[edn/rtl] D2S review updates Feedback from the D2S review reflected back into the design. Signed-off-by: Mark Branstad <mark.branstad@wdc.com>
diff --git a/hw/ip/edn/data/edn.hjson b/hw/ip/edn/data/edn.hjson index 9d52af9..abcafcf 100644 --- a/hw/ip/edn/data/edn.hjson +++ b/hw/ip/edn/data/edn.hjson
@@ -57,12 +57,18 @@ { name: "CONFIG.MUBI" desc: "Registers have multi-bit encoded fields." } - { name: "FSM.SPARSE" - desc: "Sparse state machine implementation." + { name: "MAIN_SM.FSM.SPARSE" + desc: "The EDN main state machine uses a sparse state encoding." + } + { name: "ACK_SM.FSM.SPARSE" + desc: "The EDN ACK state machine uses a sparse state encoding." } { name: "CTR.REDUN" desc: "Counter hardening on the generate command maximum requests counter." } + { name: "MAIN_SM.CTR.LOCAL_ESC" + desc: "A mismatch detected inside any EDN counter moves the main state machine into a terminal error state." + } { name: "CS_RDATA.BUS.CONSISTENCY" desc: "Comparison on successive bus values for genbits returned from csrng that will destribute over the endpoint buses." }
diff --git a/hw/ip/edn/doc/_index.md b/hw/ip/edn/doc/_index.md index 0c9f67b..d44e9bd 100644 --- a/hw/ip/edn/doc/_index.md +++ b/hw/ip/edn/doc/_index.md
@@ -65,6 +65,19 @@ Note that when the `EDN_ENABLE` field is cleared or the `BOOT_REQ_MODE` field is cleared, an `uninstantiate` command needs to be sent by firmware to destroy the instance in csrng. Note that the EDNs and CSRNG should always be reset together to ensure proper instantiation or uninstantiation of state variables. +### Security + +All module assets and countermeasures performed by hardware are listed in the hjson countermeasures section. +Labels for each instance of asset and coutermeasure are located throughout the RTL source code. + +The receiving FIFO for genbits from CSRNG will have a hardware check on the output bus. +This is done to make sure repeated values are not occurring. +Only 64 bits (out of 128 bits) are checked, since this is statistically significant, and more checking would cost more silicon. +It is expected that an endpoint requiring high-quality entropy will do an additional consistency hardware check on the 32 bit data bus. +Additionally the FIPS signal on the endpoint bus should also be checked for high-quality entropy consumers. +Boot request mode is an example where the FIPS signal will not be ever be set, and consuming endpoint of low-quality entropy do not need to check this signal. + + ## Example Topology In general, the OpenTitan random number subsystem consists of one `entropy_src`, one CSRNG, and one or more EDNs. The `entropy_src` only supports one connection to a CSRNG, but the CSRNG has multiple application interface ports for connecting to EDN's or other hardware blocks. @@ -190,12 +203,12 @@ ### Interrupts -The EDN module has two interrupts: `edn_cmd_req_done` and `edn_fifo_err`. +The EDN module has two interrupts: `edn_cmd_req_done` and `edn_fatal_err`. -The `es_cmd_req_done` interrupt