This change renames the IMemory raw pointer accessors to
unsecure*() to make it apparent to coders and code reviewers
that the returned buffer may potentially be shared with
untrusted processes, who may, after the fact, attempt to
read and/or modify the contents. This may lead to hard-to-find
security bugs and hopefully the rename makes it harder
to forget.
The change also attempts to fix all the callsites to make
everything build correctly, but in the process, wherever the
callsite code was not obviously secure, I added a TODO requesting
the owners to either document why it's secure or to change the
code. Apologies in advance to the owners if there are some false
positives here - I don't have enough context to reason about all
the different callsites.
Test: Completely syntactic change. Made sure code still builds.
Change-Id: I5fb99aa797c488406083178a6b05355d98710d3b

Since these were combined into libhidlbase.
Bug: 135686713
Test: build only (libhwbinder/libhidltransport are empty)
Change-Id: I6cc85a91afb603e31b85090917f9f3b59d82a4d1

This does two things:
- makes sure that HALs configured as lazy HALs will be retrieved
- will detect bad manifest entries earlier
Bug: 131703193
Test: boot
Change-Id: I69fb80b023cc17f94e4f6a10203ee077a5e61e19

Fix inconsistent naming of offline license states
bug:120489407
bug:120488811
test:cts and gts media tests
Change-Id: I8473211d96383977ad33e4bd770fc4c71d9bd15f

When the system partition is a later version than vendor,
new MediaDrm APIs will not have HAL implementations. In
this case throw java.lang.UnsupportedOperationException.
bug:110701831
bug:123375769
test: cts media test cases, gts media tests
Change-Id: Ib631bf4d4d245d857e61bd3fe0e5808e430a034d

To support lazy drm HALs, libmediadrm needs to list all available HALs
that are defined in the manifest. Otherwise, it will only list HALs that
are currently running. This change is necessary because lazy HALs do not
run until they are requested. Without this change, libmediadrm would not
be aware that the lazy HALs are present, and it would not know to call
getService() to start them.
Test: Run gts
Bug: 112386116
Change-Id: I9b41c60d574b9c8c857b8838a5bbdc64388c9ddb

New codes are being added to handle resource
contention, lost session state, frame size too
large and insufficient security level for
decryption. Also cleans up inconsistent use of
tamper detected error where invalid state error
should have been used.
bug:111504510
bug:111505796
test:cts and gts media test cases
Change-Id: I28ca04cdc8ce64047d189fcf4d59bab24208e1a7

Before, it was possible for mPlugin, mPluginV1_1, and mPluginV1_2 to be
assigned to different plugins. Now, they are guaranteed to always point
to the same object. Also to be safe, mPlugin is set to NULL if there is
an initialization error.
Test: Run gts on blueline
Bug: 112386116
Bug: 121382196
Change-Id: Ie3ff7369e0c66d4502fab3f4a1d18b2882140143

When clearHeapBase is called after a plugin is
closed, a null pointer is dereferenced. Protect
against it with a null pointer check.
Test: GTS media tests, check logcat for faults
bug:80434750
Change-Id: Ib568694c44fe22887c3db4f88e67cb598fd9e36a

CryptoHal in mediadrmserver was not releasing the
shared memory allocated remotely in the drm HAL
module until the HAL was closed, which could cause
shared memory allocation failures in situations
where multiple memory regions get mapped during
playback. This change releases the shared mapping
in the HAL when it is no longer needed.
bug:80104026
test:
1. manual tests with logging to ensure
shared memory is released
2. gts media tests on walleye
Change-Id: Ie2f306bce6aec697ae584da3f55b3cf72edaa07b

CryptoHal was not checking that the memory heap set by setHeap
was the same one that was actually used for the decrypt call, allowing
the caller to spoof the decrypt call into accessing arbitrary memory.
bug:76221123
test: mediadrmserverpoc included in the bug & GTS media tests
Change-Id: I35214a1a6d0a4b864123e147d1a1adc2377bfbc5
Merged-in: I4ae6d1080be406bf53e3617c59c75206cc5066c6

CryptoHal was not checking that the memory heap set by setHeap
was the same one that was actually used for the decrypt call, allowing
the caller to spoof the decrypt call into accessing arbitrary memory.
bug:76221123
test: mediadrmserverpoc included in the bug & GTS media tests
Change-Id: I35214a1a6d0a4b864123e147d1a1adc2377bfbc5

A method in CryptoHal was not checking the
hidl transaction status which causes an abort
if the transaction fails.
bug:79170524
test:gts media tests, netflix playback
Change-Id: Ia58500f0f2c64f987809360d3d7ead810ee01180

This is a trivial fix for an incorrect check.
Bug: 77262269
Test: Re-ran unit tests and GTS tests. Verified Google Play.
Change-Id: I807d8488f65c60c03779064cb92bbbd6c60267e4

This changes slightly the way metrics are converted from the HIDL
interface to the MediaDrm interface. This provides a cleaner
representation for querying metrics.
Bug: 73724453
Test: New and existing unit tests. Updated and existing GTS. Google Play
manual.
Change-Id: I9be170784a19ca3e89add53cea1cdfcaad6d65eb

Two methods in DrmHal were not checking the
hidl transaction status which causes an abort
if the transaction fails.
Change-Id: Ie4b6d4ae6507f073efa55412c21ceba317e2881d
related-to-bug:78646354
test:gts media tests, netflix playback

In the onTransact DECRYPT case, the allocated subSamples
are not freed when we encounter an error. Use unique_ptr
to manage memory instead.
Test: Play Movies & TV, Netflix
Test: Gts
bug: 73628269
Change-Id: I36b7deeff0380ee3be31ad5f93a5598cfe02e381

Uses an updated proto model that's more efficient for serialization.
Test: Unit tests, google play and CTS tests.
Bug: 73724218
Change-Id: I936bc18216c0c67de580424b4c62344d94be6b38

Some drm HAL methods were not properly checking
their hidl Return<Status> values which would cause
aborts in some cases. This CL adds checks as needed
Test: GTS media tests
bug:73500808
Change-Id: I47ae0f82d4e614b1e78923ed48fbe4c024df5d71

Adds support to fetch metrics from vendor and convert them to a proto
bundle returned from a call to getMetrics.
Bug: 64001676
Test: CTS test for metrics and GPlay test
Change-Id: I05634dd1bf092e64e2d0e77c4c0e243340af48e3

Relocate drm and crypto headers from media
to mediadrm to have finer grained ownership
bug:73556221
Change-Id: I7d1b5944f261f9b1fdeed7605e4c0b4b4ca43e1a

closeAllSessions() was calling into the hidl interface closeSession
directly, and neglected to check the return status which resulted in
an abort. Instead, call the DrmHal::closeSession() method which handles
the hidl return status correctly.
Test: gts media tests
bug:72400509
Change-Id: I697997eb73ef6d8746fe695509671c4695124cee

Adds proto serialization and logging support for media drm framework metrics.
Bug: 64001676
Test: Ran CTS tests, unit tests and Google Play.
Change-Id: Ie350ac93caa6b35610eb63e4acc860c8e8a5cf5b

Some metrics required a conversion to using PersistableBundle to support
slightly richer structure (lists, and nested PBs).
BUG: 64001676
Test: Ran updated CTS test and verified Google Play works.
Change-Id: I8f8d67ba04b234f2ac5ac348a8945e20837f98d6

This change in DrmHal allows us to transfer a PersistableBundle containing
previously unavailable metrics.
Bug: 64001676
Test: CTS test for metrics and GPlay test
Change-Id: I1fa87c76dd980a3f91b4e2d02b37329f6c0a88ec

Vendors implementing the newly added MediaDrm.setSecurityLevel
HAL found that it was difficult to implement properly. Also the
semantics are somewhat ambiguous from the Java platform API
level. This CL binds the security level assignment to openSession
which clarifies the API for apps as well as making it more
natural to implement in HAL modules.
bug:72831697
bug:64001680
test: VtsHalDrmV1_1TargetTest, GTS media tests
Change-Id: Iaa07727be86ec2bc92be907d5a48c92136dc2014

