Google Git
Sign in
opensecura / 3p / lowrisc / opentitan / refs/heads/master / . / hw / top_earlgrey / data / chip_testplan.hjson
blob: 4882693e249009f69d719c32adb0f322beb40aa2 [file] [log] [blame] [edit]
// Copyright lowRISC contributors.
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
{
name: "chip"
// TODO: remove the common testplans if not applicable
import_testplans: ["hw/dv/tools/dvsim/testplans/csr_testplan.hjson",
// TODO #5484, comment these 2 lines out because spi host memory is dummy
// "hw/dv/tools/dvsim/testplans/mem_testplan.hjson",
// Integrity error is tested in a SW test.
"hw/dv/tools/dvsim/testplans/tl_device_access_types_wo_intg_testplan.hjson",
"hw/ip/tlul/data/tlul_testplan.hjson",
"sw/device/silicon_creator/rom/data/rom_e2e_testplan.hjson",
"hw/top_earlgrey/data/chip_conn_testplan.hjson"]
testpoints: [
///////////////////////////////////////////////////////////////////////////
// IO Peripherals //
// UART, GPIO, I2C, SPIDEV, SPIHOST, USB, PINMUX & PADCTRL, PATTGEN, PWM //
///////////////////////////////////////////////////////////////////////////
// UART (pre-verified IP) integration tests:
{
name: chip_sw_uart_tx_rx
desc: '''Verify transmission of data over the TX and RX port.
SW test sends a known payload over the TX port. The testbench, at the same time
sends a known payload over RX. On reception, both payloads are checked for integrity.
SW validates the reception of TX watermark, RX watermark, and the TX empty interrupts.
Choosing the max supported baud rate for the UART is sufficient.
Verify each UART instance at the chip level independently. Verify there is no aliasing
on all UART ports across the instances.
'''
stage: V1
tests: ["chip_sw_uart_tx_rx"]
tags: ["gls"]
}
{
name: chip_sw_uart_rx_overflow
desc: '''Verify the RX overflow interrupt.
The testbench sends a random payload of size greater than the RX fifo size (32). The SW
ignores the received the data to allow the RX overflow interrupt to assert.
Verify each UART instance at the chip level independently. Verify there is no aliasing
on all UART ports across the instances.
'''
stage: V1
tests: ["chip_sw_uart_tx_rx", "chip_sw_uart_tx_rx_idx1", "chip_sw_uart_tx_rx_idx2",
"chip_sw_uart_tx_rx_idx3"]
}
{
name: chip_sw_uart_rand_baudrate
desc: '''Verify UART transmission of data at various speeds.
Randomly pick one of the UART instances and configure it to run with any of these baud
rates - 9600bps, 115200bps, 230400bps, 128Kbps, 256Kbps, 1Mkbps, 1.5Mkbps.
'''
stage: V1
tests: ["chip_sw_uart_rand_baudrate"]
}
{
name: chip_sw_uart_tx_rx_alt_clk_freq
desc: '''Verify the transmission of UART via using external clock as uart core clock.
Extend from chip_sw_uart_rand_baudrate with following added settings.
- Configure LC to RMA state, so that it allows clkmgr to use external clock.
- Configure clkmgr to select external clock.
- Randomize `HI_SPEED_SEL`, so that uart core clock frequency can be either
ext_clk_freq / 4 or ext_clk_freq / 2.
'''
stage: V1
tests: ["chip_sw_uart_tx_rx_alt_clk_freq", "chip_sw_uart_tx_rx_alt_clk_freq_low_speed"]
}
// GPIO (pre-verified IP) integration tests:
{
name: chip_sw_gpio_out
desc: '''Verify GPIO outputs.
SW test configures the GPIOs to be in the output mode. The test walks a 1 through the
pins. The testbench checks the value for correctness and verifies that there is no
aliasing between the pins.
'''
stage: V1
tests: ["chip_sw_gpio"]
}
{
name: chip_sw_gpio_in
desc: '''Verify GPIO inputs.
The SW test configures the GPIOs to be in input mode. The testbench walks a 1 through
the pins. SW test ensures that the GPIO values read from the CSR is correct.
'''
stage: V1
tests: ["chip_sw_gpio"]
}
{
name: chip_sw_gpio_irq
desc: '''Verify GPIO interrupts.
The SW test configures the GPIOs to be in input mode and enables all of them to generate
an interrupt. The testbench walks a 1 through the pins. SW test ensures that the
interrupt corresponding to the right pin is seen.
'''
stage: V1
tests: ["chip_sw_gpio"]
}
// SPI_DEVICE (pre-verified IP) integration tests:
{
name: chip_sw_spi_device_tx_rx
desc: '''Verify the transmission of data on the chip's SPI device port in firmware mode with
single mode.
- The testbench sends a known payload over the chip's SPI device input port.
- The SW test, at the same time sends a known payload out over the chip's SPI device
output port.
- On reception, both payloads are checked for integrity.
- SW validates the reception of RX fifo full, RX fifo over level, TX fifo under level,
RX overflow and TX underflow interrupts.
- Run with min (6MHz), typical (30-48Mhz) and max(48MHz) SPI clk frequencies.
should use
- Also, ensure that the spi_device does not receive transactions when the csb is high.
- TODO, consider to test this mode with a real use case. The actual use case of this
mdoe is not clear right now.
'''
stage: V2
tests: ["chip_sw_spi_device_tx_rx"]
}
{
name: chip_sw_spi_device_flash_mode
desc: '''Verify the SPI device in flash mode.
- SW puts the SPI device in flash mode
- Load a firmware image (bootstrap) through flash commands to the spi_device memory.
- SW verifies the integrity of the image upon reception by reading the spi_device
memory.
- Ensure the image is executed correctly
'''
stage: V2
tests: ["chip_sw_uart_tx_rx_bootstrap"]
}
{
name: chip_sw_spi_device_pass_through
desc: '''Verify the pass through mode from an end-to-end perspective.
- Configure the SPI device and host in pass through mode.
- Program the cmd_filter_* CSRs to filter out random commands.
- Configure and enable both spi_host0 and spi_host1
- Send a random flash commands over the SPI device interface (chip IOs) from the
testbench.
- Verify the flash commands which pass through spi_host0, are received on chip IOs.
- Verify that only the payloads that are not filtered show up on the SPI host interface
at chip IOs.
- Verify spi_host1 doesn't send out any data from spi_device
- Run with min (6MHz), typical (24Mhz) and max (30MHz) SPI clk frequencies.
- Run with single, dual and quad SPI modes.
- Testbench should test the following commands:
- Read Normal, Fast Read, Fast Dual, Fast Quad, Chip Erase, Program
'''
stage: V2
tests: ["chip_sw_spi_device_pass_through"]
}
{
name: chip_sw_spi_device_pass_through_flash_model
desc: '''Verify the command filtering mechanism in passthrough mode.
- Extend the chip_spi_device_pass_through test.
- Connect with a real flash model on spi_host
- Verify that the flash commands are received and interpreted correctly in the flash
model
'''
stage: V3
tests: []
}
{
name: chip_sw_spi_device_pass_through_collision
desc: '''Verify the collisions on driving spi_host is handled properly.
- Enable upload related interrupts and configure the spi_device in passthrough mode.
- Configure a command slot to enable upload for a flash program/erase command.
- Excecute two parallel threads:
1. SPI host agent.
- Send this command via an upstream SPI host agent, then the agent keeps sending
read_status to poll the busy bit.
- When the busy bit is low, issue a read command to read data from the downstream
SPI port, and check data correctness.
2. A SW process.
- SW receives an upload interrupt and reads the command in the upload fifo to check.
- SW configures the SPI host that shows the same downstream port, to send the
uploaded command to the downstream SPI port.
- SW clears busy bit to allow the upstream SPI host to proceed to the next command.
'''
stage: V2
tests: ["chip_sw_spi_device_pass_through_collision"]
}
{
name: chip_sw_spi_device_tpm
desc: '''Verify the basic operation of the spi tpm mode.
- The testbench sends a known payload over the chip's SPI device tpm input port.
- The testbench sends a read command.
- The software test should playback the data received in the write command as the read
response.
- The testbench should check if the written and read data match.
'''
stage: V2
tests: ["chip_sw_spi_device_tpm"]
}
// SPI_HOST (pre-verified IP) integration tests:
{
name: chip_sw_spi_host_tx_rx
desc: '''Verify the transmission of data on the chip's SPI host port.
- Program the SPI host to send a known payload out of the chip on the SPI host ports.
