Name

    EXT_protected_content

Name Strings

    EGL_EXT_protected_content

Contributors

    Ramesh Viswanathan
    Brian Ellis
    Colin Sharp
    Rajeev Kulkarni
    Mohan Maiya
    Maurice Ribble
    Craig Donner
    Jan-Harald Fredriksen
    Daniel Koch
    Michael Golds
    Ray Smith

Contacts

    Maurice Ribble (mribble 'at' qti.qualcomm.com)

IP Status

    No known IP claims.

Status

    Complete.

Version

    Version 13, December 6, 2021

Number

    EGL Extension #97

Dependencies

    Requires EGL 1.4.

    Interactions with EGL_KHR_image_base extension.

    This extension is written against the wording of the EGL 1.4.
    Specification (12/04/2013)

    This extension has interactions with EGL_EXT_protected_surface if that
    extension is supported.  The interactions are described in the main text.

Overview

    This extension introduces the concept of protected contexts and protected
    resources, specifically surfaces and EGLImages. Applications can choose at
    creation time whether a context, surface or EGLImage is protected or not.

    A protected context is required to allow the GPU to operate on protected
    resources, including protected surfaces and protected EGLImages.

    An explanation of undefined behavior in this extension: Several places
    in this extension mention undefined behavior can result, which can
    include program termination. The reason for this is because one way
    to handle protected content is by using a protected virtual to physical
    memory translation layer. With this sort of solution a system may generate
    read or write faults when a non-protected source tries to access a protected
    buffer. Depending on the system these faults might be ignored or they might
    cause process termination. This undefined behavior should not include
    actually allowing a transfer of data from a protected surface to a
    non-protected surface.

New Types

    None

New Procedures and Functions

    None

New Tokens

    Accepted as an attribute name in the <attrib_list> parameter of
    eglCreateContext, eglCreateWindowSurface, and eglCreateImageKHR;
    and as an parameter of eglQuerySurface and eglQueryContext:

        EGL_PROTECTED_CONTENT_EXT               0x32C0
        

Add a new section 2.7 entitled "Protected Content" at the end of Chapter 2 (EGL
Operation)

   "The attribute EGL_PROTECTED_CONTENT_EXT can be applied to EGL contexts,
    EGL surfaces and EGLImages. If the attribute EGL_PROTECTED_CONTENT_EXT
    is set to EGL_TRUE by the application, then the newly created EGL object
    is said to be protected. A protected context is required to allow the
    GPU to operate on protected resources, including protected surfaces and
    protected EGLImages.

    GPU operations are grouped into pipeline stages. Pipeline stages can be
    defined to be protected or not protected. Each stage defines
    restrictions on whether it can read or write protected and unprotected
    resources, as follows:

    When a GPU stage is protected, it:
    - Can read from protected resources
    - Can read from unprotected resources
    - Can write to protected resources
    - Can NOT write to unprotected resources

    When a GPU stage is not protected, it:
    - Can NOT read from protected resources
    - Can read from unprotected resources
    - Can NOT write to protected resources
    - Can write to unprotected resources

    Any accesses not following these restrictions will result in undefined
    behavior.

    This extension does not specify which pipeline stages of a protected
    context are protected or not. This is left to a client API extension to
    define. All stages in a regular (not protected) context are not
    protected. However, if EGL_EXT_protected_surface is also supported, a
    regular (not protected) context will execute stages where one or more
    protected resources is accessed as if it were a protected context.

    Note that the protection state of a stage may be left implementation
    defined by a client API extension. This means that no guarantees can be
    made about whether the stage will be protected or not protected.
    Practically this means that the permitted operations for such a stage
    are the intersection of the allowed operations for protected and not
    protected stages, i.e it:

    - Can NOT read from protected resources
    - Can read from unprotected resources
    - Can NOT write to protected resources
    - Can NOT write to unprotected resources

    Since this is not a very useful set of operations refer to the client API
    extension to see what operations are actually allowed.

