension #67 |
| |
| Dependencies |
| |
| Requires EGL 1.4 and EGL_KHR_image_base extension |
| |
| This extension is written against the wording of the EGL 1.4 |
| Specification (12/04/2013), and EGL_KHR_image_base spec. version 6. |
| |
| Overview |
| |
| This extension adds a new EGL surface attribute EGL_PROTECTED_CONTENT_EXT |
| to indicate if the content in the surface buffer is protected or not. |
| If surface attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE, then the |
| surface content is only accessible to secure accesses. Any attempt to access |
| the buffer content non-securely will fail and result in undefined behavior |
| up to and including program termination. Also, any copy operations from the |
| protected surface to any non-protected surface by GPU are considered illegal. |
| |
| New Types |
| |
| None |
| |
| New Procedures and Functions |
| |
| None |
| |
| New Tokens |
| |
| New EGLSurface attribute name: |
| |
| EGL_PROTECTED_CONTENT_EXT 0x32C0 |
| |
| |
| Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Surfaces) |
| |
| Change the second paragraph in section 3.5 on p. 28 (describing eglCreateWindowSurface): |
| |
| "Attributes that can be specified in attrib list include EGL_RENDER_BUFFER, |
| EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and EGL_VG_ALPHA_FORMAT." |
| |
| Add the following paragraph in section 3.5 on p. 28 before "EGL_VG_COLORSPACE |
| specifies the color space used by OpenVG" (describing eglCreateWindowSurface |
| attrib_list): |
| |
| "EGL_PROTECTED_CONTENT_EXT specifies the protection state of the window |
| surface. If its value is EGL_TRUE, then the surface content resides in a |
| secure memory region. Secure surfaces may be written to by client APIs |
| using any combination of protected and non-protected input data. EGL and |
| client APIs will not allow contents of protected surfaces to be accessed |
| by non-secure devices in the system (including non-secure software |
| running on the CPU). They will also not allow the contents to be copied |
| to non-protected surfaces. Copies within a protected surface, or from one |
| protected surface to another, are allowed. eglSwapBuffers is allowed for |
| protected surfaces if and only if the window system is able to maintain |
| the security of the buffer contents. Any disallowed operation will |
| fail and result in undefined behavior, up to and including program |
| termination. If EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the surface |
| content can be accessed by secure or non-secure devices and can be copied |
| to any other surfaces. The definition of secure and non-secure access is |
| up to the implementation and is out of scope of this specification. The |
| default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE." |
| |
| Change the second paragraph in section 3.5 on p. 30 (describing |
| eglCreatePbufferSurface): |
| |
| "Attributes that can be specified in attrib list include EGL_WIDTH, |
| EGL_HEIGHT, EGL_LARGEST_PBUFFER, EGL_TEXTURE_FORMAT, EGL_TEXTURE_TARGET, |
| EGL_MIPMAP_TEXTURE, EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and |
| EGL_VG_ALPHA_FORMAT." |
| |
| Add following the second paragraph in section 3.5 on p. 31 (describing |
| eglCreatePbufferSurface attrib_list): |
| |
| "EGL_PROTECTED_CONTENT_EXT specifies the protection state of the pbuffer |
| surface. If its value is EGL_TRUE, then the surface content resides in a |
| secure memory region. Secure surfaces may be written to by client APIs |
| using any combination of protected and non-protected input data. EGL and |
| client APIs will not allow contents of protected surfaces to be accessed |
| by non-secure devices in the system (including non-secure software |
| running on the CPU). They will also not allow the contents to be copied |
| to non-protected surfaces. Copies within a protected surface, or from one |
| protected surface to another, are allowed. Any disallowed operation will |
| fail and result in undefined behavior, up to and including program |
| termination. If EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the surface |
| content can be accessed by secure or non-secure devices and can be copied |
| to any other surfaces. The definition of secure and non-secure access is |
| up to the implementation and is out of scope of this specification. The |
| default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE." |
| |
| Add to Table 3.5: Queryable surface attributes and types on p. 37 |
| |
| EGL_PROTECTED_CONTENT_EXT boolean Content protection state |
| |
| Add following the second paragraph in section 3.6 on p. 39 (describing |
| eglQuerySurface): |
| |
| "Querying EGL_PROTECTED_CONTENT_EXT returns the content protection state of |
