[otp_ctrl] V1 Signoff

Open msfschaffner opened this issue 1 year ago • 1 comments

Description

Ensure V1 signoff criteria are fulfilled after focus area changes have landed.

msfschaffner avatar Jan 25 '24 02:01 msfschaffner

Commits since Earlgrey-ES tapeout

$ git rev-parse --short HEAD

dc51cb9b1d

$ git log Earlgrey-M2.5.2-RC0..HEAD --oneline hw/ip/otp_ctrl
  • 446aab2908 [dv,otp_ctrl] Fix formatting
    • DV cleanup
  • dd041b9180 [dv,otp_ctrl] Fix issues related to random resets
    • DV fixes to increase pass rates
  • 8d74044ba8 [dv/otp_ctrl] increased default spinwait timeout duration for otp_ctrl_parallel_lc_req_vseq
    • DV fix to increase pass rates
  • 6bd9e8b128 [otp_ctrl/dv] Update UNR file
    • DV update for coverage closure
  • a08791a6eb [otp_ctrl] Fix OTP_CTRL enums
    • Fixes a VCS warning (no functional change)
  • c6107c4857 [otp_ctrl] Add SW partitions for ROM keys
    • OTP memory map update according to RFC
  • 8c36f2a658 [regtool/otp_ctrl] Line length optimizations
    • Long partition names can cause lint issues due to long lines, which is fixed in this commit.
  • 06bd802092 [otp_ctrl] Add second HW_CFG partition
    • Split chicken switches into a separate HW_CFG partition to align the memory map with the intended provisioning flow.
  • d4aa1a0eeb [otp_ctrl] Filter ECC errors in partitions with no integrity
    • This is added to make the OTP_CTRL backwards compatible with the already existing closed source wrapper implementation from Nuvoton.
  • 5e35d3f4f3 Revert "[dv,top_earlgrey] Remove dv flag to set OTP ast_init"
    • Reversion of previous commit
  • 3f447cc12b [otp_ctrl] Remove entropy_src chicken switches
    • Removes unused chicken switches that will always be set to True for Earlgrey.PROD
  • 370540586a [otp_ctrl] Differentiate between owner and creator keys
    • Introduce the option to choose which life cycle access control signal is used to lock associated key material (e.g. the owner vs creator key material). This feature is not used in Earlgrey.PROD. The DV environment has been updated accordingly.
  • 114807de2b [dv,top_earlgrey] Remove dv flag to set OTP ast_init
    • No effect since the change is reverted further above
  • 1c9adba488 [otp_ctrl] Make DAI registers software-lockable
    • This improvement was requested so that ROM/ROM_EXT can choose to lock down OTP programming access without having to use any ePMP entries. The OTP_CTRL DV scoreboard has been updated accordingly.
  • 56399241e7 Revert "[edn] Move prim_edn_req out of prim"
    • Reversion of previous commit.
  • c721c51c13 [rtl, prim] Add 'commit' functionality to prim_count
    • This primitive update added a new port to prim_count. The new functionality is not used in OTP_CTRL, so this is not a functional change.
  • 87814b0e2c [otp_ctrl] Minor alignments
    • Minor alignments to fix things that were missed during the batch carry-over from integrated_dev.
  • 0397477f31 [otp_ctrl/lint] Correct lint error
    • lint cleanup
  • 37cbc501d8 [otp_ctrl/lint] Update range comparisons
    • lint cleanup
  • c470b98876 [otp_ctrl/lint] Unused signals cleanup
    • lint cleanup
  • a80586653e [otp_ctrl/dif] Distinguish LC and SW partitions with no digest
    • refactoring to make DIFs more parametric
  • b2e1f3b588 [otp_ctrl,gen] Parameterize OTP size
    • refactor to make RTL more parametric
  • eba675279e [otp_ctrl,dv] fix parallel sequence test
    • DV fix
  • cbd5679ed9 [otp_ctrl/dv] Update template for env_cov
    • refactoring to make DV environment more parametric
  • 8b416b9185 [otp_ctrl,gen] Fix handling of partitions with digest
    • refactoring to make DIFs more parametric