    This extension does not guarantee the implementation abides by a
    system's digital rights management requirements. It must be verified
    beyond the existence of this extension that the implementation of this
    extension is trustworthy according to the requirements of a content
    protection system."

Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Contexts)

    Change the fifth paragraph in section 3.7.1 Creating Rendering Contexts:

        "attrib list specifies a list of attributes for the context. The
        list has the same structure as described for eglChooseConfig.
        Attributes that can be specified in attrib list include
        EGL_CONTEXT_CLIENT_VERSION and EGL_PROTECTED_CONTENT_EXT. The
        EGL_CONTEXT_CLIENT_VERSION attribute may only be specified when
        creating a OpenGL ES context (e.g. when the current rendering API is
        EGL_OPENGL_ES_API)."

    Add the following paragraph in section 3.7.1 on p. 44 before "attrib list
    may be NULL or empty (first attribute is EGL_NONE), in which case
    attributes assume their default values as described below."

       "EGL_PROTECTED_CONTENT_EXT specifies the protected state of the new
        context. If its value is EGL_TRUE, then the context is said to be
        protected. If its value is EGL_FALSE, then the context is not
        protected. See section 2.7 (Protected Content) for more information
        about protected contexts.

        The default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE."

    Add the following paragraph in section 3.7.4 Context Queries. Add after
    the last paragraph after eglQueryContext queries.
    
        "Querying EGL_PROTECTED_CONTENT_EXT returns the current value"

Additions to Chapter 3 of the EGL 1.4 Specification (Rendering Surfaces)

    Change the second paragraph in section 3.5 on p. 28 (describing
    eglCreateWindowSurface):

        "Attributes that can be specified in attrib list include
        EGL_RENDER_BUFFER, EGL_PROTECTED_CONTENT_EXT, EGL_VG_COLORSPACE, and
        EGL_VG_ALPHA_FORMAT."

    Add the following paragraph in section 3.5 on p. 28 before
    "EGL_VG_COLORSPACE specifies the color space used by OpenVG" (describing
    eglCreateWindowSurface(attrib_list):

        "EGL_PROTECTED_CONTENT_EXT specifies the protected state of the
        window surface. If its value is EGL_TRUE, then the surface content
        is said to be protected. If its value is EGL_FALSE, then the surface
        content is not protected. See section 2.7 (Protected Content) for
        more information about protected and non-protected surfaces.

        Client APIs will not allow contents of protected surfaces to be
        accessed by non-protected contexts in the system (including
        non-secure software running on the CPU). Such operations will result
        in undefined behavior.

        Calling eglSwapBuffers on such a protected surface will succeed, but
        the contents may or may not be posted successfully depending on
        whether those parts of the pipeline are capable of handling
        protected content. Any disallowed operation will fail and result in
        undefined behavior.

        The default value of EGL_PROTECTED_CONTENT_EXT is EGL_FALSE."

    Add the following paragraph in section 3.5.6 Surface Attributes. Add after
    the last paragraph after eglQuerySurface attribute queries.
    
        "Querying EGL_PROTECTED_CONTENT_EXT returns the current value"

Additions to EGL_KHR_image_base extension specification

    Add to section 2.5.1 Table bbb:
      +-----------------------------+-------------------------+---------------+
      | Attribute                   | Description             | Default Value |
      +-----------------------------+-------------------------+---------------+
      | EGL_NONE                    | Marks the end of the    | N/A           |
      |                             | attribute-value list    |               |
      | EGL_IMAGE_PRESERVED_KHR     | Whether to preserve     | EGL_FALSE     |
      |                             | pixel data              |               |
      | EGL_PROTECTED_CONTENT_EXT   | Content protection      | EGL_FALSE     |
      |                             | state                   |               |
      +-----------------------------+-------------------------+---------------+
       Table bbb.  Legal attributes for eglCreateImageKHR <attrib_list>
       parameter

    Add the following paragraph to section 2.5.1 before "Errors" (describing
    eglCreateImageKHR):

        "If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_TRUE
        and the EGLImage sources can be guaranteed to be protected, then the
        EGLImage is said to be protected. See section 2.7 (Protected Content)
        for more information about protected resources including EGLImages.

