hw/ip/keymgr/data/keymgr_testplan.hjson - 3p/lowrisc/opentitan - Git at Google

 // Copyright lowRISC contributors.
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 {
   name: "keymgr"
   import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/intr_test_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/alert_test_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/tl_device_access_types_testplan.hjson",
                      "hw/dv/tools/dvsim/testplans/stress_all_with_reset_testplan.hjson"]
   testpoints: [
     {
       name: smoke
       desc: '''
             Smoke test accessing a major datapath within the keymgr.
             Test operations (advance, gen-id and gen-sw-out) in every state

             Stimulus:
             - Go through state from `StReset` to `StDisabled`.
             - Issue gen-id, gen-sw-output operation in each state, including invalid operations in
               states other than normal operating states (`StCreatorRootKey`, `StOwnerIntKey` and
               `StOwnerRootKey`).

             Checks:
             - Check STATUS reg for each operation.
             - Check interrupts `op_done` is triggered when operation is done.
             - Check `err` and alert `recov_operation_err` are triggered after invalid operation.
             - Check KMAC key, KMAC data and output SW data for correctness.
             - For invalid operations, check KMAC key, KMAC data and output SW data don't match to
               any of saved meaningful data, which are collected from valid operations. This
               checking method is also applied to other error cases.
             '''
       milestone: V1
       tests: ["keymgr_smoke"]
     }
     {
       name: random
       desc: '''
             Extend from smoke to randomize all SW input data
             - Fully randomize SW input: rom_ext_desc_*, software_binding_*, salt_*, max_*_key_ver,
               *_key_ver_en.
             - Randomize key_version any value less than max_*_key_ver, to avoid triggerring
               `invalid_kmac_input` error.
             - Fully randomize HW input from flash, otp and life cycle.

             Most of other sequences are derived from this to have similar init and sequence.

             Stimulus and checks are the same as smoke.
             '''
       milestone: V1
       tests: ["keymgr_random"]
     }
     {
       name: cfgen_during_op
       desc: '''
             CFGEN is RO reg and it gates bunch of write access of other registers, which isn't
             tested in common CSR tests.

             Stimulus and checks:
             Test command and reg access gated by CFGEN is ignored during operation.
             '''
       milestone: V2
       tests: ["keymgr_cfg_regwen"]
     }
     {
       name: cfgen_at_st_random
       desc: '''
             `StRandom` is a temporary state during init operation, which will set CSR CFGEN.

             Stimulus and checks:
             Test command and reg access gated by CFGEN is ignored during `StRandom`.
             '''
       milestone: V2
       tests: ["keymgr_cfg_regwen"]
     }
     {
       name: sideload
       desc: '''
             Keymgr contains HW sideload interfaces to output keys for KMAC, HMAC, AES.

             Stimulus:
             Generate a keymgr output to HW sideload interface, excising all the sideload interfaces.

             Checks:
             Verify the sideload data and status for correctness.
             '''
       milestone: V2
       tests: ["keymgr_sideload", "keymgr_sideload_kmac",
               "keymgr_sideload_aes", "keymgr_sideload_otbn"]
     }
     {
       name: init_n_start
       desc: '''
             Stimulus and checks:
             Verify all combinations of `init` and `start`.
             - If both are set in `StReset`, check `INVALID_OP` error is triggered.
             - If it's in other state, `init` is ignored.
             '''
       milestone: V2
       tests: ["keymgr_random"]
     }
     {
       name: direct_to_disabled_state
       desc: '''
             Stimulus and checks:
             Directly go to `StDisabled` from any state and check `StDisabled` is entered correctly.
             '''
       milestone: V2
       tests: ["keymgr_direct_to_disabled"]
     }
     {
       name: lc_disable
       desc: '''
             Life cycle can disable keymgr and let keymgr wipe secret immediately.

             Stimulus:
             Test life cycle disables keymgr in any state.

             Checks:
             - If keymgr is not initialized, check it can't be initialized until life cycle enables
               keymgr.
             - If keymgr is in a valid state after init, key output to KMAC is wiped immediately and
               SW output will be invalid after OP is done.
             - If keymgr in disabled state, check the behavior is consistent with normal behavior.
             '''
       milestone: V2
       tests: ["keymgr_lc_disable"]
     }
     {
       name: invalid_cmd
       desc: '''
             Verify `keymgr` security countermeasures on fault injection.

