In today’s hyper-connected world of seamlessly integrated devices, systems and infrastructure, cybersecurity threats are becoming more sophisticated every day. It is important that the industry continue to improve security protection starting at the hardware level. PCI Express® (PCIe®) technology can help address many of the unique security challenges that the enterprise IT industry faces.

In this blog, I will discuss the benefits of PCIe security features Integrity and Data Encryption (IDE) and Trusted Execution Environment Device Interface Security Protocol (TDISP), and how they will continue to evolve to meet the industry’s needs.

How PCIe Specification Security Features Address Security Challenges

The IDE and TDISP security features address security challenges by allowing protection of the PCIe Transaction Layer Packets (TLPs) for confidentiality, data integrity and replay. Transmitting TLPs across different chips or links and through switches or retimers requires protection to be carried across the entire PCIe network. Prompted by the industry’s drive to support disaggregated compute, PCIe connectivity is extending beyond the direct connect to a CPU across servers and server racks, and these links need to be protected against security risks.

PCIe architecture has primarily been used for local connectivity of peripherals to server CPUs, but in today’s advanced data centers, many peripherals now provide compute offload and transmit confidential data. We are also entering the age of disaggregation in compute, storage and other applications across the PCIe bus. Spreading out endpoints and hosts inadvertently provides the opportunity for attackers to interrupt or corrupt data transmissions for nefarious reasons, but PCIe architecture includes security features that address the need to protect the transmitted data.

The IDE engine uses a standard cryptography mode of operation referred to as AES-GCM. The PCIe communication packets are associated with different IDE streams. Each stream contains three sub-streams and each of these sub-streams could have its own encryption for authentication. The three sub-streams can be used to group TLP traffic as posted, non-posted or completion. These are three traffic profiles in PCIe technology that have different rules with respect to ordering and are used to optimize performance.  The three sub-streams allow the PCIe traffic performance to be optimized in the controller in a way that also works for the AES-GCM.

In conjunction with IDE, TDISP defines how the selective streams and respective encryption keys ensure secure management of the end-to-end interconnect between endpoints and host systems. This feature is important when the endpoint is not connected directly to the host but is downstream through PCIe retimer and/or switches. The TDISP allows the encryption key to follow the packets through the retimer and switch to the final destination, which is the endpoint, or from the endpoint back to the host.

Additionally, as part of TDISP, the TEE Security Manager (TSM) in the host and the Device Security Manager (DSM) in the device work together to measure and lock down Trusted Device Interfaces (TDIs) in the device. Functions provided by the DSM include authentication of device identities and measurement reporting, and configuring the IDE encryption keys in the device.

The DSM also provides device interface management for locking TDI configuration, reporting TDI configurations, attaching, and detaching TDIs from TVMs (Trusted Execution Environment Virtual Machine). Lastly, the DSM implements access control and security mechanisms to isolate TVM provided data from entities not in the TCB (Trusted Computing Base) of the TVM.   

Functions of the TSM include providing interfaces to the VMM (Virtual Machine Monitors) to assign memory, CPU, and TDI resources to TVMs; implementing security mechanisms and access controls to protect confidentiality and integrity of the data; using the TDISP protocol to manage the security state of the TDIs; and establishing/managing IDE encryption keys for the host and, if needed, scheduling key refreshes.

Evolution of PCIe Security Features

The PCIe specification security features will continue to advance as the industry learns more about PCIe technology connectivity and security. As security threats become more sophisticated every day, implementations of the specification will also expand proactively and reactively to thwart these threats.

The PCIe specification will further evolve to improve the usability and adoptability of the security standard, as well as to address performance implications because of adding security. For example, the PCIe 6.x specification introduced an Engineering Change Notice (ECN) describing enhanced downstream link security and improvements, including partial header encryption and FLIT mode support. Improving security protection at the hardware level in the security stack will help to keep data more secure and respond threats.

Learn More about PCIe Technology Security

For more information, view the following PCI-SIG resources:

• My new video “PCIe Technology and Security”
• The PCI-SIG webinar “Integrity and Data Encryption (IDE) ECN Deep Dive”
• The IDE and IO Security Updates blog
• The Trusted Execution Environments (TEEs) blog

Join PCI-SIG to learn more and contribute to the development of new PCIe security updates.