- The testbench receives the payload and plays it back to the SPI host interface.
- The SW verifies the sent payload matches the read response and services SPI event
interrupts.
- Run with min and max SPI clk frequencies and with single, dual and quad SPI modes.
Verify all SPI host instances in the chip.
'''
stage: V2
tests: ["chip_sw_spi_host_tx_rx"]
}
// I2C (pre-verified IP) integration tests:
{
name: chip_sw_i2c_host_tx_rx
desc: '''Verify the transmission of data over the chip's I2C host interface.
- Program the I2C to be in host mode.
- The SW test writes a known payload over the chip's I2C host interface, which is
received by the testbench.
- The testbench then loops this data back to the chip's I2C host and exercises the
read interface.
- SW validates the reception of FMT watermark and trans complete interrupts.
- SW validates that the data read matches the original data written.
- Verify the virtual / true open drain capability.
Verify all instances of I2C in the chip.
'''
stage: V2
tests: ["chip_sw_i2c_host_tx_rx",
"chip_sw_i2c_host_tx_rx_idx1",
"chip_sw_i2c_host_tx_rx_idx2"]
}
{
name: chip_sw_i2c_device_tx_rx
desc: '''Verify the transmission of data over the chip's I2C device interface.
- Program the I2C to be in device mode.
- The testbench writes a known payload over the chip's I2C device interface, which is
received and verified by the SW test for correctness.
- The testbench reads and verifies a known payload over the chip's I2C device interface,
- SW validates the reception of tx empty and trans complete interrupts.
- Verify the virtual / true open drain capability.
Verify all instances of I2C in the chip.
'''
stage: V2
tests: ["chip_sw_i2c_device_tx_rx"]
}
// USB (pre-verified IP) integration tests:
{
name: chip_sw_usb_fs_tx_rx
desc: '''Verify the transmission of single-ended data over the USB at full speed. As a part of
this test, the enablement of USB pullup is also expected to be verified.
- Set `tx_differential_mode` to single-ended and `rx_differential_mode` to
differential. The other modes are not supported in OpenTitan.
- configure Link state to `Active`.
- Send and receive packets to fill the entire buffer. Ensure all the packets are
correct.
- Check interrupts (connected, pkt_received, pkt_sent, av_empty, rx_full) are triggered
correcly.
'''
stage: V3
tests: []
}
{
name: chip_sw_usb_vbus
desc: '''Verify that the USB device can detect the presence of VBUS from the USB host.
- This test extends from `chip_usb_fs_df_tx_rx`, add below at the end of the sequence.
- VBUS is controlled by SW, through programming CSRs (`override_pwr_sense_en` and
`override_pwr_sense_val`) to connect / disconnect the USB.
- Disconnect the USB to trigger `disconnected` interrupt.
- Then reconnect it and check the `connected` interrupt.
- Re-enable data transfer and ensure data correctness.
- Observe valid reference pulse usb_ref_val/pulse_o.
'''
stage: V3
tests: []
}
{
name: chip_sw_usb_suspend
desc: '''Verify that the USB device can detect the presence of VBUS from the USB host.
- This test extends from `chip_usb_fs_df_tx_rx`, add below at the end of the sequence.
- Configure USB device to enter `Suspend` state and ensure `link_suspend` interrupt is
triggered.
- Test these 2 power modes.
- Normal sleep:
- Configure pwrmgr to enter normal sleep mode, then clocks are disable while powers
are kept on.
- Resume the device through pinmux and check the `link_resume` interrupt.
- Ensure that previously enumerated information is kept.
- Deep sleep:
- Before entering deep sleep, store previously enumerated information in retention
RAM. (optional)
- Configure pwrmgr to enter deep sleep mode, and powers are turned off.
- Resume the device through pinmux and check the `link_resume` interrupt.
- Ensure that previously enumerated information and configuration (non-default
values) are wiped, as USB has been reset before wakeup.
- Restore previously enumerated information (if it's stored) or re-enumerate the
USB.
- Re-enable data transfer and ensure data correctness.
'''
stage: V3
tests: []
}
{
name: chip_usb_sof
desc: '''Verify that USB can detect SOF and respond with `usb_ref_pulse_o` and
`usb_ref_val_o`.
- Configure to enable `usb_ref_disable`.
- Send a frame with the same frame number as the USB device to trigger `frame`
interrupt.
- Ensure `usb_ref_pulse_o` and `usb_ref_val_o` behave correctly.
- Stop sending any frame and check the `host_lost` interrupt. Ensure `use_ref_*` behave
correctly.
'''
stage: V3
tests: []
}
{
name: chip_usb_wake_debug
desc: '''Verify that `usb_state_debug_i` can be read from the CSR.
- Drive random value on `usb_state_debug_i`.
- Ensure the CSR `wake_debug` returns correctly value.
'''
stage: V3
tests: []
}
{
name: chip_usb_enumeration
desc: '''Verify USB enumeration. Details are not clear.
- TODO
'''
stage: V3
tests: []
}
// PINMUX & PADRING (pre-verified IP) integration tests:
{
name: chip_pin_mux
desc: '''Verify the MIO muxing at input and output sides.
- Enable `stub_cpu` mode.
- Add a forcing interface to pinmux's pad-facing DIO and MIO ports, including the output
enables; and a sampling interface for the peripheral facing DIO and MIO ports.
- Similarly, add a driving / sampling interface for all DIOs and MIOs at the chip pads.
- In the output direction:
- Program all MIO outsel and pad attribute registers to random values.
- Force the pad-facing pinmux MIO ports and output enables to random values.
- Verify all MIO pad values for correctness.
- For the input direction:
- Program all MIO insel and pad attribute registers to random values.
- Drive the MIO pads to random values.
- Probe and sample the peripheral facing MIO ports of the pinmux and verify the values
for correctness.
- Follow a similar testing procedure for DIOs.
'''
stage: V2
tests: ["chip_padctrl_attributes"]
}
{
name: chip_padctrl_attributes
desc: '''Verify pad attribute settings for all MIO and DIO pads.
- Follow the same procedure as the `chip_pin_mux` test, ensuring the padctrl attribute
registers for all MIOs and DIOs are also randomized when verifying the outcomes.
- Verify weak pull enable, output inversion and virtual open drain and drive strength
(bit 0) signaling in the output direction.
- Verify weak pull enable and input inversion in the input direction.
- Verify multiple pad attributes for each pad set at the same time through
randomization.
Cross-references the `chip_pin_mux` test.
'''
stage: V2
tests: ["chip_padctrl_attributes"]
}
{
name: chip_sw_sleep_pin_mio_dio_val
desc: '''Verify the MIO output values in any sleep states.
- Pick between normal sleep and deep sleep randomly
- Pick between tie-0, tie-1, or High-Z randomly for all muxed,
dedicated outputs coming from non-AON IPs.
SW programs the MIO OUTSEL CSRs to ensure that in sleep it randomly picks
between tie-0, tie-1 or hi-Z for all muxed outputs coming from non-AON IPs. If an AON
peripheral output is muxed, then that peripheral's output is selected to ensure in deep
sleep the peripheral can continue its signaling even in deep sleep. The testbench
verifies the correctness of the reflected values once the chip goes into deep sleep.
This is replicated for DIO pins as well.
In this test, passthrough feature is not tested. The feature is
covered in other tests such as chip_sw_sleep_pwm_pulses.
'''
stage: V2
tests: ["chip_sw_sleep_pin_mio_dio_val"]
}
{
name: chip_sw_sleep_pin_wake
desc: '''Verify pin wake up from any sleep states.
Verify one of the 8 possible MIO or DIO pad inputs (randomly configured) can cause the
chip to wake up from sleep state. Verifying wake on posedge is sufficient for the chip
level integration testing. Upon wake up, SW reads the wake cause CSR to verify
correctness.
For V3, enhance this test to configure all wakeup detectors rather than configure only
one, then have the host randomly pick one of the IOs configured for wakeup in one of
those detectors. Also, randomize and test all wakeup modes and enable debounce filter.
'''
stage: V2
tests: ["chip_sw_sleep_pin_wake"]
}
{
name: chip_sw_sleep_pin_retention
desc: '''Verify the retention logic in pinmux that is activated during deep sleep.
- Pick a pin (such as GPIO0) and enable it in output mode. Set a known value to it (0 or
1) and verify the correctless of the value on the chip IO.
- Program the pin's retention value during deep sleep to be opposite of the active power
value programmed in the previous step.
