[otbn] Add FSM-related CM labels
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
diff --git a/hw/ip/otbn/data/otbn.hjson b/hw/ip/otbn/data/otbn.hjson
index 74b6f53..ea5db47 100644
--- a/hw/ip/otbn/data/otbn.hjson
+++ b/hw/ip/otbn/data/otbn.hjson
@@ -127,9 +127,39 @@
{ name: "BUS.INTEGRITY",
desc: "End-to-end bus integrity scheme."
}
+ { name: "CONTROLLER.FSM.GLOBAL_ESC",
+ desc: "The controller FSM moves to a terminal error state upon global escalation."
+ }
+ { name: "CONTROLLER.FSM.LOCAL_ESC",
+ desc: '''
+ The controller FSM moves to a terminal error state upon local escalation.
+ Can be triggered by CONTROLLER.FSM.SPARSE, SCRAMBLE_CTRL.FSM.SPARSE, and START_STOP_CTRL.FSM.SPARSE.
+ '''
+ }
+ { name: "CONTROLLER.FSM.SPARSE",
+ desc: "The controller FSM uses a sparse state encoding."
+ }
{ name: "SCRAMBLE.KEY.SIDELOAD",
desc: "The scrambling key is sideloaded from OTP and thus unreadable by SW."
}
+ { name: "SCRAMBLE_CTRL.FSM.LOCAL_ESC",
+ desc: '''
+ The scramble control FSM moves to a terminal error state upon local escalation.
+ Can be triggered by SCRAMBLE_CTRL.FSM.SPARSE.
+ '''
+ }
+ { name: "SCRAMBLE_CTRL.FSM.SPARSE",
+ desc: "The scramble control FSM uses a sparse state encoding."
+ }
+ { name: "START_STOP_CTRL.FSM.LOCAL_ESC",
+ desc: '''
+ The start-stop control FSM moves to a terminal error state upon local escalation.
+ Can be triggered by START_STOP_CTRL.FSM.SPARSE.
+ '''
+ }
+ { name: "START_STOP_CTRL.FSM.SPARSE",
+ desc: "The start-stop control FSM uses a sparse state encoding."
+ }
]
regwidth: "32"
diff --git a/hw/ip/otbn/data/otbn_sec_cm_testplan.hjson b/hw/ip/otbn/data/otbn_sec_cm_testplan.hjson
index 0b822ca..9a6a1e0 100644
--- a/hw/ip/otbn/data/otbn_sec_cm_testplan.hjson
+++ b/hw/ip/otbn/data/otbn_sec_cm_testplan.hjson
@@ -30,10 +30,52 @@
tests: []
}
{
+ name: sec_cm_controller_fsm_global_esc
+ desc: "Verify the countermeasure(s) CONTROLLER.FSM.GLOBAL_ESC."
+ milestone: V2S
+ tests: []
+ }
+ {
+ name: sec_cm_controller_fsm_local_esc
+ desc: "Verify the countermeasure(s) CONTROLLER.FSM.LOCAL_ESC."
+ milestone: V2S
+ tests: []
+ }
+ {
+ name: sec_cm_controller_fsm_sparse
+ desc: "Verify the countermeasure(s) CONTROLLER.FSM.SPARSE."
+ milestone: V2S
+ tests: []
+ }
+ {
name: sec_cm_scramble_key_sideload
desc: "Verify the countermeasure(s) SCRAMBLE.KEY.SIDELOAD."
milestone: V2S
tests: []
}
+ {
+ name: sec_cm_scramble_ctrl_fsm_local_esc
+ desc: "Verify the countermeasure(s) SCRAMBLE_CTRL.FSM.LOCAL_ESC."
+ milestone: V2S
+ tests: []
+ }
+ {
+ name: sec_cm_scramble_ctrl_fsm_sparse
+ desc: "Verify the countermeasure(s) SCRAMBLE_CTRL.FSM.SPARSE."
