• Discovery & configuration: enumeration, configuration space, capability gating.
• Resource mapping: BAR sizing/mapping, interrupt delivery (MSI/MSI-X) at the control-plane level.
• Data movement semantics: MMIO doorbells, DMA visibility basics, IOMMU interaction (concept-level).
• Feature responsibilities: ATS/PRI, SR-IOV, error reporting and recovery ownership.
• Operational stability: reset/power semantics from the controller view (what changes, what must be restored).

• PHY / SerDes / SI: eye/jitter, insertion loss, equalization tuning, layout rules.
• Retimer / Redriver design: CDR/DFE/CTLE device selection and channel extension strategy.
• Switch deep dive: port fan-out design, switch silicon policies, detailed ACS/ARI behavior.
• Compliance workflows: official PCI-SIG test flows and lab procedures.

Use this page to decide what the controller must do; use sibling pages to solve how the link meets electrical requirements.

Role distinctions (control-plane semantics)

Typical system patterns (kept at navigation depth)

This pattern stresses enumeration policy, resource sizing, and operational recovery. If a device “disappears”, start from the RC policy chain (bus numbering → windowing → capability gating) before assuming an electrical issue.

Role boundaries can blur in SoC/FPGA designs. Bring-up becomes easier when responsibilities are explicit: a single owner for enumeration, a single owner for DMA visibility rules, and a single owner for recovery actions.

Capability index (what to look for, not a keyword dump)

Jump navigation (when symptoms point outside this page)

PHY / SerDes

Go if: eye margin collapses, equalization swings wildly, BER changes with trace length. Get: jitter/loss budgets and electrical closure logic.

Retimer / Redriver

Go if: long channel needs cleanup, link trains only at lower gen, margins depend on cable/backplane. Get: device choice and channel extension strategy.

Switch / Bifurcation

Go if: multi-port fan-out, isolation policy, topology-driven enumeration issues. Get: port routing, partitioning, and fabric policy depth.

Compliance & Test Hooks

Go if: official test coverage, margining workflows, PRBS/loopback validation. Get: compliance-oriented test planning.

Pass criteria (page-level contract)

• Posted requests (typical writes): do not require a completion. The system can appear “fast” while still being wrong if the producer signals too early (doorbell before data visibility).
• Non-posted requests (typical reads and some control paths): require a completion. These transactions are completion-bound and expose congestion, backpressure, or policy errors as stalls.
• Completions are the controller’s truth source for “did it really happen”. A system that “hangs” frequently fails at the completion boundary (timeouts, replays, poisoned data).

A “hang” can be a controller waiting at a completion boundary. Treat timeouts and retries as accounting signals: something prevented the completion from arriving in time.

• Completion timeout: the request left, but the completion did not return in the allowed window. Common controller-side causes include congestion/backpressure, blocked routing, or recovery policy that never converges.
• Replay / retry behavior: repeated attempts inflate latency and can look like instability under load. The key is whether retries correlate with resource pressure (queues, interrupt moderation, reset loops).
• ECRC / poisoned data: indicates an integrity concern at the transaction level. The correct first step is to classify the event and decide a recovery action, not to immediately rewrite the electrical design.

Many controller bring-up failures are not “data corruption” but visibility mismatches. The producer and consumer observe different timelines unless ordering rules are enforced.

• Rule 1 — Separate data and control: data buffers can be written (posted writes) while control registers (doorbells) signal readiness. If the signal arrives first, the consumer reads incomplete or stale data.
• Rule 2 — Completion is a barrier for non-posted paths: reads/config are naturally gated by completions; writes need explicit discipline (barriers, sequencing, queue protocol).
• Rule 3 — DMA visibility depends on the platform contract: IOMMU policy and cache coherency determine what is visible when. Treat visibility as a first-class design requirement.

