Elliptic offers multi-context security processing IP

In our less than gentle age, any packet-processing task, whether for a low-bandwidth connection to an embedded system or for a multi-Gigabit network router, brings with it the need for security processing. But needs differ—primarily by the packet size distribution, packet rate, and the security protocols involved. So there is quite a range of crypto-processing IP available to SoC designers, from pure software solutions to very substantial hardware engines.

This week one of the mainstays of the crypto IP market, Elliptic Technologies, filled an important spot in their product line: an autonomous hardware engine, optimized for multi-protocol security processing involving concurrent packet streams from multiple contexts. The block is intended for packet rates from hundreds of Megabits/s to perhaps 1 Gbit. That rather detailed list of specifications actually describes a number of important SoC applications, including LTE-Advanced base stations, picocell routers, and home media gateways.

The new core, officially the CLP-630 Multi-Packet manager, is designed to work autonomously from the SoC’s CPUs, reading a linked list of command blocks from shared memory and transferring data via secure DMA. A number of features both improve traffic flow between the 630 and the CPUs and decrease the chance of attacks breaking into the system. For one example, the IP core caches keys, so the keys are not continually crossing the SoC bus, even in encrypted form. For another, the engine includes both cipher and hash processors, so protocols that require both algorithms can be processed in a single pass with no need to copy the data twice. And the scatter/gather DMA engine is quite clever at grouping transfers into bursts, reducing bus loading and the need to do preliminary memory-to-memory copies to prepare data for the engine. These features of course improve energy efficiency as well.

The feature that sets the 630 apart in Elliptic’s product line is its ability to handle multiple packet streams concurrently, each with its own keys, protocols, and in some cases its own quality-of-service requirements. The latter point can be very important in, for example, base stations, according to Elliptic CTO Mike Borza. “We are seeing base stations implement crypto at multiple levels. For instance, the processor might be handling one protocol on the air side with virtually hard real-time requirements, and then something like IPsec on the wire side with much more relaxed latency requirements. Ideally for high integration, you’d like to be able to handle both sets of streams from a single engine with its own QoS queues.”

[Figure: The CLP-630 security processor IP core]

Elliptic is disclosing little about the hardware beyond a conceptual block diagram; for most users the IP will be a black box supported by an elaborate host-side software development environment. Senior product manager Dana Neustadter said the synthesized size of the block varies from about 120K gates to support only LTE-Advanced, to around 300K gates for a full multiprotocol configuration that can support just about anything you can throw at it. Both figures exclude memory, which can be substantial. Elliptic can provide the block with any of several bus interfaces, from AXI-4 to vanilla AHB to the company’s own Wishbone-derived “Elbone.”

As you might expect, the CLP-630 is not an off-the-shelf product. Elliptic works with the customer to create an Interface Control Document, which then serves as a requirements definition. Elliptic then assembles the necessary blocks and control structures—there is no user-visible microcode or firmware, according to Borza—and delivers Verilog, cycle-accurate SystemC models, a test bench, synthesis scripts, and an integration guide. Borza explained that assembling the IP internally, rather than handing the customer a library and a wizard, allowed Elliptic to fully verify each configuration before shipment.

The CLP-630 is available now for customer engagement.

