High-speed interfaces like PCI Express® (PCIe®) 5.0 and Compute Express Link™ (CXL™) 2.0 deliver the high throughput and low latency needed to support the real-time demands of cloud applications. As data traverses the interfaces from device to data center servers, it can be corrupted, replaced, modified, or stolen by malicious actors. Attackers might aim to profit from secrets learned, interfere with the operations of a targeted company, or obstruct a government agency, for example.
Both PCIe 5.0 and CXL 2.0 incorporate integrity and data encryption (IDE) functions that enhance the security each interface provides. For PCIe 5.0, the IDE functions provide confidentiality, integrity, and replay protection for transaction layer packets (TLPs). According to PCI-SIG, the cryptographic mechanisms are aligned to current industry best practices and can be extended as security requirements evolve. The security model considers threats from physical attacks on links. In CXL 2.0, the CXL Consortium has added link-level IDE to provide confidentiality, integrity, and replay protection for data transiting the CXL link.
Synopsys recently announced the industry’s first embedded security modules for protecting data in high-performance computing (HPC) systems-on-chip (SoCs) that use the PCIe 5.0 or CXL 2.0 protocols. DesignWare® IDE Security Modules provide a robust security solution that makes it faster and easier for designers to protect against data tampering and physical attacks on links while complying with the latest versions of these protocols. The Security Modules are designed and validated with DesignWare Controller IP to accelerate SoC integration while providing the configurability needed to adjust to the design’s specific use case.
With standards-compliant, plug-and-play DesignWare IDE Security Modules, designers can take advantage of:
- Flexible controller data bus widths and the same clock configurations as the controllers for seamless integration
- Efficient encryption, decryption, and authentication of PCIe TLPs and CXL flow control units (FLITs), based on 256-bit AES-GCM encryption
- Configurable widths for cipher and hash algorithms for area-optimized solutions
- Efficient, on-the-fly key refresh for seamless key changes in the system
While security for data center applications is multi-faceted, protecting data over the high-speed interfaces is a very important aspect. For example, network firewalls offer a security mechanism; however, firewalls on their own are not enough for strong protection and can also become bottlenecks that hamper data center performance. In the IDE Security Modules, the AES-GCM cryptographic algorithm provides the assurance that no one has seen or modified the data as it travels across the interfaces in a multitenant server. What’s more, the Security Modules also assure the low latency needed to keep up with performance demands of HPC and cloud applications.