Name

    EXT_protected_textures

Name Strings

    GL_EXT_protected_textures

Contributors

    Maurice Ribble
    Mohan Maiya
    Craig Donner
    Alex Wong
    Jan-Harald Fredriksen
    Daniel Koch
    Prabindh Sundareson
    Jesse Hall
    Ray Smith
    Jonathan Putsman

Contact

    Jeff Leger (jleger 'at' qti.qualcomm.com)

IP Status

    No known IP claims.

Status

    Complete

Version

    May 17, 2017

Number

    OpenGL ES Extension #256

Dependencies

    OpenGL ES 3.0 is required.

    This extension requires the EGL_EXT_protected_content extension or
    similar.

    This extension is written against the OpenGL ES 3.2 specification.
    
    Interacts with EXT_sparse_texture.

Overview

    This extension requires another extension like EGL_EXT_protected_content to
    have created a protected context.  A protected context enables the
    driver to put the GPU into a protected mode where it is able to operate on
    protected surfaces.

    This extension enables allocating standard GL textures as protected
    surfaces. Previously these textures would have had to have been created as
    special EGL surfaces.  This allows use-cases such as depth, stencil, or
    mipmapped textures to be supported as destinations for rendering within
    a protected context.

    An explanation of undefined behavior in this extension:  Several places
    in this extension mention undefined behavior can result, which can
    include program termination.  The reason for this is because one way
    to handle protected content is by using a protected virtual to physical
    memory translation layer.  With this sort of solution a system may generate
    read or write faults when a non-protected context tries to access the
    buffer.  Depending on the system these faults might be ignored or they might
    cause process termination.  This undefined behavior should not include
    actually allowing copying any protected content to a non-protected surface.

    This extension does not guarantee that the implementation abides by a
    system's digital rights management requirements.  It must be verified beyond
    the existence of this extension that the implementation of this extension is
    trustworthy according to the requirements of a content protection system.

New Procedures and Functions

    None

New Tokens

    Returned by GetIntegerv when <pname> is CONTEXT_FLAGS:

        GL_CONTEXT_FLAG_PROTECTED_CONTENT_BIT_EXT       0x00000010

    Accepted as a value for <pname> for the TexParameter{if} and
    TexParameter{if}v commands and for the <value> parameter of
    GetTexParameter{if}v:

        GL_TEXTURE_PROTECTED_EXT                        0x8BFA

    Accepted as a value to <param> for the TexParameter{if} and
    to <params> for the TexParameter{if}v commands with a <pname> of
    TEXTURE_PROTECTED_EXT; returned as possible values for <data> when
    GetTexParameter{if}v is queried with a <value> of TEXTURE_PROTECTED_EXT:

        FALSE                                           0x0
        TRUE                                            0x1

Add the following to the end of section 8.18 (Immutable-Format Texture Images)
in the OpenGL ES 3.2 Specification:

    To use protected textures a context must be a protected context.
    To check if your context supports protected content you can
    query the context by calling GetIntegerv with pname CONTEXT_FLAGS, as
    described in section 20.2.

    Texture usage can be specified via the TEXTURE_PROTECTED_EXT value
    for the <pname> argument to TexParameter{if}[v]. In order to take effect,
    the texture usage must be specified before the texture contents are
    defined by TexStorage*.

    Possible values for <params> when <pname> is TEXTURE_PROTECTED_EXT are:

    FALSE - the default. The texture is not protected.

    TRUE - the texture is protected.

    The definition of protected and non-protected access is up to the
    implementation and is out of scope of this specification.  To read/write a
    protected surface, it is required that the context also be protected.

    CONTEXT_FLAG_PROTECTED_CONTENT_BIT_EXT is set when the context is
    created in protected mode with an extension such as
    EGL_EXT_protected_context.

Add a new section "Protected Content" to Chapter 2 "OpenGL ES Operation":

    If the context is protected, the pipeline stages are executed in the
    following manner:
    - The fragment stage is always protected
    - For all other stages, it is implementation defined whether that stage is
    protected or not protected.