Control-plane flow (what “usable” requires)

A) Checklist — the first 8 fields to read (lspci-style)

• All expected functions appear with stable IDs across X cold boots.
• Bridge subordinate ranges cover full scan depth; no “missing behind bridge” events in X cycles.
• BARs are non-zero, aligned, and reachable; MMIO reads/writes complete without stalls over X minutes.

B) BAR sizing playbook (card list, no tables)

C) Capability map (feature → enable action → verify signal)

• Capabilities remain enabled as intended across X hot resets with no regressions.
• BAR placement and bridge windows remain compatible after VF creation or policy changes (0 overlaps, 0 unreachable apertures).

• Legacy interrupts are limited for modern multi-queue devices and often collapse under load.
• MSI improves routing, but vector count and isolation may still limit per-queue scaling.
• MSI-X enables per-queue vectors so hot queues can be isolated, moderated, and distributed across CPUs.

• Vector budget: allocate enough vectors for the active queues (Q0..Qn).
• Mapping determinism: keep queue-to-vector mapping stable across reset and mode changes.
• Isolation intent: avoid funneling multiple hot queues into one vector unless that is explicitly intended.

Interrupt frequency should track useful work. Too many notifications create storms; too few increase tail latency. Use policy knobs in this order:

1. Fix mapping first: ensure queue → vector mapping reflects the intended parallelism.
2. Then moderate: apply coalescing/moderation to cap interrupt rate (X).
3. Then distribute: set affinity so hot vectors do not pile onto one CPU core.

A) DMA bring-up shortest path (minimum viable demo)

• Pattern: fixed-size buffer (e.g., X KB) filled with a known signature and checksum.
• Alignment: enforce X-byte alignment; keep a separate “misaligned” variant for later.
• Boundary controls: create a “cross-page” variant (buffer spans two pages) to trigger mapping edge cases.

• 64-bit DMA enable: confirm the device consumes the full DMA address width (avoid high-bit truncation).
• IOVA/PA sanity: record the DMA address used by the device and the backing physical placement (for correlation).
• No surprise remap: pin or otherwise stabilize the mapping during the demo to isolate variables (X).

• CPU → device: ensure data/descriptor writes become visible before ringing a doorbell (flush or barrier as required).
• Device → CPU: ensure CPU reads see device writes (invalidate or coherent path).
• Descriptor discipline: treat descriptors as control-plane; keep them separate from large data buffers.

• Pattern checksum matches after X DMA read/write cycles (no corruption, no stale reads).
• Cross-page variant completes with 0 unexpected faults over X iterations.
• High-address placement remains correct (no truncation) across X resets.

B) IOMMU fault triage (fault → locate → fix)

1. Not-present / unmapped: the IOVA has no valid translation at the time of access.
2. Permission: mapping exists but violates R/W permissions or device domain policy.
3. Address width / format: the device issued a truncated or malformed DMA address (common with 64-bit not enabled).
4. Lifetime mismatch: mapping was torn down or reused while the device still uses it (stale mapping).
5. Cross-page edge: first page mapped, second page missing; faults only on certain buffer sizes.

• 0 IOMMU faults across X hours of peak DMA load.
• Fault recovery (if intentionally injected) converges within X ms (p99), no retry storms.

C) Coherency strategy (when flush/invalidate is mandatory)

• Non-coherent: software must manage cache visibility explicitly (flush/invalidate), or stale reads are expected.
• Coherent interconnect: data visibility is largely automatic, but ordering between data and signals still matters.
• Mixed: some buffers are coherent while others are streaming; inconsistent policy causes “only sometimes” failures.

A) Feature gate (platform prerequisites)

B) Bring-up checklist (minimum proof: ATS + invalidate + fault recovery)

C) Pass criteria (quantified thresholds — placeholders)

A) SR-IOV enable playbook (firmware → platform → OS stack)

1. Gate: confirm SR-IOV capability is visible and permitted by platform policy (X).
   Quick check: capability present; platform does not block VF creation.
2. Enable: set the VF count and provision VF resource windows (BAR space, vector budget).
   Quick check: VF count reflects the intended number; resource window sizing does not collide.
3. Enumerate: verify VFs appear consistently across resets and hot resets (X).
   Quick check: VF enumeration success ≥ X% over X cycles.
4. Validate: verify per-VF queues, interrupts, and counters are functional and isolated.
   Quick check: per-VF counters increment only for the target VF; vector/queue mapping matches policy.

