[entropy complex/security] countermeasure lists and labels updated
For all entropy complex blocks, the countermeasure lists for all assets have been updated.
Instant labels have also been assigned near each asset within the RTL.
Signed-off-by: Mark Branstad <mark.branstad@wdc.com>
diff --git a/hw/ip/csrng/data/csrng.hjson b/hw/ip/csrng/data/csrng.hjson
index 9b3541b..48cea57 100644
--- a/hw/ip/csrng/data/csrng.hjson
+++ b/hw/ip/csrng/data/csrng.hjson
@@ -86,16 +86,25 @@
}
],
countermeasures: [
+ { name: "CONFIG.REGWEN"
+ desc: "Registers are protected from writes."
+ }
+ { name: "CONFIG.MUBI"
+ desc: "Registers have multi-bit encoded fields."
+ }
+ { name: "INTERSIG.MUBI"
+ desc: "OTP signal used to enable software access to registers."
+ }
{ name: "FSM.SPARSE"
desc: "Sparse state machine implementation."
}
{ name: "CTR.REDUN"
desc: "Counter hardening for generate command counter."
}
- { name: "LOGIC.INTEGRITY"
+ { name: "SW_GENBITS.BUS.CONSISTENCY"
desc: "Comparison on successive bus values for genbits returned on the software channel."
}
- { name: "BUS.INTEGRITY"
+ { name: "TILE_LINK.BUS.INTEGRITY"
desc: "Tilelink end-to-end bus integrity scheme."
}
],
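Review bot: The new `INTERSIG.MUBI` description says what the OTP signal is for but not what protects it; wording such as `desc: "OTP signal used to enable software access to registers is multi-bit encoded."` would state the countermeasure itself. `CONFIG.REGWEN` is similarly loose: "Registers are protected from writes." names neither the registers covered nor the write-enable lock that does the protecting. The `INTERSIG.MUBI` text recurs in entropy_src.hjson and the `CONFIG.REGWEN` text in edn.hjson. Because `LOGIC.INTEGRITY` and `BUS.INTEGRITY` are renamed here, any testplan or documentation reference to the old names presumably needs the same rename; none is visible in this diff.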
diff --git a/hw/ip/csrng/rtl/csrng.sv b/hw/ip/csrng/rtl/csrng.sv
index ebc6466..73a350d 100644
--- a/hw/ip/csrng/rtl/csrng.sv
+++ b/hw/ip/csrng/rtl/csrng.sv
@@ -24,6 +24,7 @@
output tlul_pkg::tl_d2h_t tl_o,
// OTP Interface
+ // SEC_CM: INTERSIG.MUBI
input prim_mubi_pkg::mubi8_t otp_en_csrng_sw_app_read_i,
// Lifecycle broadcast inputs
@@ -64,6 +65,9 @@
logic [NumAlerts-1:0] intg_err_alert;
assign intg_err_alert[0] = 1'b0;
+ // SEC_CM: CONFIG.REGWEN
+ // SEC_CM: TILE_LINK.BUS.INTEGRITY
+
csrng_reg_top u_reg (
.clk_i,
.rst_ni,
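Review bot: The two labels added above `csrng_reg_top u_reg (` are followed by a blank line, so they sit between the `intg_err_alert[0]` assignment and the instance without clearly belonging to either. Dropping that blank line would put `// SEC_CM: CONFIG.REGWEN` and `// SEC_CM: TILE_LINK.BUS.INTEGRITY` directly on the instance, matching how the `prim_count` and `prim_sparse_fsm_flop` labels are placed in this commit. The same label-then-blank-line layout appears in edn.sv above `edn_reg_top u_reg (`, and on the `SW_GENBITS.BUS.CONSISTENCY` and `CS_RDATA.BUS.CONSISTENCY` labels in csrng_core.sv and edn_core.sv. The u_reg port list continues outside the hunk.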
diff --git a/hw/ip/csrng/rtl/csrng_cmd_stage.sv b/hw/ip/csrng/rtl/csrng_cmd_stage.sv
index 520749b..1360f9b 100644
--- a/hw/ip/csrng/rtl/csrng_cmd_stage.sv
+++ b/hw/ip/csrng/rtl/csrng_cmd_stage.sv
@@ -174,6 +174,7 @@
cmd_gen_1st_req ? {sfifo_cmd_rdata[11:0]} :
cmd_gen_cmd_q;
+ // SEC_CM: CTR.REDUN
prim_count #(
.Width(GenBitsCntrWidth),
.OutSelDnCnt(1'b1), // count down
diff --git a/hw/ip/csrng/rtl/csrng_core.sv b/hw/ip/csrng/rtl/csrng_core.sv
index 3300e0f..efad39f 100644
--- a/hw/ip/csrng/rtl/csrng_core.sv
+++ b/hw/ip/csrng/rtl/csrng_core.sv
@@ -703,6 +703,8 @@
import prim_mubi_pkg::mubi4_test_invalid;
// check for illegal enable field states, and set alert if detected
+
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_cs_enable;
assign mubi_cs_enable = mubi4_t'(reg2hw.ctrl.enable.q);
assign cs_enable_pfe = mubi4_test_true_strict(mubi_cs_enable);
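Review bot: The added blank line separates the existing comment `// check for illegal enable field states, and set alert if detected` from the declarations it describes, with the new label in between. Putting `// SEC_CM: CONFIG.MUBI` above that comment, or directly below it with no blank line, keeps the explanation attached to the code. The same split occurs wherever this commit inserts a blank line plus `// SEC_CM: FSM.SPARSE` after the "size-only constraint" comment (csrng_ctr_drbg_gen.sv, both hunks of csrng_ctr_drbg_upd.sv, csrng_main_sm.sv, edn_main_sm.sv, and edn_ack_sm.sv, which gets two blank lines). It also occurs before `// SEC_CM: CTR.REDUN` in edn_core.sv.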
@@ -710,6 +712,7 @@
assign hw2reg.recov_alert_sts.enable_field_alert.de = cs_enable_pfa;
assign hw2reg.recov_alert_sts.enable_field_alert.d = cs_enable_pfa;
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_sw_app_enable;
assign mubi_sw_app_enable = mubi4_t'(reg2hw.ctrl.sw_app_enable.q);
assign sw_app_enable_pfe = mubi4_test_true_strict(mubi_sw_app_enable);
@@ -717,6 +720,7 @@
assign hw2reg.recov_alert_sts.sw_app_enable_field_alert.de = sw_app_enable_pfa;
assign hw2reg.recov_alert_sts.sw_app_enable_field_alert.d = sw_app_enable_pfa;
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_read_int_state;
assign mubi_read_int_state = mubi4_t'(reg2hw.ctrl.read_int_state.q);
assign read_int_state_pfe = mubi4_test_true_strict(mubi_read_int_state);
@@ -837,6 +841,8 @@
// an alert for sw to handle
//--------------------------------------------
+ // SEC_CM: SW_GENBITS.BUS.CONSISTENCY
+
// capture a copy of the genbits data
assign cs_rdata_capt_vld = (genbits_stage_vld[NApps-1] && genbits_stage_rdy[NApps-1]);
diff --git a/hw/ip/csrng/rtl/csrng_ctr_drbg_gen.sv b/hw/ip/csrng/rtl/csrng_ctr_drbg_gen.sv
index eeee4b7..6866f13 100644
--- a/hw/ip/csrng/rtl/csrng_ctr_drbg_gen.sv
+++ b/hw/ip/csrng/rtl/csrng_ctr_drbg_gen.sv
@@ -218,6 +218,8 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(state_e),
.Width(StateWidth),
diff --git a/hw/ip/csrng/rtl/csrng_ctr_drbg_upd.sv b/hw/ip/csrng/rtl/csrng_ctr_drbg_upd.sv
index b1ed3ea..7951a1b 100644
--- a/hw/ip/csrng/rtl/csrng_ctr_drbg_upd.sv
+++ b/hw/ip/csrng/rtl/csrng_ctr_drbg_upd.sv
@@ -186,6 +186,8 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(blk_enc_state_e),
.Width(BlkEncStateWidth),
@@ -233,6 +235,8 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(outblk_state_e),
.Width(OutBlkStateWidth),
diff --git a/hw/ip/csrng/rtl/csrng_main_sm.sv b/hw/ip/csrng/rtl/csrng_main_sm.sv
index 6b330c1..3da2ca8 100644
--- a/hw/ip/csrng/rtl/csrng_main_sm.sv
+++ b/hw/ip/csrng/rtl/csrng_main_sm.sv
@@ -76,6 +76,8 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(state_e),
.Width(StateWidth),
diff --git a/hw/ip/edn/data/edn.hjson b/hw/ip/edn/data/edn.hjson
index 500a5d9..82753e4 100644
--- a/hw/ip/edn/data/edn.hjson
+++ b/hw/ip/edn/data/edn.hjson
@@ -51,16 +51,22 @@
}
],
countermeasures: [
+ { name: "CONFIG.REGWEN"
+ desc: "Registers are protected from writes."
+ }
+ { name: "CONFIG.MUBI"
+ desc: "Registers have multi-bit encoded fields."
+ }
{ name: "FSM.SPARSE"
desc: "Sparse state machine implementation."
}
{ name: "CTR.REDUN"
desc: "Counter hardening on the generate command maximum requests counter."
}
- { name: "LOGIC.INTEGRITY"
+ { name: "CS_RDATA.BUS.CONSISTENCY"
desc: "Comparison on successive bus values for genbits returned from csrng that will destribute over the endpoint buses."
}
- { name: "BUS.INTEGRITY"
+ { name: "TILE_LINK.BUS.INTEGRITY"
desc: "Tilelink end-to-end bus integrity scheme."
}
],
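Review bot: The description under the renamed `CS_RDATA.BUS.CONSISTENCY` entry still contains the typo "destribute". Since this commit already fixes "generater" in entropy_src.hjson, the same cleanup fits here: `desc: "Comparison on successive bus values for genbits returned from csrng that will distribute over the endpoint buses."`.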
diff --git a/hw/ip/edn/rtl/edn.sv b/hw/ip/edn/rtl/edn.sv
index 0be662b..52836c1 100644
--- a/hw/ip/edn/rtl/edn.sv
+++ b/hw/ip/edn/rtl/edn.sv
@@ -47,6 +47,9 @@
assign intg_err_alert[0] = 1'b0;
+ // SEC_CM: CONFIG.REGWEN
+ // SEC_CM: TILE_LINK.BUS.INTEGRITY
+
edn_reg_top u_reg (
.clk_i,
.rst_ni,
diff --git a/hw/ip/edn/rtl/edn_ack_sm.sv b/hw/ip/edn/rtl/edn_ack_sm.sv
index ec2ba42..0c9d73d 100644
--- a/hw/ip/edn/rtl/edn_ack_sm.sv
+++ b/hw/ip/edn/rtl/edn_ack_sm.sv
@@ -51,6 +51,9 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(state_e),
.Width(StateWidth),
diff --git a/hw/ip/edn/rtl/edn_core.sv b/hw/ip/edn/rtl/edn_core.sv
index 0ba2f4e..afde8f2 100644
--- a/hw/ip/edn/rtl/edn_core.sv
+++ b/hw/ip/edn/rtl/edn_core.sv
@@ -329,6 +329,7 @@
import prim_mubi_pkg::mubi4_test_true_strict;
import prim_mubi_pkg::mubi4_test_invalid;
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_edn_enable;
assign mubi_edn_enable = mubi4_t'(reg2hw.ctrl.edn_enable.q);
assign edn_enable_pfe = mubi4_test_true_strict(mubi_edn_enable);
@@ -336,6 +337,7 @@
assign hw2reg.recov_alert_sts.edn_enable_field_alert.de = edn_enable_pfa;
assign hw2reg.recov_alert_sts.edn_enable_field_alert.d = edn_enable_pfa;
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_cmd_fifo_rst;
assign mubi_cmd_fifo_rst = mubi4_t'(reg2hw.ctrl.cmd_fifo_rst.q);
assign cmd_fifo_rst_pfe = mubi4_test_true_strict(mubi_cmd_fifo_rst);
@@ -353,6 +355,7 @@
//--------------------------------------------
// sw register interface
//--------------------------------------------
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_auto_req_mode;
assign mubi_auto_req_mode = mubi4_t'(reg2hw.ctrl.auto_req_mode.q);
assign auto_req_mode_pfe = mubi4_test_true_strict(mubi_auto_req_mode);
@@ -530,6 +533,8 @@
// Maximum requests counter for a generate command
+
+ // SEC_CM: CTR.REDUN
prim_count #(
.Width(RegWidth),
.OutSelDnCnt(1'b1), // count down
@@ -563,6 +568,7 @@
assign cmd_sent = (cmd_fifo_cnt_q == RescmdFifoIdxWidth'(1));
+ // SEC_CM: CONFIG.MUBI
mubi4_t mubi_boot_req_mode;
assign mubi_boot_req_mode = mubi4_t'(reg2hw.ctrl.boot_req_mode.q);
assign boot_req_mode_pfe = mubi4_test_true_strict(mubi_boot_req_mode);
@@ -665,6 +671,8 @@
// an alert for sw to handle
//--------------------------------------------
+ // SEC_CM: CS_RDATA.BUS.CONSISTENCY
+
// capture a copy of the entropy data
assign cs_rdata_capt_vld = (packer_cs_rvalid && packer_cs_rready);
diff --git a/hw/ip/edn/rtl/edn_main_sm.sv b/hw/ip/edn/rtl/edn_main_sm.sv
index f07b7a8..6116bcd 100644
--- a/hw/ip/edn/rtl/edn_main_sm.sv
+++ b/hw/ip/edn/rtl/edn_main_sm.sv
@@ -64,6 +64,8 @@
// This primitive is used to place a size-only constraint on the
// flops in order to prevent FSM state encoding optimizations.
+
+ // SEC_CM: FSM.SPARSE
prim_sparse_fsm_flop #(
.StateEnumT(state_e),
.Width(StateWidth),
diff --git a/hw/ip/entropy_src/data/entropy_src.hjson b/hw/ip/entropy_src/data/entropy_src.hjson
index b4b7846..d3a6797 100644
--- a/hw/ip/entropy_src/data/entropy_src.hjson
+++ b/hw/ip/entropy_src/data/entropy_src.hjson
@@ -88,16 +88,22 @@
{ name: "CONFIG.MUBI"
desc: "Registers have multi-bit encoded fields."
}
+ { name: "CONFIG.REDUN"
+ desc: "Threshold register has an inverted copy to compare against."
+ }
+ { name: "INTERSIG.MUBI"
+ desc: "OTP signal used to enable software access to registers."
+ }
{ name: "FSM.SPARSE"
desc: "Sparse state machine implementation."
}
{ name: "RNG.BKGN_CHK"
- desc: "Random number generater is protected with continuous background health checks."
+ desc: "Random number generator is protected with continuous background health checks."
}
{ name: "CTR.REDUN"
desc: "Counter hardening for all health test counters."
}
- { name: "ESFINAL_RDATA.BUS.INTEGRITY"
+ { name: "ESFINAL_RDATA.BUS.CONSISTENCY"
desc: "Comparison on successive bus values for the post-conditioned entropy seed bus."
}
{ name: "TILE_LINK.BUS.INTEGRITY"
diff --git a/hw/ip/entropy_src/rtl/entropy_src.sv b/hw/ip/entropy_src/rtl/entropy_src.sv
index 3056ce8..b109cb1 100644
--- a/hw/ip/entropy_src/rtl/entropy_src.sv
+++ b/hw/ip/entropy_src/rtl/entropy_src.sv
@@ -24,7 +24,9 @@
output tlul_pkg::tl_d2h_t tl_o,
// OTP Interface
+ // SEC_CM: INTERSIG.MUBI
input mubi8_t otp_en_entropy_src_fw_read_i,
+ // SEC_CM: INTERSIG.MUBI
input mubi8_t otp_en_entropy_src_fw_over_i,
// RNG Interface
diff --git a/hw/ip/entropy_src/rtl/entropy_src_core.sv b/hw/ip/entropy_src/rtl/entropy_src_core.sv
index 22d37dd..97fe1c3 100644
--- a/hw/ip/entropy_src/rtl/entropy_src_core.sv
+++ b/hw/ip/entropy_src/rtl/entropy_src_core.sv
@@ -1780,6 +1780,7 @@
assign hw2reg.alert_summary_fail_counts.d = any_fail_count;
// signal an alert
+ // SEC_CM: CONFIG.REDUN
assign alert_threshold = reg2hw.alert_threshold.alert_threshold.q;
assign alert_threshold_inv = reg2hw.alert_threshold.alert_threshold_inv.q;
assign es_thresh_cfg_alert = (~alert_threshold_inv != alert_threshold);
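Review bot: The `CONFIG.REDUN` label lands under the existing comment `// signal an alert`, which says nothing about the redundancy check the label refers to. A short comment would make the asset self-explanatory, for example `// alert_threshold is stored with an inverted copy; a mismatch sets es_thresh_cfg_alert`. Where `es_thresh_cfg_alert` is consumed lies outside this hunk, so how a mismatch is reported cannot be confirmed from here.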
@@ -2241,7 +2242,7 @@
// an alert for sw to handle
//--------------------------------------------
- // SEC_CM: ESFINAL_RDATA.BUS.INTEGRITY
+ // SEC_CM: ESFINAL_RDATA.BUS.CONSISTENCY
// capture a copy of the entropy data
assign es_rdata_capt_vld = (sfifo_esfinal_pop && sfifo_esfinal_not_empty);