|  | // Copyright lowRISC contributors. | 
|  | // Licensed under the Apache License, Version 2.0, see LICENSE for details. | 
|  | // SPDX-License-Identifier: Apache-2.0 | 
|  | { | 
|  | name: "chip" | 
|  |  | 
|  | // TODO: remove the common testplans if not applicable | 
|  | import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson", | 
|  | // TODO #5484, comment these 2 lines out because spi host memory is dummy | 
|  | // "hw/dv/tools/dvsim/testplans/mem_testplan.hjson", | 
|  | // Integrity error is tested in a SW test. | 
|  | "hw/dv/tools/dvsim/testplans/tl_device_access_types_wo_intg_testplan.hjson", | 
|  | "hw/ip/tlul/data/tlul_testplan.hjson", | 
|  | "sw/device/silicon_creator/rom/data/rom_e2e_testplan.hjson", | 
|  | "hw/top_earlgrey/data/chip_conn_testplan.hjson"] | 
|  |  | 
|  | testpoints: [ | 
|  | /////////////////////////////////////////////////////////////////////////// | 
|  | // IO Peripherals                                                        // | 
|  | // UART, GPIO, I2C, SPIDEV, SPIHOST, USB, PINMUX & PADCTRL, PATTGEN, PWM // | 
|  | /////////////////////////////////////////////////////////////////////////// | 
|  |  | 
|  | // UART (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_uart_tx_rx | 
|  | desc: '''Verify transmission of data over the TX and RX port. | 
|  |  | 
|  | SW test sends a known payload over the TX port. The testbench, at the same time | 
|  | sends a known payload over RX. On reception, both payloads are checked for integrity. | 
|  | SW validates the reception of TX watermark, RX watermark, and the TX empty interrupts. | 
|  | Choosing the max supported baud rate for the UART is sufficient. | 
|  |  | 
|  | Verify each UART instance at the chip level independently. Verify there is no aliasing | 
|  | on all UART ports across the instances. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_uart_tx_rx"] | 
|  | tags: ["gls"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_uart_rx_overflow | 
|  | desc: '''Verify the RX overflow interrupt. | 
|  |  | 
|  | The testbench sends a random payload of size greater than the RX fifo size (32). The SW | 
|  | ignores the received the data to allow the RX overflow interrupt to assert. | 
|  |  | 
|  | Verify each UART instance at the chip level independently. Verify there is no aliasing | 
|  | on all UART ports across the instances. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_uart_tx_rx", "chip_sw_uart_tx_rx_idx1", "chip_sw_uart_tx_rx_idx2", | 
|  | "chip_sw_uart_tx_rx_idx3"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_uart_rand_baudrate | 
|  | desc: '''Verify UART transmission of data at various speeds. | 
|  |  | 
|  | Randomly pick one of the UART instances and configure it to run with any of these baud | 
|  | rates - 9600bps, 115200bps, 230400bps, 128Kbps, 256Kbps, 1Mkbps, 1.5Mkbps. | 
|  |  | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_uart_rand_baudrate"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_uart_tx_rx_alt_clk_freq | 
|  | desc: '''Verify the transmission of UART via using external clock as uart core clock. | 
|  |  | 
|  | Extend from chip_sw_uart_rand_baudrate with following added settings. | 
|  | - Configure LC to RMA state, so that it allows clkmgr to use external clock. | 
|  | - Configure clkmgr to select external clock. | 
|  | - Randomize `HI_SPEED_SEL`, so that uart core clock frequency can be either | 
|  | ext_clk_freq / 4 or ext_clk_freq / 2. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_uart_tx_rx_alt_clk_freq", "chip_sw_uart_tx_rx_alt_clk_freq_low_speed"] | 
|  | } | 
|  |  | 
|  | // GPIO (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_gpio_out | 
|  | desc: '''Verify GPIO outputs. | 
|  |  | 
|  | SW test configures the GPIOs to be in the output mode. The test walks a 1 through the | 
|  | pins. The testbench checks the value for correctness and verifies that there is no | 
|  | aliasing between the pins. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_gpio"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_gpio_in | 
|  | desc: '''Verify GPIO inputs. | 
|  |  | 
|  | The SW test configures the GPIOs to be in input mode. The testbench walks a 1 through | 
|  | the pins. SW test ensures that the GPIO values read from the CSR is correct. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_gpio"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_gpio_irq | 
|  | desc: '''Verify GPIO interrupts. | 
|  |  | 
|  | The SW test configures the GPIOs to be in input mode and enables all of them to generate | 
|  | an interrupt. The testbench walks a 1 through the pins. SW test ensures that the | 
|  | interrupt corresponding to the right pin is seen. | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_gpio"] | 
|  | } | 
|  |  | 
|  | // SPI_DEVICE (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_spi_device_tx_rx | 
|  | desc: '''Verify the transmission of data on the chip's SPI device port in firmware mode with | 
|  | single mode. | 
|  |  | 
|  | - The testbench sends a known payload over the chip's SPI device input port. | 
|  | - The SW test, at the same time sends a known payload out over the chip's SPI device | 
|  | output port. | 
|  | - On reception, both payloads are checked for integrity. | 
|  | - SW validates the reception of RX fifo full, RX fifo over level, TX fifo under level, | 
|  | RX overflow and TX underflow interrupts. | 
|  | - Run with min (6MHz), typical (30-48Mhz) and max(48MHz) SPI clk frequencies. | 
|  | should use | 
|  | - Also, ensure that the spi_device does not receive transactions when the csb is high. | 
|  | - TODO, consider to test this mode with a real use case. The actual use case of this | 
|  | mdoe is not clear right now. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_spi_device_tx_rx"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_spi_device_flash_mode | 
|  | desc: '''Verify the SPI device in flash mode. | 
|  |  | 
|  | - SW puts the SPI device in flash mode | 
|  | - Load a firmware image (bootstrap) through flash commands to the spi_device memory. | 
|  | - SW verifies the integrity of the image upon reception by reading the spi_device | 
|  | memory. | 
|  | - Ensure the image is executed correctly | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_uart_tx_rx_bootstrap"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_spi_device_pass_through | 
|  | desc: '''Verify the pass through mode from an end-to-end perspective. | 
|  |  | 
|  | - Configure the SPI device and host in pass through mode. | 
|  | - Program the cmd_filter_* CSRs to filter out random commands. | 
|  | - Configure and enable both spi_host0 and spi_host1 | 
|  | - Send a random flash commands over the SPI device interface (chip IOs) from the | 
|  | testbench. | 
|  | - Verify the flash commands which pass through spi_host0, are received on chip IOs. | 
|  | - Verify that only the payloads that are not filtered show up on the SPI host interface | 
|  | at chip IOs. | 
|  | - Verify spi_host1 doesn't send out any data from spi_device | 
|  | - Run with min (6MHz), typical (24Mhz) and max (30MHz) SPI clk frequencies. | 
|  | - Run with single, dual and quad SPI modes. | 
|  | - Testbench should test the following commands: | 
|  | - Read Normal, Fast Read, Fast Dual, Fast Quad, Chip Erase, Program | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_spi_device_pass_through"] | 
|  | } | 
|  |  | 
|  | { | 
|  | name: chip_sw_spi_device_pass_through_flash_model | 
|  | desc: '''Verify the command filtering mechanism in passthrough mode. | 
|  |  | 
|  | - Extend the chip_spi_device_pass_through test. | 
|  | - Connect with a real flash model on spi_host | 
|  | - Verify that the flash commands are received and interpreted correctly in the flash | 
|  | model | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | { | 
|  | name: chip_sw_spi_device_pass_through_collision | 
|  | desc: '''Verify the collisions on driving spi_host is handled properly | 
|  |  | 
|  | - Enable upload related interrupts and configure the spi_device in passthrough mode. | 
|  | - Configure a command slot to enable upload for a flash program/erase command. | 
|  | - Excecute two parallel threads: | 
|  | 1. SPI host agent. | 
|  | - Send this command via an upstream SPI host agent, then the agent keeps sending | 
|  | read_status to poll the busy bit. | 
|  | - When the busy bit is low, issue a read command to read data from the downstream | 
|  | SPI port, and check data correctness. | 
|  | 2. A SW process. | 
|  | - SW receives an upload interrupt and reads the command in the upload fifo to check. | 
|  | - SW configures the SPI host that shows the same downstream port, to send the | 
|  | uploaded command to the downstream SPI port. | 
|  | - SW clears busy bit to allow the upstream SPI host to proceed to the next command. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_spi_device_pass_through_collision"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_spi_device_tpm | 
|  | desc: '''Verify the basic operation of the spi tpm mode.. | 
|  |  | 
|  | - The testbench sends a known payload over the chip's SPI device tpm input port. | 
|  | - The testbench sends a read command. | 
|  | - The software test should playback the data received in the write command as the read | 
|  | response. | 
|  | - The testbench should check if the written and read data match. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_spi_device_tpm"] | 
|  | } | 
|  |  | 
|  | // SPI_HOST (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_spi_host_tx_rx | 
|  | desc: '''Verify the transmission of data on the chip's SPI host port. | 
|  |  | 
|  | - Program the SPI host to send a known payload out of the chip on the SPI host ports. | 
|  | - The testbench receives the payload and plays it back to the SPI host interface. | 
|  | - The SW verifies the sent payload matches the read response and services SPI event | 
|  | interrupts. | 
|  | - Run with min and max SPI clk frequencies and with single, dual and quad SPI modes. | 
|  |  | 
|  | Verify all SPI host instances in the chip. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_spi_host_tx_rx"] | 
|  | } | 
|  |  | 
|  | // I2C (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_i2c_host_tx_rx | 
|  | desc: '''Verify the transmission of data over the chip's I2C host interface. | 
|  |  | 
|  | - Program the I2C to be in host mode. | 
|  | - The SW test writes a known payload over the chip's I2C host interface, which is | 
|  | received by the testbench. | 
|  | - The testbench then loops this data back to the chip's I2C host and exercises the | 
|  | read interface. | 
|  | - SW validates the reception of FMT watermark and trans complete interrupts. | 
|  | - SW validates that the data read matches the original data written. | 
|  | - Verify the virtual / true open drain capability. | 
|  |  | 
|  | Verify all instances of I2C in the chip. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_i2c_host_tx_rx", | 
|  | "chip_sw_i2c_host_tx_rx_idx1", | 
|  | "chip_sw_i2c_host_tx_rx_idx2"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_i2c_device_tx_rx | 
|  | desc: '''Verify the transmission of data over the chip's I2C device interface. | 
|  |  | 
|  | - Program the I2C to be in device mode. | 
|  | - The testbench writes a known payload over the chip's I2C device interface, which is | 
|  | received and verified by the SW test for correctness. | 
|  | - The testbench reads and verifies a known payload over the chip's I2C device interface, | 
|  | - SW validates the reception of tx empty and trans complete interrupts. | 
|  | - Verify the virtual / true open drain capability. | 
|  |  | 
|  | Verify all instances of I2C in the chip. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_i2c_device_tx_rx"] | 
|  | } | 
|  |  | 
|  | // USB (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_usb_fs_tx_rx | 
|  | desc: '''Verify the transmission of single-ended data over the USB at full speed. As a part of | 
|  | this test, the enablement of USB pullup is also expected to be verified. | 
|  |  | 
|  | - Set `tx_differential_mode` to single-ended and `rx_differential_mode` to | 
|  | differential. The other modes are not supported in OpenTitan. | 
|  | - configure Link state to `Active`. | 
|  | - Send and receive packets to fill the entire buffer. Ensure all the packets are | 
|  | correct. | 
|  | - Check interrupts (connected, pkt_received, pkt_sent, av_empty, rx_full) are triggered | 
|  | correcly. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_sw_usb_vbus | 
|  | desc: '''Verify that the USB device can detect the presence of VBUS from the USB host. | 
|  |  | 
|  | - This test extends from `chip_usb_fs_df_tx_rx`, add below at the end of the sequence. | 
|  | - VBUS is controlled by SW, through programming CSRs (`override_pwr_sense_en` and | 
|  | `override_pwr_sense_val`) to connect / disconnect the USB. | 
|  | - Disconnect the USB to trigger `disconnected` interrupt. | 
|  | - Then reconnect it and check the `connected` interrupt. | 
|  | - Re-enable data transfer and ensure data correctness. | 
|  | - Observe valid reference pulse usb_ref_val/pulse_o. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_sw_usb_suspend | 
|  | desc: '''Verify that the USB device can detect the presence of VBUS from the USB host. | 
|  |  | 
|  | - This test extends from `chip_usb_fs_df_tx_rx`, add below at the end of the sequence. | 
|  | - Configure USB device to enter `Suspend` state and ensure `link_suspend` interrupt is | 
|  | triggered. | 
|  | - Test these 2 power modes. | 
|  | - Normal sleep: | 
|  | - Configure pwrmgr to enter normal sleep mode, then clocks are disable while powers | 
|  | are kept on. | 
|  | - Resume the device through pinmux and check the `link_resume` interrupt. | 
|  | - Ensure that previously enumerated information is kept. | 
|  | - Deep sleep: | 
|  | - Before entering deep sleep, store previously enumerated information in retention | 
|  | RAM. (optional) | 
|  | - Configure pwrmgr to enter deep sleep mode, and powers are turned off. | 
|  | - Resume the device through pinmux and check the `link_resume` interrupt. | 
|  | - Ensure that previously enumerated information and configuration (non-default | 
|  | values) are wiped, as USB has been reset before wakeup. | 
|  | - Restore previously enumerated information (if it's stored) or re-enumerate the | 
|  | USB. | 
|  | - Re-enable data transfer and ensure data correctness. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_usb_sof | 
|  | desc: '''Verify that USB can detect SOF and respond with `usb_ref_pulse_o` and | 
|  | `usb_ref_val_o`. | 
|  |  | 
|  | - Configure to enable `usb_ref_disable`. | 
|  | - Send a frame with the same frame number as the USB device to trigger `frame` | 
|  | interrupt. | 
|  | - Ensure `usb_ref_pulse_o` and `usb_ref_val_o` behave correctly. | 
|  | - Stop sending any frame and check the `host_lost` interrupt. Ensure `use_ref_*` behave | 
|  | correctly. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_usb_wake_debug | 
|  | desc: '''Verify that `usb_state_debug_i` can be read from the CSR | 
|  |  | 
|  | - Drive random value on `usb_state_debug_i`. | 
|  | - Ensure the CSR `wake_debug` returns correctly value. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_usb_enumeration | 
|  | desc: '''Verify USB enumeration. Details are not clear. | 
|  |  | 
|  | - TODO | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | // PINMUX & PADRING (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_pin_mux | 
|  | desc: '''Verify the MIO muxing at input and output sides. | 
|  |  | 
|  | - Enable `stub_cpu` mode. | 
|  | - Add a forcing interface to pinmux's pad-facing DIO and MIO ports, including the output | 
|  | enables; and a sampling interface for the peripheral facing DIO and MIO ports. | 
|  | - Similarly, add a driving / sampling interface for all DIOs and MIOs at the chip pads. | 
|  | - In the output direction: | 
|  | - Program all MIO outsel and pad attribute registers to random values. | 
|  | - Force the pad-facing pinmux MIO ports and output enables to random values. | 
|  | - Verify all MIO pad values for correctness. | 
|  | - For the input direction: | 
|  | - Program all MIO insel and pad attribute registers to random values. | 
|  | - Drive the MIO pads to random values. | 
|  | - Probe and sample the peripheral facing MIO ports of the pinmux and verify the values | 
|  | for correctness. | 
|  | - Follow a similar testing procedure for DIOs. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_padctrl_attributes"] | 
|  | } | 
|  | { | 
|  | name: chip_padctrl_attributes | 
|  | desc: '''Verify pad attribute settings for all MIO and DIO pads. | 
|  |  | 
|  | - Follow the same procedure as the `chip_pin_mux` test, ensuring the padctrl attribute | 
|  | registers for all MIOs and DIOs are also randomized when verifying the outcomes. | 
|  | - Verify weak pull enable, output inversion and virtual open drain and drive strength | 
|  | (bit 0) signaling in the output direction. | 
|  | - Verify weak pull enable and input inversion in the input direction. | 
|  | - Verify multiple pad attributes for each pad set at the same time through | 
|  | randomization. | 
|  |  | 
|  | Cross-references the `chip_pin_mux` test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_padctrl_attributes"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sleep_pin_mio_dio_val | 
|  | desc: '''Verify the MIO output values in any sleep states. | 
|  |  | 
|  | - Pick between normal sleep and deep sleep randomly | 
|  | - Pick between tie-0, tie-1, or High-Z randomly for all muxed, | 
|  | dedicated outputs coming from non-AON IPs. | 
|  |  | 
|  | SW programs the MIO OUTSEL CSRs to ensure that in sleep it randomly picks | 
|  | between tie-0, tie-1 or hi-Z for all muxed outputs coming from non-AON IPs. If an AON | 
|  | peripheral output is muxed, then that peripheral's output is selected to ensure in deep | 
|  | sleep the peripheral can continue its signaling even in deep sleep. The testbench | 
|  | verifies the correctness of the reflected values once the chip goes into deep sleep. | 
|  | This is replicated for DIO pins as well. | 
|  |  | 
|  | In this test, passthrough feature is not tested. The feature is | 
|  | covered in other tests such as chip_sw_sleep_pwm_pulses. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sleep_pin_mio_dio_val"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sleep_pin_wake | 
|  | desc: '''Verify pin wake up from any sleep states. | 
|  |  | 
|  | Verify one of the 8 possible MIO or DIO pad inputs (randomly configured) can cause the | 
|  | chip to wake up from sleep state. Verifying wake on posedge is sufficient for the chip | 
|  | level integration testing. Upon wake up, SW reads the wake cause CSR to verify | 
|  | correctness. | 
|  |  | 
|  | For V3, enhance this test to configure all wakeup detectors rather than configure only | 
|  | one, then have the host randomly pick one of the IOs configured for wakeup in one of | 
|  | those detectors. Also, randomize and test all wakeup modes and enable debounce filter. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sleep_pin_wake"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sleep_pin_retention | 
|  | desc: '''Verify the retention logic in pinmux that is activated during deep sleep. | 
|  |  | 
|  | - Pick a pin (such as GPIO0) and enable it in output mode. Set a known value to it (0 or | 
|  | 1) and verify the correctless of the value on the chip IO.. | 
|  | - Program the pin's retention value during deep sleep to be opposite of the active power | 
|  | value programmed in the previous step. | 
|  | - Reuse an existing deep sleep / low power wake up test, such as | 
|  | `chip_sw_sleep_pin_wake` test to enter low power. | 
|  | - Once the chip enters the deep sleep state, verify that this pin holds the correct | 
|  | retention value throughout the low power state. | 
