The new cloud, AI, analytics, and edge usage models, with their exponential growth in data and connectivity, drive the evolution of high-bandwidth PCIe (Peripheral Component Interconnect Express) 5.0 and 6.0 and CXL (Compute Express Link) 2.0 and 3.0. In modern computational systems every component can be envisioned as an attack vector, especially PCIe and CXL components, which are part of the system's hardware root-of-trust chain. Protecting key assets such as the data integrity and confidentiality of consumers, businesses, and governments is a cornerstone of PCIe/CXL technology and architecture.
Imagine attacks using a logic analyzer or an interposer-type device, including, e.g., “rogue” Retimers, where the attacking device attempts to inject, delete, snoop, reorder, replay, or modify packet headers and observe payload data. Example attacks include delaying a flag write to bypass a data write, causing stale data to be accepted, or postponing a read to bypass a write to the same location, causing a stale value to be read.
IDE (Integrity and Data Encryption) provides security robustness against physical attacks and improves the security of link-to-link packets transmitted and received between two ports. It flexibly supports a variety of use models while providing broad interoperability. The cryptographic mechanisms are aligned with industry best practices and can be extended as security requirements evolve.
PCIe and CXL IDE Authentication
New ECNs, CMA (Component Measurement and Authentication) and DOE (Data Object Exchange), are introduced, and SPDM (Security Protocol and Data Model) leverages the DMTF (Distributed Management Task Force) ecosystem. SPDM defines a “toolkit” of message formats and sequences for authentication, measurement, and other security capabilities. CMA defines how SPDM is applied to PCIe devices/systems. DOE supports Data Object transport between host CPUs and PCIe components over PCIe, using DOE mailbox registers on the component. Here are the three steps of PCIe authentication; CXL follows the PCIe IDE ECN.
- The first step is to establish the authenticity and identity of the components containing the two partner ports that are to be the IDE terminuses of the IDE Stream. This is done using CMA/SPDM, in some cases by implementation-specific means, and in some cases implicitly.
- The second step is to establish the IDE Stream keys via IDE_KM (IDE Key Management), which builds upon SPDM.
- Third, the secure connection must be configured, and, finally, the establishment of the IDE Stream is triggered.
PCIe and CXL IDE Data Encryption
IDE provides confidentiality, integrity, and replay protection for TLPs in PCIe and for FLITs (Flow Control Units) in CXL. IDE relies on AES-GCM for encryption of the TLP Data Payload and for authenticated integrity protection of the entire TLP. Both PCIe and CXL support MAC aggregation to optimize the bandwidth utilized. Additionally:
- PCIe supports the Link IDE Stream, which applies to all TLP traffic, and the Selective IDE Stream, which applies to TLPs selectively and can pass through Switches. Each IDE Stream includes Sub-Streams distinguished by TLP type and direction: Posted Requests, Non-Posted Requests, and Completions.
- CXL.io IDE follows the PCIe IDE ECN. CXL.cache and CXL.mem IDE operate at FLIT granularity; all protocol FLITs are encrypted and integrity protected, supporting Containment mode and Skid mode.
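To make concrete what "encrypt the Data Payload, authenticate the entire TLP, and protect against replay" buys a defender against the interposer attacks described earlier (modify, replay, delete, reorder), here is an added Go example. It is not code from Cadence, the PCI-SIG, or the IDE ECN: it models one IDE Sub-Stream with AES-256-GCM from Go's standard library, where the TLP header travels in the clear (a Switch still has to route it) but is bound into the GCM tag as additional authenticated data, the payload is encrypted, and a per-Sub-Stream monotonic counter feeds the IV and is checked by the receiver. The key, the 12-byte header bytes, and the simplified counter-as-IV layout are constructed for illustration; the ECN's exact key derivation, IV format, and MAC aggregation are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample values: a 256-bit key (PCIe IDE uses AES-GCM with
// 256-bit keys) and a 12-byte Memory Write TLP header. Both are illustrative
// placeholders, not values captured from any real link.
var (
	SampleKey    = bytes.Repeat([]byte{0x42}, 32)
	SampleHeader = []byte{0x60, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x10, 0x00}
)

var (
	ErrReplay    = errors.New("ide: counter mismatch (replayed, deleted, or reordered TLP)")
	ErrIntegrity = errors.New("ide: GCM tag mismatch (header or payload modified)")
)

// SubStream models one IDE Sub-Stream (one TLP type in one direction). Each
// side keeps a counter: the transmitter uses it as the next IV, the receiver
// as the next expected IV. This follows the spec's per-Sub-Stream counter in
// spirit only; the ECN's exact key/IV layout is not reproduced (assumption).
type SubStream struct {
	aead    cipher.AEAD
	counter uint64
}

func NewSubStream(key []byte) (*SubStream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit IV, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &SubStream{aead: aead}, nil
}

// iv derives the 96-bit GCM IV from the counter. A (key, IV) pair must never
// be reused under GCM, which is why the counter only ever moves forward.
func iv(counter uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// ProtectedTLP is the on-the-wire form: header in the clear but covered by
// the tag as additional authenticated data, payload encrypted, and the
// 16-byte GCM tag appended to the ciphertext in Sealed.
type ProtectedTLP struct {
	Header  []byte
	Counter uint64
	Sealed  []byte
}

// Protect encrypts the payload and authenticates header and payload together.
func (s *SubStream) Protect(header, payload []byte) ProtectedTLP {
	ctr := s.counter
	s.counter++
	return ProtectedTLP{
		Header:  append([]byte(nil), header...),
		Counter: ctr,
		Sealed:  s.aead.Seal(nil, iv(ctr), payload, header),
	}
}

// Verify rejects an out-of-order counter before touching the ciphertext, then
// checks the tag over header and payload. Only an accepted TLP advances the
// receiver's counter, so a rejected forgery does not shift what is expected
// next; a deleted genuine TLP instead surfaces as a mismatch on the one after it.
func (s *SubStream) Verify(t ProtectedTLP) ([]byte, error) {
	if t.Counter != s.counter {
		return nil, ErrReplay
	}
	payload, err := s.aead.Open(nil, iv(t.Counter), t.Sealed, t.Header)
	if err != nil {
		return nil, ErrIntegrity
	}
	s.counter++
	return payload, nil
}

func main() {
	tx, _ := NewSubStream(SampleKey)
	rx, _ := NewSubStream(SampleKey)

	first := tx.Protect(SampleHeader, []byte("data write"))
	second := tx.Protect(SampleHeader, []byte("flag write"))

	_, err := rx.Verify(first)
	fmt.Println("in-order TLP:", err)

	tampered := second
	tampered.Header = append([]byte(nil), second.Header...)
	tampered.Header[8] ^= 0x01 // an interposer flips an address bit in the clear-text header
	_, err = rx.Verify(tampered)
	fmt.Println("modified header:", err)

	_, err = rx.Verify(first) // the already-accepted TLP is replayed
	fmt.Println("replayed TLP:", err)

	_, err = rx.Verify(second) // the genuine second TLP is still accepted
	fmt.Println("genuine second TLP:", err)
}
```

The header check is the point worth noticing: because the header is additional authenticated data rather than encrypted, a Switch can still route the TLP, yet flipping a single address bit in it invalidates the tag. The counter check is what turns the "delay a flag write" and "replay a stale write" scenarios from silent data corruption into a detectable stream error; a real implementation would move the stream to an insecure state on that error rather than simply returning it.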
IDE is a key feature that will help make PCIe Links secure. IDE adds latency and complexity to the existing PCIe IP stack and will be enhanced for the upcoming PCIe 6.0 and CXL 3.0 with the FLIT revisions. IDE further increases the complexity of the already intricate PCIe and CXL protocols, and Cadence offers comprehensive Verification IP solutions for both authentication and encryption to help you speed up the verification project while relying on the highest-quality and most mature verification tools in the market.
More Information:
- For more info on how Cadence PCIe Verification IP and TripleCheck enable users to confidently verify these new disruptive changes, see our VIP for PCI Express, VIP for Compute Express Link, and TripleCheck for PCI Express.
- For more information on PCIe in general, and on the various PCI standards, see the PCI-SIG website.