should be used when a CSRNG command is issued and firmware is waiting for completion. +The `edn_cmd_req_done` interrupt should be used when a CSRNG command is issued and firmware is waiting for completion. -The `es_fifo_err` interrupt will fire when a FIFO has a malfunction. -The conditions that cause this to happen are either when there is a push to a full FIFO or a pull from an empty FIFO. +The `edn_fatal_err` interrupt will fire when a fatal error has been detected. +The conditions that cause this to happen are FIFO error, a state machine error state transition, or a prim_count error. #### Waveforms
diff --git a/hw/ip/edn/rtl/edn_ack_sm.sv b/hw/ip/edn/rtl/edn_ack_sm.sv index 0c9d73d..9ac94b3 100644 --- a/hw/ip/edn/rtl/edn_ack_sm.sv +++ b/hw/ip/edn/rtl/edn_ack_sm.sv
@@ -53,7 +53,6 @@ // flops in order to prevent FSM state encoding optimizations. - // SEC_CM: FSM.SPARSE prim_sparse_fsm_flop #( .StateEnumT(state_e), .Width(StateWidth),
diff --git a/hw/ip/edn/rtl/edn_core.sv b/hw/ip/edn/rtl/edn_core.sv index 0888704..73a13b6 100644 --- a/hw/ip/edn/rtl/edn_core.sv +++ b/hw/ip/edn/rtl/edn_core.sv
@@ -47,15 +47,17 @@ localparam int CSGenBitsWidth = 128; localparam int EndPointBusWidth = 32; localparam int RescmdFifoIdxWidth = $clog2(RescmdFifoDepth); + localparam int EdnEnableCopies = 31; + localparam int FifoRstCopies = 4; + localparam int BootReqCopies = 3; // signals logic event_edn_cmd_req_done; logic event_edn_fatal_err; - logic edn_enable; - logic edn_enable_pfe; + logic [EdnEnableCopies-1:0] edn_enable_fo; + logic [FifoRstCopies-1:0] cmd_fifo_rst_fo; + logic [BootReqCopies-1:0] boot_request_fo; logic edn_enable_pfa; - logic cmd_fifo_rst; - logic cmd_fifo_rst_pfe; logic cmd_fifo_rst_pfa; logic packer_arb_valid; logic packer_arb_ready; @@ -90,8 +92,6 @@ logic packer_cs_rvalid; logic packer_cs_rready; logic [CSGenBitsWidth-1:0] packer_cs_rdata; - logic boot_request; - logic boot_req_mode_pfe; logic boot_req_mode_pfa; logic boot_wr_cmd_reg; logic boot_wr_cmd_genfifo; @@ -151,6 +151,15 @@ // unused logic unused_err_code_test_bit; + import prim_mubi_pkg::mubi4_t; + import prim_mubi_pkg::mubi4_test_true_strict; + import prim_mubi_pkg::mubi4_test_invalid; + + prim_mubi_pkg::mubi4_t [EdnEnableCopies-1:0] mubi_edn_enable_fanout; + prim_mubi_pkg::mubi4_t [FifoRstCopies-1:0] mubi_cmd_fifo_rst_fanout; + prim_mubi_pkg::mubi4_t [BootReqCopies-1:0] mubi_boot_req_mode_fanout; + prim_mubi_pkg::mubi4_t [1:0] mubi_auto_req_mode_fanout; + // flops logic [31:0] cs_cmd_req_q, cs_cmd_req_d; logic cs_cmd_req_vld_q, cs_cmd_req_vld_d; @@ -242,7 +251,7 @@ assign event_edn_cmd_req_done = csrng_cmd_ack_gated; // set the interrupt sources - assign event_edn_fatal_err = (edn_enable && ( + assign event_edn_fatal_err = (edn_enable_fo[0] && ( sfifo_rescmd_err_sum || sfifo_gencmd_err_sum || edn_ack_sm_err_sum || @@ -277,16 +286,16 @@ // set the err code source bits assign hw2reg.err_code.sfifo_rescmd_err.d = 1'b1; - assign hw2reg.err_code.sfifo_rescmd_err.de = edn_enable && sfifo_rescmd_err_sum; + assign hw2reg.err_code.sfifo_rescmd_err.de = edn_enable_fo[1] && sfifo_rescmd_err_sum; assign hw2reg.err_code.sfifo_gencmd_err.d = 1'b1; - assign hw2reg.err_code.sfifo_gencmd_err.de = edn_enable && sfifo_gencmd_err_sum; + assign hw2reg.err_code.sfifo_gencmd_err.de = edn_enable_fo[2] && sfifo_gencmd_err_sum; assign hw2reg.err_code.edn_ack_sm_err.d = 1'b1; - assign hw2reg.err_code.edn_ack_sm_err.de = edn_enable && edn_ack_sm_err_sum; + assign hw2reg.err_code.edn_ack_sm_err.de = edn_enable_fo[3] && edn_ack_sm_err_sum; assign hw2reg.err_code.edn_main_sm_err.d = 1'b1; - assign hw2reg.err_code.edn_main_sm_err.de = edn_enable && edn_main_sm_err_sum; + assign hw2reg.err_code.edn_main_sm_err.de = edn_enable_fo[4] && edn_main_sm_err_sum; assign hw2reg.err_code.edn_cntr_err.d = 1'b1; assign hw2reg.err_code.edn_cntr_err.de = edn_cntr_err_sum; @@ -297,13 +306,13 @@ // set the err code type bits assign hw2reg.err_code.fifo_write_err.d = 1'b1; - assign hw2reg.err_code.fifo_write_err.de = edn_enable && fifo_write_err_sum; + assign hw2reg.err_code.fifo_write_err.de = edn_enable_fo[5] && fifo_write_err_sum; assign hw2reg.err_code.fifo_read_err.d = 1'b1; - assign hw2reg.err_code.fifo_read_err.de = edn_enable && fifo_read_err_sum; + assign hw2reg.err_code.fifo_read_err.de = edn_enable_fo[6] && fifo_read_err_sum; assign hw2reg.err_code.fifo_state_err.d = 1'b1; - assign hw2reg.err_code.fifo_state_err.de = edn_enable && fifo_status_err_sum; + assign hw2reg.err_code.fifo_state_err.de = edn_enable_fo[7] && fifo_status_err_sum; // Error forcing @@ -326,44 +335,73 @@ }; // check for illegal enable field states, and set alert if detected - import prim_mubi_pkg::mubi4_t; - import prim_mubi_pkg::mubi4_test_true_strict; - import prim_mubi_pkg::mubi4_test_invalid; // SEC_CM: CONFIG.MUBI mubi4_t mubi_edn_enable; assign mubi_edn_enable = mubi4_t'(reg2hw.ctrl.edn_enable.q); - assign edn_enable_pfe = mubi4_test_true_strict(mubi_edn_enable); - assign edn_enable_pfa = mubi4_test_invalid(mubi_edn_enable); + assign edn_enable_pfa = edn_enable_fo[30]; assign hw2reg.recov_alert_sts.edn_enable_field_alert.de = edn_enable_pfa; assign hw2reg.recov_alert_sts.edn_enable_field_alert.d = edn_enable_pfa; + for (genvar i = 0; i < EdnEnableCopies; i = i+1) begin : gen_mubi_en_copies + assign edn_enable_fo[i] = mubi4_test_true_strict(mubi_edn_enable_fanout[i]); + end : gen_mubi_en_copies + + prim_mubi4_sync #( + .NumCopies(EdnEnableCopies), + .AsyncOn(0) + ) u_prim_mubi4_sync_edn_enable ( + .clk_i, + .rst_ni, + .mubi_i(mubi_edn_enable), + .mubi_o(mubi_edn_enable_fanout) + ); + // SEC_CM: CONFIG.MUBI mubi4_t mubi_cmd_fifo_rst; assign mubi_cmd_fifo_rst = mubi4_t'(reg2hw.ctrl.cmd_fifo_rst.q); - assign cmd_fifo_rst_pfe = mubi4_test_true_strict(mubi_cmd_fifo_rst); - assign cmd_fifo_rst_pfa = mubi4_test_invalid(mubi_cmd_fifo_rst); + assign cmd_fifo_rst_pfa = cmd_fifo_rst_fo[3]; assign hw2reg.recov_alert_sts.cmd_fifo_rst_field_alert.de = cmd_fifo_rst_pfa; assign hw2reg.recov_alert_sts.cmd_fifo_rst_field_alert.d = cmd_fifo_rst_pfa; + for (genvar i = 0; i < FifoRstCopies; i = i+1) begin : gen_mubi_rst_copies + assign cmd_fifo_rst_fo[i] = mubi4_test_true_strict(mubi_cmd_fifo_rst_fanout[i]); + end : gen_mubi_rst_copies + + prim_mubi4_sync #( + .NumCopies(FifoRstCopies), + .AsyncOn(0) + ) u_prim_mubi4_sync_cmd_fifo_rst ( + .clk_i, + .rst_ni, + .mubi_i(mubi_cmd_fifo_rst), + .mubi_o(mubi_cmd_fifo_rst_fanout) + ); + // counter errors assign edn_cntr_err = max_reqs_cnt_err; - // master module enable - assign edn_enable = edn_enable_pfe; - assign cmd_fifo_rst = cmd_fifo_rst_pfe; - //-------------------------------------------- // sw register interface //-------------------------------------------- // SEC_CM: CONFIG.MUBI mubi4_t mubi_auto_req_mode; assign mubi_auto_req_mode = mubi4_t'(reg2hw.ctrl.auto_req_mode.q); - assign auto_req_mode_pfe = mubi4_test_true_strict(mubi_auto_req_mode); - assign auto_req_mode_pfa = mubi4_test_invalid(mubi_auto_req_mode); + assign auto_req_mode_pfe = mubi4_test_true_strict(mubi_auto_req_mode_fanout[0]); + assign auto_req_mode_pfa = mubi4_test_invalid(mubi_auto_req_mode_fanout[1]); assign hw2reg.recov_alert_sts.auto_req_mode_field_alert.de = auto_req_mode_pfa; assign hw2reg.recov_alert_sts.auto_req_mode_field_alert.d = auto_req_mode_pfa; + prim_mubi4_sync #( + .NumCopies(2), + .AsyncOn(0) + ) u_prim_mubi4_sync_auto_req_mode ( + .clk_i, + .rst_ni, + .mubi_i(mubi_auto_req_mode), + .mubi_o(mubi_auto_req_mode_fanout) + ); + // SW interface connection // cmd req @@ -373,7 +411,7 @@ assign hw2reg.sum_sts.req_mode_sm_sts.de = 1'b1; assign hw2reg.sum_sts.req_mode_sm_sts.d = seq_auto_req_mode; assign hw2reg.sum_sts.boot_inst_ack.de = 1'b1; - assign hw2reg.sum_sts.boot_inst_ack.d = csrng_cmd_ack && boot_request; + assign hw2reg.sum_sts.boot_inst_ack.d = csrng_cmd_ack && boot_request_fo[1]; assign max_reqs_between_reseed_load = reg2hw.max_num_reqs_between_reseeds.qe; assign max_reqs_between_reseed_bus = reg2hw.max_num_reqs_between_reseeds.q; @@ -385,24 +423,24 @@ assign generate_cmd_bus = reg2hw.generate_cmd.q; assign cs_cmd_req_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[8]) ? '0 : boot_wr_cmd_reg ? boot_ins_cmd : sw_cmd_req_load ? sw_cmd_req_bus : cs_cmd_req_q; assign cs_cmd_req_vld_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[9]) ? '0 : (sw_cmd_req_load || boot_wr_cmd_reg); // cmd reg write assign cs_cmd_req_out_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[10]) ? '0 : (!seq_auto_req_mode) ? cs_cmd_req_q : send_rescmd ? sfifo_rescmd_rdata : send_gencmd ? sfifo_gencmd_rdata : cs_cmd_req_out_q; assign cs_cmd_req_vld_out_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[11]) ? '0 : seq_auto_req_mode ? (send_rescmd || send_gencmd) : cs_cmd_req_vld_q; @@ -415,7 +453,7 @@ assign hw2reg.sw_cmd_sts.cmd_rdy.d = cmd_rdy; assign cmd_rdy = !sw_cmd_req_load && sw_rdy_sts_q; assign sw_rdy_sts_d = - !edn_enable ? 