### 2025 DESIGN AND VERIFICATION M DVC DDVC CONFERENCE AND EXHIBITION

### UNITED STATES

SAN JOSE, CA, USA FEBRUARY 24-27, 2025

### Guardians of the Chip: Mastering Next-Gen Security for SoCs and IPs

Jagata Sridevi, Cadence Design Systems, India Vishnu Prasad K V, Cadence Design Systems, India Deep Mehta, Cadence Design Systems, India



# The Silent Security Flaw: The Error That No One Sees—Until It's Too Late

What Happens When an Invisible Error Gets Through?

- AI models fail to predict correctly
- Cloud workloads corrupt sensitive data
- Autonomous vehicles misinterpret surroundings.

### Actual GPS location data spoofing Real Trajectory Spoofed Trajectory

### The Problem:

 A single verification blind spot can break encryption, corrupt transactions, and disrupt entire systems

"How do we verify that security flaws in high-speed SoCs and IPs are caught before deployment?"



## What Verification Engineers Can Take Away

#### This Presentation at a Glance

- Unveiling critical blind spots in high-speed protocol verification
- Introducing five techniques that enhance security & debug efficiency
- Learning how these methods bridge gaps in security verification
- What You'll Take Away Today?
  - A fresh way to identify and fix hidden verification blind spots.
  - These techniques can be applied to other high-speed protocols and SoC/IP verification.
  - Smarter debugging, stronger security, and a higher verification confidence level.
    - By recognizing and addressing hidden blind spots, engineers can improve design robustness and accelerate debugging





### What is IDE in PCIe?

- IDE is a security feature in PCIe that ensures **data integrity** and **confidentiality** over the PCIe link for TLP's.
  - Protect data from tampering (integrity).
  - Prevent unauthorized access (encryption)



#### PCIe/CXL with IDE and Authentication??

- Physical Link as a Possible Source of Attacks and
- The PCIe or CXL component, handles encrypted data transmission.
- Uses AES-GCM for data confidentiality.
- Key Management: Handles secure key generation, exchange, and refresh.
- Using CMA and SPDM, we establish a secure communication channel and Prevents unauthorized access.
- DOE to exchange security-related messages, including authentication and key exchange processes.



# IDE Streams and Data Flow

#### Link IDE Stream (Yellow)

- Encrypts all traffic over a PCIe/CXL link,
- This approach **adds encryption overhead**, which may impact performance

#### Selective IDE Stream (Blue)

- Secures only specific traffic (e.g., based on address or transaction type).
- This helps balance performance and security, allowing non-sensitive data to flow unencrypted.
- More flexible, as encryption is applied only to selected streams, optimizing performance.









### IDE Capability Discovery & Register Structure

How is IDE Capability Advertised and Discovered?

- Devices supporting IDE announce their capability in PCIe/CXL Configuration Space.
- The IDE register structure includes repeating blocks, which allow
  - Link IDE Register Blocks 8 times
  - Selective IDE Stream Register Blocks 255 times
  - **IDE Address Association Blocks** to be repeated **as needed** (allowing dynamic mapping of encryption).

Hosts can dynamically associate addresses or RIDs with IDE for flexibility and efficiency.





# Layered IDE Security Framework and Techniques

### Layered IDE Packet Security Framework

**Initialize IDE Settings and Configure Secure Stream** – Establish foundational security parameters and Define conditions for secure data exchange.

Key Management and Exchange – Establish, refresh, and distribute encryption keys securely

**Secure Stream Enablement and Initialization** –TEE enters a secure state



### Layered IDE Packet Security Framework(Contd.)

**IDE Packet Verification** – Determines whether the packet is IDE encrypted.

**Stream Verification, PCRC and MAC** – Ensures the packet belongs to an authenticated stream and Checks data integrity using Message Authentication Code.



### 1)State Machine for IDE Capability Discovery

A structured Finite State Machine (FSM) approach to streamline IDE capability discovery in complex configurations like linkbased and selective streams.

Structured & Predictable – Organizes IDE discovery into distinct states.

Automation & Efficiency – FSM automates IDE checks, reducing manual intervention.

☑ Improved Verification Accuracy – Ensures compliance with the IDE specification.