• VFs enumerate successfully ≥ X% across X reset cycles.
• Per-VF BAR windows are conflict-free (0 overlaps), and VF MMIO is accessible without errors.
• Per-VF MSI-X vectors deliver interrupts to the intended CPUs with stable distribution (X).

B) Operability contract (per-VF counters / reset / firmware compatibility)

C) Failure scenarios library (symptom → first check → direction)

A) Reset decision tree (symptom → pick reset type)

• Config/functional corruption but link is up: prefer FLR / function reset to keep the impact bounded.
  Verify after reset: enumeration intact, BAR/MMIO usable, error counters converge (X).
• Link training or enumeration is unstable: prefer Hot Reset first, then escalate to PERST# if instability persists.
  Verify after reset: link stays up for X minutes under load; enumeration success ≥ X%.
• SR-IOV VF recovery: reset selection must account for whether VF provisioning state is cleared and must be re-applied (X).
  Verify after reset: VF count restored, per-VF queues/interrupts/counters are functional.

B) Power states tuning order (ASPM/L1SS without “device missing”)

1. Baseline (no deep power states): prove 24h stability (0 device-missing events, error counters converge).
   Metrics: recovery time, enumeration success, AER counters (X).
2. Enable shallow savings: turn on one mechanism at a time; measure exit latency impact (X).
   Check: no increase in completion timeouts; no surprise retrains/resets.
3. Enable deeper states (L1SS): validate wake/exit timing and device readiness within platform budgets (X ms).
   Check: “device missing” remains 0/24h; p99 latency stays within X.

• First check: exit latency and readiness timing vs platform timeout budgets (X).
• Second check: unexpected re-enumeration or resource reshuffle after wake.
• Direction: back off to the last stable state; then re-enable stepwise with metrics.

C) Pass criteria (recovery time, enumeration success, counter convergence)

• Recovery time: ≤ X ms (p95) and ≤ X ms (p99) for the selected reset path.
• Re-enumeration: success ≥ X% across X cycles (including hot resets).
• Device missing: 0 / 24h under peak traffic + power-state toggling.
• Error convergence: fatal = 0; correctable ≤ X after stabilization window (X minutes).
• State consistency: power state transitions do not change functional resource layout unexpectedly.

A) Minimal observability panel (10 key signals)

• AER Correctable: rate (X / min) and burstiness (p95/p99 window X).
• AER Non-fatal: count per hour (X) and correlation with workload/power states.
• AER Fatal: 0 tolerated; always capture a full snapshot window (pre/post).
• Replay counter: indicates retransmit pressure; track vs throughput (X).
• Completion timeout: indicates blocked completions; track vs queue depth (X).

• ECRC errors: treat as integrity evidence; correlate with retries and resets (X).
• Poisoned TLP: indicates corrupted payload propagated upward; always log context (X).

• Device-missing events: must be 0 / 24h under stress (X).
• Reset counters: per type (PERST#/hot reset/FLR) with recovery time p95/p99 (X ms).
• Re-enumeration success: ≥ X% across X cycles, including power transitions.

B) Attribution matrix (no tables; if/then cards)

• THEN: congestion / backpressure / software queueing is more likely than a raw channel defect.
• CAPTURE: replay + timeout trend vs throughput + queue depth (window X).
• NEXT: jump to software stack gating and queue strategy (H2-10); only later validate channel via compliance page.

• THEN: treat as integrity evidence requiring preservation and controlled reproduction.
• CAPTURE: AER class + ECRC/poison counters + state snapshot (pre/post window X).
• NEXT: validate with PHY/retimer and compliance workflows (links only; do not expand here).