    Permitted operations in protected and not protected mode are out of the
    scope of this specification. Refer to EGL_EXT_protected_context, if
    applicable, for more information.

Add a new row to Table 8.19 (Texture parameters and their values):

    Name                  | Type | Legal Values
    ------------------------------------------------------------
    TEXTURE_PROTECTED_EXT | bool | FALSE, TRUE

Errors

    If TexParameter{if} or TexParamter{if}v is called with a <pname>
    of TEXTURE_PROTECTED_EXT and the value of <param> or <params> is not
    TRUE or FALSE the error INVALID_VALUE is generated.

    [[ The following is only added if EXT_sparse_texture is supported. ]]
    
    Add to the errors that may be generated by TexStorage*:

        An INVALID_OPERATION error is generated if the texture's
        TEXTURE_SPARSE_EXT parameter is TRUE and the value of its
        TEXTURE_PROTECTED_EXT parameter is TRUE.  

Issues
    1) Should this work with all texture functions or only the new texture
    storage allocations?

    RESOLVED - Only supporting a new texture storage allocation method is much
    simpler than trying to alter every texture-related entry-point.


    2) Some paths like TexSubImage may have GPU and CPU paths.  Should those
    types of operations be supported in this extension.

    PROPOSED - Yes.  While protected surfaces can't be updated with
    non-secure GPU/CPU operations, an implementation is expected to either use
    trusted GPU or CPU operations to accomplish this.

    3) What target should all the texture bind and parameter setting API calls
    use?

    RESOLVED - They will use the non *_PROTECTED targets.  This was done to
    reduce the amount of code change in apps.  The only calls using *_PROTECTED
    targets are the texStorage allocation calls.

    4) What happens if readPixels is performed on a protected surface?

    RESOLVED - Results will not actually get the surface data, but
    otherwise the results are undefined up to and including app termination.

    5) Can you create an EGLImage from a protected texture?

    RESOLVED - Yes, but only if the EGLImage is created in a protected context.

    6) Should all textures on a protected context be protected by default?

    RESOLVED - No, several implementations have limited amounts of protected
    memory so the API will require opting into protected memory.

    7) How should protected memory be exposed?

    RESOLVED - Options discussed where target *_PROTECTED, using
    TexStorage*WithFlags, and adding a new texture parameter.  The group decided
    to add a new texture parameter.

    8) If an FBO attachment is protected, must all of the attachments be
    protected?

    RESOLVED - Yes, if any of the FBO attachments are protected then they all
    must be protected or the results are undefined.  If this is being used
    in conjunction with the EGL_EXT_protected_content extension that extension
    states all outputs must be protected for a protected context, and that
    inputs can be mixed.

    9) Are occlusion, timer, and other types of queries allowed when using the
    the EGL_EXT_protected_content extension?

    RESOLVED - No, these will result in undefined behavior with this extension.
    These features require writing to a buffer and a protected context can only
    write to a protected surface.  There are no protected buffers so this isn't
    possible.  Even if there were protected buffers that data wouldn't be
    visible on the CPU.

    10) What is the interaction between EXT_protected_textures and
    EXT_sparse_texture?

    RESOLVED - It is forbidden to create a texture which is both protected and
    sparse.   This is problematic on some platforms and there is no known
    compelling use case.

Revision History

    Rev.    Date     Author    Changes
    ----  --------  --------  ----------------------------------------------
     1    03/07/16  mribble   Initial draft.
     2    03/10/16  mribble   Cleanup.
     3    03/18/16  mribble   Fix issues brought up by Khronos group.
     4    03/25/16  mribble   Changed to tex parameter method.  Other cleanup.
     5    03/30/16  mribble   Added issues 8 and 9.  Other cleanup.
     6    04/08/16  rsmith    Added section on Protected Content defining the
                              protection state of each pipeline stage, as
                              required by EGL_EXT_protected_content.
     7    04/10/16  mribble   Minor cleanup.
     8    04/11/16  mribble   Clarify issue 9.
     9    04/11/16  Jon Leech Add missing _EXT suffix to context flag.
     10   05/17/17  jleger    Add issue 10 and the corresponding error.