        If the value of attribute EGL_PROTECTED_CONTENT_EXT is EGL_FALSE then:

        - If EGLImage sources are not protected, the EGLImage is said to be
          not protected. See section 2.7 (Protected Content) for more
          information about non-protected resources including EGLImages.
        - If EGLImage sources are protected then the EGLImage content will
          be inaccessible to any client context irrespective of whether the
          context is protected or not. Trying to access such an EGLImage's
          content will result in undefined behavior."

   Add the following to the Errors list in section 2.5.1

        "If the value specified in <attrib_list> for EGL_PROTECTED_CONTENT_EXT
        is EGL_TRUE, and EGL and its client is unable to make guarantees
        regarding the protected state of the EGLImage source, the error
        EGL_BAD_ACCESS is generated."

Issues
    1) Can a protected context be shared with a non-protected context?

    RESOLVED - Yes. The rule that protected surfaces can only be used by
    protected contexts still applies. An example use case is where
    someone wants to render to unprotected textures within an unprotected
    context and then share it with a protected context to be used as a texture.

    2) Should all surfaces within a protected context be protected by default?

    RESOLVED - No, several implementations have limited amounts of protected
    memory, so the API will require opting into protected memory.

    3) Can these protected surfaces be used by stages other than fragment
    shader stage?

    RESOLVED - Some hardware can't handle this so this behavior is undefined
    unless there is explicit working in some new spec saying the behavior is
    defined.  This is put as an issue because this is an EGL extension and
    should not be controlling OpenGL functionality.

    4) Why is EGL_PROTECTED_CONTENT_EXT flag needed for EGLImages?

    RESOLVED - A few reasons for having an explicit flag instead
    of inferring the protected status from EGLImage sources -

      1) There are multiple EGL image extensions (EGL QCOM image, EGL
        android image and so on) that accept buffers from external modules
        instead of client resources or allow internally allocated memory.
        For these use cases a protected attribute is useful, so we want to
        keep this flag.
      2) An implementation might have a few non-standard setup steps that
        need to be completed before a protected EGL image can be accessed.
        This attribute along with a corresponding protected buffer will act
        as a signal for the graphics driver to initiate/complete any such
        steps.
      3) An application creating an image from an external resource may not
        be aware of the fact that the resource is protected or may be unable
        to access its content. The successful mapping of and access to a
        protected buffer through an EGLImage will be predicated on the
        buffer being protected, having a protected context and the intent of
        the application to access that buffer by passing in EGL_TRUE for the
        attribute EGL_PROTECTED_CONTENT_EXT.


Revision History

    Rev.    Date     Author    Changes
    ----  --------  --------  ----------------------------------------------
     1    09/24/14   Ramesh   Initial draft.
     2    11/20/14   Rajeev   Second draft.
     3    03/07/16   mribble  Make EXT and clean up for release.
     4    03/10/16   mribble  Cleanup.
     5    03/18/16   mribble  Fix issues brought up by Khronos group.
     6    03/24/16   mribble  Resolved some small issues found by Jan-Harald.
     7    03/25/16   mribble  Fix createContext wording.
     8    03/30/16   mribble  Added issue 5.
     9    04/05/16   mribble  Added issue 6 and better defined eglImage case.
     10   04/08/16   rsmith   - Added general section on protected content.
                              Protected context, surface and image creation now
                              refer to the general protected content principles.
                              - Added explicit definition of which stages are
                              protected, including allowing for the protected
                              state of a stage to be undefined.
                              - Formalised interactions with
                              EGL_EXT_protected_surface.
                              - Removed references to the GPU protected mode,
                              including issue 3.
     11   04/10/16   mribble  Merge and cleanup.
     12   04/14/16  Jon Leech Cleanup formatting, reflow paragraphs and
                              quote additions consistently. Assign extension
                              number.
     13   12/06/21 Jeff Vigil Add queries for protected content attribute.
