hw/ip/sram_ctrl/data/sram_ctrl_sec_cm_testplan.hjson

// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

// Security countermeasures testplan extracted from the IP Hjson using reggen.
//
// This testplan is auto-generated only the first time it is created. This is
// because this testplan needs to be hand-editable. It is possible that these
// testpoints can go out of date if the spec is updated with new
// countermeasures. When `reggen` is invoked when this testplan already exists,
// It checks if the list of testpoints is up-to-date and enforces the user to
// make further manual updates.
//
// These countermeasures and their descriptions can be found here:
// .../sram_ctrl/data/sram_ctrl.hjson
//
// It is possible that the testing of some of these countermeasures may already
// be covered as a testpoint in a different testplan. This duplication is ok -
// the test would have likely already been developed. We simply map those tests
// to the testpoints below using the `tests` key.
//
// Please ensure that this testplan is imported in:
// .../sram_ctrl/data/sram_ctrl_testplan.hjson
{
  testpoints: [
    {
      name: sec_cm_bus_integrity
      desc: "Verify the countermeasure(s) BUS.INTEGRITY."
      stage: V2S
      tests: ["{name}_tl_intg_err"]
    }
    {
      name: sec_cm_ctrl_config_regwen
      desc: '''Verify the countermeasure(s) CTRL.CONFIG.REGWEN.

            The `ctrl` CSR is excluded in CSR tests, add another test to verify:
             - When `ctrl_regwen` is 1, writting to `ctrl` can take effect.
             - When `ctrl_regwen` is 0, writting to `ctrl` has no effect.
            '''
      stage: V2S
      tests: ["{name}_regwen"]
    }
    {
      name: sec_cm_exec_config_regwen
      desc: "Verify the countermeasure(s) EXEC.CONFIG.REGWEN."
      stage: V2S
      tests: ["{name}_csr_rw"]
    }
    {
      name: sec_cm_exec_config_mubi
      desc: '''Verify the countermeasure(s) EXEC.CONFIG.MUBI.

            Refer to the testpoint `executable` for the detail scenario.
            '''
      stage: V2S
      tests: ["{name}_executable"]
    }
    {
      name: sec_cm_exec_intersig_mubi
      desc: '''Verify the countermeasure(s) EXEC.INTERSIG.MUBI.

            Refer to the testpoint `executable` for the detail scenario.
            `cip_mubi_cov_if` is bound to this port.
            '''
      stage: V2S
      tests: ["{name}_executable"]
    }
    {
      name: sec_cm_lc_hw_debug_en_intersig_mubi
      desc: '''Verify the countermeasure(s) LC_HW_DEBUG_EN.INTERSIG.MUBI.

            Refer to the testpoint `executable` for the detail scenario.
            `cip_mubi_cov_if` is bound to this port.
            '''
      stage: V2S
      tests: ["{name}_executable"]
    }
    {
      name: sec_cm_lc_escalate_en_intersig_mubi
      desc: '''Verify the countermeasure(s) LC_ESCALATE_EN.INTERSIG.MUBI.

            Refer to the testpoint `lc_escalation` for the detail scenario.
            `cip_lc_tx_cov_if` is bound to this port.
            '''
      stage: V2S
      tests: ["{name}_lc_escalation"]
    }
    {
      name: sec_cm_mem_integrity
      desc: "Verify the countermeasure(s) MEM.INTEGRITY."
      stage: V2S
      tests: ["{name}_passthru_mem_tl_intg_err"]
    }
    {
      name: sec_cm_mem_scramble
      desc: '''Verify the countermeasure(s) MEM.SCRAMBLE.

            This is verified in all non-CSR tests.
            '''
      stage: V2S
      tests: ["{name}_smoke"]
    }
    {
      name: sec_cm_addr_scramble
      desc: '''Verify the countermeasure(s) ADDR.SCRAMBLE.

            This is verified in all non-CSR tests.
            '''
      stage: V2S
      tests: ["{name}_smoke"]
    }
    {
      name: sec_cm_instr_bus_lc_gated
      desc: '''Verify the countermeasure(s) INSTR.BUS.LC_GATED."

            Refer to the testpoint `executable` for the detail scenario.
            '''
      stage: V2S
      tests: ["{name}_executable"]
    }
    {
      name: sec_cm_ram_tl_lc_gate_fsm_sparse
      desc: "Verify the countermeasure(s) RAM_TL_LC_GATE.FSM.SPARSE."
      stage: V2S
      tests: ["{name}_sec_cm"]
    }
    {
      name: sec_cm_key_global_esc
      desc: "Verify the countermeasure(s) KEY.GLOBAL_ESC."
      stage: V2S
      tests: ["{name}_lc_escalation"]
    }
    {
      name: sec_cm_key_local_esc
      desc: '''Verify the countermeasure(s) KEY.LOCAL_ESC.

            Besides the stimulus and checks mentioned in `prim_count_check``, also have
            following checks:
            - Check internal key/nonce are reset to the default values.
            - Check SRAM access is blocked after a fault injection.
            '''
      stage: V2S
      tests: ["{name}_sec_cm"]
    }
    {
      name: sec_cm_init_ctr_redun
      desc: '''Verify the countermeasure(s) INIT.CTR.REDUN.

            Besides the stimulus and checks mentioned in `prim_count_check` and
            `sec_cm_key_local_esc`, also have following checks:
            - Check alert and `status.init_error` is set.
            '''
      stage: V2S
      tests: ["{name}_sec_cm"]
    }
    {
      name: sec_cm_scramble_key_sideload
      desc: '''Verify the countermeasure(s) SCRAMBLE.KEY.SIDELOAD.

            Simulation can't really prove that the sideload key is unreachable by SW.
            However, from defined CSRs and memory returned data, there is no way to read
            scramble key by SW.
            '''
      stage: V2S
      tests: ["{name}_smoke"]
    }
    {
      name: sec_cm_tlul_fifo_ctr_redun
      desc: '''Verify the countermeasure(s) TLUL_FIFO.CTR.REDUN.
            '''
      stage: V2S
      tests: ["{name}_sec_cm"]
    }

  ]
}