[otbn,rtl] Add fatal error on bad ack from URND
Signed-off-by: Greg Chadwick <gac@lowrisc.org>
diff --git a/hw/ip/otbn/rtl/otbn_core.sv b/hw/ip/otbn/rtl/otbn_core.sv
index 4d08f7f..d5e13a9 100644
--- a/hw/ip/otbn/rtl/otbn_core.sv
+++ b/hw/ip/otbn/rtl/otbn_core.sv
@@ -245,7 +245,7 @@
core_err_bits_t err_bits_q, err_bits_d;
- logic start_stop_state_error;
+ logic start_stop_internal_error;
logic rf_bignum_predec_error, alu_bignum_predec_error, ispr_predec_error, mac_bignum_predec_error;
logic controller_predec_error;
logic rd_predec_error, predec_error;
@@ -283,9 +283,9 @@
.sec_wipe_mod_urnd_o(sec_wipe_mod_urnd),
.sec_wipe_zero_o (sec_wipe_zero),
- .ispr_init_o (ispr_init),
- .state_reset_o(state_reset),
- .state_error_o(start_stop_state_error)
+ .ispr_init_o (ispr_init),
+ .state_reset_o (state_reset),
+ .internal_error_o(start_stop_internal_error)
);
// Depending on its usage, the instruction address (program counter) is qualified by two valid
@@ -525,7 +525,7 @@
assign err_bits_d = '{
fatal_software: controller_err_bits.fatal_software,
bad_internal_state: |{controller_err_bits.bad_internal_state,
- start_stop_state_error,
+ start_stop_internal_error,
urnd_all_zero,
predec_error},
reg_intg_violation: |{controller_err_bits.reg_intg_violation,
@@ -562,7 +562,7 @@
// appears somewhere in err_bits_o above (checked in ErrBitsIfControllerEscalate_A)
assign controller_escalate_en =
mubi4_or_hi(escalate_en_i,
- mubi4_bool_to_mubi(|{start_stop_state_error, urnd_all_zero, predec_error,
+ mubi4_bool_to_mubi(|{start_stop_internal_error, urnd_all_zero, predec_error,
rf_base_rf_err, lsu_rdata_err, insn_fetch_err,
err_bits_d.reg_intg_violation}));
diff --git a/hw/ip/otbn/rtl/otbn_start_stop_control.sv b/hw/ip/otbn/rtl/otbn_start_stop_control.sv
index 5064ce8..87f6706 100644
--- a/hw/ip/otbn/rtl/otbn_start_stop_control.sv
+++ b/hw/ip/otbn/rtl/otbn_start_stop_control.sv
@@ -57,7 +57,7 @@
output logic ispr_init_o,
output logic state_reset_o,
- output logic state_error_o
+ output logic internal_error_o
);
otbn_start_stop_state_e state_q, state_d;
@@ -104,7 +104,7 @@
sec_wipe_zero_o = 1'b0;
addr_cnt_inc = 1'b0;
secure_wipe_done_o = 1'b0;
- state_error_o = 1'b0;
+ internal_error_o = 1'b0;
unique case (state_q)
OtbnStartStopStateHalt: begin
@@ -186,10 +186,17 @@
end
default: begin
// We should never get here. If we do (e.g. via a malicious glitch), error out immediately.
- state_error_o = 1'b1;
+ internal_error_o = 1'b1;
state_d = OtbnStartStopStateLocked;
end
endcase
+
+ if (urnd_reseed_ack_i && (state_q != OtbnStartStopStateUrndRefresh)) begin
+ // We should never receive an ACK from URND when we're not refreshing the URND. Signal an
+ // error if we see a stray ACK and lock the FSM.
+ internal_error_o = 1'b1;
+ state_d = OtbnStartStopStateLocked;
+ end
end
// Logic separate from main FSM code to avoid false combinational loop warning from verilator
