| // Copyright lowRISC contributors. |
| // Licensed under the Apache License, Version 2.0, see LICENSE for details. |
| // SPDX-License-Identifier: Apache-2.0 |
| |
| // Security countermeasures testplan extracted from the IP Hjson using reggen. |
| // |
| // This testplan is auto-generated only the first time it is created. This is |
| // because this testplan needs to be hand-editable. It is possible that these |
| // testpoints can go out of date if the spec is updated with new |
| // countermeasures. When `reggen` is invoked when this testplan already exists, |
| // It checks if the list of testpoints is up-to-date and enforces the user to |
| // make further manual updates. |
| // |
| // These countermeasures and their descriptions can be found here: |
| // .../keymgr/data/keymgr.hjson |
| // |
| // It is possible that the testing of some of these countermeasures may already |
| // be covered as a testpoint in a different testplan. This duplication is ok - |
| // the test would have likely already been developed. We simply map those tests |
| // to the testpoints below using the `tests` key. |
| // |
| // Please ensure that this testplan is imported in: |
| // .../keymgr/data/keymgr_testplan.hjson |
| { |
| testpoints: [ |
| { |
| name: sec_cm_bus_integrity |
| desc: "Verify the countermeasure(s) BUS.INTEGRITY." |
| stage: V2S |
| tests: ["keymgr_tl_intg_err"] |
| } |
| { |
| name: sec_cm_config_shadow |
| desc: "Verify the countermeasure(s) CONFIG.SHADOW." |
| stage: V2S |
| tests: ["keymgr_shadow_reg_errors"] |
| } |
| { |
| name: sec_cm_op_config_regwen |
| desc: '''Verify the countermeasure(s) OP.CONFIG.REGWEN." |
| |
| X-ref'ed with `cfgen_during_op`.''' |
| stage: V2S |
| tests: ["keymgr_cfg_regwen"] |
| } |
| { |
| name: sec_cm_reseed_config_regwen |
| desc: '''Verify the countermeasure(s) RESEED.CONFIG.REGWEN. |
| |
| X-ref'ed with `random`.''' |
| stage: V2S |
| tests: ["keymgr_random", "keymgr_csr_rw"] |
| } |
| { |
| name: sec_cm_sw_binding_config_regwen |
| desc: '''Verify the countermeasure(s) SW_BINDING.CONFIG.REGWEN. |
| |
| Test that `sw_binding_regwen` gates the *_sw_binding and |
| `sw_binding_regwen` will be cleared after a successful advance operation. |
| X-ref'ed with `random`.''' |
| stage: V2S |
| tests: ["keymgr_random", "keymgr_csr_rw"] |
| } |
| { |
| name: sec_cm_max_key_ver_config_regwen |
| desc: '''Verify the countermeasure(s) MAX_KEY_VER.CONFIG.REGWEN. |
| |
| X-ref'ed with `random`.''' |
| stage: V2S |
| tests: ["keymgr_random", "keymgr_csr_rw"] |
| } |
| { |
| name: sec_cm_lc_ctrl_intersig_mubi |
| desc: '''Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI. |
| |
| X-ref'ed with `lc_disable`.''' |
| stage: V2S |
| tests: ["keymgr_lc_disable"] |
| } |
| { |
| name: sec_cm_constants_consistency |
| desc: '''Verify the countermeasure(s) CONSTANTS.CONSISTENCY. |
| |
| X-ref'ed with `invalid_hw_input`.''' |
| stage: V2S |
| tests: ["keymgr_hwsw_invalid_input"] |
| } |
| { |
| name: sec_cm_intersig_consistency |
| desc: '''Verify the countermeasure(s) INTERSIG.CONSISTENCY. |
| |
| Test `otp diversification` input with all 0s or 1s. |
| X-ref'ed with `invalid_hw_input`.''' |
| stage: V2S |
| tests: ["keymgr_hwsw_invalid_input"] |
| } |
| { |
| name: sec_cm_hw_key_sw_noaccess |
| desc: '''Verify the countermeasure(s) HW.KEY.SW_NOACCESS. |
| |
| The CSRs `sw_share*_output` are checked with expected values, which |
| should never match to HW sideload keys.''' |
| stage: V2S |
| tests: ["keymgr_random"] |
| } |
| { |
| name: sec_cm_output_keys_ctrl_redun |
| desc: '''Verify the countermeasure(s) OUTPUT_KEYS.CTRL.REDUN. |
| |
| 1. Randomly advance to a functional state and start a sideload operation. |
| 2. Flip either data_sw_en or data_valid. |
| 3. Read sw_share* for check: |
| - if hw_key_sel is flipped but data_sw_en is not, it doesn't match either the |
| previously flopped value or the sideload value. |
