blob: 4d728a0d09686c38be55a6a1a35b5dc9fd1161f9 [file] [log] [blame]
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
/**
* 256b General Purpose Register File (GPRs) with integrity code detecting triple bit errors on a
* 32-bit granule (312 bits total).
*
* This wraps two implementations, one for FPGA (otbn_rf_base_fpga) implementation the other for
* ASIC (otbn_rf_base_ff).
*
* Integrity protection uses an inverted (39, 32) Hsaio code providing a Hamming distance of 4.
*
* `wr_data_no_intg_i` supplies data that requires integrity calulation and `wr_data_intg_i`
* supplies data that comes with integrity. `wr_data_intg_sel_i` is asserted to select the data with
* integrity for the write, otherwise integrity is calculated separately from `wr_data_i`.
*
* Features:
* - 2 read ports
* - 1 write port
* - triple error detection
*/
module otbn_rf_bignum
import otbn_pkg::*;
#(
// Register file implementation selection, see otbn_pkg.sv.
parameter regfile_e RegFile = RegFileFF
)(
input logic clk_i,
input logic rst_ni,
input logic [WdrAw-1:0] wr_addr_i,
input logic [1:0] wr_en_i,
input logic wr_commit_i,
input logic [WLEN-1:0] wr_data_no_intg_i,
input logic [ExtWLEN-1:0] wr_data_intg_i,
input logic wr_data_intg_sel_i,
input logic rd_en_a_i,
input logic [WdrAw-1:0] rd_addr_a_i,
output logic [ExtWLEN-1:0] rd_data_a_intg_o,
input logic rd_en_b_i,
input logic [WdrAw-1:0] rd_addr_b_i,
output logic [ExtWLEN-1:0] rd_data_b_intg_o,
output logic intg_err_o,
input rf_predec_bignum_t rf_predec_bignum_i,
output logic predec_error_o,
output logic spurious_we_err_o
);
logic [ExtWLEN-1:0] wr_data_intg_mux_out, wr_data_intg_calc;
logic [1:0] wr_en_internal;
logic [BaseWordsPerWLEN*2-1:0] rd_data_a_err, rd_data_b_err;
logic [NWdr-1:0] expected_rd_en_a_onehot, expected_rd_en_b_onehot;
logic [NWdr-1:0] expected_wr_en_onehot;
logic rd_en_a_mismatch, rd_en_b_mismatch, wr_en_mismatch;
assign wr_en_internal = wr_en_i & {2{wr_commit_i}};
if (RegFile == RegFileFF) begin : gen_rf_bignum_ff
otbn_rf_bignum_ff u_otbn_rf_bignum_inner (
.clk_i,
.rst_ni,
.wr_addr_i,
.wr_en_i(wr_en_internal),
.wr_data_i(wr_data_intg_mux_out),
.rd_addr_a_i,
.rd_data_a_o(rd_data_a_intg_o),
.rd_addr_b_i,
.rd_data_b_o(rd_data_b_intg_o),
.rf_predec_bignum_i,
.we_err_o(spurious_we_err_o)
);
end else if (RegFile == RegFileFPGA) begin : gen_rf_bignum_fpga
otbn_rf_bignum_fpga #(
.WordZeroVal(prim_secded_pkg::SecdedInv3932ZeroWord)
) u_otbn_rf_bignum_inner (
.clk_i,
.rst_ni,
.wr_addr_i,
.wr_en_i(wr_en_internal),
.wr_data_i(wr_data_intg_mux_out),
.rd_addr_a_i,
.rd_data_a_o(rd_data_a_intg_o),
.rd_addr_b_i,
.rd_data_b_o(rd_data_b_intg_o),
.we_err_o(spurious_we_err_o)
);
end
prim_onehot_enc #(
.OneHotWidth(NWdr)
) u_rf_ren_a_onehot_enc (
.in_i (rd_addr_a_i),
.en_i (rd_en_a_i),
.out_o (expected_rd_en_a_onehot)
);
prim_onehot_enc #(
.OneHotWidth(NWdr)
) u_rf_ren_b_onehot_enc (
.in_i (rd_addr_b_i),
.en_i (rd_en_b_i),
.out_o (expected_rd_en_b_onehot)
);
prim_onehot_enc #(
.OneHotWidth(NWdr)
) u_rf_we_onehot_enc (
.in_i (wr_addr_i),
.en_i (|wr_en_i),
.out_o (expected_wr_en_onehot)
);
// SEC_CM: CTRL.REDUN
assign rd_en_a_mismatch = expected_rd_en_a_onehot != rf_predec_bignum_i.rf_ren_a;
assign rd_en_b_mismatch = expected_rd_en_b_onehot != rf_predec_bignum_i.rf_ren_b;
assign wr_en_mismatch = expected_wr_en_onehot != rf_predec_bignum_i.rf_we;
assign predec_error_o = rd_en_a_mismatch | rd_en_b_mismatch | wr_en_mismatch;
// New data can have its integrity from an external source or the integrity can be calculated here
assign wr_data_intg_mux_out = wr_data_intg_sel_i ? wr_data_intg_i : wr_data_intg_calc;
// SEC_CM: RF_BIGNUM.DATA_REG_SW.INTEGRITY
// Separate integrity encode and decode per 32-bit integrity granule
for (genvar i = 0; i < BaseWordsPerWLEN; ++i) begin : g_rf_intg_calc
prim_secded_inv_39_32_enc u_wr_data_intg_enc (
.data_i(wr_data_no_intg_i[i * 32 +: 32]),
.data_o(wr_data_intg_calc[i * 39 +: 39])
);
// Integrity decoders used to detect errors only, corrections (`syndrome_o`/`d_o`) are ignored
prim_secded_inv_39_32_dec u_rd_data_a_intg_dec (
.data_i (rd_data_a_intg_o[i * 39 +: 39]),
.data_o (),
.syndrome_o(),
.err_o (rd_data_a_err[i*2 +: 2])
);
prim_secded_inv_39_32_dec u_rd_data_b_intg_dec (
.data_i (rd_data_b_intg_o[i * 39 +: 39]),
.data_o (),
.syndrome_o(),
.err_o (rd_data_b_err[i*2 +: 2])
);
end
logic intg_err_unbuf, intg_err_buf;
assign intg_err_unbuf = ((|rd_data_a_err) & rd_en_a_i) |
((|rd_data_b_err) & rd_en_b_i);
// This primitive is used to place a constraint for synthesis. It is required to
// ensure that the signal name will be available in the synthesized netlist.
prim_buf #(
.Width(1)
) u_prim_buf (
.in_i(intg_err_unbuf),
.out_o(intg_err_buf)
);
assign intg_err_o = intg_err_buf;
`ASSERT(BlankingBignumRegReadA_A,
!rd_en_a_i |-> rd_data_a_intg_o == '0,
clk_i, !rst_ni || predec_error_o || !wr_commit_i)
`ASSERT(BlankingBignumRegReadB_A,
!rd_en_b_i |-> rd_data_b_intg_o == '0,
clk_i, !rst_ni || predec_error_o || !wr_commit_i)
// Make sure we're not outputting X. This indicates that something went wrong during the initial
// secure wipe.
`ASSERT(OtbnRfBignumRdAKnown, rd_en_a_i && !rd_en_a_mismatch |-> !$isunknown(rd_data_a_intg_o))
`ASSERT(OtbnRfBignumRdBKnown, rd_en_b_i && !rd_en_b_mismatch |-> !$isunknown(rd_data_b_intg_o))
endmodule