[Bug 2146714] [NEW] Request for Confidential Computing Support – PCIe IDE (Integrity and Data Encryption) in Ubuntu 26.04

Private bug reported:

PCIe IDE (Integrity and Data Encryption) is a security feature
introduced in modern PCIe specifications to provide link-level
encryption and integrity protection for data transmitted between PCIe
components. It ensures that data exchanged between endpoints (e.g.,
devices, root complexes, switches) is protected against eavesdropping,
tampering, and replay attacks.

PCIe IDE establishes secure communication channels using cryptographic
keys and supports multiple modes such as selective or link-wide
protection. It operates transparently at the PCIe link layer, securing
Transaction Layer Packets (TLPs) without requiring application-level
changes.
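As an added illustration (not part of the bug report or of any kernel code), the following Go model captures the three properties the description names for an IDE stream: payload confidentiality, header and payload integrity, and replay rejection through a monotonic counter. IDE mandates AES-256-GCM with a 96-bit MAC, which the model uses; the key, stream prefix and TLP bytes are constructed, and IDE's actual IV layout, key provisioning and TLP framing are defined by the PCIe specification and not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Stream models one IDE stream: AES-256-GCM with a 96-bit MAC (as IDE mandates) and a
// 96-bit IV = constructed per-stream prefix || monotonic counter (real layout: PCIe spec).
type Stream struct {
	aead         cipher.AEAD
	prefix       uint32
	txCtr, rxCtr uint64 // last counter sent; highest counter accepted (0 = none yet)
}

func NewStream(key []byte, prefix uint32) (*Stream, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCMWithTagSize(block, 12) // 12-byte tag = 96-bit MAC
	if err != nil {
		return nil, err
	}
	return &Stream{aead: aead, prefix: prefix}, nil
}

func (s *Stream) iv(ctr uint64) []byte { // unique per (key, counter): never reused
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, s.prefix), ctr)
}

// Protect encrypts the payload; the cleartext header (switches still route on it)
// is bound into the MAC as associated data. Returns counter and ciphertext||MAC.
func (s *Stream) Protect(header, payload []byte) (uint64, []byte) {
	s.txCtr++
	return s.txCtr, s.aead.Seal(nil, s.iv(s.txCtr), payload, header)
}

// Unprotect drops replayed or stale counters first, then any TLP whose header or
// payload fails the MAC; rxCtr advances only when both checks pass.
func (s *Stream) Unprotect(ctr uint64, header, sealed []byte) ([]byte, error) {
	if ctr <= s.rxCtr {
		return nil, errors.New("replayed or stale counter")
	}
	pt, err := s.aead.Open(nil, s.iv(ctr), sealed, header) // tamper => MAC fails
	if err == nil {
		s.rxCtr = ctr
	}
	return pt, err
}
```

A receiver that shares the key and prefix accepts each counter once; a replayed, reordered or modified TLP is dropped before any payload reaches the driver.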

In the context of confidential computing, PCIe IDE is critical for
extending trust boundaries beyond CPU and memory to include I/O data
paths. It complements technologies like AMD SEV-SNP and Intel TDX by
ensuring that data moving between trusted compute environments and
external devices remains protected, even in the presence of untrusted
intermediaries such as hypervisors or shared infrastructure.

In the Linux kernel, PCIe IDE support requires coordination across the
PCI subsystem, device drivers, firmware interfaces, and key management
frameworks. While hardware implements encryption, the OS is responsible
for configuration, policy enforcement, device enablement, and
integration with security and attestation mechanisms.

Feature Request:
Items requested to be enabled in the OS:
  Enable PCIe IDE capability detection and configuration in the OS.
  Integrate IDE support within the PCIe subsystem for link-level security management.
  Provide key management interfaces for IDE (key provisioning, rotation, revocation).
  Support IDE enablement for endpoints, root ports, and switches.
  Expose IDE status, capabilities, and metrics via sysfs/debugfs.
  Integrate IDE with confidential computing frameworks (e.g., SEV-SNP, TDX).
  Support IDE-aware device drivers and secure DMA paths.
  Enable attestation of secure PCIe links and devices.
  Provide error handling and recovery for IDE-related failures.
  Support IDE across PCIe Gen5/Gen6 and CXL-enabled devices.
  Provide validation, testing, and debugging tools for IDE flows.
  Document configuration, deployment, and interoperability considerations.

Business Justification:
 Extends data protection to PCIe I/O paths in confidential computing environments.
 Prevents data leakage and tampering across PCIe links.
 Enables secure use of shared infrastructure and external devices.
 Supports regulatory and compliance requirements for data protection.
 Aligns with industry standards for secure interconnects.
 Enhances trust in end-to-end secure computing platforms.

References:
  PCI-SIG PCIe Specification (IDE – Integrity and Data Encryption) 
  Confidential Computing Architecture (SEV-SNP, Intel TDX) 
  Linux Kernel PCI Subsystem Documentation 
  Industry Security Guidelines for Secure Interconnects

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New

** Information type changed from Public to Private

** Summary changed:

- Request for Confidential Computing Support – PCIe IDE (Integrity and Data Encryption)
+ Request for Confidential Computing Support – PCIe IDE (Integrity and Data Encryption) in Ubuntu 26.04

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2146714

Title:
Request for Confidential Computing Support – PCIe IDE (Integrity and
Data Encryption) in Ubuntu 26.04

Status in linux package in Ubuntu:
New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2146714/+subscriptions