1'b1 : + !edn_enable_fo[12] ? 1'b1 : sw_cmd_req_load ? 1'b0 : seq_auto_req_mode ? 1'b0 : csrng_cmd_i.csrng_req_ready ? 1'b1 : @@ -448,7 +486,7 @@ // feedback cmd back into rescmd fifo assign send_rescmd_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[13]) ? '0 : send_rescmd; assign sfifo_rescmd_push = @@ -460,8 +498,8 @@ assign sfifo_rescmd_pop = send_rescmd; assign sfifo_rescmd_clr = - (!edn_enable) ? '0 : - (cmd_fifo_rst || auto_req_mode_end); + (!edn_enable_fo[14]) ? '0 : + (cmd_fifo_rst_fo[0] || auto_req_mode_end); assign sfifo_rescmd_err = {(sfifo_rescmd_push && sfifo_rescmd_full), @@ -489,17 +527,17 @@ // feedback cmd back into gencmd fifo assign send_gencmd_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[15]) ? '0 : send_gencmd; assign sfifo_gencmd_push = - (!edn_enable) ? '0 : + (!edn_enable_fo[16]) ? '0 : boot_wr_cmd_genfifo ? 1'b1 : seq_auto_req_mode ? send_gencmd_q : generate_cmd_load; assign sfifo_gencmd_wdata = - (!edn_enable) ? '0 : + (!edn_enable_fo[17]) ? '0 : boot_wr_cmd_genfifo ? boot_gen_cmd : seq_auto_req_mode ? cs_cmd_req_out_q : generate_cmd_bus; @@ -507,8 +545,8 @@ assign sfifo_gencmd_pop = send_gencmd; assign sfifo_gencmd_clr = - (!edn_enable) ? '0 : - (cmd_fifo_rst || auto_req_mode_end); + (!edn_enable_fo[18]) ? '0 : + (cmd_fifo_rst_fo[1] || auto_req_mode_end); assign sfifo_gencmd_err = {(sfifo_gencmd_push && sfifo_gencmd_full), @@ -516,6 +554,8 @@ (sfifo_gencmd_full && !sfifo_gencmd_not_empty)}; // sm to process csrng commands + // SEC_CM: MAIN_SM.FSM.SPARSE + // SEC_CM: MAIN_SM.CTR.LOCAL_ESC edn_main_sm u_edn_main_sm ( .clk_i(clk_i), .rst_ni(rst_ni), @@ -531,6 +571,7 @@ .capt_rescmd_fifo_cnt_o(capt_rescmd_fifo_cnt), .send_rescmd_o(send_rescmd), .cmd_sent_i(cmd_sent), + .local_escalate_i(edn_cntr_err_sum), .main_sm_err_o(edn_main_sm_err) ); @@ -562,8 +603,8 @@ assign cmd_fifo_cnt_d = - (!edn_enable) ? '0 : - (cmd_fifo_rst || !seq_auto_req_mode) ? '0 : + (!edn_enable_fo[19]) ? '0 : + (cmd_fifo_rst_fo[2] || !seq_auto_req_mode) ? '0 : capt_gencmd_fifo_cnt ? (sfifo_gencmd_depth) : capt_rescmd_fifo_cnt ? (sfifo_rescmd_depth) : (send_gencmd || send_rescmd)? (cmd_fifo_cnt_q-1) : @@ -574,22 +615,32 @@ // SEC_CM: CONFIG.MUBI mubi4_t mubi_boot_req_mode; assign mubi_boot_req_mode = mubi4_t'(reg2hw.ctrl.boot_req_mode.q); - assign boot_req_mode_pfe = mubi4_test_true_strict(mubi_boot_req_mode); - assign boot_req_mode_pfa = mubi4_test_invalid(mubi_boot_req_mode); + assign boot_req_mode_pfa = boot_request_fo[2]; assign hw2reg.recov_alert_sts.boot_req_mode_field_alert.de = boot_req_mode_pfa; assign hw2reg.recov_alert_sts.boot_req_mode_field_alert.d = boot_req_mode_pfa; + for (genvar i = 0; i < BootReqCopies; i = i+1) begin : gen_mubi_boot_copies + assign boot_request_fo[i] = mubi4_test_true_strict(mubi_boot_req_mode_fanout[i]); + end : gen_mubi_boot_copies - // boot request - assign boot_request = boot_req_mode_pfe; + prim_mubi4_sync #( + .NumCopies(BootReqCopies), + .AsyncOn(0) + ) u_prim_mubi4_sync_boot_req_mode ( + .clk_i, + .rst_ni, + .mubi_i(mubi_boot_req_mode), + .mubi_o(mubi_boot_req_mode_fanout) + ); + assign boot_req_d[0] = - (!edn_enable) ? '0 : - boot_request ? 