CXL: Secured Network Traffic Specification

VIP Expert

Nov 12, 2020 / 1 min read

Welcome to the wonderful and cryptic world of secured traffic with CXL being the latest specification to adopt it. CXL2.0 specification introduces integrity & data encryption (IDE) schematics for both CXL.io & CXL.cachemem protocols. CXL.io pathway uses PCIe specification defined IDE, while CXL.cachemem related updates are introduced in CXL2.0 specifications. In this blog we’ll provide a broad overview of what a secure setup looks like and the strategies adopted by CXL for the same.

CXL IDE can be used to secure traffic via the AES-GCM algorithm (more on this in upcoming blogs) within a TTE (Trusted Execution Environment). In a nutshell, TTE is an isolated and secure environment that runs parallel to OS, where sensitive data is stored and processed.

When running over a TTE, CXL IDE protects the transactions, both data and metadata, exchanged between the two devices on the physical link by using symmetric crypto keys (CXL chooses 256-bit key length for AES-GCM).

Each secure component in a TTE implements a TCB (Trusted Computing Base) which has protection mechanisms for hardware, firmware, software and any other combination to enforce a security policy. For CXL, TCB includes:

  • Hardware blocks that implement encryption algorithms
  • Modules that configure crypto engines (AES-GCM for CXL)
  • Any other block that directly or indirectly communicates with the above two blocks

For verification of interoperability of IDE features, Synopsys VIP supports CXL.cache-mem IDE out-of-the-box as laid out in Chapter 11 of the  CXL 2.0 specification (this would tentatively be named as Compute Express Link Specification Revision 2.0). VIP has various controls to allow user to tweak VIP behavior for features like:

  • TX and RX key programming, which in turn refers to SPDM (Security Protocol and Data Model) specification)
  • TX and RX Truncation Delay
  • Aggregation Mode
  • Key Refresh time

CXL VIP supports IDE to help validate DUT (Design Under Test) compliance with the CXL IDE specification and debug hooks to enable speedy and efficient debugging.

Stay tuned, in our next blog we’ll discuss in detail the intricacies of AES-GCM for CXL.

Synopsys continues to provide the industry’s first and most comprehensive Verification IP solutions. For more information on Synopsys VIP, visit https://www.synopsys.com/verification/verification-ip.html

Continue Reading