Addressing the growing need for data security in the PCI Express protocol with virtual ICE.
The protection and integrity of data is a key challenge for organizations and businesses as human interactions with computers have expanded enormously. This has created a vast amount of information and led to the age of “Big Data” where massive, rich data sets are collected and analyzed to advance knowledge and progress in multiple fields. The security of this data has become a critical need.
According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021, a 68 percent increase over 2020 and the highest total ever.
Data security is concerned with the access and protection of data from unauthorized users through different forms of encryption, key management, and authentication. It provides protection for key assets, such as those related to the following entities:
Protection must deter attacks against supply chains, physical attacks, persistent attacks, and malicious components.
Although a great deal of focus is spent on protecting against attacks on software that is vulnerable to data security attacks, hardware is also increasingly vulnerable, such as in the semiconductor chips that are used in today’s electronic products and components.
Fig. 1: Data breaches are a growing global threat that cost large organizations almost $18 million to resolve.
Complex devices, or systems-on-a-chip (SoC), typically use many different protocol hardware interfaces. For instance, Ethernet, video, audio, memory, and PCI Express are used widely across multiple applications.
These interfaces represent a vulnerability to the SoC designs through which a potential attacker can breach security. To protect against attackers, data security mechanisms need to be built-in with each protocol. If we look at the wide variety of chip designs and their associated applications, a huge number of these chips are using the PCI Express protocol across multiple market sectors. As a result, PCI Express represents a very large target for would-be attackers.
Fig. 2: PCI Express is the dominant interface protocol in systems-on-a-chip.
To address the growing need for data security in the PCI Express protocol, in December 2020 the Peripheral Component Interface Special Interest Group (PCI-SIG) created an additional feature for PCI Express version 5.0 to add Integrity and Data Encryption (IDE). This IDE capability has now been incorporated as part of the recently released PCI Express 6.0 version.
IDE is a security mechanism on top of PCI Express to provide confidentiality, integrity and replay protection for PCI Express Transaction-Layer Packets (TLPs). IDE supports a wide variety of PCI Express use modes and is an extensible solution that aligns to industry-best practices for data security. In addition, it secures against physical attacks on PCI Express links, the reading of confidential data, modifying TLP contents and reordering and/or deletion of TLPs via:
Figure 3 shows how encryption is applied to PCI Express TLP packets to provide a secure exchange of data between PCI Express devices. The IDE functionality leverages industry-standard AES-GCM1 encryption protection to provide authentication integrity protection of the entire TLP. These encrypted TLP packets are then transmitted over a standard link to the PCI Express receiving device, which then decrypts the TLP data. Finally, the secured TLP data is then safely passed to the rest of the system.
Fig. 3: IDE encryption/decryption flow for PCI Express TLP packets. Source: PCI-SIG.
Verification solutions are established tools used in the system development flow for electronic components. They are widely used in the pre-silicon verification of SoCs, and model the behavior of industry-standard protocols, such as PCI Express, so that verification engineers can stimulate their pre-silicon design in RTL with realistic vectors in environments that closely match those of the actual chip in its real environment.
Verification solutions are now available in multiple forms, from simulation-based software solutions running on standard computers, known as verification IP, to hardware-based solutions running on dedicated hardware, known as in-circuit solutions (ICE). These ICE solutions connect to a hardware-assisted verification platform where the user’s design is running, boosting the verification performance by up to 1,000s of times than what is achievable in pure software simulation.
In the last decade, pioneering solutions have been developed that can match the performance of in-circuit solutions, but instead of delivering them with dedicated hardware, they are available as software-only verification components, or virtual ICE solutions. Figure 4 shows the types of solutions currently available to digital engineers in their task of pre-silicon verification.
Fig. 4: Verification solutions are a cornerstone of digital design.
Each of the verification solution types offer their own “sweet-spot” for digital engineers to use in their verification process, depending upon their environment, functionality, and overall verification goals for the SoC design.
The trend over the last decade is to move towards virtual ICE solutions, since these offer the most flexibility in terms of performance, debug, and user experience in verification.
Pioneering this virtual trend, Siemens EDA created a portfolio of virtual solutions as part of their VirtuaLAB suite to enable pre-silicon verification of SoCs.
VirtuaLAB transforms the hardware-assisted verification world due to the advantages it inherently possesses:
Fig. 5: The VirtuaLAB revolution in verification from LAB to DataCenter.
To bring the power of VirtuaLAB to the PCI Express world, Siemens EDA created the VirtuaLAB PCI Express to address the needs of pre-silicon verification of SoCs.
The VirtuaLAB PCI Express solution models a real PCI Express root complex for pre-silicon system level verification of PCI Express endpoints and switches. The solution is driven and operated by a PCI Express host system modelled using a virtual machine (VM). A guest operating system software running on the VM sees the user’s design-under-test (DUT) as an upstream PCI Express device on the PCI Express bus hierarchy. This allows the user’s application software to interact with the DUT as it would with real hardware.
In addition, the VirtuaLAB solution provides an interactive graphical protocol analyzer tool to provide full stack visibility and analysis for the PCI Express protocol. It monitors, traces, decodes, and visualizes the PCIe protocol packets at different layers. In offering runtime visibility for the entire PCI Express packet exchanged with DUT it delivers powerful debug and analysis capabilities to help the user debug and analyze PCI Express protocol problems during a verification run.
Fig. 6: Virtual PCI Express solution for hardware-assisted verification of PCIe SoCs.
VirtuaLAB PCI Express implements IDE inside the PCI Express root complex, enabling the verification of the user’s endpoint IDE design alongside the device driver development in a pre-silicon environment.
As the VirtuaLAB solution implements IDE in software, it reduces the need for complex modelling of the function in hardware, thus reducing the resource needs of the hardware verification platform.
Fig. 7: VirtuaLAB PCI Express: IDE implementation.
The IDE key programming is performed by the host operating system and device drivers for both the PCI Express root port and end-point devices.
In the VirtuaLAB PCI Express solution, the root port can bypass the security protocol and data model (SPDM) and bind directly with the data object exchange (DOE) for ease of use in the verification process. For the user’s PCI Express endpoint DUT device, the IDE key programming can be done through the SPDM or any other mechanism supported by the DUT. For ease of deployment in a user environment, the VirtuaLAB PCI Express solution also delivers a memory endpoint example design.
Additionally, the VirtuaLAB PCI Express solution provides an integrated protocol analyzer tool for enhanced visibility and analysis to assist the digital verification engineer in debugging their design under test.
Siemens’ VirtuaLAB PCI Express is transforming the way verification is done for PCI Express-based SoC designs. The addition of IDE capabilities gives users a solution that can verify the secure data exchange between a PCI Express host model and their endpoint device in a standard PCI Express environment.
The verification horsepower is provided using hardware-assisted verification on the Veloce emulation and prototyping platforms. These hardware-assisted platforms are supercomputers that can run verification suites on hardware models of the silicon chips. It runs thousands of times faster than standard simulation, making full verification possible in the timeframe needed to bring competitive designs to a competitive market.
Combined with Siemens’ hardware-assisted verification tools and applications, the VirtuaLAB PCI Express solution provides:
The result is new, innovative verification of PCI Express designs that include secure data exchange in a standard PCI Express environment, with highest performance to enable development more efficiently and brought to market much faster.
Reference
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply