Wayland content-protection extension

Pekka Paalanen ppaalanen at gmail.com
Mon Jun 18 08:04:42 UTC 2018 

On Sat, 16 Jun 2018 12:50:52 +0530
Ramalingam C <ramalingam.c at intel.com> wrote:

> On Friday 15 June 2018 04:16 PM, Nautiyal, Ankit K wrote:
> >
> > Hi Pekka,
> >
> > Thanks for the suggestions. Please find my responses inline:
> >
> > On 6/15/2018 1:16 PM, Pekka Paalanen wrote:  
> >> On Wed, 13 Jun 2018 10:34:45 +0000
> >> "Nautiyal, Ankit K"<ankit.k.nautiyal at intel.com>  wrote:
> >>  
> >>> Hi All,
> >>>
> >>> I am working on wayland content-protection protocol extension, to
> >>> enable content-protection (HDCP1.4, HDCP2.2) in wayland. DRM layer
> >>> already has support for HDCP1.4 and patches for HDCP2.2 are in
> >>> review :https://patchwork.freedesktop.org/series/39596/
> >>>

> >>  From what I heard, the hardware will continuously or periodically
> >> confirm the protection status of the display data stream on the wire,
> >> and it is possible that the hardware status will change at runtime. The
> >> very least hotplug is a thing.  
> >
> > Yes agreed. The app will have a listener to content protection status.
> > It makes sense to have the even named as on/off.  
> Yes. HDCP Link status can change in run time for any connector.
> So Compositor is expected to check the current HDCP status of all 
> connectors on those protected surface is rendered.
> And inform the client with runtime cumulative HDCP protection for that 
> protected surface.

How does the kernel signal to userspace that the HDCP status has
changed? Do you piggyback on the hotplug event?

Anything that would require userspace to repeatedly re-read properties
without any events triggering it is bad design. If nothing is
happening, the compositor needs to be able to stay asleep.

> > As I understand the SRM messages will be delivered with content, to 
> > the kernel.
> > There is a separate Connector proprty of type blob for this.
> > SRM can be transmitted with a cable TV signal. It might be keep on 
> > getting updated as more devices, keep on adding to the table.
> >  
> 
> SRM table will be updated by DCP LLC as and when device is revocated. 
> And updated SRM table will be shared to all protected content providers.
> So the protected content player needs to supply the SRM to the kernel 
> for the revocation step in authentication, through compositor.
> 
> Compositor has to store the latest version in non-volatile memory and 
> expected to provide this information as a
> blob to all the connector for the authentication at the kernel. Storing 
> in non-volatile is required to fulfill the HDCP spec.

That sounds like the SRM table should not be part of a Wayland extension.

Let's say you have two apps: A and B. Vendor of A is shipping an
updated SRM table. Vendor of B is not shipping it yet, so it has an
outdated SRM table.

A user launches app A, then app B, to watch both. A trivial protocol
implementation will have app B overwrite the SRM table with an outdated
version.

The SRM table smells very much like compositor configuration,
especially because a) it is global state: you cannot program two
different tables to the same connector, and b) the compositor is
required to save it and use it later for all clients(?). One can also
envision a security issue, if a system allows third party apps: an app
could install a fake SRM table with a fake date.

So I would recommend keeping the SRM table updates out of this protocol
extension and work on that separately.

Also, do you have a way or requirement to authenticate the SRM table?
Is it signed? How do you install the verification key?


> >  
> >>> *       Downstream topology handling by the compositor, in case of,
> >>> HDCP repeaters.  
> >> Why would that be an issue affecting the protocol?  
> >
> > The topology information needs to be sent to client, in case of repeater.
> > I thin Ram can shed more light on it.  
> This interface is required to implement the repeater using the intel 
> platforms.
> In such scenario, each connectors will be considered as one HDCP 
> downstream ports.
> Compositor and kernel will be used for the HDCP authentication of the 
> downstream devices.
> And a userspace module can implement upstream port's HDCP authentication 
> through wireless/wired channel.
> 
> So this interface will be used for collecting the downstream devices in 
> each ports and provide them
> to the upstream hdcp device for the repeater authentication step.
> 
> I will try to compose complete flow in a mail. That will help us to be 
> in sync about the design we need and feasible.

Good, because I really didn't quite understand who does what now in
there.


Thanks,
pq
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/wayland-devel/attachments/20180618/e24e6a36/attachment.sig>

More information about the wayland-devel mailing list