- Reuse an existing deep sleep / low power wake up test, such as
`chip_sw_sleep_pin_wake` test to enter low power.
- Once the chip enters the deep sleep state, verify that this pin holds the correct
retention value throughout the low power state.
- Wake up the chip from sleep using the chosen method.
- Verify the pin value at the chip IOs is no longer holding the retention value once the
chip is back in active power.
'''
stage: V2
tests: ["chip_sw_sleep_pin_retention"]
}
{
name: chip_sw_tap_strap_sampling
desc: '''Verify tap accesses in different LC states.
Verify pinmux can select the life_cycle, RISC-V, and DFT taps after reset.
Verify that in TEST_UNLOCKED* and RMA states, pinmux can switch between the three TAPs
without issuing reset.
Verify in PROD state, only the LC tap can be selected.
Verify in DEV state, only the LC tap and RISC-V taps can be selected.
Verify DFT test mode straps are sampled and output to AST via
top_earlgrey.dft_strap_test_o in TEST_UNLOCKED* and RMA states.
Verify top_earlgrey.dft_strap_test_o is always 0 in the states other than TEST_UNLOCKED*
and RMA, regardless of the value on DFT SW straps.
Verify loss of DFT functionality when DFT straps are deasserted on the next POR cycle.
Note: these tests require the ROM init stage to complete. So a test ROM image is loaded,
but the software does not test anything. The CPU boots and runs to completion while the
host (SV testbench) performs these stimulus / checks.
'''
stage: V2
tests: ["chip_tap_straps_dev", "chip_tap_straps_prod", "chip_tap_straps_rma"]
}
// PATTGEN (pre-verified IP) integration tests:
{
name: chip_sw_pattgen_ios
desc: '''Verify pattern generation to chip output pads.
- Program the pattgen to generate a known pattern in each lane.
- Program the pinmux to route the chosen output to the chip IOs.
- Verify that the correct pattern is seen on the IOs by hooking up the pattgen monitor.
- Validate the reception of the done interrupt.
- Verify both pattgen channels independently.
'''
stage: V2
tests: ["chip_sw_pattgen_ios"]
}
// PWM (pre-verified IP) integration tests:
{
name: chip_sw_sleep_pwm_pulses
desc: '''Verify PWM signaling to chip output pads during deep sleep.
- Program each PWM output to pulse in a known pattern.
- Program the pinmux to route the chosen PWM output to the chip IOs.
- Program the pwrmgr to go to deep sleep state, with AON timer wakeup.
- Initiate the sleep state by issuing a WFI.
- Verify that in the sleep state, the PWM signals are active and pulsing correctly, by
hooking up the PWM monitor.
- Repeat the steps for all 6 PWM signals.
'''
stage: V2
tests: ["chip_sw_sleep_pwm_pulses"]
}
//////////////////////////////////////////////////////////////////////////////////////
// System Peripherals //
// XBAR, RV_DM, RV_TIMER, AON_TIMER, PLIC, CLK/RST/PWR MGR, ALERT_HANDLER, LC_CTRL, //
// ADC_CTRL, SYSRST_CTRL //
//////////////////////////////////////////////////////////////////////////////////////
// XBAR (pre-verified IP) tests:
{
name: chip_sw_data_integrity
desc: '''
Verify the alert signaling mechanism due to integrity violations of load ops.
An SW test which performs the following on main and retention SRAMs to verify the memory
end-to-end integrity scheme:
- Corrupt a random data / integrity bit in the memory using SV force.
- SW reads that address and the corrupted data is sent to ibex.
- Verify that ibex detects the integrity violation and triggers an alert.
- Check the alert up to the NMI phase and make sure that the alert cause is from Ibex.
'''
stage: V2
tests: ["chip_sw_data_integrity_escalation"]
}
{
name: chip_sw_instruction_integrity
desc: '''
Verify the alert signaling mechanism due to integrity violations of instruction fetches.
An SW test which performs the following on main SRAM to verify the memory end-to-end
integrity scheme:
- Corrupt a data / integrity bit in a test function in the main SRAM using SV force.
- SW jumps to that test function in the main SRAM.
- Verify that ibex detects the integrity violation and triggers an alert.
- Check the alert up to the NMI phase and make sure that the alert cause is from Ibex.
'''
stage: V2
tests: ["chip_sw_data_integrity_escalation"]
}
// RV_DM (JTAG) tests:
{
name: chip_jtag_csr_rw
desc: '''
Verify accessibility of all the CSRs in the chip over JTAG.
- Shuffle the list of CSRs first to remove the effect of ordering.
- Write all CSRs via JTAG interface with a random value.
- Shuffle the list of CSRs yet again.
- Read all CSRs back and check their values for correctness while adhering to the CSR's
access policies.
- Accesses to CSRs external to `rv_dm` go through RV_DM SBA interface into the `xbar`.
'''
stage: V2
tests: ["chip_jtag_csr_rw"]
}
{
name: chip_jtag_mem_access
desc: '''
Verify accessibility of all the memories in the chip over JTAG.
This test will target the following memories in the chip:
sram_main, sram_ret, otbn i|dmem, ROM
- Shuffle the list of memories first to remove the effect of ordering.
- Write a location in a randomly chosen set of addresses within each memory via JTAG
interface with random values.
- For read-only memories, preload the memory with random data via backdoor.
- Shuffle the list of memories again.
- Read the previously written addresses in the memories back again and check the read
value for correctness. Pick some random addresses to verify in case of read-only
memories.
'''
stage: V2
tests: ["chip_jtag_mem_access"]
}
{
name: chip_rv_dm_perform_debug
desc: '''
- X-ref'ed with rom_e2e_jtag_inject from rom testplan.
- X-ref'ed with chip_sw_flash_lc_iso_part_sw_wr_en.
- X-ref'ed with manuf_cp_device_info_flash_wr from manufacturing testplan.
- Using the sram injection mechanism from rom_e2e_jtag_inject, load a SRAM program that
writes to isolated flash partition while the device is in TEST_UNLOCKED state.
- After writing, verify that the test program cannot read back the written value.
'''
stage: V3
tests: ["rom_e2e_jtag_debug_test_unlocked0", "rom_e2e_jtag_debug_dev",
"rom_e2e_jtag_debug_rma"]
}
{
name: chip_rv_dm_ndm_reset_req
desc: '''Verify non-debug reset request initiated from RV_DM when the chip is awake.
- Program some CSRs / mem that are under life cycle reset tree and system reset tree.
- Configure RV_DM to send NDM reset request to reset sytem reset tree.
- While NDM reset is ongoing, ensure the RV_DM debug module registers can still be
accessed.
- Read the programmed CSRs / mem to ensure that everything under system reset tree is
reset to the original values, while values under life cycle reset will be preserved.
- Read CSRs / mem in the debug domain to ensure that the values survive the reset.
'''
stage: V2
tests: ["chip_rv_dm_ndm_reset_req"]
}
{
name: chip_sw_rv_dm_ndm_reset_req_when_cpu_halted
desc: '''Verify non-debug reset request initiated from RV_DM when the CPU is in halted state.
- Initialize the DUT in a HW-debug enabled life cycle state.
- Activate the RISCV debug module.
- Run some SW test on the CPU.
- Initiate a CPU halt request via JTAG.
- Wait for the CPU to be in halted state via JTAG by polling dmstatus.anyhalted.
- Deassert the CPU haltreq and verify that we are still in halted state.
- (Optional) Using the abstract command, read the dcsr register to verify the cause
reflects the debug halt request.
- Issue an NDM reset request. All non-debug parts of the chip should reset. Read the
dmstatus.anyhalted / dvstatus.allhalted and verify that they are cleared.
- Verify that the debug logic is fully accessible during this time, while the NDM reset
is being processed and the chip is rebooted, by continuously accessing the DMI
register space in `rv_dm` over JTAG.
- De-assert the NDM reset request and wait for the CPU to reboot and finish the post-NDM
reset phase of the test.
'''
stage: V2
tests: ["chip_sw_rv_dm_ndm_reset_req_when_cpu_halted"]
}
{
name: chip_rv_dm_access_after_wakeup
desc: '''Verify RV_DM works after wakes up from sleep.
- Put the chip into sleep mode and then wake up (both deep sleep and normal sleep).
- If waking up from normal sleep, an activation should not be required for RV_DM CSR
accesses to work.
- If waking up from deep sleep, an activation is required for RV_DM CSR accesses to work.
'''
stage: V2
tests: ["chip_sw_rv_dm_access_after_wakeup"]
}
{
name: chip_sw_rv_dm_access_after_hw_reset
desc: '''Verify RV_DM works after a watchdog or escalated reset.
- Access some RV_DM CSRs both before and after resets.
- An activation would be required, and the tap strap would also be sampled again.
'''
stage: V3
tests: ["chip_sw_rv_dm_access_after_escalation_reset"]
}
{
name: chip_sw_rv_dm_jtag_tap_sel
desc: '''Verify ability to select all available TAPs.
- Put life cycle on Test or RMA state, so that TAPs can be selected between life cycle
RV_DM and DFT.
- Verify the TAP is selected correctly.
- X-ref'ed with chip_sw_tap_strap_sampling.
'''
stage: V2
tests: ["chip_tap_straps_rma"]
}
{
name: chip_rv_dm_lc_disabled
desc: '''Verify that the debug capabilities are disabled in certain life cycle stages.
- Put life cycle in a random life cycle state.
- Verify that the rv_dm bus device is inaccessible from the CPU as well as external
JTAG if the life cycle state is not in TEST_UNLOCKED*, DEV or RMA.
- The bus access check is performed by randomly reading or writing a CSR inside the
RV_DM and checking whether the TL-UL bus errors out.
- The JTAG access check is performed by writing and then reading a register that is
accessible via the TAP/DMI inside the RV_DM. If the JTAG wires are gated, it is
expected that the RV_DM returns all-zero instead of the written value.
- X-ref'ed with `chip_tap_strap_sampling`
'''
stage: V2
tests: ["chip_rv_dm_lc_disabled"]
}
// RV_TIMER (pre-verified IP) integration tests:
{
name: chip_sw_timer
desc: '''Verify the timeout interrupt assertion.
- Configure the RV_TIMER to generate interrupt after a set timeout.
- Issue a WFI to wait for the interrupt to trigger.
- Service the interrupt when it triggers; verify that it came from rv_timer.
- Verify that the interrupt triggered only after the timeout elapsed.
'''
stage: V2
tests: ["chip_sw_rv_timer_irq"]
}
// AON_TIMER (pre-verified IP) integration tests:
{
name: chip_sw_aon_timer_wakeup_irq
desc: '''Verify the AON timer wake up interrupt in normal operating state.
- Program the PLIC to let the AON timer wake up interrupt the CPU.
- Program the AON timer to generate the wake up timeout interrupt after some time.
- Issue a WFI to wait for the interrupt to trigger.
- Service the interrupt when it triggers; verify that it came from AON timer.
- Verify that the interrupt triggered only after the timeout elapsed.
'''
stage: V2
tests: ["chip_sw_aon_timer_irq"]
}
{
name: chip_sw_aon_timer_sleep_wakeup
desc: '''Verify that AON timer can wake up the chip from a deep sleep state.
- Read the reset cause register in rstmgr to confirm that the SW is in the POR reset
phase.
- Program the pwrmgr to go to deep sleep state (clocks off, power off).
- Program the AON timer to wake up the chip in a reasonable amount of time.
- Have the CPU issue WFI to signal the pwrmgr to go into sleep state.
- Verify via assertion checks, the wake up request occurs after the timeout has elapsed.
- After reset followed by AON timer wake up, read the reset cause register to confirm
the AON timer wake up phase.
- After the test sequence is complete, read the wake up threshold register - it should
not be reset.
'''
stage: V2
tests: ["chip_sw_pwrmgr_smoketest"]
}
{
name: chip_sw_aon_timer_wdog_bark_irq
desc: '''Verify the watchdog bark reception in normal state.
- Program the PLIC to let the wdog bark signal interrupt the CPU.
- Program the AON timer wdog to 'bark' after some time and enable the bark interrupt.
- Service the bark interrupt upon reception.
'''
stage: V2
tests: ["chip_sw_aon_timer_irq"]
}
{
name: chip_sw_aon_timer_wdog_lc_escalate
desc: '''Verify that the LC escalation signal disables the AON timer wdog.
- Program the AON timer wdog to 'bark' after some time and enable the bark interrupt.
- Start the escalation process and fail the test in the interrupt handler in case the
bark interrupt is fired.
- Program the alert handler to escalate on alerts upto phase 2 (i.e. reset) but the
phase 1 (i.e. wipe secrets) should occur and last during the time the wdog is
programed to bark and bite.
- Trigger an alert to cause an escalation condition before the bark signal asserts.
- After the reset ensure that the reset cause was due to the escalation to prove that
the wdog was disabled.
'''
stage: V2
tests: ["chip_sw_aon_timer_wdog_lc_escalate"]
}
{
name: chip_sw_aon_timer_wdog_bite_reset
desc: '''Verify the watchdog bite causing reset in the normal state.
- Read the reset cause register in rstmgr to confirm that the SW is in the POR reset
phase.
- Program the AON timer wdog to 'bark' after some time.
- Let the bark escalate to bite, which should result in a reset request.
- After reset, read the reset cause register in rstmgr to confirm that the SW is now in
the wdog reset phase.
'''
stage: V2
tests: ["chip_sw_aon_timer_wdog_bite_reset"]
}
{
name: chip_sw_aon_timer_sleep_wdog_bite_reset
desc: '''Verify the watchdog bite causing reset in sleep state.
- Repeat the steps in chip_aon_timer_wdog_bite_reset test, but with following changes:
- Program the pwrmgr to go to deep sleep state (clocks off, power off).
- Issue a WFI after programming the wdog, so that the reset request due to bite occurs
during deep sleep state.
- After reset, read the reset cause register in rstmgr to confirm that the SW is now in
the wdog reset phase.
'''
stage: V2
tests: ["chip_sw_aon_timer_wdog_bite_reset"]
}
{
name: chip_sw_aon_timer_sleep_wdog_sleep_pause
desc: '''Verify that the wdog can be paused in sleep state.
- Repeat the steps in chip_aon_timer_sleep_wakeup test, but with following changes:
- Program the wdog to 'bite' a little sooner than the AON timer wake up.
- Also, program the wdog to pause during sleep.
- Issue a WFI after programming the wdog, so that the reset request occurs during deep
sleep state.
- After reset followed by AON timer wake up, read the reset cause register to confirm
that the AON timer woke up the chip, not the wdog reset.
- Un-pause the wdog and service the bark interrupt.
'''
stage: V2
tests: ["chip_sw_aon_timer_sleep_wdog_sleep_pause"]
}
// PLIC integration tests:
{
name: chip_sw_plic_all_irqs
desc: '''Verify all interrupts from all peripherals aggregated at the PLIC.
The automated SW test enables all interrupts at the PLIC to interrupt the core. It uses
the `intr_test` CSR in each peripheral to mock assert an interrupt, looping through all
available interrupts in that peripheral. The ISR verifies that the right interrupt
occurred. This is used as a catch-all interrupt test for all peripheral integration
testing within which functionally asserting an interrupt is hard to achieve or not of
high value.
'''
stage: V2
tests: ["chip_plic_all_irqs"]
}
{
name: chip_sw_plic_sw_irq
desc: '''Verify the SW interrupt to the CPU.
Enable all peripheral interrupts at PLIC. Enable all types of interrupt at the CPU core.
Write to the MSIP CSR to generate a SW interrupt to the CPU. Verify that the only
interrupt that is seen is the SW interrupt.
'''
stage: V2
tests: ["chip_sw_plic_sw_irq"]
}
{
name: chip_plic_fatal_alert
desc: '''Verify that the fatal alert is fired from PLIC due to bus integrity violation.
- PLIC is a non-preverified IP, so it is necessary to test the assertion of fatal alert
via fault injection.
- In stub CPU mode, read a register in PLIC.
- Intercept the access in the SystemVerilog testbench and using force, inject an
integrity error on the command channel.
- Verify that the fatal alert fired on the PLIC output.
- Reboot the chip and this time, inject a fatal alert through violation of the reg
write-enable one hot check using the standardized sec_cm_pkg framework.
- Verify that the fatal alert fired on the PLIC output.
'''
stage: V3
tests: []
}
{
name: chip_sw_plic_alerts
desc: '''Verify alerts from PLIC due to both, TL intg and reg WE onehot check faults.
- Since PLIC is not pre-verified in a DV environment, we need to ensure these are tested
separately.
'''
stage: V3
tests: []
}
// CLKMGR tests:
{
name: chip_sw_clkmgr_idle_trans
desc: '''Verify the ability to turn off the transactional clock via SW.
