Avdhesh Chhodavdia
Technologist at Astera Labs

Trust at 64 GT/s
Security Considerations for PCIe 6 Switch Deployments

Flow
SCOPE LINK IDE SWITCH DEPLOYMENT EXAMPLE

Why
- Increased Scale: AI compute unit is growing from server-scale to rack-scale while staying disaggregated
- Larger surface: Additional connectivity components, additional attack surface
- Protect Connectivity: System protection mechanisms must protect connectivity

PCIe System
[Diagram: Root Comp, Switches, Signal Conditioners and EndPoints; labels: Data in Use/Store]

Scope
[Diagram: same topology; labels: Data in Use/Store, Data in Transit]

Link Security
[Diagram: Root Comp, Switches, Signal Conditioners and EndPoints]
Protection Mechanism: Integrity and Data Encryption (IDE)
Security Property: Packet Confidentiality & Integrity

IDE Control Plane Flow
[Diagram: TX, RX, Secure Channel]
1. Establish secure channel (typically secured SPDM session in-band or out-of-band)
2. Share a symmetric key

IDE Data Plane Flow
[Diagram: TX, RX, Link]
1. TX creates Protected TLP (Transaction Layer Packet)
2. Protected TLP is sent over the link
3. RX authenticates and extracts Plaintext TLP

Switch Functionality
[Diagram: Root Comp, Switch, Signal Conditioners and EndPoints; labels: Routing, Conversion]
- Gen 5 and prior use variable length TLP - “Non-Flit Mode” (NFM)
- Gen 6 speeds use fixed length Flow control unit - “Flit Mode” (FM)
- A Flit can have multiple TLPs; a TLP can be split across multiple Flits
- NFM/FM translation involves extraction and repacking

Switch Security
[Diagram: Root Comp, Switch, Signal Conditioners and EndPoints; labels: Routing, Conversion, Plain, Plain]
Protection Mechanism / Security Property
Device Resiliency / Switch Availability
Selective IDE (Switch is pass through) / Packet Confi
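
An added example, not from the slides or from Astera Labs: the Python model below walks the three IDE Data Plane Flow steps and contrasts a switch that terminates Link IDE on each side (plaintext inside the switch) with a Selective IDE pass-through. Real IDE uses AES-GCM; an HMAC-SHA256 keystream and tag stand in here so it runs on the standard library alone, and every name, key and the sample TLP is constructed.

```python
import hashlib, hmac, os

def _mac(key, p):
    # Tag covers nonce, header (modelled as authenticated but readable for routing) and ciphertext.
    msg = p["nonce"] + len(p["header"]).to_bytes(2, "big") + p["header"] + p["ct"]
    return hmac.new(key, b"mac" + msg, hashlib.sha256).digest()[:12]

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption, not the IDE algorithm): HMAC-SHA256 in counter mode.
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(key, header, payload):
    """Step 1, TX: build the Protected TLP."""
    p = {"header": header, "nonce": os.urandom(12)}
    p["ct"] = _xor_stream(key, p["nonce"], payload)
    p["tag"] = _mac(key, p)
    return p

def extract(key, p):
    """Step 3, RX: authenticate, then extract the plaintext payload."""
    if not hmac.compare_digest(_mac(key, p), p["tag"]):
        raise ValueError("IDE integrity check failed")
    return _xor_stream(key, p["nonce"], p["ct"])

def link_ide_switch(p, k_up, k_down, seen):
    """Link IDE: each link has its own key, so the switch holds plaintext."""
    plain = extract(k_up, p)
    seen.append(plain)  # what is exposed inside the switch
    return protect(k_down, p["header"], plain)

def selective_ide_switch(p, seen):
    """Selective IDE: pass-through; the switch only ever handles ciphertext."""
    seen.append(p["ct"])
    return p

def demo():
    header, payload = b"MWr addr=0x1000", b"model weights chunk"  # constructed TLP
    k_rc_sw, k_sw_ep, k_e2e = (os.urandom(32) for _ in range(3))
    seen_link, seen_sel = [], []
    a = extract(k_sw_ep, link_ide_switch(protect(k_rc_sw, header, payload),
                                         k_rc_sw, k_sw_ep, seen_link))
    b = extract(k_e2e, selective_ide_switch(protect(k_e2e, header, payload), seen_sel))
    return a, b, seen_link[0] == payload, seen_sel[0] == payload

if __name__ == "__main__":
    print(demo())
```

Both paths deliver the payload intact; the third and fourth return values show that only the Link IDE switch ever held the plaintext.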