hw/ip/csrng/data/csrng_sec_cm_testplan.hjson - 3p/lowrisc/opentitan - Git at Google

 // Copyright lowRISC contributors.
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0

 // Security countermeasures testplan extracted from the IP Hjson using reggen.
 //
 // This testplan is auto-generated only the first time it is created. This is
 // because this testplan needs to be hand-editable. It is possible that these
 // testpoints can go out of date if the spec is updated with new
 // countermeasures. When `reggen` is invoked when this testplan already exists,
 // It checks if the list of testpoints is up-to-date and enforces the user to
 // make further manual updates.
 //
 // These countermeasures and their descriptions can be found here:
 // .../csrng/data/csrng.hjson
 //
 // It is possible that the testing of some of these countermeasures may already
 // be covered as a testpoint in a different testplan. This duplication is ok -
 // the test would have likely already been developed. We simply map those tests
 // to the testpoints below using the `tests` key.
 //
 // Please ensure that this testplan is imported in:
 // .../csrng/data/csrng_testplan.hjson
 {
   testpoints: [
     {
       // Since CTRL and ERR_CODE_TEST registers are excluded from some automated CSRs tests (CsrExclWrite), test points 1) and 2) are verified using a directed test.
       name: sec_cm_config_regwen
       desc: '''
             Verify the countermeasure(s) CONFIG.REGWEN.
             Verify that:
             1) REGWEN cannot be set back to 1 after being set to 0 once.
             2) If REGWEN is not set, the CTRL and ERR_CODE_TEST registers cannot be modified.
             '''
       stage: V2S
       tests: ["csrng_csr_rw", "csrng_regwen"]
     }
     {
       name: sec_cm_config_mubi
       desc: '''
             Verify the countermeasure(s) CONFIG.MUBI.
             Verify that upon writing invalid MUBI values to the CTRL register:
             1) the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register, and
             2) the DUT can be configured back to a safe configuration and the RECOV_ALERT_STS register can be cleared.
             '''
       stage: V2S
       tests: ["csrng_alert"]
     }
     {
       name: sec_cm_intersig_mubi
       desc: '''
             Verify the countermeasure(s) INTERSIG.MUBI.
             Verify that unless the otp_en_csrng_sw_app_read input signal is equal to MuBi8True and CTRL.SW_APP_ENABLE or CTRL.READ_INT_STATE is set to kMultiBitBool4True the DUT doesn't allow reading the genbits or the internal state from the GENBITS or INT_STATE_VAL register, respectively.
             '''
       stage: V2S
       tests: ["csrng_stress_all"]
     }
     {
       name: sec_cm_main_sm_fsm_sparse
       desc: '''
             Verify the countermeasure(s) MAIN_SM.FSM.SPARSE.
             The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_update_fsm_sparse
       desc: '''
             Verify the countermeasure(s) UPDATE.FSM.SPARSE.
             The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_blk_enc_fsm_sparse
       desc: '''
             Verify the countermeasure(s) BLK_ENC.FSM.SPARSE.
             The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_outblk_fsm_sparse
       desc: '''
             Verify the countermeasure(s) OUTBLK.FSM.SPARSE.
             The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_gen_cmd_ctr_redun
       desc: '''
             Verify the countermeasure(s) GEN_CMD.CTR.REDUN.
             The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the Generate command counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       // All counter errors are collected in ERR_CODE.CMD_GEN_CNT_ERR.
       name: sec_cm_drbg_upd_ctr_redun
       desc: '''
             Verify the countermeasure(s) DRBG_UPD.CTR.REDUN.
             The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the CTR_DRBG update counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       // All counter errors are collected in ERR_CODE.CMD_GEN_CNT_ERR.
       name: sec_cm_drbg_gen_ctr_redun
       desc: '''
             Verify the countermeasure(s) DRBG_GEN.CTR.REDUN.
             The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the CTR_DRBG generate counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_ctrl_mubi
       desc: '''
             Verify the countermeasure(s) CTRL.MUBI.
             Verify that upon writing an Application Interface Command Header for an Instantiate or Reseed command to the CMD_REQ register with an invalid MUBI value in the FLAG0 field, the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register.
