Protecting Data over PCIe & CXL in Cloud Computing

Dana Neustadter, Sr. Product Marketing Manager for Security IP, Synopsys

Introduction

As more devices enter the market and drive exponential growth of data in the cloud, cloud computing is going through a significant overhaul. The increasing presence of “hyperscale” cloud providers for big data and analytics, 5G for rapid IoT connectivity, and the wide use of AI for natural data processing and for extracting insights, are compounding both the amount of connected data and the data vulnerability.

To keep up with the rapid data growth, designers are driving innovation in interface and storage technologies to support increased capacity and performance, as well as more acceleration and new compute architectures. High-speed interfaces like PCI Express® (PCIe®) 5.0/6.0 and Compute Express Link™ (CXL™) 2.0 are proliferating:

  • Faster data rates for cloud-based computing systems are setting the stage for PCIe 5.0 and PCIe 6.0, which are replacing  PCIe 4.0 interfaces
  • Storage/SSDs are moving to PCIe 5.0/6.0 interfaces
  • Data centers that typically deal with many bandwidth-hungry devices and vast shared memory pools are moving to CXL 2.0 interfaces 

How can system architects protect cloud data that contains confidential, sensitive, or critical information that can be corrupted, replaced, modified, or stolen by malicious actors? I/O interconnects need to implement security from the start of the design. With limited security, attackers might aim to profit from secrets learned, interfere with the operations of a targeted company, or obstruct a government agency. The types of hacks differ in nature and continue to evolve, like attacks from malicious peripherals delivered over PCIe links, or root access attacks to access memory of other processes to capture secrets and/or alter code execution.

In addition, industry is faced with increasing laws and regulations such as:

  • GDPR (Global Data Protection Regulation) in Europe that imposes steep fines on corporations if private user data is compromised
  • Health Insurance Portability and Accountability Act (HIPAA) in the US that stipulates how Personally Identifiable Information (PII) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft
  • Payment Card Industry Data Security Standard, and many others

As the attacks become more sophisticated, the security standards have to continuously adapt to better protect sensitive data and communications and ultimately protect our connected world. To this end, the PCI-SIG and CXL standards organizations added security requirements like Integrity and Data Encryption to PCIe 5.0 and CXL 2.0 specifications in late 2020. Security is expected to continue to be adopted for the next generation PCIe 6.0 and CXL 3.0 interconnects as well.

PCIe and CXL Security System Components

Security for PCI and CXL interfaces has two main components: 1) Authentication & Key Management, and 2) Integrity and Data Encryption (IDE), as depicted in Figure 1. 

PCIe & CXL security system level view

Figure 1: PCIe & CXL security system level view

Authentication & Key Management

Authentication and key management include functions like authentication, attestation, measurement, identification, and key exchange, all running in a trusted execution environment / secure module.

The main reference standard for authentication and key management is the Security Protocol and Data Module (SPDM) that is managed by the Distributed Management Task Force (DMTF). SPDM defines messages, data objects and sequences for performing message exchanges between devices over various transport and physical media and enables efficient access to security capabilities and operations. The message exchanges’ description includes authentication of hardware and measurement of firmware identities.

The PCI-SIG introduced two Engineering Change Notices (ECNs) for authentication and key management:

  • Component Measurement and Authentication (CMA) defines how SPDM is applied to PCIe/CXL systems
  • Data Object Exchange (DOE) supports data object transport over different interconnects

Integrity and Data Encryption (IDE)

IDE provides confidentiality, integrity and replay protection for Transaction Layer Packets (TLPs) for PCIe and Flow Control UnITs (FLITs) for CXL, ensuring that data on the wire is secure from observation, tampering, deletion, insertion and replay of packets. IDE is based on the AES-GCM cryptographic algorithm and receives keys from the Authentication & Key Management security component.

  • Reference standards
    • PCI-SIG: PCIe IDE ECN
    • CXL 2.0: IDE for CXL.cache/mem protocols. CXL.io protocol refers to PCIe IDE ECN.

PCIe & CXL IDE IP Solutions

When looking for PCIe and CXL solutions with security, it is important to consider optimized solutions from trusted IP providers that offer highest performance, lowest latency and optimal area, compliance with the latest standards and backed by experts.

Synopsys recently announced the industry’s first security modules for protecting data in high-performance computing systems-on-chip (SoCs) that use the PCIe 5.0 or CXL 2.0 protocols. The DesignWare® IDE Security Module IP for PCIe 5.0 or CXL 2.0 are already being deployed with hyperscaler cloud providers. The robust IDE Security Modules make it faster and easier for designers to protect against data tampering and physical attacks on links while complying with the latest versions of the interconnect protocols. The IDE Security Modules are designed and validated with DesignWare Controller IP for PCIe/CXL to accelerate SoC time-to-market while providing the configurability needed to adjust to the design’s specific use case.

With standards-compliant, plug-and-play DesignWare IDE Security Modules, designers can take advantage of:

  • Maximum throughput full-duplex for receiver and transmitter directions
  • Seamless integration with flexible data bus widths and the same clock configurations as the controllers
  • Efficient encryption, decryption, and authentication for TLPs for PCIe and FLITs for CXL, based on the AES-GCM cryptographic algorithm with 256-bit key size
  • Configurable widths for cipher and hash algorithms for area and latency optimized solutions
  • Efficient inflight key refresh for seamless changes of keys in the system
  • Low latency in-order bypass mode for non-protected traffic

Figure 2 depicts the DesignWare IDE Security Module for PCIe 5.0 block diagram, as well as the seamless pre-verification with the DesignWare PCIe 5.0 Controller IP to provide full solution, low risk and fast time-to-market for SoC designers.

DesignWare PCIe IDE Security Module block diagram & Integration with DesignWare PCIe Controller

Figure 2: DesignWare PCIe IDE Security Module block diagram & integration with DesignWare PCIe Controller

Similarly, Figure 3 depicts the DesignWare IDE Security Module for CXL 2.0 block diagram, as well as its pre-verification with the DesignWare CXL Controller.

DesignWare CXL IDE Security Module block diagram & integration with DesignWare CXL Controller

Figure 3: DesignWare CXL IDE Security Module block diagram & integration with DesignWare CXL Controller

Conclusion

With the tremendous data growth in our connected world, security is essential to protect private and sensitive information in data as it transfers across systems, including over high performance interconnects such as PCIe and CXL. Synopsys is uniquely positioned in the market with complete standards-compliant secure interface solutions that align with the latest technology demands and enable SoC designers to quickly implement the required security with low risk and fast time to market.

In addition to PCIe and CXL IDE Security Modules, Synopsys provides a broad portfolio of highly integrated security IP solutions that use a common set of standards-based building blocks and security concepts to enable the most efficient silicon design and highest levels of security for a range of products in the mobile, automotive, digital home, IoT and cloud computing markets.

Synopsys’ highly configurable security IP solutions include hardware secure modules with Root of Trust, content protection, cryptography, and security protocol accelerators for integration into SoCs. These integrated solutions enable the heart of many security standards, supporting confidentiality, data integrity, user/system authentication, non-repudiation, and positive authorization. Combined, Synopsys’ security IP solutions help prevent a wide range of evolving threats in connected devices such as theft, tampering, side channels attacks, malware and data breaches.