Ensure that the clock to transactional units will be turned off after any activity
completes in the transactional IP. Verify it is off via spinwait in hints_status CSR.
Verify that turning off this clock does not affect the other derived clocks.
'''
stage: V2
tests: ["chip_sw_aes_idle",
"chip_sw_hmac_enc_idle",
"chip_sw_kmac_idle",
"chip_sw_otbn_randomness"]
}
{
name: chip_sw_clkmgr_off_trans
desc: '''Verify the turned off transactional units.
Verify CSR accesses do not complete in units that are off. Using the watchdog timers,
turn off a transactional unit's clock, issue a CSR access to that unit, verify a
watchdog event results, and verify the rstmgr crash dump info records the CSR address.
A stretch goal is to check the PC corresponds to the code performing the CSR access
(stretch since it could be difficult to maintain this check).
'''
stage: V2
tests: ["chip_sw_clkmgr_off_aes_trans",
"chip_sw_clkmgr_off_hmac_trans",
"chip_sw_clkmgr_off_kmac_trans",
"chip_sw_clkmgr_off_otbn_trans"]
}
{
name: chip_sw_clkmgr_off_peri
desc: '''Verify the ability to turn off the peripheral clock via SW.
Verify CSR accesses do not complete in peripherals that are off. Using the watchdog
timers, turn off a peripheral's clock, issue a CSR access to that peripheral, verify a
watchdog event results, and verify the rstmgr crash dump info records the CSR address.
'''
stage: V2
tests: ["chip_sw_clkmgr_off_peri"]
}
{
name: chip_sw_clkmgr_div
desc: '''Verify clk division logic is working correctly.
The IP level checks the divided clocks via SVA, and these are also bound at chip level.
Connectivity tests check peripherals are connected to the clock they expect.
Use the clkmgr count measurement feature to verify clock division.
'''
stage: V2
tests: ["chip_sw_clkmgr_external_clk_src_for_sw_fast",
"chip_sw_clkmgr_external_clk_src_for_sw_slow",
"chip_sw_clkmgr_external_clk_src_for_lc"]
}
{
name: chip_sw_clkmgr_external_clk_src_for_lc
desc: '''Verify the clkmgr requests ext clk src during certain LC states.
On POR lc asserts lc_clk_byp_req on some LC states, and de-asserts
it when lc_program completes. This also triggers divided clocks to step down. It may be
best to verify this via SVA, unless we implement clock cycle counters.
'''
stage: V2
tests: ["chip_sw_clkmgr_external_clk_src_for_lc"]
}
{
name: chip_sw_clkmgr_external_clk_src_for_sw
desc: '''Verify SW causes the clkmgr requests ext clk src during certain LC states.
In RMA and TEST_UNLOCKED lc states the external clock is enabled in response to
`extclk_ctrl.sel` CSR writes. In addition `extclk_ctrl.hi_speed_sel` CSR causes the
divided clocks to step down. Verify this via SVA bound to clkmgr, and clock cycle
counters.
Disable external clock source and verify the AST reliably falls back to the internal
clock. Ensure the chip operates normally.
X-ref with chip_sw_uart_tx_rx_alt_clk_freq, which needs to deal with this as well.
'''
stage: V2
tests: ["chip_sw_clkmgr_external_clk_src_for_sw_fast",
"chip_sw_clkmgr_external_clk_src_for_sw_slow"]
}
{
name: chip_sw_clkmgr_jitter
desc: '''Verify the clock jitter functionality.
Enable clock jitter setting the clkmgr `jitter_enable` CSR high. This causes the
jitter_o clkmgr output to toggle. Verify this output is connected to AST's
clk_src_sys_jen_i input using formal.
X-ref with various specific jitter enable tests.
'''
stage: V2
tests: ["chip_sw_clkmgr_jitter",
"chip_sw_flash_ctrl_ops_jitter_en",
"chip_sw_flash_ctrl_access_jitter_en",
"chip_sw_otbn_ecdsa_op_irq_jitter_en",
"chip_sw_aes_enc_jitter_en",
"chip_sw_hmac_enc_jitter_en",
"chip_sw_keymgr_key_derivation_jitter_en",
"chip_sw_kmac_mode_kmac_jitter_en",
"chip_sw_sram_ctrl_scrambled_access_jitter_en",
"chip_sw_edn_entropy_reqs_jitter"]
}
{
name: chip_sw_clkmgr_extended_range
desc: '''Verify that the system can run at a reduced, calibrated clock frequency.
This test should check that the system can run at a reduced, calibrated clock frequency
(70MHz) with jitter enabled (which can lower the frequency down to ~55 MHz
momentarily). This option is intended as a fall-back in case there are issues running
the system with at 100MHz (calibrated).
This testpoint can be covered by extending the DV environment to support the extended
range clock option via a flag, and running several existing chip-level tests with that
option.
Test the following functionalities with reduced clock:
- flash_ctrl initialization
- flash_ctrl program, read and erase operations
- AES, HMAC, KMAC and OTBN operations
- Keymgr key derivation
- Scramble-enabled access from the main SRAM
- Csrng edn concurrency
'''
stage: V2
tests: ["chip_sw_clkmgr_jitter_reduced_freq",
"chip_sw_flash_ctrl_ops_jitter_en_reduced_freq",
"chip_sw_flash_ctrl_access_jitter_en_reduced_freq",
"chip_sw_otbn_ecdsa_op_irq_jitter_en_reduced_freq",
"chip_sw_aes_enc_jitter_en_reduced_freq",
"chip_sw_hmac_enc_jitter_en_reduced_freq",
"chip_sw_keymgr_key_derivation_jitter_en_reduced_freq",
"chip_sw_kmac_mode_kmac_jitter_en_reduced_freq",
"chip_sw_sram_ctrl_scrambled_access_jitter_en_reduced_freq",
"chip_sw_flash_init_reduced_freq",
"chip_sw_csrng_edn_concurrency_reduced_freq"]
}
{
name: chip_sw_clkmgr_deep_sleep_frequency
desc: '''Verify the frequency measurement through deep sleep.
Enable clock cycle counts. Put the chip in deep sleep. Upon wakeup reset the
clock measurements should be off, but the recoverable fault status should not
be cleared.
'''
stage: V2
tests: ["chip_sw_ast_clk_outputs"]
}
{
name: chip_sw_clkmgr_sleep_frequency
desc: '''Verify the frequency measurement through shallow sleep.
Enable clock cycle counts. Put the chip in shallow sleep with pwrmgr's CONTROL CSR
keeping some clocks disabled. Upon wakeup the clock measurements should be on, and the
recoverable fault status should show no errors for the disabled clocks.
'''
stage: V2
tests: ["chip_sw_clkmgr_sleep_frequency"]
}
{
name: chip_sw_clkmgr_reset_frequency
desc: '''Verify the frequency measurement through reset.
Enable clock cycle counts, configured to cause errors. Trigger a chip reset via SW.
After reset the clock measurements should be off and the recoverable fault status
should be cleared.
'''
stage: V2
tests: ["chip_sw_clkmgr_reset_frequency"]
}
{
name: chip_sw_clkmgr_escalation_reset
desc: '''Verify the clock manager resets to a clean state after an escalation reset.
Trigger an internal fatal fault for the regfile onehot checker and let it escalate to
reset. Upon alert escalation reset, the internal status should be clear and clkmgr
should not attempt to send out more alerts.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets"]
}
// PWRMGR tests:
{
name: chip_sw_pwrmgr_external_full_reset
desc: '''Verify the cold boot sequence by wiggling of chip's `POR_N`.
This ensures that both FSMs are properly reset on the POR signal. The check is that
the processor ends up running. Also verify, the rstmgr recorded POR in `reset_info` CSR
by checking retention SRAM for reset_reason.
'''
stage: V2
tests: ["chip_sw_pwrmgr_full_aon_reset"]
}
{
name: chip_sw_pwrmgr_random_sleep_all_wake_ups
desc: '''Verify that the chip can go into random low power states and be woken up by ALL wake
up sources.
This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is
working correctly as expected. X-ref'ed with all individual IP tests. For each wakeup
source clear and enable `wake_info` CSR, enable the wakeup from that source with the
`wakeup_en` CSR, bring the chip to both normal and low power sleep, optionally
disabling the source's clock, have the source issue a wakeup event and verify
`wake_info` indicates the expected wakeup.
Each test should perform a minimum of 2 low power transitions to ensure there are no
state dependent corner cases with wakeup interactions.
'''
stage: V2
tests: ["chip_sw_pwrmgr_random_sleep_all_wake_ups"]
}
{
name: chip_sw_pwrmgr_normal_sleep_all_wake_ups
desc: '''Verify that the chip can go into normal sleep state and be woken up by ALL wake up
sources.
This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is
working correctly as expected. X-ref'ed with all individual IP tests. For each wakeup
source clear and enable `wake_info` CSR, enable the wakeup from that source with the
`wakeup_en` CSR, bring the chip to normal sleep, optionally disabling the source's
clock, have the source issue a wakeup event and verify `wake_info` indicates the
expected wakeup.
'''
stage: V2
tests: ["chip_sw_pwrmgr_normal_sleep_all_wake_ups"]
}
{
name: chip_sw_pwrmgr_sleep_all_reset_reqs
desc: '''Verify that the chip can go into normal sleep state and be reset by ALL reset req
sources.
This verifies ALL reset sources. This also verifies that the pwrmgr sequencing is
working correctly as expected. X-ref'ed with all individual IP tests. For each reset
source, enable the source and bring the chip to low power, issue a reset, and verify the
rstmgr's `reset_info` indicated the expected reset by checking retention SRAM for
reset_reason.
'''
stage: V2
tests: ["chip_sw_aon_timer_wdog_bite_reset"]
}
{
name: chip_sw_pwrmgr_deep_sleep_all_wake_ups
desc: '''Verify that the chip can go into deep sleep state and be woken up by ALL wake up
sources.
This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is
working correctly as expected. X-ref'ed with all individual IP tests. Similar to
chip_pwrmgr_sleep_all_wake_ups, except `control.main_pd_n` is set to 0.
'''
stage: V2
tests: ["chip_sw_pwrmgr_deep_sleep_all_wake_ups"]
}
{
name: chip_sw_pwrmgr_deep_sleep_all_reset_reqs
desc: '''Verify that the chip can go into deep sleep state and be reset up by ALL reset req
sources.
This verifies ALL reset sources.
- 7 resets are generated randomly with deep sleeps
- POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req
- esc reset is followd by normal mode because it does not work with sleep mode
'''
stage: V2
tests: ["chip_sw_pwrmgr_deep_sleep_all_reset_reqs"]
}
{
name: chip_sw_pwrmgr_normal_sleep_all_reset_reqs
desc: '''Verify that the chip can go into normal sleep state and be reset up by ALL reset req
sources.
This verifies ALL reset sources.
- 7 resets are generated randomly with normal sleeps
- POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req
- esc reset is followed by normal mode and cleared by reset because it does not work
with sleep mode
'''
stage: V2
tests: ["chip_sw_pwrmgr_normal_sleep_all_reset_reqs"]
}
{
name: chip_sw_pwrmgr_wdog_reset
desc: '''Verify that the chip can be reset by watchdog timer reset source.
This verifies watchdog timer reset source. This also verifies that the pwrmgr sequencing
is working correctly as expected. X-ref'ed with all individual IP tests. Similar to
chip_pwrmgr_sleep_all_reset_reqs, except the chip is not put in low power mode.
'''
stage: V2
tests: ["chip_sw_pwrmgr_wdog_reset"]
}
{
name: chip_sw_pwrmgr_aon_power_glitch_reset
desc: '''Verify the cold boot sequence through an AON power glitch.
Pulsing the AST vcaon_supp_i input causes an AON power glitch which becomes a POR.
This ensures that both FSMs are properly reset on the POR signal. The check is that
the processor ends up running. Also verify, the rstmgr recorded POR in `reset_info` CSR
by checking retention SRAM for reset_reason.
'''
stage: V2
tests: ["chip_sw_pwrmgr_full_aon_reset"]
}
{
name: chip_sw_pwrmgr_main_power_glitch_reset
desc: '''Verify the effect of a glitch in main power rail.
The vcmain_supp_i AST input is forced to drop once the test is running. This triggers
a MainPwr reset request, which is checked by reading retention SRAM's reset_reason to
see that the reset_info CSR's POR bit is not set when the test restarts.
'''
stage: V2
tests: ["chip_sw_pwrmgr_main_power_glitch_reset"]
}
{
name: chip_sw_pwrmgr_random_sleep_power_glitch_reset
desc: '''Verify the effect of a glitch in main power rail in random sleep states.
The vcmain_supp_i AST input is forced to drop right after putting the chip in a random
sleep state. This triggers a MainPwr reset request, which is checked by reading
retention SRAM's reset_reason to show that the reset_info CSR's POR bit is not set when
the test restarts.
Note: the glitch has to be sent in a very narrow window:
- If sent too early the chip won't have started to process deep sleep.
- If too late the hardware won't monitor main power okay so the glitch will have no
effect, and the test will timeout.
Each test should perform a minimum of 2 low power transitions to ensure there are no
state dependent corner cases with power glitch handling.
'''
stage: V2
tests: ["chip_sw_pwrmgr_random_sleep_power_glitch_reset"]
}
{
name: chip_sw_pwrmgr_deep_sleep_power_glitch_reset
desc: '''Verify the effect of a glitch in main power rail in deep sleep.
The vcmain_supp_i AST input is forced to drop right after putting the chip in deep
sleep. This triggers a MainPwr reset request, which is checked by reading retention
SRAM's reset_reason to show that the reset_info CSR's POR bit is not set when the test
restarts.
Note: the glitch has to be sent in a very narrow window:
- If sent too early the chip won't have started to process deep sleep.
- If too late the hardware won't monitor main power okay so the glitch will have no
effect, and the test will timeout.
'''
stage: V2
tests: ["chip_sw_pwrmgr_deep_sleep_power_glitch_reset"]
}
{
name: chip_sw_pwrmgr_sleep_power_glitch_reset
desc: '''Verify the effect of a glitch in main power rail in shallow sleep.
The vcmain_supp_i AST input is forced to drop after putting the chip in shallow sleep.
This triggers a MainPwr reset request, which is checked by reading the retention SRAM's
reset_reason shows that the reset_info CSR's POR bit is not set when the
test restarts.
'''
stage: V2
tests: ["chip_sw_pwrmgr_sleep_power_glitch_reset"]
}
{
name: chip_sw_pwrmgr_random_sleep_all_reset_reqs
desc: '''Verify that this chip can be reset by All available reset sources.
- 12 resets are generated randomly with normal/deep sleeps
- POR (HW PAD) reset, SW POR, sysrst, wdog timer reset, esc rst, SW req
- esc reset is followd by normal mode because it does not work with sleep mode
'''
stage: V2
tests: ["chip_sw_pwrmgr_random_sleep_all_reset_reqs"]
}
{
name: chip_sw_pwrmgr_sysrst_ctrl_reset
desc: '''Verify the effect of a sysrst_ctrl output in main power rail.
- Read the reset cause register in rstmgr to confirm that the SW is in the POR reset
phase.
- After sysrst reset is generated by forcing, read the reset cause register in rstmgr to
confirm that the SW is now in the sysrst reset phase.
- Generate sysrst by driving input PAD.
- After reset, read the reset cause register in rstmgr to confirm that the SW is now in
the sysrst reset phase.
- Program the AON timer wdog to 'bark' after some time.
- Let the bark escalate to bite, which should result in a reset request.
- After reset, read the reset cause register in rstmgr to confirm that the SW is now in
the wdog reset phase.
- Program the AON timer wdog to 'bark' after some time.
'''
stage: V2
tests: ["chip_sw_pwrmgr_sysrst_ctrl_reset"]
}
{
name: chip_sw_pwrmgr_b2b_sleep_reset_req
desc: '''Verify that the pwrmgr sequences sleep_req and reset req coming in almost at the same
time, one after the other. Use POR_N PAD to trigger reset.
'''
stage: V2
tests: ["chip_sw_pwrmgr_b2b_sleep_reset_req"]
}
{
name: chip_sw_pwrmgr_sleep_disabled
desc: '''Verify that the chip does not go to sleep on WFI when low power hint is 0.
This calls WFI with low_power_hint disabled and pwrmgr interrupts enabled,
and fails if the pwrmgr ISR is called.
'''
stage: V2
tests: ["chip_sw_pwrmgr_sleep_disabled"]
}
{
name: chip_sw_pwrmgr_escalation_reset
desc: '''Verify the power manager resets to a clean state after an escalation reset.
