
Integrity And Data Encryption (Ide) Over Computer Buses

Abstract: A system may include a root port and an endpoint upstream port. The root port may include transaction layer hardware circuitry to determine, by logic circuitry at a transaction layer of a protocol stack of a device, that a packet is to traverse to a link partner on a secure stream, authenticate a receiving port of the link partner, configure a transaction layer packet (TLP) prefix to identify the TLP as a secure TLP, associating the secure TLP with the secure stream, apply integrity protection and data encryption to the Secure TLP, transmit the secure TLP across the secure stream to the link partner.


Patent Information

Application #:
Filing Date: 11 June 2020
Publication Number: 09/2021
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: ipo@iphorizons.com
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2025-11-06
Renewal Date:

Applicants

INTEL CORPORATION
2200 Mission College Boulevard, Santa Clara, California 95054, USA

Inventors

1. David J. HARRIMAN
2845 NW Cumberland Rd., Portland OR, 97210, USA
2. Raghunandan MAKARAM
80 Wesson Terrace, Northborough, MA 01532, USA
3. Ioannis T. SCHOINAS
3150 SW Cascade Dr., Portland, OR 97205, USA
4. Vedvyas SHANBHOGUE
4912 Pyrenees Pass, Austin, TX 78738, USA
5. Siddhartha CHHABRA
5584 NW 131st Ave., Portland, OR 97229, USA
6. Kapil SOOD
6771 NW Flora Ter, Portland, OR 97229, USA

Specification

1. An apparatus comprising:
transaction layer logic comprising hardware circuitry to:
associate the secure TLP with a secure stream;
encode a transaction layer packet (TLP) with integrity protection and encrypt data payload of the TLP with data encryption to form a secure TLP; and
transmit the secure TLP across the secure stream to the link partner.

2. The apparatus of claim 1, further comprising transaction layer logic circuitry to:
read an extended capability register indicating a capability to support IDE; and
determine that the apparatus and the link partner support integrity protection and data encryption for TLP encoding.

3. The apparatus of claim 2, further comprising transaction layer logic circuitry to:
set in a control register indicating that the apparatus and the link partner support a secure stream using integrity protection or data encryption.

4. The apparatus of claim 1, wherein the transaction layer logic encodes the secure TLP with a secure stream number, the secure stream number unique to the secure stream that the secure TLP will transit.

5. The apparatus of claim 1, further comprising an encryption engine comprising hardware circuitry to encrypt the TLP.

6. The apparatus of claim 5, wherein the encryption engine uses an encryption standard based on an Advanced Encryption Standard Galois Counter Mode (AES-GCM) encryption protocol.

7. The apparatus of claim 1, further comprising a data integrity protection engine comprising hardware circuitry to implement data integrity protection to the TLP.

8. The apparatus of claim 7, wherein the data integrity protection engine uses an integrity protocol based on an Advanced Encryption Standard Galois Counter Mode (AES-GCM) protocol.

9. The apparatus of claim 1, further comprising transaction layer logic circuitry to:
augment the TLP with information indicating that the TLP comprises integrity protection and data encryption.

10. The apparatus of claim 9, wherein the information is contained in one of a TLP prefix or a TLP header.

11. The apparatus of claim 9, wherein the information comprises an L bit that when set indicates that the TLP is a last secure TLP on the secure stream and that subsequent TLPs received on the secure stream are to have a new encryption key set.

12. The apparatus of claim 1, wherein the secure stream comprises one or more substreams, the one or more secure substreams comprising a secure substream for posted requests, non-posted requests, or completions.

13. The apparatus of claim 12, further comprising transaction layer logic circuitry to:
construct an initialization vector (IV) that includes a fixed field unique to a device and an invocation field unique to the data to be transmitted.

14. The apparatus of claim 13, wherein the IV comprises a 96b IV and wherein:
the fixed field is in bits 95:64 of the IV, wherein bits 95:92 comprise a fixed value indicating the Sub-Stream (encoded as defined above); and
the invocation field is in bits 63:0 of the IV, containing the value of a linear feedback shift register with taps at positions 64, 63, 61 and 60, initially set to the value 0000_0001h.

15. The apparatus of claim 1, further comprising transaction layer logic circuitry to:
determine that the TLP is to transmit to a link partner on a selective secure stream or a link secure stream; and
selectively encode one or more TLPs in the secure stream and/or selectively encrypt data payload of one or more TLPs.

16. A method comprising:
determining, by logic circuitry at a transaction layer of a protocol stack of a device, that a packet is to traverse to a link partner on a secure stream;
authenticating a receiving port of the link partner;
configuring a transaction layer packet (TLP) prefix to identify the TLP as a secure TLP;
associating the secure TLP with the secure stream;
applying integrity protection and data encryption to the Secure TLP; and
transmitting the secure TLP across the secure stream to the link partner.

17. The method of claim 16, further comprising:
associating the secure stream with an authentication key; and
associating the authentication key with a key identifier (Key ID), the Key ID unique to each of data encryption and integrity protection.

18. The method of claim 16, wherein associating the secure TLP with the secure stream comprises associating the secure TLP with a secure stream number, the secure stream number encoded into the TLP prefix.

19. The method of claim 16, wherein the data encryption is performed using Advanced Encryption Standard Galois Counter mode (AES-GCM) encryption.

20. The method of claim 16, wherein the integrity protection is performed using an Advanced Encryption Standard Galois Counter Mode (AES-GCM) integrity protection.

21. A system comprising:
a root complex comprising a root port;
an endpoint device comprising an upstream port;
an interconnect coupling the root port with the upstream port;
the root port comprising a protocol stack comprising a transaction layer, the transaction layer comprising hardware circuitry to:
encode a transaction layer packet (TLP) with a secure TLP prefix, the secure TLP prefix indicating that the TLP is to transit the interconnect on a secure stream;
associate the TLP with the secure stream;
perform data encryption on data payload of the TLP and integrity protection on the TLP; and
transmit the TLP to the endpoint device.

22. The system of claim 21, wherein the root port is directly linked to the upstream port and wherein the secure TLP prefix comprises a local TLP prefix.

23. The system of claim 22, wherein associating the TLP with the secure stream comprises setting a secure stream identifier to zero in a TLP header.

24. The system of claim 21, further comprising a switch complex comprising a downstream switch port coupled to the upstream port and an upstream switch port coupled to the root port, the transaction layer comprising hardware circuitry to secure the TLP for transmission through the switch complex to the endpoint based on a requester identifier (RID) and address association register setting.

25. The system of claim 21, wherein the secure TLP prefix comprises:
a first bit indicating a last TLP in the secure stream;
a second bit indicating whether the TLP originated from a trusted environment;
a third bit indicating that the TLP includes a message authentication code (MAC); and
a counter value indicating TLP count for non-posted requests and completions.
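
The IV layout of claims 13 and 14, as an added C sketch that is not code from the application or from Intel. The sub-stream codes, the 28-bit device value in bits 91:64, the LFSR shift direction (Fibonacci form, position n = bit n-1) and the big-endian byte order are assumptions, since the claim text does not fix them. Because AES-GCM requires a unique IV per key, the sketch reports when the invocation sequence is about to repeat so the caller can change keys first.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sub-stream codes; the claims name the classes, not the values. */
enum substream { SUB_POSTED = 0, SUB_NONPOSTED = 1, SUB_COMPLETION = 2 };

struct ide_iv_ctx {
    uint32_t fixed;       /* IV bits 95:64; bits 95:92 carry the sub-stream */
    uint64_t invocation;  /* IV bits 63:0; current LFSR state */
};

/* One LFSR step with taps at positions 64, 63, 61 and 60 (assumed form).
 * The step is invertible, so a nonzero state never collapses to zero. */
static uint64_t lfsr64_next(uint64_t s)
{
    uint64_t fb = ((s >> 63) ^ (s >> 62) ^ (s >> 60) ^ (s >> 59)) & 1u;
    return (s << 1) | fb;
}

/* dev28 is a hypothetical per-device value. Returns -1 if a field overflows. */
static int ide_iv_init(struct ide_iv_ctx *c, unsigned substream, uint32_t dev28)
{
    if (substream > 0xFu || dev28 > 0x0FFFFFFFu)
        return -1;
    c->fixed = ((uint32_t)substream << 28) | dev28;
    c->invocation = 0x00000001u;          /* initial value from claim 14 */
    return 0;
}

/* Writes the current 96-bit IV (bit 95 first), then advances the LFSR.
 * Returns -1 when the next IV would repeat the first one: rekey before use. */
static int ide_iv_next(struct ide_iv_ctx *c, uint8_t iv[12])
{
    for (int i = 0; i < 4; i++)
        iv[i] = (uint8_t)(c->fixed >> (24 - 8 * i));
    for (int i = 0; i < 8; i++)
        iv[4 + i] = (uint8_t)(c->invocation >> (56 - 8 * i));
    c->invocation = lfsr64_next(c->invocation);
    return c->invocation == 0x00000001u ? -1 : 0;
}

int main(void)
{
    struct ide_iv_ctx c;
    uint8_t iv[12];
    if (ide_iv_init(&c, SUB_NONPOSTED, 0x0ABCDEFu) != 0)  /* constructed value */
        return 1;
    for (int n = 0; n < 3 && ide_iv_next(&c, iv) == 0; n++) {
        for (int i = 0; i < 12; i++) printf("%02x", iv[i]);
        printf("\n");
    }
    return 0;
}
```

Each sub-stream gets its own context, so the three sub-streams of claim 12 never share an IV under the same key even when their invocation fields coincide.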

Documents

Application Documents

# Name Date
1 202044024589-Annexure [14-03-2024(online)].pdf 2024-03-14
1 202044024589-FORM 1 [11-06-2020(online)].pdf 2020-06-11
2 202044024589-DRAWINGS [11-06-2020(online)].pdf 2020-06-11
2 202044024589-PETITION UNDER RULE 137 [14-03-2024(online)].pdf 2024-03-14
3 202044024589-Proof of Right [14-03-2024(online)].pdf 2024-03-14
3 202044024589-DECLARATION OF INVENTORSHIP (FORM 5) [11-06-2020(online)].pdf 2020-06-11
4 202044024589-Written submissions and relevant documents [14-03-2024(online)].pdf 2024-03-14
4 202044024589-COMPLETE SPECIFICATION [11-06-2020(online)].pdf 2020-06-11
5 202044024589-FORM-26 [03-09-2020(online)].pdf 2020-09-03
5 202044024589-Correspondence to notify the Controller [08-02-2024(online)].pdf 2024-02-08
6 202044024589-US(14)-HearingNotice-(HearingDate-28-02-2024).pdf 2024-02-07
6 202044024589-FORM 3 [11-12-2020(online)].pdf 2020-12-11
7 202044024589-FORM 18 [09-02-2021(online)].pdf 2021-02-09
7 202044024589-CLAIMS [11-07-2022(online)].pdf 2022-07-11
8 202044024589-FORM 3 [10-06-2021(online)].pdf 2021-06-10
8 202044024589-FER_SER_REPLY [11-07-2022(online)].pdf 2022-07-11
9 202044024589-FER.pdf 2022-01-13
9 202044024589-OTHERS [11-07-2022(online)].pdf 2022-07-11
10 202044024589-FORM 3 [06-07-2022(online)].pdf 2022-07-06
10 202044024589-Information under section 8(2) [06-07-2022(online)].pdf 2022-07-06
11 202044024589-FORM 3 [06-07-2022(online)].pdf 2022-07-06
11 202044024589-Information under section 8(2) [06-07-2022(online)].pdf 2022-07-06
12 202044024589-FER.pdf 2022-01-13
12 202044024589-OTHERS [11-07-2022(online)].pdf 2022-07-11
13 202044024589-FER_SER_REPLY [11-07-2022(online)].pdf 2022-07-11
13 202044024589-FORM 3 [10-06-2021(online)].pdf 2021-06-10
14 202044024589-CLAIMS [11-07-2022(online)].pdf 2022-07-11
14 202044024589-FORM 18 [09-02-2021(online)].pdf 2021-02-09
15 202044024589-FORM 3 [11-12-2020(online)].pdf 2020-12-11
15 202044024589-US(14)-HearingNotice-(HearingDate-28-02-2024).pdf 2024-02-07
16 202044024589-Correspondence to notify the Controller [08-02-2024(online)].pdf 2024-02-08
16 202044024589-FORM-26 [03-09-2020(online)].pdf 2020-09-03
17 202044024589-COMPLETE SPECIFICATION [11-06-2020(online)].pdf 2020-06-11
17 202044024589-Written submissions and relevant documents [14-03-2024(online)].pdf 2024-03-14
18 202044024589-Proof of Right [14-03-2024(online)].pdf 2024-03-14
18 202044024589-DECLARATION OF INVENTORSHIP (FORM 5) [11-06-2020(online)].pdf 2020-06-11
19 202044024589-PETITION UNDER RULE 137 [14-03-2024(online)].pdf 2024-03-14
19 202044024589-DRAWINGS [11-06-2020(online)].pdf 2020-06-11
20 202044024589-FORM 1 [11-06-2020(online)].pdf 2020-06-11
20 202044024589-Annexure [14-03-2024(online)].pdf 2024-03-14
21 202044024589-PatentCertificate06-11-2025.pdf 2025-11-06
22 202044024589-IntimationOfGrant06-11-2025.pdf 2025-11-06

Search Strategy

1 SearchE_29-12-2021.pdf
