Enabling security in embedded system using M.2 SSD

By Jerome Gaysse, Mickael Guyard (IP-Maker)

Storage technologies are evolving at a high speed, thanks to new generations of memories such as Nandflash, ReRAM, MRAM and other flavors. That leads in an incredible performance increase in term of bandwidth and latency. By the way, security and data privacy features are still an important feature for critical storage systems. That is a challenge to perform encryption algorithms and control access management with very high data bandwidth, requiring high computing capabilities. This challenge is definitely a problem for embedded systems where space, power and cost are limited. A full integrated solution is needed. This talk presents how IP-Maker provides a set of hardware accelerated engines on the host side to manage NVMe data transfer and Opal lock/unlock process.

Even if systems are protected by a password, sub-systems are not protected. Unfortunately, as an example, many employees are using a computer where just a password is mandatory to access the data content. If the computer is stolen, then it is easy to take the disk drive, then accessing the data which are not protected. A solution is to add data protection at the drive level Data encryption can be done by the host system itself but it adds a lot of complexity in data transfer and disks should remain asserted in the dedicated system environment. In order to benefit from data protection and portability of the system, the idea it to let the storage class to protect its content.

The solution is to use self-encrypted drives (SED). A built-in engine in the SSD ensures the encryption of the data. Therefore, even if you can take the SSD out of the system, if you don’t have the password, then the SSD can’t be read or written. In addition to the SED, another piece is required in the system : the dedicated driver on the host side to be able to be in good light to establish communication. As mentioned in the introduction, the challenge is to perform the driver management at a high speed (e.g. for NVMe drives), with limited computing resources.

System overview

IP-Maker proposes a complete set of hardware IP in order to accelerate the processing time of the NVMe Management and the encryption processing. It is based on the NVMe Host IP, where benefits are been demonstrated for both embedded and server systems, coupled with an OPAL engine for the encryption part.

System block diagram

NVMe Host IP

The NVMe host IP manages the data transfer between the host side and the NVMe drives. It is suited to be used in a FPGA. It completes the initialization and configuration phases, then the queue management manages the data transfer. The NVMe host IP from IP-Maker comes as a RTL IP. There is no need of any software for the NVMe command & data transfer management, therefore delivering low latency. The IP features AXI and Avalon interfaces, and four main blocks: a control unit with its configuration registers, a NVMe command manager for the NVMe transaction setup, a data transfer manager, and an auto-init engine. The data buffer can be a memory or a FIFO for streaming uses cases. On the other side it is connected to the PCIe root complex controller (PCIe Gen3x8 capable). Few instances of this IP can be done for a higher total bandwidth. The only limitation will be the available PCIe lanes on the FPGA.

NVMe Host IP block diagram

Opal Acceleration Engine

The Opal acceleration engine is based on the Opal 2.0 specification, configured as 1 user and 1 namespace, for a full hardware mechanism.

From the user point view there is no difference between a non-protected drive and the use of a Opal-based SED. Combined with the NVMe Host IP and the Opal accelerator engine, the only additional resource required is an embedded memory (inside of the FPGA) that stores the Opal parameters of the drive. As soon as the NVMe Host IP has performed the initialization and configuration of the NVMe SSD (as explained above), then the Opal engine starts its process to unlock the drive. At the power off of the system, then the Opal engine automatically locks the drive.

Theory of operation

An NVMe SED uses specific NVMe commands: security send and security receives. While AES encryption algorithms are still performed on the SSD side, the lock and unlock process of the SSD are managed by the IPs on the host side. The password and protocol setup still need to be done on a computer.

At power-up the drive is locked and requires an authentication process to allow read and write accesses. It is managed by the Opal acceleration engine, including: discovery, properties identification, life cycle / AES mechanism / authority table check, user authentication and LBA range unlock for the right user.

Benefits

The set of IPs allow to design FPGA-based systems requiring high performance and secure storage features. That combines off-the shelf commercial OPAL-based self-encrypted drives, and FPGA control board, leading in an optimized system design, providing high bandwidth, low latency and a high level of data security, without using high-end expensive and power angry CPU. That also allows the user to benefit from high performance storage and high level of security without any software changes, using an industry standard data protection protocol (Opal)

That solution is perfect for embedded systems requiring a high level of security, including military applications with critical data, medical devices with personal information, or any other systems using self-encrypting drives. That solutions can also be used for edge serves, or even for the data center markets.

The solution explained above, based on hardware accelerated NVMe Host and Opal engines designed by IP-Maker, is a new step in the technology evolution for storage systems. It is a unique way to make no compromise between performance, security and system integration. Since it is based on a full hardware architecture, optimizing the data transfer latency at the maximum level, this solution is also ready for the support of next generation of fast SSD, based on storage class memories.

×
Semiconductor IP