[Fuchsia] Use protected buffers in FuchsiaVideoDecoder

Previously FuchsiaVideoDecoder wasn't using protected memory even when
decoding protected content. Now it will use protected IO buffers for
protected content when protected graphics is enabled. Also added
force-protected-video flag in web_engine_config, which allows to
force protected buffers for video output buffers for all content.

Bug: 1014835
Change-Id: Id02bf310804ea05dea2deae7aa5ec47aa6010926
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1910283
Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
Reviewed-by: David Dorwin <ddorwin@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#714785}

fuchsia/engine/browser/web_engine_content_browser_client.cc

@@ -22,6 +22,7 @@
 #include "fuchsia/engine/common/web_engine_content_client.h"
 #include "fuchsia/engine/common/web_engine_url_loader_throttle.h"
 #include "fuchsia/engine/switches.h"
+#include "media/base/media_switches.h"
 #include "services/network/public/mojom/network_service.mojom.h"
 
 namespace {
@@ -137,7 +138,9 @@ void WebEngineContentBrowserClient::AppendExtraCommandLineSwitches(
   constexpr char const* kSwitchesToCopy[] = {
       switches::kContentDirectories,
       switches::kDisableSoftwareVideoDecoders,
+      switches::kEnableProtectedVideoBuffers,
       switches::kEnableWidevine,
+      switches::kForceProtectedVideoOutputBuffers,
       switches::kPlayreadyKeySystem,
   };
 

fuchsia/engine/context_provider_impl.cc

@@ -44,6 +44,7 @@
 #include "fuchsia/engine/switches.h"
 #include "gpu/command_buffer/service/gpu_switches.h"
 #include "media/base/key_system_names.h"
+#include "media/base/media_switches.h"
 #include "net/http/http_util.h"
 #include "services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.h"
 #include "third_party/widevine/cdm/widevine_cdm_common.h"
@@ -314,6 +315,13 @@ void ContextProviderImpl::Create(
 
   if (enable_protected_graphics) {
     launch_command.AppendSwitch(switches::kEnforceVulkanProtectedMemory);
+    launch_command.AppendSwitch(switches::kEnableProtectedVideoBuffers);
+    bool force_protected_video_buffers =
+        web_engine_config.FindBoolPath("force-protected-video-buffers")
+            .value_or(false);
+    if (force_protected_video_buffers) {
+      launch_command.AppendSwitch(switches::kForceProtectedVideoOutputBuffers);
+    }
   }
 
   if (enable_widevine) {

media/base/media_switches.cc

@@ -42,7 +42,7 @@ const char kReportVp9AsAnUnsupportedMimeType[] =
 const char kAlsaInputDevice[] = "alsa-input-device";
 // The Alsa device to use when opening an audio stream.
 const char kAlsaOutputDevice[] = "alsa-output-device";
-#endif
+#endif  // defined(OS_LINUX) || defined(OS_FREEBSD) || defined(OS_SOLARIS)
 
 #if defined(OS_WIN)
 // Use exclusive mode audio streaming for Windows Vista and higher.
@@ -64,12 +64,23 @@ const char kTrySupportedChannelLayouts[] = "try-supported-channel-layouts";
 
 // Number of buffers to use for WaveOut.
 const char kWaveOutBuffers[] = "waveout-buffers";
-#endif
+#endif  // defined(OS_WIN)
+
+#if defined(OS_FUCHSIA)
+// Enables protected buffers for encrypted video streams.
+const char kEnableProtectedVideoBuffers[] = "enable-protected-video-buffers";
+
+// Forces protected memory for all output video buffers generated by
+// FuchsiaVideoDecoder, including unencrypted streams. Ignored unless
+// --enable-protected-video-buffers is also specified.
+const char kForceProtectedVideoOutputBuffers[] =
+    "force-protected-video-output-buffers";
+#endif  // defined(OS_FUCHSIA)
 
 #if defined(USE_CRAS)
 // Use CRAS, the ChromeOS audio server.
 const char kUseCras[] = "use-cras";
-#endif
+#endif  // defined(USE_CRAS)
 
 // For automated testing of protected content, this switch allows specific
 // domains (e.g. example.com) to skip asking the user for permission to share

media/base/media_switches.h

@@ -49,6 +49,11 @@ MEDIA_EXPORT extern const char kTrySupportedChannelLayouts[];
 MEDIA_EXPORT extern const char kWaveOutBuffers[];
 #endif
 