• THEN: control-plane timing / recovery budgets are suspect (exit latency, readiness).
• CAPTURE: timestamped events + recovery time distribution + device-missing count (X).
• NEXT: jump to reset/power state-machine tuning (H2-8) and stack gating (H2-10).

C) Event retention (field log schema recommendations)

• Timestamp + severity: AER class (correctable/non-fatal/fatal) and burst window ID (X).
• Counter snapshot: replay, completion timeout, ECRC, poison, reset counts (pre/post window X).
• Configuration snapshot: negotiated speed/width, power state (ASPM/L1SS), enabled features (ATS/PRI/SR-IOV) as on/off or counts.
• Load context: throughput, queue depth, and tail latency (p95/p99 placeholders X).
• Action taken: record-only / degrade / reset (type) + recovery time (X ms).

A) Bring-up path (firmware → OS → driver → application)

B) Feature gating (ATS/PRI/SR-IOV requires a chain)

C) Upgrade / rollback strategy (field-safe operations)

• Pre-check: enforce a known-good compatibility matrix (firmware + PF + VF stack) with bounds (X).
• Rollout gates: stage by fleet fraction; watch device-missing (0/24h), AER fatal (0), and replay/timeout trends (X).
• Rollback triggers: any fatal increase, recovery time drift, or VF enumeration instability beyond X.
• Post-check: run a reset/power transition suite; confirm observability panel remains consistent (H2-9 linkage).

• ☐ Resource budget for BAR aperture, MSI-X vectors, queues, and DMA descriptors. Pass criteria: X% headroom across worst-case SKUs.
• ☐ Refclk strategy (SRNS/SRIS assumption, spread-spectrum tolerance, clock-domain ownership). Pass criteria: jitter budget meets X and remains stable across power states.
  Example MPNs (clocking)

  Jitter cleaner: Silicon Labs Si5341 / Si5345
  Clock generator: Si5332
  PCIe-grade clock buffer (example family): Renesas/IDT 9FGV series
• ☐ Reset policy (PERST#/hot reset/FLR selection rules + recovery budgets). Pass criteria: recovery p95 ≤ X ms, p99 ≤ X ms.
  Example MPNs (reset supervision)

  Reset supervisor: TI TPS386000 / MAXIM MAX16052
• ☐ RAS policy (AER severity actions: record / degrade / reset; evidence retention schema). Pass criteria: fatal = 0; correctable rate bounded by X / min.
• ☐ Virtualization partition plan (PF/VF budget: queues, vectors, BAR windows, per-VF counters). Pass criteria: VF isolation holds under fault injection (X).
• ☐ Non-volatile config for board ID / straps / feature defaults (if required by design). Pass criteria: deterministic configuration across cold/warm boots.
  Example MPNs (EEPROM / GPIO)

  I²C EEPROM: Microchip 24AA02E64 / 24LC64
  I²C GPIO expander: TI TCA9539

• ☐ Enumerate: device visible and stable across warm reboot. Pass criteria: 0 device-missing in X cycles.
• ☐ Config & BAR: BAR sizing and mapping consistent after reset. Pass criteria: BAR layout stable; no overlaps; X% headroom.
• ☐ Interrupts: MSI-X routing correct for at least one queue (then scale). Pass criteria: interrupt count matches workload within X%.
• ☐ DMA: host memory read/write correctness under stress patterns. Pass criteria: 0 data mismatch across X GB transferred.
• ☐ IOMMU: DMA mapping correctness with faults observable. Pass criteria: faults detected and recovered within X ms.
• ☐ SR-IOV: VF enumeration stable; per-VF queue/interrupt/counters validated. Pass criteria: VF stability ≥ X% across reset cycles.
• ☐ ATS/PRI (if used): translation cache + invalidation + controlled page-fault recovery. Pass criteria: ATC hit-rate X; recovery ≤ X ms.

