
[Bug 2146718] [NEW] Request for Security Support – PCIe Link-Level Encryption in Ubuntu 26.04

Private bug reported:

PCIe Link-Level Encryption provides security for data transmitted over
PCIe interconnects by ensuring confidentiality and integrity of traffic
between PCIe components such as root complexes, switches, and endpoints.
This capability protects against physical attacks, bus snooping,
tampering, and replay attacks on PCIe links.

This feature is standardized as part of PCIe security enhancements
(e.g., IDE – Integrity and Data Encryption), enabling encryption and
authentication of Transaction Layer Packets (TLPs) at the link level. It
operates transparently below the software stack, securing data in
transit without requiring application-level changes.

Link-level encryption is especially important in modern systems with
shared infrastructure, external PCIe devices, composable architectures,
and confidential computing environments. It ensures that sensitive data
remains protected even when traversing untrusted or exposed
interconnects.

In the Linux kernel, support for PCIe link-level encryption involves
detection of device capabilities, configuration of secure links, key
management coordination, and integration with security frameworks. While
encryption is handled by hardware, the OS is responsible for enabling,
monitoring, and managing these capabilities.

Feature Request:
Requested details to be enabled on OS:
  - Enable detection of PCIe link-level encryption (IDE) capabilities in devices.
  - Provide OS interfaces to configure and enable encrypted PCIe links.
  - Integrate with key management frameworks for secure key provisioning and rotation.
  - Support encryption across endpoints, root ports, and PCIe switches.
  - Expose link security status and metrics via sysfs/debugfs.
  - Integrate with confidential computing frameworks (e.g., SEV-SNP, TDX).
  - Support secure DMA and device communication over encrypted links.
  - Provide error handling and recovery mechanisms for encryption failures.
  - Enable attestation of secure PCIe links.
  - Support PCIe Gen5/Gen6 and CXL environments.
  - Provide validation and debugging tools for encrypted link flows.
  - Document configuration, deployment, and interoperability guidelines.

Business Justification:
  - Protects data in transit across PCIe interconnects.
  - Prevents unauthorized access and tampering of PCIe traffic.
  - Enables secure use of external and shared PCIe devices.
  - Supports confidential computing and zero-trust architectures.
  - Meets regulatory and compliance requirements for data protection.
  - Aligns with industry standards for secure interconnects.

References:
  - PCI-SIG PCIe Specification (IDE – Integrity and Data Encryption)
  - Confidential Computing Architecture (SEV-SNP, Intel TDX)
  - Linux Kernel PCI Subsystem Documentation
  - Industry Security Guidelines for Secure Interconnect Security

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
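The first item the report asks for is detection of IDE capability advertisement. The script below is an added example, not part of the bug report and not Ubuntu's or the Linux kernel's code: it walks the PCIe Extended Capability linked list that begins at configuration-space offset 0x100 and reports whether a device advertises the IDE Extended Capability (ID 0x30) and the DOE capability (ID 0x2E) that carries IDE key-management traffic. The two configuration-space images it runs on are constructed inline, not captured from real hardware; the version values written into their headers are assumptions. `ide_status_from_sysfs` is a convenience wrapper for real devices and needs root, because an unprivileged read of `/sys/bus/pci/devices/<bdf>/config` returns only the legacy 256 bytes, in which case the script reports the extended list as unreadable rather than claiming the device lacks IDE.

```python
"""Detect PCIe IDE (Integrity and Data Encryption) capability advertisement
from a device's PCI configuration space.

Added example (not Ubuntu's or the Linux kernel's code). Presence of the
capability header only means the device *can* take part in an IDE stream;
it says nothing about whether a stream has been keyed and enabled.
"""
import struct
from pathlib import Path

PCI_EXT_CAP_START = 0x100   # extended capabilities begin at offset 0x100
PCI_EXT_CAP_ID_DOE = 0x2E   # Data Object Exchange
PCI_EXT_CAP_ID_IDE = 0x30   # Integrity and Data Encryption


def walk_ext_caps(config: bytes):
    """Yield (offset, cap_id, version) for every extended capability header.

    Header layout (32 bits): bits 15:0 capability ID, bits 19:16 version,
    bits 31:20 offset of the next header (0 terminates the list).
    """
    if len(config) < PCI_EXT_CAP_START + 4:
        return  # only the legacy 256-byte space was readable (non-root read)
    offset = PCI_EXT_CAP_START
    seen = set()  # guard against a malformed or looping list
    while offset and offset not in seen and offset + 4 <= len(config):
        seen.add(offset)
        (hdr,) = struct.unpack_from("<I", config, offset)
        cap_id = hdr & 0xFFFF
        version = (hdr >> 16) & 0xF
        next_off = (hdr >> 20) & 0xFFC  # dword aligned; bits 1:0 reserved
        if cap_id == 0 and offset == PCI_EXT_CAP_START:
            return  # an all-zero first header means no extended capabilities
        yield offset, cap_id, version
        offset = next_off


def ide_status(config: bytes) -> dict:
    """Summarise whether this device advertises the IDE and DOE capabilities."""
    caps = {cap_id for _, cap_id, _ in walk_ext_caps(config)}
    return {
        "ext_caps_readable": len(config) > 256,
        "doe_present": PCI_EXT_CAP_ID_DOE in caps,
        "ide_capable": PCI_EXT_CAP_ID_IDE in caps,
    }


def ide_status_from_sysfs(bdf: str) -> dict:
    """Read /sys/bus/pci/devices/<bdf>/config (root needed for all 4 KiB)."""
    return ide_status(Path(f"/sys/bus/pci/devices/{bdf}/config").read_bytes())


# --- constructed sample config spaces (not captured from real hardware) ---
def _ext_cap_header(cap_id: int, version: int, next_off: int) -> bytes:
    return struct.pack("<I", cap_id | (version << 16) | (next_off << 20))


def _build_config(chain) -> bytes:
    """chain: list of (offset, cap_id, version); each entry links to the next."""
    cfg = bytearray(4096)
    for i, (off, cap_id, ver) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        cfg[off:off + 4] = _ext_cap_header(cap_id, ver, nxt)
    return bytes(cfg)


# constructed device advertising AER (0x01), DOE and IDE (versions assumed)
SAMPLE_IDE_DEV = _build_config([(0x100, 0x01, 2),
                                (0x148, PCI_EXT_CAP_ID_DOE, 1),
                                (0x180, PCI_EXT_CAP_ID_IDE, 1)])
# constructed device advertising only AER
SAMPLE_PLAIN_DEV = _build_config([(0x100, 0x01, 2)])

if __name__ == "__main__":
    for name, cfg in (("ide-dev", SAMPLE_IDE_DEV), ("plain-dev", SAMPLE_PLAIN_DEV)):
        print(name, ide_status(cfg))
```

Run as root over every entry under `/sys/bus/pci/devices/` to inventory which root ports, switches and endpoints could form an IDE stream; any device that reports `ext_caps_readable` as false was read without privilege and must be re-checked before being counted as non-capable.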

** Information type changed from Public to Private

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2146718

Title:
Request for Security Support – PCIe Link-Level Encryption in Ubuntu
26.04

Status in linux package in Ubuntu:
New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2146718/+subscriptions
