|  | // Copyright lowRISC contributors. | 
|  | // Licensed under the Apache License, Version 2.0, see LICENSE for details. | 
|  | // SPDX-License-Identifier: Apache-2.0 | 
|  | // | 
|  | // kmac_pkg | 
|  |  | 
|  | package kmac_pkg; | 
|  | parameter int MsgWidth = sha3_pkg::MsgWidth; | 
|  | parameter int MsgStrbW = sha3_pkg::MsgStrbW; | 
|  |  | 
|  | // Message FIFO depth | 
|  | // | 
|  | // Assume entropy is ready always (if Share is reused as an entropy in Chi) | 
|  | // Then it takes 72 cycles to complete the Keccak round. While Keccak is in | 
|  | // operation, the module need to store the incoming messages to not degrade | 
|  | // the throughput. | 
|  | // | 
|  | // Based on the observation from HMAC case, the core usually takes 5 clocks | 
|  | // to fetch data and store into KMAC. So the core can push at most 14.5 X 4B | 
|  | // which is 58B. After that, Keccak can fetch the data from MSG_FIFO faster | 
|  | // rate than the core can push. To fetch 58B, it takes around 7~8 cycles. | 
|  | // For that time, the core only can push at most 2 DW. After that Keccak | 
|  | // waits the incoming message. | 
|  | // | 
|  | // So Message FIFO doesn't need full block size except the KMAC case, which | 
|  | // is delayed the operation by processing Function Name N, customization S, | 
|  | // and secret keys. But KMAC doesn't need high throughput anyway (72Mb/s). | 
|  | parameter int RegIntfWidth = 32; // 32bit interface | 
|  | parameter int RegLatency   = 5;  // 5 cycle to write one Word | 
|  | parameter int Sha3Latency  = 72; // Expected masked sha3 processing time 24x3 | 
|  |  | 
|  | // Total required buffer size while SHA3 is in processing | 
|  | parameter int BufferCycles   = (Sha3Latency + RegLatency - 1)/RegLatency; | 
|  | parameter int BufferSizeBits = RegIntfWidth * BufferCycles; | 
|  |  | 
|  | // Required MsgFifoDepth. Adding slightly more buffer for margin | 
|  | parameter int MsgFifoDepth   = 2 + ((BufferSizeBits + MsgWidth - 1)/MsgWidth); | 
|  | parameter int MsgFifoDepthW  = $clog2(MsgFifoDepth+1); | 
|  |  | 
|  | parameter int MsgWindowWidth = 32; // Register width | 
|  | parameter int MsgWindowDepth = 512; // 2kB space | 
|  |  | 
|  | // Key related definitions | 
|  | // If this value is changed, please modify the logic inside kmac_core | 
|  | // that assigns the value into `encoded_key` | 
|  | parameter int MaxKeyLen = 512; | 
|  |  | 
|  | // size of encode_string(Key) | 
|  | // $ceil($clog2(MaxKeyLen+1)/8) | 
|  | parameter int MaxEncodedKeyLenW = $clog2(MaxKeyLen+1); | 
|  | parameter int MaxEncodedKeyLenByte = (MaxEncodedKeyLenW + 8 - 1) / 8; | 
|  | parameter int MaxEncodedKeyLenSize = MaxEncodedKeyLenByte * 8; | 
|  |  | 
|  | //                             Secret Key  left_encode(len(Key)) | 
|  | //                             ----------  ------------------------ | 
|  | parameter int MaxEncodedKeyW = MaxKeyLen + MaxEncodedKeyLenSize + 8; | 
|  |  | 
|  | // key_len is SW configurable CSR. | 
|  | // Current KMAC allows 5 key length options. | 
|  | // This value determines the KMAC core how to map the value | 
|  | // from Secret Key register to key size block | 
|  | typedef enum logic [2:0] { | 
|  | Key128 = 3'b 000, // 128 bit secret key | 
|  | Key192 = 3'b 001, // 192 bit secret key | 