| - if hw_key_sel is not flipped but data_en is, you should see the previous value.''' |
| stage: V2S |
| tests: ["keymgr_sideload_protect"] |
| } |
| { |
| name: sec_cm_ctrl_fsm_sparse |
| desc: "Verify the countermeasure(s) CTRL.FSM.SPARSE." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_data_fsm_sparse |
| desc: "Verify the countermeasure(s) DATA.FSM.SPARSE." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_ctrl_fsm_local_esc |
| desc: '''Verify the countermeasure(s) CTRL.FSM.LOCAL_ESC. |
| |
| X-ref'ed with `sec_cm_additional_check`.''' |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_ctrl_fsm_consistency |
| desc: '''Verify the countermeasure(s) CTRL.FSM.CONSISTENCY. |
| |
| - Set `ral.control_shadowed` to OpDisable, so that no Advance or Generate operation |
| is selected. |
| - Force internal `tb.dut.u_ctrl.adv_en_o` or `tb.dut.u_ctrl.gen_en_o` to 1. |
| - Check the fatal alert is triggered and `fault_status.ctrl_fsm_chk` is set.''' |
| stage: V2S |
| tests: ["keymgr_custom_cm"] |
| } |
| { |
| name: sec_cm_ctrl_fsm_global_esc |
| desc: '''Verify the countermeasure(s) CTRL.FSM.GLOBAL_ESC. |
| |
| X-ref'ed with `lc_disable`.''' |
| stage: V2S |
| tests: ["keymgr_lc_disable"] |
| } |
| { |
| name: sec_cm_ctrl_ctr_redun |
| desc: "Verify the countermeasure(s) CTRL.CTR.REDUN." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_kmac_if_fsm_sparse |
| desc: "Verify the countermeasure(s) KMAC_IF.FSM.SPARSE." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_kmac_if_ctr_redun |
| desc: "Verify the countermeasure(s) KMAC_IF.CTR.REDUN." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_kmac_if_cmd_ctrl_consistency |
| desc: '''Verify the countermeasure(s) KMAC_IF_CMD.CTRL.CONSISTENCY. |
| |
| - Inject one of these faults: |
| - Verify violation of $onehot0 property of the ctrl bits leads to a fault: |
| - Force {u_ctrl.adv_en_o, u_ctrl.id_en_o, u_ctrl.gen_en_o} to a non-onehot and |
| non-zero value. |
| - Verify the modification of the ctrl bits during an active operation leads to a fault: |
| - Start a valid operation, then force {u_ctrl.adv_en_o, u_ctrl.id_en_o, u_ctrl.gen_en_o} |
| to a different onehot value during the operation. This simulates that an operation |
| is flipped to another operation before it finishes. |
| - Check the fatal alert is triggered and `fault_status.cmd` is set.''' |
| stage: V2S |
| tests: ["keymgr_custom_cm"] |
| } |
| { |
| name: sec_cm_kmac_if_done_ctrl_consistency |
| desc: '''Verify the countermeasure(s) KMAC_IF_DONE.CTRL.CONSISTENCY. |
| |
| - Set `kmac_data_i.done` when it's not in a valid done period. |
| - Valid done period is between dut sending out the last data and kmac returning |
| a response with `done`. |
| - Check the fatal alert is triggered and `fault_status.kmac_done` is set.''' |
| stage: V2S |
| tests: ["keymgr_custom_cm"] |
| } |
| { |
| name: sec_cm_reseed_ctr_redun |
| desc: "Verify the countermeasure(s) RESEED.CTR.REDUN." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_side_load_sel_ctrl_consistency |
| desc: '''Verify the countermeasure(s) SIDE_LOAD_SEL.CTRL.CONSISTENCY. |
| |
| - Clear all sideload keys, and issue a sideload operation. |
| - Force `u_sideload_ctrl.valids` to a different and none-zero value, so that it enables |
| more sideload interfaces than expected. |
| - Check the fatal alert is triggered and `fault_status.side_ctrl_sel` is set.''' |
| stage: V2S |
| tests: ["keymgr_custom_cm"] |
| } |
| { |
| name: sec_cm_sideload_ctrl_fsm_sparse |
| desc: "Verify the countermeasure(s) SIDELOAD_CTRL.FSM.SPARSE." |
| stage: V2S |
| tests: ["keymgr_sec_cm"] |
| } |
| { |
| name: sec_cm_ctrl_key_integrity |
| desc: '''Verify the countermeasure(s) CTRL.KEY.INTEGRITY. |
| |
| - Flip up to 2 bits of the internal key (u_ctrl.key_state_q). |
| - Check the fatal alert is triggered and `fault_status.key_ecc` is set.''' |
| stage: V2S |
| tests: ["keymgr_custom_cm"] |
| } |
| ] |
| } |
