Private bug reported:
PCIe IDE (Integrity and Data Encryption) is a security feature
introduced in modern PCIe specifications to provide link-level
encryption and integrity protection for data transmitted between PCIe
components. It ensures that data exchanged between endpoints (e.g.,
devices, root complexes, switches) is protected against eavesdropping,
tampering, and replay attacks.

PCIe IDE establishes secure communication channels using cryptographic
keys and supports multiple modes such as selective or link-wide
protection. It operates transparently at the PCIe link layer, securing
Transaction Layer Packets (TLPs) without requiring application-level
changes.

In the context of confidential computing, PCIe IDE is critical for
extending trust boundaries beyond CPU and memory to include I/O data
paths. It complements technologies like AMD SEV-SNP and Intel TDX by
ensuring that data moving between trusted compute environments and
external devices remains protected, even in the presence of untrusted
intermediaries such as hypervisors or shared infrastructure.

In the Linux kernel, PCIe IDE support requires coordination across the
PCI subsystem, device drivers, firmware interfaces, and key management
frameworks. While hardware implements encryption, the OS is responsible
for configuration, policy enforcement, device enablement, and
integration with security and attestation mechanisms.

Feature Request:
Requested details to be enabled on OS:
Enable PCIe IDE capability detection and configuration in the OS.
Integrate IDE support within the PCIe subsystem for link-level security management.
Provide key management interfaces for IDE (key provisioning, rotation, revocation).
Support IDE enablement for endpoints, root ports, and switches.
Expose IDE status, capabilities, and metrics via sysfs/debugfs.
Integrate IDE with confidential computing frameworks (e.g., SEV-SNP, TDX).
Support IDE-aware device drivers and secure DMA paths.
Enable attestation of secure PCIe links and devices.
Provide error handling and recovery for IDE-related failures.
Support IDE across PCIe Gen5/Gen6 and CXL-enabled devices.
Provide validation, testing, and debugging tools for IDE flows.
Document configuration, deployment, and interoperability considerations.

Business Justification:
Extends data protection to PCIe I/O paths in confidential computing environments.
Prevents data leakage and tampering across PCIe links.
Enables secure use of shared infrastructure and external devices.
Supports regulatory and compliance requirements for data protection.
Aligns with industry standards for secure interconnects.
Enhances trust in end-to-end secure computing platforms.
References:
PCI-SIG PCIe Specification (IDE – Integrity and Data Encryption)
Confidential Computing Architecture (SEV-SNP, Intel TDX)
Linux Kernel PCI Subsystem Documentation
Industry Security Guidelines for Secure Interconnects
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Public to Private
** Summary changed:
- Request for Confidential Computing Support – PCIe IDE (Integrity and Data
Encryption)
+ Request for Confidential Computing Support – PCIe IDE (Integrity and Data
Encryption) in Ubuntu 26.04
--
https://bugs.launchpad.net/bugs/2146714
Title:
Request for Confidential Computing Support – PCIe IDE (Integrity and
Data Encryption) in Ubuntu 26.04