|  | - Wake up the chip from sleep using the chosen method. | 
|  | - Verify the pin value at the chip IOs is no longer holding the retention value once the | 
|  | chip is back in active power. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sleep_pin_retention"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_tap_strap_sampling | 
|  | desc: '''Verify tap accesses in different LC states. | 
|  |  | 
|  | Verify pinmux can select the life_cycle, RISC-V, and DFT taps after reset. | 
|  | Verify that in TEST_UNLOCKED* and RMA states, pinmux can switch between the three TAPs | 
|  | without issuing reset. | 
|  | Verify in PROD state, only the LC tap can be selected. | 
|  | Verify in DEV state, only the LC tap and RISC-V taps can be selected. | 
|  | Verify DFT test mode straps are sampled and output to AST via | 
|  | top_earlgrey.dft_strap_test_o in TEST_UNLOCKED* and RMA states. | 
|  | Verify top_earlgrey.dft_strap_test_o is always 0 in the states other than TEST_UNLOCKED* | 
|  | and RMA, regardless of the value on DFT SW straps. | 
|  | Verify loss of DFT functionality when DFT straps are deasserted on the next POR cycle. | 
|  |  | 
|  | Note: these tests require the ROM init stage to complete. So a test ROM image is loaded, | 
|  | but the software does not test anything. The CPU boots and runs to completion while the | 
|  | host (SV testbench) performs these stimulus / checks. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_tap_straps_dev", "chip_tap_straps_prod", "chip_tap_straps_rma"] | 
|  | } | 
|  |  | 
|  | // PATTGEN (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_pattgen_ios | 
|  | desc: '''Verify pattern generation to chip output pads. | 
|  |  | 
|  | - Program the pattgen to generate a known pattern in each lane. | 
|  | - Program the pinmux to route the chosen output to the chip IOs. | 
|  | - Verify that the correct pattern is seen on the IOs by hooking up the pattgen monitor. | 
|  | - Validate the reception of the done interrupt. | 
|  | - Verify both pattgen channels independently. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pattgen_ios"] | 
|  | } | 
|  |  | 
|  | // PWM (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_sleep_pwm_pulses | 
|  | desc: '''Verify PWM signaling to chip output pads during deep sleep. | 
|  |  | 
|  | - Program each PWM output to pulse in a known pattern. | 
|  | - Program the pinmux to route the chosen PWM output to the chip IOs. | 
|  | - Program the pwrmgr to go to deep sleep state, with AON timer wakeup. | 
|  | - Initiate the sleep state by issuing a WFI. | 
|  | - Verify that in the sleep state, the PWM signals are active and pulsing correctly, by | 
|  | hooking up the PWM monitor. | 
|  | - Repeat the steps for all 6 PWM signals. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sleep_pwm_pulses"] | 
|  | } | 
|  |  | 
|  | ////////////////////////////////////////////////////////////////////////////////////// | 
|  | // System Peripherals                                                               // | 
|  | // XBAR, RV_DM, RV_TIMER, AON_TIMER, PLIC, CLK/RST/PWR MGR, ALERT_HANDLER, LC_CTRL, // | 
|  | // ADC_CTRL, SYSRST_CTRL                                                            // | 
|  | ////////////////////////////////////////////////////////////////////////////////////// | 
|  |  | 
|  | // XBAR (pre-verified IP) tests: | 
|  | { | 
|  | name: chip_sw_data_integrity | 
|  | desc: ''' | 
|  | Verify the alert signaling mechanism due to integrity violations of load ops. | 
|  |  | 
|  | An SW test which performs the following on main and retention SRAMs to verify the memory | 
|  | end-to-end integrity scheme: | 
|  | - Corrupt a random data / integrity bit in the memory using SV force. | 
|  | - SW reads that address and the corrupted data is sent to ibex. | 
|  | - Verify that ibex detects the integrity violation and triggers an alert. | 
|  | - Check the alert up to the NMI phase and make sure that the alert cause is from Ibex. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_data_integrity_escalation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_instruction_integrity | 
|  | desc: ''' | 
|  | Verify the alert signaling mechanism due to integrity violations of instruction fetches. | 
|  |  | 
|  | An SW test which performs the following on main SRAM to verify the memory end-to-end | 
|  | integrity scheme: | 
|  | - Corrupt a data / integrity bit in a test function in the main SRAM using SV force. | 
|  | - SW jumps to that test function in the main SRAM. | 
|  | - Verify that ibex detects the integrity violation and triggers an alert. | 
|  | - Check the alert up to the NMI phase and make sure that the alert cause is from Ibex. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_data_integrity_escalation"] | 
|  | } | 
|  |  | 
|  | // RV_DM (JTAG) tests: | 
|  | { | 
|  | name: chip_jtag_csr_rw | 
|  | desc: ''' | 
|  | Verify accessibility of all the CSRs in the chip over JTAG. | 
|  |  | 
|  | - Shuffle the list of CSRs first to remove the effect of ordering. | 
|  | - Write all CSRs via JTAG interface with a random value. | 
|  | - Shuffle the list of CSRs yet again. | 
|  | - Read all CSRs back and check their values for correctness while adhering to the CSR's | 
|  | access policies. | 
|  | - Accesses to CSRs external to `rv_dm` go through RV_DM SBA interface into the `xbar`. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_jtag_csr_rw"] | 
|  | } | 
|  | { | 
|  | name: chip_jtag_mem_access | 
|  | desc: ''' | 
|  | Verify accessibility of all the memories in the chip over JTAG. | 
|  |  | 
|  | This test will target the following memories in the chip: | 
|  | sram_main, sram_ret, otbn i|dmem, ROM | 
|  |  | 
|  | - Shuffle the list of memories first to remove the effect of ordering. | 
|  | - Write a location in a randomly chosen set of addresses within each memory via JTAG | 
|  | interface with random values. | 
|  | - For read-only memories, preload the memory with random data via backdoor. | 
|  | - Shuffle the list of memories again. | 
|  | - Read the previously written addresses in the memories back again and check the read | 
|  | value for correctness. Pick some random addresses to verify in case of read-only | 
|  | memories. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_jtag_mem_access"] | 
|  | } | 
|  | { | 
|  | name: chip_rv_dm_perform_debug | 
|  | desc: ''' | 
|  | - X-ref'ed with rom_e2e_jtag_inject from rom testplan. | 
|  | - X-ref'ed with chip_sw_flash_lc_iso_part_sw_wr_en. | 
|  | - X-ref'ed with manuf_cp_device_info_flash_wr from manufacturing testplan. | 
|  | - Using the sram injection mechanism from rom_e2e_jtag_inject, load a SRAM program that | 
|  | writes to isolated flash partition while the device is in TEST_UNLOCKED state. | 
|  | - After writing, verify that the test program cannot read back the written value. | 
|  |  | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: ["rom_e2e_jtag_debug_test_unlocked0", "rom_e2e_jtag_debug_dev", | 
|  | "rom_e2e_jtag_debug_rma"] | 
|  | } | 
|  | { | 
|  | name: chip_rv_dm_ndm_reset_req | 
|  | desc: '''Verify non-debug reset request initiated from RV_DM when the chip is awake. | 
|  |  | 
|  | - Program some CSRs / mem that are under life cycle reset tree and system reset tree. | 
|  | - Configure RV_DM to send NDM reset request to reset sytem reset tree. | 
|  | - While NDM reset is ongoing, ensure the RV_DM debug module registers can still be | 
|  | accessed. | 
|  | - Read the programmed CSRs / mem to ensure that everything under system reset tree is | 
|  | reset to the original values, while values under life cycle reset will be preserved. | 
|  | - Read CSRs / mem in the debug domain to ensure that the values survive the reset. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_rv_dm_ndm_reset_req"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_dm_ndm_reset_req_when_cpu_halted | 
|  | desc: '''Verify non-debug reset request initiated from RV_DM when the CPU  is in halted state. | 
|  |  | 
|  | - Initialize the DUT in a HW-debug enabled life cycle state. | 
|  | - Activate the RISCV debug module. | 
|  | - Run some SW test on the CPU. | 
|  | - Initiate a CPU halt request via JTAG. | 
|  | - Wait for the CPU to be in halted state via JTAG by polling dmstatus.anyhalted. | 
|  | - Deassert the CPU haltreq and verify that we are still in halted state. | 
|  | - (Optional) Using the abstract command, read the dcsr register to verify the cause | 
|  | reflects the debug halt request. | 
|  | - Issue an NDM reset request. All non-debug parts of the chip should reset. Read the | 
|  | dmstatus.anyhalted / dvstatus.allhalted and verify that they are cleared. | 
|  | - Verify that the debug logic is fully accessible during this time, while the NDM reset | 
|  | is being processed and the chip is rebooted, by continuously accessing the DMI | 
|  | register space in `rv_dm` over JTAG. | 
|  | - De-assert the NDM reset request and wait for the CPU to reboot and finish the post-NDM | 
|  | reset phase of the test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_dm_ndm_reset_req_when_cpu_halted"] | 
|  | } | 
|  | { | 
|  | name: chip_rv_dm_access_after_wakeup | 
|  | desc: '''Verify RV_DM works after wakes up from sleep. | 
|  |  | 
|  | - Put the chip into sleep mode and then wake up (both deep sleep and normal sleep). | 
|  | - If waking up from normal sleep, an activation should not be required for RV_DM CSR | 
|  | accesses to work. | 
|  | - If waking up from deep sleep, an activation is required for RV_DM CSR accesses to work. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_dm_access_after_wakeup"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_dm_access_after_hw_reset | 
|  | desc: '''Verify RV_DM works after a watchdog or escalated reset. | 
|  |  | 
|  | - Access some RV_DM CSRs both before and after resets. | 
|  | - An activation would be required, and the tap strap would also be sampled again. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: ["chip_sw_rv_dm_access_after_escalation_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_dm_jtag_tap_sel | 
|  | desc: '''Verify ability to select all available TAPs. | 
|  |  | 
|  | - Put life cycle on Test or RMA state, so that TAPs can be selected between life cycle | 
|  | RV_DM and DFT. | 
|  | - Verify the TAP is selected correctly. | 
|  | - X-ref'ed with chip_sw_tap_strap_sampling. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_tap_straps_rma"] | 
|  | } | 
|  | { | 
|  | name: chip_rv_dm_lc_disabled | 
|  | desc: '''Verify that the debug capabilities are disabled in certain life cycle stages. | 
|  |  | 
|  | - Put life cycle in a random life cycle state. | 
|  | - Verify that the rv_dm bus device is inaccessible from the CPU as well as external | 
|  | JTAG if the life cycle state is not in TEST_UNLOCKED*, DEV or RMA. | 
|  | - The bus access check is performed by randomly reading or writing a CSR inside the | 
|  | RV_DM and checking whether the TL-UL bus errors out. | 
|  | - The JTAG access check is performed by writing and then reading a register that is | 
|  | accessible via the TAP/DMI inside the RV_DM. If the JTAG wires are gated, it is | 
|  | expected that the RV_DM returns all-zero instead of the written value. | 
|  | - X-ref'ed with `chip_tap_strap_sampling` | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_rv_dm_lc_disabled"] | 
|  | } | 
|  |  | 
|  | // RV_TIMER (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_timer | 
|  | desc: '''Verify the timeout interrupt assertion. | 
|  |  | 
|  | - Configure the RV_TIMER to generate interrupt after a set timeout. | 
|  | - Issue a WFI to wait for the interrupt to trigger. | 
|  | - Service the interrupt when it triggers; verify that it came from rv_timer. | 
|  | - Verify that the interrupt triggered only after the timeout elapsed. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_timer_irq"] | 
|  | } | 
|  |  | 
|  | // AON_TIMER (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_aon_timer_wakeup_irq | 
|  | desc: '''Verify the AON timer wake up interrupt in normal operating state. | 
|  |  | 
|  | - Program the PLIC to let the AON timer wake up interrupt the CPU. | 
|  | - Program the AON timer to generate the wake up timeout interrupt after some time. | 
|  | - Issue a WFI to wait for the interrupt to trigger. | 
|  | - Service the interrupt when it triggers; verify that it came from AON timer. | 
|  | - Verify that the interrupt triggered only after the timeout elapsed. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_irq"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_sleep_wakeup | 
|  | desc: '''Verify that AON timer can wake up the chip from a deep sleep state. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm that the SW is in the POR reset | 
|  | phase. | 
|  | - Program the pwrmgr to go to deep sleep state (clocks off, power off). | 
|  | - Program the AON timer to wake up the chip in a reasonable amount of time. | 
|  | - Have the CPU issue WFI to signal the pwrmgr to go into sleep state. | 
|  | - Verify via assertion checks, the wake up request occurs after the timeout has elapsed. | 
|  | - After reset followed by AON timer wake up, read the reset cause register to confirm | 
|  | the AON timer wake up phase. | 
|  | - After the test sequence is complete, read the wake up threshold register - it should | 
|  | not be reset. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_smoketest"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_wdog_bark_irq | 
|  | desc: '''Verify the watchdog bark reception in normal state. | 
|  |  | 
|  | - Program the PLIC to let the wdog bark signal interrupt the CPU. | 
|  | - Program the AON timer wdog to 'bark' after some time and enable the bark interrupt. | 
|  | - Service the bark interrupt upon reception. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_irq"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_wdog_lc_escalate | 
|  | desc: '''Verify that the LC escalation signal disables the AON timer wdog. | 
|  |  | 
|  | - Program the AON timer wdog to 'bark' after some time and enable the bark interrupt. | 
|  | - Start the escalation process and fail the test in the interrupt handler in case the | 
|  | bark interrupt is fired. | 
|  | - Program the alert handler to escalate on alerts upto phase 2 (i.e. reset) but the | 
|  | phase 1 (i.e. wipe secrets) should occur and last during the time the wdog is | 
|  | programed to bark and bite. | 
|  | - Trigger an alert to cause an escalation condition before the bark signal asserts. | 
|  | - After the reset ensure that the reset cause was due to the escalation to prove that | 
|  | the wdog was disabled. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_wdog_lc_escalate"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_wdog_bite_reset | 
|  | desc: '''Verify the watchdog bite causing reset in the normal state. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm that the SW is in the POR reset | 
|  | phase. | 
|  | - Program the AON timer wdog to 'bark' after some time. | 
|  | - Let the bark escalate to bite, which should result in a reset request. | 
|  | - After reset, read the reset cause register in rstmgr to confirm that the SW is now in | 
|  | the wdog reset phase. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_wdog_bite_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_sleep_wdog_bite_reset | 
|  | desc: '''Verify the watchdog bite causing reset in sleep state. | 
|  |  | 
|  | - Repeat the steps in chip_aon_timer_wdog_bite_reset test, but with following changes: | 
|  | - Program the pwrmgr to go to deep sleep state (clocks off, power off). | 
|  | - Issue a WFI after programming the wdog, so that the reset request due to bite occurs | 
|  | during deep sleep state. | 
|  | - After reset, read the reset cause register in rstmgr to confirm that the SW is now in | 
|  | the wdog reset phase. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_wdog_bite_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aon_timer_sleep_wdog_sleep_pause | 
|  | desc: '''Verify that the wdog can be paused in sleep state. | 
|  |  | 
|  | - Repeat the steps in chip_aon_timer_sleep_wakeup test, but with following changes: | 
|  | - Program the wdog to 'bite' a little sooner than the AON timer wake up. | 
|  | - Also, program the wdog to pause during sleep. | 
|  | - Issue a WFI after programming the wdog, so that the reset request occurs during deep | 
|  | sleep state. | 
|  | - After reset followed by AON timer wake up, read the reset cause register to confirm | 
|  | that the AON timer woke up the chip, not the wdog reset. | 
|  | - Un-pause the wdog and service the bark interrupt. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_sleep_wdog_sleep_pause"] | 
|  | } | 
|  |  | 
|  | // PLIC integration tests: | 
|  | { | 
|  | name: chip_sw_plic_all_irqs | 
|  | desc: '''Verify all interrupts from all peripherals aggregated at the PLIC. | 
|  |  | 
|  | The automated SW test enables all interrupts at the PLIC to interrupt the core. It uses | 
|  | the `intr_test` CSR in each peripheral to mock assert an interrupt, looping through all | 
|  | available interrupts in that peripheral. The ISR verifies that the right interrupt | 
|  | occurred. This is used as a catch-all interrupt test for all peripheral integration | 
|  | testing within which functionally asserting an interrupt is hard to achieve or not of | 
|  | high value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_plic_all_irqs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_plic_sw_irq | 
|  | desc: '''Verify the SW interrupt to the CPU. | 
|  |  | 
|  | Enable all peripheral interrupts at PLIC. Enable all types of interrupt at the CPU core. | 
|  | Write to the MSIP CSR to generate a SW interrupt to the CPU. Verify that the only | 
|  | interrupt that is seen is the SW interrupt. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_plic_sw_irq"] | 
|  | } | 
|  | { | 
|  | name: chip_plic_fatal_alert | 
|  | desc: '''Verify that the fatal alert is fired from PLIC due to bus integrity violation. | 
|  |  | 
|  | - PLIC is a non-preverified IP, so it is necessary to test the assertion of fatal alert | 
|  | via fault injection. | 
|  | - In stub CPU mode, read a register in PLIC. | 
|  | - Intercept the access in the SystemVerilog testbench and using force, inject an | 
|  | integrity error on the command channel. | 
|  | - Verify that the fatal alert fired on the PLIC output. | 
|  | - Reboot the chip and this time, inject a fatal alert through violation of the reg | 
|  | write-enable one hot check using the standardized sec_cm_pkg framework. | 
|  | - Verify that the fatal alert fired on the PLIC output. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_sw_plic_alerts | 
|  | desc: '''Verify alerts from PLIC due to both, TL intg and reg WE onehot check faults. | 
|  |  | 
|  | - Since PLIC is not pre-verified in a DV environment, we need to ensure these are tested | 
|  | separately. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | // CLKMGR tests: | 
|  | { | 
|  | name: chip_sw_clkmgr_idle_trans | 
|  | desc: '''Verify the ability to turn off the transactional clock via SW. | 
|  |  | 
|  | Ensure that the clock to transactional units will be turned off after any activity | 
|  | completes in the transactional IP.  Verify it is off via spinwait in hints_status CSR. | 
|  | Verify that turning off this clock does not affect the other derived clocks. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aes_idle", | 
|  | "chip_sw_hmac_enc_idle", | 
|  | "chip_sw_kmac_idle", | 
|  | "chip_sw_otbn_randomness"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_off_trans | 
|  | desc: '''Verify the turned off transactional units. | 
|  |  | 
|  | Verify CSR accesses do not complete in units that are off.  Using the watchdog timers, | 
|  | turn off a transactional unit's clock, issue a CSR access to that unit, verify a | 
|  | watchdog event results, and verify the rstmgr crash dump info records the CSR address. | 
