Forbidden IDE Reordering / CVE-2025-9612 / INTEL-SA-01409

ID 870902
Updated 12/4/2025
Version 1.0
Public

Key Takeaways

  • The current PCIe IDE specification contains a limitation in its ordering enforcement that can allow read requests to bypass write requests in certain circumstances. This vulnerability is known as Forbidden IDE Reordering (FIR).

  • Intel is collaborating with PCI-SIG and industry partners to author a revision to the PCIe specification that introduces a mitigation called IDE Escort.

  • Intel recommends that programmable PCIe switches should not be used in Intel TDX Connect and IDE deployments that involve affected processors.


Disclosure date:
2025-12-09

Published date:
2025-12-09


Severity rating: 3.0 Low
Industry-wide severity ratings can be found in the National Vulnerability Database.

Overview

PCIe Integrity and Data Encryption (PCIe IDE) is an industry-standard protocol that was first introduced in the PCI Express (PCIe) Base Specification Revision 6.0. IDE is used by Intel® Trust Domain Extensions Connect (Intel® TDX Connect) to protect data transmitted between Trust Domains (TDs) and the TEE Device Interfaces (TDIs) exposed by some PCIe devices. Among other enforcement policies, PCIe IDE is designed to enforce ordering properties that permit write requests (also called Posted Requests or PRs) to bypass read requests (also called Non-Posted Requests or NPRs) but prohibit read requests from bypassing write requests. The current PCIe IDE specification contains a limitation in its ordering enforcement that can allow read requests to bypass write requests in certain circumstances, potentially causing the requester to unknowingly consume stale data (an integrity violation). This vulnerability is known as Forbidden IDE Reordering (FIR). Intel is collaborating with PCI-SIG and industry partners to author a revision to the PCIe specification that introduces a mitigation called IDE Escort.

Intel recommends that programmable PCIe switches should not be used in Intel TDX Connect and IDE deployments that involve an affected processor; see Affected Products.

FIR has been assigned CVE-2025-9612 (a CVE not issued by Intel) with a CVSS 3.1 base score of 3.0 Low (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

Background

FIR is caused by IDE Sync messages, which are used by a transmitter and a receiver to synchronize hardware counters that are intended to immediately detect forbidden IDE reordering. The transmitter sends an IDE Sync message whenever one of its PR_Sent_Counter values is about to overflow. Since the transmitter’s counters are 8 bits wide and other routine events (for example, sending an NPR or Completion[1]) synchronize and reset these counters, IDE Sync messages are sent rarely and constitute at most 0.4% of IDE traffic.

After an IDE Sync message is sent, two different circumstances can prevent FIR from being detected immediately:

  • Late Detection: If the next Transaction Layer Packet (TLP) sent after the IDE Sync is a PR, then a subsequent NPR or Completion may be reordered (for example, by a malicious switch) to precede the IDE Sync. If the receiver’s NPR counter is less than the PR_Sent_Counter value carried in the reordered NPR (or if the receiver’s Completion counter is less than the PR_Sent_Counter value carried in the reordered Completion), the reordering is detected immediately by the receiver, which is how IDE is intended to operate. However, if the receiver’s NPR (or Completion) counter is greater than or equal to the PR_Sent_Counter value in the reordered NPR (or Completion), the reordering is not detected immediately. Instead, it is detected at the latest when the IDE Sync is received, or possibly sooner when another NPR (or Completion) is received.
  • Missed Detection: If the next TLP sent after the IDE Sync is not a PR, then any subsequent NPRs or Completions that are sent before the first PR following the IDE Sync may be reordered to precede any TLP sent before the IDE Sync, and these violations are not detected by the receiver at all.
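As an added illustration that is not part of this advisory, the following Python model replays the counter behaviour described above and reports at which TLP the receiver first notices a reordering (immediately, late, or never). It is a simplification built from the advisory's description, not from the PCIe IDE specification text: it uses one shared counter instead of separate NPR and Completion counters, assumes that NPRs, Completions and IDE Sync messages each carry the current PR_Sent_Counter and reset it, and assumes the receiver compares its own count against the value carried in a Sync.

```python
from dataclasses import dataclass

COUNTER_BITS = 8  # the advisory states the transmitter's counters are 8 bits wide
MODULUS = 1 << COUNTER_BITS


@dataclass
class Tlp:
    kind: str          # "PR", "NPR", "CPL" or "SYNC"
    pr_sent: int = 0   # PR_Sent_Counter value carried by NPR / CPL / SYNC (0 for a PR)


def transmit(kinds):
    """Stamp a sequence of TLP kinds with PR_Sent_Counter values (simplified model)."""
    counter, out = 0, []
    for k in kinds:
        if k == "PR":
            counter = (counter + 1) % MODULUS
            out.append(Tlp("PR"))
        else:
            # Modelling assumption: NPR, Completion and Sync carry the count and reset it.
            out.append(Tlp(k, counter))
            counter = 0
    return out


def receive(tlps):
    """Return the index of the TLP at which reordering is first detected, or None."""
    counter = 0
    for i, t in enumerate(tlps):
        if t.kind == "PR":
            counter = (counter + 1) % MODULUS
        elif t.kind == "SYNC":
            if counter != t.pr_sent:      # receiver's count disagrees with the Sync
                return i
            counter = 0
        else:  # NPR / CPL: per the advisory, immediate detection only if count < carried value
            if counter < t.pr_sent:
                return i
            counter = 0
    return None


def reorder(tlps, src, dst):
    """Move the TLP at index src so that it lands at index dst (constructed reordering)."""
    out = list(tlps)
    out.insert(dst, out.pop(src))
    return out


def immediate_detection_scenario():
    # Ordinary IDE behaviour: an NPR moved ahead of the two PRs it was sent after.
    return receive(reorder(transmit(["PR", "PR", "NPR"]), 2, 0))


def late_detection_scenario():
    # Sync followed by a PR; the later NPR is moved ahead of the Sync (index 5).
    return receive(reorder(transmit(["PR"] * 5 + ["SYNC", "PR", "NPR"]), 7, 5))


def missed_detection_scenario():
    # Sync followed directly by an NPR; that NPR is moved ahead of every earlier TLP.
    return receive(reorder(transmit(["PR"] * 5 + ["SYNC", "NPR"]), 6, 0))
```

In this model the late-detection case is caught only when the Sync arrives (index 6), while the missed-detection case passes every check, matching the two windows the advisory describes.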

Impact

On potentially affected Intel® platforms, FIR only affects software that uses IDE to protect PCIe traffic, such as Intel® Trust Domain Extensions (Intel® TDX) Trust Domains that use Intel® TDX Connect to communicate with PCIe devices.

An exploit of FIR requires physical access, unless the data path between the host and device includes a PCIe switch that can be reprogrammed by the host to maliciously re-order PCIe traffic, such as a switch with an integrated FPGA controller.

A FIR that is detected late or is undetected can only impact data integrity if an NPR is reordered to precede a PR that requested a write to the same location (for example, an MMIO register) for which the NPR requested a read. If these conditions are satisfied, then the receiver may furnish a Completion with stale data, and consequently the requester may consume stale data when it receives the Completion.

Although a Completion may also be reordered to bypass a PR, this scenario is less likely to impact data integrity because MMIO regions are typically mapped as uncacheable (UC), and thus Completion data is not automatically written back to caches or DRAM by the CPU.

FIR may also impact the efficacy of PCIe flushes (also known as zero-length reads) that are sometimes used by software to ensure that all PRs that were sent prior to a flush have been received by the device and are no longer lingering in the PCIe fabric. Software initiates a flush by sending an NPR to read zero or more bytes from a register on the device; the flush is complete when the software receives the corresponding Completion. This flush primitive relies on the PCIe property that prohibits NPRs from bypassing PRs: Since the NPR cannot bypass any of the PRs that were sent before it, the device can only receive the NPR and respond with a Completion after it has received all the PRs that were sent before the NPR. However, FIR can introduce circumstances that violate this property, and therefore a PCIe flush may not guarantee that all older PRs have been received by the device.

Mitigation

Intel is collaborating with PCI-SIG and industry partners to author a revision to the PCIe specification that introduces a hardware-based mitigation called IDE Escort. This new feature will enhance PCIe IDE to ensure that any forbidden TLP re-ordering that occurs between the transmitter and receiver is detected immediately by the receiver, thus mitigating FIR. Future Intel® processors may support this feature. IDE Escort can only be enabled for an IDE Stream when the host processor and its connected partner device both support the IDE Escort feature.

Intel recommends that programmable PCIe switches should not be used in Intel TDX Connect deployments that involve processors and/or TEE-IO-capable devices that do not support IDE Escort. Note that this approach may not prevent physical attacks on a PCIe link, such as using a purpose-built interposer instead of a programmable switch to maliciously re-order IDE traffic. Physical attacks such as this one are within the scope of the IDE standard’s threat model.

Intel and its industry partners continue to study FIR, and Intel may provide further guidance to harden affected Intel processors.

Footnotes

  1. A Completion is a response to an NPR. For example, if the host sends an NPR that requests data at an address X that belongs to a partner device, the device responds to the NPR with a Completion that contains the data at address X.