Trigger an internal fatal fault for the regfile onehot checker and let it escalate to
reset. Upon alert escalation reset, the internal status should be clear and pwrmgr
should not attempt to send out more alerts.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets"]
}
// RSTMGR tests:
{
name: chip_sw_rstmgr_non_sys_reset_info
desc: '''Verify the `reset_info` CSR register for lc or higher resets.
Generate the 5 types of reset at `lc` level or higher, and check the retention SRAM's
reset_reason to show that `reset_info` CSR is as expected. This and other rstmgr
testpoints that require different resets cross-reference the individual IP tests that
generate those resets, and this testpoint merely adds reset checks in them. Those IP
blocks are `pwrmgr`, `alert_handler`, `aon_timer`, and `sysrst_ctrl`.
This should also check the reset's destination IP to make sure some reset side-effect
is present. Setting some `intr_enable` CSR bit when the test starts and checking it
after reset seems suitable. The `spi_host` IPs receive multiple resets so they will
need special consideration.
TODO(maturana) Add specific tests once they are developed.
'''
stage: V2
tests: ["chip_sw_pwrmgr_smoketest"]
}
{
name: chip_sw_rstmgr_sys_reset_info
desc: '''Verify the `reset_info` CSR register for sys reset.
Generate reset triggered by `rv_dm`, which results in a sys level reset, and check the
retention SRAM's reset_reason to show that the `reset_info` CSR is as expected. This
testpoint cross-reference the `rv_dm` tests that generate this reset, and this
testpoint merely adds reset checks in them.
This should also check the reset's destination IP to make sure some reset side-effect
is present. Setting some `intr_enable` CSR bit when the test starts and checking it
after reset seems suitable. The `spi_host` IPs receive multiple resets so they will
need special consideration.
X-ref with chip_rv_dm_ndm_reset_req.
'''
stage: V2
tests: ["chip_rv_dm_ndm_reset_req"]
}
{
name: chip_sw_rstmgr_cpu_info
desc: '''Verify the expected values from the `cpu_info` CSR on reset.
For some software induced resets we can predict the expected contents of `cpu_info`;
reads of writes to unmapped addresses for example. Generate these resets and verify
the `cpu_info` register contents when reset is handled.
Refer to `chip_*sys_rstmgr_reset_info`.
'''
stage: V2
tests: ["chip_sw_rstmgr_cpu_info"]
}
{
name: chip_sw_rstmgr_sw_req_reset
desc: '''Verify software requested device reset.
Generate a reset request by directly writing the `reset_req` CSR.
The reset created should be identical to those caused by hardware sources.
After reset, the retention SRAM's reset_reason should show that the `reset_info` CSR
reflects that a software request was the reset cause.
'''
stage: V2
tests: ["chip_sw_rstmgr_sw_req"]
}
{
name: chip_sw_rstmgr_alert_info
desc: '''Verify the expected values from the `alert_info` CSR on reset.
Various alerts can be created, for example, timeouts, and integrity errors, and at
least part of the `alert_info` CSR can be predicted. To cause some of these to
cause a reset, mask the relevant processor interrupts. Trigger these resets and
verify the `alert_info` register contents when reset is handled.
Refer to `chip_*sys_rstmgr_reset_info`.
'''
stage: V2
tests: ["chip_sw_rstmgr_alert_info"]
}
{
name: chip_sw_rstmgr_sw_rst
desc: '''Verify `sw_rst_ctrl_n` CSR resets individual peripherals.
- Pick a rw type CSR in each peripheral and program arbitrary value
that does not cause any adverse side-effects.
- Pulse the reset to the peripheral via software.
- Read the resister after reset and verify it returns the reset value.
- Repeat these steps for each of these software resettable peripherals:
`spi_device`, `spi_host0`, `spi_host1`, `usb`, `i2c0`, `i2c1`, `i2c2`.
Notice the two `spi_host` IPs receive two different resets, `spi_host*`.
'''
stage: V2
tests: ["chip_sw_rstmgr_sw_rst"]
}
{
name: chip_sw_rstmgr_escalation_reset
desc: '''Verify the reset manager resets to a clean state after an escalation reset.
Trigger an internal fatal fault for the regfile onehot checker and let it escalate to
reset. Upon alert escalation reset, the internal status should be clear and rstmgr
should not attempt to send out more alerts.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets"]
}
// ALERT_HANDLER (pre-verified IP) integration tests:
{
name: chip_sw_alert_handler_alerts
desc: '''Verify all alerts coming into the alert_handler.
An automated SW test, which does the following (applies to all alerts in all IPs):
- Program the alert_test CSR in each block to trigger each alert one by one.
- Ensure that all alerts are properly connected to the alert handler and cause the
escalation paths to trigger.
'''
stage: V2
tests: ["chip_sw_alert_test"]
}
{
name: chip_sw_alert_handler_escalations
desc: '''Verify all alert escalation paths.
Verify all escalation paths triggered by an alert.
- Verify the first escalation results in NMI interrupt serviced by the CPU.
- Verify the second results in device being put in scrap state, via the LC JTAG TAP.
- Verify the third results in chip reset.
- Ensure that all escalation handshakes complete without errors.
'''
stage: V2
tests: ["chip_sw_alert_handler_escalation"]
}
{
name: chip_sw_all_escalation_resets
desc: '''Verify escalation from all unit integrity errors.
Inject integrity errors in any unit that has a one-hot checker for CSR register
writes, and verify escalation is triggered. Allow escalation to go through reset.
Use the rstmgr alert info and the unit's fault CSRs to check the alert cause is right.
Each run of the test randomly chooses some one-hot checker for the error to be injected.
Keep state across resets in flash to check the expected interrupts and the right number
of resets occur.
- Verify the integrity error results in a regular interrupt.
- Verify the first escalation results in NMI serviced by the CPU.
- Verify the alert id in both these interrupts.
- Verify the unit's fault CSR correctly captured the fault kind.
- Verify any timer interrupts are disabled by escalation.
- Verify after the escalation reset all faults are cleared, and that the alert
info captured the correct alert.
- Check that no additional resets occur.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets"]
}
{
name: chip_sw_alert_handler_irqs
desc: '''Verify all classes of alert handler interrupts to the CPU.
X-ref'ed with the automated PLIC test.
'''
stage: V2
tests: ["chip_plic_all_irqs"]
}
{
name: chip_sw_alert_handler_entropy
desc: '''Verify the alert handler entropy input to ensure pseudo-random ping timer.
- Force `alert_handler_ping_timer` input signal `wait_cyc_mask_i` to `8'h07` to
shorten the simulation time.
- Verify that the alert_handler can request EDN to provide entropy.
- Ensure that the alert ping handshake to all alert sources and escalation receivers
complete without errors.
'''
stage: V2
tests: ["chip_sw_alert_handler_entropy"]
}
{
name: chip_sw_alert_handler_crashdump
desc: '''Verify the alert handler crashdump signal.
When the chip resets due to alert escalating to cause the chip to reset, verify the
reset cause to verify the alert crashdump.
Xref'ed with chip_sw_rstmgr_alert_info.
'''
stage: V2
tests: ["chip_sw_rstmgr_alert_info"]
}
{
name: chip_sw_alert_handler_ping_timeout
desc: '''Verify the alert senders' ping timeout.
Set alert_handler's ping timeout cycle to 2 and enable alert_senders. Verify that
alert_handler detects the ping timeout and reflects it on the `loc_alert_cause`
register.
'''
stage: V2
tests: ["chip_sw_alert_handler_ping_timeout"]
}
{
name: chip_sw_alert_handler_lpg_sleep_mode_alerts
desc: '''Verify alert_handler can preserve alerts during low_power mode.
- Trigger fatal alerts for all IPs but configure alert_handler so it won't trigger
reset.
- Randomly enter normal or deep sleep mode.
- Wait random cycles then wake up from the sleep mode.
- After wake up from normal sleep mode, clear all alert cause registers and check that
all alerts are still firing after waking up.
- Repeat the previous steps for random number of iterations.
'''
stage: V2
tests: ["chip_sw_alert_handler_lpg_sleep_mode_alerts"]
}
{
name: chip_sw_alert_handler_lpg_sleep_mode_pings
desc: '''Verify alert_handler's ping mechanism works correctly during sleep and wake up.
There are two scenarios to check:
- Configure alert_handler's ping timeout register to a reasonble value that won't cause
ping timeout in normal cases.
Then randomly enter and exit normal or deep sleep modes.
Check that no local alerts triggered in alert_handler.
This scenario ensures that ping mechanism won't send out spurious failure.
- Configure alert_handler's ping timeout register to a small value that will always
causes ping timeout.