|  |  | 
|  | A stretch goal is to check the PC corresponds to the code performing the CSR access | 
|  | (stretch since it could be difficult to maintain this check). | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_off_aes_trans", | 
|  | "chip_sw_clkmgr_off_hmac_trans", | 
|  | "chip_sw_clkmgr_off_kmac_trans", | 
|  | "chip_sw_clkmgr_off_otbn_trans"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_off_peri | 
|  | desc: '''Verify the ability to turn off the peripheral clock via SW. | 
|  |  | 
|  | Verify CSR accesses do not complete in peripherals that are off.  Using the watchdog | 
|  | timers, turn off a peripheral's clock, issue a CSR access to that peripheral, verify a | 
|  | watchdog event results, and verify the rstmgr crash dump info records the CSR address. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_off_peri"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_div | 
|  | desc: '''Verify clk division logic is working correctly. | 
|  |  | 
|  | The IP level checks the divided clocks via SVA, and these are also bound at chip level. | 
|  | Connectivity tests check peripherals are connected to the clock they expect. | 
|  | Use the clkmgr count measurement feature to verify clock division. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_external_clk_src_for_sw_fast", | 
|  | "chip_sw_clkmgr_external_clk_src_for_sw_slow", | 
|  | "chip_sw_clkmgr_external_clk_src_for_lc"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_external_clk_src_for_lc | 
|  | desc: '''Verify the clkmgr requests ext clk src during certain LC states. | 
|  |  | 
|  | On POR lc asserts lc_clk_byp_req on some LC states, and de-asserts | 
|  | it when lc_program completes. This also triggers divided clocks to step down. It may be | 
|  | best to verify this via SVA, unless we implement clock cycle counters. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_external_clk_src_for_lc"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_external_clk_src_for_sw | 
|  | desc: '''Verify SW causes the clkmgr requests ext clk src during certain LC states. | 
|  |  | 
|  | In RMA and TEST_UNLOCKED lc states the external clock is enabled in response to | 
|  | `extclk_ctrl.sel` CSR writes. In addition `extclk_ctrl.hi_speed_sel` CSR causes the | 
|  | divided clocks to step down. Verify this via SVA bound to clkmgr, and clock cycle | 
|  | counters. | 
|  |  | 
|  | Disable external clock source and verify the AST reliably falls back to the internal | 
|  | clock. Ensure the chip operates normally. | 
|  | X-ref with chip_sw_uart_tx_rx_alt_clk_freq, which needs to deal with this as well. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_external_clk_src_for_sw_fast", | 
|  | "chip_sw_clkmgr_external_clk_src_for_sw_slow"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_jitter | 
|  | desc: '''Verify the clock jitter functionality. | 
|  |  | 
|  | Enable clock jitter setting the clkmgr `jitter_enable` CSR high. This causes the | 
|  | jitter_o clkmgr output to toggle. Verify this output is connected to AST's | 
|  | clk_src_sys_jen_i input using formal. | 
|  |  | 
|  | X-ref with various specific jitter enable tests. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_jitter", | 
|  | "chip_sw_flash_ctrl_ops_jitter_en", | 
|  | "chip_sw_flash_ctrl_access_jitter_en", | 
|  | "chip_sw_otbn_ecdsa_op_irq_jitter_en", | 
|  | "chip_sw_aes_enc_jitter_en", | 
|  | "chip_sw_hmac_enc_jitter_en", | 
|  | "chip_sw_keymgr_key_derivation_jitter_en", | 
|  | "chip_sw_kmac_mode_kmac_jitter_en", | 
|  | "chip_sw_sram_ctrl_scrambled_access_jitter_en", | 
|  | "chip_sw_edn_entropy_reqs_jitter"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_extended_range | 
|  | desc: '''Verify that the system can run at a reduced, calibrated clock frequency. | 
|  |  | 
|  | This test should check that the system can run at a reduced, calibrated clock frequency | 
|  | (70MHz) with jitter enabled (which can lower the frequency down to ~55 MHz | 
|  | momentarily). This option is intended as a fall-back in case there are issues running | 
|  | the system with at 100MHz (calibrated). | 
|  |  | 
|  | This testpoint can be covered by extending the DV environment to support the extended | 
|  | range clock option via a flag, and running several existing chip-level tests with that | 
|  | option. | 
|  |  | 
|  | Test the following functionalities with reduced clock: | 
|  |  | 
|  | - flash_ctrl initialization | 
|  | - flash_ctrl program, read and erase operations | 
|  | - AES, HMAC, KMAC and OTBN operations | 
|  | - Keymgr key derivation | 
|  | - Scramble-enabled access from the main SRAM | 
|  | - Csrng edn concurrency | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_jitter_reduced_freq", | 
|  | "chip_sw_flash_ctrl_ops_jitter_en_reduced_freq", | 
|  | "chip_sw_flash_ctrl_access_jitter_en_reduced_freq", | 
|  | "chip_sw_otbn_ecdsa_op_irq_jitter_en_reduced_freq", | 
|  | "chip_sw_aes_enc_jitter_en_reduced_freq", | 
|  | "chip_sw_hmac_enc_jitter_en_reduced_freq", | 
|  | "chip_sw_keymgr_key_derivation_jitter_en_reduced_freq", | 
|  | "chip_sw_kmac_mode_kmac_jitter_en_reduced_freq", | 
|  | "chip_sw_sram_ctrl_scrambled_access_jitter_en_reduced_freq", | 
|  | "chip_sw_flash_init_reduced_freq", | 
|  | "chip_sw_csrng_edn_concurrency_reduced_freq"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_deep_sleep_frequency | 
|  | desc: '''Verify the frequency measurement through deep sleep. | 
|  |  | 
|  | Enable clock cycle counts. Put the chip in deep sleep. Upon wakeup reset the | 
|  | clock measurements should be off, but the recoverable fault status should not | 
|  | be cleared. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_ast_clk_outputs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_sleep_frequency | 
|  | desc: '''Verify the frequency measurement through shallow sleep. | 
|  |  | 
|  | Enable clock cycle counts. Put the chip in shallow sleep with pwrmgr's CONTROL CSR | 
|  | keeping some clocks disabled. Upon wakeup the clock measurements should be on, and the | 
|  | recoverable fault status should show no errors for the disabled clocks. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_sleep_frequency"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_reset_frequency | 
|  | desc: '''Verify the frequency measurement through reset. | 
|  |  | 
|  | Enable clock cycle counts, configured to cause errors. Trigger a chip reset via SW. | 
|  | After reset the clock measurements should be off and the recoverable fault status | 
|  | should be cleared. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_reset_frequency"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_clkmgr_escalation_reset | 
|  | desc: '''Verify the clock manager resets to a clean state after an escalation reset. | 
|  |  | 
|  | Trigger an internal fatal fault for the regfile onehot checker and let it escalate to | 
|  | reset. Upon alert escalation reset, the internal status should be clear and clkmgr | 
|  | should not attempt to send out more alerts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_ctrl_escalation_reset | 
|  | desc: '''Verify the flash ctrl fatal error does not disturb escalation process | 
|  | and operation of ibex core. | 
|  |  | 
|  | Trigger an internal fatal fault (host_gnt_err) from flash_ctrl | 
|  | and let it escalate to reset. Upon alert escalation reset, | 
|  | the internal status should be clean and should not send out more alerts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_crash_alert"] | 
|  | } | 
|  |  | 
|  | // PWRMGR tests: | 
|  | { | 
|  | name: chip_sw_pwrmgr_external_full_reset | 
|  | desc: '''Verify the cold boot sequence by wiggling of chip's `POR_N`. | 
|  |  | 
|  | This ensures that both FSMs are properly reset on the POR signal. The check  is that | 
|  | the processor ends up running. Also verify, the rstmgr recorded POR in `reset_info` CSR | 
|  | by checking retention SRAM for reset_reason. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_full_aon_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_random_sleep_all_wake_ups | 
|  | desc: '''Verify that the chip can go into random low power states and be woken up by ALL wake | 
|  | up sources. | 
|  |  | 
|  | This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is | 
|  | working correctly as expected. X-ref'ed with all individual IP tests. For each wakeup | 
|  | source clear and enable `wake_info` CSR, enable the wakeup from that source with the | 
|  | `wakeup_en` CSR, bring the chip to both normal and low power sleep, optionally | 
|  | disabling the source's clock, have the source issue a wakeup event and verify | 
|  | `wake_info` indicates the expected wakeup. | 
|  |  | 
|  | Each test should perform a minimum of 2 low power transitions to ensure there are no | 
|  | state dependent corner cases with wakeup interactions. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_random_sleep_all_wake_ups"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_normal_sleep_all_wake_ups | 
|  | desc: '''Verify that the chip can go into normal sleep state and be woken up by ALL wake up | 
|  | sources. | 
|  |  | 
|  | This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is | 
|  | working correctly as expected. X-ref'ed with all individual IP tests. For each wakeup | 
|  | source clear and enable `wake_info` CSR, enable the wakeup from that source with the | 
|  | `wakeup_en` CSR, bring the chip to normal sleep, optionally disabling the source's | 
|  | clock, have the source issue a wakeup event and verify `wake_info` indicates the | 
|  | expected wakeup. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_normal_sleep_all_wake_ups"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_sleep_all_reset_reqs | 
|  | desc: '''Verify that the chip can go into normal sleep state and be reset by ALL reset req | 
|  | sources. | 
|  |  | 
|  | This verifies ALL reset sources. This also verifies that the pwrmgr sequencing is | 
|  | working correctly as expected. X-ref'ed with all individual IP tests. For each reset | 
|  | source, enable the source and bring the chip to low power, issue a reset, and verify the | 
|  | rstmgr's `reset_info` indicated the expected reset by checking retention SRAM for | 
|  | reset_reason. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aon_timer_wdog_bite_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_deep_sleep_all_wake_ups | 
|  | desc: '''Verify that the chip can go into deep sleep state and be woken up by ALL wake up | 
|  | sources. | 
|  |  | 
|  | This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is | 
|  | working correctly as expected. X-ref'ed with all individual IP tests. Similar to | 
|  | chip_pwrmgr_sleep_all_wake_ups, except `control.main_pd_n` is set to 0. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_deep_sleep_all_wake_ups"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_deep_sleep_all_reset_reqs | 
|  | desc: '''Verify that the chip can go into deep sleep state and be reset up by ALL reset req | 
|  | sources. | 
|  |  | 
|  | This verifies ALL reset sources. | 
|  | - 7 resets are generated randomly with deep sleeps | 
|  | - POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req | 
|  | - esc reset is followd by normal mode because it does not work with sleep mode | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_deep_sleep_all_reset_reqs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_normal_sleep_all_reset_reqs | 
|  | desc: '''Verify that the chip can go into normal sleep state and be reset up by ALL reset req | 
|  | sources. | 
|  |  | 
|  | This verifies ALL reset sources. | 
|  | - 7 resets are generated randomly with normal sleeps | 
|  | - POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req | 
|  | - esc reset is followed by normal mode and cleared by reset because it does not work | 
|  | with sleep mode | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_normal_sleep_all_reset_reqs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_wdog_reset | 
|  | desc: '''Verify that the chip can be reset by watchdog timer reset source. | 
|  |  | 
|  | This verifies watchdog timer reset source. This also verifies that the pwrmgr sequencing | 
|  | is working correctly as expected. X-ref'ed with all individual IP tests. Similar to | 
|  | chip_pwrmgr_sleep_all_reset_reqs, except the chip is not put in low power mode. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_wdog_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_aon_power_glitch_reset | 
|  | desc: '''Verify the cold boot sequence through an AON power glitch. | 
|  |  | 
|  |  | 
|  | Pulsing the AST vcaon_supp_i input causes an AON power glitch which becomes a POR. | 
|  | This ensures that both FSMs are properly reset on the POR signal. The check is that | 
|  | the processor ends up running. Also verify, the rstmgr recorded POR in `reset_info` CSR | 
|  | by checking retention SRAM for reset_reason. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_full_aon_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_main_power_glitch_reset | 
|  | desc: '''Verify the effect of a glitch in main power rail. | 
|  |  | 
|  | The vcmain_supp_i AST input is forced to drop once the test is running. This triggers | 
|  | a MainPwr reset request, which is checked by reading retention SRAM's reset_reason to | 
|  | see that the reset_info CSR's POR bit is not set when the test restarts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_main_power_glitch_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_random_sleep_power_glitch_reset | 
|  | desc: '''Verify the effect of a glitch in main power rail in random sleep states. | 
|  |  | 
|  | The vcmain_supp_i AST input is forced to drop right after putting the chip in a random | 
|  | sleep state. This triggers a MainPwr reset request, which is checked by reading | 
|  | retention SRAM's reset_reason to show that the reset_info CSR's POR bit is not set when | 
|  | the test restarts. | 
|  |  | 
|  | Note: the glitch has to be sent in a very narrow window: | 
|  | - If sent too early the chip won't have started to process deep sleep. | 
|  | - If too late the hardware won't monitor main power okay so the glitch will have no | 
|  | effect, and the test will timeout. | 
|  |  | 
|  | Each test should perform a minimum of 2 low power transitions to ensure there are no | 
|  | state dependent corner cases with power glitch handling. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_random_sleep_power_glitch_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_deep_sleep_power_glitch_reset | 
|  | desc: '''Verify the effect of a glitch in main power rail in deep sleep. | 
|  |  | 
|  | The vcmain_supp_i AST input is forced to drop right after putting the chip in deep | 
|  | sleep. This triggers a MainPwr reset request, which is checked by reading retention | 
|  | SRAM's reset_reason to show that the reset_info CSR's POR bit is not set when the test | 
|  | restarts. | 
|  |  | 
|  | Note: the glitch has to be sent in a very narrow window: | 
|  | - If sent too early the chip won't have started to process deep sleep. | 
|  | - If too late the hardware won't monitor main power okay so the glitch will have no | 
|  | effect, and the test will timeout. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_deep_sleep_power_glitch_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_sleep_power_glitch_reset | 
|  | desc: '''Verify the effect of a glitch in main power rail in shallow sleep. | 
|  |  | 
|  | The vcmain_supp_i AST input is forced to drop after putting the chip in shallow sleep. | 
|  | This triggers a MainPwr reset request, which is checked by reading the retention SRAM's | 
|  | reset_reason shows that the reset_info CSR's POR bit is not set when the | 
|  | test restarts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_sleep_power_glitch_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_random_sleep_all_reset_reqs | 
|  | desc: '''Verify that this chip can be reset by All available reset sources. | 
|  |  | 
|  | - 12 resets are generated randomly with normal/deep sleeps | 
|  | - POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req | 
|  | - esc reset is followd by normal mode because it does not work with sleep mode | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_random_sleep_all_reset_reqs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_sysrst_ctrl_reset | 
|  | desc: '''Verify the effect of a sysrst_ctrl output in main power rail. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm that the SW is in the POR reset | 
|  | phase. | 
|  | - After sysrst reset is generated by forcing, read the reset cause register in rstmgr to | 
|  | confirm that the SW is now in the sysrst reset phase. | 
|  | - Generate sysrst by driving input PAD. | 
|  | - After reset, read the reset cause register in rstmgr to confirm that the SW is now in | 
|  | the sysrst reset phase. | 
|  | - Program the AON timer wdog to 'bark' after some time. | 
|  | - Let the bark escalate to bite, which should result in a reset request. | 
|  | - After reset, read the reset cause register in rstmgr to confirm that the SW is now in | 
|  | the wdog reset phase. | 
|  | - Program the AON timer wdog to 'bark' after some time. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_sysrst_ctrl_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_b2b_sleep_reset_req | 
|  | desc: '''Verify that the pwrmgr sequences sleep_req and reset req coming in almost at the same | 
|  | time, one after the other. Use POR_N PAD to trigger reset. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_b2b_sleep_reset_req"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_sleep_disabled | 
|  | desc: '''Verify that the chip does not go to sleep on WFI when low power hint is 0. | 
|  |  | 
|  | This calls WFI with low_power_hint disabled and pwrmgr interrupts enabled, | 
|  | and fails if the pwrmgr ISR is called. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_sleep_disabled"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_escalation_reset | 
|  | desc: '''Verify the power manager resets to a clean state after an escalation reset. | 
|  |  | 
|  | Trigger an internal fatal fault for the regfile onehot checker and let it escalate to | 
|  | reset. Upon alert escalation reset, the internal status should be clear and pwrmgr | 
|  | should not attempt to send out more alerts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets"] | 
|  | } | 
|  |  | 
|  | // RSTMGR tests: | 
|  | { | 
|  | name: chip_sw_rstmgr_non_sys_reset_info | 
|  | desc: '''Verify the `reset_info` CSR register for lc or higher resets. | 
|  |  | 
|  | Generate the 5 types of reset at `lc` level or higher, and check the retention SRAM's | 
|  | reset_reason to show that `reset_info` CSR is as expected. This and other rstmgr | 
|  | testpoints that require different resets cross-reference the individual IP tests that | 
|  | generate those resets, and this testpoint merely adds reset checks in them. Those IP | 
|  | blocks are `pwrmgr`, `alert_handler`, `aon_timer`, and `sysrst_ctrl`. | 
|  |  | 
|  | This should also check the reset's destination IP to make sure some reset side-effect | 
|  | is present. Setting some `intr_enable` CSR bit when the test starts and checking it | 
|  | after reset seems suitable. The `spi_host` IPs receive multiple resets so they will | 
|  | need special consideration. | 
|  | TODO(maturana) Add specific tests once they are developed. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_smoketest"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_sys_reset_info | 
|  | desc: '''Verify the `reset_info` CSR register for sys reset. | 
|  |  | 
|  | Generate reset triggered by `rv_dm`, which results in a sys level reset, and check the | 
|  | retention SRAM's reset_reason to show that the `reset_info` CSR is as expected. This | 
|  | testpoint cross-reference the `rv_dm` tests that generate this reset, and this | 
|  | testpoint merely adds reset checks in them. | 
