This protocol allows a client to ask the compositor to only allow it to be displayed on a "secure" output. This initial version of the protocol supports HDCP. This is loosely based on the chromium secure-output protocol [1]. This protocol is mostly useful for closed system, where the client can trust the compositor, such as set-top boxes. This is not a way to implement any kind of Digital Rights Management on desktops. The compositor would be free to lie to the client, anyway. Signed-off-by: Scott Anderson <scott.anderson@collabora.com> Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com> [1] https://chromium.googlesource.com/chromium/src/+/master/third_party/wayland-protocols/unstable/secure-output/secure-output-unstable-v1.xmldev
parent
6ef2d45a2d
commit
06aeb0eae0
@ -0,0 +1,251 @@ |
|||||||
|
<?xml version="1.0" encoding="UTF-8"?> |
||||||
|
<protocol name="weston_content_protection"> |
||||||
|
|
||||||
|
<copyright> |
||||||
|
Copyright 2016 The Chromium Authors. |
||||||
|
Copyright 2018-2019 Collabora, Ltd. |
||||||
|
Copyright © 2018-2019 Intel Corporation. |
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a |
||||||
|
copy of this software and associated documentation files (the "Software"), |
||||||
|
to deal in the Software without restriction, including without limitation |
||||||
|
the rights to use, copy, modify, merge, publish, distribute, sublicense, |
||||||
|
and/or sell copies of the Software, and to permit persons to whom the |
||||||
|
Software is furnished to do so, subject to the following conditions: |
||||||
|
|
||||||
|
The above copyright notice and this permission notice (including the next |
||||||
|
paragraph) shall be included in all copies or substantial portions of the |
||||||
|
Software. |
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
||||||
|
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
||||||
|
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER |
||||||
|
DEALINGS IN THE SOFTWARE. |
||||||
|
</copyright> |
||||||
|
|
||||||
|
<description summary="Protocol for providing secure output"> |
||||||
|
This protocol specifies a set of interfaces used to provide |
||||||
|
content-protection for e.g. HDCP, and protect surface contents on the |
||||||
|
secured outputs and prevent from appearing in screenshots or from being |
||||||
|
visible on non-secure outputs. |
||||||
|
|
||||||
|
A secure-output is defined as an output that is secured by some |
||||||
|
content-protection mechanism e.g. HDCP, and meets at least the minimum |
||||||
|
required content-protection level requested by a client. |
||||||
|
|
||||||
|
The term content-protection is defined in terms of HDCP type 0 and |
||||||
|
HDCP type 1, but this may be extended in future. |
||||||
|
|
||||||
|
This protocol is not intended for implementing Digital Rights Management on |
||||||
|
general (e.g. Desktop) systems, and would only be useful for closed systems. |
||||||
|
As the server is the one responsible for implementing |
||||||
|
the content-protection, the client can only trust the content-protection as |
||||||
|
much they can trust the server. |
||||||
|
|
||||||
|
In order to protect the content and prevent surface contents from appearing |
||||||
|
in screenshots or from being visible on non-secure outputs, a client must |
||||||
|
first bind the global interface "weston_content_protection" which, if a |
||||||
|
compositor supports secure output, is exposed by the registry. |
||||||
|
Using the bound global object, the client uses the "get_protection" request |
||||||
|
to instantiate an interface extension for a wl_surface object. |
||||||
|
This extended interface will then allow surfaces to request for |
||||||
|
content-protection, and also to censor the visibility of the surface on |
||||||
|
non-secure outputs. Client applications should not wait for the protection |
||||||
|
to change, as it might never change in case the content-protection cannot be |
||||||
|
achieved. Alternatively, clients can use a timeout and start showing the |
||||||
|
content in lower quality. |
||||||
|
|
||||||
|
Censored visibility is defined as the compositor censoring the protected |
||||||
|
content on non-secure outputs. Censoring may include artificially reducing |
||||||
|
image quality or replacing the protected content completely with |
||||||
|
placeholder graphics. |
||||||
|
|
||||||
|
Censored visibility is controlled by protection mode, set by the client. |
||||||
|
In "relax" mode, the compositor may show protected content on non-secure |
||||||
|
outputs. It will be up to the client to adapt to secure and non-secure |
||||||
|
presentation. In "enforce" mode, the compositor will censor the parts of |
