diff -Nru libva-2.10.0/configure.ac libva-2.11.0/configure.ac --- libva-2.10.0/configure.ac 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/configure.ac 2021-03-23 10:54:35.000000000 +0000 @@ -27,7 +27,7 @@ # - reset micro version to zero when minor version is incremented # - reset minor version to zero when major version is incremented m4_define([va_api_major_version], [1]) -m4_define([va_api_minor_version], [10]) +m4_define([va_api_minor_version], [11]) m4_define([va_api_micro_version], [0]) m4_define([va_api_version], @@ -75,7 +75,7 @@ [m4_eval(libva_binary_age - libva_interface_age)]) # libdrm minimun version requirement -m4_define([libdrm_version], [2.4]) +m4_define([libdrm_version], [2.4.60]) # Wayland minimum version number # 1.11.0 for wl_proxy_create_wrapper diff -Nru libva-2.10.0/debian/changelog libva-2.11.0/debian/changelog --- libva-2.10.0/debian/changelog 2020-12-06 15:55:03.000000000 +0000 +++ libva-2.11.0/debian/changelog 2021-07-14 22:31:59.000000000 +0000 @@ -1,3 +1,17 @@ +libva (2.11.0-1~kisak~h) hirsute; urgency=medium + + * No change backport to hirsute + + -- kisak Wed, 14 Jul 2021 18:31:59 -0400 + +libva (2.11.0-1) experimental; urgency=medium + + * New upstream version 2.11.0 + * debian/control: Provide new driver ABI + * debian/libva2.symbols: Add new symbols + + -- Sebastian Ramacher Thu, 25 Mar 2021 22:16:36 +0100 + libva (2.10.0-1) unstable; urgency=medium * New upstream release diff -Nru libva-2.10.0/debian/control libva-2.11.0/debian/control --- libva-2.10.0/debian/control 2020-12-06 15:53:58.000000000 +0000 +++ libva-2.11.0/debian/control 2021-07-14 22:31:22.000000000 +0000 @@ -67,7 +67,8 @@ libva-driver-abi-1.7, libva-driver-abi-1.8, libva-driver-abi-1.9, - libva-driver-abi-1.10 + libva-driver-abi-1.10, + libva-driver-abi-1.11 Description: Video Acceleration (VA) API for Linux -- runtime Video Acceleration API (VA API) is a library ("libVA") and API specification which enables and provides access to graphics hardware (GPU) acceleration for diff -Nru libva-2.10.0/debian/libva2.symbols libva-2.11.0/debian/libva2.symbols --- libva-2.10.0/debian/libva2.symbols 2020-12-06 15:54:53.000000000 +0000 +++ libva-2.11.0/debian/libva2.symbols 2021-07-14 22:31:22.000000000 +0000 @@ -4,6 +4,7 @@ VA_API_0.33.0@VA_API_0.33.0 1.2.0 vaAcquireBufferHandle@Base 1.4.0 vaAssociateSubpicture@Base 1.0.3 + vaAttachProtectedSession@Base 2.11.0 vaBeginPicture@Base 1.0.3 vaBufferInfo@Base 2.0.0 vaBufferSetNumElements@Base 1.0.3 @@ -16,6 +17,7 @@ vaCreateContext@Base 1.0.3 vaCreateImage@Base 1.0.3 vaCreateMFContext@Base 2.1.0 + vaCreateProtectedSession@Base 2.11.0 vaCreateSubpicture@Base 1.0.3 vaCreateSurfaces@VA_API_0.32.0 1.2.0 vaCreateSurfaces@VA_API_0.33.0 1.2.0 @@ -25,8 +27,10 @@ vaDestroyConfig@Base 1.0.3 vaDestroyContext@Base 1.0.3 vaDestroyImage@Base 1.0.3 + vaDestroyProtectedSession@Base 2.11.0 vaDestroySubpicture@Base 1.0.3 vaDestroySurfaces@Base 1.0.3 + vaDetachProtectedSession@Base 2.11.0 vaDisplayIsValid@Base 1.0.3 vaEndPicture@Base 1.0.3 vaEntrypointStr@Base 2.1.0 @@ -49,6 +53,7 @@ vaMaxNumProfiles@Base 1.0.3 vaMaxNumSubpictureFormats@Base 1.0.3 vaProfileStr@Base 2.2.0 + vaProtectedSessionExecute@Base 2.11.0 vaPutImage@Base 1.0.3 vaQueryConfigAttributes@Base 2.1.0 vaQueryConfigEntrypoints@Base 2.2.0 diff -Nru libva-2.10.0/doc/Makefile.am libva-2.11.0/doc/Makefile.am --- libva-2.10.0/doc/Makefile.am 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/doc/Makefile.am 2021-03-23 10:54:35.000000000 +0000 @@ -44,6 +44,7 @@ $(VA_HEADER_DIR)/va_dec_jpeg.h \ $(VA_HEADER_DIR)/va_dec_vp8.h \ $(VA_HEADER_DIR)/va_dec_vp9.h \ + $(VA_HEADER_DIR)/va_prot.h \ $(VA_HEADER_DIR)/va_vpp.h \ $(NULL) diff -Nru libva-2.10.0/doc/meson.build libva-2.11.0/doc/meson.build --- libva-2.10.0/doc/meson.build 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/doc/meson.build 2021-03-23 10:54:35.000000000 +0000 @@ -16,6 +16,7 @@ 'va_dec_jpeg.h', 'va_dec_vp8.h', 'va_dec_vp9.h', + 'va_prot.h', 'va_vpp.h' ] diff -Nru libva-2.10.0/.github/workflows/freebsd.yml libva-2.11.0/.github/workflows/freebsd.yml --- libva-2.10.0/.github/workflows/freebsd.yml 1970-01-01 00:00:00.000000000 +0000 +++ libva-2.11.0/.github/workflows/freebsd.yml 2021-03-23 10:54:35.000000000 +0000 @@ -0,0 +1,26 @@ +name: freebsd + +on: + push: + paths-ignore: + - '.github/workflows/**' + - '!.github/workflows/freebsd.yml' + pull_request: + paths-ignore: + - '.github/workflows/**' + - '!.github/workflows/freebsd.yml' + +jobs: + freebsd: + runs-on: macos-latest + steps: + - uses: actions/checkout@v2 + - name: test + uses: vmactions/freebsd-vm@v0.1.2 + with: + prepare: | + pkg install -y meson pkgconf libdrm libXext libXfixes wayland + pkg install -y -x '^mesa($|-libs)' + run: | + meson _build + meson compile -C _build diff -Nru libva-2.10.0/.github/workflows/ubuntu.yml libva-2.11.0/.github/workflows/ubuntu.yml --- libva-2.10.0/.github/workflows/ubuntu.yml 1970-01-01 00:00:00.000000000 +0000 +++ libva-2.11.0/.github/workflows/ubuntu.yml 2021-03-23 10:54:35.000000000 +0000 @@ -0,0 +1,84 @@ +name: ubuntu + +on: + push: + paths-ignore: + - '.github/workflows/**' + - '!.github/workflows/ubuntu.yml' + pull_request: + paths-ignore: + - '.github/workflows/**' + - '!.github/workflows/ubuntu.yml' + +jobs: + ubuntu-latest: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: install prerequisites + run: | + sudo apt-get update + sudo apt-get install -y \ + libdrm-dev \ + libegl1-mesa-dev \ + libgl1-mesa-dev \ + libx11-dev \ + libxext-dev \ + libxfixes-dev \ + libwayland-dev + - name: configure + run: ./autogen.sh --prefix=/usr + - name: build + run: make + - name: check + run: make check + - name: install + run: sudo make install + + ubuntu-20-04: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install prerequisites + run: | + sudo apt-get update + sudo apt-get install -y \ + libdrm-dev \ + libegl1-mesa-dev \ + libgl1-mesa-dev \ + libx11-dev \ + libxext-dev \ + libxfixes-dev \ + libwayland-dev + - name: configure + run: ./autogen.sh --prefix=/usr + - name: build + run: make + - name: check + run: make check + - name: install + run: sudo make install + + ubuntu-18-04: + runs-on: ubuntu-18.04 + steps: + - uses: actions/checkout@v2 + - name: install prerequisites + run: | + sudo apt-get update + sudo apt-get install -y \ + libdrm-dev \ + libegl1-mesa-dev \ + libgl1-mesa-dev \ + libx11-dev \ + libxext-dev \ + libxfixes-dev \ + libwayland-dev + - name: configure + run: ./autogen.sh --prefix=/usr + - name: build + run: make + - name: check + run: make check + - name: install + run: sudo make install diff -Nru libva-2.10.0/meson.build libva-2.11.0/meson.build --- libva-2.10.0/meson.build 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/meson.build 2021-03-23 10:54:35.000000000 +0000 @@ -7,7 +7,7 @@ # - reset micro version to zero when VA-API major or minor version is changed project( 'libva', 'c', - version : '2.10.0', + version : '2.11.0', meson_version : '>= 0.37.0', default_options : [ 'warning_level=1', 'buildtype=debugoptimized' ]) @@ -19,7 +19,7 @@ # - reset micro version to zero when minor version is incremented # - reset minor version to zero when major version is incremented va_api_major_version = 1 -va_api_minor_version = 10 +va_api_minor_version = 11 va_api_micro_version = 0 va_api_version = '@0@.@1@.