|  |  | 
|  | This should also check the reset's destination IP to make sure some reset side-effect | 
|  | is present. Setting some `intr_enable` CSR bit when the test starts and checking it | 
|  | after reset seems suitable. The `spi_host` IPs receive multiple resets so they will | 
|  | need special consideration. | 
|  |  | 
|  | X-ref with chip_rv_dm_ndm_reset_req. | 
|  |  | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_rv_dm_ndm_reset_req"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_cpu_info | 
|  | desc: '''Verify the expected values from the `cpu_info` CSR on reset. | 
|  |  | 
|  | For some software induced resets we can predict the expected contents of `cpu_info`; | 
|  | reads of writes to unmapped addresses for example. Generate these resets and verify | 
|  | the `cpu_info` register contents when reset is handled. | 
|  | Refer to `chip_*sys_rstmgr_reset_info`. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_cpu_info"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_sw_req_reset | 
|  | desc: '''Verify software requested device reset. | 
|  |  | 
|  | Generate a reset request by directly writing the `reset_req` CSR. | 
|  | The reset created should be identical to those caused by hardware sources. | 
|  | After reset, the retention SRAM's reset_reason should show that the `reset_info` CSR | 
|  | reflects that a software request was the reset cause. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_sw_req"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_alert_info | 
|  | desc: '''Verify the expected values from the `alert_info` CSR on reset. | 
|  |  | 
|  | Various alerts can be created, for example, timeouts, and integrity errors, and at | 
|  | least part of the `alert_info` CSR can be predicted. To cause some of these to | 
|  | cause a reset, mask the relevant processor interrupts. Trigger these resets and | 
|  | verify the `alert_info` register contents when reset is handled. | 
|  | Refer to `chip_*sys_rstmgr_reset_info`. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_alert_info"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_sw_rst | 
|  | desc: '''Verify `sw_rst_ctrl_n` CSR resets individual peripherals. | 
|  |  | 
|  | - Pick a rw type CSR in each peripheral and program arbitrary value | 
|  | that does not cause any adverse side-effects. | 
|  | - Pulse the reset to the peripheral via software. | 
|  | - Read the resister after reset and verify it returns the reset value. | 
|  | - Repeat these steps for each of these software resettable peripherals: | 
|  | `spi_device`, `spi_host0`, `spi_host1`, `usb`, `i2c0`, `i2c1`, `i2c2`. | 
|  |  | 
|  | Notice the two `spi_host` IPs receive two different resets, `spi_host*`. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_sw_rst"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rstmgr_escalation_reset | 
|  | desc: '''Verify the reset manager resets to a clean state after an escalation reset. | 
|  |  | 
|  | Trigger an internal fatal fault for the regfile onehot checker and let it escalate to | 
|  | reset. Upon alert escalation reset, the internal status should be clear and rstmgr | 
|  | should not attempt to send out more alerts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets"] | 
|  | } | 
|  |  | 
|  | // ALERT_HANDLER (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_alert_handler_alerts | 
|  | desc: '''Verify all alerts coming into the alert_handler. | 
|  |  | 
|  | An automated SW test, which does the following (applies to all alerts in all IPs): | 
|  | - Program the alert_test CSR in each block to trigger each alert one by one. | 
|  | - Ensure that all alerts are properly connected to the alert handler and cause the | 
|  | escalation paths to trigger. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_test"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_escalations | 
|  | desc: '''Verify all alert escalation paths. | 
|  |  | 
|  | Verify all escalation paths triggered by an alert. | 
|  | - Verify the first escalation results in NMI interrupt serviced by the CPU. | 
|  | - Verify the second results in device being put in scrap state, via the LC JTAG TAP. | 
|  | - Verify the third results in chip reset. | 
|  | - Ensure that all escalation handshakes complete without errors. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_escalation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_all_escalation_resets | 
|  | desc: '''Verify escalation from all unit integrity errors | 
|  |  | 
|  | Inject integrity errors in any unit that has a one-hot checker for CSR register | 
|  | writes, and verify escalation is triggered. Allow escalation to go through reset. | 
|  | Use the rstmgr alert info and the unit's fault CSRs to check the alert cause is right. | 
|  | Each run of the test randomly chooses some one-hot checker for the error to be injected. | 
|  | Keep state across resets in flash to check the expected interrupts and the right number | 
|  | of resets occur. | 
|  | - Verify the integrity error results in a regular interrupt. | 
|  | - Verify the first escalation results in NMI serviced by the CPU. | 
|  | - Verify the alert id in both these interrupts. | 
|  | - Verify the unit's fault CSR correctly captured the fault kind. | 
|  | - Verify any timer interrupts are disabled by escalation. | 
|  | - Verify after the escalation reset all faults are cleared, and that the alert | 
|  | info captured the correct alert. | 
|  | - Check that no additional resets occur. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_irqs | 
|  | desc: '''Verify all classes of alert handler interrupts to the CPU. | 
|  |  | 
|  | X-ref'ed with the automated PLIC test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_plic_all_irqs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_entropy | 
|  | desc: '''Verify the alert handler entropy input to ensure pseudo-random ping timer. | 
|  |  | 
|  | - Force `alert_handler_ping_timer` input signal `wait_cyc_mask_i` to `8'h07` to | 
|  | shorten the simulation time. | 
|  | - Verify that the alert_handler can request EDN to provide entropy. | 
|  | - Ensure that the alert ping handshake to all alert sources and escalation receivers | 
|  | complete without errors. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_entropy"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_crashdump | 
|  | desc: '''Verify the alert handler crashdump signal. | 
|  |  | 
|  | When the chip resets due to alert escalating to cause the chip to reset, verify the | 
|  | reset cause to verify the alert crashdump. | 
|  |  | 
|  | Xref'ed with chip_sw_rstmgr_alert_info. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_alert_info"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_ping_timeout | 
|  | desc: '''Verify the alert senders' ping timeout. | 
|  |  | 
|  | Set alert_handler's ping timeout cycle to 2 and enable alert_senders. Verify that | 
|  | alert_handler detects the ping timeout and reflects it on the `loc_alert_cause` | 
|  | register. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_ping_timeout"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_lpg_sleep_mode_alerts | 
|  | desc: '''Verify alert_handler can preserve alerts during low_power mode. | 
|  |  | 
|  | - Trigger fatal alerts for all IPs but configure alert_handler so it won't trigger | 
|  | reset. | 
|  | - Randomly enter normal or deep sleep mode. | 
|  | - Wait random cycles then wake up from the sleep mode. | 
|  | - After wake up from normal sleep mode, clear all alert cause registers and check that | 
|  | all alerts are still firing after waking up. | 
|  | - Repeat the previous steps for random number of iterations. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_lpg_sleep_mode_alerts"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_lpg_sleep_mode_pings | 
|  | desc: '''Verify alert_handler's ping mechanism works correctly during sleep and wake up. | 
|  |  | 
|  | There are two scenarios to check: | 
|  | - Configure alert_handler's ping timeout register to a reasonble value that won't cause | 
|  | ping timeout in normal cases. | 
|  | Then randomly enter and exit normal or deep sleep modes. | 
|  | Check that no local alerts triggered in alert_handler. | 
|  | This scenario ensures that ping mechanism won't send out spurious failure. | 
|  | - Configure alert_handler's ping timeout register to a small value that will always | 
|  | causes ping timeout. | 
|  | Then randomly enter and exit normal or deep sleep modes. | 
|  | Clear local alert cause register and check that alert ping timeout continue to fire | 
|  | after wake up. | 
|  | This scenario ensures the ping mechanism will continue to send out pings after waking | 
|  | up from sleep modes. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_lpg_sleep_mode_pings"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_lpg_clock_off | 
|  | desc: '''Verify alert_handler's works correctly when sender clock is turned off. | 
|  |  | 
|  | - Configure clkmgr to randomly turn off one of the IP's clock and check alert_handler | 
|  | won't trigger a ping timeout error on that block. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_lpg_clkoff"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_lpg_reset_toggle | 
|  | desc: '''Verify alert_handler's works correctly when sender reset is toggled. | 
|  |  | 
|  | - Configure rstmgr to randomly toggle one IP block's SW reset and check alert_handler | 
|  | won't trigger a ping timeout error on that block. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_lpg_reset_toggle"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_alert_handler_reverse_ping_in_deep_sleep | 
|  | desc: '''Verify escalation reverse ping timer disabled in sleep mode. | 
|  |  | 
|  | Check that escalation receivers located inside always-on blocks do not auto-escalate | 
|  | due to the reverse ping feature while the system is in deep sleep. | 
|  |  | 
|  | ## Reverse ping timeout calculation | 
|  |  | 
|  | The reverse ping timeout calculation is done using the following formula available in | 
|  | `prim_esc_receiver`: | 
|  |  | 
|  | ``` | 
|  | 4  * N_ESC_SEV * (2 * 2 * 2^PING_CNT_DW) | 
|  | ``` | 
|  |  | 
|  | `pwrmgr` is the only block consuming the `N_ESC_SEV` and `PING_CNT_DW` compile time | 
|  | parameters: | 
|  |  | 
|  | ``` | 
|  | alert_handler_reg_pkg::N_ESC_SEV = 4 | 
|  | alert_handler_reg_pkg::PING_CNT_DW = 16 | 
|  | ``` | 
|  |  | 
|  | The alert escalation responder inside `pwrmgr` is connected to the `io_div4` clock, | 
|  | yielding a target 24MHz frequency. The result expected timeout based on the above | 
|  | parameters is thus: | 
|  |  | 
|  | ``` | 
|  | reverse_ping_timeout = 0.175s = (4 * 4 ( 2 * 2 * 2^16)) / 24e6 | 
|  | ``` | 
|  |  | 
|  | ## Procedure | 
|  |  | 
|  | - On POR reset: | 
|  | - Enable all alerts assigning them to ClassA. | 
|  | - Enable all local alerts and assign to ClassB. | 
|  | - Set escalation configuration to trigger before test wake up time. | 
|  | - Set ping timeout to a time less than wake up time. | 
|  | - Lock alert configuration and enable ping mechanism. | 
|  | - Wait for polling counters to cycle through by busy polling on Ibex for | 
|  | `reverse_ping_timeout >> 2` usec. | 
|  | - Configure AON to wake up device at a later time, making sure it is greater than the | 
|  | `reverse_ping_timeout` calculated in the previous section. | 
|  | - Enter deep sleep. | 
|  | - On wake up from sleep: | 
|  | - Ensure reset status is low power exit. A `kDifRstmgrResetInfoEscalation` signals | 
|  | that there was a local escalation and should result in test failure. | 
|  | - Disable AON timer. | 
|  | - Check there are no flagged local alerts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_reverse_ping_in_deep_sleep"] | 
|  | } | 
|  |  | 
|  | // LC_CTRL (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_lc_ctrl_alert_handler_escalation | 
|  | desc: '''Verify that the escalation signals from the alert handler are connected to LC ctrl. | 
|  |  | 
|  | - Trigger an alert to initiate the escalations. | 
|  | - Check that the escalation signals are connected to the LC ctrl: | 
|  | - First escalation has no effect on the LC ctrl.  Read LC_STATE CSR to confirm | 
|  | this is the case. | 
|  | - Second escalation should cause the `lc_escalation_en` output to be asserted and for | 
|  | the LC_STATE to transition to scrap state.  Confirm by reading the LC_STATE CSR | 
|  | - Verify that all decoded outputs except for escalate_en are | 
|  | disabled. X-ref'ed with the respective IP tests that consume these signals. | 
|  |  | 
|  | X-ref'ed with chip_sw_lc_ctrl_broadcast test, which verifies the connectivity of the LC | 
|  | decoded outputs to other IPs. | 
|  | X-ref'ed with alert_handler's escalation test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_alert_handler_escalation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_jtag_access | 
|  | desc: '''Verify enable to access LC ctrl via JTAG. | 
|  |  | 
|  | Using the JTAG agent, write and read LC ctrl CSRs, verify the read value for | 
|  | correctness. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_tap_straps_dev", "chip_tap_straps_prod", "chip_tap_straps_rma"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_otp_hw_cfg | 
|  | desc: '''Verify the device_ID and ID_state CSRs | 
|  |  | 
|  | - Preload the hw_cfg partition in OTP ctrl with random data. | 
|  | - Read the device ID and the ID state CSRs to verify their correctness. | 
|  | - Reset the chip and repeat the first 2 steps to verify a different set of values. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_otp_hw_cfg"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_init | 
|  | desc: '''Verify the LC ctrl initialization on power up. | 
|  |  | 
|  | Verify that the chip powers up correctly on POR. | 
|  | - The pwrmgr initiates a handshake with OTP ctrl and later, with LC ctrl in subsequent | 
|  | FSM states. Ensure that the whole power up sequence does not hang. | 
|  | - Verify with connectivity assertion checks, the handshake signals are connected. | 
|  | - Ensure that no interrupts or alerts are triggered. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_transitions | 
|  | desc: '''Verify the LC ctrl can transit from one state to another valid state with the | 
|  | correct tokens. | 
|  |  | 
|  | - Preload OTP image with a LC state and required tokens to transfer to next state. | 
|  | - Initiate an LC ctrl state transition via SW if CPU is enabled, or via JTAG interface | 
|  | if CPU is disable. | 
|  | - Ensure that the LC program request is received by the OTP ctrl. | 
|  | - Verify the updated data output from OTP ctrl to LC ctrl is correct. | 
|  | - Ensure that there is no background or otp_init error. | 
|  | - Verify that the LC ctrl has transitioned to the programmed state after a reboot. | 
|  | Re-randomize the lc_transition tokens and repeat the sequence above. | 
|  |  | 
|  | X-ref'ed chip_sw_otp_ctrl_program. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_kmac_req | 
|  | desc: '''Verify the token requested from KMAC. | 
|  |  | 
|  | - For conditional transition, the LC ctrl will send out a token request to KMAC. | 
|  | - Verify that the KMAC returns a hashed token, which should match one of the | 
|  | transition token CSRs. | 
|  |  | 
|  | X-ref'ed with chip_kmac_lc_req. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_key_div | 
|  | desc: '''Verify the keymgr div output to keymgr. | 
|  |  | 
|  | - Verify in different LC states, LC ctrl outputs the correct `key_div_o` to keymgr. | 
|  | - Verify that the keymgr uses the given `key_div_o` value to compute the keys. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_key_derivation_prod"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_broadcast | 
|  | desc: '''Verify broadcast signals from lc_ctrl. | 
|  |  | 
|  | - Preload the LC partition in the otp_ctrl with the following states: RMA, DEV, | 
|  | TEST_LOCKED[N] & SCRAP. | 
|  | - Verify that the following broadcast signals are having the right effect in the | 
|  | respective IPs that consume them: | 
|  | - lc_dft_en_o: impacts pinmux, pwrmgr, otp_ctrl, AST | 
|  | - lc_hw_debug_en_o: impacts pinmux, pwrmgr, sram_ctrl (main and ret) & the rv_dm | 
|  | - lc_keymgr_en_o: impacts keymgr | 
|  | - lc_clk_byp_req_o: impacts clkmgr (handshake with lc_clk_byp_ack_i) | 
|  | - lc_flash_rma_req_o: impacts flash_ctrl (handshake with lc_flash_ram_ack_i) | 
|  | - lc_flash_rma_seed_o: impacts flash_ctrl | 
|  | - lc_check_byp_en_o: impacts otp_ctrl | 
|  | - lc_creator_seed_sw_rw_en_o: impacts flash_ctrl & otp_ctrl | 
|  | - lc_owner_seed_sw_rw_en_o: impacts flash_ctrl | 
|  | - lc_iso_part_sw_rd_en_o: impacts flash_ctrl | 
|  | - lc_iso_part_sw_wr_en_o: impacts flash_ctrl | 
|  | - lc_seed_hw_rd_en_o: impacts flash_ctrl & otp_ctrl | 
|  | - These outputs are enabled per the | 
|  | [life cycle architecture spec](doc/security/specs/device_life_cycle/README.md#architecture). | 
|  |  | 
|  | X-ref'ed with the respective IP tests that consume these signals. | 
|  |  | 
|  | Note that the following signals are already verified with connectivity tests and SVAs: | 
|  | - lc_dft_en_o (AST connection) | 
|  | - lc_cpu_en_o (rv_core_ibex) | 
|  | - lc_nvm_debug_en_o (flash_ctrl) | 
|  | - lc_escalate_en_o (multiple) | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: [ | 
|  | "chip_prim_tl_access",                         // lc_dft_en_o: otp_ctrl | 
|  | "chip_tap_straps_dev",                         // lc_dft_en_o, lc_hw_debug_en_o: pinmux | 
|  | "chip_tap_straps_prod",                        // lc_dft_en_o, lc_hw_debug_en_o: pinmux | 
|  | "chip_tap_straps_rma",                         // lc_dft_en_o, lc_hw_debug_en_o: pinmux | 
|  | "chip_sw_rom_ctrl_integrity_check",            // lc_dft_en_o, lc_hw_debug_en_o: pwrmgr | 
|  | "chip_sw_clkmgr_external_clk_src_for_sw_fast", // lc_hw_debug_en_o: clkmgr | 
|  | "chip_sw_clkmgr_external_clk_src_for_sw_slow", // lc_hw_debug_en_o: clkmgr | 
|  | "chip_sw_sram_ctrl_execution_main",            // lc_hw_debug_en_o: sram_ctrl main | 
|  | "chip_rv_dm_lc_disabled"                       // lc_hw_debug_en_o: rv_dm | 
|  | "chip_sw_keymgr_key_derivation",               // lc_keymgr_en_o: keymgr | 
|  | "chip_sw_clkmgr_external_clk_src_for_lc",      // lc_clk_byp_req_o: clkmgr | 
|  | "chip_sw_flash_rma_unlocked",                  // lc_flash_rma_req_o, lc_flash_rma_seed_o: flash_ctrl | 
|  | "chip_sw_lc_ctrl_transition",                  // lc_check_byp_en_o: otp_ctrl | 
|  | "chip_sw_flash_ctrl_lc_rw_en",                 // lc_creator*, lc_seed*, lc_owner*, lc_iso*: flash_ctrl | 
|  | "chip_sw_otp_ctrl_lc_signals_test_unlocked0",  // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl | 
|  | "chip_sw_otp_ctrl_lc_signals_dev",             // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl | 
|  | "chip_sw_otp_ctrl_lc_signals_prod",            // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl | 
|  | "chip_sw_otp_ctrl_lc_signals_rma",             // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl | 
|  | ] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_ctrl_kmac_error | 
|  | desc: ''' | 
|  | Verify the effect of KMAC returning an error during the hash generation of LC tokens. | 
|  |  | 
|  | - Follow the steps in `chip_sw_lc_ctrl_kmac_req` test. | 
|  | - While the KMAC is actively computing the digest, glitch the KMAC app sparse FSM to | 
|  | trigger a fault. | 
|  | - Verify that KMAC returns an error signal to the LC controller. | 
|  | - TBD | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  |  | 
|  | // SYSRST_CTRL (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_inputs | 
|  | desc: '''Verify that the SYSRST ctrl input pin values can be read. | 
|  |  | 
|  | - Drive a known value on ac_reset, ec_rst_l, flash_wp_l, pwrb, lid_open and key* pins at | 
|  | the chip inputs. | 
