// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
{
  name: "keymgr"
  import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/intr_test_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/alert_test_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/tl_device_access_types_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/shadow_reg_errors_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/sec_cm_count_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/sec_cm_fsm_testplan.hjson",
                     "hw/dv/tools/dvsim/testplans/stress_all_with_reset_testplan.hjson",
                     "keymgr_sec_cm_testplan.hjson"]
  testpoints: [
    {
      name: smoke
      desc: '''
            Smoke test accessing a major datapath within the keymgr.
            Test operations (advance, gen-id and gen-sw-out) in every state

            Stimulus:
            - Go through state from `StReset` to `StDisabled`.
            - Issue gen-id, gen-sw-output operation in each state, including invalid operations in
              states other than normal operating states (`StCreatorRootKey`, `StOwnerIntKey` and
              `StOwnerRootKey`).
            - Randomize `CDI_SEL` and `DEST_SEL`.
            - Use default/fixed values for HW/SW inputs.

            Checks:
            - Check STATUS reg for each operation.
            - Check interrupts `op_done` is triggered when operation is done.
            - Check `err` and alert `recov_operation_err` are triggered after invalid operation.
            - Check KMAC key, KMAC data and output SW data for correctness.
            - For invalid operations, check KMAC key, KMAC data and output SW data don't match to
              any of saved meaningful data, which are collected from valid operations. This
              checking method is also applied to other error cases.
            '''
      milestone: V1
      tests: ["keymgr_smoke"]
    }
    {
      name: random
      desc: '''
            Extend from smoke to randomize all SW input data
            - Fully randomize SW inputs: rom_ext_desc_*, software_binding_*, salt_*, max_*_key_ver,
              *_key_ver_regwen.
            - Randomize key_version any value less than max_*_key_ver, to avoid triggerring
              `invalid_kmac_input` error.
            - Fully randomize HW inputs from flash, otp and life cycle.
            - Randomize *sw_binding_regwen. Ensure this gates the *_sw_binding and it will
              be cleared after a successful advance operation.

            Most of other sequences are derived from this to have similar init and sequence.

            Stimulus and checks are the same as smoke.
            '''
      milestone: V1
      tests: ["keymgr_random"]
    }
    {
      name: cfgen_during_op
      desc: '''
            `cfg_regwen` is RO reg and it gates bunch of write access of other registers, which is
            not tested in common CSR tests.

            Stimulus and checks:
            Test command and reg access gated by `cfg_regwen` is ignored during operation.
            '''
      milestone: V2
      tests: ["keymgr_cfg_regwen"]
    }
    {
      name: sideload
      desc: '''
            Keymgr contains HW sideload interfaces to output keys for KMAC, AES, OTBN.

            Stimulus:
            - Generate a keymgr output to HW sideload interface, exercising all the sideload
              interfaces.
            - Randomly program any value to Sideload_clear after any operation.

            Checks:
            Verify the sideload data and status for correctness.
            '''
      milestone: V2
      tests: ["keymgr_sideload", "keymgr_sideload_kmac",
              "keymgr_sideload_aes", "keymgr_sideload_otbn"]
    }
    {
      name: direct_to_disabled_state
      desc: '''
            Stimulus and checks:
            Directly go to `StDisabled` from any state and check `StDisabled` is entered correctly.
            '''
      milestone: V2
      tests: ["keymgr_direct_to_disabled"]
    }
    {
      name: lc_disable
      desc: '''
            Life cycle can disable keymgr and let keymgr wipe secret immediately.

            Stimulus:
            Test life cycle disables keymgr in any state.

            Checks:
            - If keymgr is not initialized, check it can't be initialized until life cycle enables
              keymgr.
            - If keymgr is in a valid state after `StReset`, key output to KMAC is wiped immediately
              and SW output will be invalid after OP is done.
            - If keymgr in disabled state, check the behavior is consistent with normal behavior.
            '''
      milestone: V2
      tests: ["keymgr_lc_disable"]
    }
    {
      name: kmac_error_response
      desc: '''
            Verify `keymgr` behavior on error response received from `KMAC` after sending data to
            it.

            Stimulus:
            Drive error from KMAC interface when VALID is high.

            Checks:
            Same as above entry - "invalid_cmd".
            '''
      milestone: V2
      tests: ["keymgr_kmac_rsp_err"]
    }
    {
      name: invalid_kmac_input
      desc: '''
            Verify `keymgr` behavior with invalid key version.

            Stimulus:
            Randomize KEY_VERSION and MAX_*_VER registers.

