hw/ip/keymgr/data/keymgr_testplan.hjson - 3p/lowrisc/opentitan - Git at Google

 // Copyright lowRISC contributors.
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 {
   name: "keymgr"
   import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/intr_test_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/alert_test_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/tl_device_access_types_testplan.hjson"]
   entries: [
     {
       name: smoke
       desc: '''
             Basic smoke test accessing a major datapath within the keymgr.
             Most of other sequences are derived from this to have similar init and sequence.

             Stimulus:
             - During init, configure ROM_EXT_DESC_*, SOFTWARE_BINDING_*, Salt_*, key_version.
             - Go through state from `StReset` to `StDisabled`.
             - Issue SW and HW operation in each state, including invalid operations below
               - advance state in `StDisabled`.
               - generate output in states other than normal operating states (`StCreatorRootKey`,
                 `StOwnerIntKey` and `StOwnerIntKey`).

             Checks:
             - Check STATUS reg for each operation.
             - Check interrupts `op_done` is triggered when operation is done.
             - Check `err` and alert `operation_err` are triggered after invalid operation.
             - Check KMAC key, KMAC data and output SW data for correctness.
             '''
       milestone: V1
       tests: ["keymgr_smoke"]
     }
     {
       name: cfgen_during_op
       desc: '''
             CFGEN is RO reg and it gates bunch of write access of other registers, which isn't
             tested in common CSR tests.

             Stimulus and checks:
             Test command and reg access gated by CFGEN is ignored during operation.
             '''
       milestone: V2
       tests: []
     }
     {
       name: op_at_wipe_state
       desc: '''
             `StWipe` is a temporary state during init operation, which will set CSR CFGEN.

             Stimulus and checks:
             Test command and reg access gated by CFGEN is ignored during `StWipe`.
             '''
       milestone: V2
       tests: []
     }
     {
       name: hw_sideload
       desc: '''
             Keymgr contains HW sideload interfaces to output keys for KMAC, HMAC, AES.

             Stimulus:
             Generate a keymgr output to HW sideload interface, excising all the sideload interfaces.

             Checks:
             Verify the sideload data and status for correctness.
             '''
       milestone: V2
       tests: []
     }
     {
       name: init_n_start
       desc: '''
             Stimulus and checks:
             Verify all combinations of `init` and `start`.
             - If both are set in `StReset`, check `INVALID_OP` error is triggered.
             - If it's in other state, `init` is ignored.
             '''
       milestone: V2
       tests: []
     }
     {
       name: direct_to_disabled_state
       desc: '''
             Stimulus and checks:
             Directly go to `StDisabled` from any state and check `StDisabled` is entered correctly.
             '''
       milestone: V2
       tests: []
     }
     {
       name: lc_disable
       desc: '''
             Life cycle can disable keymgr and let keymgr wipe secret immediately.

             Stimulus:
             Test life cycle disables keymgr in any state.

             Checks:
             - If keymgr is not initialized, check it can't be initialized until life cycle enables
               keymgr.
             - If keymgr is in a valid state after init, key output to KMAC is wiped immediately and
               SW output will be invalid after OP is done.
             - If keymgr in disabled state, check the behavior is consistent with normal behavior.
             '''
       milestone: V2
       tests: []
     }
     {
       name: invalid_cmd
       desc: '''
             Verify `keymgr` security countermeasures on fault injection.

             Stimulus:
             Force one of these or both
             - force advance, gen_id and gen_out to not one-hot
             - force KMAC FSM to default branch to trigger FSM error

             Checks:
             - Check interrupts `err` is triggered.
             - Check alert `fault_err` is triggered and err_code is `INVALID_CMD`.
             - Check KMAC output key and output data to SW are corrupted, also keymgr enters
               StDisabled.
             '''
       milestone: V2
       tests: []
     }
     {
       name: kmac_error
       desc: '''
             Verify `keymgr` behavior on error response received from `KMAC` after sending data to
             it.

             Stimulus:
             Drive error from KMAC interface when VALID is high.

             Checks:
             Same as above entry - "invalid_cmd".
             '''
       milestone: V2
       tests: []
     }
     {
       name: invalid_kmac_input
       desc: '''
             Verify `keymgr` behavior with invalid key version.

             Stimulus:
             Randomize KEY_VERSION and MAX_*_VER registers.

             Checks:
             when KEY_VERSION > MAX_*_VER
             - Check interrupts `err` is triggered.
             - Check alert `operation_err` is triggered and err_code is `INVALID_KMAC_INPUT`.
             - Check KMAC output key is corrupted and working state remains the same.
             '''
       milestone: V2
       tests: []
     }
     {
       name: invalid_kmac_data
       desc: '''
             Verify `keymgr` behavior with invalid data patterns.