| the surface. The protection state of window and pbuffer surfaces is specified |
| in eglCreateWindowSurface and eglCreatePbufferSurface. The protection state of |
| pixmap and client buffer (pbuffer) surfaces is always EGL_FALSE." |
| |
| Add following after "if either draw or read are bound to contexts in another thread, |
| an EGL_BAD_ACCESS error is generated." in section 3.7.3 p46 (describing eglMakeCurrent |
| errors): |
| |
| "If EGL_PROTECTED_CONTENT_EXT attributes of read is EGL_TRUE and |
| EGL_PROTECTED_CONTENT_EXT attributes of draw is EGL_FALSE, an |
| EGL_BAD_ACCESS error is generated." |
| |
| Add following after "which must be a valid native pixmap handle." in section 3.9.2 on |
| p. 53 (describing eglCopyBuffers): |
| |
| "If attribute EGL_PROTECTED_CONTENT_EXT of surface has value of EGL_TRUE, then |
| an EGL_BAD_ACCESS error is returned." |
| |
| |
| Additions to EGL_KHR_image_base extension specification |
| |
| Add to section 2.5.1 Table bbb: |
| |
| +-----------------------------+-------------------------+---------------+ |
| | Attribute | Description | Default Value | |
| +-----------------------------+-------------------------+---------------+ |
| | EGL_NONE | Marks the end of the | N/A | |
| | | attribute-value list | | |
| | EGL_IMAGE_PRESERVED_KHR | Whether to preserve | EGL_FALSE | |
| | | pixel data | | |
| | EGL_PROTECTED_CONTENT_EXT | Content protection | EGL_FALSE | |
| | | state | | |
| +-----------------------------+-------------------------+---------------+ |
| Table bbb. Legal attributes for eglCreateImageKHR <attrib_list> parameter |
| |
| Add the following paragraph to section 2.5.1 before "Errors" (describing |
| eglCreateImageKHR): |
| |
| "If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE, then |
| image content is only accessible by secure devices in the system. A |
| complete definition of secure device is implementation-specific, but at |
| minimum a secure device must not expose the contents of a protected image |
| to non-secure devices or allow contents to be copied to non-protected |
| regions of memory. If an EGL client API cannot make such guarantees, |
| attempts to create an EGLImage sibling within that client API will fail |
| with an API-specific error. |
| |
| If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the |
| surface content can be accessed by secure or non-secure devices and can be |
| copied to any other surfaces." |
| |
| Issues |
| |
| 1. Should the spec define the behavior of secure and non-secure access? |
| |
| PROPOSED: No. Different CPU and GPU architectures have different secure access |
| implementations. The behavior of secure access violation is also different. Some |
| architectures will take a CPU exeception. On other architectures, reads will get |
| zeroes and writes will have no effect. This includes DMA transactions. So it is |
| better to leave the defination of illegal operation behavior out of this |
| specification. |
| |
| 2. Should the spec enumerate the legal and illegal operations in client APIs |
| such as OpenGL ES? |
| |
| PROPOSED: No. Enumerating these is possible, but is likely to get out of date |
| as new extensions and client API versions are introduced. Better to state the |
| principles that determine whether an operation is legal or illegal. If a version |
| of this extension is promoted to KHR or core status, enumerating the legal |
| operations because there will be a greater expectation that future extensions |
| will consider interactions. For OpenGL ES 3.0, a non-normative list of examples |
| would be: |
| * glReadPixels is illegal when the READ framebuffer is protected, |
| * glCopyTexImage2D is illegal when the READ framebuffer is protected, |
| * glCopyTexSubImage2D is illegal when the READ framebuffer is protected, unless |
| the target texture is a protected pbuffer, |
| * glBlitFramebuffer is illegal if the READ framebuffer is protected and the |
| DRAW framebuffer is not protected. |
| |
| Revision History |
| |
| Rev. Date Author Changes |
| ---- -------- -------- ------------------------------------------------- |
| 7 01/20/14 Jesse Reword PROTECTED_CONTENT descriptions to be more specific |
| about legality of client API operations. Add issue #2. |
| 6 01/14/14 Yanjun Change the extension from vendor specific to EXT. Add |
| EGL_BAD_ACCESS error to eglMakeCurrent, eglCopyBuffers. |
| 5 01/13/14 Jesse Define illegal operation behavior more broadly. |
| 4 01/10/14 Pontus Update description of illegal operation behavior in |
| terms of secure memory region and secure access. |
| 3 01/03/14 Yanjun Define the GPU and CPU behavior for illegal operations. |
| 2 12/13/13 Yanjun Prohibit GPU illegal copy from the protected surface to |
| non-protected surface. |
| 1 12/11/13 Yanjun Initial draft. |