☑ Enhanced Team Alignment – Provides a clear framework for verification teams.



Indication of

| <pre>Port Function state CAP_BEGIN =&gt; IDE_BEGIN Port Function state IDE BEGIN =&gt; IDE LINK STR</pre> |
|-----------------------------------------------------------------------------------------------------------|
| Port Function state IDE BEGIN => IDE LINK STR                                                             |
|                                                                                                           |
| <pre>Port Function state IDE_LINK_STR =&gt; IDE_SEL_STR</pre>                                             |
| <pre>Port Function state IDE_SEL_STR =&gt; IDE_SEL_ADDR</pre>                                             |
| <pre>Port Function state IDE_SEL_ADDR =&gt; IDE_SEL_STR</pre>                                             |
| <pre>Port Function state IDE_SEL_STR =&gt; IDE_SEL_END</pre>                                              |
| <pre>Port Function state IDE_SEL_END =&gt; IDE_SEL_STR</pre>                                              |
| <pre>Port Function state IDE_SEL_STR =&gt; IDE_SEL_ADDR</pre>                                             |
| <pre>Port Function state IDE_SEL_ADDR =&gt; CAP_END</pre>                                                 |
| <pre>Port Function state CAP_END =&gt; CAP_BEGIN</pre>                                                    |

Indication of state transitions



# State Machine for IDE Capability Discovery(Contd.)

### **Capability Discovery Process**

Port Function state CAP\_BEGIN => IDE\_BEGIN Port Function state IDE\_BEGIN => IDE\_LINK\_STR Port Function state IDE\_LINK\_STR => IDE\_SEL\_STR Port Function state IDE\_SEL\_STR => IDE\_SEL\_END Port Function state IDE\_SEL\_END => CAP\_END

- The FSM moves through CAP\_BEGIN → IDE\_BEGIN → IDE\_LINK\_STR → IDE\_SEL\_STR → IDE\_SEL\_ADDR and so on, meaning it's discovering what IDE capabilities exist for the given port or function.
- IDE\_SEL\_STR (Selective Stream Mode) and IDE\_SEL\_ADDR (Address-Based Selection Mode) appear multiple times, suggesting that the FSM is dynamically evaluating different modes.

### **Looping Nature of the FSM**

- The FSM loops back from CAP\_END to CAP\_BEGIN, indicating that capability discovery for control, status and Address association blocks is a recurring process rather than a one-time setup.
- Transitioning back to CAP\_END suggests that once all possible configurations are evaluated, the FSM finalizes the IDE settings.



# 2)Operation Codes in IDE Context

**Issue:** Multiple APIs for IDE operations → **Inefficiency & fragmentation** 

Solution: Unified OpCode-Based API

Simplified API – One structure for all operations
 Scalable & Flexible – Easy future expansion
 Faster Debugging – OpCodes streamline testing
 Improved Readability – Clear & structured approach

- OpCodes mapped to specific IDE operations.
- Each operation has a unique identifier prefixed with "PCIE\_IDE\_OPCODE\_"
- Instead of using multiple APIs, each function is assigned a unique opcode for streamlined execution.



Standard Prefix and meaningful for all OPCODE's

IDE OPCODE SetLnkStrCtrl = 1,

IDE OPCODE SetSelStrCtrl = 3,

IDE OPCODE GetIdeStatus = 10

\_IDE\_OPCODE\_SetSelStrRidAssoReg = 4, IDE OPCODE SetSelStrAddrAssoReg = 5,

PCIE IDE OPCODE SetSelStrCap = 2,

PCIE\_IDE\_OPCODE\_SetUserKey = 6, PCIE IDE OPCODE SetIniv = 7,

PCIE\_IDE\_OPCODE\_EnableEnc = 8,
PCIE IDE OPCODE DisableEnc = 9,

### Operation Codes in IDE Context (Contd.)

- The below execution shows how the defined OpCodes are being used in real operations.
- The system updates different registers like IDE\_OPCODE reg, IDE\_DATA reg using OpCodes.
- Also, opcodes are used dynamically at runtime to manage IDE operations efficiently.
- Data Written to the Opcode indicates that values are being assigned to registers based opcode operations.