|  | Key256 = 3'b 010, // 256 bit secret key | 
|  | Key384 = 3'b 011, // 384 bit secret key | 
|  | Key512 = 3'b 100  // 512 bit secret key | 
|  | } key_len_e; | 
|  |  | 
|  |  | 
|  | // kmac_cmd_e defines the possible command sets that software issues via | 
|  | // !!CMD register. This is mainly to limit the error scenario that SW writes | 
|  | // multiple commands at once. | 
|  | typedef enum logic [3:0] { | 
|  | CmdNone      = 4'b 0000, | 
|  | CmdStart     = 4'b 0001, | 
|  | CmdProcess   = 4'b 0010, | 
|  | CmdManualRun = 4'b 0100, | 
|  | CmdDone      = 4'b 1000 | 
|  | } kmac_cmd_e; | 
|  |  | 
|  | // Timer | 
|  | parameter int unsigned TimerPrescalerW = 10; | 
|  | parameter int unsigned EdnWaitTimerW   = 16; | 
|  |  | 
|  | // Entropy Mode Selection : Should be matched to register package Enum value | 
|  | typedef enum logic [1:0] { | 
|  | EntropyModeNone = 2'h 0, | 
|  | EntropyModeEdn  = 2'h 1, | 
|  | EntropyModeSw   = 2'h 2 | 
|  | } entropy_mode_e; | 
|  |  | 
|  | // PRNG (kmac_entropy) | 
|  | parameter int unsigned EntropyLfsrW = 800; | 
|  | parameter int unsigned ChunkSizeEntropyLfsr = 32; | 
|  | parameter int unsigned NumChunksEntropyLfsr = EntropyLfsrW / ChunkSizeEntropyLfsr; | 
|  |  | 
|  | // We use a single seed that is split down into chunks internally. | 
|  | // These LFSR parameters have been generated with | 
|  | // $ ./util/design/gen-lfsr-seed.py --width 800 --seed 3369807298 --prefix "" | 
|  | typedef logic [EntropyLfsrW-1:0] lfsr_seed_t; | 
|  | typedef logic [EntropyLfsrW-1:0][$clog2(EntropyLfsrW)-1:0] lfsr_perm_t; | 
|  | parameter lfsr_seed_t RndCnstLfsrSeedDefault = { | 
|  | 32'h34a19ca3, | 
|  | 256'he514d8e17a5630c287247dff3d354c022f581ace4b6c5736b5efa4160261ab0f, | 
|  | 256'h6cb2915197ab3588982bcffc9cf3b46a250cebf728c0e76f0e680420d7f428f2, | 
|  | 256'h092c1e308f7c8f9d8bacc20cd18fd586d58879654aa4851de224033bfdcbc578 | 
|  | }; | 
|  | parameter lfsr_perm_t RndCnstLfsrPermDefault = { | 
|  | 64'hb1a3e87aeb4e69f0, | 
|  | 256'h2d8a6ee2c9ac567b2aa401a639a2a8ea2553614c0a8daf672c06546fc0d35267, | 
|  | 256'hc4572024bc116458dd0f1c10a8aef5c4ad9a788968d0d7ca7345c6b8f277a5d3, | 
|  | 256'hec5da20f261826ed3c8992724e70db897060be51b07a96902e14a42d12d320f8, | 
|  | 256'h187049b6c25f35d0e485cc4b9ef01dad2865b5e558926f380718b74394fe0f82, | 
|  | 256'hd5395a7d0aa4845af814e8681107a4c793758572c9467493bf1248a48f1b40c2, | 
|  | 256'h09319b55111d0401819685a43a06f0da441021a8c220b14f01d44e49c1683a82, | 
|  | 256'hafeb980964aa050641f4205131d9d4741eb5dd658e603b8ed438cb1096628d42, | 
|  | 256'h62c9d75ced78ed09a3ddbb60f533eef10aa5a54b478d61a06a4b326eb3402105, | 
|  | 256'hc27d562c6d91b48440d6d06e543be9871628a4aa9b3d2e51fa0ac2eb89a17f6d, | 
|  | 256'h207ad96caf25d1fcffab210c1aff12252346fe4d56a7cd9b8605c7fa638895a9, | 
|  | 256'h60158cd3a1ce4f2f6cf5d48579ac14b1e5219ca8914e0507b635dc712554f6bb, | 
|  | 256'h0ae412943a7596f4644a0c13646adc91d02c406a10d232791d3de9919eec5424, | 
|  | 256'haa2cac5f556c15c647eb29365062daf6aa848e10b3f665abccca713036d9f1cb, | 
|  | 256'h1c9bd4aaeb19c5ac01b1805e0d5479860870da49a55e8f386ca8232c728e2f61, | 
|  | 256'h3007aa420758818e5312401372eaa00d21c70c7e1158d2e08a1b6ac0b820cb67, | 
|  | 256'hf0ba4b5c0865ff04f0f9d0175817c65d81918e43e14b2f83d574bfa9c6e6deae, | 
