sf: vds: Add support for secure virtual displaysnext

1. Propagate secure flag on display creation In SurfaceFlinger we have information that tells us whether a display is secure or not. We need to propagate this information when creating the corresponding virtual display, allowing us to configure output buffers with the correct (secure) usage flags. 2. Use secure heap only for sessions that need HW level protection Use MM heap only if the secure session needs hardware level protection. At the present moment we are assuming that only displays with the GRALLOC_USAGE_HW_ENCODER need hardware level protection. Change-Id: I7e0d42ba3a81d1f5c42b1074e3018826b38b7a8d
author: Tatenda Chipeperekwa <tatendac@codeaurora.org> 2013-11-06 15:05:31 -0800
committer: Steve Kondik <shade@chemlab.org> 2014-04-05 15:20:33 -0700
commit: a4574911a4ec4e8bc2a31e21aeec2995ffdfb0ae (patch)
tree: 8d90e1e39747c725131defb3fabeadaa5e55c08e
parent: e53500ffbc7f889a78c516f1def41d7626d93831 (diff)
download: android_frameworks_native-next.tar.gz
android_frameworks_native-next.tar.bz2
android_frameworks_native-next.zip
3 files changed, 39 insertions, 7 deletions
diff --git a/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.cpp b/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.cpp
index 1ce450f58..40794a6a0 100644
--- a/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.cpp
+++ b/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.cpp
@@ -46,7 +46,8 @@ VirtualDisplaySurface::VirtualDisplaySurface(HWComposer& hwc,
         int32_t &hwcDisplayId,
         const sp<IGraphicBufferProducer>& sink,
         const sp<BufferQueue>& bq,
-        const String8& name)
+        const String8& name,
+        bool secure)
 :   ConsumerBase(bq),
     mHwc(hwc),
     mDisplayId(NO_MEMORY),
@@ -55,7 +56,8 @@ VirtualDisplaySurface::VirtualDisplaySurface(HWComposer& hwc,
     mProducerSlotSource(0),
     mDbgState(DBG_STATE_IDLE),
     mDbgLastCompositionType(COMPOSITION_UNKNOWN),
-    mForceHwcCopy(false)
+    mForceHwcCopy(false),
+    mSecure(false)
 {
     mSource[SOURCE_SINK] = sink;
     mSource[SOURCE_SCRATCH] = bq;
@@ -79,6 +81,11 @@ VirtualDisplaySurface::VirtualDisplaySurface(HWComposer& hwc,
     {
         mDefaultOutputFormat = HAL_PIXEL_FORMAT_IMPLEMENTATION_DEFINED;
         mForceHwcCopy = true;
+        //Set secure flag only if the session requires HW protection, currently
+        //there is no other way to distinguish different security protection levels
+        //This allows Level-3 sessions(eg.simulated displayes) to get
+        //buffers from IOMMU heap and not MM (secure) heap.
+        mSecure = secure;
     }
 
     // XXX: With this debug property we can allow screenrecord to be composed
@@ -103,6 +110,7 @@ VirtualDisplaySurface::VirtualDisplaySurface(HWComposer& hwc,
     VDS_LOGV("creation: sinkFormat: 0x%x sinkUsage: 0x%x mForceHwcCopy: %d",
             mOutputFormat, sinkUsage, mForceHwcCopy);
 
+    setOutputUsage();
     resetPerFrameState();
 
     ConsumerBase::mName = String8::format("VDS: %s", mDisplayName.string());
@@ -115,6 +123,22 @@ VirtualDisplaySurface::VirtualDisplaySurface(HWComposer& hwc,
 VirtualDisplaySurface::~VirtualDisplaySurface() {
 }
 