             '''
       stage: V2S
       tests: ["csrng_alert"]
     }
     {
       name: sec_cm_main_sm_ctr_local_esc
       desc: '''
             Verify the countermeasure(s) MAIN_SM.CTR.LOCAL_ESC.
             Verify that upon a mismatch in any of the redundant counters the main FSM enters a terminal error state and that the DUT signals a fatal alert.
             '''
       stage: V2S
       tests: ["csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_constants_lc_gated
       desc: '''
             Verify the countermeasure(s) CONSTANTS.LC_GATED.
             Verify that the RndCnstCsKeymgrDivNonProduction seed diversification constant can be used if and only if the lc_hw_debug_en input signal is driven to On and that RndCnstCsKeymgrDivProduction is used otherwise.
             '''
       stage: V2S
       tests: ["csrng_stress_all"]
     }
     {
       name: sec_cm_sw_genbits_bus_consistency
       desc: '''
             Verify the countermeasure(s) SW_GENBITS.BUS.CONSISTENCY.
             Verify that if two subsequent read requests to the SW application interface obtain the same data, the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register.
             Verify that the RECOV_ALERT_STS register can be cleared.
             '''
       stage: V2S
       tests: ["csrng_alert"]
     }
     {
       name: sec_cm_tile_link_bus_integrity
       desc: "Verify the countermeasure(s) TILE_LINK.BUS.INTEGRITY."
       stage: V2S
       tests: ["csrng_tl_intg_err"]
     }
     {
       name: sec_cm_aes_cipher_fsm_sparse
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.FSM.SPARSE.
             The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
             They currently don't check whether the DUT actually triggers a fatal alert.
             Alert connection and triggering are verified through automated FPV.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       // This is already fully verified as part of AES V2S.
       name: sec_cm_aes_cipher_fsm_redun
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.FSM.REDUN.
             It is ensured that upon forcing the state of any of the independent, redundant logic rails of the AES cipher core FSM to a different valid encoding, 1) this signals a fatal alert, 2) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 3) the corresponding bit in the ERR_CODE register is set.
             '''
       stage: V2S
       tests: ["csrng_intr", "csrng_err"]
     }
     {
       // This is already fully verified as part of AES V2S.
       name: sec_cm_aes_cipher_ctrl_sparse
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.CTRL.SPARSE.
             It is ensured that upon forcing the value of an important critical control signal inside the AES cipher core to an invalid encoding, 1) this signals a fatal alert, 2) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 3) the corresponding bit in the ERR_CODE register is set.
             '''
       stage: V2S
       tests: ["csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_aes_cipher_fsm_local_esc
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.FSM.LOCAL_ESC.
             Upon detecting a local alert condition inside the AES cipher core FSM, the FSM stops processing data and locks up.
             The DUT must 1) signal a fatal alert, 2) report this with a cs_fatal_err interrupt in the INTR_STATE register and 3) set corresponding bit in the ERR_CODE register.
             '''
       stage: V2S
       tests: ["csrng_intr", "csrng_err"]
     }
     {
       // This is already fully verified as part of AES V2S.
       name: sec_cm_aes_cipher_ctr_redun
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.CTR.REDUN.
             It is ensured that upon forcing the value of any of the independent, redundant logic rails of round counter inside the AES cipher core FSM, the FSM stops processing data and locks up.
             The DUT must 1) signal a fatal alert, 2) report this with a cs_fatal_err interrupt in the INTR_STATE register and 3) set corresponding bit in the ERR_CODE register.
             '''
       stage: V2S
       tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
     }
     {
       name: sec_cm_aes_cipher_data_reg_local_esc
       desc: '''
             Verify the countermeasure(s) AES_CIPHER.DATA_REG.LOCAL_ESC.
             SVAs inside the testbench are used to ensure that upon local escalation triggered through FI the AES cipher core doesn't release intermediate state into other CSRNG registers.
             '''
       stage: V2S
       tests: ["csrng_intr", "csrng_err"]
     }
   ]
 }
	// Copyright lowRISC contributors.
	// Licensed under the Apache License, Version 2.0, see LICENSE for details.
	// SPDX-License-Identifier: Apache-2.0

	// Security countermeasures testplan extracted from the IP Hjson using reggen.