|  | 256'h64c22c2974a1d5c55e2367004b249d5a02fc566685ea33b6f73aaa0244b34412, | 
|  | 256'hb1a12230adb1748dc1d956f9f10c8e1aa52f4702e06a16680d92226c830ec4ce, | 
|  | 256'h4c2eead21f08c387c3f1de89eb33b983c748e848f68b54f256715221177c5a4a, | 
|  | 256'h0a47d82741955626755ba1cc24e2ba40504111b9e26136be714c5bc0d330c3f7, | 
|  | 256'h75e863de763270a993890d633c6897218e151943edd8b79ae145cf564b774613, | 
|  | 256'h0b0a76c40e7e84c876640dc78260c09a85e92e5ab56c22c0e72a8669fe88ba10, | 
|  | 256'h8b99e437c776f0cea0d144f285b6ab7259e12284f380ae3410171cd6a8b04415, | 
|  | 256'he95081c8c57e3e526ad5b38019a5c1b5505540462157e7c7e68e6a6a16ac460a, | 
|  | 256'h5d5578da28092c7cc927cb9c0ed614a79b0e32b4c5b6a269a40743bef42b5e29, | 
|  | 256'hd9a75ecb5548a29e9d34ddda07c8404aabbf5479456731ece3785f6090c3f862, | 
|  | 256'h6eb1a5119e8b8e56b1455d820b46e20e15bb7d185a636b10ab8565732c59a302, | 
|  | 256'h329925186604edbd5029a9f865268e90003b5b69d3e99240c3432291a60c62a4, | 
|  | 256'hebad1ed028cd021b27260db22089e0c44481b1a4c120134ac63dc52fbc4cafb2, | 
|  | 256'he065add2665fb361665267b53024329d96587d661f724171155ee73a3f0c47a8, | 
|  | 256'h149751a5903c8bbcaf1782e415dfda531eb2af67c25e190330a12000e1fbb9cd | 
|  | }; | 
|  |  | 
|  | // These LFSR parameters have been generated with | 
|  | // $ ./util/design/gen-lfsr-seed.py --width 32 --seed 2336700764 --prefix "" | 
|  | parameter int LfsrFwdWidth = 32; | 
|  | typedef logic [LfsrFwdWidth-1:0][$clog2(LfsrFwdWidth)-1:0] lfsr_fwd_perm_t; | 
|  | parameter lfsr_fwd_perm_t RndCnstLfsrFwdPermDefault = { | 
|  | 160'h7f3ac6d173d78678d84908157fba482e76685704 | 
|  | }; | 
|  |  | 
|  | // Message permutation | 
|  | // These LFSR parameters have been generated with | 
|  | // $ ./util/design/gen-lfsr-seed.py --width 64 --seed 1201202158 --prefix "" | 
|  | // And changed the type name from lfsr_perm_t to msg_perm_t | 
|  | typedef logic [MsgWidth-1:0][$clog2(MsgWidth)-1:0] msg_perm_t; | 
|  | parameter msg_perm_t RndCnstMsgPermDefault = { | 
|  | 128'h382af41849db4cfb9c885f72f118c102, | 
|  | 256'hcb5526978defac799192f65f54148379af21d7e10d82a5a33c3f31a1eaf964b8 | 
|  | }; | 
|  |  | 
|  | /////////////////////////// | 
|  | // Application interface // | 
|  | /////////////////////////// | 
|  |  | 
|  | // Number of the application interface | 
|  | // Currently KMAC has three interface. | 
|  | // 0: KeyMgr | 
|  | // 1: LC_CTRL | 
|  | // 2: ROM_CTRL | 
|  | // Make sure to change `width` of app inter-module signal definition | 
|  | // if this value is changed. | 
|  | parameter int unsigned NumAppIntf = 3; | 
|  |  | 
|  | // Application Algorithm | 
|  | // Each interface can choose algorithms among SHA3, cSHAKE, KMAC | 
|  | typedef enum bit [1:0] { | 
|  | // SHA3 mode doer not nees any additional information. | 
|  | // Prefix will be tied to all zero and not used. | 
|  | AppSHA3   = 0, | 
|  |  | 
|  | // In CShake/ KMAC mode, the Prefix can be determined by the compile-time | 
|  | // parameter or through CSRs. | 
|  | AppCShake = 1, | 
|  |  | 
|  | // In KMAC mode, the secret key always comes from sideload. | 
|  | AppKMAC   = 2 | 
|  | } app_mode_e; | 
|  |  | 
|  | // Predefined encoded_string | 
|  | parameter logic [15:0] EncodedStringEmpty = 16'h 0001; | 
|  | parameter logic [47:0] EncodedStringKMAC = 48'h 4341_4D4B_2001; | 
|  | parameter int unsigned NSPrefixW = sha3_pkg::NSRegisterSize*8; | 
|  |  | 
|  | typedef struct packed { | 
|  | app_mode_e Mode; | 
|  |  | 
|  | sha3_pkg::keccak_strength_e Strength; | 
|  |  | 
|  | // PrefixMode determines the origin value of Prefix that is used in KMAC | 
|  | // and cSHAKE operations. | 
|  | // Choose **0** for CSRs (!!PREFIX), or **1** to use `Prefix` parameter | 
|  | // below. | 
|  | bit PrefixMode; | 
|  |  | 
|  | // If `PrefixMode` is 1'b 1, then this `Prefix` value will be used in | 
|  | // cSHAKE or KMAC operation. | 
|  | logic [NSPrefixW-1:0] Prefix; | 
|  | } app_config_t; | 
|  |  | 
|  | parameter app_config_t AppCfg [NumAppIntf] = '{ | 
|  | // KeyMgr | 
|  | '{ | 
|  | Mode:       AppKMAC, // KeyMgr uses KMAC operation | 
|  | Strength:   sha3_pkg::L256, | 
|  | PrefixMode: 1'b 0,   // Use CSR for prefix | 
|  | Prefix:     '0       // Not used in CSR prefix mode | 
|  | }, | 
|  |  | 
|  | // LC_CTRL | 
|  | '{ | 
|  | Mode:       AppCShake, | 
|  | Strength:   sha3_pkg::L128, | 
|  | PrefixMode: 1'b 1,     // Use prefix parameter | 
|  | // {fname: encode_string(""), custom_str: encode_string("LC_CTRL")} | 
|  | Prefix: NSPrefixW'(88'h 4c_5254_435f_434C_3801_0001) | 
|  | }, | 
|  |  | 
|  | // ROM_CTRL | 
|  | '{ | 
|  | Mode:       AppCShake, | 
|  | Strength:   sha3_pkg::L256, | 
|  | PrefixMode: 1'b 1,     // Use prefix parameter | 
|  | // {fname: encode_string(""), custom_str: encode_string("ROM_CTRL")} | 
|  | Prefix: NSPrefixW'(96'h 4c52_5443_5f4d_4f52_4001_0001) | 
|  | } | 
|  | }; | 
|  |  | 
|  | // Exporting the app internal mux selection enum into the package. So that DV | 
|  | // can use this enum in its scoreboard. | 
|  | // Encoding generated with: | 
|  | // $ ./util/design/sparse-fsm-encode.py -d 3 -m 4 -n 5 \ | 
|  | //      -s 713832113 --language=sv | 
|  | // | 
|  | // Hamming distance histogram: | 
|  | // | 
|  | //  0: -- | 
|  | //  1: -- | 
|  | //  2: -- | 
|  | //  3: |||||||||||||||||||| (66.67%) | 
|  | //  4: |||||||||| (33.33%) | 
|  | //  5: -- | 
|  | // | 
|  | // Minimum Hamming distance: 3 | 
|  | // Maximum Hamming distance: 4 | 
|  | // Minimum Hamming weight: 1 | 
|  | // Maximum Hamming weight: 4 | 
|  | // | 
|  | localparam int AppMuxWidth = 5; | 
|  | typedef enum logic [AppMuxWidth-1:0] { | 
|  | SelNone   = 5'b10100, | 
|  | SelApp    = 5'b11001, | 
|  | SelOutLen = 5'b00010, | 
|  | SelSw     = 5'b01111 | 
|  | } app_mux_sel_e ; | 
|  |  | 
|  |  | 
|  |  | 
|  | // MsgWidth : 64 | 
|  | // MsgStrbW : 8 | 
|  | parameter int unsigned AppDigestW = 384; | 
|  | parameter int unsigned AppKeyW = 256; | 
|  |  | 
|  | typedef struct packed { | 
|  | logic valid; | 
|  | logic [MsgWidth-1:0] data; | 
|  | logic [MsgStrbW-1:0] strb; | 
|  | // last indicates the last beat of the data. strb can be partial only with | 
|  | // last. | 
|  | logic last; | 
|  | } app_req_t; | 
|  |  | 
|  | typedef struct packed { | 
|  | logic ready; | 
|  | logic done; | 
|  | logic [AppDigestW-1:0] digest_share0; | 
|  | logic [AppDigestW-1:0] digest_share1; | 
|  | // Error is valid when done is high. If any error occurs during KDF, KMAC | 
|  | // returns the garbage digest data with error. The KeyMgr discards the | 
|  | // digest and may re-initiate the process. | 
|  | logic error; | 