+ milestone: V2S
+ tests: []
+ }
+ {
+ name: sec_cm_start_stop_ctrl_fsm_local_esc
+ desc: "Verify the countermeasure(s) START_STOP_CTRL.FSM.LOCAL_ESC."
+ milestone: V2S
+ tests: []
+ }
+ {
+ name: sec_cm_start_stop_ctrl_fsm_sparse
+ desc: "Verify the countermeasure(s) START_STOP_CTRL.FSM.SPARSE."
+ milestone: V2S
+ tests: []
+ }
]
}
diff --git a/hw/ip/otbn/rtl/otbn_controller.sv b/hw/ip/otbn/rtl/otbn_controller.sv
index 74e3e0d..26ebe25 100644
--- a/hw/ip/otbn/rtl/otbn_controller.sv
+++ b/hw/ip/otbn/rtl/otbn_controller.sv
@@ -377,6 +377,7 @@
end
default: begin
// We should never get here. If we do (e.g. via a malicious glitch), error out immediately.
+ // SEC_CM: CONTROLLER.FSM.LOCAL_ESC
state_d = OtbnStateLocked;
state_error = 1'b1;
end
@@ -389,6 +390,7 @@
insn_fetch_resp_clear_o = 1'b1;
if (fatal_err) begin
+ // SEC_CM: CONTROLLER.FSM.GLOBAL_ESC
state_d = OtbnStateLocked;
end else begin
state_d = OtbnStateHalt;
@@ -500,6 +502,7 @@
`ASSERT(NoStallOnBranch,
insn_valid_i & insn_dec_shared_i.branch_insn |-> state_q != OtbnStateStall)
+ // SEC_CM: CONTROLLER.FSM.SPARSE
`PRIM_FLOP_SPARSE_FSM(u_state_regs, state_d, state_q, otbn_state_e, OtbnStateHalt)
assign insn_cnt_clear = state_reset_i | (state_q == OtbnStateLocked) | insn_cnt_clear_i;
diff --git a/hw/ip/otbn/rtl/otbn_scramble_ctrl.sv b/hw/ip/otbn/rtl/otbn_scramble_ctrl.sv
index f35de58..f7f2113 100644
--- a/hw/ip/otbn/rtl/otbn_scramble_ctrl.sv
+++ b/hw/ip/otbn/rtl/otbn_scramble_ctrl.sv
@@ -132,6 +132,7 @@
end
end
+ // SEC_CM: SCRAMBLE_CTRL.FSM.SPARSE
`PRIM_FLOP_SPARSE_FSM(u_state_regs, state_d, state_q, scramble_ctrl_state_e, ScrambleCtrlIdle)
always_comb begin
@@ -203,6 +204,7 @@
end
end
ScrambleCtrlError: begin
+ // SEC_CM: SCRAMBLE_CTRL.FSM.LOCAL_ESC
// Terminal error state
state_error_o = 1'b1;
end
diff --git a/hw/ip/otbn/rtl/otbn_start_stop_control.sv b/hw/ip/otbn/rtl/otbn_start_stop_control.sv
index dabfe5a..44054e3 100644
--- a/hw/ip/otbn/rtl/otbn_start_stop_control.sv
+++ b/hw/ip/otbn/rtl/otbn_start_stop_control.sv
@@ -62,6 +62,7 @@
logic addr_cnt_inc;
logic [4:0] addr_cnt_q, addr_cnt_d;
+ // SEC_CM: START_STOP_CTRL.FSM.SPARSE
`PRIM_FLOP_SPARSE_FSM(u_state_regs, state_d, state_q,
otbn_start_stop_state_e, OtbnStartStopStateHalt)
@@ -153,6 +154,7 @@
state_d = OtbnStartStopStateHalt;
end
OtbnStartStopStateError: begin
+ // SEC_CM: START_STOP_CTRL.FSM.LOCAL_ESC
// Terminal error state
state_error_o = 1'b1;
end
