Secure buffer proxy for ARC OEMCrypto

This adds support for sending a GPU Mojo interface to the OEMCrypto
daemon so that it can communicate with the GPU to get access to secure
buffers for storing decrypted content. The actual implementation of the
Mojo interface will be done in another CL.

BUG=b:62576736
TEST=E2E test w/ & w/out secure buffers work (used prototype for secure)

Change-Id: Ifb4677e3349530efd5115c0a81249e71cbdb2e2b
Reviewed-on: https://chromium-review.googlesource.com/671412Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Ken Rockot <rockot@chromium.org>
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>
Commit-Queue: Jeffrey Kardatzke <jkardatzke@google.com>
Cr-Commit-Position: refs/heads/master@{#502914}

chrome/browser/chrome_content_gpu_manifest_overlay.json

@@ -9,6 +9,7 @@
           "arc::mojom::VideoEncodeAccelerator",
           "arc::mojom::VideoEncodeClient",
           "chrome::mojom::ResourceUsageReporter",
+          "media::mojom::ProtectedBufferManager",
           "profiling::mojom::MemlogClient"
         ]
       }

chrome/browser/chromeos/arc/oemcrypto/arc_oemcrypto_bridge.cc

@@ -11,6 +11,8 @@
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "components/arc/arc_bridge_service.h"
 #include "components/arc/arc_browser_context_keyed_service_factory_base.h"
+#include "components/arc/common/protected_buffer_manager.mojom.h"
+#include "content/public/browser/gpu_service_registry.h"
 #include "mojo/edk/embedder/embedder.h"
 #include "mojo/edk/embedder/outgoing_broker_client_invitation.h"
 #include "mojo/edk/embedder/platform_channel_pair.h"
@@ -78,11 +80,11 @@ void ArcOemCryptoBridge::OnBootstrapMojoConnection(
     // it as an error.
     DVLOG(1) << "ArcOemCryptoBridge had a failure in D-Bus with the daemon";
     // Reset this so we don't think it is bound on future calls to Connect.
-    oemcrypto_host_ptr_.reset();
+    oemcrypto_host_daemon_ptr_.reset();
     return;
   }
   DVLOG(1) << "ArcOemCryptoBridge succeeded with Mojo bootstrapping.";
-  oemcrypto_host_ptr_->Connect(std::move(request));
+  ConnectToDaemon(std::move(request));
 }
 
 void ArcOemCryptoBridge::Connect(mojom::OemCryptoServiceRequest request) {
@@ -105,9 +107,9 @@ void ArcOemCryptoBridge::Connect(mojom::OemCryptoServiceRequest request) {
     return;
   }
 
-  if (oemcrypto_host_ptr_.is_bound()) {
+  if (oemcrypto_host_daemon_ptr_.is_bound()) {
     DVLOG(1) << "Re-using bootstrap connection for OemCryptoService Connect";
-    oemcrypto_host_ptr_->Connect(std::move(request));
+    ConnectToDaemon(std::move(request));
     return;
   }
   DVLOG(1) << "Bootstrapping the OemCrypto connection via D-Bus";
@@ -126,12 +128,13 @@ void ArcOemCryptoBridge::Connect(mojom::OemCryptoServiceRequest request) {
   // Bind the Mojo pipe to the interface before we send the D-Bus message
   // to avoid any kind of race condition with detecting it's been bound.
   // It's safe to do this before the other end binds anyways.
-  oemcrypto_host_ptr_.Bind(
-      mojo::InterfacePtrInfo<mojom::OemCryptoHost>(std::move(server_pipe), 0u));
-  DVLOG(1) << "Bound remote OemCryptoHost interface to pipe";
-  oemcrypto_host_ptr_.set_connection_error_handler(
-      base::Bind(&mojo::InterfacePtr<mojom::OemCryptoHost>::reset,
-                 base::Unretained(&oemcrypto_host_ptr_)));
+  oemcrypto_host_daemon_ptr_.Bind(
+      mojo::InterfacePtrInfo<arc_oemcrypto::mojom::OemCryptoHostDaemon>(
+          std::move(server_pipe), 0u));
+  DVLOG(1) << "Bound remote OemCryptoHostDaemon interface to pipe";
+  oemcrypto_host_daemon_ptr_.set_connection_error_handler(base::Bind(
+      &mojo::InterfacePtr<arc_oemcrypto::mojom::OemCryptoHostDaemon>::reset,
+      base::Unretained(&oemcrypto_host_daemon_ptr_)));
   chromeos::DBusThreadManager::Get()
       ->GetArcOemCryptoClient()
       ->BootstrapMojoConnection(
@@ -140,4 +143,14 @@ void ArcOemCryptoBridge::Connect(mojom::OemCryptoServiceRequest request) {
                      weak_factory_.GetWeakPtr(), base::Passed(&request)));
 }
 
