Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp2440731rdb;
        Thu, 21 Sep 2023 20:47:24 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGKhInU+AvO2etFSObp1GgGxRPOwmTh31UjgLWDXu80mHsbkHCq6+z09oht2ENarBdo1arl
X-Received: by 2002:a17:90b:3149:b0:274:729a:bcd9 with SMTP id ip9-20020a17090b314900b00274729abcd9mr7294374pjb.43.1695354444274;
        Thu, 21 Sep 2023 20:47:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695354444; cv=none;
        d=google.com; s=arc-20160816;
        b=RN3tx/ZDLG6f+JA8YRo6De8jVJZwJ5UfBCFUv+rgBaZJjdxSms/YhPXclKB9c2/YFk
         klrNhpqwE5eFrsXdFGGnQtiAX4T4pZ9BZcVwzGFFSqSXFkzuJTLAW9nXdneW/MhTV0ye
         vdG5ER8dwp4GrnSVkx7ZsdATvQLrzw7wj+DQcsp0tkhlwhy8sx+WG3Va5izmkKB1JI2k
         19Eqec8+DjQmRdRNqEb1gT5D8D0ZvrndUhg2Cc588cLFqqylCvUyyXlzT2D2eWbIRrft
         oSw9hn6UXVzcutPzSYdRkzLxC6uGujlFN+3T+Zv1kLOmCgk7iWuL05ZOeRO0TSAeP/vV
         OgBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent
         :content-transfer-encoding:references:in-reply-to:date:cc:to:from
         :subject:message-id:dkim-signature;
        bh=4+oNZNK0XdjRL1qDfy6VTGyZlo5uW17/8FO5Qfepexc=;
        fh=0YNmWYgHfYM67Mw6JPrBpZUm1WNMopNtiP6Bx3Rx69Q=;
        b=WurazvlOBKVaUKsXBoIbx59KfnRs8ICYjWBX1NdMBxQ6J+q3iAIgWkTu7d9RTkhNhc
         guP6xY3mlreYJREikyOeYVa2tlf1qvKWD90LhMP1gq7neYNmOh5uwNpKod4lJhtQiSol
         xqFwG4JCn4hFgDMhszwgJEXlALu4TnMe0gFxmIJXo9L0tOr9h6NAcQCUwpXy41yHbsPW
         5WQm4s5ireZOej1faAL/Kkn1UsRRmKo05TqEI6dapDDws9gW/zKaLH+y4KYwjUOmFE0V
         XsV/ciLGvzqbKWGJTfdSQBgzVE+hw2w4pDMdnuBWzVAqwyEH6x06F2JfZp8els9m3jR0
         n+sw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b=AAgC+As4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8])
        by mx.google.com with ESMTPS id g23-20020a17090adb1700b0026f75d932a8si2850456pjv.185.2023.09.21.20.47.23
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 21 Sep 2023 20:47:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b=AAgC+As4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by fry.vger.email (Postfix) with ESMTP id 4C89683ADCB3;
	Thu, 21 Sep 2023 14:14:26 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232496AbjIUVNl (ORCPT <rfc822;bh1scw@gmail.com> + 99 others);
        Thu, 21 Sep 2023 17:13:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57870 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231674AbjIUVNJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Sep 2023 17:13:09 -0400
Received: from madras.collabora.co.uk (madras.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e5ab])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7AB655279;
        Thu, 21 Sep 2023 10:08:21 -0700 (PDT)
Received: from nicolas-tpx395.localdomain (unknown [IPv6:2606:6d00:15:bae9::7a9])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: nicolas)
        by madras.collabora.co.uk (Postfix) with ESMTPSA id 8589D660731D;
        Thu, 21 Sep 2023 16:46:49 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com;
        s=mail; t=1695311211;
        bh=qmLDWY/AuDZBwTiEH6bdhLx9MgWdAsDslzLfx3DOK4A=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=AAgC+As4Cy0TIyhqMYWvMkMILzrYGP2tdMFpvtrvDNPf0KcxzcZjzMOSK4Rq+GWMQ
         EIpWb+TvGWirRWMOZCnECZJb8onvByXZBGwfeB6ZhIC0oO7BjgjViiHxqwDixdY78Z
         K42MnJB5KJsEJ7fPabAtJvrBf8vDCD1DZ6xRKVOKXgDp7Ecy6k7Slj/HvSyvE2VWMK
         QntErYDk3VwsgkkGUd4sx9fDC1P8XVhFchzQ+LnlHzDVJAEldAUAFC1OeR/4l+Gdi4
         F7SL1J42s1DO+HX9UVMY1uNhlaX6g2/4RjNBE3XNQIveR7GF+dQxCVD4Z0bz0/rViQ
         EvIPcMHnu1ptg==
Message-ID: <c7cd83c49a9226e72c272365653dc8b998b6adcb.camel@collabora.com>
Subject: Re: [PATCH 12/14] media: medkatek: vcodec: set secure mode to
 decoder driver
From:   Nicolas Dufresne <nicolas.dufresne@collabora.com>
To:     Jeffrey Kardatzke <jkardatzke@google.com>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc:     Yunfei Dong =?UTF-8?Q?=28=E8=91=A3=E4=BA=91=E9=A3=9E=29?= 
        <Yunfei.Dong@mediatek.com>,
        "nhebert@chromium.org" <nhebert@chromium.org>,
        "benjamin.gaignard@collabora.com" <benjamin.gaignard@collabora.com>,
        "nfraprado@collabora.com" <nfraprado@collabora.com>,
        "angelogioacchino.delregno@collabora.com" 
        <angelogioacchino.delregno@collabora.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-mediatek@lists.infradead.org" 
        <linux-mediatek@lists.infradead.org>,
        "frkoenig@chromium.org" <frkoenig@chromium.org>,
        "stevecho@chromium.org" <stevecho@chromium.org>,
        "wenst@chromium.org" <wenst@chromium.org>,
        "linux-media@vger.kernel.org" <linux-media@vger.kernel.org>,
        "devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
        "daniel@ffwll.ch" <daniel@ffwll.ch>,
        Project_Global_Chrome_Upstream_Group 
        <Project_Global_Chrome_Upstream_Group@mediatek.com>,
        "hsinyi@chromium.org" <hsinyi@chromium.org>,
        "linux-arm-kernel@lists.infradead.org" 
        <linux-arm-kernel@lists.infradead.org>
Date:   Thu, 21 Sep 2023 11:46:40 -0400
In-Reply-To: <CA+ddPcPbox=mknpmDkwfYTfDMca49wU10SNF3mJspYu=5T64FQ@mail.gmail.com>
References: <20230911125936.10648-1-yunfei.dong@mediatek.com>
         <20230911125936.10648-13-yunfei.dong@mediatek.com>
         <1df3e79b84933dda0313d0d9719220dbc06c9022.camel@collabora.com>
         <d4cedcb0-32ed-495d-a8cd-a635d5105824@xs4all.nl>
         <5307203d79c0d90cc742a315bb161fa796b9960f.camel@mediatek.com>
         <bafc37e8-96e8-41c0-b805-c6477f0d7c4a@xs4all.nl>
         <CA+ddPcN6EaFERC60_Z_-ZmWzqyUEwxiDCZwt_U6Y-gpaAu76tA@mail.gmail.com>
         <ff7aa575-c820-4dfa-853f-77438b8b149a@xs4all.nl>
         <b7d661637eacbda3e83d192b1126fc3970c4f50d.camel@collabora.com>
         <c3d14f64-bf04-46b9-ac7b-af7ef9014335@xs4all.nl>
         <CA+ddPcPbox=mknpmDkwfYTfDMca49wU10SNF3mJspYu=5T64FQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.48.4 (3.48.4-1.fc38) 
MIME-Version: 1.0
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Thu, 21 Sep 2023 14:14:26 -0700 (PDT)