            Checks:
            when KEY_VERSION > MAX_*_VER
            - Check interrupts `err` is triggered.
            - Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_INPUT`.
            - Check KMAC output key is corrupted and working state remains the same.
            '''
      milestone: V2
      tests: ["keymgr_sw_invalid_input"]
    }
    {
      name: invalid_kmac_data
      desc: '''
            Verify `keymgr` behavior with invalid data patterns.

            Stimulus:
            Use all 0s or 1s as KMAC input digest data

            Checks:
            - Check interrupts `err` is triggered.
            - Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_DATA`.
            - Check SW output isn't updated and working state remains the same.
            '''
      milestone: V2
      tests: ["keymgr_hwsw_invalid_input"]
    }
    {
      name: sync_async_fault_cross
      desc: '''
            Verify `keymgr` behavior with invalid data patterns.

            Stimulus:
            Create these 2 direct tests:
            - Sync (transactional) fault occurs followed by async (non-transactional) fault.
            - Async (non-transactional) fault occurs followed by sync (transactional) fault.

            Checks:
            - Check interrupts `err` is triggered.
            - Check alert `fatal_fault_err` is triggered.
            - Check `fault_status` is updated correctly.
            '''
      milestone: V2
      tests: ["keymgr_sync_async_fault_cross"]
    }
    {
      name: stress_all
      desc: '''
            - Combine above sequences in one test to run sequentially, except csr sequence and
              keymgr_cfg_regwen (requires zero_delays).
            - Randomly add reset between each sequence.
            '''
      milestone: V2
      tests: ["keymgr_stress_all"]
    }
    {
      name: sec_cm_additional_check
      desc: '''
            Verify the outcome of injecting faults to security countermeasures.

            Stimulus:
            As mentioned in `prim_count_check`, `prim_one_hot_check` and `prim_fsm_check`.

            Checks:
            - Besides checking alert and `fault_status`, issue an operation after injecting faults,
              then ensure that `op_status` is failed and design enters `StInvalid`.
            '''
      milestone: V2S
      tests: ["keymgr_sec_cm"]
    }
  ]
  covergroups: [
    {
      name: state_and_op_cg
      desc: '''
            - Cover all operations with `cdi_sel`, `dest_sel` and `op_status` (only fail or success)
            at any of all working_states.
            - This is sampled once an operation is done.'''
    }
    {
      name: lc_disable_cg
      desc: '''
             - Cover LC disable occurs at any of all the states or during any of all the
             operations.
             - This is sampled once LC disables keymgr.'''
    }
    {
      name: sideload_clear_cg
      desc: '''
            - Cover all the `sideload_clear` values are used after any of all the operations and in
            any of all the states.
            - Cover `sideload_clear` with any combination of availability of 3 sideload interfaces.
            - This is sampled once sideload_clear is programmed after an operation.'''
    }
    {
      name: reseed_interval_cg
      desc: '''
            - Cover small values of reseed_interval are used, so that TB can actually check EDN
              request is sent in the right interval.
            - Also Cover some large values to ensure all bits are toggled.'''
    }
    {
      name: keymgr_sw_input_cg
      desc: '''
            - Cover all bits of SW inputs are toggled.
            - SW input includes these CSRS: `*_sw_binding`, `salt`, `key_version`, `max_*_key_ver*`.
            - Cross with the corresponding regwen.'''
    }
    {
      name: control_w_regwen_cg
      desc: '''
            - Similar to keymgr_sw_input_cg, create a separate cg as there are some reserved fields
              scattered in the CSR.
            '''
    }
    {
      name: err_code_cg
      desc: '''
            - Cover `err_codes` values except `invalid_shadow_update` as that is tested in a common
              direct test.
            - This is sampled when `err_codes` is read.'''
    }
    {
      name: hw_invalid_input_cg
      desc: '''
            Cover all HW invalid inputs, including
            - all ones/zeros on OTP root key.
            - OTP root key valid is low.
            - all ones/zeros on LC keymgr health state.
            - all ones/zeros on ROM degist.
            - ROM degist valid is low.
            - all ones/zeros on flash creator seeds.
            - all ones/zeros on flash owner seeds.'''
    }
    {
      name: key_version_compare_cg
      desc: '''
            - Cover comparison results (equal, less, greater) of key_version and current max value.
            - Cross with state and operation (gen-sw-out or gen-hw-out).'''
    }
    {
      name: fault_status_cg
      desc: '''
            - Cover fault_status` values except `REGFILE_INTG` and `SHADOW` as they are tested in
              a common direct test.
            - This is sampled when `fault_status` is read.'''
    }
    {
      name: sync_async_fault_cross_cg
      desc: '''
            - Cover sync and async fault cross with each other, including 2 cases - sync fault
              occurs first and async fault occurs first.
            - This is sampled after `fault_status` is read in the sequence.'''
    }
  ]
}