Name

    EXT_protected_surface

Name Strings

    EGL_EXT_protected_surface

Contributors

    Frido Garritsen, Vivante
    Yanjun Zhang, Vivante
    Pontus Lidman, Marvell
    Jesse Hall, Google

Contacts

    Frido Garritsen (frido 'at' vivantecorp.com)
    Yanjun Zhang (yzhang 'at' vivantecorp.com)

Notice

    Copyright 2013 Vivante Corporation

IP Status

    No known IP claims.

Status

    Draft

Version

    #7, January 20, 2014

Number

    EGL Extension #67

Dependencies

    Requires EGL 1.4 and EGL_KHR_image_base extension

    This extension is written against the wording of the EGL 1.4
    Specification (12/04/2013), and EGL_KHR_image_base spec. version 6.

Overview

    This extension adds a new EGL surface attribute EGL_PROTECTED_CONTENT_EXT
    to indicate if the content in the surface buffer is protected or not.
    If surface attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE, then the
    surface content is only accessible to secure accesses. Any attempt to access
    the buffer content non-securely will fail and result in undefined behavior
    up to and including program termination. Also, any copy operations from the
    protected surface to any non-protected surface by GPU are considered illegal.

New Types

    None

New Procedures and Functions

    None

New Tokens

    New EGLSurface attribute name:

        EGL_PROTECTED_CONTENT_EXT               0x32C0


Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Surfaces)

    Change the second paragraph in section 3.5 on p. 28 (describing
    eglCreateWindowSurface):

    "Attributes that can be specified in attrib list include EGL_RENDER_BUFFER,
    EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and EGL_VG_ALPHA_FORMAT."

    Add the following paragraph in section 3.5 on p. 28 before "EGL_VG_COLORSPACE
    specifies the color space used by OpenVG" (describing eglCreateWindowSurface
    attrib_list):

    "EGL_PROTECTED_CONTENT_EXT specifies the protection state of the window
    surface. If its value is EGL_TRUE, then the surface content resides in a
    secure memory region. Secure surfaces may be written to by client APIs
    using any combination of protected and non-protected input data. EGL and
    client APIs will not allow contents of protected surfaces to be accessed
    by non-secure devices in the system (including non-secure software
    running on the CPU). They will also not allow the contents to be copied
    to non-protected surfaces. Copies within a protected surface, or from one
    protected surface to another, are allowed. eglSwapBuffers is allowed for
    protected surfaces if and only if the window system is able to maintain
    the security of the buffer contents. Any disallowed operation will
    fail and result in undefined behavior, up to and including program
    termination. If EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the surface
    content can be accessed by secure or non-secure devices and can be copied
    to any other surfaces. The definition of secure and non-secure access is
    up to the implementation and is out of scope of this specification. The
    default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE."

    Change the second paragraph in section 3.5 on p. 30 (describing
    eglCreatePbufferSurface):

    "Attributes that can be specified in attrib list include EGL_WIDTH,
    EGL_HEIGHT, EGL_LARGEST_PBUFFER, EGL_TEXTURE_FORMAT, EGL_TEXTURE_TARGET,
    EGL_MIPMAP_TEXTURE, EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and
    EGL_VG_ALPHA_FORMAT."

    Add the following after the second paragraph in section 3.5 on p. 31
    (describing eglCreatePbufferSurface attrib_list):

    "EGL_PROTECTED_CONTENT_EXT specifies the protection state of the pbuffer
    surface. If its value is EGL_TRUE, then the surface content resides in a
    secure memory region. Secure surfaces may be written to by client APIs
    using any combination of protected and non-protected input data. EGL and
    client APIs will not allow contents of protected surfaces to be accessed
    by non-secure devices in the system (including non-secure software
    running on the CPU). They will also not allow the contents to be copied
    to non-protected surfaces. Copies within a protected surface, or from one
    protected surface to another, are allowed. Any disallowed operation will
    fail and result in undefined behavior, up to and including program
    termination. If EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the surface
    content can be accessed by secure or non-secure devices and can be copied
    to any other surfaces. The definition of secure and non-secure access is
    up to the implementation and is out of scope of this specification. The
    default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE."

    Add to Table 3.5: Queryable surface attributes and types on p. 37

    EGL_PROTECTED_CONTENT_EXT    boolean    Content protection state

    Add the following after the second paragraph in section 3.6 on p. 39
    (describing eglQuerySurface):

    "Querying EGL_PROTECTED_CONTENT_EXT returns the content protection state of
    the surface. The protection state of window and pbuffer surfaces is specified
    in eglCreateWindowSurface and eglCreatePbufferSurface. The protection state of
    pixmap and client buffer (pbuffer) surfaces is always EGL_FALSE."

    Add the following after "if either draw or read are bound to contexts in
    another thread, an EGL_BAD_ACCESS error is generated." in section 3.7.3 on
    p. 46 (describing eglMakeCurrent errors):

    "If the EGL_PROTECTED_CONTENT_EXT attribute of read is EGL_TRUE and the
    EGL_PROTECTED_CONTENT_EXT attribute of draw is EGL_FALSE, an
    EGL_BAD_ACCESS error is generated."

    Add the following after "which must be a valid native pixmap handle." in
    section 3.9.2 on p. 53 (describing eglCopyBuffers):

    "If attribute EGL_PROTECTED_CONTENT_EXT of surface has value of EGL_TRUE, then
    an EGL_BAD_ACCESS error is returned."


Additions to EGL_KHR_image_base extension specification

    Add to section 2.5.1 Table bbb:

      +-----------------------------+-------------------------+---------------+
      | Attribute                   | Description             | Default Value |
      +-----------------------------+-------------------------+---------------+
      | EGL_NONE                    | Marks the end of the    | N/A           |
      |                             | attribute-value list    |               |
      | EGL_IMAGE_PRESERVED_KHR     | Whether to preserve     | EGL_FALSE     |
      |                             | pixel data              |               |
      | EGL_PROTECTED_CONTENT_EXT   | Content protection      | EGL_FALSE     |
      |                             | state                   |               |
      +-----------------------------+-------------------------+---------------+
       Table bbb. Legal attributes for eglCreateImageKHR <attrib_list> parameter

    Add the following paragraph to section 2.5.1 before "Errors" (describing
    eglCreateImageKHR):

    "If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE, then
    image content is only accessible by secure devices in the system. A
    complete definition of secure device is implementation-specific, but at
    minimum a secure device must not expose the contents of a protected image
    to non-secure devices or allow contents to be copied to non-protected
    regions of memory. If an EGL client API cannot make such guarantees,
    attempts to create an EGLImage sibling within that client API will fail
    with an API-specific error.

    If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_FALSE, then the
    surface content can be accessed by secure or non-secure devices and can be
    copied to any other surfaces."

Issues

    1. Should the spec define the behavior of secure and non-secure access?

    PROPOSED: No. Different CPU and GPU architectures have different secure access
    implementations. The behavior on a secure access violation also differs. Some
    architectures will take a CPU exception. On other architectures, reads will get
    zeroes and writes will have no effect. This includes DMA transactions. So it is
    better to leave the definition of illegal operation behavior out of this
    specification.

    2. Should the spec enumerate the legal and illegal operations in client APIs
    such as OpenGL ES?

    PROPOSED: No. Enumerating these is possible, but is likely to get out of date
    as new extensions and client API versions are introduced. Better to state the
    principles that determine whether an operation is legal or illegal. If a version
    of this extension is promoted to KHR or core status, enumerating the legal
    operations would make more sense, because there will be a greater expectation
    that future extensions will consider interactions. For OpenGL ES 3.0, a
    non-normative list of examples would be:
    * glReadPixels is illegal when the READ framebuffer is protected,
    * glCopyTexImage2D is illegal when the READ framebuffer is protected,
    * glCopyTexSubImage2D is illegal when the READ framebuffer is protected, unless
      the target texture is a protected pbuffer,
    * glBlitFramebuffer is illegal if the READ framebuffer is protected and the
      DRAW framebuffer is not protected.

Revision History

    Rev.  Date      Author    Changes
    ----  --------  --------  -------------------------------------------------
     7    01/20/14  Jesse     Reword PROTECTED_CONTENT descriptions to be more specific
                              about legality of client API operations. Add issue #2.
     6    01/14/14  Yanjun    Change the extension from vendor specific to EXT. Add
                              EGL_BAD_ACCESS error to eglMakeCurrent, eglCopyBuffers.
     5    01/13/14  Jesse     Define illegal operation behavior more broadly.
     4    01/10/14  Pontus    Update description of illegal operation behavior in
                              terms of secure memory region and secure access.
     3    01/03/14  Yanjun    Define the GPU and CPU behavior for illegal operations.
     2    12/13/13  Yanjun    Prohibit GPU illegal copy from the protected surface to
                              non-protected surface.
     1    12/11/13  Yanjun    Initial draft.
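
The eglMakeCurrent error rule and the issue 2 examples above, modeled as a small C checker that a test harness or validation layer could use, together with the exact-token match needed when looking for EGL_EXT_protected_surface in the extension string. This is an added example, not part of the extension specification: the function and enum names are hypothetical, and the two error codes are the standard EGL 1.4 values, defined locally so it compiles without EGL headers.

```c
#include <string.h>

/* Standard EGL 1.4 error codes, defined locally so this builds without EGL
 * headers. All function and enum names below are hypothetical. */
#define EGL_SUCCESS    0x3000
#define EGL_BAD_ACCESS 0x3002

/* The OpenGL ES 3.0 operations listed in issue 2. */
enum gl_op { OP_READ_PIXELS, OP_COPY_TEX_IMAGE_2D,
             OP_COPY_TEX_SUB_IMAGE_2D, OP_BLIT_FRAMEBUFFER };

/* Exact-token lookup in the space-separated EGL_EXTENSIONS string. A bare
 * strstr() would also accept a longer name that merely contains `name`. */
int has_extension(const char *exts, const char *name)
{
    size_t n = strlen(name);
    if (exts == NULL || n == 0)
        return 0;
    for (const char *p = exts; (p = strstr(p, name)) != NULL; p += n) {
        int starts = (p == exts) || (p[-1] == ' ');
        int ends = (p[n] == ' ') || (p[n] == '\0');
        if (starts && ends)
            return 1;
    }
    return 0;
}

/* eglMakeCurrent: protected read with non-protected draw is EGL_BAD_ACCESS. */
int make_current_error(int draw_protected, int read_protected)
{
    return (read_protected && !draw_protected) ? EGL_BAD_ACCESS : EGL_SUCCESS;
}

/* Issue 2 examples. glReadPixels and glCopyTexImage2D are illegal whenever the
 * READ framebuffer is protected; the other two need a protected destination. */
int gl_op_legal(enum gl_op op, int read_protected, int dst_protected)
{
    if (!read_protected)
        return 1;
    if (op == OP_COPY_TEX_SUB_IMAGE_2D || op == OP_BLIT_FRAMEBUFFER)
        return dst_protected;
    return 0;
}

int main(void)
{
    /* Constructed string: the first token is not a real extension name. */
    const char *exts = "EGL_EXT_protected_surface_test EGL_KHR_image_base";
    return has_extension(exts, "EGL_EXT_protected_surface") ? 1 : 0;
}
```

In real code the protection flags would come from eglQuerySurface with EGL_PROTECTED_CONTENT_EXT, queried after surface creation so that a surface that did not end up protected is rejected before any sensitive content is rendered to it.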