### 3)White Box Logging

• The below execution shows how the defined OpCodes are being used in real operations.





# White Box Logging (Contd.)

×Limitations of Black Box Logging Only captures inputs and outputs without revealing what happens internally, So debugging is difficult as there's no visibility into intermediate steps <sup>3</sup>White Box Logging is an advanced debugging approach that provides deep visibility into internal operations

**✓Faster Debugging** – Trace security & performance issues easily

☑ **Data Integrity Validation** – Ensures correctness of transformations

- ☑ **Reliable Tracking** Essential for high-security applications
- ☑ Enhanced Error Detection Combine with protocol checks for compliance

White Box Logging ensures full transparency, making security debugging faster, accurate, and reliable!



### 4) Modular Debug Hooks

Modular debug hooks provide structured **traceability and transparency** within **layered architectures** like **PCIe and CXL**, enhancing **debug efficiency** while maintaining minimal overhead.

- Captures transactions at entry & exit
- Logs movement from TL to DL layer.
- Simulates issues like corrupted TLPs & misrouted data.
- Reduces manual log inspection by correlating transaction points.







# 5) Flexible Verification Methods for IDE Functionality

This technique provides alternative verification approaches when the **DUT lacks full IDE support**, such as authentication and key management.

### **Authentication Bypass (Front-Door Approach)**

• VIP initiates authentication independently using a front-door opcode mechanism.

### Backdoor Key Management (KM Bypass)

• Directly injects IDE keys into the environment, bypassing standard KM protocols.

Allows full IDE testing even with **partial feature availability, and** Works **independently of DUT's IDE maturity**, accelerating verification.





# (a) Handling Invalid Routing ID and Error Classification

- The RX side may not have a well-defined behavior for handling invalid Routing IDs, leading to security risks or misrouted packets.
- Incorrect error classification can occur if multiple fields (e.g., Routing ID, PCRC, MAC) are corrupted simultaneously due to the dependency

#### Mitigation Strategy:

- Inject invalid Routing IDs and verify consistent RX behavior.
- Use fine-grained error injection to isolate field-specific corruption and prevent misdiagnosed.
   Risk:

◎A PCIe Root Complex forwards TLPs with an incorrect Routing ID. The Endpoint doesn't have a clear rule—should it discard, flag, or forward them? If mishandled, this can lead to unauthorized memory accesses or silent data corruption in an SoC





# (b)Handling Pending Packets in Secure-to-Insecure Transitions

- Pending IDE packets or non-IDE Packets may be misrouted or processed when transitioning from secure to insecure mode which compromise security
- Selective and Link IDE Streams precedence issues may result in unprotected transactions when both are active.

#### Mitigation Strategy:

- Ensure pending TLPs and Non-IDE TLP's are properly flushed or reclassified before security mode changes to Insecure.
- Define clear Selective vs. Link IDE precedence rules in the verification plan as per spec's.

#### Risk:

◎ A PCIe in an SoC downgrades to Insecure mode during link reinitialization. If pending encrypted TLPs aren't flushed, some TLPs may be exposed in plaintext before reaching the host, leading to potential data leaks.





# (c)Credit and Counter Management Under Error Conditions

- Improper credit tracking during error handling may cause protocol deadlocks.
- Underflow conditions must be managed, and overflow testing (2^1024 TLPs) is impractical.

#### Mitigation Strategy:

- Use white-box logging to monitor credit updates during error-handling scenarios.
- Implement independent RX and TX counters on **both** DUT and VIP sides to validate underflow conditions and overflow conditions to avoid performance overhead as well.

#### **Risk:**

◎ A PCIe switch handling IDE-encrypted TLPs discards a corrupted packet but forgets to update the credit counter. This eventually leads to a transaction stall, as the root complex believes credits are exhausted.



# (d) Multi-Stream IDE Verification in Mixed Traffic Classes

- Verifying transactions across multiple Stream IDs with a mix of link and selective encryption.
- Ensuring encryption enforcement, integrity checks, and protocol compliance across random traffic class (TC) transactions

#### Mitigation Strategy (Extended):

• The recommendation here would be to initiate transactions for different traffic classes in a random fashion with a mix of encrypted and unencrypted TLPs for good path testing.