+// helper to update the output usage when the display is secure
+void VirtualDisplaySurface::setOutputUsage() {
+    mOutputUsage = GRALLOC_USAGE_HW_COMPOSER;
+    if (mSecure) {
+        //TODO: Currently, the framework can only say whether the display
+        //and its subsequent session are secure or not. However, there is
+        //no mechanism to distinguish the different levels of security.
+        //The current solution assumes WV L3 protection.
+        mOutputUsage |= GRALLOC_USAGE_PROTECTED;
+#ifdef QCOM_BSP
+        mOutputUsage |= GRALLOC_USAGE_PRIVATE_MM_HEAP |
+                        GRALLOC_USAGE_PRIVATE_UNCACHED;
+#endif
+    }
+}
+
 status_t VirtualDisplaySurface::beginFrame() {
     if (mDisplayId < 0)
         return NO_ERROR;
@@ -171,7 +195,7 @@ status_t VirtualDisplaySurface::prepareFrame(CompositionType compositionType) {
         // format/usage and get a new buffer when the GLES driver calls
         // dequeueBuffer().
         mOutputFormat = mDefaultOutputFormat;
-        mOutputUsage = GRALLOC_USAGE_HW_COMPOSER;
+        setOutputUsage();
         refreshOutputBuffer();
     }
 
diff --git a/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.h b/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.h
index 4a8a0eadd..0ba00d7f7 100644
--- a/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.h
+++ b/services/surfaceflinger/DisplayHardware/VirtualDisplaySurface.h
@@ -74,7 +74,8 @@ public:
     VirtualDisplaySurface(HWComposer& hwc, int32_t &hwcDisplayId,
             const sp<IGraphicBufferProducer>& sink,
             const sp<BufferQueue>& bq,
-            const String8& name);
+            const String8& name,
+            bool secure);
 
     //
     // DisplaySurface interface
@@ -117,6 +118,7 @@ private:
     void updateQueueBufferOutput(const QueueBufferOutput& qbo);
     void resetPerFrameState();
     status_t refreshOutputBuffer();
+    void setOutputUsage();
 
     // Both the sink and scratch buffer pools have their own set of slots
     // ("source slots", or "sslot"). We have to merge these into the single
@@ -145,6 +147,9 @@ private:
     // or not.
     int32_t mDisplayId;
 
+    // secure flag
+    bool mSecure;
+
     //
     // Inter-frame state
     //
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index d9323cc00..df7b67309 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -1333,7 +1333,8 @@ void SurfaceFlinger::configureVirtualDisplay(int32_t &hwcDisplayId,
         if(!wfdVirtual) {
             // This is for non-wfd virtual display scenarios(e.g. SSD/SR/CTS)
             sp<VirtualDisplaySurface> vds = new VirtualDisplaySurface(*mHwc,
-                    hwcDisplayId, state.surface, bq, state.displayName);
+                    hwcDisplayId, state.surface, bq, state.displayName,
+                    state.isSecure);
             dispSurface = vds;
             // There won't be any interaction with HWC for this virtual display.
             // so the GLES driver can pass buffers directly to the sink.
@@ -1352,7 +1353,8 @@ void SurfaceFlinger::configureVirtualDisplay(int32_t &hwcDisplayId,
                 // WFD virtual display instance gets valid hwcDisplayId and
                 // SSD/SR will get invalid hwcDisplayId
                 sp<VirtualDisplaySurface> vds = new VirtualDisplaySurface(*mHwc,
-                        hwcDisplayId, state.surface, bq, state.displayName);
+                        hwcDisplayId, state.surface, bq, state.displayName,
+                        state.isSecure);
                 dispSurface = vds;
                 // There won't be any interaction with HWC for this virtual
                 // display, so the GLES driver can pass buffers directly to the
@@ -1368,7 +1370,8 @@ void SurfaceFlinger::configureVirtualDisplay(int32_t &hwcDisplayId,
         // mForceHwcCopy (which is based on Usage Flags)
 
         sp<VirtualDisplaySurface> vds = new VirtualDisplaySurface(*mHwc,
-                hwcDisplayId, state.surface, bq, state.displayName);
+                hwcDisplayId, state.surface, bq, state.displayName,
+                state.isSecure);
         dispSurface = vds;
         if (hwcDisplayId >= 0) {
             producer = vds;
author	Tatenda Chipeperekwa <tatendac@codeaurora.org>	2013-11-06 15:05:31 -0800
committer	Steve Kondik <shade@chemlab.org>	2014-04-05 15:20:33 -0700
commit	a4574911a4ec4e8bc2a31e21aeec2995ffdfb0ae (patch)
tree	8d90e1e39747c725131defb3fabeadaa5e55c08e
parent	e53500ffbc7f889a78c516f1def41d7626d93831 (diff)
download	android_frameworks_native-next.tar.gz android_frameworks_native-next.tar.bz2 android_frameworks_native-next.zip