@2@'.format(va_api_major_version, @@ -75,7 +75,7 @@ cc = meson.get_compiler('c') dl_dep = cc.find_library('dl', required : false) -libdrm_dep = dependency('libdrm', version : '>= 2.4') +libdrm_dep = dependency('libdrm', version : '>= 2.4.60') WITH_DRM = not get_option('disable_drm') diff -Nru libva-2.10.0/NEWS libva-2.11.0/NEWS --- libva-2.10.0/NEWS 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/NEWS 2021-03-23 10:54:35.000000000 +0000 @@ -1,6 +1,24 @@ -libva NEWS -- summary of user visible changes. 2020-12-03 +libva NEWS -- summary of user visible changes. 2021-03-23 Copyright (C) 2009-2020 Intel Corporation +version 2.11.0 - 23.Mar.2021 +* add: LibVA Protected Content API +* add: Add a configuration attribute to advertise AV1d LST feature +* fix: wayland: don't try to authenticate with render nodes +* autotools: use shell grouping instead of sed to prepend a line +* trace: Add details data dump for mpeg2 IQ matrix. +* doc: update docs for VASurfaceAttribPixelFormat +* doc: Libva documentation edit for AV1 reference frames +* doc: Modify AV1 frame_width_minus1 and frame_height_minus1 comment +* doc: Remove tile_rows and tile_cols restriction to match AV1 spec +* doc: Format code for doxygen output +* doc: AV1 decode documentation edit for superres_scale_denominator +* ci: upgrade FreeBSD to 12.2 +* ci: disable travis build +* ci: update cache before attempting to install packages +* ci: avoid running workloads on other workloads changes +* ci: enable github actions + version 2.10.0 - 04.Dec.2020 * add: Pass offset and size of pred_weight_table * add: add vaCopy interface to copy surface and buffer diff -Nru libva-2.10.0/.travis.yml libva-2.11.0/.travis.yml --- libva-2.10.0/.travis.yml 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/.travis.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,107 +0,0 @@ -dist: xenial -sudo: required - -language: c -compiler: gcc -os: linux - -env: - global: - - NUM_THREADS=4 - # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created - # via the "travis encrypt" command using the project repo's public key - - secure: "Eu+ys+LW614J1wU1+i2qpfbSq9gFPvPq09XBgkK2hkDIEuouOX+G4ydpqc7Wg7+pv/P38KiUdbyoJtPxryvlwFYmuL/MEHPzjqVmxHuS0TpqwYE7Fh/44d/N9slGjD9Iv//pbabVrcrTptuJIRwH76GVsmec564uXd+yZGlR0c0=" - - -before_install: - - test "${TRAVIS_BRANCH}" != 'coverity_scan' -o "${TRAVIS_JOB_NUMBER##*.}" = '1' || exit 0 - - echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca- - - | - sudo systemctl stop apt-daily.service && - sudo systemctl kill --kill-who=all apt-daily.service && - while ! (systemctl list-units --all apt-daily.service | fgrep -q dead) ; do - sleep 1 - done - - pip install --user cpp-coveralls - - sudo apt-get -qq update - - sudo apt-get install -y build-essential - - sudo apt-get install -y autoconf - - sudo apt-get install -y automake - - sudo apt-get install -y libtool - - sudo apt-get install -y m4 - - sudo apt-get install -y lcov - - sudo apt-get install -y perl - - sudo apt-get install -y pkg-config - - sudo apt-get install -y libdrm-dev - - sudo apt-get install -y autoconf - - sudo apt-get install -y libegl1-mesa-dev - - sudo apt-get install -y libgl1-mesa-dev - - sudo apt-get install -y libwayland-dev - - sudo apt-get install -y libx11-dev - - sudo apt-get install -y libxext-dev - - sudo apt-get install -y libxfixes-dev - -addons: - coverity_scan: - project: - name: "intel/libva" - description: "Build submitted via Travis CI" - notification_email: intel-media-security@lists.01.org - build_command_prepend: "./autogen.sh; ./configure --prefix=/usr" - build_command: "make -j4" - branch_pattern: coverity_scan - -script: - - if [[ "${COVERITY_SCAN_BRANCH}" == 1 ]]; - then - echo "Don't build on coverty_scan branch."; - exit 0; - fi - - if [[ -n "$(find -name '*.[ch]' -executable)" ]]; - then - echo "Error, a source code file(s) has the execute bit set:" >&2; - find -name '*.[ch]' -executable; - exit 1; - fi - - ./autogen.sh - - ./configure --prefix=/usr - - make -j4 ; sudo make install - - make check - -jobs: - include: - - os: linux - - os: freebsd - compiler: clang - before_install: - - sudo pkg install -y meson pkgconf libdrm libXext libXfixes wayland - - sudo pkg install -y -x '^mesa($|-libs)' - script: - - meson _build - - meson compile -C _build - after_success: skip - -after_success: - - coveralls --exclude lib --exclude tests --gcov-options '\-lp' - -notifications: -# Emails are sent to the committer's git-configured email address by default, -# but only if they have access to the repository. To enable Travis on your -# public project, just go to travis-ci.org and flip the switch on for -# your project. To configure your git email address, use: -# git config --global user.email me@example.com - email: - on_success: always - on_failure: always - -# Slack notifications -# - slack: intel-media:p0wZO3fWJ1ouSsF0RNKbOl5G - -# IRC notifications disabled by default. -# Uncomment next 5 lines to send notifications to chat.freenode.net#caffe -# irc: -# channels: -# - "chat.freenode.net#intel-media" -# template: -# - "%{repository}/%{branch} (%{commit} - %{author}): %{message}" diff -Nru libva-2.10.0/va/Makefile.am libva-2.11.0/va/Makefile.am --- libva-2.10.0/va/Makefile.am 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/Makefile.am 2021-03-23 10:54:35.000000000 +0000 @@ -41,6 +41,7 @@ libva_source_h = \ va.h \ va_backend.h \ + va_backend_prot.h \ va_backend_vpp.h \ va_compat.h \ va_dec_av1.h \ @@ -62,6 +63,7 @@ va_str.h \ va_tpi.h \ va_version.h \ + va_prot.h \ va_vpp.h \ $(NULL) diff -Nru libva-2.10.0/va/meson.build libva-2.11.0/va/meson.build --- libva-2.10.0/va/meson.build 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/meson.build 2021-03-23 10:54:35.000000000 +0000 @@ -20,6 +20,7 @@ libva_headers = [ 'va.h', 'va_backend.h', + 'va_backend_prot.h', 'va_backend_vpp.h', 'va_compat.h', 'va_dec_hevc.h', @@ -40,6 +41,7 @@ 'va_enc_vp9.h', 'va_str.h', 'va_tpi.h', + 'va_prot.h', 'va_vpp.h', version_file, ] diff -Nru libva-2.10.0/va/va_backend.h libva-2.11.0/va/va_backend.h --- libva-2.10.0/va/va_backend.h 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va_backend.h 2021-03-23 10:54:35.000000000 +0000 @@ -637,7 +637,14 @@ void (*info_callback)(VADriverContextP pDriverContext, const char *message); - unsigned long reserved[38]; /* reserve for future add-ins, decrease the subscript accordingly */ + /** + * \brief The VA/Protected implementation hooks. + * + * This structure is allocated from libva with calloc(). + */ + struct VADriverVTableProt *vtable_prot; + + unsigned long reserved[37]; /* reserve for future add-ins, decrease the subscript accordingly */ }; #define VA_DISPLAY_MAGIC 0x56414430 /* VAD0 */ diff -Nru libva-2.10.0/va/va_backend_prot.h libva-2.11.0/va/va_backend_prot.h --- libva-2.10.0/va/va_backend_prot.h 1970-01-01 00:00:00.000000000 +0000 +++ libva-2.11.0/va/va_backend_prot.h 2021-03-23 10:54:35.000000000 +0000 @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2020 Intel Corporation. All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sub license, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice (including the + * next paragraph) shall be included in all copies or substantial portions + * of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. + * IN NO EVENT SHALL INTEL AND/OR ITS SUPPLIERS BE LIABLE FOR + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#ifndef VA_BACKEND_PROT_H +#define VA_BACKEND_PROT_H + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** \brief VTable version for VA/PROTECTION hooks. */ +#define VA_DRIVER_VTABLE_PROT_VERSION 1 + +struct VADriverVTableProt { + unsigned int version; + + VAStatus + (*vaCreateProtectedSession)( + VADriverContextP ctx, + VAConfigID config_id, + VAProtectedSessionID *protected_session + ); + + VAStatus + (*vaDestroyProtectedSession)( + VADriverContextP ctx, + VAProtectedSessionID protected_session + ); + + VAStatus + (*vaAttachProtectedSession)( + VADriverContextP ctx, + VAContextID context, + VAProtectedSessionID protected_session + ); + + VAStatus + (*vaDetachProtectedSession)( + VADriverContextP ctx, + VAContextID context + ); + + VAStatus + (*vaProtectedSessionExecute)( + VADriverContextP ctx, + VAProtectedSessionID protected_session, + VABufferID buf_id + ); + + /** \brief Reserved bytes for future use, must be zero */ + unsigned long reserved[VA_PADDING_MEDIUM]; +}; + +#ifdef __cplusplus +} +#endif + +#endif /* VA_BACKEND_PROT_H */ diff -Nru libva-2.10.0/va/va.c libva-2.11.0/va/va.c --- libva-2.10.0/va/va.c 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va.c 2021-03-23 10:54:35.000000000 +0000 @@ -26,6 +26,7 @@ #include "sysdeps.h" #include "va.h" #include "va_backend.h" +#include "va_backend_prot.h" #include "va_backend_vpp.h" #include "va_internal.h" #include "va_trace.h" @@ -495,6 +496,7 @@ } else { struct VADriverVTable *vtable = ctx->vtable; struct VADriverVTableVPP *vtable_vpp = ctx->vtable_vpp; + struct VADriverVTableProt *vtable_prot = ctx->vtable_prot; vaStatus = VA_STATUS_SUCCESS; if (!vtable) { @@ -513,6 +515,15 @@ } ctx->vtable_vpp = vtable_vpp; + if (!vtable_prot) { + vtable_prot = calloc(1, sizeof(*vtable_prot)); + if (vtable_prot) + vtable_prot->version = VA_DRIVER_VTABLE_PROT_VERSION; + else + vaStatus = VA_STATUS_ERROR_ALLOCATION_FAILED; + } + ctx->vtable_prot = vtable_prot; + if (init_func && VA_STATUS_SUCCESS == vaStatus) vaStatus = (*init_func)(ctx); @@ -778,6 +789,8 @@ old_ctx->vtable = NULL; free(old_ctx->vtable_vpp); old_ctx->vtable_vpp = NULL; + free(old_ctx->vtable_prot); + old_ctx->vtable_prot = NULL; if (old_ctx->override_driver_name) { free(old_ctx->override_driver_name); @@ -2306,3 +2319,116 @@ va_status = ctx->vtable->vaCopy( ctx, dst, src, option); return va_status; } + +/* Protected content */ +#define VA_PROT_INIT_CONTEXT(ctx, dpy) do { \ + CHECK_DISPLAY(dpy); \ + ctx = CTX(dpy); \ + if (!ctx) \ + return VA_STATUS_ERROR_INVALID_DISPLAY; \ + } while (0) + +#define VA_PROT_INVOKE(dpy, func, args) do { \ + if (!ctx->vtable_prot->va##func) \ + return VA_STATUS_ERROR_UNIMPLEMENTED; \ + status = ctx->vtable_prot->va##func args; \ + } while (0) + +VAStatus vaCreateProtectedSession( + VADisplay dpy, + VAConfigID config_id, + VAProtectedSessionID *protected_session +) +{ + VADriverContextP ctx; + VAStatus status; + + VA_PROT_INIT_CONTEXT(ctx, dpy); + VA_PROT_INVOKE( + ctx, + CreateProtectedSession, + (ctx, config_id, protected_session) + ); + VA_TRACE_RET(dpy, status); + + return status; +} + +VAStatus vaDestroyProtectedSession( + VADisplay dpy, + VAProtectedSessionID protected_session +) +{ + VADriverContextP ctx; + VAStatus status; + + VA_PROT_INIT_CONTEXT(ctx, dpy); + VA_PROT_INVOKE( + ctx, + DestroyProtectedSession, + (ctx, protected_session) + ); + VA_TRACE_RET(dpy, status); + + return status; +} + +VAStatus vaAttachProtectedSession( + VADisplay dpy, + VAContextID context, + VAProtectedSessionID protected_session +) +{ + VADriverContextP ctx; + VAStatus status; + + VA_PROT_INIT_CONTEXT(ctx, dpy); + VA_PROT_INVOKE( + ctx, + AttachProtectedSession, + (ctx, context, protected_session) + ); + VA_TRACE_RET(dpy, status); + + return status; +} + +VAStatus vaDetachProtectedSession( + VADisplay dpy, + VAContextID context +) +{ + VADriverContextP ctx; + VAStatus status; + + VA_PROT_INIT_CONTEXT(ctx, dpy); + VA_PROT_INVOKE( + ctx, + DetachProtectedSession, + (ctx, context) + ); + VA_TRACE_RET(dpy, status); + + return status; +} + +VAStatus vaProtectedSessionExecute( + VADisplay dpy, + VAProtectedSessionID protected_session, + VABufferID data +) +{ + VADriverContextP ctx; + VAStatus status; + + VA_PROT_INIT_CONTEXT(ctx, dpy); + VA_PROT_INVOKE( + ctx, + ProtectedSessionExecute, + (ctx, protected_session, data) + ); + VA_TRACE_RET(dpy, status); + + return status; +} + diff -Nru libva-2.10.0/va/va_dec_av1.h libva-2.11.0/va/va_dec_av1.h --- libva-2.10.0/va/va_dec_av1.h 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va_dec_av1.h 2021-03-23 10:54:35.000000000 +0000 @@ -38,6 +38,26 @@ extern "C" { #endif +/** Attribute value for VAConfigAttribDecAV1Features. + * + * This attribute decribes the supported features of a AV1 + * decoder configuration. + * + */ +typedef union VAConfigAttribValDecAV1Features { + struct { + /** large scale tile + * + * This conveys whether AV1 large scale tile is supported by HW. + * 0 - unsupported, 1 - supported. + */ + uint32_t lst_support : 2; + /* Reserved for future use. */ + uint32_t reserved : 30; + } bits; + uint32_t value; +} VAConfigAttribValDecAV1Features; + /** * \brief AV1 Decoding Picture Parameter Buffer Structure * @@ -305,7 +325,6 @@ /** \brief Picture resolution minus 1 * Picture original resolution. If SuperRes is enabled, * this is the upscaled resolution. - * The value may not be multiple of 8. * value range [0..65535] */ uint16_t frame_width_minus1; @@ -322,7 +341,7 @@ * * Contains a list of uncompressed frame buffer surface indices as references. * Application needs to make sure all the entries point to valid frames - * except for the key frame by checking ref_frame_id[]. If missing frame + * except for intra frames by checking ref_frame_id[]. If missing frame * is identified, application may choose to perform error recovery by * pointing problematic index to an alternative frame buffer. * Driver is not responsible to validate reference frames' id. @@ -334,10 +353,10 @@ * Contains a list of indices into ref_frame_map[8]. * It specifies the reference frame correspondence. * The indices of the array are defined as [LAST_FRAME – LAST_FRAME, - * LAST2_FRAME – LAST_FRAME, …, ALTREF2_FRAME – LAST_FRAME], where each + * LAST2_FRAME – LAST_FRAME, …, ALTREF_FRAME – LAST_FRAME], where each * symbol is defined as: * enum{INTRA_FRAME = 0, LAST_FRAME, LAST2_FRAME, LAST3_FRAME, GOLDEN_FRAME, - * BWDREF_FRAME, ALTREF_FRAME}; + * BWDREF_FRAME, ALTREF2_FRAME, ALTREF_FRAME}; */ uint8_t ref_frame_idx[7]; @@ -356,8 +375,7 @@ VAFilmGrainStructAV1 film_grain_info; /** \brief tile structure - * When uniform_tile_spacing_flag == 1, the value of tile_cols and - * tile_rows need to be power of 2, and width_in_sbs_minus_1[] and + * When uniform_tile_spacing_flag == 1, width_in_sbs_minus_1[] and * height_in_sbs_minus_1[] should be ignored, which will be generated * by driver based on tile_cols and tile_rows. */ @@ -424,7 +442,8 @@ } pic_info_fields; /** \brief Supper resolution scale denominator. - * value range [9..16] + * When use_superres=1, superres_scale_denominator must be in the range [9..16]. + * When use_superres=0, superres_scale_denominator must be 8. */ uint8_t superres_scale_denominator; diff -Nru libva-2.10.0/va/va.h libva-2.11.0/va/va.h --- libva-2.10.0/va/va.h 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va.h 2021-03-23 10:54:35.000000000 +0000 @@ -126,6 +126,7 @@ * - \ref api_dec_vp9 * - \ref api_dec_av1 * - \ref api_vpp + * - \ref api_prot * - FEI (H264, HEVC) * - \ref api_fei * - \ref api_fei_h264 @@ -153,6 +154,7 @@ * the encoding operation, while synchronizing the use of a common pool of * surfaces. * + * \code * // Initialization * dpy = vaGetDisplayDRM(fd); * vaInitialize(dpy, ...); @@ -216,7 +218,7 @@ * vaEndPicture(dpy, encode_context); * } * } - * + * \endcode */ /** @@ -503,7 +505,9 @@ VAProfileHEVCSccMain444 = 31, VAProfileAV1Profile0 = 32, VAProfileAV1Profile1 = 33, - VAProfileHEVCSccMain444_10 = 34 + VAProfileHEVCSccMain444_10 = 34, + /** \brief Profile ID used for protected video playback. */ + VAProfileProtected = 35 } VAProfile; /** @@ -562,6 +566,18 @@ * and VAStatsMVBufferType) are needed for this entry point. **/ VAEntrypointStats = 12, + /** + * \brief VAEntrypointProtectedTEEComm + * + * A function for communicating with TEE (Trusted Execution Environment). + **/ + VAEntrypointProtectedTEEComm = 13, + /** + * \brief VAEntrypointProtectedContent + * + * A function for protected content to decrypt encrypted content. + **/ + VAEntrypointProtectedContent = 14, } VAEntrypoint; /** Currently defined configuration attribute types */ @@ -893,6 +909,53 @@ * this setting also could be update by \c VAContextParameterUpdateBuffer */ VAConfigAttribContextPriority = 41, + /** \brief AV1 decoding features. Read-only. + * + * This attribute describes the supported features of an + * AV1 decoder configuration. The value returned uses the + * VAConfigAttribValDecAV1Features type. + */ + VAConfigAttribDecAV1Features = 42, + /** \brief TEE could be any HW secure device. Read-only */ + VAConfigAttribTEEType = 43, + /** \brief TEE type client is a specific module supporting specific functions in TEE. Read-only*/ + VAConfigAttribTEETypeClient = 44, + /** + * \brief Cipher algorithm of the protected content session. + * + * This attribute specifies the cipher algorithm of the protected content session. It + * could be \c VA_PC_CIPHER_AES, etc.... + */ + VAConfigAttribProtectedContentCipherAlgorithm = 45, + /** + * \brief Cipher block size of the protected content session. + * + * This attribute specifies the block size of the protected content session. It could be + * \c VA_PC_BLOCK_SIZE_128, \c VA_PC_BLOCK_SIZE_192, or \c VA_PC_BLOCK_SIZE_256, etc.... + */ + VAConfigAttribProtectedContentCipherBlockSize = 46, + /** + * \brief Cipher mode of the protected content session. + * + * This attribute specifies the cipher mode of the protected content session. It could + * be \c VA_PC_CIPHER_MODE_ECB, \c VA_PC_CIPHER_MODE_CBC, \c VA_PC_CIPHER_MODE_CTR, etc... + */ + VAConfigAttribProtectedContentCipherMode = 47, + /** + * \brief Decryption sample type of the protected content session. + * + * This attribute specifies the decryption sample type of the protected content session. + * It could be \c VA_PC_SAMPLE_TYPE_FULLSAMPLE or \c VA_PC_SAMPLE_TYPE_SUBSAMPLE. + */ + VAConfigAttribProtectedContentCipherSampleType = 48, + /** + * \brief Special usage attribute of the protected session. + * + * The attribute specifies the flow for the protected session could be used. For + * example, it could be \c VA_PC_USAGE_DEFAULT, \c VA_PC_USAGE_WIDEVINE, etc.... + */ + VAConfigAttribProtectedContentUsage = 49, + /**@}*/ VAConfigAttribTypeMax } VAConfigAttribType; @@ -1273,6 +1336,38 @@ uint32_t value; }VAConfigAttribValContextPriority; +/** @name Attribute values for VAConfigAttribProtectedContentCipherAlgorithm */ +/** \brief AES cipher */ +#define VA_PC_CIPHER_AES 0x00000001 + +/** @name Attribute values for VAConfigAttribProtectedContentCipherBlockSize */ +/** \brief 128 bits block size */ +#define VA_PC_BLOCK_SIZE_128 0x00000001 +/** \brief 192 bits block size */ +#define VA_PC_BLOCK_SIZE_192 0x00000002 +/** \brief 256 bits block size */ +#define VA_PC_BLOCK_SIZE_256 0x00000004 + +/** @name Attribute values for VAConfigAttribProtectedContentCipherMode */ +/** \brief AES ECB */ +#define VA_PC_CIPHER_MODE_ECB 0x00000001 +/** \brief AES CBC */ +#define VA_PC_CIPHER_MODE_CBC 0x00000002 +/** \brief AES CTR */ +#define VA_PC_CIPHER_MODE_CTR 0x00000004 + +/** @name Attribute values for VAConfigAttribProtectedContentCipherSampleType */ +/** \brief Full sample */ +#define VA_PC_SAMPLE_TYPE_FULLSAMPLE 0x00000001 +/** \brief Sub sample */ +#define VA_PC_SAMPLE_TYPE_SUBSAMPLE 0x00000002 + +/** @name Attribute values for VAConfigAttribProtectedContentUsage */ +/** \brief Default usage */ +#define VA_PC_USAGE_DEFAULT 0x00000000 +/** \brief Widevine */ +#define VA_PC_USAGE_WIDEVINE 0x00000001 + /** @name Attribute values for VAConfigAttribProcessingRate. */ /**@{*/ /** \brief Driver does not support processing rate report */ @@ -1457,14 +1552,13 @@ typedef enum { VASurfaceAttribNone = 0, /** - * \brief Pixel format (fourcc). + * \brief Pixel format as a FOURCC (int, read/write). * - * The value is meaningful as input to vaQuerySurfaceAttributes(). - * If zero, the driver returns the optimal pixel format for the - * specified config. Otherwise, if non-zero, the value represents - * a pixel format (FOURCC) that is kept as is on output, if the - * driver supports it. Otherwise, the driver sets the value to - * zero and drops the \c VA_SURFACE_ATTRIB_SETTABLE flag. + * When vaQuerySurfaceAttributes() is called, the driver will return one + * PixelFormat attribute per supported pixel format. + * + * When provided as an input to vaCreateSurfaces(), the driver will + * allocate a surface with the provided pixel format. */ VASurfaceAttribPixelFormat, /** \brief Minimal width in pixels (int, read-only). */ @@ -1890,6 +1984,19 @@ * \c VAContextParameterUpdateBuffer */ VAContextParameterUpdateBufferType = 58, + /** + * \brief Protected session execution buffer type + * + * It's for TEE execution usage (vaProtectedSessionExecute()). The buffer structure is in + * \c VAProtectedSessionExecuteBuffer + */ + VAProtectedSessionExecuteBufferType = 59, + + /** \brief Encryption parameters buffer for protected content session. + * + * Refer to \c VAEncryptionParameters + */ + VAEncryptionParameterBufferType = 60, VABufferTypeMax } VABufferType; @@ -1917,6 +2024,90 @@ } VAContextParameterUpdateBuffer; /** + * These ENCRYPTION_TYPEs are used for the attribute values for + * \c VAConfigAttribEncryption and for encryption_type in + * VAEncryptionParameters. + * + * When used for \c VAConfigAttribEncryption, it be used via + * vaQueryConfigEntrypoints to check which type are supported for specific + * profile or not. + * + * When used for encryption_type in VAEncryptionParameters, it tells driver + * the parameters in VAEncryptionParameters are used for which encryption type. + */ +#define VA_ENCRYPTION_TYPE_FULLSAMPLE_CTR 0x00000001 /* AES CTR fullsample */ +#define VA_ENCRYPTION_TYPE_FULLSAMPLE_CBC 0x00000002 /* AES CBC fullsample */ +#define VA_ENCRYPTION_TYPE_SUBSAMPLE_CTR 0x00000004 /* AES CTR fullsample */ +#define VA_ENCRYPTION_TYPE_SUBSAMPLE_CBC 0x00000008 /* AES CBC fullsample */ + +/** \brief structure for encrypted segment info. */ +typedef struct _VAEncryptionSegmentInfo { + /** \brief The offset relative to the start of the bitstream input in + * bytes of the start of the segment */ + uint32_t segment_start_offset; + /** \brief The length of the segments in bytes */ + uint32_t segment_length; + /** \brief The length in bytes of the remainder of an incomplete block + * from a previous segment*/ + uint32_t partial_aes_block_size; + /** \brief The length in bytes of the initial clear data */ + uint32_t init_byte_length; + /** \brief This will be AES counter for secure decode and secure encode + * when numSegments equals 1, valid size is specified by + * \c key_blob_size */ + uint8_t aes_cbc_iv_or_ctr[64]; + /** \brief Reserved bytes for future use, must be zero */ + uint32_t va_reserved[VA_PADDING_MEDIUM]; +} VAEncryptionSegmentInfo; + +/** \brief Encryption parameters buffer for VAEncryptionParameterBufferType */ +typedef struct _VAEncryptionParameters { + /** \brief Encryption type, refer to \c VA_ENCRYPTION_TYPE_FULLSAMPLE_CTR, + * \c VA_ENCRYPTION_TYPE_FULLSAMPLE_CBC, \c VA_ENCRYPTION_TYPE_SUBSAMPLE_CTR, + * or \c VA_ENCRYPTION_TYPE_SUBSAMPLE_CBC */ + uint32_t encryption_type; + /** \brief The number of sengments */ + uint32_t num_segments; + /** \brief Pointer of segments */ + VAEncryptionSegmentInfo *segment_info; + /** \brief The status report index reserved for CENC fullsample workload. + * The related structures and definitions are vendor specific. + */ + uint32_t status_report_index; + /** \brief CENC counter length */ + uint32_t size_of_length; + /** \brief Wrapped decrypt blob (Snd)kb, valid size is specified by + * \c key_blob_size */ + uint8_t wrapped_decrypt_blob[64]; + /** \brief Wrapped Key blob info (Sne)kb, valid size is specified by + * \c key_blob_size */ + uint8_t wrapped_encrypt_blob[64]; + /** \brief key blob size + * It could be \c VA_PC_BLOCK_SIZE_128, \c VA_PC_BLOCK_SIZE_192, or + * \c VA_PC_BLOCK_SIZE_256 + */ + uint32_t key_blob_size; + /** \brief Indicates the number of 16-byte BLOCKS that are encrypted in any + * given encrypted region of segments. + * If this value is zero: + * 1. All bytes in encrypted region of segments are encrypted, i.e. the + * CENC or CBC1 scheme is being used + * 2. blocks_stripe_clear must also be zero. + * If this value is non-zero, blocks_stripe_clear must also be non-zero. + */ + uint32_t blocks_stripe_encrypted; + /** \brief Indicates the number of 16-byte BLOCKS that are clear in any given + * encrypted region of segments, as defined by the CENS and CBCS schemes in + * the common encryption spec. + * If this value is zero, all bytes in encrypted region of segments are + * encrypted, i.e. the CENC or CBC1 scheme is being used. + */ + uint32_t blocks_stripe_clear; + /** \brief Reserved bytes for future use, must be zero */ + uint32_t va_reserved[VA_PADDING_MEDIUM]; +} VAEncryptionParameters; + +/** * Processing rate parameter for encode. */ typedef struct _VAProcessingRateParameterEnc { @@ -4945,6 +5136,7 @@ #include #include #include +#include /**@}*/ diff -Nru libva-2.10.0/va/va_prot.h libva-2.11.0/va/va_prot.h --- libva-2.10.0/va/va_prot.h 1970-01-01 00:00:00.000000000 +0000 +++ libva-2.11.0/va/va_prot.h 2021-03-23 10:54:35.000000000 +0000 @@ -0,0 +1,515 @@ +/* + * Copyright (c) 2020 Intel Corporation. All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sub license, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice (including the + * next paragraph) shall be included in all copies or substantial portions + * of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. + * IN NO EVENT SHALL INTEL AND/OR ITS SUPPLIERS BE LIABLE FOR + * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +/** + * \file va_prot.h + * \brief Protected content API. + * + * This file contains the \ref api_prot "Protected content API". + */ + +#ifndef VA_PROT_H +#define VA_PROT_H + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \defgroup api_prot Protected content API + * + * @{ + * \section prolouge Prolouge + * Video streaming is ubiquitous and the support for video streaming is widely + * available across client open systems such as PCs, MACs, Chromebooks etc. and + * closed systems such as settop box, smart TVs, DVDs etc. By default, + * video streaming is not considered premium due to various constraints such as + * resolution, quality, production cost etc. but recently streaming of premium + * video(1080p+) has become norm. The streaming of premium video in open systems + * such as PCs, MACs, Chromebooks etc. makes video particularly susceptible to + * piracy (due to non-video playback usages of such systems) resulting in + * millions of dollars of loss to content creators. + * + * Digital Rights Management(DRM) has been proposed to stop piracy of premium + * video streams across a wide spectrum. There are some known open/closed DRM + * standards such as [Widevine by Google](https://www.widevine.com/), + * [PlayReady by Microsoft](https://www.microsoft.com/playready/), + * [FairPlay by Apple](https://developer.apple.com/streaming/fps/), + * [Merlin by Sony](https://www.marlin-community.com/), etc... Each DRM + * standard has its properties but all DRM standards support a common + * mechanism. This common mechanism involves cryptographical method for + * authenticating the client system, delivering bitstream and required + * cryptographic assets to client system and then cryptographically processing + * bitstream in client system. The cryptographic methods used in these steps + * are asymmetric such as RSA, DH etc. and symmetric such as AES CTR, CBC etc. + * encryption mechanisms. The authentication of client system, delivery of + * bitstream and cryptographic assets to client system is performed using + * asymmetric cryptographic mechanism while bitstream is encrypted and processed + * using symmetric cryptographic. In DRM world, authentication of client system, + * delivery of bitstream and required cryptographic assets to client system is + * loosely called provisioning and license acquisition while the processing of + * cryptographically secure bitstream is divided as video decryption/decoding, + * audio decryption/playback, video display. Besides DRM standards, Video/Audio + * bitstream encryption standard such as + * [Common Encryption Standard(CENC)](https://www.iso.org/standard/76597.html) + * provides a mechanism to normalize bitstream encryption methods across vendors + * while providing flexibility. + * + * \section DRM Pipeline + * Most DRM standards execute the following deep pipeline to playback + * contents on client systems from streaming servers - provisioning uses + * provisioning servers, licence aquisition uses license servers, video + * bitstream delivery uses content servers and decryption/decoding, audio + * bitstream delivery uses content servers and decyption/playback, + * display/playback. The system level HWDRM sequence diagram is following - + * ![HWDRM sequence diagram](https://user-images.githubusercontent.com/75039699/102427278-df284e80-3fc5-11eb-9a3e-129b5f6b567a.png) + * and HWDRM pipeline view is following - + * ![HWDRM pipeline view](https://user-images.githubusercontent.com/75039699/102427357-04b55800-3fc6-11eb-8b8c-f34fc44ec061.png) + * + * \section LibVA Protected Content APIs + * The LibVA Protected APIs are designed to enable DRM capabilities or + * facilitate isolated communicaiton with TEE. + * The VAEntrypointProtectedTEEComm is to define interfaces for Application + * to TEE direct communication to perform various TEE centric operations + * such as standalone provisioning of platform at factory or provisioning + * TEE for other usages, providing TEE capabilities etc. + * The VAEntrypointProtectedContent is to define interfaces for protected + * video playback using HWDRM. This entry point