ACS (Access Control Services) Complete Guide

1. What is ACS?

What is Access Control Services?

Access Control Services (ACS) is a set of security controls implemented in PCIe switches and Root Complexes to ensure that peer-to-peer (P2P) transactions are properly controlled, validated, and routed. ACS is essential for virtualization environments where device isolation is critical.

ACS Purpose

Device Isolation: Prevent unauthorized P2P communication
IOMMU Integration: Route P2P traffic through IOMMU for translation/validation
Virtualization Security: Isolate devices assigned to different VMs
Traffic Control: Control which traffic can flow P2P vs via RC

2. Why ACS is Needed

Peer-to-Peer Attack Scenario

    WITHOUT ACS:
    
    ┌──────────────────────────────────────────────────────┐
    │                     HOST SYSTEM                       │
    │  ┌──────────────┐    ┌──────────────┐               │
    │  │     VM A     │    │     VM B     │               │
    │  │  (Device A)  │    │  (Device B)  │               │
    │  └──────────────┘    └──────────────┘               │
    │         ▲                    ▲                       │
    │         │                    │                       │
    │     ┌───┴────────────────────┴───┐                  │
    │     │      PCIe Switch           │                  │
    │     │                            │                  │
    │     │   A ══════════════════► B  │ ← P2P attack!    │
    │     │   (bypasses IOMMU)         │                  │
    │     └────────────────────────────┘                  │
    │                                                      │
    │   Device A can directly access Device B's memory    │
    │   without going through the IOMMU for validation    │
    └──────────────────────────────────────────────────────┘

With ACS Protection

    WITH ACS (P2P Redirect to IOMMU):
    
    ┌──────────────────────────────────────────────────────┐
    │                     HOST SYSTEM                       │
    │  ┌──────────────┐    ┌──────────────┐               │
    │  │     VM A     │    │     VM B     │               │
    │  │  (Device A)  │    │  (Device B)  │               │
    │  └──────────────┘    └──────────────┘               │
    │         ▲                    ▲                       │
    │         │                    │                       │
    │     ┌───┴────────────────────┴───┐                  │
    │     │      PCIe Switch           │                  │
    │     │        (ACS)               │                  │
    │     │   A ───► Redirect ───► RC  │                  │
    │     └────────────┬───────────────┘                  │
    │                  │                                   │
    │                  ▼                                   │
    │            ┌─────────┐                              │
    │            │  IOMMU  │ ← Validates/Blocks           │
    │            └─────────┘                              │
    └──────────────────────────────────────────────────────┘

3. ACS Control Bits

Control	Abbreviation	Function
ACS Source Validation	V	Validate TLP Requester ID against port
ACS Translation Blocking	B	Block transactions with AT field set
ACS P2P Request Redirect	R	Redirect P2P requests to RC
ACS P2P Completion Redirect	C	Redirect P2P completions to RC
ACS Upstream Forwarding	U	Forward all traffic upstream to RC
ACS P2P Egress Control	E	Block P2P based on egress control vector
ACS Direct Translated P2P	T	Allow P2P for translated transactions
ACS Enhanced Capability	-	Indicates enhanced ACS support

4. ACS Source Validation (V)

What it Does

Validates that the Requester ID in incoming TLPs matches what is expected for that port:

Prevents device spoofing
Ensures device cannot claim another device's ID
Validates against configured device/function numbers

Validation Mechanism

Check Requester ID Bus Number against secondary bus
Check Device/Function against expected values
Invalid TLPs treated as Malformed

5. ACS Translation Blocking (B)

What it Does

Blocks transactions that have the Address Type (AT) field set, indicating they carry translated addresses:

Prevents devices from bypassing IOMMU by claiming pre-translated addresses
Forces all traffic through normal translation flow

AT Field Values

AT Value	Meaning	Blocked?
00b	Untranslated	No
01b	Translation Request	No
10b	Translated	Yes (if B enabled)
11b	Reserved	Yes

6. ACS P2P Request Redirect (R)

What it Does

Redirects peer-to-peer Memory Requests upstream toward the Root Complex instead of forwarding directly to the peer device:

Forces P2P traffic through IOMMU
Enables address translation and validation
Essential for virtualization isolation

Affected Traffic

Memory Read Requests
Memory Write Requests
AtomicOp Requests

7. ACS P2P Completion Redirect (C)

What it Does

Redirects peer-to-peer Completions upstream toward the Root Complex:

Ensures completion traffic also goes through IOMMU
Prevents completion-based attacks

When Used

When devices may send completions to each other
Multi-function devices with P2P completion paths

8. ACS Upstream Forwarding (U)

What it Does

Forces all egress traffic upstream, regardless of destination address:

Most restrictive setting
No P2P traffic allowed at all
All traffic goes to Root Complex

Use Case

Maximum security environments where no P2P communication is acceptable.

9. ACS P2P Egress Control (E)

What it Does

Fine-grained control over which peer ports can receive P2P traffic from this port:

Uses Egress Control Vector
One bit per potential egress port
Allows selective P2P between specific ports

Egress Control Vector

Bit N = 1: Allow P2P to port N
Bit N = 0: Block P2P to port N (redirect upstream)

10. ACS Extended Capability Structure

Offset	Register
00h	Extended Capability Header (ID = 000Dh)
04h	ACS Capability Register
06h	ACS Control Register
08h	Egress Control Vector (variable size)

11. System Configuration

ACS Configuration for Virtualization

Enumerate all switches in hierarchy
Enable ACS Source Validation (V) on all ports
Enable ACS Translation Blocking (B)
Enable ACS P2P Request Redirect (R) on switch ports
Enable ACS P2P Completion Redirect (C) if needed
Configure Egress Control Vector for selective P2P

IOMMU Integration

ACS ensures traffic reaches IOMMU
IOMMU performs address translation
IOMMU enforces VM isolation
Both ACS and IOMMU required for full isolation