Modern vehicles need an interconnect with high bandwidth, extreme reliability, and robust security.
Just over two decades ago, the introduction of PCI Express 1.0 marked the industry’s transition from then-ubiquitous parallel to serial interfaces. Back in 2002, the potential of “PCIe” in automotive applications was unforeseen – given the then-current state of in-vehicle computation and PCIe’s primary focus on desktop and data center use. Today, however, with the advent of connected vehicles with near-human (dare I say super-human?) self-driving abilities, it’s less of a question of “Why incorporate PCIe in automobiles now?” and more “Why did it take so long for the automobile industry to use PCIe?”
Every year we see increasing complexity in automotive electronics. Adaptive cruise-control (where one’s vehicle adjusts its speed to maintain a set distance from the vehicle in front of it) was not long ago exclusive to high-end luxury vehicles. Today that seems a quaint gimmick in a world where a middle-class family can purchase a car which steers itself in and around traffic, finds and occupies a parking space for itself and waits there until called for by its owner. The amount of sensor data, camera imagery, and sheer computational power to accomplish this is simply staggering, with some researchers calculating that data throughput in a single vehicle approaches 200Gbps!
Reliability has always been a fundamental requirement for automotive systems. Car advertisements of yesteryear touted a brand’s ability to get you safely to your destination, and consumers flocked to vehicles which spent more time on the road than in a mechanic’s shop. With consumers and their families now dependent not just on their vehicle’s ability to keep running, but on its ability to make critical decisions and to perform driving feats beyond the capacity of humans, the focus on reliability has never been higher. Adding the heat produced by all these advanced electronics to the already challenging and rapidly changing temperature, humidity, and vibration of an automobile environment makes a daunting task for automotive designers. Consumers who accept rebooting their smartphones for the occasional “crash” are unsurprisingly unforgiving of the same glitches in their automotive electronics – where the result could easily be a real-world crash with correspondingly severe consequences. Sadly, those same consumers have reluctantly accepted that cybercrime and “hacking” are more and more an unpleasant reality of their daily lives, but here again the consequences are so much more severe than even the most egregious identity theft.
Thus, it’s clear that modern vehicles need an interconnect with high bandwidth, extreme reliability, and robust security – all attributes common to PCI Express 6.0!
From its inception, PCI Express has been focused on delivering state-of-the-art bandwidth, so it’s no surprise that the current PCIe 6.0 specification provides for up to 256GB/s (aggregate, both directions combined) when running the widest (x16) links at the highest (64GT/s) speed available. With apologies to another long-ago automobile advertisement, the new FLIT mode and PAM4 signaling defined in PCIe 6.0 mean “PCIe 6.0 is not your father’s PCI Express specification!” Full backwards compatibility with previous PCIe generations is maintained: the new PAM4 signaling is used only at 64GT/s, and traditional NRZ signaling remains in use at 32GT/s and below. The challenge of maintaining acceptable bit error rates at this new speed led to significant changes in the PCIe protocol, which may actually make it even more appealing to reliability-focused automotive designers.
A new fixed-size FLIT (FLow control unIT) structure allows the use of Forward Error Correction (FEC), which improves the effective bit error rate by correcting multiple errors within a FLIT before the data is processed by classic PCIe error handling mechanisms. This new FLIT mode is required when PCIe links operate at 64GT/s but is permitted at any defined PCIe link speed. While the development of PCIe FLITs was required for error correction, a pleasant side-effect is an improvement in link efficiency in many cases. By consolidating per-packet overhead into per-FLIT overhead, multiple small packets can be transferred inside a single FLIT even more efficiently than in previous generations of PCIe.
PCIe 6.0 devices can take advantage of the highest possible bandwidth whether operating at the latest 64GT/s link speed or one of the lower link speeds still fully defined and supported in the PCIe 6.0 Base Specification.
Since its first release, PCIe has offered an inherently reliable delivery mechanism. Every PCIe packet includes a link-level cyclic redundancy check (LCRC) which is verified immediately upon receipt. An ACK/NAK (Acknowledged/Not-Acknowledged) protocol provides seamless hardware retransmission of erroneous packets and includes timeouts to ensure broken links do not go unnoticed. As noted above, when a PCIe link is operating in FLIT mode, there’s an additional layer of protection provided by the use of FEC which is applied, and errors potentially corrected, even before the LCRC is checked. Packets which fail these checks are NAK’ed by the receiver, and trigger automatic retransmission by the transmitter. This hardware management of data transfers frees software developers to use PCIe-connected devices as if they were directly connected to the CPU, without the need to worry about the delivery of individual transfers.
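The LCRC check and ACK/NAK replay described above, as an added simulation (not code from the article or from Synopsys): a receiver verifies every frame on arrival and answers with an ACK or a NAK carrying the last sequence number it accepted, while the transmitter replays a NAKed frame and declares the link broken after a bounded number of replays. CRC-32 (IEEE) stands in for the LCRC polynomial, the frame layout is a simplified stand-in, and the two fault injectors are constructed; real PCIe keeps several frames in flight and replays everything after the NAKed sequence, whereas this stop-and-wait model sends one frame at a time.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Frame models a Data Link Layer packet: 12-bit sequence number, the TLP
// it carries, and a link CRC. CRC-32 stands in for the real LCRC polynomial.
type Frame struct {
	Seq     uint16
	Payload []byte
	LCRC    uint32
}

// frameCRC covers the sequence number and the TLP, as the LCRC does.
func frameCRC(seq uint16, payload []byte) uint32 {
	buf := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(buf, seq)
	copy(buf[2:], payload)
	return crc32.ChecksumIEEE(buf)
}

// DLLP models the ACK/NAK message; Seq is the last frame accepted in order.
type DLLP struct {
	Ack bool
	Seq uint16
}

// Receiver checks each frame immediately and delivers good ones in order.
type Receiver struct {
	nextSeq   uint16
	Delivered [][]byte
}

func (r *Receiver) Handle(f Frame) DLLP {
	lastGood := (r.nextSeq + 4095) % 4096
	if frameCRC(f.Seq, f.Payload) != f.LCRC {
		return DLLP{Ack: false, Seq: lastGood} // corrupted: NAK, transmitter replays
	}
	if f.Seq != r.nextSeq {
		return DLLP{Ack: true, Seq: lastGood} // duplicate: discard, re-ACK
	}
	r.Delivered = append(r.Delivered, f.Payload)
	r.nextSeq = (r.nextSeq + 1) % 4096
	return DLLP{Ack: true, Seq: f.Seq}
}

// RunLink pushes payloads through channel (which may corrupt a frame) and
// returns the receiver, the replay count, and an error when a frame is never
// acknowledged within maxReplays attempts (the point where a real link would
// retrain and the fault would be reported rather than go unnoticed).
func RunLink(payloads [][]byte, channel func(Frame, int) Frame, maxReplays int) (*Receiver, int, error) {
	rx := &Receiver{}
	replays := 0
	for i, p := range payloads {
		seq := uint16(i % 4096)
		f := Frame{Seq: seq, Payload: p, LCRC: frameCRC(seq, p)}
		for attempt := 0; ; attempt++ {
			resp := rx.Handle(channel(f, attempt))
			if resp.Ack && resp.Seq == seq {
				break
			}
			if attempt == maxReplays {
				return rx, replays, fmt.Errorf("seq %d: no ACK after %d replays, link must retrain", seq, maxReplays)
			}
			replays++
		}
	}
	return rx, replays, nil
}

// corrupt flips one payload bit without updating the LCRC (constructed fault).
func corrupt(f Frame) Frame {
	p := append([]byte(nil), f.Payload...)
	p[0] ^= 0x01
	return Frame{Seq: f.Seq, Payload: p, LCRC: f.LCRC}
}

// FlipOnce corrupts frame seq on its first transmission only (transient error).
func FlipOnce(seq uint16) func(Frame, int) Frame {
	return func(f Frame, attempt int) Frame {
		if f.Seq == seq && attempt == 0 {
			return corrupt(f)
		}
		return f
	}
}

// AlwaysFlip corrupts frame seq on every attempt (persistent link fault).
func AlwaysFlip(seq uint16) func(Frame, int) Frame {
	return func(f Frame, _ int) Frame {
		if f.Seq == seq {
			return corrupt(f)
		}
		return f
	}
}

func main() {
	payloads := [][]byte{[]byte("MemRd 0x1000"), []byte("MemWr 0x2000"), []byte("Cpl")}
	rx, replays, err := RunLink(payloads, FlipOnce(1), 3)
	fmt.Println(len(rx.Delivered), "delivered,", replays, "replay, err:", err)
	rx, replays, err = RunLink(payloads, AlwaysFlip(2), 3)
	fmt.Println(len(rx.Delivered), "delivered,", replays, "replays, err:", err)
}
```

The transient fault costs one replay and the software above the link never sees it; the persistent fault exhausts the replay budget and surfaces as a link error, which is the behaviour that lets "broken links not go unnoticed".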
PCIe 6.0 includes the Lane Margining feature (introduced with PCIe 4.0) which provides a standardized mechanism for all PCIe components to report the amount of margin they have between the “good” signals they’re receiving and the point of failure. With this feature, it’s possible to track potential signal quality degradation over the life of a component and trigger proactive failure mitigation such as retuning of signaling parameters, reduction in link speed, or even calling for pre-failure preventative component replacement.
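As an added illustration of using margin readouts for proactive mitigation (not code from the article, Synopsys, or the PCIe specification), the following fits a straight line to a lane's margin history, projects when the margin would reach a minimum usable value, and escalates through the three mitigations the paragraph names. The sample values, the 0.10 UI floor and the hour thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// MarginSample is one Lane Margining readout: hours in service and the
// measured timing margin as a fraction of a unit interval (constructed units).
type MarginSample struct {
	Hours  float64
	Margin float64
}

// Action is the mitigation tier, ordered from cheapest to most disruptive.
type Action string

const (
	Healthy   Action = "ok"
	Retune    Action = "retune-equalization"
	Downshift Action = "reduce-link-speed"
	Replace   Action = "schedule-replacement"
)

// Trend fits margin = a + b*hours by least squares. It returns the slope per
// 1000 h and the projected hours from the latest sample until the margin
// reaches floor (+Inf when the margin is flat or improving).
func Trend(samples []MarginSample, floor float64) (slopePer1000h, hoursToFloor float64) {
	n := float64(len(samples))
	var sx, sy, sxx, sxy float64
	for _, s := range samples {
		sx += s.Hours
		sy += s.Margin
		sxx += s.Hours * s.Hours
		sxy += s.Hours * s.Margin
	}
	den := n*sxx - sx*sx
	if den == 0 {
		return 0, math.Inf(1)
	}
	b := (n*sxy - sx*sy) / den
	a := (sy - b*sx) / n
	if b >= 0 {
		return b * 1000, math.Inf(1)
	}
	last := samples[len(samples)-1].Hours
	return b * 1000, (floor-a)/b - last
}

// Decide picks a mitigation from the projected time to the margin floor.
// Thresholds are assumptions for the example, not specification values.
func Decide(samples []MarginSample) (Action, float64) {
	const floor = 0.10
	latest := samples[len(samples)-1].Margin
	_, ttf := Trend(samples, floor)
	switch {
	case latest <= floor || ttf < 1000:
		return Replace, ttf // at or about to hit the failure point
	case ttf < 5000:
		return Downshift, ttf // buy margin by dropping a speed grade
	case ttf < 20000:
		return Retune, ttf // re-run equalization before it gets worse
	default:
		return Healthy, ttf
	}
}

// Constructed histories for three lanes, sampled every 1000 h.
func history(margins ...float64) []MarginSample {
	out := make([]MarginSample, len(margins))
	for i, m := range margins {
		out[i] = MarginSample{Hours: float64(i) * 1000, Margin: m}
	}
	return out
}

var (
	LaneStable  = history(0.40, 0.40, 0.39, 0.40, 0.40)
	LaneAging   = history(0.40, 0.38, 0.35, 0.33, 0.30)
	LaneFailing = history(0.40, 0.30, 0.22, 0.15, 0.12)
)

func main() {
	for name, h := range map[string][]MarginSample{"stable": LaneStable, "aging": LaneAging, "failing": LaneFailing} {
		action, ttf := Decide(h)
		fmt.Printf("%-8s action=%-22s hours-to-floor=%.0f\n", name, action, ttf)
	}
}
```

A fleet-scale version would feed per-lane histories from diagnostics logs and alert on the first lane to leave the Healthy tier; the regression is deliberately simple so the escalation policy stays auditable.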
PCI Express offers the option of utilizing Vendor Defined Messages (VDMs) to expand the PCIe protocol in numerous ways. Automotive designers may use these VDMs for heartbeat information, in-band management, and many other functions which can contribute to the reliability of the overall PCIe automotive system.
In the automotive realm, the phrase “interface security” may conjure up visions of movie secret agents assassinating evil geniuses by hacking their self-driving cars to drive off cliffs and explode in spectacular fashion, but there are actually multiple real-world scenarios behind the move to secure PCIe links. In a world where nations have been caught using cyberattacks to disrupt other nations’ weapons, we shouldn’t completely rule out the “hack vehicle for assassination” movie plot, but a far simpler profit motivation of theft would give savvy thieves an incentive for such hacking. As automotive manufacturers have closed more and more security vulnerabilities in traditional anti-theft mechanisms like Radio Frequency remote unlocking systems, thieves will necessarily have to turn their attention deeper inside the vehicle where PCIe interconnects might otherwise become an attractive point of attack. Often overlooked as well is the idea of interface security to enforce Digital Rights Management – where the “attacker” may be the vehicle owner with unlimited time and free access to the vehicle under “attack” who is intent on unlocking paid features such as autonomous driving.
These and other factors mean automotive designers now need to consider all of their internal interfaces as possible attack vectors. PCI Express includes a feature called Integrity and Data Encryption (IDE) which allows PCIe devices to perform hardware encryption and integrity checking on packets transferred across PCIe links. Fundamentally, IDE protects against hardware-level attacks conducted by skilled attackers with sophisticated tools and direct access to their victim systems. PCIe packets are individually encrypted and authenticated with an AES-GCM cryptographic algorithm to provide data confidentiality and integrity. Mechanisms within the IDE specification work throughout the PCIe protocol stack to protect against PCIe-specific attacks, such as forcing retries and injecting bad packets in attempts to force repeated transmission of the same data to expose the cryptographic keys being used. Due to these low-level protocol interactions, IDE must be implemented hand-in-hand with a PCIe controller to get the full benefit of the protection mechanisms and provide optimal solutions. As a result of the integrity checks, PCIe links secured by IDE also benefit from yet one more layer of reliability checking, since even a non-malicious modification of an IDE-protected PCIe packet will trigger a system-level response.
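The per-packet AES-GCM protection described above, as an added model (not Synopsys code and not the IDE TLP prefix format): the routing header stays in the clear but is authenticated as associated data, the payload is encrypted, and a per-stream counter forms the GCM IV so that a key/IV pair is never reused even when the link layer retransmits the same sealed bytes. The receiver enforces a monotonically increasing counter, so a captured packet cannot be fed back later, and any modification of header or payload fails the tag check. Header bytes, payload and the counter layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet is a constructed stand-in for an IDE-protected TLP.
type Packet struct {
	Header  []byte // cleartext, needed for routing, authenticated as AAD
	Counter uint64 // per-stream counter used to derive the GCM IV
	Body    []byte // ciphertext || 16-byte GCM tag
}

// Stream is one direction of an IDE stream: a key plus the next counter
// value. On the transmitter it is the next counter to seal with; on the
// receiver it is the smallest counter still acceptable.
type Stream struct {
	aead    cipher.AEAD
	nextCtr uint64
}

func NewStream(key []byte) (*Stream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Stream{aead: aead, nextCtr: 1}, nil
}

// iv builds the 96-bit nonce from the counter; never reused for one key.
func iv(ctr uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

func aad(header []byte, ctr uint64) []byte {
	return append(append([]byte{}, header...), iv(ctr)...)
}

// Seal encrypts the payload and binds header and counter into the tag.
func (s *Stream) Seal(header, payload []byte) Packet {
	ctr := s.nextCtr
	s.nextCtr++
	return Packet{Header: header, Counter: ctr, Body: s.aead.Seal(nil, iv(ctr), payload, aad(header, ctr))}
}

var (
	ErrReplay    = errors.New("ide: counter not beyond last accepted (replayed packet)")
	ErrIntegrity = errors.New("ide: authentication failed (modified packet)")
)

// Open rejects stale counters before doing any cryptography, then verifies
// and decrypts. The counter only advances on a packet that authenticates.
func (s *Stream) Open(p Packet) ([]byte, error) {
	if p.Counter < s.nextCtr {
		return nil, ErrReplay
	}
	pt, err := s.aead.Open(nil, iv(p.Counter), p.Body, aad(p.Header, p.Counter))
	if err != nil {
		return nil, ErrIntegrity
	}
	s.nextCtr = p.Counter + 1
	return pt, nil
}

type DemoResult struct {
	Plain     string // payload recovered from an untouched packet
	TamperErr error  // result of opening a packet with one header bit flipped
	ReplayErr error  // result of re-presenting an already accepted packet
}

// Demo sends two packets, then presents a tampered copy of the second and a
// replay of the first, returning what the receiver decided for each.
func Demo() DemoResult {
	key := make([]byte, 32)
	rand.Read(key)
	tx, _ := NewStream(key)
	rx, _ := NewStream(key)
	hdr := []byte{0x60, 0x00, 0x00, 0x01} // constructed header bytes
	p1 := tx.Seal(hdr, []byte("sensor frame 42"))
	pt, err := rx.Open(p1)
	if err != nil {
		return DemoResult{TamperErr: err}
	}
	p2 := tx.Seal(hdr, []byte("sensor frame 43"))
	bad := Packet{Header: append([]byte{}, p2.Header...), Counter: p2.Counter, Body: p2.Body}
	bad.Header[3] ^= 0x80 // in-transit modification of a routing field
	_, tamperErr := rx.Open(bad)
	_, replayErr := rx.Open(p1)
	return DemoResult{Plain: string(pt), TamperErr: tamperErr, ReplayErr: replayErr}
}

func main() {
	r := Demo()
	fmt.Printf("plain=%q tamper=%v replay=%v\n", r.Plain, r.TamperErr, r.ReplayErr)
}
```

Because the tampered packet is rejected without advancing the counter, the genuine second packet is still accepted afterwards; a system-level response (logging, link reset, or fault escalation) would hang off the two error values, which is also where an accidental corruption that slipped past the LCRC would surface.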
Fig. 1: Synopsys IDE implementation example within a PCIe controller.
Today’s connected vehicles rely on computational platforms and architectures which require interconnects with high bandwidth, extreme reliability, and robust security. PCI Express 6.0 is uniquely positioned to fulfill those requirements by combining signaling up to 64GT/s per lane, numerous hardware mechanisms for reliable delivery, and full data encryption with integrity checks. Synopsys offers PCIe 6.0 and 5.0 Controllers with IDE Security Modules to help SoC designers protect data transfers on PCIe against tampering and physical attacks, along with options for ISO 26262 and ASIL certification. Synopsys IP for PCI Express supports all these features to enable automotive designers to make use of PCIe 6.0 in their next products.