             Stimulus:
             Force one of these or both
             - Force advance, gen_id and gen_out to not one-hot
               - Path: `dut.u_ctrl.adv_en_o/id_en_o/gen_en_o`
             - Force KMAC FSM to default branch to trigger FSM error
               - Path: `dut.u_kmac_if.state_d`

             Checks:
             - Check interrupts `err` is triggered.
             - Check alert `fatal_fault_err` is triggered and err_code is `INVALID_CMD`.
             - Check KMAC output key and output data to SW are corrupted, also keymgr enters
               StDisabled.
             '''
       milestone: V2
       tests: ["keymgr_cmd_invalid"]
     }
     {
       name: kmac_error_response
       desc: '''
             Verify `keymgr` behavior on error response received from `KMAC` after sending data to
             it.

             Stimulus:
             Drive error from KMAC interface when VALID is high.

             Checks:
             Same as above entry - "invalid_cmd".
             '''
       milestone: V2
       tests: ["keymgr_kmac_rsp_err"]
     }
     {
       name: invalid_kmac_input
       desc: '''
             Verify `keymgr` behavior with invalid key version.

             Stimulus:
             Randomize KEY_VERSION and MAX_*_VER registers.

             Checks:
             when KEY_VERSION > MAX_*_VER
             - Check interrupts `err` is triggered.
             - Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_INPUT`.
             - Check KMAC output key is corrupted and working state remains the same.
             '''
       milestone: V2
       tests: ["keymgr_sw_invalid_input"]
     }
     {
       name: invalid_kmac_data
       desc: '''
             Verify `keymgr` behavior with invalid data patterns.

             Stimulus:
             Use all 0s or 1s as KMAC input digest data

             Checks:
             - Check interrupts `err` is triggered.
             - Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_DATA`.
             - Check SW output isn't updated and working state remains the same.
             '''
       milestone: V2
       tests: ["keymgr_hwsw_invalid_input"]
     }
     {
       name: stress_all
       desc: '''
             - Combine above sequences in one test to run sequentially, except csr sequence and
               keymgr_cfg_regwen (requires zero_delays)
             - Randomly add reset between each sequence'''
       milestone: V2
       tests: ["keymgr_stress_all"]
     }
   ]
 }
	// Copyright lowRISC contributors.
	// Licensed under the Apache License, Version 2.0, see LICENSE for details.
	// SPDX-License-Identifier: Apache-2.0
	{
	name: "keymgr"
	import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/intr_test_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/alert_test_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/tl_device_access_types_testplan.hjson",
	"hw/dv/tools/dvsim/testplans/stress_all_with_reset_testplan.hjson"]
	testpoints: [
	{
	name: smoke
	desc: '''
	Smoke test accessing a major datapath within the keymgr.
	Test operations (advance, gen-id and gen-sw-out) in every state

	Stimulus:
	- Go through state from `StReset` to `StDisabled`.
	- Issue gen-id, gen-sw-output operation in each state, including invalid operations in
	states other than normal operating states (`StCreatorRootKey`, `StOwnerIntKey` and
	`StOwnerRootKey`).

	Checks:
	- Check STATUS reg for each operation.
	- Check interrupts `op_done` is triggered when operation is done.
	- Check `err` and alert `recov_operation_err` are triggered after invalid operation.
	- Check KMAC key, KMAC data and output SW data for correctness.
	- For invalid operations, check KMAC key, KMAC data and output SW data don't match to
	any of saved meaningful data, which are collected from valid operations. This
	checking method is also applied to other error cases.
	'''
	milestone: V1
	tests: ["keymgr_smoke"]
	}
	{
	name: random
	desc: '''
	Extend from smoke to randomize all SW input data
	- Fully randomize SW input: rom_ext_desc_, software_binding_, salt_, max__key_ver,
	*_key_ver_en.
	- Randomize key_version any value less than max_*_key_ver, to avoid triggerring
	`invalid_kmac_input` error.
	- Fully randomize HW input from flash, otp and life cycle.

	Most of other sequences are derived from this to have similar init and sequence.

	Stimulus and checks are the same as smoke.
	'''
	milestone: V1
	tests: ["keymgr_random"]
	}
	{
	name: cfgen_during_op
	desc: '''
	CFGEN is RO reg and it gates bunch of write access of other registers, which isn't
	tested in common CSR tests.

