The security components are divided into three parts:
- SPDM - Security Protocol and Data Model: a standard defined by [2][DMTF] for key management
- CMA - Component Measurement and Authentication: defined by PCI-SIG; it is an adaptation of SPDM
- DOE - Data Object Exchange: defined by PCI-SIG; CMA specifies DOE as the transport for SPDM messages between requester and responder for key/certificate exchange.
Note that CMA and SPDM are lumped together in the spec; as I see it, CMA is basically SPDM with extra requirements or rules. DOE is just an extended capability in the configuration address space that lets the host and device exchange messages through two mailbox registers.
So, when does IDE come in?
Basically, IDE defines the following two main stages:
- Key management using SPDM
- AES-GCM encryption for the body of the TLP and an integrity MAC over the whole TLP
IDE Key management
Key management uses SPDM/CMA messages carried over DOE and follows these steps:
IDE TLP transfer
AES-GCM itself is specified by [3][NIST] and [4][NIST], but the IDE spec defines how the TLP address and data are fed into the MAC and the cipher.
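The split described above, body encrypted and the whole TLP covered by the MAC, is exactly what an AEAD like AES-GCM gives when the cleartext header is passed as associated data. The following Go program is an added example (not code from the original post or from the PCI-SIG spec) using only the standard library's AES-GCM. It assumes a 32-byte key already negotiated via SPDM, a constructed byte string standing in for a TLP header, a constructed payload, and a simple counter-based nonce layout; the real IDE nonce derivation, header layout and the exact bytes that go into the AAD are not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keySize   = 32 // AES-256 key, as used for AES-GCM in IDE
	nonceSize = 12 // 96-bit GCM nonce
	tagSize   = 16 // 128-bit integrity tag (the MAC)
)

// ProtectedTLP holds one TLP after protection: the header travels in the
// clear but is covered by the tag, the body is encrypted, and the tag
// authenticates header and body together.
type ProtectedTLP struct {
	Header     []byte
	Ciphertext []byte
	Tag        []byte
	Nonce      []byte
}

func clone(b []byte) []byte { return append([]byte(nil), b...) }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CounterNonce builds a 96-bit nonce from a per-key message counter. GCM is
// broken by a repeated nonce under one key, so a counter value must never be
// reused. (Constructed layout; IDE's own nonce derivation differs.)
func CounterNonce(counter uint64) []byte {
	n := make([]byte, nonceSize)
	binary.BigEndian.PutUint64(n[nonceSize-8:], counter)
	return n
}

// Protect encrypts the TLP body and, by passing the header as associated
// data, makes the tag cover the whole TLP while the header stays readable.
func Protect(key, nonce, header, body []byte) (*ProtectedTLP, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != nonceSize {
		return nil, errors.New("nonce must be 12 bytes")
	}
	sealed := gcm.Seal(nil, nonce, body, header) // ciphertext || tag
	split := len(sealed) - tagSize
	return &ProtectedTLP{
		Header:     clone(header),
		Ciphertext: clone(sealed[:split]),
		Tag:        clone(sealed[split:]),
		Nonce:      clone(nonce),
	}, nil
}

// Unprotect checks the tag over header and ciphertext, then decrypts the body.
// Any change to header, ciphertext, tag or nonce makes Open fail, so the
// receiver drops the TLP instead of acting on it.
func Unprotect(key []byte, p *ProtectedTLP) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := append(clone(p.Ciphertext), p.Tag...)
	body, err := gcm.Open(nil, p.Nonce, sealed, p.Header)
	if err != nil {
		return nil, errors.New("IDE integrity check failed: TLP dropped")
	}
	return body, nil
}

// Demo protects one TLP, then flips a bit in the cleartext header and in the
// encrypted body to show both are caught by the single MAC.
func Demo() (roundTrip, headerTamper, bodyTamper bool) {
	key := bytes.Repeat([]byte{0x42}, keySize)       // constructed demo key
	header := []byte{0x60, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0f} // constructed stand-in for a TLP header
	body := []byte("constructed TLP payload")

	p, err := Protect(key, CounterNonce(1), header, body)
	if err != nil {
		return
	}
	got, err := Unprotect(key, p)
	roundTrip = err == nil && bytes.Equal(got, body)

	t := *p
	t.Header = clone(p.Header)
	t.Header[4] ^= 0x01
	_, err = Unprotect(key, &t)
	headerTamper = err != nil

	t = *p
	t.Ciphertext = clone(p.Ciphertext)
	t.Ciphertext[0] ^= 0x01
	_, err = Unprotect(key, &t)
	bodyTamper = err != nil
	return
}

func main() {
	rt, ht, bt := Demo()
	fmt.Printf("round trip ok: %v, header tamper detected: %v, body tamper detected: %v\n", rt, ht, bt)
}
```

The point to take from the design: a single GCM tag is enough for "encrypt the body, authenticate everything", because the associated-data input lets the routing fields stay readable to switches while still being bound to the tag; the receiver never parses a decrypted body before `Open` succeeds.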