#### Risk:

◎ Unencrypted TLPs may be incorrectly forwarded in encrypted paths which Potential data leakage and integrity failures.



# (e)IDE Key Management and Synchronization Issues

- Key Mismatch During Transitions: When switching between encryption key sets (e.g., from k=0 to k=1), there may be desynchronization between the sender and receiver, causing decryption failures.
- If the encryption key is expired or incorrectly rotated, TLPs may be unintentionally dropped or misrouted.

#### Mitigation Strategy:

- Implement controlled key switching mechanisms and track key synchronization events.
- Verify that both the DUT and VIP handle key mismatches gracefully without silent data loss.
   Risk:

◎ A PCIe endpoint key shifts for encryption, but the RC fails to update the decryption key in time. As a result, the host discards all incoming encrypted TLPs, breaking the data flow.



# Addressing Blind Spots with Targeted Techniques

| Technique                                                 | Testbench Application                                                                                 | SoC/IP Verification Impact                                                                                     | Challenges Addressed                                                                                                 |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| State Machine for<br>IDE Capability<br>Discovery          | Ensures seamless state<br>transitions, preventing<br>security misconfigurations.                      | Ensures correct IDE activation<br>across multiple IPs and maintains<br>consistency in security<br>enforcement. | Handling complex IDE state<br>transitions and preventing<br>misalignment between security<br>states.                 |
| Operation Codes in<br>IDE Context                         | Validates secure OpCode<br>processing, eliminating<br>protocol violations and<br>security risks.      | Detects opcode misrouting and prevents unauthorized access or manipulation.                                    | Ensuring protocol compliance and preventing side-channel attacks due to incorrect OpCode handling.                   |
| White Box Logging                                         | Provides deep visibility into<br>IDE transactions, tracking<br>encryption integrity in real-<br>time. | Enables real-time monitoring of IDE transactions.                                                              | Tracking encrypted transactions<br>without exposing sensitive data<br>and maintaining real-time<br>traceability.     |
| Modular Debug<br>Hooks                                    | Enables targeted debugging<br>and anomaly detection,<br>ensuring correct IDE<br>behavior.             | Allows selective activation of debugging features for runtime security verification.                           | Providing efficient debugging<br>mechanisms without interfering<br>with the secure execution of IDE<br>transactions. |
| Flexible Verification<br>Methods for IDE<br>Functionality | Adapts to dynamic test<br>conditions and directed<br>testing                                          | Ensures IDE security remains robust.                                                                           | Maintaining verification scalability.                                                                                |





# Eliminating Blind Spots in IDE Verification for PCIe & CXL

Bug 1: Protocol Flit Transmission

• Flits from the next MAC Epoch transmitted **before TMAC flit**, violating spec.

Bug 2: Mixing IDE & Non-IDE TLPs in the Same Flit

- Selective Streams allowed IDE & Non-IDE TLPs together but lacked clear differentiation.
- Bug 3: Address Association Block Register Reconfiguration Issue
  - Address Association Block Register locked post-initialization, reducing runtime flexibility.
- Bug 4: Flushing queue (non-IDE + IDE traffic in pending queue)
  - Handling buffer resets without data loss or security issues when both encrypted (IDE) and non-encrypted traffic are in the queue



### Innovative Verification Methodology & Impact

- **Targeted Blind Spot Elimination** Applied state-aware validation, protocol-specific error injection, and adaptive debugging.
- **97% IDE Verification Coverage** Achieved using ML-driven regression, improving test efficiency and accuracywithin a very less span of Verification Timelines.
- Significant Debugging & Manual Effort Reduction Improved testbench automation and real-time error traceability.
- Scalability Beyond PCIe & CXL Techniques extend to Ethernet, HDMI, MIPI, and future high-speed protocols.



### Conclusion

- These five techniques enhance multi-layered IDE verification by enabling stateaware security validation, deep transaction visibility, and adaptive debugging in testbenches.
- They ensure **seamless encryption-decryption flows, error resilience, and robust security compliance** across SoC and IP verification.
- They ensure preventing security blind spots in PCIe and CXL environments



### Questions