1'b1 : + (!edn_enable_fo[20]) ? '0 : + boot_request_fo[0] ? 1'b1 : boot_req_q[0]; assign boot_req_d[3:1] = - (!edn_enable) ? '0 : + (!edn_enable_fo[21]) ? '0 : boot_req_q[2:0]; assign boot_wr_cmd_reg = !boot_req_q[1] && boot_req_q[0]; @@ -597,13 +648,13 @@ assign boot_auto_req = !boot_req_q[3] && boot_req_q[2]; assign boot_auto_req_wack_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[22]) ? '0 : boot_auto_req ? 1'b1 : csrng_cmd_ack ? 1'b0 : boot_auto_req_wack_q; assign boot_auto_req_dly_d = - (!edn_enable) ? '0 : + (!edn_enable_fo[23]) ? '0 : boot_auto_req_wack_q; @@ -655,7 +706,7 @@ .depth_o () ); - assign packer_cs_clr = !edn_enable; + assign packer_cs_clr = !edn_enable_fo[24]; assign packer_cs_push = csrng_cmd_i.genbits_valid; assign packer_cs_wdata = csrng_cmd_i.genbits_bus; assign csrng_cmd_o.genbits_ready = packer_cs_wready; @@ -663,7 +714,7 @@ assign packer_arb_ready = packer_cs_rvalid; assign csrng_fips_d = - !edn_enable ? 1'b0 : + !edn_enable_fo[25] ? 1'b0 : (packer_cs_push && packer_cs_wready) ? csrng_cmd_i.genbits_fips : csrng_fips_q; @@ -682,7 +733,7 @@ assign cs_rdata_capt_d = cs_rdata_capt_vld ? packer_cs_rdata[63:0] : cs_rdata_capt_q; assign cs_rdata_capt_vld_d = - !edn_enable ? 1'b0 : + !edn_enable_fo[26] ? 1'b0 : cs_rdata_capt_vld ? 1'b1 : cs_rdata_capt_vld_q; @@ -718,12 +769,12 @@ .depth_o () ); - assign packer_ep_clr[i] = !edn_enable; + assign packer_ep_clr[i] = !edn_enable_fo[27]; assign packer_ep_push[i] = packer_arb_valid && packer_ep_wready[i] && packer_arb_gnt[i]; assign packer_ep_wdata[i] = packer_cs_rdata; // fips indication - assign edn_fips_d[i] = !edn_enable ? 1'b0 : + assign edn_fips_d[i] = !edn_enable_fo[28] ? 1'b0 : (packer_ep_push[i] && packer_ep_wready[i]) ? csrng_fips_q : edn_fips_q[i]; assign edn_o[i].edn_fips = edn_fips_q[i]; @@ -732,10 +783,11 @@ assign edn_o[i].edn_ack = packer_ep_ack[i]; assign edn_o[i].edn_bus = packer_ep_rdata[i]; + // SEC_CM: ACK_SM.FSM.SPARSE edn_ack_sm u_edn_ack_sm_ep ( .clk_i (clk_i), .rst_ni (rst_ni), - .enable_i (edn_enable), + .enable_i (edn_enable_fo[29]), .req_i (edn_i[i].edn_req), .ack_o (packer_ep_ack[i]), .fifo_not_empty_i (packer_ep_rvalid[i]),
diff --git a/hw/ip/edn/rtl/edn_main_sm.sv b/hw/ip/edn/rtl/edn_main_sm.sv index afd608c..119694a 100644 --- a/hw/ip/edn/rtl/edn_main_sm.sv +++ b/hw/ip/edn/rtl/edn_main_sm.sv
@@ -22,6 +22,7 @@ output logic capt_rescmd_fifo_cnt_o, output logic send_rescmd_o, input logic cmd_sent_i, + input logic local_escalate_i, output logic main_sm_err_o ); @@ -65,7 +66,6 @@ // flops in order to prevent FSM state encoding optimizations. - // SEC_CM: FSM.SPARSE prim_sparse_fsm_flop #( .StateEnumT(state_e), .Width(StateWidth), @@ -139,6 +139,9 @@ end default: state_d = Error; endcase + if (local_escalate_i) begin + state_d = Error; + end end endmodule