+#if defined(OS_FUCHSIA)
+MEDIA_EXPORT extern const char kEnableProtectedVideoBuffers[];
+MEDIA_EXPORT extern const char kForceProtectedVideoOutputBuffers[];
+#endif
+
 #if defined(USE_CRAS)
 MEDIA_EXPORT extern const char kUseCras[];
 #endif

media/filters/fuchsia/fuchsia_video_decoder.cc

@@ -14,6 +14,7 @@
 #include "base/bind.h"
 #include "base/bits.h"
 #include "base/callback_helpers.h"
+#include "base/command_line.h"
 #include "base/fuchsia/default_context.h"
 #include "base/fuchsia/fuchsia_logging.h"
 #include "base/location.h"
@@ -30,6 +31,7 @@
 #include "media/base/bind_to_current_loop.h"
 #include "media/base/cdm_context.h"
 #include "media/base/decryptor.h"
+#include "media/base/media_switches.h"
 #include "media/base/video_decoder.h"
 #include "media/base/video_decoder_config.h"
 #include "media/base/video_frame.h"
@@ -422,6 +424,20 @@ void FuchsiaVideoDecoder::Initialize(const VideoDecoderConfig& config,
       return;
   }
 
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableProtectedVideoBuffers)) {
+    if (decryptor_) {
+      decoder_params.set_secure_input_mode(
+          fuchsia::mediacodec::SecureMemoryMode::ON);
+    }
+
+    if (decryptor_ || base::CommandLine::ForCurrentProcess()->HasSwitch(
+                          switches::kForceProtectedVideoOutputBuffers)) {
+      decoder_params.set_secure_output_mode(
+          fuchsia::mediacodec::SecureMemoryMode::ON);
+    }
+  }
+
   decoder_params.set_promise_separate_access_units_on_input(true);
   decoder_params.set_require_hw(!enable_sw_decoding_);
 

media/fuchsia/cdm/fuchsia_cdm.cc

@@ -4,12 +4,14 @@
 
 #include "media/fuchsia/cdm/fuchsia_cdm.h"
 
+#include "base/command_line.h"
 #include "base/fuchsia/fuchsia_logging.h"
 #include "base/logging.h"
 #include "base/optional.h"
 #include "fuchsia/base/mem_buffer_util.h"
 #include "media/base/callback_registry.h"
 #include "media/base/cdm_promise.h"
+#include "media/base/media_switches.h"
 
 #define REJECT_PROMISE_AND_RETURN_IF_BAD_CDM(promise, cdm)         \
   if (!cdm) {                                                      \
@@ -266,8 +268,9 @@ std::unique_ptr<FuchsiaSecureStreamDecryptor> FuchsiaCdm::CreateVideoDecryptor(
     FuchsiaSecureStreamDecryptor::Client* client) {
   fuchsia::media::drm::DecryptorParams params;
 
-  // TODO(crbug.com/997853): Enable secure mode when it's implemented in sysmem.
-  params.set_require_secure_mode(false);
+  bool secure_mode = base::CommandLine::ForCurrentProcess()->HasSwitch(
+      switches::kEnableProtectedVideoBuffers);
+  params.set_require_secure_mode(secure_mode);
 
   params.mutable_input_details()->set_format_details_version_ordinal(0);
   fuchsia::media::StreamProcessorPtr stream_processor;

ui/ozone/platform/scenic/sysmem_buffer_collection.cc

@@ -447,6 +447,7 @@ bool SysmemBufferCollection::InitializeInternal(
   DCHECK(buffers_info_.settings.has_image_format_constraints);
 
   buffer_size_ = buffers_info_.settings.buffer_settings.size_bytes;
+  is_protected_ = buffers_info_.settings.buffer_settings.is_secure;
 
   // CreateVkImage() should always be called on the same thread, but it may be
   // different from the thread that called Initialize().
@@ -459,6 +460,7 @@ void SysmemBufferCollection::InitializeImageCreateInfo(
     VkImageCreateInfo* vk_image_info,
     gfx::Size size) {
   *vk_image_info = {VK_STRUCTURE_TYPE_IMAGE_CREATE_INFO};
+  vk_image_info->flags = is_protected_ ? VK_IMAGE_CREATE_PROTECTED_BIT : 0u;
   vk_image_info->imageType = VK_IMAGE_TYPE_2D;
   vk_image_info->format = VkFormatForBufferFormat(format_);
   vk_image_info->extent = VkExtent3D{size.width(), size.height(), 1};

ui/ozone/platform/scenic/sysmem_buffer_collection.h

@@ -119,6 +119,7 @@ class SysmemBufferCollection
   THREAD_CHECKER(vulkan_thread_checker_);
 
   size_t buffer_size_ = 0;
+  bool is_protected_ = false;
 
   base::OnceClosure on_deleted_;