|  | - Read the pin_in_value CSR to check for correctness. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_inputs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_outputs | 
|  | desc: '''Verify that the SYSRST ctrl output pin values can be set. | 
|  |  | 
|  | - Drive a known value on ac_reset, ec_rst_l, flash_wp_l, pwrb, lid_open and key* pins | 
|  | at the chip inputs. | 
|  | - Verify that SYSRST ctrl correctly loops them back to the chip outputs. | 
|  | - Write the pin_allowed_ctl register to allow some of the pins to be overridden with | 
|  | either 0 or 1 or both. | 
|  | - Write the pin_out_ctl register to enable the override on some of the pins. | 
|  | - Write the pin_out_value register to set known values on those pins. | 
|  | - Verify that at the chip outputs, pins on which override should be active is | 
|  | reflecting the overridden values. All others should reflect the values driven on chip | 
|  | inputs. | 
|  | - Via assertion checks (or equivalent) verify that the transitions at the inputs | 
|  | immediately reflect at the outputs, if not intercepted / debounced by sysrst_ctrl. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_outputs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_in_irq | 
|  | desc: '''Verify the SYSRST ctrl can detect an input combination to signal an interrupt. | 
|  |  | 
|  | - Program a specific combination of transitions on pwrb, key*, ac_present and ec_reset_l | 
|  | pins to trigger an interrupt by writing to key_intr_ctl register. | 
|  | - Program the key_intr_debounce_ctl register to debounce an appropriate time. | 
|  | - Enable the interrupt at SYSRST ctrl as well as at the PLIC. | 
|  | - Create glitches only for some time less than detection time and check that there is no | 
|  | - interrupt triggered. | 
|  | - Glitch the inputs at the chip IOs before stabilizing on the programmed transitions. | 
|  | - SW services the interrupt when triggered, verifies the pin input value and | 
|  | key_intr_status for correctness and clears the interrupt status. | 
|  | - Verify separately, each key combination sufccessfully generates an interrupt. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_in_irq"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_sleep_wakeup | 
|  | desc: '''Verify the SYSRST ctrl can wake up the chip from deep sleep. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm we are in POR reset phase. | 
|  | - Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as | 
|  | a low power wakeup signal for the pwrmgr. | 
|  | - Program the associated detection timer. | 
|  | - Program the detection outcome CSR's (com_out_ctl) interrupt bit to 1. | 
|  | - Program the pwrmgr to put the chip in deep sleep state and wake up on chip wake up | 
|  | event. | 
|  | - Issue a WFI to bring the chip in low power state. | 
|  | - After the chip has entered low power mode, set the SYSRST ctrl inputs at the chip IOs | 
|  | to the programmed combination for the duration of the detection timer. | 
|  | - Read the reset cause register to confirm wake up from low power exit phase. | 
|  | - Read the pwrmgr wake up status register to confirm chip wake up. | 
|  | - Read the pin input value and the combo_intr_status CSRs to verify the correct | 
|  | combination on inputs woke up the chip from sleep. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_reset | 
|  | desc: '''Verify the SYSRST ctrl can reset the chip from normal state. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm we are in POR reset phase. | 
|  | - Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as | 
|  | the chip reset signal. | 
|  | - Program the associated detection timer. | 
|  | - Program the detection outcome CSR's (com_out_ctl) chip reset bit to 1. | 
|  | - After some time, set the SYSRST ctrl inputs at the chip IOs to the programmed | 
|  | combination for the duration of the detection timer. | 
|  | - The pwrmgr will power cycle the chip once it receives the chip reset input. | 
|  | - Check that ec_rst_l and flash_wp_l (on pads IOR8 and IOR9) are asserted right after | 
|  | the pwrmgr has power cycled the system. | 
|  | - Read the reset cause register after boot up to confirm peripheral reset phase. | 
|  | - Read the pwrmgr reset status register to confirm chip reset. | 
|  | - Read the com_sel_ctl_* CSR in SYSRST ctrl we programmed earlier - it should have been | 
|  | reset. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_sleep_reset | 
|  | desc: '''Verify the SYSRST ctrl can reset the chip from deep sleep. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm we are in POR reset phase. | 
|  | - Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as | 
|  | the chip reset signal. | 
|  | - Program the associated detection timer. | 
|  | - Program the detection outcome CSR's (com_out_ctl) chip reset bit to 1. | 
|  | - Program the pwrmgr to put the chip in deep sleep state and allow it to be reset by the | 
|  | chip reset bit. | 
|  | - Issue a WFI to bring the chip in low power state. | 
|  | - After the chip has entered low power mode, set the SYSRST ctrl inputs at the chip IOs | 
|  | to the programmed combination for the duration of the detection timer. | 
|  | - The pwrmgr will power cycle the chip from the deep sleep state once it receives the | 
|  | chip reset input. | 
|  | - Read the reset cause register after boot up to confirm peripheral reset phase. | 
|  | - Read the pwrmgr reset status register to confirm chip reset. | 
|  | - Read the com_sel_ctl_* CSR in SYSRST ctrl we programmed earlier - it should have been | 
|  | reset. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_reset"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_ec_rst_l | 
|  | desc: '''Verify that the ec_rst_l stays asserted on power-on-reset until SW can control it. | 
|  |  | 
|  | - Verify that ec_rst_l stays asserted as the chip is brought out of reset. | 
|  | - Verify that the pin continues to remain low until SW is alive. | 
|  | - Have the SW write to pin_allowed|out_ctrl CSRs to control the ec_rst_l value and | 
|  | verify the value at the chip output. | 
|  | - Optionally, also verify ec_rst_l pulse stretching by setting the ec_rst_ctl register | 
|  | with a suitable pulse width. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_ec_rst_l"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_flash_wp_l | 
|  | desc: '''Verify that the flash_wp_l stays asserted on power-on-reset until SW can control it. | 
|  |  | 
|  | - Exactly the same as chip_sysrst_ctrl_ec_rst_l, but covers the flash_wp_l pin. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sysrst_ctrl_ec_rst_l"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sysrst_ctrl_ulp_z3_wakeup | 
|  | desc: '''Verify the z3_wakeup signaling. | 
|  |  | 
|  | - Start off with ac_present = 0, lid_open = 0 and pwrb = 0 at the chip inputs. | 
|  | - Program the ulp_ac|lid|pwrb_debounce_ctl registers to debounce these inputs for an | 
|  | appropriate time. | 
|  | - Enable the ULP wakeup feature by writing to the ulp_ctl register. | 
|  | - Read the ulp_wakeup register and verify that no wakeup event is detected, after some | 
|  | amount of delay. | 
|  | - Glitch the lid_open input at the chip IOs before stabilizing on value 1. | 
|  | - Read the ulp_wakeup register to verify that the wakeup event is detected this time. | 
|  | - Verify that the z3_wakeup output at the chip IOs is reflecting the value of 1. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: [ | 
|  | "chip_sw_adc_ctrl_sleep_debug_cable_wakeup", | 
|  | "chip_sw_sysrst_ctrl_ulp_z3_wakeup" | 
|  | ] | 
|  | } | 
|  |  | 
|  | // ADC_CTRL (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_adc_ctrl_debug_cable_irq | 
|  | desc: '''Verify that the ADC correctly detects the voltage level programmed for each channel. | 
|  |  | 
|  | - Program both ADC channels to detect mutually exclusive range of voltages. Setting only | 
|  | one filter CSR is sufficient. | 
|  | - Program the ADC intr ctrl CSR to detect the selected filter on both channels. | 
|  | Enable the debug cable interrupt at ADC ctrl as well as PLIC. | 
|  | - Enable the ADC ctrl to run with defaults in normal mode (depending on simulation | 
|  | runtime). | 
|  | - Verify through assertion checks, the ADC with AST stays powered down periodically in | 
|  | slow scan mode. | 
|  | - After some time, force the ADC output of AST to be a value within the programmed range | 
|  | for each channel. Glitch it out of range for some time before stabilizing to ensure | 
|  | that debouce logic works. | 
|  | - Service the debug cable irq. Read the intr status register to verify that the selected | 
|  | filter caused the interrupt to fire. Read the ADC channel value register to verify the | 
|  | correctness of the detected value that was forced in the AST for each channel. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_adc_ctrl_sleep_debug_cable_wakeup"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_adc_ctrl_sleep_debug_cable_wakeup | 
|  | desc: '''Verify that in deep sleep, ADC ctrl can signal the ADC within the AST to power down. | 
|  |  | 
|  | - Read the reset cause register in rstmgr to confirm we are in POR reset phase. | 
|  | - Follow the same steps as chip_adc_ctrl_debug_cable_irq, but instead of programming the | 
|  | selected filter to interrupt, program it to wake up the chip from sleep. | 
|  | - Program the pwrmgr to put the chip in deep sleep state and wake up on debug cable | 
|  | detection. | 
|  | - Issue a WFI to bring the chip in low power state. | 
|  | - After some time, force the ADC output of AST to be a value within the programmed | 
|  | filter range. That should cause the pwrmgr to wake up. | 
|  | - Read the reset cause register to confirm wake up from low power exit phase. | 
|  | - Read the pwrmgr wake up status register to confirm wake up was due to debug cable | 
|  | detection. | 
|  | - Read the ADC channel value register to verify the correctness of the detected value | 
|  | that was forced in the AST. | 
|  | - Repeat for both ADC channels. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_adc_ctrl_sleep_debug_cable_wakeup"] | 
|  | } | 
|  |  | 
|  | /////////////////////////////////////////////////////// | 
|  | // Security Peripherals                              // | 
|  | // AES, HMAC, KMAC, CSRNG, ENTROPY_SRC, KEYMGR, OTBN // | 
|  | /////////////////////////////////////////////////////// | 
|  |  | 
|  | // AES (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_aes_enc | 
|  | desc: '''Verify the AES operation. | 
|  |  | 
|  | Write a 32-byte key and a 16-byte plain text to the AES registers and trigger the AES | 
|  | computation to start. Wait for the AES operation to complete by polling the status | 
|  | register. Check the digest registers for correctness against the expected digest value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aes_enc", | 
|  | "chip_sw_aes_enc_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aes_entropy | 
|  | desc: '''Verify the AES entropy input used by the internal PRNGs. | 
|  |  | 
|  | - Write the initial key share, IV and data in CSRs (known combinations). | 
|  | - Configure the entropy_src to generate entropy in LFSR mode. | 
|  | - Write the PRNG_RESEED bit to reseed the internal state of the PRNG. | 
|  | - Poll the status idle bit to ensure reseed operation is complete. | 
|  | - Trigger the AES operation to run and wait for it to complete. | 
|  | - Check the digest against the expected value. | 
|  | - Write the KEY_IV_DATA_IN_CLEAR and DATA_OUT_CLEAR trigger bits to 1 and wait for it to | 
|  | complete by polling the status idle bit. | 
|  | - Read back the data out CSRs - they should all read garbage values. | 
|  | - Assertion check verifies that the IV are also garbage, i.e. different from the | 
|  | originally written values. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aes_entropy"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aes_idle | 
|  | desc: '''Verify AES idle signaling to clkmgr. | 
|  |  | 
|  | - Write the AES clk hint to 0 within clkmgr to indicate AES clk can be gated and | 
|  | verify that the AES clk hint status within clkmgr reads 0 (AES is disabled). | 
|  | - Write the AES clk hint to 1 within clkmgr to indicate AES clk can be enabled. | 
|  | - Initiate an AES operation with a known key, plain text and digest, write AES clk | 
|  | hint to 0 and verify that the AES clk hint status within clkmgr now reads 1 (AES | 
|  | is enabled), before the AES operation is complete. | 
|  | - After the AES operation is complete verify that the AES clk hint status within | 
|  | clkmgr now reads 0 again (AES is disabled). | 
|  | - Write the AES clk hint to 1, read and check the AES output for correctness. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aes_idle"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aes_sideload | 
|  | desc: '''Verify the AES sideload mechanism. | 
|  |  | 
|  | - Configure the keymgr to generate an aes key. | 
|  | - Configure the AES to use the sideloaded key. | 
|  | - Load the plaintext into the AES. | 
|  | - Trigger the AES encryption and wait for it to complete. | 
|  | - Verify that the ciphertext is different from the plaintext. | 
|  | - Load the ciphertext into the AES. | 
|  | - Trigger the AES decryption and wait for it to complete. | 
|  | - Verify that the output is equal to the plain text. | 
|  | - Clear the key in the keymgr and decrypt the ciphertext again. | 
|  | - Verify that output is not equal to the plain text. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_sideload_aes"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_aes_masking_off | 
|  | desc: '''Verify the AES masking off feature for ES. | 
|  |  | 
|  | - Perform known-answer test using CSRNG SW application interface. | 
|  | - Verify CSRNG produces the deterministic seed leading to an all-zero output of the AES | 
|  | masking PRNG. | 
|  | - Configure EDN to perform a CSRNG instantiate followed by repeated generate and reseed | 
|  | commands using the maximum amount of additional data and no entropy input in automatic | 
|  | mode. | 
|  | - Let CSRNG produce and forward to EDN the deterministic seed leading to an all-zero | 
|  | output of the AES masking PRNG. | 
|  | - Initialize AES and set the force_masks configuration bit. | 
|  | - Configure an AES key of which the second share is zero. | 
|  | - Trigger a reseed operation of the masking PRNG inside AES to load the deterministic | 
|  | seed produced by CSRNG and distributed by EDN. | 
|  | - Verify that the masking PRNG outputs an all-zero vector. | 
|  | - Encrypt a message of multiple blocks using AES. | 
|  | - Verify that the second share of the initial, intermediate and output state is zero. | 
|  | - Verify that the second share of the SubBytes input and output is zero. | 
|  | - Verify that the produced cipher text is correct. | 
|  | ''' | 
|  | stage: V2S | 
|  | tests: ["chip_sw_aes_masking_off"] | 
|  | } | 
|  |  | 
|  | // HMAC (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_hmac_enc | 
|  | desc: '''Verify HMAC operation. | 
|  |  | 
|  | SW test verifies an HMAC operation with a known key, plain text and digest (pick one of | 
|  | the NIST vectors). SW test verifies the digest against the pre-computed value. Verify | 
|  | the HMAC done and FIFO empty interrupts as a part of this test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_hmac_enc", | 
|  | "chip_sw_hmac_enc_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_hmac_idle | 
|  | desc: '''Verify the HMAC clk idle signal to clkmgr. | 
|  |  | 
|  | - Write the HMAC clk hint to 0 within clkmgr to indicate HMAC clk can be gated and | 
|  | verify that the HMAC clk hint status within clkmgr reads 0 (HMAC is disabled). | 
|  | - Write the HMAC clk hint to 1 within clkmgr to indicate HMAC clk can be enabled. | 
|  | Verify that the HMAC clk hint status within clkmgr reads 1 (HMAC is enabled). | 
|  | - Initiate an HMAC operation with a known key, plain text and digest. | 
|  | Write HMAC clock hint to 0 and verify the HMAC clk hint status within clkmgr reads 1 | 
|  | (HMAC is enabled), before the HMAC operation is complete. | 
|  | - After the HMAC operation is complete, verify the digest for correctness. Verify that | 
|  | the HMAC clk hint status within clkmgr now reads 0 again (HMAC is disabled). | 
|  | - This process is repeated for two hmac operations needed to verify the resulting hmac | 
|  | digest. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_hmac_enc_idle"] | 
|  | } | 
|  |  | 
|  | // KMAC pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_kmac_enc | 
|  | desc: '''Verify the SHA3 operation. | 
|  |  | 
|  | SW test verifies SHA3 operation with a known key, plain text and digest (pick one of | 
|  | the NIST vectors). SW validates the reception of kmac done and fifo empty interrupts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_kmac_mode_cshake", "chip_sw_kmac_mode_kmac", | 
|  | "chip_sw_kmac_mode_kmac_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_kmac_app_keymgr | 
|  | desc: '''Verify the keymgr interface to KMAC. | 
|  |  | 
|  | - Configure the keymgr to start sending known message data to the KMAC. | 
|  | - Keymgr should transmit a sideloaded key to the KMAC as well. | 
|  | - KMAC should finish hashing successfully (not visible to SW) and return digest to | 
|  | keymgr. | 
|  | - This digest is compared against the known digest value for correctness. | 
|  | - Verify that the keymgr has received valid output from the KMAC. | 
|  |  | 
|  | X-ref'ed with keymgr test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_key_derivation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_kmac_app_lc | 
|  | desc: '''Verify the LC interface to KMAC. | 
|  |  | 
|  | - Configure the LC_CTRL to start a token hash using KMAC interface. | 
|  | - KMAC should finish hashing successfully (not visible to SW) and return digest to | 
|  | LC_CTRL. | 
|  |  | 
|  | X-ref'ed with LC_CTRL test/env. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_kmac_app_rom | 
|  | desc: '''Verify the ROM interface to KMAC. | 
|  |  | 
|  | - Backdoor initialize ROM memory immediately out of reset. | 
|  | - ROM will send message to the KMAC containing its memory contents, | 
|  | - KMAC will hash and return the digest to the ROM. | 
|  | - ROM will compare received digest against its first 8 logical memory lines for | 
|  | correctness. | 
|  |  | 
|  | X-ref'ed with ROM_CTRL test/env. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_kmac_app_rom"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_kmac_entropy | 
|  | desc: '''Verify the EDN interface to KMAC. | 
|  |  | 
|  | Requires `EnMasking` parameter to be enabled. | 
|  | SW randomly configures the KMAC in any hashing mode/strength, and enable EDN mode. | 
|  | Randomly enable/disable the `entropy_refresh`. | 
|  | Randomly configure `wait_timer` values (zero for disable, non-zero for timer expire). | 
|  | - Program `wait_timer` to a small value. | 
|  | Check if EDN timeout error occurs after issuing the hashing op. | 
|  | - Adjust `wait_timer` greater than expected EDN latency (with correct `prescaler` | 
|  | too). Then check if Digest is correct. | 
|  | KMAC should send EDN request after `entropy_ready` is set. | 
|  | KMAC also should send out another request to EDN when either: | 
|  | - kmac hash counter hits the configured threshold (assuming it is non-zero) | 
|  | - Hash count exceeds the threshold. | 
|  | SW verifies that KMAC produces the correct digest value. | 
|  |  | 
|  | TODO: This is pending security review discussion. It is unclear if this feature will be | 
|  | implemented. | 
|  |  | 
|  | X-ref'ed with EDN test/env. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_kmac_entropy"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_kmac_idle | 
|  | desc: '''Verify the KMAC idle signaling to clkmgr. | 
|  |  | 
|  | - Write the KMAC clk hint to 0 within clkmgr to indicate KMAC clk can be gated and | 
|  | verify that the KMAC clk hint status within clkmgr reads 0 (KMAC is disabled). | 
