Integrity and Data Encryption (IDE) and IO Security Updates
With the ever-growing importance of security, we continue to see strong industry interest in Integrity and Data Encryption (IDE). As with any new technology, questions have been raised and addressed through new errata. This blog is intended to help ensure awareness and alignment regarding the updates throughout the PCI-SIG® community.
First, since the publication of the IDE Engineering Change Notice (ECN) in December 2020, several errata have been noted and corrected. The new errata have been integrated into a revised version of the ECN and published as Revision A. This is not a new ECN, but simply the application of the individual errata items to the published text. The errata are also documented individually in the recently published errata update for the PCI Express® (PCIe®) 5.0 Base Specification and are incorporated in the recently released PCI Express 6.0 Base Specification.
There have been several questions raised about the IDE Fail Message mechanism. In an actual attack scenario, an attacker who can tamper with Link traffic can just as easily suppress the IDE Fail Message, along with other Messages and other Link traffic, so the absence of a Fail Message tells the far end nothing. The IDE Fail Message is therefore more of an aid in debugging incorrectly configured systems than a first line of defense against real-world attacks; that defense is the integrity check itself, which causes a TLP that fails the check to be discarded at the receiving Port whether or not any notification ever reaches the other side.
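The following is an added illustration of that point, not PCI-SIG code and not the IDE TLP format: a toy model of an IDE stream in which HMAC-SHA256 over a per-stream counter and the payload stands in for IDE's AES-GCM tag, the Fail Message is a callback, and the wire between the two Ports can be told to corrupt a TLP and/or drop the Fail Message. All keys, payloads and the `Link`, `IdeTransmitter` and `IdeReceiver` classes are constructed for the example. Running the three scenarios shows that the far end sees no Fail Message both when the link is clean and when an attacker suppresses it, while the receiver rejects the tampered TLP in either case.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed toy model of an IDE-protected link (not PCI-SIG code).
# Real IDE uses AES-GCM with IDE-specific prefix/trailer fields; here
# HMAC-SHA256 over a counter and the payload stands in for that tag so the
# example runs with only the Python standard library.


@dataclass
class Tlp:
    payload: bytes
    tag: bytes


class IdeTransmitter:
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0  # stand-in for the per-stream IDE counter

    def send(self, payload: bytes) -> Tlp:
        # The counter never goes on the wire; both Ports track it in lockstep,
        # so a replayed, reordered or dropped TLP also fails the check.
        tag = hmac.new(self._key, self._counter.to_bytes(8, "big") + payload,
                       hashlib.sha256).digest()
        self._counter += 1
        return Tlp(payload, tag)


class IdeReceiver:
    def __init__(self, key: bytes, send_message):
        self._key = key
        self._counter = 0
        self._send_message = send_message  # how this Port emits an IDE Fail Message
        self.accepted: list[bytes] = []
        self.stream_secure = True  # simplified model of the IDE Stream state

    def receive(self, tlp: Tlp) -> bool:
        if not self.stream_secure:
            return False  # stream already failed; nothing further is accepted
        expected = hmac.new(self._key, self._counter.to_bytes(8, "big") + tlp.payload,
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, tlp.tag):
            self._counter += 1
            self.accepted.append(tlp.payload)
            return True
        # Integrity check failed: the TLP is discarded locally regardless of
        # whether anyone else ever hears about it. The Fail Message is only
        # the notification to the peer.
        self.stream_secure = False
        self._send_message(b"IDE_FAIL")
        return False


class Link:
    """The wire between the Ports; may corrupt TLPs and/or drop Messages."""

    def __init__(self, tamper: bool, suppress_fail: bool):
        self.tamper = tamper
        self.suppress_fail = suppress_fail
        self.messages_reaching_peer: list[bytes] = []

    def carry_tlp(self, tlp: Tlp) -> Tlp:
        if self.tamper:
            payload = bytearray(tlp.payload)
            payload[0] ^= 0x01  # flip one payload bit in transit, tag untouched
            return Tlp(bytes(payload), tlp.tag)
        return tlp

    def carry_message(self, msg: bytes) -> None:
        if self.suppress_fail:
            return  # an on-link attacker simply drops the Fail Message
        self.messages_reaching_peer.append(msg)


def run_stream(tamper: bool, suppress_fail: bool) -> dict:
    key = secrets.token_bytes(32)  # constructed session key shared by both Ports
    link = Link(tamper, suppress_fail)
    tx = IdeTransmitter(key)
    rx = IdeReceiver(key, link.carry_message)
    for payload in (b"MemWr addr=0x1000 data=0x11",   # constructed sample traffic
                    b"MemWr addr=0x1004 data=0x22"):
        rx.receive(link.carry_tlp(tx.send(payload)))
    return {
        "accepted": rx.accepted,
        "stream_secure": rx.stream_secure,
        "fail_messages_reaching_peer": link.messages_reaching_peer,
    }


if __name__ == "__main__":
    print("clean link:       ", run_stream(tamper=False, suppress_fail=False))
    print("faulty/misconfig: ", run_stream(tamper=True, suppress_fail=False))
    print("attacker on link: ", run_stream(tamper=True, suppress_fail=True))
```

In the second scenario the Fail Message reaches the peer and is a useful debugging signal; in the third it never arrives, yet `accepted` is empty and `stream_secure` is false exactly as before. Anything that relies on seeing a Fail Message to decide whether the stream is healthy is therefore checking the wrong thing; the receiver's own integrity-check outcome is the authoritative signal.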
DMTF has released Version 1.2.0 of the Security Protocol and Data Model (SPDM) specification, and I would encourage everyone interested in security to review this latest version. Because CMA/SPDM was developed to be a “profile” of SPDM, most SPDM changes can be adopted into PCIe devices without requiring modifications in CMA/SPDM. However, the PCI-SIG Protocol Workgroup is planning to revise CMA/SPDM, along with Data Object Exchange (DOE) to define a variety of backwards compatible enhancements. This work is just getting underway in the workgroup, so member review should begin around mid-2022.
Finally, the Protocol Workgroup has been developing a specification for devices that support Composed Trusted Execution Environments. We hope to see this move to Draft ECN status and be sent out for PCI-SIG Member review within the coming months.
As an industry, we have made significant steps in developing technologies for improved IO security. But there is still much work to do in bringing those technologies to market and in developing additional capabilities. 2022 looks to be an exciting year for PCIe security!