Learning about PCIe (PCI Express)

I think that a growing portion of computer systems will be devoted to moving data within the confines of centimeters to meters. I think that PCIe has made a significant contribution to solving this problem, but I think the design of PCIe has paid too little attention to the problem of trusting the assembled hardware.

PCIe is quite complex. At this point I usually claim that there is a simpler way but I do not claim that here; PCIe is a network design and networks are inherently complex as far as I know. Nonetheless, I have some design proposals for simpler security arguments and perhaps marginally simpler hardware.

I see a “computer system” to include those elements connected by PCIe to the “root complex”. This describes a lap top, a smart phone or other common products. A secure computer system, I presume, needs a security kernel. That kernel is responsible for information flow within the computer system even while that flow does not pass thru the root complex. External data plugs on the computer such as USB, Thunderbolt etc, should not assume that the external device plays by the rules set out by PCIe. For many security purposes even units internal to the computer system should not be assumed to conform.

Some portion of main memory (in the root complex) must be securely protected by a centralized security kernel where the kernel and its data reside. I presume that all root complex DRAM is so protected. The Sun SPARC was the first machine with an IOMMU which moderated all DRAM access by IO devices. Privileged kernel instructions had exclusive write access to control the MMU and IOMMU. Controlling the IOMMU allows the kernel to grant different memory access authority to different devices. When a request comes in from some device to the root complex the identity of the device must be trust worthy which excludes the current design whereby the requestor of a store identifies itself.

An earlier generation of mainframes, at least the large IBM systems, included DMA like function “within the trusted CPU box” and ‘external plugs’ did not carry main memory addresses. This plan would not have been suitable to taday’s GPU’s.

The issue I consider in my notes is access to memory of PCIe components not in the DRAM of the “root complex” such as a network interface card asserting false authority to write the memory of another network interface card. This can happen even when the root complex is powered down. I do not see that PCIe prevents this.

PCIe presumes, properly I think, that some manufactures produce hardware specific to the PCIe fabric, and others specialize on the PCIe ‘endpoints’ which perform specialized data processing and need low latency high bandwidth access to other processing components. Various sorts of memory are prominent among these components. Even when the same company does both, and puts their two products on the same chip, complexity dictates a conceptual separation so that we may understand the system. The stake holders for this design include:

These notes focus on the last category.

I take this to be the price list for the official documentation. I count up over $100,000 for the documents. Retired, as I am, I have not read the official definitions for PCIe. Such a barrier is itself a reason for suspicion. I wonder if there are anti-trust issues here.


Fears
Intel’s Virtualized IO is relevant for what it reveals about PCIe and the x86 IOMMU.
Proposed Plans
Politics
PCIe has ideas a bit like Tymnet logic. My proposals push this a bit farther.

Similar worries