  • d09cb158c3 [otp_ctrl,gen] Fix comment in dif_ctrl.h.tpl
    • refactoring to make DIFs more parametric
  • a30fd54a5d [otp_ctrl,gen] Add templates for difs
    • refactoring to make DIFs more parametric
  • 76a9169913 [otp_ctrl,gen] Improve descriptions in hjson partition map
    • documentation improvement
  • 908487a712 [otp_ctrl,gen] Fix some issues in generators
    • refactoring to make DV environment more parametric
  • efd00fbf63 [otp_ctrl,gen] Fix error code coverage collection
    • refactoring to make DV environment more parametric
  • 41496e95cf [otp_ctrl/dv] Update scoreboard template
    • refactoring to make DV environment more parametric
  • c63f443fe3 [otp_ctrl/dv] Update sequence templates
    • refactoring to make DV environment more parametric
  • 394e21a4a5 otp_ctrl/dv] Add templates for some sequences
    • refactoring to make DV environment more parametric
  • 9100be2342 [otp_ctrl/dv] Update template for otp_ctrl_if
    • refactoring to make DV environment more parametric
  • 496ea05ee0 [otp_ctrl/dv] Add template for otp_ctrl_if
    • refactoring to make DV environment more parametric
  • fb46782194 [otp_ctrl/dv] Update to reduce line lengths
    • refactoring to make DV environment more parametric
  • c89d1f4221 [otp_ctrl/dv] Update template for covergroup defs
    • refactoring to make DV environment more parametric
  • 977ce71396 [otp_ctrl/dv] Add template for covergroup defs
    • refactoring to make DV environment more parametric
  • 1f75034ade [dv/otp_ctrl] Update templates to support parts without digest
    • refactoring to make DV environment more parametric
  • a0735050d0 [otp_ctrl,rtl] Fix logic bug in keymgr key output
    • bugfix for issue introduced by previous changes
  • 9e79e1fbe0 [otp_ctrl/dv] Update scoreboard template
    • refactoring to make DV environment more parametric
  • 60c82fc74b [otp_ctrl] Make secret partition LC lock more generic
    • refactoring to make RTL environment more parametric
  • 978233e828 [otp_ctrl/dv] Update otp_ctrl_env_pkg template
    • refactoring to make DV environment more parametric
  • d69f033a27 [otp_ctrl/dv] Make a template for otp_ctrl_env_pkg
    • refactoring to make DV environment more parametric
  • fa224ad0d3 [otp_ctrl/dv] Replace hardcoded offsets with templating
    • refactoring to make DV environment more parametric
  • 42646972a1 [otp_ctrl/dv] Use more generated constants in DV env
    • refactoring to make DV environment more parametric
  • 3953d17bb6 [otp_ctrl/dv] Add missing sram_pull_agent in check_otp_idle
    • DV alignment for previous commit
  • a6995cf493 [otp_ctrl] Add a scrambling key slot for the mbox SRAM
    • this provisions an extra key slot for the mailbox SRAM for integrated settings. the slot will be tied off in Earlgrey.PROD.
  • e81b5885e5 [keymgr/otp_ctrl] Add support for creator/owner seeds
    • this adds support for storing the seeds in a separate SECRET* partition. this feature is not used in Earlgrey.PROD, but it was needed for Darjeeling, where the seeds cannot be kept in on-chip flash anymore.
  • af72751720 [otp_ctrl,gen] Generate cov_bind and scoreboard files from template
    • refactoring to make DV environment more parametric
  • d37182c2da [otp_ctrl,gen] Move otp_ctrl_part_pkg.sv.tpl to data
    • refactoring to make DV environment more parametric
  • 3b811a6bfb [otp_ctrl,gen] Create templates for cov_bind and scoreboard
    • refactoring to make DV environment more parametric
  • 61a237e197 [util/reggen] reverse order of substruct generation
    • generic reggen change that is transparent
  • fc8484601e [reggen,hw] Create index parameter for registers windows
    • generic reggen change that is transparent
