[lc_ctrl/top_earlgrey] Disable RAW unlock feature and additional DV checks #21320
Conversation
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
11 times, most recently
from
55dc53f to
ef8c8ea
Compare
This addresses the design side of lowRISC#18250 Signed-off-by: Michael Schaffner <[email protected]>
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
6 times, most recently
from
5761280 to
bb144fe
Compare
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
2 times, most recently
from
b544a9f to
3508d05
Compare
This addresses the block-level DV parts of lowRISC#18250. Signed-off-by: Michael Schaffner <[email protected]>
When we are in RMA or PROD_END state, we can't inject a transition error since the only valid transition is into SCRAP (and that transition is always allowed, no matter the transition counter). While we make sure to not initialize the DUT with RMA or PROD_END if we intend to inject such an error, it can happen that we end up in one of these states when running multiple transactions back-to-back. In those cases we need to catch the corner case and make sure we skip the life cycle transition attempt. Signed-off-by: Michael Schaffner <[email protected]>
Some CSR accesses via JTAG take a long time, hence the timeout in wait_to_issue_reset() needs to be higher so that the function does not error out unexpectedly. Signed-off-by: Michael Schaffner <[email protected]>
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
from
3508d05 to
06055dc
Compare
| cfg.set_test_phase(LcCtrlBadNextState); | ||
| // wait at least two clks for scb to finish checking lc outputs | ||
| cfg.clk_rst_vif.wait_clks($urandom_range(10, 2)); | ||
| end |
There was a problem hiding this comment.
This looks like a big change, but what it really does is move this else leg towards the end of the test, so that either we perform a transition and do all the checking, or we skip the transition and go straight to the LcCtrlBadNextState phase.
| // In RAW state the ROM should halt as RomExecEn is not set yet. | ||
| `DV_WAIT(cfg.sw_test_status_vif.sw_test_status == SwTestStatusInBootRomHalt) | ||
| // If we're expecting the feature to be enabled, the device should boot. | ||
| if (exp_volatile_raw_unlock_en) begin |
There was a problem hiding this comment.
no change below, just made the rest of the test conditional on exp_volatile_raw_unlock_en
msfschaffner
requested review from
rswarbrick and
jdonjdon
and removed request for
a team
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
2 times, most recently
from
7575851 to
2590c33
Compare
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
3 times, most recently
from
c47ddbe to
8087405
Compare
Besides being able to test the volatile RAW unlock mechanism, we should also be able to test whether the case where that mechanism has been disabled in HW. This patch adds a plusarg that allows to parameterize the test with our expectation. In production silicon this mechanism should be disabled, for example. Signed-off-by: Michael Schaffner <[email protected]>
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
from
8087405 to
9c78061
Compare
| @@ -478,6 +478,9 @@ impl CommandDispatch for VolatileRawUnlock { | |||
| /*use_external_clk=*/ true, | |||
| /*post_transition_tap=*/ JtagTap::LcTap, | |||
| &self.jtag_params, | |||
| // whether we expect the RAW unlock feature to be present or not. | |||
| // on prod silicon this should be disabled. | |||
| false, | |||
There was a problem hiding this comment.
@timothytrippel can you take a look at this here?
we do not expect this to work on production silicon, and we need to test this because if it were supported, that would be a bad loophole.
We may want to feed in some global target configuration at some point so that this remains compatible with multiple top-levels/targets.
There was a problem hiding this comment.
yep this looks good to keep the testing path open. Thanks @msfschaffner !
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
from
893b593 to
639a1a0
Compare
| @@ -478,6 +478,9 @@ impl CommandDispatch for VolatileRawUnlock { | |||
| /*use_external_clk=*/ true, | |||
| /*post_transition_tap=*/ JtagTap::LcTap, | |||
| &self.jtag_params, | |||
| // whether we expect the RAW unlock feature to be present or not. | |||
| // on prod silicon this should be disabled. | |||
| false, | |||
There was a problem hiding this comment.
yep this looks good to keep the testing path open. Thanks @msfschaffner !
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
3 times, most recently
from
ef0ef2f to
f8101a1
Compare
This updates the manuf_cp_volatile_unlock_raw test so that we can indicate whether we expect the target to support volatile RAW unlock or not. Signed-off-by: Michael Schaffner <[email protected]>
msfschaffner
force-pushed
the
lc-ctrl-volatile-unlock
branch
from
f8101a1 to
db8f9b8
Compare
There was a problem hiding this comment.
Thanks for the PR and thanks for splitting it up into individual, clearly separated commits. This LGTM.
After inspecting fda744c (the commit which introduced the RAW unlock feature) I am convinced that disabling done here is done in a robust / secure way. It looks so simple because it changes just a single parameter :-)
|
Thanks for the reviews. Due to increased CI latency, I will close this PR in favor of #21372 which adds just one commit to this chain that makes the life cycle key manager diversification constants unique per life cycle state. |
This disables the volatile unlock feature in
top_earlgreyfor the production stepping and enhances the block-level DV environment to test bothlc_ctrlvariants. The PR also parameterizes the corresponding top-level test so that the expectation whether the mechanism is supported or not can be indicated via a plusarg.This fixes part of #18250.