Name EXT_protected_content Name Strings EGL_EXT_protected_content Contributors Ramesh Viswanathan Brian Ellis Colin Sharp Rajeev Kulkarni Mohan Maiya Maurice Ribble Craig Donner Jan-Harald Fredriksen Daniel Koch Michael Golds Ray Smith Contacts Maurice Ribble (mribble 'at' qti.qualcomm.com) IP Status No known IP claims. Status Complete. Version Version 12, April 14, 2016 Number EGL Extension #97 Dependencies Requires EGL 1.4. Interactions with EGL_KHR_image_base extension. This extension is written against the wording of the EGL 1.4. Specification (12/04/2013) This extension has interactions with EGL_EXT_protected_surface if that extension is supported. The interactions are described in the main text. Overview This extension introduces the concept of protected contexts and protected resources, specifically surfaces and EGLImages. Applications can choose at creation time whether a context, surface or EGLImage is protected or not. A protected context is required to allow the GPU to operate on protected resources, including protected surfaces and protected EGLImages. An explanation of undefined behavior in this extension: Several places in this extension mention undefined behavior can result, which can include program termination. The reason for this is because one way to handle protected content is by using a protected virtual to physical memory translation layer. With this sort of solution a system may generate read or write faults when a non-protected source tries to access a protected buffer. Depending on the system these faults might be ignored or they might cause process termination. This undefined behavior should not include actually allowing a transfer of data from a protected surface to a non-protected surface. New Types None New Procedures and Functions None New Tokens New EGLSurface attribute name: EGL_PROTECTED_CONTENT_EXT 0x32C0 Add a new section 2.7 entitled "Protected Content" at the end of Chapter 2 (EGL Operation) "The attribute EGL_PROTECTED_CONTENT_EXT can be applied to EGL contexts, EGL surfaces and EGLImages. If the attribute EGL_PROTECTED_CONTENT_EXT is set to EGL_TRUE by the application, then the newly created EGL object is said to be protected. A protected context is required to allow the GPU to operate on protected resources, including protected surfaces and protected EGLImages. GPU operations are grouped into pipeline stages. Pipeline stages can be defined to be protected or not protected. Each stage defines restrictions on whether it can read or write protected and unprotected resources, as follows: When a GPU stage is protected, it: - Can read from protected resources - Can read from unprotected resources - Can write to protected resources - Can NOT write to unprotected resources When a GPU stage is not protected, it: - Can NOT read from protected resources - Can read from unprotected resources - Can NOT write to protected resources - Can write to unprotected resources Any accesses not following these restrictions will result in undefined behavior. This extension does not specify which pipeline stages of a protected context are protected or not. This is left to a client API extension to define. All stages in a regular (not protected) context are not protected. However, if EGL_EXT_protected_surface is also supported, a regular (not protected) context will execute stages where one or more protected resources is accessed as if it were a protected context. Note that the protection state of a stage may be left implementation defined by a client API extension. This means that no guarantees can be made about whether the stage will be protected or not protected. Practically this means that the permitted operations for such a stage are the intersection of the allowed operations for protected and not protected stages, i.e it: - Can NOT read from protected resources - Can read from unprotected resources - Can NOT write to protected resources - Can NOT write to unprotected resources Since this is not a very useful set of operations refer to the client API extension to see what operations are actually allowed. This extension does not guarantee the implementation abides by a system's digital rights management requirements. It must be verified beyond the existence of this extension that the implementation of this extension is trustworthy according to the requirements of a content protection system." Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Contexts) Change the fifth paragraph in section 3.7.1 Creating Rendering Contexts: "attrib list specifies a list of attributes for the context. The list has the same structure as described for eglChooseConfig. Attributes that can be specified in attrib list include EGL_CONTEXT_CLIENT_VERSION and EGL_PROTECTED_CONTENT_EXT. The EGL_CONTEXT_CLIENT_VERSION attribute may only be specified when creating a OpenGL ES context (e.g. when the current rendering API is EGL_OPENGL_ES_API)." Add the following paragraph in section 3.7.1 on p. 44 before "attrib list may be NULL or empty (first attribute is EGL_NONE), in which case attributes assume their default values as described below." "EGL_PROTECTED_CONTENT_EXT specifies the protected state of the new context. If its value is EGL_TRUE, then the context is said to be protected. If its value is EGL_FALSE, then the context is not protected. See section 2.7 (Protected Content) for more information about protected contexts. The default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE." Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Surfaces) Change the second paragraph in section 3.5 on p. 28 (describing eglCreateWindowSurface): "Attributes that can be specified in attrib list include EGL_RENDER_BUFFER, EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and EGL_VG_ALPHA_FORMAT." Add the following paragraph in section 3.5 on p. 28 before "EGL_VG_COLORSPACE specifies the color space used by OpenVG" (describing eglCreateWindowSurface(attrib_list): "EGL_PROTECTED_CONTENT_EXT specifies the protected state of the window surface. If its value is EGL_TRUE, then the surface content is said to be protected. If its value is EGL_FALSE, then the surface content is not protected. See section 2.7 (Protected Content) for more information about protected and non-protected surfaces. Client APIs will not allow contents of protected surfaces to be accessed by non-protected contexts in the system (including non-secure software running on the CPU). Such operations will result in undefined behavior. Calling eglSwapBuffers on such a protected surface will succeed, but the contents may or may not be posted successfully depending on whether those parts of the pipeline are capable of handling protected content. Any disallowed operation will fail and result in undefined behavior. The default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE." Additions to EGL_KHR_image_base extension specification Add to section 2.5.1 Table bbb: +-----------------------------+-------------------------+---------------+ | Attribute | Description | Default Value | +-----------------------------+-------------------------+---------------+ | EGL_NONE | Marks the end of the | N/A | | | attribute-value list | | | EGL_IMAGE_PRESERVED_KHR | Whether to preserve | EGL_FALSE | | | pixel data | | | EGL_PROTECTED_CONTENT_EXT | Content protection | EGL_FALSE | | | state | | +-----------------------------+-------------------------+---------------+ Table bbb. Legal attributes for eglCreateImageKHR parameter Add the following paragraph to section 2.5.1 before "Errors" (describing eglCreateImageKHR): "If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE and the EGLImage sources can be guaranteed to be protected, then the EGLImage is said to be protected. See section 2.7 (Protected Content) for more information about protected resources including EGLImages. If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_FALSE then: - If EGLImage sources are not protected, the EGLImage is said to be not protected. See section 2.7 (Protected Content) for more information about non-protected resources including EGLImages. - If EGLImage sources are protected then the EGLImage content will be inaccessible to any client context irrespective of whether the context is protected or not. Trying to access such an EGLImage's content will result in undefined behavior." Add the following to the Errors list in section 2.5.1 "If the value specified in for EGL_PROTECTED_CONTENT_EXT is EGL_TRUE, and EGL and its client is unable to make guarantees regarding the protected state of the EGLImage source, the error EGL_BAD_ACCESS is generated." Issues 1) Can a protected context be shared with a non-protected context? RESOLVED - Yes. The rule that protected surfaces can only be used by protected contexts still applies. An example use case is where someone wants to render to unprotected textures within an unprotected context and then share it with a protected context to be used as a texture. 2) Should all surfaces within a protected context be protected by default? RESOLVED - No, several implementations have limited amounts of protected memory, so the API will require opting into protected memory. 3) Can these protected surfaces be used by stages other than fragment shader stage? RESOLVED - Some hardware can't handle this so this behavior is undefined unless there is explicit working in some new spec saying the behavior is defined. This is put as an issue because this is an EGL extension and should not be controlling OpenGL functionality. 4) Why is EGL_PROTECTED_CONTENT_EXT flag needed for EGLImages? RESOLVED - A few reasons for having an explicit flag instead of inferring the protected status from EGLImage sources - 1) There are multiple EGL image extensions (EGL QCOM image, EGL android image and so on) that accept buffers from external modules instead of client resources or allow internally allocated memory. For these use cases a protected attribute is useful, so we want to keep this flag. 2) An implementation might have a few non-standard setup steps that need to be completed before a protected EGL image can be accessed. This attribute along with a corresponding protected buffer will act as a signal for the graphics driver to initiate/complete any such steps. 3) An application creating an image from an external resource may not be aware of the fact that the resource is protected or may be unable to access its content. The successful mapping of and access to a protected buffer through an EGLImage will be predicated on the buffer being protected, having a protected context and the intent of the application to access that buffer by passing in EGL_TRUE for the attribute EGL_PROTECTED_CONTENT_EXT. Revision History Rev. Date Author Changes ---- -------- -------- ---------------------------------------------- 1 09/24/14 Ramesh Initial draft. 2 11/20/14 Rajeev Second draft. 3 03/07/16 mribble Make EXT and clean up for release. 4 03/10/16 mribble Cleanup. 5 03/18/16 mribble Fix issues brought up by Khronos group. 6 03/24/16 mribble Resolved some small issues found by Jan-Harald. 7 03/25/16 mribble Fix createContext wording. 8 03/30/16 mribble Added issue 5. 9 04/05/16 mribble Added issue 6 and better defined eglImage case. 10 04/08/16 rsmith - Added general section on protected content. Protected context, surface and image creation now refer to the general protected content principles. - Added explicit definition of which stages are protected, including allowing for the protected state of a stage to be undefined. - Formalised interactions with EGL_EXT_protected_surface. - Removed references to the GPU protected mode, including issue 3. 11 04/10/16 mribble Merge and cleanup. 12 04/14/16 Jon Leech Cleanup formatting, reflow paragraphs and quote additions consistently. Assign extension number.