Also check for NULL mDrmPlugin before casting to V1_1.
Test: Play Movies and NetFlix
bug: 72687425
Change-Id: I47aa18730332a17860b7e27440d417ffd612810f

This reverts commit 09a90ab544.
Fix for regressed b/72666743
Test: manual test to confirm problem is fixed.
See bug for repro steps.
Change-Id: Ifac9a2c3a3a92063d544e39ace48ab14c90b8050

the 'finalized' concept didn't pan out -- remove references to it.
Simplifies the code flow.
Also purged some uses of generateSessionID().
Bug: 71874686
Test: logcat/dumpsys
Change-Id: I39e48526a5696158d8195f47154881ca6ecda266

Methods are needed to release a secure stop by ID and
return a list of secure stops.
Tests: gts media tests
bug:67361434
bug:64001680
Change-Id: If6cb180cb4d2e3b655028955d105aee0cb8d70b6

The metric names need to be consistent with related APIs (e.g.
MediaCodec#getMetrics). Those APIs use dot separators rather than
slashes.
Bug 64001676
Test: Re-ran CTS, unit tests. Smoke with GPlay Movies.
Change-Id: I606e4c4bcbf630d584b9dea80471ad256764a42b

Adds nearly all of the remaining specified framework level metrics.
Also adds a basic unit test to verify that metrics are exported
correctly. A follow-up CL will update the CTS test to touch all metric
values in DrmHal.
BUG: 64001676
Test: New unit test. Smoke tested with GPlay/Walleye.
Change-Id: I4df90675ae304d3c62b7886537328b3d848fd77c

Adds an EventMetric class, associated unit tests, and an instance of the
EventMetric to DrmHal. Also added a unit test for CounterMetric and
created a class to hold all of the future metric instances.
BUG: 64001676
Test: Added and ran unit tests. Also added a CTS test case.
Change-Id: Ic94bedd5f8293a58a939613a4ae69ce656a772be

closeAllSessions() was calling into the hidl interface closeSession
directly, and neglected to check the return status which resulted in
an abort. Instead, call the DrmHal::closeSession() method which handles
the hidl return status correctly.
Test: gts media tests
bug:72400509
Change-Id: I444be998702aeaca2905ddf560a5138d5775a316

This adds a new class CounterMetric which is used to hold metric
information. It also adds a single use case for recording and
reporting a counter metric.
BUG: 64001676
Test: Added and ran a new test for the specific CounterMetric use case.
Change-Id: I39cab8328f135e579f80b6c2fab721da5f569795

Two additional KeyRequestTypes have been added, None and Update. None
indicates that no key request is needed as keys have already been
loaded. Update indicates that while keys have previously been loaded,
an additional (non-renewal) license request is needed.
Bug: 70335058
Test: GtsMediaTestCases
Change-Id: I36a8b334c70140098a01e4a3bea3159fc0a4584f

Methods for querying HDCP, security levels and
number of sessions
bug:64001680
bug:33657579
Test: cts: MediaDrmMockTest, ClearKeySystemTest
gts: GtsMediaTestCases
Change-Id: I7c84df02ec33d305b6bd5ac7479922f87aa64863

Adds support for the new getMetrics call to the IDrm interface and the
DrmHal implementation. The implementation currently returns a dummy
metric collection. Follow-up CLs will flesh out the implementation.
Bug: 64001676
Test: Ran the new unit test created in a related CL; ran Google Play.
Change-Id: Ia6a3af5b59a30ca55267f7e3ba278a510fc8c81e

change from AString to std::string for how media.metrics handles
strings. This severs the dependency on libstagefright_foundation,
where AString is implemented, so we can integrate into places
which do not want to introduce a dependency on libstagefright_foundation.
Bug: 70805723
Test: compilation/linking, CTS subset
Change-Id: I66de971b6ec354444e06112607a2d7614084cef8