	//
	// This testplan is auto-generated only the first time it is created. This is
	// because this testplan needs to be hand-editable. It is possible that these
	// testpoints can go out of date if the spec is updated with new
	// countermeasures. When `reggen` is invoked when this testplan already exists,
	// It checks if the list of testpoints is up-to-date and enforces the user to
	// make further manual updates.
	//
	// These countermeasures and their descriptions can be found here:
	// .../csrng/data/csrng.hjson
	//
	// It is possible that the testing of some of these countermeasures may already
	// be covered as a testpoint in a different testplan. This duplication is ok -
	// the test would have likely already been developed. We simply map those tests
	// to the testpoints below using the `tests` key.
	//
	// Please ensure that this testplan is imported in:
	// .../csrng/data/csrng_testplan.hjson
	{
	testpoints: [
	{
	// Since CTRL and ERR_CODE_TEST registers are excluded from some automated CSRs tests (CsrExclWrite), test points 1) and 2) are verified using a directed test.
	name: sec_cm_config_regwen
	desc: '''
	Verify the countermeasure(s) CONFIG.REGWEN.
	Verify that:
	1) REGWEN cannot be set back to 1 after being set to 0 once.
	2) If REGWEN is not set, the CTRL and ERR_CODE_TEST registers cannot be modified.
	'''
	stage: V2S
	tests: ["csrng_csr_rw", "csrng_regwen"]
	}
	{
	name: sec_cm_config_mubi
	desc: '''
	Verify the countermeasure(s) CONFIG.MUBI.
	Verify that upon writing invalid MUBI values to the CTRL register:
	1) the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register, and
	2) the DUT can be configured back to a safe configuration and the RECOV_ALERT_STS register can be cleared.
	'''
	stage: V2S
	tests: ["csrng_alert"]
	}
	{
	name: sec_cm_intersig_mubi
	desc: '''
	Verify the countermeasure(s) INTERSIG.MUBI.
	Verify that unless the otp_en_csrng_sw_app_read input signal is equal to MuBi8True and CTRL.SW_APP_ENABLE or CTRL.READ_INT_STATE is set to kMultiBitBool4True the DUT doesn't allow reading the genbits or the internal state from the GENBITS or INT_STATE_VAL register, respectively.
	'''
	stage: V2S
	tests: ["csrng_stress_all"]
	}
	{
	name: sec_cm_main_sm_fsm_sparse
	desc: '''
	Verify the countermeasure(s) MAIN_SM.FSM.SPARSE.
	The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_update_fsm_sparse
	desc: '''
	Verify the countermeasure(s) UPDATE.FSM.SPARSE.
	The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_blk_enc_fsm_sparse
	desc: '''
	Verify the countermeasure(s) BLK_ENC.FSM.SPARSE.
	The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_outblk_fsm_sparse
	desc: '''
	Verify the countermeasure(s) OUTBLK.FSM.SPARSE.
	The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_gen_cmd_ctr_redun
	desc: '''
	Verify the countermeasure(s) GEN_CMD.CTR.REDUN.
	The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the Generate command counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	// All counter errors are collected in ERR_CODE.CMD_GEN_CNT_ERR.
	name: sec_cm_drbg_upd_ctr_redun
	desc: '''
	Verify the countermeasure(s) DRBG_UPD.CTR.REDUN.
	The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the CTR_DRBG update counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	// All counter errors are collected in ERR_CODE.CMD_GEN_CNT_ERR.
	name: sec_cm_drbg_gen_ctr_redun
	desc: '''
	Verify the countermeasure(s) DRBG_GEN.CTR.REDUN.
	The csrng_intr and csrng_err tests verify that if there is a mismatch in the redundant counters of the CTR_DRBG generate counter 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_ctrl_mubi
	desc: '''
	Verify the countermeasure(s) CTRL.MUBI.
	Verify that upon writing an Application Interface Command Header for an Instantiate or Reseed command to the CMD_REQ register with an invalid MUBI value in the FLAG0 field, the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register.
	'''
	stage: V2S
	tests: ["csrng_alert"]
	}
	{
	name: sec_cm_main_sm_ctr_local_esc
	desc: '''
	Verify the countermeasure(s) MAIN_SM.CTR.LOCAL_ESC.