co-ordinates assets across + * TEE/GPU/Display for HWDRM playback. + * + * The difference between Protected Content and Protected TEE Communication + * is that Protected Content Entrypoint does not provide isolated entry + * point for TEE and invokes TEE only from HWDRM perspective. + * + * Protected Content Entrypoint + * The most of DRM standards execute following deep pipeline to playback + * contents on client systems from streaming servers - provisioning uses + * provisioning servers, licence aquisition uses license servers, video + * bitstream delivery uses content servers and decryption/decoding, audio + * bitstream delivery uses content servers and decyption/playback, + * display/playback. + * + * The Provisioning and License aquisition implementations are Independent + * Hardware Vendor (IHV) specific but most IHVs use some form of Trusted + * Execution Environment (TEE) to prepare client platform or system for DRM + * content playback. The provisioning operations use provisioning servers (as + * instructed in DRM standard) and client system TEE. The communication between + * provisioning servers and client system TEE uses asymmetic cryptographic + * mechanism. This step provides a way to establish root-of-trust between + * client system and streaming servers. Once root-of-trust is established then + * client system requests for license aquisition for a particular streaming + * title. The license aquisition involves communication between licensing + * servers and TEE using asymmetic cryptographic mechanism. At end of this step, + * client system TEE has required assets to decrypt/decode. Although these + * communication does not direcly involve video aspect of GPU but **facilitate + * GPU required assets to playback premium contents**. + * + * To support DRM standard requirements in playback pipeline, OSes and HWs + * incorporate various methods to protect full playback pipeline. These + * methods of protection could be SW based or HW based. The SW based protection + * mechanism of DRMs is called SWDRM while HW based protection mechanism is + * called HWDRM. There is no previous support in LibVA to support either DRM + * mechanism. + * + * For DRM capabilities, APIs inolve creation of protected session to + * communicate with TEE and then using these protected sessions to process + * video/audio data. The philophashy behind these API is to leverage existing + * LibVA infrastructure as much as possible. + * + * Note: TEE could be any secure HW device such as ME-FW or FPGA Secure + * Enclave or NPU Secure Enclave. There are 2 concepts here – TEE Type such + * as ME-FW or FPGA or NPU; TEE Type Client such as for AMT or HDCP or + * something else etc. + * + * \section description Detailed Description + * The Protected content API provides a general mechanism for opening + * protected session with TEE and if required then \ref priming GPU/Display. + * The behavior of protected session API depends on parameterization/ + * configuration of protected session. Just for TEE tasks, protected + * session is parameterized/configured as TEE Communication while for + * HWDRM, protected session is parameterized/confgured as Protected + * Content. + * + * TEE Communication Entrypoint + * With TEE Communication parameterization/configuration, client + * executes TEE workloads in TEE with TEE Communication protected + * session. + * + * Protected Content Entrypoint + * With Protected Content parameterization/configuration, client + * executes HWDRM playback workloads HW accelerating protected video + * content decryption/decoding with protected content session. + * + * Before calling vaCreateProtectedSession, VAConfigID is obtained using + * existing libva mechanism to determine configuration parameters of + * protected session. The VAConfigID is determined in this way so that + * Protected Session implementation aligns with existing libva implementation. + * After obtaining VAConfigID, Protected Session needs to be created but + * note this is a session and not a context. Refer VAProtectedSessionID + * for more details. + * + * Note:- Protected session represents session object that has all security + * information needed for Secure Enclave to operate certain operations. + * + * \subsection priming Priming + * Priming is used to refer various types of initializations. For example, + * if license acquisition is being performed then priming means that TEE is + * already provisioned aka TEE has some sort of "cryptographic" whitelist of + * servers that TEE will use to do license acquisition for video playback. If + * HWDRM video playback is being performed then priming means that HWDRM + * eco-system TEE/GPU/Display has proper keys to do proper video playback etc. + * + * Protected content API uses the following paradigm for protected content + * session: + * - \ref api_pc_caps + * - \ref api_pc_setup + * - \ref api_pc_exec + * - \ref api_pc_attach + * + * \subsection api_pc_caps Query for supported cipher mode, block size, mode + * + * Checking whether protected content is supported can be performed with + * vaQueryConfigEntrypoints() and the profile argument set to + * #VAProfileProtected. If protected content is supported, then the list of + * returned entry-points will include #VAEntrypointProtectedContent + * + * \code + * VAEntrypoint *entrypoints; + * int i, num_entrypoints, supportsProtectedContent = 0; + * + * num_entrypoints = vaMaxNumEntrypoints(); + * entrypoints = malloc(num_entrypoints * sizeof(entrypoints[0]); + * vaQueryConfigEntrypoints(va_dpy, VAProfileProtected, entrypoints, + * &num_entrypoints); + * + * for (i = 0; !supportsProtectedContent && i < num_entrypoints; i++) { + * if (entrypoints[i] == VAEntrypointProtectedContent) + * supportsProtectedContent = 1; + * } + * \endcode + * + * Then, the vaGetConfigAttributes() function is used to query the protected + * session capabilities. + * + * \code + * VAConfigAttrib attribs; + * attribs[0].type = VAConfigAttribProtectedContentCipherAlgorithm; + * attribs[1].type = VAConfigAttribProtectedContentCipherBlockSize; + * attribs[2].type = VAConfigAttribProtectedContentCipherMode; + * attribs[3].type = VAConfigAttribProtectedContentCipherSampleType; + * attribs[4].type = VAConfigAttribProtectedContentUsage; + * vaGetConfigAttributes(va_dpy, VAProfileProtected, + * VAEntrypointProtectedContent, attribs, 5); + * if ((attribs[1].value & VA_PC_CIPHER_AES) == 0) { + * // not find desired cipher algorithm + * assert(0); + * } + * if ((attribs[2].value & VA_PC_BLOCK_SIZE_128) == 0) { + * // not find desired block size + * assert(0); + * } + * if ((attribs[3].value & VA_PC_CIPHER_MODE_CBC) == 0) { + * // not find desired counter mode + * assert(0); + * } + * if ((attribs[4].value & VA_PC_SAMPLE_TYPE_SUBSAMPLE) == 0) { + * // not find desired sample type + * assert(0); + * } + * if ((attribs[5].value & VA_PC_USAGE_WIDEVINE) == 0) { + * // not find desired usage + * assert(0); + * } + * \endcode + * + * \subsection api_pc_setup Set up a protected content session + * + * TEE Communication Entrypoint + * The protected content session provides a TEE session that is used to extract + * TEE information. This information could be used to peform TEE operations. + * + * Protected Content Entrypoint + * The protected content session can be attached to VA decode/encode/vp context + * to do decryption/protection in the