How Secure DDR Interfaces Protect DRAM from Memory Attacks


Memory and storage security protects storage resources and the data stored in them, both in on-premise and external cloud data centers. As the need for higher capacity, faster access, and accelerated processing increases, designers are turning to high-performance, low-latency memory encryption solutions to preserve performance while protecting data over the latest generations of DDR, LPDDR, GDDR, and HBM memory interfaces.

Error correction code (ECC) used to be a popular mitigation strategy, but it provides only a limited level of resilience. ECC does not provide security, because it leaves memory open to corruption that goes undetected, which makes it a naive approach to integrity protection for memories. Designers would often use ECC as a stopgap before adopting proper cryptographic algorithms.

The best approach to safeguarding memory interfaces is to address the confidentiality and integrity of the data by design, with standards-based cryptography. For example, using AES-XTS encryption for data confidentiality can prevent Rowhammer attacks. While parity/ECC can catch 1- or 2-bit flips, encryption covers all the bits. With encryption, the data written to memory looks more like random data, and it is nearly impossible to create Rowhammer patterns. Memory encryption and proper refresh of keys also protect against RAMBleed and cold-boot attacks. In addition to data confidentiality, security can be augmented with data authenticity, using strategies such as cryptographic hashing algorithms to ensure that data has not been modified by malicious actors.
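The gap between ECC and a keyed integrity tag described above, as an added example that is not code from the original article: a 4-bit flip pattern that an extended Hamming (72,64) SECDED code accepts as clean is rejected by a MAC over the same word. The demo key, address, data word, the 8-byte truncated HMAC-SHA-256 tag and the binding of the address into the tag are assumptions of this example, not details the article specifies.

```python
import hashlib
import hmac

def data_positions(n=64):
    """1-based codeword positions holding data bits (every non-power-of-two)."""
    pos, p = [], 1
    while len(pos) < n:
        if p & (p - 1):              # powers of two are reserved for check bits
            pos.append(p)
        p += 1
    return pos

POS = data_positions()               # 64 data positions within 1..71

def secded(word):
    """Check bits of an extended Hamming (72,64) code: (7-bit syndrome, overall parity)."""
    syndrome = parity = 0
    for i, p in enumerate(POS):
        if (word >> i) & 1:
            syndrome ^= p
            parity ^= 1
    return syndrome, parity ^ (bin(syndrome).count("1") & 1)

KEY = bytes(range(32))               # constructed demo key; real keys come from the SoC's secure area

def tag(key, addr, word):
    """Assumption of this example: 8-byte truncated HMAC-SHA-256 over address and data."""
    msg = addr.to_bytes(8, "little") + word.to_bytes(8, "little")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def demo():
    addr, word = 0x1000, 0x0123456789ABCDEF          # constructed sample values
    stored_ecc, stored_tag = secded(word), tag(KEY, addr, word)
    # Flip data bits at codeword positions 3, 5, 9, 15: their XOR is 0 and the
    # count is even, so syndrome and overall parity are both unchanged.
    mask = sum(1 << POS.index(p) for p in (3, 5, 9, 15))
    bad = word ^ mask
    return {
        "ecc_flags_1bit": secded(word ^ 1) != stored_ecc,
        "ecc_flags_4bit": secded(bad) != stored_ecc,
        "mac_flags_4bit": not hmac.compare_digest(tag(KEY, addr, bad), stored_tag),
    }

if __name__ == "__main__":
    print(demo())
```

The single-bit flip is flagged by ECC, the 4-bit pattern passes ECC unnoticed, and the keyed tag rejects it.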

Making security part of your DDR interface design from the get-go is not without its challenges. Security needs to be done right because one weak link can compromise the overall system and its data. For example, it is critical for keys to be generated and managed in a trusted/secure area of the SoC and distributed via dedicated channels to the encryption module. Readback protection of keys and control configuration also needs to be part of the overall security architecture.

Another challenge is that memory encryption comes with a cost, including overhead that will impact power, performance, area (PPA), and latency. Your challenge is to make your DDR interface design secure and standards-compliant, but also highly optimized.

We’ve witnessed a rapid adoption of integrity and data encryption (IDE) security for PCI Express® (PCIe®) and Compute Express Link (CXL) interfaces, and now we are seeing a similar trajectory in memory interfaces, such as DDR and LPDDR. Because technology is ever-changing (criminals get smarter in their approaches as engineers design smarter solutions), whatever security strategy you choose should enable ongoing adaptation to an evolving threat ecosystem.