• ☐ Telemetry always-on: AER severity trends, replay/timeout, ECRC/poison, reset counters. Pass criteria: fatal = 0; correctable bounded by X / min.
• ☐ Alert hygiene: thresholds, suppression, and action mapping (record/degrade/reset). Pass criteria: no alert storms; signal-to-noise ≥ X.
• ☐ Compatibility matrix: firmware + driver + feature gating combinations. Pass criteria: controlled rollout gates (X) and rollback triggers defined.
• ☐ Regression suite mapped to three gates (design assumptions, bring-up chain, production KPIs). Pass criteria: suite run-time ≤ X and catches known failure modes.

Use-case buckets (what the control-plane must provide)

• Must-have: stable enumeration, large resource windows, MSI-X scale, AER/RAS, robust reset/power recovery.
• Nice-to-have: SR-IOV manageability, strong observability tooling, deterministic downgrade policy.
• Example MPNs (RC SoC families): NXP LS1046A, NXP LS2088A, Marvell CN9130

• Must-have: predictable BAR model, doorbells/queues, MSI-X mapping, correct DMA + fault visibility.
• Nice-to-have: SR-IOV capability (or partition equivalent), built-in counters for attribution.
• Example MPNs (FPGA with PCIe hard IP options): AMD Xilinx XCKU5P, AMD Xilinx XCVU9P, Intel Agilex AGF014, Microchip PolarFire MPF300T

• Must-have: large queue model + MSI-X scale, robust RAS evidence chain, stable recovery.
• Virtualization: SR-IOV (VF count, per-VF counters), IOMMU-aware DMA paths.
• ATS/PRI: consider when translation overhead dominates tail latency; validate invalidation + fault convergence.
• Example MPNs (endpoint controllers): Broadcom BCM57414 (PCIe NIC controller), Intel I225-LM (PCIe GbE controller), Phison PS5026-E26 (NVMe SSD controller), Phison PS5018-E18 (NVMe SSD controller), Silicon Motion SM2264 (NVMe SSD controller), InnoGrit IG5236 (NVMe SSD controller)

• Must-have: strong observability, predictable downgrade behavior, recovery budgets with zero device-missing.
• Go deeper (examples, not expanded here): PCIe switch: Broadcom PEX88096 / Microchip Switchtec PFX100x; PCIe redriver: TI DS80PCI810 (details belong to dedicated pages).

Selection rubric (scorecards, no tables)

• Must-have: deterministic negotiation and stable operation after downgrade.
• Verify: negotiated speed/width stays stable across resets and power transitions (X).
• Risk: flapping links that appear SI-like but are policy/timeout driven.

• Must-have: per-queue interrupt mapping and measurable coalescing behavior.
• Verify: interrupt distribution and tail latency p95/p99 bounded (X).
• Risk: performance cliffs misdiagnosed as link quality issues.

• Must-have: correct DMA under IOMMU policy and observable faults.
• Nice-to-have: ATS/PRI when translation overhead dominates.
• Verify: invalidation works; fault recovery converges ≤ X ms.
• Risk: stale mappings and silent data corruption.

• Must-have: VF stability, per-VF counters, predictable reset domains.
• Verify: VF enumeration success ≥ X% across reset/power suites.
• Risk: tenant instability and un-debuggable incidents.

• Must-have: counters usable for attribution and retention fields for incident replay.
• Verify: correctable bounded; fatal = 0; recovery time distributions stable.
• Risk: SI vs control-plane ambiguity becomes unresolvable.

• Must-have: stable driver support and field-diagnostic hooks aligned to the telemetry panel.
• Verify: upgrade/rollback works with clear regression gates (X).
• Risk: features exist on paper but cannot be safely enabled in production.

Go deeper (linked pages only)

BOM note

Listed MPNs are examples for planning and cross-checking. Final selection must match platform requirements (lane count, Gen target, clocking mode, feature gates) and be validated by datasheets + lab bring-up.

Measurement rule

If a check mentions a counter/log/register, capture it with a timestamp and a workload label so trends and correlations are reproducible.