Encryption Standardization for NVDIMM-N class PMEM devices (E11d)
A non-volatile DIMM (NVDIMM) is a Dual In-line Memory Module (DIMM) that maintains the contents of Synchronous Dynamic Random Access Memory (SDRAM) during power loss. An NVDIMM-N class of device can be integrated into a standard compute or storage platforms to provide non-volatility of the data in DIMM. NVDIMM relies on byte addressable energy backed function to preserve the data in case of power failure. A Byte Address Energy Backed Function is backed by a combination of SDRAM and non-volatile memory (e.g., NAND flash) on the NVDIMM-N. JESD245C Byte-Addressable Energy Backed Interface (BAEBI) defines the programming interface for NVDIMM-N class of devices.
An NVDIMM-N achieves non-volatility by:
* performing a Catastrophic Save operation to copy SDRAM contents into NVM when host power is lost using an Energy Source managed by either the module or the host; and
* performing a Restore operation to copy contents from the NVM to SDRAM when power is restored
An NVDIMM-N device may be a of self-encrypting device (SED) type that protects data at rest. This means the NVDIMM-N controller:
* encrypts data during a Catastrophic Save operation
* decrypts data during a Restore operation
and the data is:
* plaintext while sitting in SDRAM
* ciphertext while sitting in NVM (e.g., flash memory).
Typically, an NVDIMM-N device may be used within the storage controller for performance acceleration against storage workloads or as a sundry storage to preserve debug information in case of power failure. When NVDIMM-N device is used as a caching layer, transient data is staged in NVDIMM-N device before the data is persisted/committed to the storage media. NVDIMM-N devices are also used as persistent storage media for staging memory dump files when critical failures occur at storage subsystem level before the system goes down.
During ICMC18, we presented challenges involved in supporting standardized encryption scheme for protecting data-at-rest staged within the scope of PMEM class of devices under conference session “”The FIPS 140-2 CM overall rating: What’s [not] in it for me?””. This talk addresses some of the challenges presented within that session towards supporting an industry-standard oriented encryption scheme for PMEM class of devices.
The NVDIMM-N encryption standardization proposal involves cross-pollination between JEDEC (proposed BAEBI extensions to define security protocols in conjunction with encryption capability on the device) and TCG standards (proposed TCG Storage Interface Interactions Specifications content for handling self-encrypting NVDIMM-Ns plus adapting TCG Ruby SSC for NVDIMM-N devices) with industry sponsorship from HPE and NetApp.
The talk will begin with brief overview of NVDIMM-N device and associated storage-centric use cases followed by an overview of NVDIMM-N encryption scheme, and proposed self-encrypting device standardization approach for NVDIMM-N devices, which involves the following:
1. Extensions to BAEBI specification to accommodate security protocol definitions in consequence with encryption capability in NVDIMM-N devices
2. Extensions to TCG Storage Interface Specifications defining the Security Protocol Typed Block for handling interactions with NVDIMM-N devices.
3. Adapting TCG Ruby SSC standard for accommodating NVDIMM-N class devices
The talk will conclude by summarizing current state of the standardization proposal and approval process with JEDEC and TCG WG’s.