|  | - Write the KMAC clk hint to 1 within clkmgr to indicate KMAC clk can be enabled. | 
|  | Verify that the KMAC clk hint status within clkmgr reads 1 (KMAC is enabled). | 
|  | - Initiate a KMAC operation with a known key, plain text and digest. | 
|  | Write KMAC clock hint to 0 and verify the KMAC clk hint status within clkmgr reads 1 | 
|  | (KMAC is enabled), before the KMAC operation is complete. | 
|  | - After the KMAC operation is complete, verify the digest for correctness. Verify that | 
|  | the KMAC clk hint status within clkmgr now reads 0 again (KMAC is disabled). | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_kmac_idle"] | 
|  | } | 
|  |  | 
|  | // ENTROPY_SRC (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_entropy_src_ast_rng_req | 
|  | //TODO(#13460): A dv enginner should add an assertion to check the connectivity for this test. | 
|  | desc: '''Verify the RNG req to ast. | 
|  |  | 
|  | - Program the entropy src in normal RNG mode. | 
|  | - Route the entropy data received from RNG to the FIFO. | 
|  | - Verify that the FIFO depth is non-zero via SW - indicating the reception of data over | 
|  | the AST RNG interface. | 
|  | - Verify the correctness of the received data with assertion based connectivity checks. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_entropy_src_ast_rng_req"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_entropy_src_csrng | 
|  | desc: '''Verify the transfer of entropy bits to CSRNG. | 
|  |  | 
|  | Verify the entropy valid interrupt. | 
|  | At the CSRNG, validate the reception of entropy req interrupt. | 
|  |  | 
|  | - Disable edn0, edn1, csrng and entropy_src, as these are enabled by the test ROM. | 
|  | - Enable entropy_src in fips mode routing data to csrng. | 
|  | - Enable csrng and enable the entropy request interrupt. | 
|  | - Issue csrng instantiate and reseed commands. Check that for each csrng command, | 
|  | there is a corresponding entropy request interrupt. | 
|  | - Generate output and ensure the data output is valid, and that csrng is not reporting | 
|  | any errors. | 
|  | - Issue instantiate and reseed commands from edn0 and edn1. Check that for each | 
|  | command, there is a corresponding entropy request interrupt. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_entropy_src_csrng"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_entropy_src_cs_aes_halt | 
|  | desc: '''Verify the `entropy_src`'s aes halt handshake with CSRNG. | 
|  |  | 
|  | - Through one of the application interfaces of CSRNG, issue a reseed command. This can | 
|  | be done via a hardware peripheral requesting entropy via EDN. | 
|  | - Through the SW application interface, issue a generate command. | 
|  | - While the CSRNG is performing the generate operation, issue another reseed command | 
|  | via the first application interface. Verify via backdoor probes, the SHA3 in the | 
|  | entropy_src module is triggered at the same time the AES engine in CSRNG is | 
|  | performing an operation. | 
|  | - The second reseed command should trigger the entropy_src to request that the CSRNG | 
|  | halts the AES engine until entropy is available. Verify via assertion checks, the halt | 
|  | request successfully completed. Also verify that the AES engine is indeed paused | 
|  | during this time. | 
|  |  | 
|  | Note: There may be existing tests that already create this scenario. It should be | 
|  | sufficient to augment those tests with the backdoor / assertion checks. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_sw_entropy_src_fuse_en_fw_read | 
|  | desc: '''Verify the fuse input entropy_src. | 
|  |  | 
|  | - Initialize the OTP with the fuse that controls whether the SW can read the entropy src | 
|  | enabled. | 
|  | - Read the OTP and verify that the fuse is enabled. | 
|  | - Read the entropy_data_fifo via SW and verify that it reads valid values. | 
|  | - Reset the chip, but this time, initialize the OTP with with the fuse disabled. | 
|  | - Read the OTP and verify that fuse is disabled. | 
|  | - Read the internal state via SW and verify that the entropy valid bit is zero. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_entropy_src_fuse_en_fw_read_test"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_entropy_src_known_answer_tests | 
|  | desc: '''Verify our ability to run known-answer tests in SW. | 
|  |  | 
|  | - Configure the device in firmware-bypass mode. | 
|  | - Feed NIST test-defined entropy sequences into the conditioner | 
|  | - Read the entropy_data_fifo via SW; verify that it reads the expected values. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_entropy_src_kat_test"] | 
|  | } | 
|  |  | 
|  | // CSRNG (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_csrng_edn_cmd | 
|  | desc: '''Verify incoming command interface from EDN. | 
|  |  | 
|  | - Have each EDN instance issue an instantiate, reseed and generate command to CSRNG. | 
|  | - On each command done, verify the reception of edn cmd req done interrupt. | 
|  | - Run OTBN randomness test to test the output from EDN0 and EDN1. | 
|  | - Check the data returned to EDN via connectivity assertion checks. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_entropy_src_csrng"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_csrng_fuse_en_sw_app_read | 
|  | desc: '''Verify the fuse input to CSRNG. | 
|  |  | 
|  | - Initialize the OTP with the fuse that control whether the SW can read the CSRNG state | 
|  | enabled. | 
|  | - Issue an instantiate command to request entropy. | 
|  | - Verify that SW can read the internal state values. | 
|  | - Reset the chip and repeat the steps above, but this time, initialized the OTP with | 
|  | fuse disabled. | 
|  | - Verify that the SW reads back all zeros when reading the internal state values. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_csrng_fuse_en_sw_app_read_test"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_csrng_lc_hw_debug_en | 
|  | desc: '''Verify the effect of LC HW debug enable on CSRNG. | 
|  |  | 
|  | lc_hw_debug_en is used to diversify the csrng seed. | 
|  | - Configure entropy_src into bypassing the conditioner and directly inject known | 
|  | entropy. | 
|  | - Instantiate CSRNG with the known entropy while in TEST state (hw_debug_en = 1). | 
|  | - Retrieve entropy from csrng and save it in flash and reset the system. | 
|  | - Run the process again and ensure the exact same result can be reproduced (similar to | 
|  | KAT). | 
|  | - Advance the device to PROD or DEV state. | 
|  | - Again configure entropy_src to bypass the conditioner and use direct injection. | 
|  | - Instantiate CSRNG with the same fixed seed and fetch entropy again while in the NEW | 
|  | state. | 
|  | - The newly fetched entropy and the old entropy stored in flash should not match. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_csrng_lc_hw_debug_en_test"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_csrng_known_answer_tests | 
|  | desc: '''Verify our ability to run known-answer tests in SW. | 
|  |  | 
|  | - Configure the software instance with the expected seed (as per | 
|  | the NIST-specified test for CTR_DRBG operation). Compare the | 
|  | DRBG internal K and V state against the test vector expected | 
|  | values. | 
|  | - Perform generate operations as required by the test vector. | 
|  | - Compare the results to test expectations. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_csrng_kat_test"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_csrng_edn_error | 
|  | desc: '''Verify the outcome of an error response generated by CSRNG when processing an EDN | 
|  | request. | 
|  |  | 
|  | - Inject a fault in CSRNG while it is processing a request from EDN so that it returns | 
|  | an error response to EDN. | 
|  | - TODO(#16516): How does EDN respond to the error? | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | // EDN (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_edn_entropy_reqs | 
|  | desc: '''Verify the entropy requests from all peripherals. | 
|  |  | 
|  | Verify that there are no misconnects between each peripheral requesting entropy. | 
|  | TODO: system level scenario: have all entropy sources request entropy in the same test | 
|  | one after to show boot to post boot load, cycling all entropy blocks off and on again. | 
|  | Ensure there are no deadlocks and everything works as expected. | 
|  | X'ref'ed with each IP test that requsts entropy from EDN. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_edn_entropy_reqs", | 
|  | "chip_sw_csrng_edn_concurrency"] | 
|  | } | 
|  |  | 
|  | // KEYMGR (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_keymgr_key_derivation | 
|  | desc: '''Verify the keymgr advances to all states and generate identity / SW output. | 
|  |  | 
|  | - In the SW test, write fixed value to OTP for root_key and write creator and owner | 
|  | seeds in flash. And then roboot the chip. | 
|  | - In the SV sequence, backdoor read Device ID and ROM digest through CSRs. | 
|  | - For HardwareRevisionSecret, use the constant values in design. | 
|  | - Configure the keymgr and advance to `CreatorRootKey` and `OwnerIntermediateKey`. | 
|  | - Check keymgr internal keys after advance operations. | 
|  | - Generate identity / SW output for the Sealing CDI. | 
|  | - No need to test the Attestation CDI in chip-level as the only difference is to | 
|  | use another set of CSR values, and the rest of inputs are the same as the Sealing | 
|  | CDI. | 
|  | - KMAC should finish hashing successfully (not visible to SW) and return digest to | 
|  | keymgr. | 
|  | - Read keymgr CSRs `SW_SHARE*` and verify the return values. | 
|  | - Advance to `Disabled` and verify keymgr enters the state successfully. | 
|  |  | 
|  | - For each operation, wait for the interrupt `op_done` to be triggered and check CSR | 
|  | `op_status` is `DONE_SUCCESS`. | 
|  |  | 
|  | - Note: there are 3 ways of calculating the expected digest for comparison. Any of them | 
|  | is acceptable. | 
|  | - Use SW to calculate that, and it will also exercise the Ibex. | 
|  | - SW sends all the keys through CSRs to KMAC to generate the degist data. | 
|  | - DV calls C functions to generate and backdoor load to a specific memory location | 
|  | for SW. (Adpot this approach.) | 
|  |  | 
|  | X-ref'ed with kmac test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_key_derivation", "chip_sw_keymgr_key_derivation_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_keymgr_sideload_kmac | 
|  | desc: '''Verify the keymgr sideload interface to KMAC. | 
|  |  | 
|  | - Configure the keymgr and advance to the `OwnerIntKey` state. | 
|  | - Request keymgr to generate hw key for KMAC sideload key slot. | 
|  | - Request KMAC operation with sideload key configuration. | 
|  | - Verify the digest for correctness (should match the DV-side result). | 
|  | - Clear keymer's KMAC sideload key slot. | 
|  | - Request KMAC operation with sideload key configuration. | 
|  | - Verify the digest value has changed. | 
|  | - Request keymgr to derive the same key for the KMAC sideload key slot. | 
|  | - Request KMAC operation with sideload key configuration. | 
|  | - Verify the digest for correctness (should match the DV-side result again). | 
|  |  | 
|  | X-ref'ed with chip_kmac_app_keymgr test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_sideload_kmac"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_keymgr_sideload_aes | 
|  | desc: '''Verify the keymgr sideload interface to AES. | 
|  |  | 
|  | Same as `chip_keymgr_sideload_kmac`, except, sideload to AES. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_sideload_aes"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_keymgr_sideload_otbn | 
|  | desc: '''Verify the keymgr sideload interface to OTBN. | 
|  |  | 
|  | Load OTBN binary image, the rest is similar to `chip_keymgr_sideload_kmac`, except | 
|  | sideloading to otbn. | 
|  |  | 
|  | Clear the sideload key once done. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_sideload_otbn"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_keymgr_sideload_kmac_error | 
|  | desc: ''' | 
|  | Verify the effect of KMAC returning an error during a keymgr operation. | 
|  |  | 
|  | - Configure keymgr to enter any of the 3 working states. | 
|  | - Issue a keymgr operation. | 
|  | - While the KMAC is actively computing the digest, glitch the KMAC app sparse FSM to | 
|  | trigger a fault. | 
|  | - Verify that KMAC returns an error signal to the keymgr via checking keymgr CSRs, when | 
|  | the operation is done: | 
|  | - Check `op_status` is set to `DONE_ERROR`. | 
|  | - Check `fault_status.kmac_done` is set to 1. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | // OTBN (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_otbn_op | 
|  | desc: '''Verify an OTBN operation. | 
|  |  | 
|  | - SW test directs the OTBN engine to perform an ECDSA operation. | 
|  | - SW validates the reception of the otbn done interrupt once the operation is complete. | 
|  | - SW verifies the correctness of the result with the expected value which is | 
|  | pre-computed using a reference model. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_otbn_ecdsa_op_irq", | 
|  | "chip_sw_otbn_ecdsa_op_irq_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otbn_rnd_entropy | 
|  | desc: '''Verify OTBN can fetch RND numbers from the entropy src. | 
|  |  | 
|  | - SW initializes the entropy subsystem to generate randomness. | 
|  | - SW loads an OTBN app that executes instructions to read the RND bits. | 
|  | - The OTBN app ensures that the values when read consequtively do not match, and its not | 
|  | all 0s or all 1s, as a basic measure to ensure that the entropy subsystem is returning | 
|  | some data. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_otbn_randomness"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otbn_urnd_entropy | 
|  | desc: '''Verify OTBN can fetch URND numbers from the entropy src. | 
|  |  | 
|  | - Similar to chip_otbn_rnd_entropy, but verifies the URND bits. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests:  ["chip_sw_otbn_randomness"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otbn_idle | 
|  | desc: '''Verify the OTBN idle signal to clkmgr. | 
|  |  | 
|  | - Write the OTBN clk hint to 0 within clkmgr to indicate OTBN clk can be gated | 
|  | and verify that the OTBN clk hint status within clkmgr reads 0 (OTBN is disabled). | 
|  | - Write the OTBN clk hint to 1 within clkmgr to indicate OTBN clk can be enabled. | 
|  | Verify that the OTBN clk hint status within clkmgr reads 1 (OTBN is enabled). | 
|  | - Start an OTBN operation, write the OTBN clk hint to 0 within clkmgr and verify that | 
|  | the OTBN clk hint status within clkmgr reads 1 (OTBN is enabled) before the | 
|  | OTBN operation is complete. | 
|  | - After the OTBN operation is complete, verify that the OTBN clk hint status within | 
|  | clkmgr now reads 0 again (OTBN is disabled). | 
|  | - Write the OTBN clk hint to 1, read and check the OTBN output for correctness. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_otbn_randomness"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otbn_mem_scramble | 
|  | desc: '''Verify the OTBN can receive keys from the OTP to scramble the OTBN imem and dmem. | 
|  |  | 
|  | - Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already | 
|  | done by the test_rom startup code). | 
|  | - Extract random address offsets from RV_CORE_IBEX_RND_DATA. | 
|  | - Wait for OTBN to be idle. | 
|  | - Write random address offsets in OTBN imem and dmem. | 
|  | - Read back the written address offsets and compare against expected values. All values | 
|  | must match, no integrity errors must be triggered. | 
|  | - Have OTBN fetch new keys and nonces from the OTP_CTRL. | 
|  | - Wait for OTBN to be idle. | 
|  | - Read back the written address offsets. Most reads should trigger integrity errors. It | 
|  | is possible that after re-scrambling the integrity bits are still valid. But this is | 
|  | expected to happen rarely. If the number of observed integrity errors is below a | 
|  | chosen threshold, the test fails. | 
|  | - Verify the validity of EDN's output to OTP_CTRL via assertions | 
|  | (unique, non-zero data). | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_otbn_mem_scramble"] | 
|  | } | 
|  |  | 
|  | ///////////////////////////////////////////////////// | 
|  | // Memory & Controllers                            // | 
|  | // ROM_CTRL, RAM, FLASH, FLASH_CTRL, OTP, OTP_CTRL // | 
|  | ///////////////////////////////////////////////////// | 
|  |  | 
|  | // ROM_CTRL (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_rom_access | 
|  | desc: '''Verify that the CPU can access the rom contents. | 
|  |  | 
|  | - Verify that the CPU can fetch instructions from the ROM. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rom_ctrl_integrity_check"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rom_ctrl_integrity_check | 
|  | desc: '''Verify that the ROM ctrl performs the integrity check of the ROM on power up. | 
|  |  | 
|  | - In non-PROD LC state, the computed digest does not have to match the top 8 words in | 
|  | the ROM. Verify that we can successfully power up the chip in this case. | 
|  | - In PROD LC state, verify that the pwrmgr does not fully power up if the computed | 
|  | digest does not match the top 8 words of the ROM. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rom_ctrl_integrity_check"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rom_ctrl_kmac_error | 
|  | desc: ''' | 
|  | Verify the effect of KMAC reporting an error during ROM digest computation. | 
|  |  | 
|  | - Backdoor load a valid test ROM image and bring the DUT out of reset. | 
|  | - During the ROM checker pwrmgr FSM state, while the ROM controller is actively sending | 
|  | data to KMAC for the digest computation, glitch the KMAC app sparse FSM to trigger a | 
|  | fault. | 
|  | - Verify that KMAC returns an error signal to the ROM controller. | 
|  | - Verify that the ROM controller itself transitions to invalid state and the chip is | 
|  | effectively dead. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | // SRAM (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_sram_scrambled_access | 
|  | desc: '''Verify scrambled memory accesses to both main and retention SRAMs. | 
|  |  | 
|  | - Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already | 
|  | done by the test_rom startup code). | 
|  | - Trigger both SRAMs to fetch a new key and nonce from the OTP_CTRL | 
|  | - Drive the CPU to perform random accesses to both RAMs and verify these operations | 
|  | complete successfully by using the backdoor interface | 
|  | - Fetch a new key from the OTP_CTRL and ensure that the previous contents cannot be | 
|  | read anymore. | 
|  | - Verify the validity of EDN's output to OTP_CTRL via assertions | 
|  | (unique, non-zero data). | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sram_ctrl_scrambled_access", | 
|  | "chip_sw_sram_ctrl_scrambled_access_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sleep_sram_ret_contents | 
|  | desc: '''Verify that the data within the retention SRAM survives low power entry-exit and reset. | 
|  |  | 
|  | Ensure that the data within the retention SRAM survives as described in this table. | 
|  | |             Mode             | Scrambled | Data Preserved | | 
|  | |:----------------------------:|:---------:|:--------------:| | 
|  | |          Normal sleep        |    No     |       Yes      | | 
|  | |           Deep sleep         |    No     |       Yes      | | 
|  | | Reset due to a reset request |    No     |       Yes      | | 
|  | |          Normal sleep        |    Yes    |       Yes      | | 
|  | |           Deep sleep         |    Yes    |       Yes      | | 
|  | | Reset due to a reset request |    Yes    |       No       | | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sleep_sram_ret_contents"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sram_execution | 