	Verify that upon a mismatch in any of the redundant counters the main FSM enters a terminal error state and that the DUT signals a fatal alert.
	'''
	stage: V2S
	tests: ["csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_constants_lc_gated
	desc: '''
	Verify the countermeasure(s) CONSTANTS.LC_GATED.
	Verify that the RndCnstCsKeymgrDivNonProduction seed diversification constant can be used if and only if the lc_hw_debug_en input signal is driven to On and that RndCnstCsKeymgrDivProduction is used otherwise.
	'''
	stage: V2S
	tests: ["csrng_stress_all"]
	}
	{
	name: sec_cm_sw_genbits_bus_consistency
	desc: '''
	Verify the countermeasure(s) SW_GENBITS.BUS.CONSISTENCY.
	Verify that if two subsequent read requests to the SW application interface obtain the same data, the DUT signals a recoverable alert and sets the correct bit in the RECOV_ALERT_STS register.
	Verify that the RECOV_ALERT_STS register can be cleared.
	'''
	stage: V2S
	tests: ["csrng_alert"]
	}
	{
	name: sec_cm_tile_link_bus_integrity
	desc: "Verify the countermeasure(s) TILE_LINK.BUS.INTEGRITY."
	stage: V2S
	tests: ["csrng_tl_intg_err"]
	}
	{
	name: sec_cm_aes_cipher_fsm_sparse
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.FSM.SPARSE.
	The csrng_intr and csrng_err tests verify that if the FSM state is forced to an illegal state encoding 1) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 2) the corresponding bit in the ERR_CODE register is set.
	They currently don't check whether the DUT actually triggers a fatal alert.
	Alert connection and triggering are verified through automated FPV.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	// This is already fully verified as part of AES V2S.
	name: sec_cm_aes_cipher_fsm_redun
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.FSM.REDUN.
	It is ensured that upon forcing the state of any of the independent, redundant logic rails of the AES cipher core FSM to a different valid encoding, 1) this signals a fatal alert, 2) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 3) the corresponding bit in the ERR_CODE register is set.
	'''
	stage: V2S
	tests: ["csrng_intr", "csrng_err"]
	}
	{
	// This is already fully verified as part of AES V2S.
	name: sec_cm_aes_cipher_ctrl_sparse
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.CTRL.SPARSE.
	It is ensured that upon forcing the value of an important critical control signal inside the AES cipher core to an invalid encoding, 1) this signals a fatal alert, 2) this is reported with a cs_fatal_err interrupt in the INTR_STATE register and 3) the corresponding bit in the ERR_CODE register is set.
	'''
	stage: V2S
	tests: ["csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_aes_cipher_fsm_local_esc
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.FSM.LOCAL_ESC.
	Upon detecting a local alert condition inside the AES cipher core FSM, the FSM stops processing data and locks up.
	The DUT must 1) signal a fatal alert, 2) report this with a cs_fatal_err interrupt in the INTR_STATE register and 3) set corresponding bit in the ERR_CODE register.
	'''
	stage: V2S
	tests: ["csrng_intr", "csrng_err"]
	}
	{
	// This is already fully verified as part of AES V2S.
	name: sec_cm_aes_cipher_ctr_redun
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.CTR.REDUN.
	It is ensured that upon forcing the value of any of the independent, redundant logic rails of round counter inside the AES cipher core FSM, the FSM stops processing data and locks up.
	The DUT must 1) signal a fatal alert, 2) report this with a cs_fatal_err interrupt in the INTR_STATE register and 3) set corresponding bit in the ERR_CODE register.
	'''
	stage: V2S
	tests: ["csrng_sec_cm", "csrng_intr", "csrng_err"]
	}
	{
	name: sec_cm_aes_cipher_data_reg_local_esc
	desc: '''
	Verify the countermeasure(s) AES_CIPHER.DATA_REG.LOCAL_ESC.
	SVAs inside the testbench are used to ensure that upon local escalation triggered through FI the AES cipher core doesn't release intermediate state into other CSRNG registers.
	'''
	stage: V2S
	tests: ["csrng_intr", "csrng_err"]
	}
	]
	}