  • d15e6bd6d5 [otp_ctrl] Ensure broadcast valid is flopped
    • ensures the proper latency on that signal
  • 914dee73b3 [otp_ctrl] Fix UNKNOWN error due to array indexing
    • fixing a bug introduced by the sequence of changes
  • 2ba74d6a61 [otp_ctrl] Fix OOB error in DAI
    • this bug was not relevant for Earlgrey since the array sizes just aligned so that this could not occur. it was uncovered with the Darjeeling configuration.
  • be3312f5f7 [otp_ctrl/dv] Fix xcelium compile errors
    • cleanup for xcelium, mostly around usage of SV types which is checked more strictly
  • c939d9a6d5 [otp_ctrl] Add support for multiple HW_CFG partitions
    • this is a preparatory step to splitting the HW_CFG partition into two partitions
  • ce648ca68e [ipgen.pwrmgr] Change core files to vlnv naming and label as virtual
    • IPgen update touches the core file of OTP_CTRL, no RTL impact
  • 4c8050f572 [otp_ctrl/lint] Fix lint error
    • as description says
  • c04a5bb08e [otp_ctrl] Make ERR_CODE register non-compact
    • this changes the CSR layout to make it more amenable for parameterization, and a larger number of partitions (where one 32bit register would not be sufficient anymore to store compacted error codes). the DV is updated accordingly.
  • 5f4c0c92dc [otp_ctrl/doc] Update documentation
    • doc update, no RTL impact
  • dc9da97149 [otp_ctrl] Add option to disable integrity on a partition
    • some partitions such as partitions with strike counters do not need ECC integrity. this adds support for such partitions. in Earlgrey.PROD, only the VENDOR_TEST partition will use this feature. the DV is updated accordingly.
  • db4f0fa77a [otp_ctrl/dv] Remove obsolete behavior
    • DV cleanup
  • 1321b6f2b9 [otp_ctrl] Support SW partitions without digest
    • some SW partitions (e.g. strike counters) do not need a digest. this adds support for such partitions, but this attribute is not used within Earlgrey. the DV is updated accordingly.
  • c1d2c274ad [otp_ctrl] Make CSR read-enables assignment parametric
    • RTL refactor to make RTL more parameterizable
  • 07fc07d3a7 [otp_ctrl] Make digest CSR assignment parameterizable
    • RTL refactor to make RTL more parameterizable
  • 3bbdcb2d11 [otp_ctrl] Bump version to 2.0.0 and move back to D1/V1
    • version increase due to changes that are coming
  • 3b4e36e01c [edn] Move prim_edn_req out of prim
    • this change is reverted above
  • de31bdf1c2 [reggen] Remove the devmode input
    • this change removes the devmode input in all generated register nodes. no functional change since the alternative mode with devmode set to 0 was never used.
  • 963a5006cc [doc] Minor tweak to md sanitisation code
    • doc fix
  • 15396a3871 [sku] Update prodc to match sival_bringup sku configuration.
    • sival test updates, no RTL change
  • 613ca17354 [silicon] Add prodc OTP configuration.
    • OTP image update, no RTL change
  • 88508d82f9 [otp_ctrl,doc] Document scrambling keys being ephemeral if seed_valid=0
    • documentation update, no RTL change
  • f485d6da4f [manuf] remove raw unlock step from CP stage
    • manuf test updates, no RTL change
  • ed1019fa16 [sival] Add SiVal SKU
    • sival test updates, no RTL change
  • b04bcf3b7d [sival] SiVal Bring-Up SKU
    • sival test updates, no RTL change
  • 5f9ef53ea7 [rom_ext, sival] Build & Sign configuration for SiVAL ROM_EXT
    • sival test updates, no RTL change
  • d07ac983f3 [sival] add RMA SiVal OTP images
    • sival test updates, no RTL change
  • 4d16600f8e [sival] update _personalized otp image names to match doc
    • sival test updates, no RTL change
  • 975a6eb927 [adc_ctrl,dv] Tidy up access to intr_state in env_cfg files
