Intel publishes PCIe Device Security Enhancements spec

PCIe Device Security Enhancements Specification

PCI Express (PCIe) Devices may be composed of hardware (immutable) and firmware (immutable and mutable) components. Presently, Vendor ID/Device ID/Revision ID registers convey the hardware identity of a PCIe* Device and there is no defined mechanism to convey the firmware identity of a PCIe Device. In addition to the Device identity, PCIe specification defines various types of capability structures to convey PCIe Device features capabilities. Both the Device Identity and capability can be spoofed and used maliciously by an advanced adversary. This specification introduces the notion of PCIe* Device Firmware Measurement, a method of exposing the identity of Device firmware. The Device Firmware Measurement mechanism used in isolation, however, is subject to supply chain attacks such as counterfeiting and can also be spoofed by an advanced adversary. Additionally, this specification introduces the notion of PCIe Device Authentication, which uses public key cryptography to defend against such attacks and to provide higher assurance about the hardware and firmware identities and capabilities. PCIe Device Authentication adapts the USB Authentication mechanism to PCIe—the new elements are the specific PCIe register interface and the associated mechanisms, plus some details that are necessarily specific to PCIe. PCIe Device Authentication result can be used in various scenarios such as: 1) a data center administrator can ensure all PCIe Devices are running appropriate firmware versions 2) system software can ensure a trusted Device is plugged in before enabling the PCIe Address Translation Services (ATS) for the Device. PCIe Device Authentication provides platforms with a way to make trust decisions about specific Devices. This in turn provides value to Device vendors because the Authentication feature is itself a valuable Device feature, and supports the detection of counterfeit and potentially malicious Devices.
This specification details the requirements, interface and protocol for PCIe Device Firmware Measurement and PCIe Device Authentication. It also provides general guidelines for implementing these technologies in practice.
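
The second scenario in the abstract (ATS should only be enabled for a trusted Device) can be audited from configuration space. The sketch below is an added example, not code from the specification or from Intel: it reads the self-reported ID registers, walks the PCIe extended capability list to find the ATS Enable bit, and flags devices that have ATS on without a passing authentication result. The `AUTHENTICATED` set stands in for the output of an authentication step the page does not detail, and the device addresses and ID values are constructed.

```python
import struct

ATS_EXT_CAP_ID = 0x000F      # PCIe extended capability ID for ATS
ATS_CTRL_OFFSET = 0x06       # ATS Control Register, relative to the capability
ATS_ENABLE = 1 << 15         # Enable (E) bit in the ATS Control Register

def identity(cfg):
    """Self-reported Vendor ID, Device ID, Revision ID from the config header."""
    vendor, device = struct.unpack_from("<HH", cfg, 0x00)
    return vendor, device, cfg[0x08]

def ats_enabled(cfg):
    """Walk the extended capability list (starts at 0x100) looking for ATS."""
    off, seen = 0x100, set()
    while off >= 0x100 and off + 8 <= len(cfg) and off not in seen:
        seen.add(off)                      # guard against looping lists
        (hdr,) = struct.unpack_from("<I", cfg, off)
        if hdr in (0, 0xFFFFFFFF):         # empty list or absent device
            break
        if hdr & 0xFFFF == ATS_EXT_CAP_ID:
            (ctrl,) = struct.unpack_from("<H", cfg, off + ATS_CTRL_OFFSET)
            return bool(ctrl & ATS_ENABLE)
        off = (hdr >> 20) & 0xFFC          # next capability offset, dword aligned
    return False

def audit(devices, authenticated):
    """Return addresses of devices with ATS on but no passing authentication."""
    return [bdf for bdf, cfg in devices.items()
            if ats_enabled(cfg) and bdf not in authenticated]

def make_cfg(vendor, device, rev, ats_on):
    """Constructed 4 KiB config space with one ATS capability at 0x100."""
    cfg = bytearray(4096)
    struct.pack_into("<HH", cfg, 0x00, vendor, device)
    cfg[0x08] = rev
    struct.pack_into("<I", cfg, 0x100, (1 << 16) | ATS_EXT_CAP_ID)  # version 1, no next
    struct.pack_into("<H", cfg, 0x100 + ATS_CTRL_OFFSET, ATS_ENABLE if ats_on else 0)
    return bytes(cfg)

# Constructed sample data: two devices whose ID registers are identical.
DEVICES = {
    "0000:3b:00.0": make_cfg(0x1234, 0x5678, 0x01, ats_on=True),
    "0000:5e:00.0": make_cfg(0x1234, 0x5678, 0x01, ats_on=True),
}
AUTHENTICATED = {"0000:3b:00.0"}   # assumed result of an authentication step

if __name__ == "__main__":
    for bdf in audit(DEVICES, AUTHENTICATED):
        print(bdf, "ATS enabled without authentication", identity(DEVICES[bdf]))
```

Both sample devices report the same Vendor ID/Device ID/Revision ID, so the ID registers alone cannot separate them; only the authentication result does.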