pipeline. + * Before creating a protected content session, it needs to create a config + * first via vaCreateConfig(). Then using this config id to create a protected + * content session via vaCreateProtectedSession(). + * + * The general control flow is demonstrated by the following pseudo-code: + * \code + * // Create config + * VAConfigID config_id; + * + * attribs[0].value = VA_PC_CIPHER_AES; + * attribs[1].value = VA_PC_BLOCK_SIZE_128; + * attribs[2].value = VA_PC_CIPHER_MODE_CBC; + * attribs[3].value = VA_PC_SAMPLE_TYPE_SUBSAMPLE; + * attribs[4].value = VA_PC_USAGE_WIDEVINE; + * va_status = vaCreateConfig(va_dpy, VAProfileProtected, + * VAEntrypointProtectedContent, attribs, 5, &config_id); + * CHECK_VASTATUS(va_status, "vaCreateConfig"); + * \endcode + * + * Once the config is set up, we can create protected content session via + vaCreateProtectedSession(). + * \code + * // Create a protected session + * VAProtectedSessionID crypto_session; + * + * va_status = vaCreateProtectedSession(va_dpy, config_id, &crypto_session); + * CHECK_VASTATUS(va_status, "vaCreateProtectedSession"); + * \endcode + * + * \subsection api_pc_exec TEE communication via vaProtectedSessionExecute() + * + * TEE Communication Entrypoint + * App needs to communicate with TEE to get TEE information or \ref priming + * "prime" TEE with information that will be utilized for future TEE + * operations/tasks. + * + * Protected Content Entrypoint + * Before starting decryption/encryption operation in GPU, app may need to + * communicate with TEE to get encrypted assets for \ref priming HWDRM pipeline + * for decryption. App need to call vaProtectedSessionExecute() to get this + * asset. The following pseudo-code demonstrates getting session assets via + * vaProtectedSessionExecute() as an example. + * + * In this example, the vaCreateBuffer is called with exec_buffer mainly becasue TEE + * Communication Entrypoint buffers are CPU bound and buffer size is small enough to + * have extra copy operation without impacting performance. + * + * \code + * uint32_t app_id = 0xFF; + * VABufferID buffer; + * VAProtectedSessionExecuteBuffer exec_buff = {0}; + * + * exec_buff.function_id = GET_SESSION_ID; + * exec_buff.input.data = nullptr; + * exec_buff.input.data_size = 0; + * exec_buff.output.data = &app_id; + * exec_buff.output.max_data_size = sizeof(app_id); + * va_status = vaCreateBuffer( + * va_dpy, + * crypto_session, + * (VABufferType) VAProtectedSessionExecuteBufferType, + * sizeof(exec_buff), + * 1, + * &exec_buff, + * &buffer); + * + * va_status = vaProtectedSessionExecute(va_dpy, crypto_session, buffer); + * + * vaDestroyBuffer(va_dpy, buffer); + * \endcode + * + * \subsection api_pc_attach Attach/Detach protected content session to the VA + * context which want to enable/disable decryption/protection + * + * Protected content session is attached to VA decode/encode/vp context to + * enable protected decoding/encoding/video processing per frame or entire + * stream. If protected session attached per frame then application has 2 + * options for decoding/encoding skip processing i.e. accomodating clear + * frames - 1. Application could do detach after each frame is processed + * to process clear frame 2. Application could remains attached to decode/ + * encode session but specify enryption byte length to 0. + * The video processing does not has option #2 mainly because API does + * not provide skip processing. + * + * \code + * vaAttachProtectedSession(va_dpy, decode_ctx, crypto_session); + * foreach (iteration) { + * vaBeginPicture(va_dpy, decode_ctx, surface); + * ... + * vaRenderPicture(va_dpy, decode_ctx, &buf_id1, 1); + * vaRenderPicture(va_dpy, decode_ctx, &buf_id2, 1); + * // Buffer holding encryption parameters, i.e. VAEncryptionParameterBufferType buffer + * vaRenderPicture(va_dpy, decode_ctx, &buf_id_enc_param, 1); + * ... + * vaEndPicture(va_dpy, decode_ctx); + * } + * vaDetachProtectedSession(va_dpy, decode_ctx); + * \endcode + * + * or it could be frame-by-frame attaching/detaching as following: + * + * \code + * foreach (iteration) { + * if (encrypted) + * vaAttachProtectedSession(va_dpy, decode_ctx, crypto_session); + + * vaBeginPicture(va_dpy, decode_ctx, surface); + * ... + * vaRenderPicture(va_dpy, decode_ctx, &buf_id1, 1); + * vaRenderPicture(va_dpy, decode_ctx, &buf_id2, 1); + * // Buffer holding encryption parameters, i.e. VAEncryptionParameterBufferType buffer + * vaRenderPicture(va_dpy, decode_ctx, &buf_id_enc_param, 1); + * ... + * vaEndPicture(va_dpy, decode_ctx); + * + * if (encrypted) + * vaDetachProtectedSession(va_dpy, decode_ctx); + + * // check encrypted variable for next frame + * } + * \endcode + */ + +/** + * ProtectedSessions and Contexts + * + * According to #VAContextID, Context represents a "virtual" video decode, + * encode or video processing pipeline. Surfaces are render targets for a given + * context. The data in the surfaces are not accessible to the client except if + * derived image is supported and the internal data format of the surface is + * implementation specific. Application can create a video decode, encode or + * processing context which represents a "virtualized" hardware device. + * + * Since Protected Session does not virtualize any HW device or build any + * pipeline but rather accessorize existing virtualized HW device or pipeline + * to operate in protected mode so we decided to create separate function. + * Beside this, a virtualized HW device or pipeline could own several protected + * sessions and operate in those protected modes without ever re-creating + * virtualization of HW device or re-building HW pipeline (an unique protected + * environment multiplexing capability in Intel HW). + * + * The returned protected_session represents a notion of Host and TEE clients + * while representing protection status in GPU and Display. + * + * Both contexts and protected sessions are identified by unique IDs and its + * implementation specific internals are kept opaque to the clients + */ +typedef VAGenericID VAProtectedSessionID; + +/** \brief TEE Execucte Function ID. */ +typedef enum _VA_TEE_EXEC_FUNCTION_ID { + VA_TEE_EXECUTE_FUNCTION_ID_PASS_THROUGH = 0x00000001, + VA_TEE_EXECUTE_FUNCTION_ID_GET_FIRMWARE_VERSION = 0x00000002, + +} VA_TEE_EXECUTE_FUNCTION_ID; + +/** \brief Input/Output buffer of VAProtectedSessionExecuteBuffer */ +typedef struct _VAProtectedSessionBuffer { + /* + * This is used when this buffer refer to output buffer. The maximum size of + * data that the driver can return in the output buffer. It is not used for + * input buffer. + */ + uint32_t max_data_size; + /* + * If it is used for input buffer, it is the size of the input data. If it is + * used for output buffer, it is the returns size of the output data written + * by the driver. + */ + uint32_t data_size; + /* + * data pointer of this buffer + */ + void *data; + uint32_t va_reserved[VA_PADDING_LOW]; +} VAProtectedSessionBuffer; + +/** \brief Buffer for vaProtectedSessionExecute() */ +typedef struct _VAProtectedSessionExecuteBuffer { + /** \brief Specify the function to execute. It is IHV's implementation + * specific */ + uint32_t function_id; + /** \brief Input buffer */ + VAProtectedSessionBuffer input; + /** \brief Output buffer */ + VAProtectedSessionBuffer output; + /** \brief Return the result of this function. The status result is IHV's + * implementation specific */ + uint32_t status; + uint32_t va_reserved[VA_PADDING_LOW]; +} VAProtectedSessionExecuteBuffer; + +/** + * \brief Create a protected session + * + * Create a protected session + * + * @param[in] dpy the VA display + * @param[in] config_id configuration for the protected session + * @param[out] protected_session created protected session id upon return + */ +VAStatus vaCreateProtectedSession(VADisplay dpy, VAConfigID config_id, + VAProtectedSessionID *protected_session); + +/** + * \brief Destroy a protected session + * + * Destroy a protected session + * + * @param[in] dpy the VA display + * @param[in] protected_session protected session to be destroyed + */ +VAStatus vaDestroyProtectedSession(VADisplay dpy, + VAProtectedSessionID protected_session); + +/** + * \brief Attach a protected content session to VA context + * + * Attach a protected content session to the context to enable + * decryption/protection + * + * @param[in] dpy the VA display + * @param[in] id the VA decode/encode/vp context + * @param[in] protected_session the protected session to attach + */ +VAStatus vaAttachProtectedSession(VADisplay dpy, VAGenericID id, + VAProtectedSessionID protected_session); + +/** + * \brief Detach the protected content session from the VA context + * + * Detach protected content session of the context to disable + * decryption/protection + * + * @param[in] dpy the VA display + * @param[in] id TEE client id to be detached + */ +VAStatus vaDetachProtectedSession(VADisplay dpy, VAGenericID id); + +/** + * \brief Execute provides a general mechanism for TEE client tasks execution. + * + * vaProtectedSessionExecute provides a mechanism for TEE clients to execute + * specific tasks. The implementation may differ between IHVs. + * This is a synchronous API. + * + * @param[in] dpy the VA display + * @param[in] protected_session the protected session + * @param[in,out] buf_id the VA buffer + */ +VAStatus vaProtectedSessionExecute(VADisplay dpy, + VAProtectedSessionID protected_session, + VABufferID buf_id); + +/**@}*/ + +#ifdef __cplusplus +} +#endif + +#endif /* VA_PROT_H */ diff -Nru libva-2.10.0/va/va_str.c libva-2.11.0/va/va_str.c --- libva-2.10.0/va/va_str.c 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va_str.c 2021-03-23 10:54:35.000000000 +0000 @@ -64,6 +64,7 @@ TOSTR(VAProfileAV1Profile0); TOSTR(VAProfileAV1Profile1); TOSTR(VAProfileHEVCSccMain444_10); + TOSTR(VAProfileProtected); default: break; } return ""; @@ -84,6 +85,8 @@ TOSTR(VAEntrypointVideoProc); TOSTR(VAEntrypointFEI); TOSTR(VAEntrypointStats); + TOSTR(VAEntrypointProtectedTEEComm); + TOSTR(VAEntrypointProtectedContent); } return ""; } @@ -130,6 +133,14 @@ TOSTR(VAConfigAttribPredictionDirection); TOSTR(VAConfigAttribMultipleFrame); TOSTR(VAConfigAttribContextPriority); + TOSTR(VAConfigAttribDecAV1Features); + TOSTR(VAConfigAttribTEEType); + TOSTR(VAConfigAttribTEETypeClient); + TOSTR(VAConfigAttribProtectedContentCipherAlgorithm); + TOSTR(VAConfigAttribProtectedContentCipherBlockSize); + TOSTR(VAConfigAttribProtectedContentCipherMode); + TOSTR(VAConfigAttribProtectedContentCipherSampleType); + TOSTR(VAConfigAttribProtectedContentUsage); case VAConfigAttribTypeMax: break; } return ""; @@ -180,6 +191,8 @@ TOSTR(VAEncFEICURecordBufferType); TOSTR(VASubsetsParameterBufferType); TOSTR(VAContextParameterUpdateBufferType); + TOSTR(VAProtectedSessionExecuteBufferType); + TOSTR(VAEncryptionParameterBufferType); case VABufferTypeMax: break; } return ""; diff -Nru libva-2.10.0/va/va_trace.c libva-2.11.0/va/va_trace.c --- libva-2.10.0/va/va_trace.c 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/va_trace.c 2021-03-23 10:54:35.000000000 +0000 @@ -1794,6 +1794,7 @@ { VAIQMatrixBufferMPEG2 *p=(VAIQMatrixBufferMPEG2 *)data; DPY2TRACECTX(dpy, context, VA_INVALID_ID); + int i; va_TraceMsg(trace_ctx,"VAIQMatrixBufferMPEG2\n"); @@ -1801,11 +1802,55 @@ va_TraceMsg(trace_ctx,"\tload_non_intra_quantiser_matrix = %d\n", p->load_non_intra_quantiser_matrix); va_TraceMsg(trace_ctx,"\tload_chroma_intra_quantiser_matrix = %d\n", p->load_chroma_intra_quantiser_matrix); va_TraceMsg(trace_ctx,"\tload_chroma_non_intra_quantiser_matrix = %d\n", p->load_chroma_non_intra_quantiser_matrix); - va_TraceMsg(trace_ctx,"\tintra_quantiser_matrix = %p\n", p->intra_quantiser_matrix); - va_TraceMsg(trace_ctx,"\tnon_intra_quantiser_matrix = %p\n", p->non_intra_quantiser_matrix); - va_TraceMsg(trace_ctx,"\tchroma_intra_quantiser_matrix = %p\n", p->chroma_intra_quantiser_matrix); - va_TraceMsg(trace_ctx,"\tchroma_non_intra_quantiser_matrix = %p\n", p->chroma_non_intra_quantiser_matrix); - va_TraceMsg(trace_ctx, NULL); + va_TraceMsg (trace_ctx, "\tintra_quantiser_matrix[] = {\n"); + for (i = 0; i < 64; i++) { + if (i % 8 == 0) { + if (i) + va_TracePrint (trace_ctx, "\n"); + va_TraceMsg (trace_ctx, "\t %3d", p->intra_quantiser_matrix[i]); + } else { + va_TracePrint (trace_ctx, " %3d", p->intra_quantiser_matrix[i]); + } + } + va_TracePrint (trace_ctx, "}\n"); + + va_TraceMsg (trace_ctx, "\tnon_intra_quantiser_matrix[] = {\n"); + for (i = 0; i < 64; i++) { + if (i % 8 == 0) { + if (i) + va_TracePrint (trace_ctx, "\n"); + va_TraceMsg (trace_ctx, "\t %3d", p->non_intra_quantiser_matrix[i]); + } else { + va_TracePrint (trace_ctx, " %3d", p->non_intra_quantiser_matrix[i]); + } + } + va_TracePrint (trace_ctx, "}\n"); + + va_TraceMsg (trace_ctx, "\tchroma_intra_quantiser_matrix[] = {\n"); + for (i = 0; i < 64; i++) { + if (i % 8 == 0) { + if (i) + va_TracePrint (trace_ctx, "\n"); + va_TraceMsg (trace_ctx, "\t %3d", p->chroma_intra_quantiser_matrix[i]); + } else { + va_TracePrint (trace_ctx, " %3d", p->chroma_intra_quantiser_matrix[i]); + } + } + va_TracePrint (trace_ctx, "}\n"); + + va_TraceMsg (trace_ctx, "\tchroma_non_intra_quantiser_matrix[] = {\n"); + for (i = 0; i < 64; i++) { + if (i % 8 == 0) { + if (i) + va_TracePrint (trace_ctx, "\n"); + va_TraceMsg ( + trace_ctx, "\t %3d", p->chroma_non_intra_quantiser_matrix[i]); + } else { + va_TracePrint ( + trace_ctx, " %3d", p->chroma_non_intra_quantiser_matrix[i]); + } + } + va_TracePrint (trace_ctx, "}\n"); return; } diff -Nru libva-2.10.0/va/wayland/Makefile.am libva-2.11.0/va/wayland/Makefile.am --- libva-2.10.0/va/wayland/Makefile.am 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/wayland/Makefile.am 2021-03-23 10:54:35.000000000 +0000 @@ -70,8 +70,9 @@ %-client-protocol-export.c : %.xml $(AM_V_GEN)$(WAYLAND_SCANNER) code < $< > $@ %-client-protocol.c: %-client-protocol-export.c - $(AM_V_GEN)$(SED) -e $$'1i\\\n#include "sysdeps.h"\n' \ - -e 's@WL_EXPORT@DLL_HIDDEN@g' < $< > $@ + $(AM_V_GEN){ echo '#include "sysdeps.h"'; $(SED) \ + -e 's@WL_EXPORT@DLL_HIDDEN@g' \ + < $<; } > $@ EXTRA_DIST = \ wayland-drm.xml \ diff -Nru libva-2.10.0/va/wayland/va_wayland_drm.c libva-2.11.0/va/wayland/va_wayland_drm.c --- libva-2.10.0/va/wayland/va_wayland_drm.c 2020-12-03 21:15:12.000000000 +0000 +++ libva-2.11.0/va/wayland/va_wayland_drm.c 2021-03-23 10:54:35.000000000 +0000 @@ -78,8 +78,15 @@ } drm_state->fd = fd; - drmGetMagic(drm_state->fd, &magic); - wl_drm_authenticate(wl_drm_ctx->drm, magic); + + int type = drmGetNodeTypeFromFd(fd); + if (type != DRM_NODE_RENDER) { + drmGetMagic(drm_state->fd, &magic); + wl_drm_authenticate(wl_drm_ctx->drm, magic); + } else { + wl_drm_ctx->is_authenticated = 1; + drm_state->auth_type = VA_DRM_AUTH_CUSTOM; + } } static void