    • DV cleanup touching many comportable IPs, no RTL change
  • 2589d2e5e2 [manuf] send attestation TCB measurements to device over console
    • sival test updates, no RTL change
  • 5b41922605 [sival] Update SiVal OTP target names.
    • sival test updates, no RTL change
  • 88a8ea0b50 [sival] Add SiVal dev guide.
    • sival test updates, no RTL change
  • 6c8969147e [sival] Update flash_ctrl_rma_test to use sival infra.
    • sival test updates, no RTL change
  • 1e44656be1 [sival] Define set of OTP profiles.
    • sival test updates, no RTL change
  • bf6a1a6cfa [sival,otp_ctrl] sival testplan update for otp_ctrl
    • sival test updates, no RTL change
  • c393406206 [sival] Add SiVal OTP SKU.
    • sival test updates, no RTL change
  • ccefe9d07f [sival] Move default earlgrey a0 otp config
    • sival test updates, no RTL change
  • cfaa932246 [manuf] split CREATOR_SW_CFG OTP provisioning into several sub-steps
    • manufacturing test updates, no RTL change
  • c2ea8e2fe8 [otp] add flash data region config to generic SKU image
    • manufacturing test updates, no RTL change
  • cb61338dd9 [manuf] move SECRET1 provisioning to the personlize lib
    • manufacturing test updates, no RTL change
  • 011901a922 [manuf] switch LC state individualize functest runs at
    • manufacturing test updates, no RTL change
  • 005363a4d2 [sival] Add OTP and bitstream docs.
    • OTP image definition updates, no RTL impact
  • 1987f83b1b [otp] add OTP CREATOR_* and OWNER_SW_CFG definitions for ES
    • OTP image definition updates, no RTL impact
  • bf0457f5d8 [otp] move default fixed secret0 overlay to shared location
    • build system change for generating OTP images, no RTL impact
  • 3f88a55120 [pwrmgr,ipgen] Generate pwrmgr ip_autogen files with topgen
    • this only affected a link in the OTP_CTRL docs
  • 1b16ca2122 [reggen] Add mubi support SWAccess that sets/clears a reg
    • MuBi support in reggen, no impact on OTP_CTRL
  • 4fb9ab5f31 [otp_ctrl,dv] Add virtual to uncorr comp function
    • DV update to accommodate closed source testing
  • 59f8142826 [doc] Moved badges over to using hosted images
    • doc update
  • adb520099b [doc] otp_ctrl registers and interfaces now use CMDGEN
    • doc generator update
  • 2d61350be6 Integrate DRG3 class for generating randomness
    • update to RNG mechanism for compile-time random constant generation. while this has RTL impact, generation is automatic, similar to changing the constants as part of the closed source ingestion process. DV adapts automatically to this change.
  • 44a6dc61c4 [otp_ctrl,dv] fix parallel sequence test
    • no RTL impact
  • 025c510622 [manuf] rename individualize_preop lib
    • no RTL impact
  • d35c795ed5 [manuf] make OTP image consts a link-time dep
    • no RTL impact
  • d67e35d864 [reggen] Generate constants for only the main block
    • no RTL impact
  • 7688e714e8 [reggen] Add initial support for version and cip_id hjson fields
    • Hjson support for CIP_ID, no RTL change
  • fbd888eea8 Revert "[reggen] Add CIP_IDs and bump all major versions"
    • reversion of previous commit
  • 0ba10b3cd3 [reggen] Add CIP_IDs and bump all major versions
    • no RTL impact since reverted in the next commit
  • 5581931355 [hw] Rename OTP item: OWNER_SW_CFG_ROM_EXT_BOOTSTRAP_EN
    • SW item in the memory map, no RTL impact
  • e47df29f3e [misc] Use lc_tx_t testing functions at endpoints
    • cleanup refactor with no functional change
  • 0be5abcf44 [hw] Disable ROM_EXT recovery by default
    • SW item in the memory map, no RTL impact
  • 71fa8dbda5 [hw] New OTP item: OWNER_SW_CFG_ROM_EXT_RECOVERY_EN
    • SW item in the memory map, no RTL impact

