[aes] V2S Signoff #21029

Closed
msfschaffner opened this issue Jan 25, 2024 · 4 comments
Labels
Component:DV DV issue: testbench, test case, etc. IP:aes Type:Signoff

msfschaffner commented Jan 25, 2024

Description

Ensure V1 / V2S signoff criteria are fulfilled after focus area changes have landed.

msfschaffner added this to the Earlgrey-PROD.M2 milestone Jan 25, 2024
msfschaffner added Component:DV DV issue: testbench, test case, etc. IP:aes and removed IP:aes labels Jan 25, 2024
vogelpi self-assigned this Feb 23, 2024

vogelpi commented Feb 23, 2024

Commits since Earlgrey-ES tapeout

$ git log Earlgrey-M2.5.2-RC0..HEAD --oneline hw/ip/lc_ctrl

fa5dc8a [pre_sca] Convert PROLEAD configuration files to Unix format
66472e2 [pre_syn] Include csrng_pkg.sv to re-enable Yosys synthesis
0891b2f [aes,pre_sca] Modify evaluation parameters for PROLEAD
b9afd40 [aes,rtl] Switch to Bivium-based masking PRNG implementation
0726a6d [alma, aes] Add README for the verification flow
7e76564 [aes, alma] Add verification script for AES S-box
82dc6dc [alma] Add yosys template for AES S-box flattening
8354636 [alma] Add patching tool for techlib
25f488d [aes,dv] Fix aes_ctrl_cg sample function declaration
61a237e [util/reggen] reverse order of substruct generation
de31bdf [reggen] Remove the devmode input
895c541 [aes, doc] Clarify availability of sideload, change cryptolib link
ac5a127 [aes, pre_sca] Enable masking evaluation of AES with PROLEAD
5be278b [aes, kmac, otbn] Perform final clean -purge step in Yosys synthesis
2d0887b [aes,SiVal] Add features of AES module
78abd88 [aes, doc] Fix broken links
1b16ca2 [reggen] Add mubi support SWAccess that sets/clears a reg
59f8142 [doc] Moved badges over to using hosted images
7688e71 [reggen] Add initial support for version and cip_id hjson fields
fbd888e Revert "[reggen] Add CIP_IDs and bump all major versions"
ba2ca76 [aes, doc] Mention option of implementing GCM with Ibex and bitmanip
9bc003c [aes, kmac] Replace term aggravate in SCA/FI context
4dc21fb [aes, pre_dv] Add very basic scratch Verilator testbench for cipher core
0ba10b3 [reggen] Add CIP_IDs and bump all major versions
5b12b34 [aes, dv] Enable aes_stress_all(_with_rand_reset) tests
69fa03a [aes, dv] Move end detection of last message from scoreboard to env
3dbbf0b [aes, dv] Rework tracking of good, corrupted, split and skipped messages
af95b78 [aes, dv] Encapsulate vseqs in fork/join_any and disable fork blocks
30aee10 [aes, dv] Add randomization constraints for aes_alert_reset_vseq
f1dcf7a [aes, dv] Reorder test list, add comments to explain grouping
2526b01 [aes, dv] Fix aes_manual_config_err_vseq
cb90c98 [aes, dv] Fix cfg_error_type constraint resolution for aes_message_item
e47df29 [misc] Use lc_tx_t testing functions at endpoints
6744fe2 [aes, dv] Switch from csr_update() to csr_wr() for set_regwen()
f2b781b [aes, dv] Move regwen testing into base sequence
9cb2a1c [aes, dv] Add alert_test testing to aes_alert_reset_test
9d0f701 [aes, dv] Increase manual operation percentage for config error test
89f58b3 [aes, dv] Simplify handling of different modes in process_tl_access()
b392590 [aes, dv] Enable configuration error testing with sideload keys
5255197 [aes, dv] Comment and fix usage of status_fsm() task inside send_msg()
bd45097 [aes, dv] Make sure aes_status_cg.cp_alert_recov is hit
be7bae1 [aes, dv] Always set PRNG reseed rate during setup_dut()

Issues closed since the Earlgrey-ES tapeout

DD (& DV)

DV

Doc

Community support requests

Misc

Currently open issues

DD (& DV)

DV

Misc

Coverage report from 02/21/2024

The following reports have been retrieved from the nightly DV dashboard (based on commit df66f8a).

Masked variant

m2_v2s_signoff_aes_masked

Unmasked variant

m2_v2s_signoff_aes_unmasked

At first glance, the progress on the sequences seems low. However, upon inspecting the pass/fail rates, one can see that all tests have a pass rate above 90%, meaning the V2S criteria are still met as before. Similarly, coverage metrics are above the threshold.

The last FPV report is from Aug 2023 and all FPV tests were passing for AES. Since then, the only relevant RTL change was the replacement of the PRNG which doesn't touch FPV.

Summary

The only relevant RTL change in this block was #19091 where we replaced the LFSR-based PRNG with an implementation based on the Bivium stream cipher primitive to prevent brute-forcing attacks on the PRNG state. The change itself is very isolated to the PRNG itself and the relevant DV parts have been adjusted to maintain the coverage metrics and pass rates above the thresholds (in particular the aes_reseed test).

Most test failures are in the FI tests part of V2S. Modeling the expected behavior for these tests would require high effort without a clear benefit; we don't gain more confidence in these FI countermeasures by reaching a 100% pass rate. The important work here has been to ensure that the countermeasure isn't optimized away during synthesis, and this work was done a long time ago. Still, the pass rate for all tests is above the V2S threshold of 90%.

Since M2.5.2 there has been some DV work to enable a previously disabled test (stress_all) and some fixes to improve functional coverage. One little and uncritical coverage hole has been discovered since then which is tracked in #20941. All coverage metrics are above the V2S threshold of 90%.

Since the block still fulfills the V2S criteria, I suggest signing this off at V2S directly.

vogelpi changed the title from "[aes] V1 Signoff" to "[aes] V2S Signoff" on Feb 23, 2024

vogelpi commented Feb 23, 2024

Would you mind taking a look at this @msfschaffner and @andreaskurth please?

msfschaffner commented

Thanks for the analysis @vogelpi. Given the amount of verification (both DV and SCA) that has been repeated to cover the PRNG changes, I agree that we can sign this off at V2S directly.

andreaskurth commented

Thanks for the detailed analysis, @vogelpi! I agree with signing off at V2S, too.