|  | } app_rsp_t; | 
|  |  | 
|  | parameter app_req_t APP_REQ_DEFAULT = '{ | 
|  | valid: 1'b 0, | 
|  | data: '0, | 
|  | strb: '0, | 
|  | last: 1'b 0 | 
|  | }; | 
|  | parameter app_rsp_t APP_RSP_DEFAULT = '{ | 
|  | ready: 1'b1, | 
|  | done:  1'b1, | 
|  | digest_share0: AppDigestW'(32'hDEADBEEF), | 
|  | digest_share1: AppDigestW'(32'hFACEBEEF), | 
|  | error: 1'b1 | 
|  | }; | 
|  |  | 
|  |  | 
|  | //////////////////// | 
|  | // Error Handling // | 
|  | //////////////////// | 
|  |  | 
|  | // Error structure is same to the SHA3 one. The codes do not overlap. | 
|  | typedef enum logic [7:0] { | 
|  | ErrNone = 8'h 00, | 
|  |  | 
|  | // ErrSha3SwControl occurs when software sent wrong flow signal. | 
|  | // e.g) Sw set `process_i` without `start_i`. The state machine ignores | 
|  | //      the signal and report through the error FIFO. | 
|  | //ErrSha3SwControl = 8'h 80 | 
|  |  | 
|  | // ErrKeyNotValid: KeyMgr interface raises an error if the secret key is | 
|  | // not valid when KeyMgr initiates KDF. | 
|  | ErrKeyNotValid = 8'h 01, | 
|  |  | 
|  | // ErrSwPushMsgFifo: Sw writes data into Msg FIFO abruptly. | 
|  | // This error occurs in below scenario: | 
|  | //   - Sw does not send "Start" command to KMAC then writes data into | 
|  | //     Msg FIFO | 
|  | //   - Sw writes data into Msg FIFO when KeyMgr is in operation | 
|  | ErrSwPushedMsgFifo = 8'h 02, | 
|  |  | 
|  | // ErrSwIssuedCmdInAppActive | 
|  | //  - Sw writes any command while AppIntf is in active. | 
|  | ErrSwIssuedCmdInAppActive = 8'h 03, | 
|  |  | 
|  | // ErrWaitTimerExpired | 
|  | // Entropy Wait timer expired. Something wrong on EDN i/f | 
|  | ErrWaitTimerExpired = 8'h 04, | 
|  |  | 
|  | // ErrIncorrectEntropyMode | 
|  | // Incorrect Entropy mode when entropy is ready | 
|  | ErrIncorrectEntropyMode = 8'h 05, | 
|  |  | 
|  | // ErrUnexpectedModeStrength | 
|  | ErrUnexpectedModeStrength = 8'h 06, | 
|  |  | 
|  | // ErrIncorrectFunctionName "KMAC" | 
|  | ErrIncorrectFunctionName = 8'h 07, | 
|  |  | 
|  | // ErrSwCmdSequence | 
|  | ErrSwCmdSequence = 8'h 08, | 
|  |  | 
|  | // Error Shadow register update | 
|  | ErrShadowRegUpdate = 8'h C0, | 
|  |  | 
|  | // Error due to lc_escalation_en_i or fatal fault | 
|  | ErrFatalError = 8'h C1 | 
|  | } err_code_e; | 
|  |  | 
|  | typedef struct packed { | 
|  | logic        valid; | 
|  | err_code_e   code; // Type of error | 
|  | logic [23:0] info; // Additional Debug info | 
|  | } err_t; | 
|  |  | 
|  | typedef struct packed { | 
|  | logic [AppDigestW-1:0] digest_share0; | 
|  | logic [AppDigestW-1:0] digest_share1; | 
|  | } rsp_digest_t; | 
|  | /////////////////////// | 
|  | // Library Functions // | 
|  | /////////////////////// | 
|  |  | 
|  | // Endian conversion functions (32-bit, 64-bit) | 
|  | function automatic logic [31:0] conv_endian32( input logic [31:0] v, input logic swap); | 
|  | logic [31:0] conv_data = {<<8{v}}; | 
|  | conv_endian32 = (swap) ? conv_data : v ; | 
|  | endfunction : conv_endian32 | 
|  |  | 
|  | function automatic logic [63:0] conv_endian64( input logic [63:0] v, input logic swap); | 
|  | logic [63:0] conv_data = {<<8{v}}; | 
|  | conv_endian64 = (swap) ? conv_data : v ; | 
|  | endfunction : conv_endian64 | 
|  |  | 
|  | endpackage : kmac_pkg |