[PATCH RFC wayland-protocols] Add secure output protocol

scott.anderson at collabora.com scott.anderson at collabora.com
Mon Nov 19 03:21:40 UTC 2018 

From: Scott Anderson <scott.anderson at collabora.com>

This protocol allows a client to ask the compositor to only allow it to
be displayed on a "secure" output (e.g. HDCP).

This is based on a chromium protocol of the same name [1].

This protocol is mostly useful for closed systems, where the client can
trust the compositor, such as set-top boxes. This is not a way to
implement any kind of Digital Rights Management on desktops. The
protocol deliberately doesn't define what a "secure output" is, and the
compositor would be free to lie to the client anyway.

Signed-off-by: Scott Anderson <scott.anderson at collabora.com>

[1] https://chromium.googlesource.com/chromium/src/+/master/third_party/wayland-protocols/unstable/secure-output/secure-output-unstable-v1.xml
---

Intel has proposed a similar protocol as a Weston merge request [2].
I believe these two protocols should be compared and merged to try and
come up with a general solution that everybody is happy with.

While this protocol is currently intended for using HDCP, I don't
believe it should be tied to HDCP in any way. If any other similar
technology is developed, it would be nice to not need to define a new
protocol or modify this one.

I don't think it's necessary for the client to know what type of
protection the compositor is providingi or if the protection status of
an output changes. It's up to the compositor to choose and negotiate
what kind of protection is required, and all the client needs to do is
trust that the compositor is putting their content on a secure output.
Clients should have no control or knowledge of how/where they're
presented.

The protocol also should be per wl_surface, instead of any type of
global client state. A client can have multiple surfaces, and they could
need to be treated differently. For example, one surface may be the
protected content which uses this interface, and the other may be a
dialog box which could be placed anywhere.

[2] https://gitlab.freedesktop.org/wayland/weston/blob/bb546cbbaaf6257ce018e7392747cc0fbdc1639f/protocol/content-protection.xml

 Makefile.am                                   |   1 +
 unstable/secure-output/README                 |   4 +
 .../secure-output-unstable-v1.xml             | 119 ++++++++++++++++++
 3 files changed, 124 insertions(+)
 create mode 100644 unstable/secure-output/README
 create mode 100644 unstable/secure-output/secure-output-unstable-v1.xml

diff --git a/Makefile.am b/Makefile.am
index 345ae6a..4d94747 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ unstable_protocols =								\
 	unstable/xdg-decoration/xdg-decoration-unstable-v1.xml	\
 	unstable/linux-explicit-synchronization/linux-explicit-synchronization-unstable-v1.xml \
 	unstable/primary-selection/primary-selection-unstable-v1.xml		\
+	unstable/secure-output/secure-output-unstable-v1.xml		\
 	$(NULL)
 
 stable_protocols =								\
diff --git a/unstable/secure-output/README b/unstable/secure-output/README
new file mode 100644
index 0000000..3251af9
--- /dev/null
+++ b/unstable/secure-output/README
@@ -0,0 +1,4 @@
+Secure output protocol
+
+Maintainers:
+David Reveman <reveman at chromium.org>
diff --git a/unstable/secure-output/secure-output-unstable-v1.xml b/unstable/secure-output/secure-output-unstable-v1.xml
new file mode 100644
index 0000000..63a2cdf
--- /dev/null
+++ b/unstable/secure-output/secure-output-unstable-v1.xml
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="secure_output_unstable_v1">
+
+  <copyright>
+    Copyright 2016 The Chromium Authors.
+    Copyright 2018 Collabora, Ltd.
+
+    Permission is hereby granted, free of charge, to any person obtaining a
+    copy of this software and associated documentation files (the "Software"),
+    to deal in the Software without restriction, including without limitation
+    the rights to use, copy, modify, merge, publish, distribute, sublicense,
+    and/or sell copies of the Software, and to permit persons to whom the
+    Software is furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice (including the next
+    paragraph) shall be included in all copies or substantial portions of the
+    Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+    DEALINGS IN THE SOFTWARE.
+  </copyright>
+
+  <description summary="Protocol for providing secure output">
+    This protocol specifies a set of interfaces used to prevent surface
+    contents from appearing in screenshots or from being visible on non-secure
+    outputs.
+
+    In order to prevent surface contents from appearing in screenshots or from
+    being visible on non-secure outputs, a client must first bind the global
+    interface "wp_secure_output" which, if a compositor supports secure output,
+    is exposed by the registry. Using the bound global object, the client uses
+    the "get_security" request to instantiate an interface extension for a
+    wl_surface object. This extended interface will then allow surfaces
+    to be marked as only visible on secure outputs.
+
+    Warning! The protocol described in this file is experimental and backward
+    incompatible changes may be made. Backward compatible changes may be added
+    together with the corresponding interface version bump. Backward
+    incompatible changes are done by bumping the version number in the protocol
+    and interface names and resetting the interface version. Once the protocol
+    is to be declared stable, the 'z' prefix and the version number in the
+    protocol and interface names are removed and the interface version number is
+    reset.
+  </description>
+
+  <interface name="zwp_secure_output_v1" version="1">
+    <description summary="secure output">
+      The global interface exposing secure output capabilities is used
+      to instantiate an interface extension for a wl_surface object.
+      This extended interface will then allow surfaces to be marked as
+      as only visible on secure outputs.
+    </description>
+
+    <request name="destroy" type="destructor">
+      <description summary="unbind from the secure output interface">
+	Informs the server that the client will not be using this
+	protocol object anymore. This does not affect any other objects,
+	security objects included.
+      </description>
+    </request>
+
+    <enum name="error">
+      <entry name="security_exists" value="0"
+	     summary="the surface already has a security object associated"/>
+    </enum>
+
+    <request name="get_security">
+      <description summary="extend surface interface for security">
+	Instantiate an interface extension for the given wl_surface to
+	provide surface security. If the given wl_surface already has
+	a security object associated, the security_exists protocol error
+	is raised.
+      </description>
+
+      <arg name="id" type="new_id" interface="zwp_security_v1"
+	   summary="the new security interface id"/>
+      <arg name="surface" type="object" interface="wl_surface"
+	   summary="the surface"/>
+    </request>
+  </interface>
+
+  <interface name="zwp_security_v1" version="1">
+    <description summary="security interface to a wl_surface">
+      An additional interface to a wl_surface object, which allows the
+      client to specify that a surface should not appear in screenshots
+      or be visible on non-secure outputs.
+
+      If the wl_surface associated with the security object is destroyed,
+      the security object becomes inert.
+
+      If the security object is destroyed, the security state is removed
+      from the wl_surface. The change will be applied on the next
+      wl_surface.commit.
+    </description>
+
+    <request name="destroy" type="destructor">
+      <description summary="remove security from the surface">
+	The associated wl_surface's security state is removed.
+	The change is applied on the next wl_surface.commit.
+      </description>
+    </request>
+
+    <request name="only_visible_on_secure_output">
+      <description summary="set the only visible on secure output state">
+	Constrain visibility of wl_surface contents to secure outputs.
+	See wp_secure_output for the description.
+
+	The only visible on secure output state is double-buffered state,
+	and will be applied on the next wl_surface.commit.
+      </description>
+    </request>
+  </interface>
+
+</protocol>
-- 
2.19.1

More information about the wayland-devel mailing list