||||||
|
protected content that would otherwise show on non-secure outputs. |
||||||
|
</description> |
||||||
|
|
||||||
|
<interface name="weston_content_protection" version="1"> |
||||||
|
<description summary="content protection global interface"> |
||||||
|
The global interface weston_content_protection is used for exposing the |
||||||
|
content protection capabilities to a client. It provides a way for clients |
||||||
|
to request their wl_surface contents to not be displayed on an output |
||||||
|
below their required level of content-protection. |
||||||
|
Using this interface clients can request for a weston_protected_surface |
||||||
|
which is an extension to the wl_surface to provide content-protection, and |
||||||
|
set the censored-visibility on the non-secured-outputs. |
||||||
|
</description> |
||||||
|
|
||||||
|
<request name="destroy" type="destructor"> |
||||||
|
<description summary="unbind from the content protection interface"> |
||||||
|
Informs the server that the client will not be using this |
||||||
|
protocol object anymore. This does not affect any other objects, |
||||||
|
protected_surface objects included. |
||||||
|
</description> |
||||||
|
</request> |
||||||
|
|
||||||
|
<enum name="error"> |
||||||
|
<entry name="surface_exists" value="0" |
||||||
|
summary="the surface already has a protected surface associated"/> |
||||||
|
</enum> |
||||||
|
|
||||||
|
<request name="get_protection"> |
||||||
|
<description summary="extend surface interface for protection"> |
||||||
|
Instantiate an interface extension for the given wl_surface to |
||||||
|
provide surface protection. If the given wl_surface already has |
||||||
|
a weston_protected_surface associated, the surface_exists protocol |
||||||
|
error is raised. |
||||||
|
</description> |
||||||
|
<arg name="id" type="new_id" interface="weston_protected_surface" |
||||||
|
summary="new object id for protected surface"/> |
||||||
|
<arg name="surface" type="object" interface="wl_surface" |
||||||
|
summary="the surface"/> |
||||||
|
</request> |
||||||
|
</interface> |
||||||
|
|
||||||
|
<interface name="weston_protected_surface" version="1"> |
||||||
|
<description summary="content protection interface to a wl_surface"> |
||||||
|
An additional interface to a wl_surface object, which allows a client to |
||||||
|
request the minimum level of content-protection, request to change the |
||||||
|
visibility of their contents, and receive notifications about changes in |
||||||
|
content-protection. |
||||||
|
|
||||||
|
A protected surface has a 'status' associated with it, that indicates |
||||||
|
what type of protection it is currently providing, specified by |
||||||
|
content-type. Updates to this status are sent to the client |
||||||
|
via the 'status' event. Before the first status event is sent, the client |
||||||
|
should assume that the status is 'unprotected'. |
||||||
|
|
||||||
|
A client can request a content protection level to be the minimum for an |
||||||
|
output to be considered secure, using the 'set_type' request. |
||||||
|
It is responsibility of the client to monitor the actual |
||||||
|
content-protection level achieved via the 'status' event, and make |
||||||
|
decisions as to what content to show based on this. |
||||||
|
|
||||||
|
The server should make its best effort to achieve the desired |
||||||
|
content-protection level on all of the outputs the client's contents are |
||||||
|
being displayed on. Any changes to the content protection status should be |
||||||
|
reported to the client, even if they are below the requested |
||||||
|
content-protection level. If the client's contents are being displayed on |
||||||
|
multiple outputs, the lowest content protection level achieved should be |
||||||
|
reported. |
||||||
|
|
||||||
|
A client can also request that its content only be displayed on outputs |
||||||
|
that are considered secure. The 'enforce/relax' requests can achieve this. |
||||||
|
In enforce mode, the content is censored for non-secure outputs. |
||||||
|
The implementation of censored-visibility is compositor-defined. |
||||||
|
In relax mode there are no such limitation. On an attempt to show the |
||||||
|
client on unsecured output, compositor would keep on showing the content |
||||||
|
and send the 'status' event to the client. Client can take a call to |
||||||
|
downgrade the content. |
||||||
|
|
||||||
|
If the wl_surface associated with the protected_surface is destroyed, |
||||||
|
the protected_surface becomes inert. |
||||||
|
</description> |
||||||
|
|
||||||
|
<enum name="error"> |
||||||
|
<entry name="invalid_type" value="0" |
||||||
|