             Stimulus:
             Use all 0s or 1s as KMAC input digest data

             Checks:
             - Check interrupts `err` is triggered.
             - Check alert `operation_err` is triggered and err_code is `INVALID_KMAC_DATA`.
             - Check KMAC output key is corrupted and working state remains the same.
             '''
       milestone: V2
       tests: []
     }
   ]
 }
	// Copyright lowRISC contributors.
	// Licensed under the Apache License, Version 2.0, see LICENSE for details.
	// SPDX-License-Identifier: Apache-2.0
	{
	name: "keymgr"
	import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/intr_test_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/alert_test_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/tl_device_access_types_testplan.hjson"]
	entries: [
	{
	name: smoke
	desc: '''
	Basic smoke test accessing a major datapath within the keymgr.
	Most of other sequences are derived from this to have similar init and sequence.

	Stimulus:
	- During init, configure ROM_EXT_DESC_, SOFTWARE_BINDING_, Salt_*, key_version.
	- Go through state from `StReset` to `StDisabled`.
	- Issue SW and HW operation in each state, including invalid operations below
	- advance state in `StDisabled`.
	- generate output in states other than normal operating states (`StCreatorRootKey`,
	`StOwnerIntKey` and `StOwnerIntKey`).

	Checks:
	- Check STATUS reg for each operation.
	- Check interrupts `op_done` is triggered when operation is done.
	- Check `err` and alert `operation_err` are triggered after invalid operation.
	- Check KMAC key, KMAC data and output SW data for correctness.
	'''
	milestone: V1
	tests: ["keymgr_smoke"]
	}
	{
	name: cfgen_during_op
	desc: '''
	CFGEN is RO reg and it gates bunch of write access of other registers, which isn't
	tested in common CSR tests.

	Stimulus and checks:
	Test command and reg access gated by CFGEN is ignored during operation.
	'''
	milestone: V2
	tests: []
	}
	{
	name: op_at_wipe_state
	desc: '''
	`StWipe` is a temporary state during init operation, which will set CSR CFGEN.

	Stimulus and checks:
	Test command and reg access gated by CFGEN is ignored during `StWipe`.
	'''
	milestone: V2
	tests: []
	}
	{
	name: hw_sideload
	desc: '''
	Keymgr contains HW sideload interfaces to output keys for KMAC, HMAC, AES.

	Stimulus:
	Generate a keymgr output to HW sideload interface, excising all the sideload interfaces.

	Checks:
	Verify the sideload data and status for correctness.
	'''
	milestone: V2
	tests: []
	}
	{
	name: init_n_start
	desc: '''
	Stimulus and checks:
	Verify all combinations of `init` and `start`.
	- If both are set in `StReset`, check `INVALID_OP` error is triggered.
	- If it's in other state, `init` is ignored.
	'''
	milestone: V2
	tests: []
	}
	{
	name: direct_to_disabled_state
	desc: '''
	Stimulus and checks:
	Directly go to `StDisabled` from any state and check `StDisabled` is entered correctly.
	'''
	milestone: V2
	tests: []
	}
	{
	name: lc_disable
	desc: '''
	Life cycle can disable keymgr and let keymgr wipe secret immediately.

	Stimulus:
	Test life cycle disables keymgr in any state.

	Checks:
	- If keymgr is not initialized, check it can't be initialized until life cycle enables
	keymgr.
	- If keymgr is in a valid state after init, key output to KMAC is wiped immediately and
	SW output will be invalid after OP is done.
	- If keymgr in disabled state, check the behavior is consistent with normal behavior.
	'''
	milestone: V2
	tests: []
	}
	{
	name: invalid_cmd
	desc: '''
	Verify `keymgr` security countermeasures on fault injection.

	Stimulus:
	Force one of these or both
	- force advance, gen_id and gen_out to not one-hot
	- force KMAC FSM to default branch to trigger FSM error

	Checks:
	- Check interrupts `err` is triggered.
	- Check alert `fault_err` is triggered and err_code is `INVALID_CMD`.
	- Check KMAC output key and output data to SW are corrupted, also keymgr enters
	StDisabled.
	'''
	milestone: V2
	tests: []
	}
	{
	name: kmac_error
	desc: '''
	Verify `keymgr` behavior on error response received from `KMAC` after sending data to
	it.

	Stimulus:
	Drive error from KMAC interface when VALID is high.

	Checks:
	Same as above entry - "invalid_cmd".
	'''
	milestone: V2
	tests: []
	}
	{
	name: invalid_kmac_input
	desc: '''
	Verify `keymgr` behavior with invalid key version.

	Stimulus:
	Randomize KEY_VERSION and MAX_*_VER registers.

	Checks:
	when KEY_VERSION > MAX_*_VER
	- Check interrupts `err` is triggered.
	- Check alert `operation_err` is triggered and err_code is `INVALID_KMAC_INPUT`.
	- Check KMAC output key is corrupted and working state remains the same.
	'''
	milestone: V2
	tests: []
	}
	{
	name: invalid_kmac_data
	desc: '''
	Verify `keymgr` behavior with invalid data patterns.

	Stimulus:
	Use all 0s or 1s as KMAC input digest data

	Checks:
	- Check interrupts `err` is triggered.
	- Check alert `operation_err` is triggered and err_code is `INVALID_KMAC_DATA`.
	- Check KMAC output key is corrupted and working state remains the same.
	'''
	milestone: V2
	tests: []
	}
	]
	}