	Stimulus and checks:
	Test command and reg access gated by CFGEN is ignored during operation.
	'''
	milestone: V2
	tests: ["keymgr_cfg_regwen"]
	}
	{
	name: cfgen_at_st_random
	desc: '''
	`StRandom` is a temporary state during init operation, which will set CSR CFGEN.

	Stimulus and checks:
	Test command and reg access gated by CFGEN is ignored during `StRandom`.
	'''
	milestone: V2
	tests: ["keymgr_cfg_regwen"]
	}
	{
	name: sideload
	desc: '''
	Keymgr contains HW sideload interfaces to output keys for KMAC, HMAC, AES.

	Stimulus:
	Generate a keymgr output to HW sideload interface, excising all the sideload interfaces.

	Checks:
	Verify the sideload data and status for correctness.
	'''
	milestone: V2
	tests: ["keymgr_sideload", "keymgr_sideload_kmac",
	"keymgr_sideload_aes", "keymgr_sideload_otbn"]
	}
	{
	name: init_n_start
	desc: '''
	Stimulus and checks:
	Verify all combinations of `init` and `start`.
	- If both are set in `StReset`, check `INVALID_OP` error is triggered.
	- If it's in other state, `init` is ignored.
	'''
	milestone: V2
	tests: ["keymgr_random"]
	}
	{
	name: direct_to_disabled_state
	desc: '''
	Stimulus and checks:
	Directly go to `StDisabled` from any state and check `StDisabled` is entered correctly.
	'''
	milestone: V2
	tests: ["keymgr_direct_to_disabled"]
	}
	{
	name: lc_disable
	desc: '''
	Life cycle can disable keymgr and let keymgr wipe secret immediately.

	Stimulus:
	Test life cycle disables keymgr in any state.

	Checks:
	- If keymgr is not initialized, check it can't be initialized until life cycle enables
	keymgr.
	- If keymgr is in a valid state after init, key output to KMAC is wiped immediately and
	SW output will be invalid after OP is done.
	- If keymgr in disabled state, check the behavior is consistent with normal behavior.
	'''
	milestone: V2
	tests: ["keymgr_lc_disable"]
	}
	{
	name: invalid_cmd
	desc: '''
	Verify `keymgr` security countermeasures on fault injection.

	Stimulus:
	Force one of these or both
	- Force advance, gen_id and gen_out to not one-hot
	- Path: `dut.u_ctrl.adv_en_o/id_en_o/gen_en_o`
	- Force KMAC FSM to default branch to trigger FSM error
	- Path: `dut.u_kmac_if.state_d`

	Checks:
	- Check interrupts `err` is triggered.
	- Check alert `fatal_fault_err` is triggered and err_code is `INVALID_CMD`.
	- Check KMAC output key and output data to SW are corrupted, also keymgr enters
	StDisabled.
	'''
	milestone: V2
	tests: ["keymgr_cmd_invalid"]
	}
	{
	name: kmac_error_response
	desc: '''
	Verify `keymgr` behavior on error response received from `KMAC` after sending data to
	it.

	Stimulus:
	Drive error from KMAC interface when VALID is high.

	Checks:
	Same as above entry - "invalid_cmd".
	'''
	milestone: V2
	tests: ["keymgr_kmac_rsp_err"]
	}
	{
	name: invalid_kmac_input
	desc: '''
	Verify `keymgr` behavior with invalid key version.

	Stimulus:
	Randomize KEY_VERSION and MAX_*_VER registers.

	Checks:
	when KEY_VERSION > MAX_*_VER
	- Check interrupts `err` is triggered.
	- Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_INPUT`.
	- Check KMAC output key is corrupted and working state remains the same.
	'''
	milestone: V2
	tests: ["keymgr_sw_invalid_input"]
	}
	{
	name: invalid_kmac_data
	desc: '''
	Verify `keymgr` behavior with invalid data patterns.

	Stimulus:
	Use all 0s or 1s as KMAC input digest data

	Checks:
	- Check interrupts `err` is triggered.
	- Check alert `recov_operation_err` is triggered and err_code is `INVALID_KMAC_DATA`.
	- Check SW output isn't updated and working state remains the same.
	'''
	milestone: V2
	tests: ["keymgr_hwsw_invalid_input"]
	}
	{
	name: stress_all
	desc: '''
	- Combine above sequences in one test to run sequentially, except csr sequence and
	keymgr_cfg_regwen (requires zero_delays)
	- Randomly add reset between each sequence'''
	milestone: V2
	tests: ["keymgr_stress_all"]
	}
	]
	}