Issues closed since the Earlgrey-ES tapeout

  • #20830
    • this led to many RTL and DV refactorings as can be seen above, but basically no functional changes for Earlgrey, with a few exceptions as described in the summary below.
  • #20348
    • minor RTL change to make the DAI lockable via a CSR. this has been requested so that ROM/ROM_EXT can lock access to the OTP programming interface without having to blow ePMP entries. The functionality has been modeled in the scoreboard.
  • #17779
    • This issue had no effect on RTL.
  • #16689
    • Enablement of CDC instrumentation for all DV environments, no RTL impact.
  • #15622
    • Bazel issue, no RTL impact.
  • #13201
    • Documentation fix, no RTL impact
  • #10434
    • Has been closed as not planned
  • #6404
    • This issue has not been closed in a long time even though the fix was already implemented for ES. No impact on RTL therefore.

Currently open issues

  • #21265
    • This DV issue has been spawned for PROD.M4/M5. We need to double check that the VENDOR_TEST partition behaves as expected in the closed source environment.
  • #21204
    • Open RFC that proposes to move the ROM keys into OTP for flexibility (and to save space in ROM, since there is a lot of unused space in the Earlgrey OTP). The RFC has not been fully implemented on the ROM side yet, but the partition change has already been carried out. This basically led to the addition of a few new SW partitions, and the refactored OTP RTL and DV environment enabled fully automatic generation of the associated RTL and DV collateral. This hence had RTL impact, but the DV was updated automatically alongside.
  • #19823
    • this is a multi-top issue, not relevant here
  • #19505
    • this issue pertains to how the alert configuration datastructure is assembled. while this is stored in a SW partition inside OTP, it does not affect the OTP RTL for Earlgrey.
  • #17798
    • DV enhancement, potentially useful for V3 but not required
  • #15337
    • Build system issue, no impact on RTL
  • #13858
    • Checklist enhancement, no impact on RTL
  • #8440
    • This is a multitop issue, not required for Earlgrey.PROD
  • #5027
    • Issue due to limitation of Verible linter on DV code. Not important for Earlgrey.PROD

Coverage Results from 03/09/2024

DV

image

Formal (CMs)

| name | pass_rate | stimuli_cov | coi_cov | prove_cov |
|---|---|---|---|---|
| otp_ctrl_sec_cm | 100.00 % | N/A | N/A | N/A |

Summary

The OTP_CTRL has undergone quite some refactoring in order to make generation of RTL and DV collateral possible, given an Hjson memory map description. This refactoring was carried out on the integrated_dev branch for Darjeeling in order to accommodate different OTP_CTRL memory map layouts. Since the memory map for Earlgrey.PROD needed some alignments, these refactorings have been carried over from the integrated_dev branch in order to make these changes more straightforward.

While overall the functionality is largely unchanged, the series of patches do change a few things:

  • it is now possible to define partitions with and without integrity support. while this new functionality does not affect most partitions in Earlgrey, the VENDOR_TEST partition is now using this new attribute. The open-source DV environment models this behavior, and an extra issue has been spawned to double check compatibility with the closed source wrapper in a later milestone: #21265
  • it is now possible to define SW partitions that are not lockable (i.e., that do not have a digest), although the Earlgrey configuration does not make use of this feature.
  • the Earlgrey memory map has been changed in the following ways:
    • the HW_CFG partition has been split into two partitions (HW_CFG0 and HW_CFG1) in order to better accommodate the provisioning flow. HW_CFG0 now contains only the DEVICE_ID and the MANUF_STATE, whereas the HW_CFG1 partition contains chicken switches for the design. The chicken switches for ENTROPY_SRC have been removed since they will always be set to True going forward.
    • The ERR_CODE CSR has been made non-compact to make the design more parametric, and allow for a larger number of partitions (otherwise we can get corner cases that are annoying to implement in a parametric way in the DIF and DV, e.g. once the error codes cannot be compacted into a single 32bit register anymore).
    • Functionality for sideloading more key material from OTP into keymgr. This also comes with the option to modulate write access to this partition with either the lc_creator_seed_sw_rw_en_i or the lc_owner_seed_sw_rw_en_i life cycle signal. The mechanism is however not used in the Earlgrey configuration.
    • new SW partitions have been added as per #21204

The OTP_CTRL IP has seen quite some RTL changes, but the associated DV tests have been updated alongside. The coverage is still above 90% across the board and the formal countermeasure FPV proofs all pass.

Note that this is a "focus block" and hence the PROD.M2 requirement would be a V1 signoff. However, since no countermeasures have been changed / removed in the series of patches, and since the coverage is still fulfilling V2S requirements, the recommendation is to sign this block off at V2S instead.

msfschaffner avatar Feb 23 '24 18:02 msfschaffner

@vogelpi @andreaskurth @matutem PTAL

msfschaffner avatar Mar 11 '24 16:03 msfschaffner

There is a D2S issue that still needs to be fixed https://github.com/lowRISC/opentitan/pull/21953. The patch is here: #21953

From a DV perspective, this is however tested implicitly and impact to coverage numbers should be minimal (if at all, since we have pretty high toggle coverage).

We can wait for the Tuesday regression to make sure everything is still good.

msfschaffner avatar Mar 11 '24 18:03 msfschaffner

The regression is looking good, with V2(S) pass rates all above 90%.

image

msfschaffner avatar Mar 13 '24 17:03 msfschaffner

@rswarbrick @matutem PTAL

msfschaffner avatar Mar 15 '24 05:03 msfschaffner

Update on regression results on 03/18/2024:

Screenshot from 2024-03-18 17-18-09

matutem avatar Mar 19 '24 00:03 matutem

Note: OTP_CTRL has effectively been signed off at V2S. I've now corrected the issue title and first comment accordingly.

vogelpi avatar Apr 23 '24 07:04 vogelpi