|  | desc: '''Verify that CPU can fetch instructions from SRAM if enabled. | 
|  |  | 
|  | - Create the following combinations of 8 scenarios: | 
|  | - The fetch enable bit in the HW_CFG partition of OTP controller set and not set. | 
|  | - A life cycle state that enables (TEST_UNLOCKED, DEV or RMA) and disables (PROD) | 
|  | hardware debug. | 
|  | - The execution CSR programmed to be enabled and disabled. | 
|  |  | 
|  | - For both, main and the retention SRAM in each of these 8 scenarios: | 
|  | - Load instruction data into the SRAMs. | 
|  | - If the instruction execution is enabled, verify that the CPU can fetch and execute | 
|  | the instruction from the SRAM correctly. | 
|  | - If the instruction execution is not enabled, verify that the SRAM throws an error | 
|  | response via an exception handler. | 
|  |  | 
|  | The following table indicates in which of these scenarios should the instruction | 
|  | execution be enabled, for both, main and the retention SRAM instances. | 
|  |  | 
|  | | OTP HW_CFG[IFETCH] | HW_DEBUG_EN via LC state | EXEC CSR | MAIN SRAM | RET SRAM | | 
|  | |:------------------:|:------------------------:|:--------:|:---------:|:--------:| | 
|  | |          0         |             0            |     0    |  disabled | disabled | | 
|  | |          0         |             0            |     1    |  disabled | disabled | | 
|  | |          0         |             1            |     0    |  enabled  | disabled | | 
|  | |          0         |             1            |     1    |  enabled  | disabled | | 
|  | |          1         |             0            |     0    |  disabled | disabled | | 
|  | |          1         |             0            |     1    |  enabled  | disabled | | 
|  | |          1         |             1            |     0    |  disabled | disabled | | 
|  | |          1         |             1            |     1    |  enabled  | disabled | | 
|  |  | 
|  | For the retention SRAM, instruction fetch is completely disabled via design parameter. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sram_ctrl_execution_main"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sram_lc_escalation | 
|  | desc: '''Verify the LC escalation path to the SRAMs. | 
|  |  | 
|  | - Configure the LC_CTRL to trigger an escalation request to the SRAMs. | 
|  | - Verify that the SRAMs stop accepting and responding to new memory requests. | 
|  | - Reset the system to exit the terminal escalation state. | 
|  | - Re-initialize the SRAMs and verify that they can now respond correctly to | 
|  | any further memory requests. | 
|  |  | 
|  | X-ref with chip_sw_all_escalation_resets and chip_sw_data_integrity. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets", | 
|  | "chip_sw_data_integrity_escalation"] | 
|  | } | 
|  |  | 
|  | // OTP (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_otp_ctrl_init | 
|  | desc: '''Verify the OTP ctrl initialization on chip power up. | 
|  |  | 
|  | Verify that the chip powers up correctly on POR. | 
|  | - The pwrmgr initiates a handshake with OTP ctrl and later, with LC ctrl in subsequent | 
|  | FSM states. Ensure that the whole power up sequence does not hang. | 
|  | - Verify with connectivity assertion checks, the handshake signals are connected. | 
|  | - Ensure that no interrupts or alerts are triggered. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_keys | 
|  | desc: '''Verify the proliferation of keys to security peripherals. | 
|  |  | 
|  | - Verify the correctness of keys provided to SRAM ctrl (main & ret), flash ctrl, keymgr, | 
|  | (note that keymgr does not have handshake), OTBN and the CPU instruction cache. | 
|  | - Ensure that the test requests a new key and verifies the previously written | 
|  | data to an address now returns a garbage value. | 
|  |  | 
|  | X-ref'ed with the following IP tests that consume these signals: | 
|  | - chip_sw_sram_scrambled_access | 
|  | - chip_sw_flash_scramble | 
|  | - chip_sw_keymgr_key_derivation | 
|  | - chip_sw_otbn_mem_scramble | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: [// Verifies both, main and retention SRAM scrambling. | 
|  | "chip_sw_sram_ctrl_scrambled_access", | 
|  | "chip_sw_flash_init", | 
|  | "chip_sw_keymgr_key_derivation", | 
|  | "chip_sw_otbn_mem_scramble", | 
|  | "chip_sw_rv_core_ibex_icache_invalidate"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_entropy | 
|  | desc: '''Verify the entropy interface from OTP ctrl to EDN. | 
|  |  | 
|  | This is X-ref'ed with the chip_otp_ctrl_keys test, which needs to handshake with the EDN | 
|  | to receive some entropy bits before the keys for SRAM ctrl and OTBN are computed. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sram_ctrl_scrambled_access", | 
|  | "chip_sw_flash_init", | 
|  | "chip_sw_keymgr_key_derivation", | 
|  | "chip_sw_otbn_mem_scramble", | 
|  | "chip_sw_rv_core_ibex_icache_invalidate"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_program | 
|  | desc: '''Verify the program request from lc_ctrl. | 
|  |  | 
|  | - Verify that upon an LC state transition request, LC ctrl signals the OTP ctrl with a | 
|  | program request. | 
|  | - Verify that the OTP ctrl generates the LC data output correctly and is sent to the LC | 
|  | ctrl before it is reset. | 
|  | - Verify that the `lc_check_byp_en_i` from LC ctrl is set. | 
|  | - Ensure that the whole operation does not raise any interrupts or alerts or errors. | 
|  | - After reset, verify that the LC state transition completed successfully by reading the | 
|  | LC state and LC count CSRs. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_transition"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_program_error | 
|  | desc: '''Verify the otp program error. | 
|  |  | 
|  | - Initiate an illegal program request from LC ctrl to OTP ctrl by forcing the | 
|  | `lc_otp_program_i`. | 
|  | - Verify that the LC ctrl triggers an alert when the OTP ctrl responds back with a | 
|  | program error. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_program_error"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_hw_cfg | 
|  | desc: '''Verify the correctness of otp_hw_cfg bus in all peripherals that receive it. | 
|  |  | 
|  | Preload the OTP ctrl's `hw_cfg` partition with random data and verify that all | 
|  | consumers of the hardware configuration bits are receiving the correct values. | 
|  |  | 
|  | Xref'ed with corresponding IP tests that receive these bits. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_otp_hw_cfg"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_lc_signals | 
|  | desc: '''Verify the broadcast signals from LC ctrl. | 
|  |  | 
|  | - `lc_creator_seed_sw_rw_en_i`: verify that the SECRET2 partition is locked. | 
|  | - `lc_seed_hw_rd_en_i`: verify that the keymgr outputs a default value when enabled. | 
|  | - `lc_dft_en_i`: verify that the test interface within OTP ctrl is accessible. | 
|  | - `lc_check_byp_en_i`: verify that the background check during LC ctrl state | 
|  | programming passes when enabled. | 
|  |  | 
|  | Note that `lc_escalate_en_i` is verified via a connectivity test. | 
|  |  | 
|  | The `lc_seed_hw_rd_en_i` signal can be tested by attempting a keymgr advance operation | 
|  | into the CreatorRootKey state, which should fail since the root key will be tied off to | 
|  | all-zero when the SECRET2 partition is not locked in OTP. | 
|  |  | 
|  | X-ref'ed with chip_sw_lc_ctrl_broadcast test, which verifies the connectivity of the LC | 
|  | decoded outputs to other IPs. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: [ | 
|  | // lc_dft_en_i | 
|  | "chip_prim_tl_access", | 
|  | // lc_check_byp_en_i | 
|  | "chip_sw_lc_ctrl_transition", | 
|  | // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, also checks lc_keymgr_en_i since it uses | 
|  | // the keymgr. | 
|  | "chip_sw_otp_ctrl_lc_signals_test_unlocked0", | 
|  | "chip_sw_otp_ctrl_lc_signals_dev", | 
|  | "chip_sw_otp_ctrl_lc_signals_prod", | 
|  | "chip_sw_otp_ctrl_lc_signals_rma", | 
|  | ] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_prim_tl_access | 
|  | desc: '''Verify that the SW can read / write the prim tlul interface. | 
|  |  | 
|  | - The prim tlul interface is a open source placeholder for the closed source CSRs that | 
|  | will be implemented in a translation 'shim'. | 
|  | - Verify that when `lc_dft_en_i` is On, this region can be read / written to by the SW. | 
|  | When `lc_dft_en_i` is Off, accessing this region will result in a TLUL error. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_prim_tl_access"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_otp_ctrl_vendor_test_csr_access | 
|  | desc: ''' | 
|  | Verify the vendor test control access in raw, test_*, dev, prod, and rma LC states. | 
|  |  | 
|  | - Boot the chip successively in raw, test_*, dev, prod and rma LC states. | 
|  | - Verify that the SW is able to access the vendor test control and status registers in | 
|  | raw, test_* and rma LC states. | 
|  | In open source environment, this check is implemented by probing the OTP_CTRL's | 
|  | `lc_otp_vendor_test_i` port. | 
|  | - Verify that in dev / prod LC states, the vendor status always reads back 0s regardless | 
|  | of what is programmed into the vendor test control register. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: ["chip_sw_otp_ctrl_vendor_test_csr_access"] | 
|  | } | 
|  |  | 
|  | // FLASH (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_flash_init | 
|  | desc: '''Verify that flash initialization routine works correctly. | 
|  |  | 
|  | - Initialize the flash ctrl by writing 1 to the INIT register. | 
|  | - Poll the status register for the initialization to complete. | 
|  | - Verify that during the init process, the flash ctrl requested keys from OTP. Verify | 
|  | with different sets of key values programmed in OTP. | 
|  | - Verify the flash ctrl can read seeds when lc_seed_hw_rd_en is set, otherwise all 1s. | 
|  | - Verify that the flash ctrl sent the creator and owner seeds to keymgr. Verify with | 
|  | different seed values. | 
|  |  | 
|  | - This test needs to execute as a boot rom image. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_init"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_host_access | 
|  | desc: '''Verify that the flash memory contents can be read by the CPU. | 
|  |  | 
|  | Nothing extra to do here - most SW based tests fetch code from flash. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_access", | 
|  | "chip_sw_flash_ctrl_access_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_ctrl_ops | 
|  | desc: '''Verify the SW can initiate flash operations via the controller. | 
|  |  | 
|  | Verify that the CPU can read / program and erase the flash mem. Pick an operation on | 
|  | all data and info partitions. Erase both, bank and page. SW validates the reception of | 
|  | prog empty, prog level, rd full, rd level and op done interrupts. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_ops", "chip_sw_flash_ctrl_ops_jitter_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_rma_unlocked | 
|  | desc: '''Verify the flash memory contents can be accessed after in RMA unlock. | 
|  |  | 
|  | - Provision an RMA_UNLOCK token in OTP. | 
|  | - Repeat the following a few times: | 
|  | - Randomize the otp contents for device id, manufacturing state and RMA_UNLOCK token.. | 
|  | - Reset the chip. | 
|  | - Ensure chip revision, device id and manufacturing state can be read through the LC JTAG. | 
|  | - Enable RMA mode, and verify that the SW can access the flash after RMA completion. | 
|  |  | 
|  | - RMA entry should be done through the  JTAG interface. | 
|  |  | 
|  | - X-ref'ed with manuf_ft_provision_rma_token_and_personalization from the manufacturing | 
|  | testplan. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_rma_unlocked"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_scramble | 
|  | desc: '''Verify flash scrambling via the controller. | 
|  |  | 
|  | - Extends the chip_flash_init test. | 
|  | - Verify flash scrambling with different key values programmed in OTP. | 
|  | - Verify read of scrambled contents via both, controller and direct host read. | 
|  |  | 
|  | - Program a new scramble key in OTP and reboot - this time we need to backdoor load the | 
|  | flash with new test image that is re-scrambled with the new key. | 
|  | - Need to understand the bootstrapping requirements. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_init"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_idle_low_power | 
|  | desc: '''Verify flash_idle signaling to pwrmgr. | 
|  |  | 
|  | - Initiate flash program or erase over the controller. | 
|  | - Program the pwrmgr to go into deep sleep. | 
|  | - Issue a WFI. | 
|  | - Ensure that the low power entry does not happen due to the ongoing flash operation. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_idle_low_power"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_keymgr_seeds | 
|  | desc: '''Verify the creator and owner seeds are read on flash init provided lc_hw_seed_rd_en | 
|  | is set. | 
|  |  | 
|  | X-ref'ed with keymgr test. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_keymgr_key_derivation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_creator_seed_sw_rw_en | 
|  | desc: '''Verify the lc_creator_seed_sw_rw_en signal from LC ctrl. | 
|  |  | 
|  | - Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify | 
|  | that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW | 
|  | accessibility of the corresponding partition depending on the signal value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_lc_rw_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_creator_seed_wipe_on_rma | 
|  | desc: '''Verify that the creator seed is wiped by the flash ctrl on RMA entry. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_rma_unlocked"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_owner_seed_sw_rw_en | 
|  | desc: '''Verify the lc_owner_seed_sw_rw_en signal from LC ctrl. | 
|  |  | 
|  | - Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify | 
|  | that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW | 
|  | accessibility of the corresponding partition depending on the signal value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_lc_rw_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_iso_part_sw_rd_en | 
|  | desc: '''Verify the lc_iso_part_sw_rd_en signal from LC ctrl. | 
|  |  | 
|  | - Transition from DEV to PROD to ESCALATION/SCRAP state via OTP and verify | 
|  | that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW | 
|  | accessibility of the corresponding partition depending on the signal value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_lc_rw_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_iso_part_sw_wr_en | 
|  | desc: '''Verify the lc_creator_seed_sw_wr_en signal from LC ctrl. | 
|  |  | 
|  | - Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify | 
|  | that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW | 
|  | accessibility of the corresponding partition depending on the signal value. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_lc_rw_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_seed_hw_rd_en | 
|  | desc: '''Verify the lc_seed_hw_rd_en signal from LC ctrl. | 
|  |  | 
|  | - Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify | 
|  | that this LC signal transitions from 0 to 1 and back to 0. Verify that the flash ctrl | 
|  | does (or does not) read the creator and owner partitions to fetch the seeds for the | 
|  | keymgr. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_lc_rw_en"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_lc_escalate_en | 
|  | desc: '''Verify the lc_escalate_en signal from LC ctrl. | 
|  |  | 
|  | - Trigger an LC escalation signal by generating an alert. | 
|  | - Verify that all flash accesses are disabled when the escalation kicks in. | 
|  | - Confirm flash accesses are disabled by erroing if the device executes the ISR. | 
|  | - Use assertion based connectivity check to prove that this signal is connected to the | 
|  | flash ctrl. | 
|  |  | 
|  | X-ref with chip_sw_all_escalation_resets. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_all_escalation_resets"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_prim_tl_access | 
|  | desc: '''Verify that the SW can read / write the prim tlul interface in flash phy. | 
|  |  | 
|  | - The prim tlul interface is a open source placeholder for the closed source CSRs that | 
|  | will be implemented in a translation 'shim'. | 
|  | - Verify that this region can be read / written to by the SW in any LC state. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_prim_tl_access"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_flash_ctrl_clock_freqs | 
|  | desc: '''Verify flash program and erase operations over the ctrl over a range of clock freqs. | 
|  |  | 
|  | - Enable jitter on the clock while performing erase, write and read operations | 
|  | to the flash. | 
|  | - This sets the test for closed source where the flash access timing matters. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_flash_ctrl_clock_freqs"] | 
|  | } | 
|  |  | 
|  | //////////////////////// | 
|  | // Analog Peripherals // | 
|  | // AST, SENSOR_CTRL   // | 
|  | //////////////////////// | 
|  |  | 
|  | // AST (pre-verified IP) integration tests: | 
|  | { | 
|  | name: chip_sw_ast_clk_outputs | 
|  | desc: '''Verify that the AST generates the 4 clocks when requested by the clkmgr. | 
|  |  | 
|  | Verify the clock frequencies are reasonably accurate. Bring the chip to deep sleep, | 
|  | and verify that upon wakeup reset the clock counters are turned off, measure ctrl | 
|  | regwen is enabled, and errors are not cleared. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_ast_clk_outputs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_ast_clk_rst_inputs | 
|  | desc: '''Verify the clk and rst inputs to AST (from `clkmgr`). | 
|  |  | 
|  | Create different scenarios that affect the clocks and resets and see that the AST features | 
|  | (RNG, entropy, alert, ADC) that use those clocks/resets behave correctly. | 
|  | sequence: | 
|  | 1. Check that AST RNG generates data and fills the entropy source fifo | 
|  | 2. Create AST alerts | 
|  | 3. Activate ADC conversion | 
|  | 4. EDN entropy supply to AST | 
|  | Enter sleep/deep sleep/ stop IO/USB clocks | 
|  | Repeat 1-4 to check it is ok. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_ast_clk_rst_inputs"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_ast_sys_clk_jitter | 
|  | desc: '''Verify that the AST sys clk jitter control. | 
|  |  | 
|  | X-ref with chip_sw_clkmgr_jitter | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_clkmgr_jitter", | 
|  | "chip_sw_flash_ctrl_ops_jitter_en", | 
|  | "chip_sw_flash_ctrl_access_jitter_en", | 
|  | "chip_sw_otbn_ecdsa_op_irq_jitter_en", | 
|  | "chip_sw_aes_enc_jitter_en", | 
|  | "chip_sw_hmac_enc_jitter_en", | 
|  | "chip_sw_keymgr_key_derivation_jitter_en", | 
|  | "chip_sw_kmac_mode_kmac_jitter_en", | 
|  | "chip_sw_sram_ctrl_scrambled_access_jitter_en", | 
|  | "chip_sw_edn_entropy_reqs_jitter"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_ast_usb_clk_calib | 
|  | desc: '''Verify the USB clk calibration signaling. | 
|  |  | 
|  | - First place the AST into a mode where usb clock frequency significantly deviates from | 
|  | the ideal. | 
|  | - Verify the clock is "off" using the clkmgr measurement mechanism. | 
|  | - Then, turn on the usb sof calibration machinery and wait a few mS. | 
|  | - Afterwards, measure the usb clock again using the clkmgr measurement controls, at this | 
|  | point the clock should be significantly more accurate. | 
|  | - Note, while the above is ideal, usbdev chip level testing is not yet ready and this | 
|  | test fakes the usb portion through DV forces. | 
|  | - Note also the real AST calibration logic is not available, so the sof testing in the | 