Le mercredi 20 septembre 2023 =C3=A0 11:20 -0700, Jeffrey Kardatzke a =C3=
=A9crit=C2=A0:
> > >=20
> > > Also, regarding MTK, these are stateless decoders. I think it would b=
e nice to
> > > show use example code that can properly parse the un-encrypted header=
, pass the
> > > data to the decryptor and decode. There is a bit of mechanic in there=
 that lacks
> > > clarification, a reference implementation would clearly help. Finally=
, does this
> > > platform offers some clearkey implementation (or other alternative) s=
o we can do
> > > validation and regression testing? It would be very unfortunate to ad=
d feature
> > > upstream that can only be tested by proprietary CDM software.
> >=20
>=20
> It would be possible to use this with clearkey w/ some additional work
> on our end. If this is then part of the public ChromiumOS build, would
> that be satisfactory? (the TEE would have some binary blob components
> like firmware does though)

From my point of view, this would fully cover my concern. To clarify this
concern, the  decryption into secure memory currently only ever take place =
in
proprietary code that implements the protection (Widewine CDM). With clear =
key,
we can have an open source CDM (made for testing purpose) so that we don't =
have
to have hidden code to test the entire pipeline. So appart from the TEE
firmware, which is just a firmware like all the others, we could have open
source tests in kernelCI and other CI, and we could extend these test to
eventually support other vendors.

Note that currently, with other proposal, one could allocate and fill a nor=
mal
buffer, and "secure" that buffer to test the CODECs and display, but on thi=
s
specific architecture, with the limitation on the number of secure regions,=
 this
feature isn't available.

Alternatives to this end-to-end solution, we could consider a TA (Trusted
Application) that simply copy data from a untrusted chunk of memory into a
trusted chunk of memory. That seems like a cross-platform solution. It woul=
d be
even better if this get standardized in TEEs for course (or at least requir=
ed
with all secure memory implementation). Then copying from untrusted to trus=
ted
could easily become an ioctl generic to all TEE drivers. That to me would b=
e
equally acceptable, and perhaps easier to use.

Nicolas=20