Why Chiplet Security Boundaries Are Harder to Draw Than Chip Boundaries
P. Nakamura
Monolithic chips have a clean security story. Everything inside the die boundary shares a manufacturing provenance, a single physical inspection surface, and one set of tamper-detection assumptions. Disaggregate that same chip into four chiplets from three different foundries, and every one of those assumptions breaks simultaneously.
That's not a hypothetical. It's what happens every time a chiplet-based product ships with dies sourced from separate supply chains, which, for cost and yield reasons, is increasingly the point.
The Interface Is Now the Attack Surface
On a monolithic SoC, the bus between a CPU complex and a memory controller never leaves the die. Probing it requires decapping the package, navigating metal layers under electron microscopy, and getting very lucky. Die-to-die interconnects, whether they run across a silicon interposer, through an EMIB bridge, or over a direct hybrid-bonded interface, move that traffic somewhere physically accessible in ways that weren't true before.
UCIe, for all its virtues as an interoperability standard, doesn't mandate encryption on the physical layer. The spec leaves security implementation to the link layer and above. That's a deliberate choice (mandatory encryption at the PHY would cost latency and power), but it means a die sourced from Supplier A talking to a die from Supplier B over UCIe is doing so in plaintext unless both teams independently agreed to do something about it.
Most don't. At least not yet.
Multi-Source Chiplets Introduce Provenance Problems
Consider a data-center accelerator built from a compute die taped out at one foundry and an HBM controller die from a second. If the HBM controller came from a compromised mask or carries an inserted hardware Trojan, the compute die has no reliable way to detect it at boot. The authentication surface between chiplets is effectively the interconnect protocol, and most die-to-die protocols weren't designed with adversarial supply chains in mind.
This isn't paranoia. DARPA's TRUST and SHIELD programs spent years on exactly this problem for individual ICs. Chiplets make it structurally harder: more dies, more vendors, more opportunities for substitution or modification between tape-out and final assembly.
Here's what a minimal chiplet trust model has to contend with:
```mermaid
graph TD
    A[Compute Chiplet] --> B{Die-to-Die Interface}
    B --> C[IO Chiplet]
    B --> D[Memory Controller Chiplet]
    E[Attacker] --> B
    F[Provenance Verification] --> A
    F --> C
    F --> D
    G((Root of Trust?)) --> F
```
The uncomfortable question that diagram raises: where does the root of trust live when there's no single die that owns the full system?
Confidential Computing Gets Complicated
Intel TDX and AMD SEV-SNP both root confidential VM attestation in a specific processor die. That works cleanly when the processor is monolithic. In a chiplet product, the "processor" might span a compute tile, a fabric tile, and an I/O tile, each from a different manufacturing run, possibly different fabs entirely.
Attestation flows that terminate at a single die now have to either trust that the other chiplets in the package haven't been tampered with (a significant assumption) or extend attestation across the die-to-die fabric itself. Neither option has a clean industry solution today. The Confidential Computing Consortium has working groups circling this, but shipping silicon is ahead of the standards.
What Engineers Are Actually Doing
Practical responses tend to fall into three buckets. First, some teams add lightweight challenge-response authentication at die-to-die link bring-up, essentially a handshake that verifies a shared secret baked into each die at manufacturing time. Second, organizations with vertical control over the supply chain (a hyperscaler building its own accelerator, say) simply constrain chiplet sourcing to trusted fabs and treat provenance as a procurement problem rather than a silicon problem. Third, and most defensively, a few designs are routing all sensitive traffic through an on-die security enclave on a single "anchor" chiplet, even if that creates a bandwidth bottleneck.
None of these are satisfying. The first is only as strong as the key management story. The second breaks the business case for heterogeneous integration. The third wastes exactly the throughput gains that motivated disaggregation in the first place.
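The first bucket's handshake, as an added example (not the article's or any vendor's code): a mutual HMAC challenge-response run at die-to-die link bring-up. The per-package link key, the die names and the message layout are assumptions; a die substituted between tape-out and assembly that carries a different key fails bring-up, while the key-management weakness the article notes remains, since any party holding the provisioned key passes.

```python
import hmac
import hashlib
import secrets

# Constructed per-package link key, standing in for a secret provisioned into
# each genuine die at manufacturing time. Protecting it is the whole story.
PACKAGE_LINK_KEY = bytes.fromhex("00" * 31 + "01")

class Chiplet:
    """One die on the package, holding its die id and provisioned link key."""
    def __init__(self, die_id: str, link_key: bytes):
        self.die_id = die_id
        self.link_key = link_key

    def tag(self, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
        # The role is bound into the MAC so a responder proof cannot be
        # reflected back to the initiator as an initiator proof.
        return hmac.new(self.link_key, role + nonce_a + nonce_b,
                        hashlib.sha256).digest()

def link_bring_up(initiator: Chiplet, responder: Chiplet) -> bool:
    """Mutual challenge-response run once when the die-to-die link trains.
    Returns True only if both dies prove possession of the same link key."""
    nonce_a = secrets.token_bytes(16)                  # 1. initiator's challenge
    nonce_b = secrets.token_bytes(16)                  # 2. responder's challenge
    proof_b = responder.tag(b"RSP", nonce_a, nonce_b)  #    plus its proof
    # 3. initiator checks the responder before any sensitive traffic flows
    if not hmac.compare_digest(proof_b, initiator.tag(b"RSP", nonce_a, nonce_b)):
        return False
    proof_a = initiator.tag(b"INI", nonce_a, nonce_b)  # 4. initiator's proof
    return hmac.compare_digest(proof_a, responder.tag(b"INI", nonce_a, nonce_b))

def demo_genuine() -> bool:
    """Compute die and memory-controller die provisioned with the same key."""
    compute = Chiplet("compute", PACKAGE_LINK_KEY)
    memctl = Chiplet("mem_ctrl", PACKAGE_LINK_KEY)
    return link_bring_up(compute, memctl)

def demo_substituted() -> bool:
    """Memory-controller die swapped before assembly: it carries some other
    key, so bring-up fails and the link never comes up."""
    compute = Chiplet("compute", PACKAGE_LINK_KEY)
    swapped = Chiplet("mem_ctrl", secrets.token_bytes(32))
    return link_bring_up(compute, swapped)

if __name__ == "__main__":
    print("genuine package:", demo_genuine())      # True
    print("substituted die:", demo_substituted())  # False
```

Fresh nonces on both sides mean a recorded bring-up exchange cannot be replayed, but the handshake authenticates only key possession, not the die's design or mask provenance.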
The Deeper Issue
Semiconductor security thinking was built for a world where a chip had one owner, one designer, and one fab. Chiplets shatter that model on purpose; that's the whole economic argument. But security boundaries don't automatically redraw themselves when you slice the silicon.
The packaging community solved the signal integrity problem across die interfaces. Power delivery is getting there. Thermal management is a known hard problem with active research. Security across heterogeneous, multi-source chiplet assemblies is at least two years behind all of those, and the attack surface is growing faster than the defenses are forming.