SYNOPSYS IP DATASHEET

Synopsys Inline Memory Encryption (IME)

Security Module

Highlights Overview
• Data confidentiality with independent As our connected world expands, the technological advances in
cryptographic support for read & high-performance computing (HPC) are reshaping system-on-chip (SoC)
write channels designs to address the need for more acceleration, more storage capacity, new
• Standards compliant: NIST SP800-38E, compute architectures, and increased bandwidths for faster data movement.
IEEE Std. 1619-2018 High bandwidth interfaces such as DDR/LPDDR are proliferating, and their
speeds continue to grow from generation to generation.
• FIPS 140-3 certification support
• Per region protection (index or At the same time, the security of data and systems is paramount, driven by
address based) multiple factors, including significant growth in confidential and sensitive
• Modes: AES-XTS, AES-ECB (test mode) information, laws, regulations, and standards evolution.

• Encryption/decryption Synopsys Inline and Memory Encryption (IME) Security Module IP provides
• Support for 128-bit and 256-bit keys confidentiality of data in use or stored in off-chip memory over memory
interfaces. It integrates seamlessly with Synopsys DDR and LPDDR IP
• Support for different datapath widths
Controllers for most optimal solutions in the industry with latency as low
(128/256/512-bit)
as 2 cycles, accelerating SoC integration and reducing risk.
• Efficient key control & refresh
• Key readback protection
Synopsys IME Security Module
• SRAM zeroization
The Synopsys IME Security Module is a configurable solution with independent
• Mission mode bypass
cryptographic support for read and write channels, and it’s scalable to match
• Pass-through mode various memory interfaces bandwidths with optimal area, power, and ultra low
• RAS SRAM ECC latency. It is based on the AES-XTS symmetric cryptographic algorithm
• Configurable for optimal PPA & latency as defined by NIST SP800-38E and IEEE Std 1619-2008 specifications, that by
its nature allows for pipelined architectures that can scale the performance
• Solution standalone or integrated with
to support the latest memory interfaces bandwidths.
Synopsys memory interface controllers
• Ultra low latency: IME latency overhead
as low as 2 cycles when integrated with
IME Security Module APB4
Synopsys DDR Controllers int cfg_lock key_lock test*
Registers
clk_core

rst IME Write Channel

Applications WrTweak IF
Control FIPS Test Wrapper Control
Logic; Logic; WrCipher IF
• Data centers / Servers Region
AES-XTS
(tweak encrypt, data encrypt) Region
WrPlain IF Control Control
• Networking
Bypass Channel
• Storage
IME Read Channel
• Artificial Intelligence FIPS Test Wrapper
RdTweak IF
Control Control
RdPlain IF Logic; Logic;
• Mobile / IoT Region
AES-XTS
(tweak encrypt, data encrypt) Region RdTweak IF
Control Control
• Automotive
Bypass Channel

Figure 1: Synopsys IME Security Module block diagram

synopsys.com/ip
The IME Security Module supports per region protection with context/key selection index or address based, and on-the-fly bypass
selection for non-encrypted regions for both read and write channels. An APB4 interface provides the integrators with a flexible
connection to any trusted execution environment for key control and programming.

The configurable IP supports a variety of features including:

• Scalable throughput, including DDR5/LPDDR5

• Scalable datapath widths: 128-bit, 256-bit or 512-bit
• Configurable data unit block size, up to 1024-bits
• AES-XTS encryption/decryption
• AES-ECB encryption/decryption for Test Modes
• Option for SM4-XTS
• 128-bit and 256-bit keys
• Per region encryption/decryption
• Up to 16 address-based regions
• Up to 1024K index-based selection
• Configurable number of tweak value contexts for write and read paths
• In-order latency optimized bypass channel
• FIPS 140-3 support
• SRAM zeroization
• Configuration and key programming locking inputs
• Data Counters for key freshness monitoring
• Mission mode key swap support for addressed-based key selection or single memory region environments
• RAS SRAM ECC and Single Port SRAM Support
• Area & latency optimization options
– Multiple AES rounds/cycle
– LUT or GF AES Sbox selection

Security Solution Integrates Seamlessly with Controllers

The most optimal security solutions for memory interfaces are inline and tightly integrated with the associated controllers, close
to the PHY interface, and operating on DRAM bursts. The security solutions need to efficiently handle encryption and decryption
for all key sizes, manage tweaks and keys, and overlap tasks with the memory controller as much as possible to further reduce the
overall latency.

Synopsys Secure DDR/LPDDR Controllers with integrated IME Security Modules (Figure 2) provide data confidentiality with
standards-compliant independent cryptographic support for read/write channels, per region encryption/decryption, and are highly
optimized for area, performance, and latency. The encryption/decryption latency overhead for the Synopsys Secure DDR/LPDDR
Controllers is as low as 2 clock cycles.

2
 Secure/ Secure Secure Test
SV/UM Interrupts Port for Mode
for HSM HSM
Secure DDR
Controller
DDRC External IME sINT APB External DDRC
SRAM SRAM
(plan Key Handler (secure
data) data)
Crypto Ultra AES-XTS
FSM Encrypt

Data Crypto Ultra AES-XTS ECC and CRC

Handling FSM Decrypt Control

Figure 2: Synopsys Secure DDR Controller with IME Security Module

Deliverables
• Synthesizable RTL developed in compliance with the IEEE1364 Verilog-2005 standard
• Verilog integration testbench
• Sample synthesis script and constraints
• Sample simulation script
• Databook
• Hardware user guide
• Hardware installation guide

Related Synopsys IP
Protect your SoCs from physical attacks and tampering using Synopsys’ broad secure interface IP products built specifically for
high-performance computing (HPC), mobile, automotive, and IoT SoCs. Silicon-proven Synopsys Controllers for the most widely used
protocols integrated with Security features offer low-risk solutions for optimal security, latency, performance, and area. Ultimately,
these solutions allow SoC designers to quickly address and implement security with low risk and quick time-to-market.

About Synopsys IP
Synopsys is a leading provider of high-quality, silicon-proven IP solutions for SoC designs. The broad Synopsys IP portfolio
includes logic libraries, embedded memories, PVT sensors, embedded test, analog IP, wired and wireless interface IP,
security IP, embedded processors, and subsystems. To accelerate prototyping, software development and integration of IP
into SoCs, Synopsys’ IP Accelerated initiative offers IP prototyping kits, IP software development kits, and IP subsystems.
Synopsys’ extensive investment in IP quality, comprehensive technical support and robust IP development methodology
enable designers to reduce integration risk and accelerate time-to-market.

For more information on Synopsys IP, visit synopsys.com/ip .

©2023 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is
available at http://www.synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners.
01/05/23.CS1026985298-Security-IP-IME-DS.