summary="provided type was not valid"/> |
||||||
|
</enum> |
||||||
|
|
||||||
|
<enum name="type"> |
||||||
|
<description summary="content types"> |
||||||
|
Description of a particular type of content protection. |
||||||
|
|
||||||
|
A server may not necessarily support all of these types. |
||||||
|
|
||||||
|
Note that there is no ordering between enum members unless specified. |
||||||
|
Over time, different types of content protection may be added, which |
||||||
|
may be considered less secure than what is already here. |
||||||
|
</description> |
||||||
|
<entry name="unprotected" value="0" summary="no protection required"/> |
||||||
|
<entry name="hdcp_0" value="1" summary="HDCP type 0"/> |
||||||
|
<entry name="hdcp_1" value="2" |
||||||
|
summary="HDCP type 1. This is a more secure than HDCP type 0."/> |
||||||
|
</enum> |
||||||
|
|
||||||
|
<request name="destroy" type="destructor"> |
||||||
|
<description summary="remove security from the surface"> |
||||||
|
If the protected_surface is destroyed, the wl_surface desired protection |
||||||
|
level returns to unprotected, as if set_type request was sent with type |
||||||
|
as 'unprotected'. |
||||||
|
</description> |
||||||
|
</request> |
||||||
|
|
||||||
|
<request name="set_type"> |
||||||
|
<description summary="set the acceptable level of content protection"> |
||||||
|
Informs the server about the type of content. The level of |
||||||
|
content-protection depends upon the content-type set by the client |
||||||
|
through this request. Initially, this is set to 'unprotected'. |
||||||
|
|
||||||
|
If the requested value is not a valid content_type enum value, the |
||||||
|
'invalid_type' protocol error is raised. It is not an error to request |
||||||
|
a valid protection type the compositor does not implement or cannot |
||||||
|
achieve. |
||||||
|
|
||||||
|
The requested content protection is double-buffered, see |
||||||
|
wl_surface.commit. |
||||||
|
</description> |
||||||
|
<arg name="type" type="uint" enum="type" |
||||||
|
summary="the desired type of content protection"/> |
||||||
|
</request> |
||||||
|
|
||||||
|
<request name="enforce"> |
||||||
|
<description summary="enforce censored-visibility constrain"> |
||||||
|
Censor the visibility of the wl_surface contents on non-secure outputs. |
||||||
|
See weston_protected_surface for the description. |
||||||
|
|
||||||
|
The force constrain mode is double-buffered, see wl_surface.commit |
||||||
|
</description> |
||||||
|
</request> |
||||||
|
|
||||||
|
<request name="relax"> |
||||||
|
<description summary="relax the censored-visibility constrain"> |
||||||
|
Do not enforce censored-visibility of the wl_surface contents on |
||||||
|
non-secure-outputs. See weston_protected_surface for the description. |
||||||
|
|
||||||
|
The relax mode is selected by default, if no explicit request is made |
||||||
|
for enforcing the censored-visibility. |
||||||
|
|
||||||
|
The relax mode is double-buffered, see wl_surface.commit |
||||||
|
</description> |
||||||
|
</request> |
||||||
|
|
||||||
|
<event name="status"> |
||||||
|
<description summary="security status changed"> |
||||||
|
This event is sent to the client to inform about the actual protection |
||||||
|
level for its surface in the relax mode. |
||||||
|
|
||||||
|
The 'type' argument indicates what that current level of content |
||||||
|
protection that the server has currently established. |
||||||
|
|
||||||
|
The 'status' event is first sent, when a weston_protected_surface is |
||||||
|
created. |
||||||
|
|
||||||
|
Until this event is sent for the first time, the client should assume |
||||||
|
that its contents are not secure, and the type is 'unprotected'. |
||||||
|
|
||||||
|
Possible reasons the content protection status can change is due to |
||||||
|
change in censored-visibility mode from enforced to relaxed, a new |
||||||
|
connector being added, movement of window to another output, or, |
||||||
|
the client attaching a buffer too large for what the server may secure. |
||||||
|
However, it is not limited to these reasons. |
||||||
|
|
||||||
|
A client may want to listen to this event and lower the resolution of |
||||||
|
their content until it can successfully be shown securely. |
||||||
|
|
||||||
|
In case of "enforce" mode, the client will not get any status event. |
||||||
|
If the mode is then changed to "relax", the client will receive the |
||||||
|
status event. |
||||||
|
</description> |
||||||
|
<arg name="type" type="uint" enum="type" |
||||||
|
summary="the current content protection level"/> |
||||||
|
</event> |
||||||
|
</interface> |
||||||
|
|
||||||
|
</protocol> |
Loading…
Reference in new issue