The tremendous data and bandwidth growth in the era of supercomputing is driving technological advances across markets and is reshaping system-on-chip (SoC) designs supporting new compute architectures, more acceleration, and more storage. As high-bandwidth interfaces including DDR, PCIe, CXL, Ethernet, HDMI and DisplayPort proliferate and evolve from one generation to the next, so does the security of the data and the systems involved. With more sensitive and private information collected and moved between devices and the cloud, it is critical to ensure a strong level of protection and alignment with the latest standards and regulations.
Whether protecting data-in-transit or data-at-rest in HPC, mobile, IoT and automotive SoCs, the security implementations need to be optimal, preserving the performance of the interfaces, while reducing the impact on latency and area.
Security is now taking center stage in the semiconductor industry, and all interfaces and data that move across them need to be secured. After all, an SoC is only as secure as its weakest entry point. This article describes some of the key secure interfaces that designers can leverage to protect SoCs in today’s connected world.
Figure 1: High Level SoC Diagram
For chip-to-chip and device-to-device connectivity, PCIe and CXL have added security such as Integrity and Data Encryption (IDE), which enables data confidentiality, integrity, and replay protection with AES-GCM cryptography. Memory interfaces such as DDR and LPDDR rely on AES-XTS cryptography for data encryption to ensure confidentiality. Ethernet, used for wired network connectivity and now expanding to cars, relies on Media Access Control Security (MACsec) for confidentiality, integrity, origin authentication, and replay protection. HDMI, DisplayPort and USB Type-C interfaces used for various displays require the latest version of High-Bandwidth Digital Content Protection (HDCP v2.3) for high-level protection of premium audio/video content. In addition to strong cryptography, HDCP v2.3 requires more stringent security mechanisms, including a hardware root of trust, a hardened execution environment, and runtime integrity checking. Off-chip flash storage like eMMC leverages AES-XTS for data confidentiality. In addition, the industry is defining new security standards for protocols such as MIPI and UCIe.
Typically, interface security involves two main components. The first, authentication and key management, applies to the control plane and, as the name implies, handles functions like authentication, creating and distributing keys, and access control. These functions need to run in a secure environment. The second addresses bulk integrity and data encryption between the endpoints. This is the data plane, where the solutions must support the specific interface bandwidths with optimal latency, area, and power.
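The following added example (not Synopsys code, and not taken from any of the interface specifications) models the control-plane/data-plane split and the integrity and replay protection described above. It assumes HMAC-SHA-256 as a standard-library stand-in for the AES-GCM authentication tag, leaves the payload unencrypted, and enforces strictly increasing packet numbers as a simplification; all names and sample frames are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated tag length in bytes (constructed choice)


def derive_session_key(master_secret: bytes, link_id: bytes) -> bytes:
    """Control plane: derive a per-link key once, after authentication."""
    return hmac.new(master_secret, b"link-key|" + link_id, hashlib.sha256).digest()


def protect(key: bytes, pn: int, payload: bytes) -> bytes:
    """Data plane, sender: frame = packet number || payload || tag."""
    header = struct.pack(">Q", pn)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Data plane, receiver: verify the tag, then enforce increasing packet numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_pn = 1  # lowest packet number still acceptable

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return "malformed", None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-tag", None
        (pn,) = struct.unpack(">Q", header)
        if pn < self.next_pn:  # authentic frame, but already seen
            return "replayed", None
        self.next_pn = pn + 1
        return "ok", payload


def demo():
    key = derive_session_key(b"constructed-master-secret", b"port0")
    rx = Receiver(key)
    f1 = protect(key, 1, b"write addr=0x10 data=AA")
    f2 = protect(key, 2, b"write addr=0x14 data=BB")
    tampered = f2[:-TAG_LEN - 1] + b"C" + f2[-TAG_LEN:]  # alter last payload byte
    return [rx.accept(f1)[0], rx.accept(tampered)[0], rx.accept(f2)[0], rx.accept(f1)[0]]


if __name__ == "__main__":
    print(demo())
```

The receiver checks the tag before the packet number, so a forged frame cannot advance the replay state.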
The sections below describe some of the key interfaces with integrated security features.
Figure 2: Synopsys Secure DDR5 Controller (DDRC) Block Diagram
Figure 3: Synopsys HDCP 2.3 Embedded Security Modules Integrated with Controllers
When configured for multi-port use cases, the HDCP ESMs include a single Authentication Engine, which services multiple ports in the Content Encryption / Decryption Engine for optimal area. The crypto cores are independently instantiated per content port to support the maximum transmission rates of HDMI 2.0, HDMI 2.1, DisplayPort 1.4 and DisplayPort 2.0 interfaces.