// Copyright 2022-2024 The Khronos Group Inc. // // SPDX-License-Identifier: CC-BY-4.0 = VK_EXT_pipeline_protected_access :toc: left :refpage: https://www.khronos.org/registry/vulkan/specs/1.3-extensions/man/html/ :sectnums: This proposal regards pipeline access to protected memory, and provides the means for applications to distinguish between pipelines that do and do not access protected memory. == Problem Statement Currently, access to protected memory is enabled with the `VkPhysicalDeviceProtectedMemoryFeatures::protectedMemory` feature. As this feature is enabled on the device, every pipeline created by the driver may be used to access protected memory. For some vendors, this has negative ramifications on the performance of pipeline creation and/or execution. Some applications may require access to protected memory in a handful of pipelines while the rest of the pipelines do not. In some cases, it may not be known at device creation time whether protected memory access would be necessary, for example in an OpenGL layer over Vulkan. Enabling the `protectedMemory` feature in such applications could lead to reduced performance with every pipeline instead of only those that do in fact access protected memory. This proposal addresses this problem by allowing applications to specify protected memory access in pipeline granularity. == Solution Space The proposed solution is a new Vulkan extension that allows the application to specify whether and how each individual pipeline may access protected memory. === Per Pipeline Protected Access Flag A `VkPipelineCreateFlagBits` flag can be specified to disallow the pipeline from being used in a protected command buffer and submission. An additional `VkPipelineCreateFlagBits` flag could restrict the usage of a pipeline to protected command buffers. Pros: - Simple to use Cons: - If protected access is required for only one kind of resource, for example a protected buffer, the use of a single boolean disallows optimizations that could be applicable to access to other kinds of resources. === Per Usage Access Flags An alternative could be to provide the usages that may require protected memory access when creating a pipeline; a set of `VkBufferUsageFlags` and `VkImageUsageFlags` flags. Pros: - Specifying protected access to one usage does not disallow optimizations to accesses to unprotected resources that are used differently. Cons: - If many resources with the same usage are accessed, but not all need to be protected, access to all of them may be suboptimal. === Per Resource Access Flags Ultimately, the application could specify exactly which resources may be protected; a flag for each render pass attachment, a flag for each binding in the descriptor set layout, a flag for each vertex binding, etc. Pros: - This can theoretically lead to the most efficient pipeline that only pays a potential penalty for access to the exact resources that use protected memory. Cons: - This is considerably more complex, requiring flags added to numerous places. == Proposal In practice, pipelines that actually access protected memory are scarce and rarely, if ever, access a mixture of protected and unprotected resources of the same kind. Additionally, on some hardware, not all combinations of protected access for input and output resources are possible. As such, the first solution is adopted in this extension, serving the needs of all known users without introducing unnecessary complexity. === Features [source,c] ---- typedef struct VkPhysicalDevicePipelineProtectedAccessFeaturesEXT { VkStructureType sType; void* pNext; VkBool32 pipelineProtectedAccess; } VkPhysicalDevicePipelineProtectedAccessFeaturesEXT; ---- - `pipelineProtectedAccess` specifies that per-pipeline protected access can be specified. When this feature is enabled, pipelines can be flagged as not accessing protected resources (as otherwise is assumed by the `protectedMemory` feature). Such pipelines are not allowed to be bound to protected command buffers. Conversely, they can be flagged such that they can only be bound to protected command buffers. === Pipeline Creation To create a pipeline that will not access protected memory, and that cannot be used in a protected command buffer and submission, specify the `VK_PIPELINE_CREATE_NO_PROTECTED_ACCESS_BIT_EXT` create flag. To create a pipeline that may access protected memory, and that cannot be used in a non-protected command buffer and submission, specify the `VK_PIPELINE_CREATE_PROTECTED_ACCESS_ONLY_BIT_EXT` create flag. == Issues === RESOLVED: How should the `pipelineProtectedAccess` feature interact with `protectedMemory`? The `pipelineProtectedAccess` feature allows pipelines to be restricted to or excluded from access to protected resources. Without the `protectedMemory` feature, there cannot be any protected resources to begin with. As such, enabling the `pipelineProtectedAccess` feature without the `protectedMemory` is ineffective, but is nevertheless not incorrect. === RESOLVED: Should the `pipelineProtectedAccess` feature allow pipelines to opt into protected access or out of it? Both, with the default retaining current Vulkan behavior. This is necessary to make sure that the mere act of enabling the `pipelineProtectedAccess` feature does not break existing code. Opt-in is supported in addition to opt-out to help platforms where the specific knowledge that a pipeline is only used with protected command buffers leads to possible optimizations. === RESOLVED: Should links between protected and unprotected pipeline libraries be allowed? No. The linked pipeline could not be considered protected in that case, as parts of it has been created without the necessary flag. And if the result is an unprotected pipeline, it is not useful (or efficient) to create parts of it as protected.