Welcome to the wonderful and cryptic world of secured traffic with CXL being the latest specification to adopt it. As attacks on high-performance data centers become more sophisticated, the security standards must continuously adapt to better protect sensitive data and communications and ultimately protect our connected world. To this end, the CXL standards organization added the security requirement of Integrity and Data Encryption (IDE) to the CXL 2.0 specification.
The CXL 2.0 specification introduces IDE schematics for both CXL.io & CXL.cache/CXL.mem protocols. CXL.io pathway uses PCIe specification defined IDE, while CXL.cache/CXL.mem related updates are introduced in CXL 2.0 specification. In this blog we’ll provide a overview of what a secure setup looks like and the strategies adopted by CXL for Security.
CXL IDE can be used to secure traffic using a TEE (Trusted Execution Environment). A TEE is an isolated & secure environment where sensitive data is stored and processed. The TEE performs authentication and key management for the IDE.
The IDE provides confidentiality, integrity and replay protection for Transaction Layer Packets (TLPs) for CXL.io and Datalink layer protocol Flits for CXL.cache/CXL.mem protocols, ensuring that data on the wire is secure from observation, tampering, deletion, insertion and replay of packets. Both CXL.io and CXL.cache/mem IDE are based on the AES-GCM cryptographic algorithm and receive keys from the Authentication & Key Management security component, which includes the TEE.
When working with a TEE, CXL IDE protects the transactions (both data & metadata) exchanged between the two devices on the physical link by using symmetric crypto keys (CXL chooses 256-bit key length for AES GCM).
Each secure component in a TEE implements a TCB (Trusted Computing Base) which has protection mechanisms for hardware, firmware, software, and any combination of these for enforcing a security policy. For CXL, TCB includes:
Synopsys recently announced the industry’s first security modules for protecting data in high-performance computing SoCs that use the CXL 2.0 protocol. The DesignWare® IDE Security Module IP for CXL 2.0 is already being deployed with hyperscaler cloud providers. The robust IDE Security Modules make it faster and easier for designers to protect against data tampering and physical attacks on links while complying with the latest versions of the interconnect protocols. The IDE Security Modules are designed and validated with DesignWare Controller IP for CXL to accelerate SoC time-to-market while providing the configurability needed to adjust to the design’s specific use case.
Verifying Interoperability of IDE Features
For verification of interoperability of IDE features, Synopsys VIP supports CXL.cache-mem IDE out-of-box as laid out in Chapter 11 of CXL 2.0 specification and IDE Link establishment. VIP has various controls to allow user to tweak VIP behavior for features like:
AES-GCM crypto engine requires 3 inputs (AAD, P, PText) and here is a snippet of VIPs TX & RX path outputs of the crypto engine. Below are the snippets for sample traffic flows and IDE specific Flit format (H6) for MAC.
AES GCM data flow:
In the next blog we’ll discuss in detail the intricacies of AES-GCM data flows. Stay tuned.
Synopsys continues to provide Industry’s first and most comprehensive Verification IP solutions, please visit us https://www.synopsys.com/verification/verification-ip/subsystems/compute-express-link.html to learn about CXL and other leading Verification IP Solutions.