+void ArcOemCryptoBridge::ConnectToDaemon(
+    mojom::OemCryptoServiceRequest request) {
+  // Get the Mojo interface from the GPU for dealing with secure buffers and
+  // pass that to the daemon as well in our Connect call.
+  media::mojom::ProtectedBufferManagerPtr gpu_buffer_manager;
+  content::BindInterfaceInGpuProcess(mojo::MakeRequest(&gpu_buffer_manager));
+  oemcrypto_host_daemon_ptr_->Connect(std::move(request),
+                                      std::move(gpu_buffer_manager));
+}
+
 }  // namespace arc

chrome/browser/chromeos/arc/oemcrypto/arc_oemcrypto_bridge.h

@@ -11,6 +11,7 @@
 
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "components/arc/common/oemcrypto.mojom.h"
+#include "components/arc/common/oemcrypto_daemon.mojom.h"
 #include "components/arc/instance_holder.h"
 #include "components/keyed_service/core/keyed_service.h"
 #include "mojo/public/cpp/bindings/binding.h"
@@ -46,10 +47,11 @@ class ArcOemCryptoBridge
  private:
   void OnBootstrapMojoConnection(mojom::OemCryptoServiceRequest request,
                                  chromeos::DBusMethodCallStatus result);
+  void ConnectToDaemon(mojom::OemCryptoServiceRequest request);
 
   ArcBridgeService* const arc_bridge_service_;  // Owned by ArcServiceManager.
   mojo::Binding<mojom::OemCryptoHost> binding_;
-  mojom::OemCryptoHostPtr oemcrypto_host_ptr_;
+  arc_oemcrypto::mojom::OemCryptoHostDaemonPtr oemcrypto_host_daemon_ptr_;
 
   // WeakPtrFactory to use for callbacks.
   base::WeakPtrFactory<ArcOemCryptoBridge> weak_factory_;

components/arc/BUILD.gn

@@ -172,10 +172,12 @@ mojom("arc_bindings") {
     "common/notifications.mojom",
     "common/obb_mounter.mojom",
     "common/oemcrypto.mojom",
+    "common/oemcrypto_daemon.mojom",
     "common/policy.mojom",
     "common/power.mojom",
     "common/print.mojom",
     "common/process.mojom",
+    "common/protected_buffer_manager.mojom",
     "common/scale_factor.mojom",
     "common/screen_rect.mojom",
     "common/storage_manager.mojom",

components/arc/common/oemcrypto.mojom

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// The original version of this file lives in the Chrome OS repository at:
-// src/platform/arc-oemcrypto/mojo/oemcrypto.mojom
+// The original version of this file lives in the Chromium repository at:
+// src/components/arc/common/oemcrypto.mojom
 
 // This file defines the mojo interface between Android, Chrome and the
 // Chrome OS daemon for the Widevine L1 OEMCrypto implementation used in ARC++.
@@ -56,9 +56,11 @@ enum OemCryptoResult {
 };
 
 struct OemCryptoSecureBuffer {
-  // TODO(jkardatzke): Add a comment which explains what the buffer_handle
-  // means once the specific implementation is determined.
-  uint64 buffer_handle;
+  // buffer_handle should be passed to the ProtectedBufferManager service in
+  // the GPU in order to retrieve the shared memory handle that corresponds
+  // to the actual secure buffer. It should then be mapped and data written at
+  // offset up until offset + max_length.
+  handle buffer_handle;
   uint32 max_length;
   uint32 offset;
 };
@@ -125,6 +127,8 @@ enum OemCryptoHdcpCapability {
   HDCP_NO_DIGITAL_OUTPUT = 0xFF,
 };
 
+// This is the interface that implements all the calls that map to the
+// OEMCrypto API itself.
 // Next method ID: 36
 interface OemCryptoService {
   Initialize@0() => (OemCryptoResult result);

components/arc/common/oemcrypto_daemon.mojom

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// The original version of this file lives in the Chromium repository at:
+// src/components/arc/common/oemcrypto_daemon.mojom
+
+// This file defines the mojo interface used between Chrome and the Chrome OS
+// daemon for establishing the connection from Android to the Chrome OS
+// daemon. This is used so Chrome can proxy the OemCryptoService implementation
+// over to the daemon and then also hand the daemon a Mojo connection to the
+// GPU process for dealing with secure buffers.
+
+module arc_oemcrypto.mojom;
+
+import "oemcrypto.mojom";
+import "protected_buffer_manager.mojom";
+
+// OemCryptoHostDaemon is implemented by the OemCrypto daemon running in
+// Chrome OS and has Connect called from the Browser process in Chrome.
+// Next Method ID: 1
+interface OemCryptoHostDaemon {
+  Connect@0(arc.mojom.OemCryptoService& oemcryptor,
+            media.mojom.ProtectedBufferManager protected_buffer_manager);
+};

components/arc/common/protected_buffer_manager.mojom

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// The original version of this file lives in the Chromium repository at:
+// src/components/arc/common/protected_buffer_manager.mojom
+
+module media.mojom;
+
+// This interface is exposed by the GPU process for translating dummy handles
+// for secure buffers into a usable shared memory handle. The output of a
+// decryption operation can then be written to that shared memory and will be
+// consumed by the video decoder in the GPU.
+// NOTE: This does not use a shared memory handle for the return type
+// because of incompatibilities between Chrome and Chrome OS mojo versions
+// regarding the structure used for sending shared memory handles.
+// Next Method ID: 1
+interface ProtectedBufferManager {
+  GetProtectedSharedMemoryFromHandle@0(handle dummy_handle)
+      => (handle shared_memory_handle);
+};