|  | open source is effectively short-circuited. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_usb_ast_clk_calib"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_ast_alerts | 
|  | desc: '''Verify the alerts from AST aggregating into the sensor_ctrl. | 
|  |  | 
|  | X-ref'ed with `chip_sensor_ctrl_ast_alerts`. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sensor_ctrl_alert"] | 
|  | } | 
|  |  | 
|  | // SENSOR_CTRL tests: | 
|  | { | 
|  | name: chip_sw_sensor_ctrl_ast_alerts | 
|  | desc: '''Verify the alerts from AST aggregating into the sensor_ctrl. | 
|  |  | 
|  | Check that AST events can be triggered from sensor_ctrl and that | 
|  | the resulting AST outputs are observed in both sensor_ctrl and | 
|  | the alert_handler. | 
|  |  | 
|  | For the alert handler case, make sure to test each alert configured | 
|  | as either recoverable or fatal. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup", | 
|  | "chip_sw_sensor_ctrl_alert"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_sensor_ctrl_ast_status | 
|  | desc: '''Verify the io power ok status from AST. | 
|  |  | 
|  | Check that when the IO POK status changes, an interrupt is triggered | 
|  | from sensor_ctrl.  After triggering, the IO status can be read | 
|  | from a sensor_ctrl register. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_sensor_ctrl_status"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup | 
|  | desc: '''Verify the sensor control is able to wake the device | 
|  | from sleep mode when an alert event is triggered from | 
|  | AST. X-ref'ed chip_sw_pwrmgr_sleep_all_wake_ups. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup"] | 
|  | } | 
|  |  | 
|  | ////////////////// | 
|  | // CPU          // | 
|  | // RV_CORE_IBEX // | 
|  | ////////////////// | 
|  |  | 
|  | { | 
|  | name: chip_sw_nmi_irq | 
|  | desc: '''Verify the NMI interrupt to the CPU and correctness of the cause. | 
|  |  | 
|  | Randomly use these two methods (simultaneously or choose one of them) to trigger the | 
|  | NMI interrupt: | 
|  | - Trigger the alert_handler escalation pair that maps to NMI. | 
|  | - Trigger a watchdog bark. | 
|  |  | 
|  | Check rv_core_ibex's NMI interrupt register and clear the interrupt. | 
|  | If the NMI interrupt is triggered by alert_handle and the `class_clr_regwen` register | 
|  | is not locked, check that alert_handler can clear this NMI escalation stage. Then make | 
|  | sure that the alert_handler won't move forward to the next escalation stage. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_core_ibex_nmi_irq"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_rnd | 
|  | desc: '''Verify the functionality of the random number generation CSRs. | 
|  |  | 
|  | - Enable entropy complex so `RND_DATA` can get entropy. | 
|  | - Perform multiple reads from `RND_DATA` polling `RND_STATUS` in | 
|  | between to only read valid data. Check different random bits | 
|  | are provided each time and that the random data is never zero or all ones. | 
|  | - Ensure `RND_STATUS` indicate invalid data immediately after | 
|  | `RND_DATA` read. | 
|  | - Perform repeated reads from `RND_DATA` without `RND_STATUS` | 
|  | polling to check read when invalid doesn't block. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_core_ibex_rnd"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_address_translation | 
|  | desc: '''Verify the simple address translation functionality. | 
|  |  | 
|  | - Setup address translation for both slots on the the I and D | 
|  | side and check correct translation for I and D accesses. | 
|  | - Switch address translation to use different regions that | 
|  | overlap for both slots and check translation again. Ensure some | 
|  | test accesses match both regions, where the lowest indexed one | 
|  | takes priority. | 
|  | - Turn off address translation and confirm regions are no longer | 
|  | being remapped. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_core_ibex_address_translation"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_icache_scrambled_access | 
|  | desc: '''Verify scrambled memory accesses to CPU icache. | 
|  |  | 
|  | - Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already | 
|  | done by the test_rom startup code). | 
|  | - Execute the `fence` instruction to invalidate the icache. | 
|  | - Verify using probes, that this resulted in a new scrambling key fetched from the OTP | 
|  | ctrl. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rv_core_ibex_icache_invalidate"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_fault_dump | 
|  | desc: '''Verify the functionality of the ibex fault dump. | 
|  |  | 
|  | - Purposely create an ibex exception during execution through reads to an ummapped | 
|  | address. | 
|  | - Ensure the rstmgr fault dump correctly captures the related addresses to the | 
|  | exception. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_cpu_info"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_double_fault | 
|  | desc: '''Verify the functionality of the ibex double fault dump. | 
|  |  | 
|  | - Purposely create an ibex double exception during execution, by performing an | 
|  | unmapped read and in the exception handler perform another unmapped read. | 
|  | - Ensure the rstmgr fault dump correctly captures both dumps correctly and indicates | 
|  | the previous dump is valid. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_rstmgr_cpu_info"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_lockstep_glitch | 
|  | desc: '''Verify lockstep checking of the Ibex core. | 
|  |  | 
|  | Ensure suitable alerts are triggered when: | 
|  | - Outputs from the lockstep or the main core are corrupted. | 
|  | - Inputs into the lockstep core are corrupted. | 
|  | ''' | 
|  | stage: V2S | 
|  | tests: ["chip_sw_rv_core_ibex_lockstep_glitch"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rv_core_ibex_alerts | 
|  | desc: '''Inject and verify all available faults in rv_core_ibex / ibex_top. | 
|  |  | 
|  | Inject faults in the following areas and verify the alert is fired leading to an | 
|  | escalation. | 
|  |  | 
|  | - Bus integrity error on the data and instruction TL interface (on the response channel) | 
|  | - PC mismatch fault | 
|  | - ECC error in the register file | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  |  | 
|  | //////////////////////////// | 
|  | // System level scenarios // | 
|  | //////////////////////////// | 
|  | { | 
|  | name: chip_sw_example_tests | 
|  | desc: '''Provide example tests for different testing scenarios / needs. | 
|  |  | 
|  | These tests do not verify the hardware. They are meant to serve as a guide for | 
|  | developing actual tests under different testing scenarios. These example tests | 
|  | demonstrate the capabilities of the DV infrastructure which enables these scenarios: | 
|  |  | 
|  | 1. Implement test in the ROM stage itself | 
|  | 2. Implement test in the flash stage, using test ROM | 
|  | 3. Implement test in the flash stage, using production ROM | 
|  | 4. Enable external maufacturer hooks in existing tests developed in the open source | 
|  | 5. Enable concurrent threads in tests | 
|  | ''' | 
|  | stage: V1 | 
|  | tests: ["chip_sw_example_rom", | 
|  | "chip_sw_example_flash", | 
|  | "chip_sw_uart_smoketest_signed", | 
|  | "chip_sw_example_manufacturer", | 
|  | "chip_sw_example_concurrency" | 
|  | ] | 
|  | } | 
|  | { | 
|  | name: chip_sw_smoketest | 
|  | desc: '''Run smoke tests developed for each IP. | 
|  |  | 
|  | The smoke tests are developed by the SW team to test each IP is | 
|  | alive, and can be actuated by the DIF. We need to ensure that they | 
|  | work in DV as well. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_aes_smoketest", | 
|  | "chip_sw_aon_timer_smoketest", | 
|  | "chip_sw_clkmgr_smoketest", | 
|  | "chip_sw_csrng_smoketest", | 
|  | "chip_sw_entropy_src_smoketest", | 
|  | "chip_sw_gpio_smoketest", | 
|  | "chip_sw_hmac_smoketest", | 
|  | "chip_sw_kmac_smoketest", | 
|  | "chip_sw_otbn_smoketest", | 
|  | "chip_sw_otp_ctrl_smoketest", | 
|  | "chip_sw_pwrmgr_smoketest", | 
|  | "chip_sw_pwrmgr_usbdev_smoketest", | 
|  | "chip_sw_rv_plic_smoketest", | 
|  | "chip_sw_rv_timer_smoketest", | 
|  | "chip_sw_rstmgr_smoketest", | 
|  | "chip_sw_sram_ctrl_smoketest", | 
|  | "chip_sw_uart_smoketest", | 
|  | ] | 
|  | } | 
|  | { | 
|  | name: chip_sw_rom_functests | 
|  | desc: '''Run some ROM functional tests with test ROM. | 
|  |  | 
|  | ROM functional tests test ROM drivers and libraries by exercising | 
|  | these components in the flash stage, launched via the test ROM. They | 
|  | primarily are tested on the FPGA, however, we ensure they run in DV | 
|  | as well. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["rom_keymgr_functest"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_signed | 
|  | desc: '''Run some chip-level tests with ROM. | 
|  |  | 
|  | In addition to ROM E2E tests, we select at least one (or a few) | 
|  | tests defined in this file to sign, and run via ROM instead of | 
|  | test ROM. We need to ensure our test infrastructure and ROM can | 
|  | boot and run one (or a few) of the same tests our test ROM can. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_uart_smoketest_signed"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_coremark | 
|  | desc: '''Run the coremark benchmark on the full chip.''' | 
|  | stage: V3 | 
|  | tests: ["chip_sw_coremark"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_boot | 
|  | desc: '''Verify the full flash image download with bootstrap signal set. | 
|  |  | 
|  | - SW puts the SPI device in firmware mode | 
|  | - Load a firmware image (bootstrap) through spi input pin to the spi_device memory. | 
|  | - SW verifies the integrity of the image upon reception by reading the spi_device | 
|  | memory. | 
|  | - Ensure the image is executed correctly | 
|  |  | 
|  | Note: This flow will be replaced by using spi_device flash mode. | 
|  | For detail, refer to chip_spi_device_flash_mode | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_uart_tx_rx_bootstrap"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_secure_boot | 
|  | desc: '''Verify the secure boot flow. | 
|  |  | 
|  | X-ref rom_e2e_smoke. | 
|  | In reality this can be any rom based test, which requires secure boot. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["rom_e2e_smoke"] | 
|  | } | 
|  | { | 
|  | name: chip_lc_scrap | 
|  | desc: '''Ensure it is possible to enter scrap state from every legal life cycle state. | 
|  |  | 
|  | -  Request transition to SCRAP state using the JTAG interface. | 
|  | -  It should be possible to transition from every legal state using external clock. | 
|  | -  Where it is allowed, transition using internal clocks should also be checked. | 
|  | -  After transition, verify that the device is in SCRAP state through LC read. | 
|  | -  Verify while in SCRAP state: | 
|  | - RV JTAG interface is unavailable. | 
|  | - Ibex is not executing. | 
|  | - RV_DM is unreachable by the stub CPU. | 
|  |  | 
|  | - X-ref'd with manuf_scrap from the manufacturing testplan. | 
|  | - X-ref'd with chip_lc_test_locked. | 
|  | - X-ref'd with chip_tap_strap_sampling | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_ctrl_rand_to_scrap", | 
|  | "chip_sw_lc_ctrl_raw_to_scrap", | 
|  | "chip_sw_lc_ctrl_rma_to_scrap", | 
|  | "chip_sw_lc_ctrl_test_locked0_to_scrap"] | 
|  | } | 
|  | { | 
|  | name: chip_lc_test_locked | 
|  | desc: '''Transition from TEST_UNLOCKED to TEST_LOCKED using LC JTAG interface. | 
|  |  | 
|  | -  Check in TEST_UNLOCKED RV JTAG interface is available. | 
|  | -  Verify When in TEST_LOCKED state: | 
|  | - RV JTAG interface is unavailable. | 
|  | - Ibex is not executing. | 
|  | - RV_DM is unreachable by the stub CPU. | 
|  |  | 
|  | - X-ref'd with manuf_cp_test_lock from the manufacturing testplan. | 
|  | - X-ref'd with chip_lc_scrap. | 
|  | - X-ref'd with chip_tap_strap_sampling | 
|  | - X-ref'd with chip_sw_lc_walkthrough | 
|  | - X-ref'd with chip_rv_dm_lc_disabled | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_walkthrough_testunlocks", | 
|  | "chip_rv_dm_lc_disabled"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_lc_walkthrough | 
|  | desc: '''Walk through the life cycle stages from RAW state and reseting the chip each time. | 
|  |  | 
|  | - Pre-load OTP image with RAW lc_state. | 
|  | - Initiate the LC transition to one of the test unlock state. | 
|  | - Program test_unlock_token, test_exit_token, rma_unlock_token into OTP partitions. | 
|  | - Move forward to next valid LC states via JTAG interface or SW interface if CPU is | 
|  | enabled. | 
|  | Verify that the features that should indeed be disabled are indeed disabled. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_lc_walkthrough_dev", | 
|  | "chip_sw_lc_walkthrough_prod", | 
|  | "chip_sw_lc_walkthrough_prodend", | 
|  | "chip_sw_lc_walkthrough_rma", | 
|  | "chip_sw_lc_walkthrough_testunlocks"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_power_max_load | 
|  | desc: '''Concurrency test modeling maximum load conditions. | 
|  |  | 
|  | This concurrency test runs multiple blocks at the same time, to simulate | 
|  | maximum load ("power virus test"). Should be combined with low power | 
|  | entry and exit scenarios. | 
|  |  | 
|  | The test should be made configurable so that the type of power state and | 
|  | the time spent in a particular power state can be configured via a | 
|  | flag (or similar). This will make it easier to reuse the test for power | 
|  | simulation and characterization later on. | 
|  |  | 
|  | The test should set a GPIO (mapped to the IOA2 pin) to high while the power | 
|  | state of interest is active. | 
|  |  | 
|  | Blocks / functionality to run simulatenously in this test: | 
|  |  | 
|  | - The ADC is continuously sampling new data | 
|  | - Staggered activation of OTBN, aes, KMAC/HMAC. | 
|  | - KMAC / aes would need to take turns being fed data | 
|  | - KMAC activation should be a combination of otp background, key | 
|  | manager background and software | 
|  | - for OTBN, any signature verification / signing event is sufficient | 
|  | - Entropy complex ongoing | 
|  | - reseed / update operation ongoing | 
|  | - Flash scramble ongoing (ideally both instruction and data, but data should be sufficient | 
|  | for now) | 
|  | - instruction scrambling gated by script availability | 
|  | - Simultaneous IO toggling as defined below | 
|  | - ideally for digital activity, 3xUART / I2C modules should be activated | 
|  | - for first pass simplicity can activate IO portion only for now through GPIO | 
|  | - for dedicated pins, focus on SPI device quad activity | 
|  | - USB activity should be activated | 
|  | - for first pass simplicity activate IO portion only for now via pin forcing in usbdev. | 
|  | - Ongoing cpu activity (icache / SRAM scrambling both activated) | 
|  | - servicing ongoing threads and random read/write data to memory | 
|  | - icache needs to be activated, otherwise the system may spend most of its time fetching | 
|  | code | 
|  | - Background checks enabled wherever possible | 
|  | - rstmgr background checks | 
|  | - alert_handler ping checks | 
|  | - OTP background checks | 
|  | - The test should be run both with / without external clock | 
|  |  | 
|  | This test should leverage the OTTF test framework for supporting | 
|  | concurrency in a FreeRTOS environment. See also the design docs linked | 
|  | in #14095 for more details on how to approach the implementation. | 
|  | ''' | 
|  | stage: V3 | 
|  | tests: [] | 
|  | } | 
|  | { | 
|  | name: chip_sw_power_idle_load | 
|  | desc: '''Concurrency test modeling load conditions in idle state | 
|  |  | 
|  | This concurrency test models an average idle scenarios. | 
|  |  | 
|  | The test should be made configurable so that the type of power state and | 
|  | the time spent in a particular power state can be configured via a | 
|  | flag (or similar). This will make it easier to reuse the test for power | 
|  | simulation and characterization later on. | 
|  |  | 
|  | The test should set a GPIO (mapped to the IOA2 pin) to high while the power | 
|  | state of interest is active. | 
|  |  | 
|  | The test should cover the following scenarios: | 
|  |  | 
|  | - Processor polls for nmi interrupt | 
|  | - Background checks enabled wherever possible | 
|  | - rstmgr background checks | 
|  | - alert_handler ping checks | 
|  | - OTP background checks | 
|  | - Timers (regular and AON) are active | 
|  | - Check whether transactional clocks should be enabled or disabled | 
|  | - Check whether PWM should be active | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_power_idle_load"] | 
|  | } | 
|  | { | 
|  | name: chip_sw_power_sleep_load | 
|  | desc: '''Concurrency test modeling load conditions in idle state | 
|  |  | 
|  | This concurrency test models average sleep scenarios. | 
|  |  | 
|  | The test should be made configurable so that the type of power state and | 
|  | the time spent in a particular power state can be configured via a | 
|  | flag (or similar). This will make it easier to reuse the test for power | 
|  | simulation and characterization later on. | 
|  |  | 
|  | The test should cover the following scenarios: | 
|  |  | 
|  | - System can be in deep or light sleep | 
|  | - The system has the following AON / IO activity: | 
|  | - aon_timer active | 
|  | - adc_ctrl active in low power mode | 
|  | - TBD: check whether sysrst_ctrl and pinmux wakeup detectors should be active | 
|  | - TBD: check whether PWM should be active | 
|  |  | 
|  | This test should leverage the OTTF test framework for supporting | 
|  | concurrency in a FreeRTOS environment. See also the design docs linked | 
|  | in #14095 for more details on how to approach the implementation. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_power_sleep_load"] | 
|  | } | 
|  |  | 
|  | { | 
|  | name: chip_sw_exit_test_unlocked_bootstrap | 
|  | desc: '''End to end test to ensure rom boot strap can be performed after | 
|  | transitioning from TEST states to PROD staets. . | 
|  |  | 
|  | - Pre-load the device into TEST_UNLOCKED state and ROM_EXEC_EN = 0. | 
|  | - In the same power cycle, advance device to PROD, PROD_END or DEV through LC JTAG request and | 
|  | set ROM_EXEC_EN in OTP to logically true. | 
|  | - Reboot the device and perform boot strap of a simple image, (e.g Hello World). | 
|  | - Ensure boot strap succeeds. | 
|  |  | 
|  | X-ref'ed with manuf_ft_exit_token from manufacturing test plan. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_exit_test_unlocked_bootstrap"] | 
|  | } | 
|  |  | 
|  | { | 
|  | name: chip_sw_inject_scramble_seed | 
|  | desc: '''End to end test to ensure boot strap can succeed after injecting scramble seeds. | 
|  |  | 
|  | - Pre-load the device into PROD, PROD_END or DEV state. | 
|  | - Backdoor load an unscrambled value into flash isolated partition. | 
|  | - In the test program, populate the scramble seeds (flash / sram). | 
|  | - In the test program, populate OTP entries to inform ROM to scramble flash upon next boot. | 
|  | - Reboot the device and perform boot strap of the same test image, ROM should now program | 
|  | the flash image with scramble enabled. | 
|  | - Upon successful boot strap, ROM jumps to the newly programmed image and de-scrambles the | 
|  | instructions. | 
|  | - In the test program, check whether the OTP partition containing the scramble seeds is | 
|  | locked. Also check that the unscrambled value progarmmed into flash isolated partition | 
|  | can be correctly read back when the region is set to scramble disable. | 
|  | - If either of the above checks is incorrect, return error. | 
|  |  | 
|  |  | 
|  | X-ref'ed with manuf_ft_sku_individualization from manufacturing test plan. | 
|  | ''' | 
|  | stage: V2 | 
|  | tests: ["chip_sw_inject_scramble_seed"] | 
|  | } | 
|  | ] | 
|  | } |