Then randomly enter and exit normal or deep sleep modes.
Clear local alert cause register and check that alert ping timeout continue to fire
after wake up.
This scenario ensures the ping mechanism will continue to send out pings after waking
up from sleep modes.
'''
stage: V2
tests: ["chip_sw_alert_handler_lpg_sleep_mode_pings"]
}
{
name: chip_sw_alert_handler_lpg_clock_off
desc: '''Verify alert_handler's works correctly when sender clock is turned off.
- Configure clkmgr to randomly turn off one of the IP's clock and check alert_handler
won't trigger a ping timeout error on that block.
'''
stage: V2
tests: ["chip_sw_alert_handler_lpg_clkoff"]
}
{
name: chip_sw_alert_handler_lpg_reset_toggle
desc: '''Verify alert_handler's works correctly when sender reset is toggled.
- Configure rstmgr to randomly toggle one IP block's SW reset and check alert_handler
won't trigger a ping timeout error on that block.
'''
stage: V2
tests: ["chip_sw_alert_handler_lpg_reset_toggle"]
}
{
name: chip_sw_alert_handler_reverse_ping_in_deep_sleep
desc: '''Verify escalation reverse ping timer disabled in sleep mode.
Check that escalation receivers located inside always-on blocks do not auto-escalate
due to the reverse ping feature while the system is in deep sleep.
## Reverse ping timeout calculation
The reverse ping timeout calculation is done using the following formula available in
`prim_esc_receiver`:
```
4 * N_ESC_SEV * (2 * 2 * 2^PING_CNT_DW)
```
`pwrmgr` is the only block consuming the `N_ESC_SEV` and `PING_CNT_DW` compile time
parameters:
```
alert_handler_reg_pkg::N_ESC_SEV = 4
alert_handler_reg_pkg::PING_CNT_DW = 16
```
The alert escalation responder inside `pwrmgr` is connected to the `io_div4` clock,
yielding a target 24MHz frequency. The result expected timeout based on the above
parameters is thus:
```
reverse_ping_timeout = 0.175s = (4 * 4 ( 2 * 2 * 2^16)) / 24e6
```
## Procedure
- On POR reset:
- Enable all alerts assigning them to ClassA.
- Enable all local alerts and assign to ClassB.
- Set escalation configuration to trigger before test wake up time.
- Set ping timeout to a time less than wake up time.
- Lock alert configuration and enable ping mechanism.
- Wait for polling counters to cycle through by busy polling on Ibex for
`reverse_ping_timeout >> 2` usec.
- Configure AON to wake up device at a later time, making sure it is greater than the
`reverse_ping_timeout` calculated in the previous section.
- Enter deep sleep.
- On wake up from sleep:
- Ensure reset status is low power exit. A `kDifRstmgrResetInfoEscalation` signals
that there was a local escalation and should result in test failure.
- Disable AON timer.
- Check there are no flagged local alerts.
'''
stage: V2
tests: ["chip_sw_alert_handler_reverse_ping_in_deep_sleep"]
}
// LC_CTRL (pre-verified IP) integration tests:
{
name: chip_sw_lc_ctrl_alert_handler_escalation
desc: '''Verify that the escalation signals from the alert handler are connected to LC ctrl.
- Trigger an alert to initiate the escalations.
- Check that the escalation signals are connected to the LC ctrl:
- First escalation has no effect on the LC ctrl. Read LC_STATE CSR to confirm
this is the case.
- Second escalation should cause the `lc_escalation_en` output to be asserted and for
the LC_STATE to transition to scrap state. Confirm by reading the LC_STATE CSR
- Verify that all decoded outputs except for escalate_en are
disabled. X-ref'ed with the respective IP tests that consume these signals.
X-ref'ed with chip_sw_lc_ctrl_broadcast test, which verifies the connectivity of the LC
decoded outputs to other IPs.
X-ref'ed with alert_handler's escalation test.
'''
stage: V2
tests: ["chip_sw_alert_handler_escalation"]
}
{
name: chip_sw_lc_ctrl_jtag_access
desc: '''Verify enable to access LC ctrl via JTAG.
Using the JTAG agent, write and read LC ctrl CSRs, verify the read value for
correctness.
'''
stage: V2
tests: ["chip_tap_straps_dev", "chip_tap_straps_prod", "chip_tap_straps_rma"]
}
{
name: chip_sw_lc_ctrl_otp_hw_cfg
desc: '''Verify the device_ID and ID_state CSRs.
- Preload the hw_cfg partition in OTP ctrl with random data.
- Read the device ID and the ID state CSRs to verify their correctness.
- Reset the chip and repeat the first 2 steps to verify a different set of values.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_otp_hw_cfg"]
}
{
name: chip_sw_lc_ctrl_init
desc: '''Verify the LC ctrl initialization on power up.
Verify that the chip powers up correctly on POR.
- The pwrmgr initiates a handshake with OTP ctrl and later, with LC ctrl in subsequent
FSM states. Ensure that the whole power up sequence does not hang.
- Verify with connectivity assertion checks, the handshake signals are connected.
- Ensure that no interrupts or alerts are triggered.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_lc_ctrl_transitions
desc: '''Verify the LC ctrl can transit from one state to another valid state with the
correct tokens.
- Preload OTP image with a LC state and required tokens to transfer to next state.
- Initiate an LC ctrl state transition via SW if CPU is enabled, or via JTAG interface
if CPU is disable.
- Ensure that the LC program request is received by the OTP ctrl.
- Verify the updated data output from OTP ctrl to LC ctrl is correct.
- Ensure that there is no background or otp_init error.
- Verify that the LC ctrl has transitioned to the programmed state after a reboot.
Re-randomize the lc_transition tokens and repeat the sequence above.
X-ref'ed chip_sw_otp_ctrl_program.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_lc_ctrl_kmac_req
desc: '''Verify the token requested from KMAC.
- For conditional transition, the LC ctrl will send out a token request to KMAC.
- Verify that the KMAC returns a hashed token, which should match one of the
transition token CSRs.
X-ref'ed with chip_kmac_lc_req.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_lc_ctrl_key_div
desc: '''Verify the keymgr div output to keymgr.
- Verify in different LC states, LC ctrl outputs the correct `key_div_o` to keymgr.
- Verify that the keymgr uses the given `key_div_o` value to compute the keys.
'''
stage: V2
tests: ["chip_sw_keymgr_key_derivation_prod"]
}
{
name: chip_sw_lc_ctrl_broadcast
desc: '''Verify broadcast signals from lc_ctrl.
- Preload the LC partition in the otp_ctrl with the following states: RMA, DEV,
TEST_LOCKED[N] & SCRAP.
- Verify that the following broadcast signals are having the right effect in the
respective IPs that consume them:
- lc_dft_en_o: impacts pinmux, pwrmgr, otp_ctrl, AST
- lc_hw_debug_en_o: impacts pinmux, pwrmgr, sram_ctrl (main and ret) & the rv_dm
- lc_keymgr_en_o: impacts keymgr
- lc_clk_byp_req_o: impacts clkmgr (handshake with lc_clk_byp_ack_i)
- lc_flash_rma_req_o: impacts flash_ctrl (handshake with lc_flash_ram_ack_i)
- lc_flash_rma_seed_o: impacts flash_ctrl
- lc_check_byp_en_o: impacts otp_ctrl
- lc_creator_seed_sw_rw_en_o: impacts flash_ctrl & otp_ctrl
- lc_owner_seed_sw_rw_en_o: impacts flash_ctrl
- lc_iso_part_sw_rd_en_o: impacts flash_ctrl
- lc_iso_part_sw_wr_en_o: impacts flash_ctrl
- lc_seed_hw_rd_en_o: impacts flash_ctrl & otp_ctrl
- These outputs are enabled per the
[life cycle architecture spec](doc/security/specs/device_life_cycle/README.md#architecture).
X-ref'ed with the respective IP tests that consume these signals.
Note that the following signals are already verified with connectivity tests and SVAs:
- lc_dft_en_o (AST connection)
- lc_cpu_en_o (rv_core_ibex)
- lc_nvm_debug_en_o (flash_ctrl)
- lc_escalate_en_o (multiple)
'''
stage: V2
tests: [
"chip_prim_tl_access", // lc_dft_en_o: otp_ctrl
"chip_tap_straps_dev", // lc_dft_en_o, lc_hw_debug_en_o: pinmux
"chip_tap_straps_prod", // lc_dft_en_o, lc_hw_debug_en_o: pinmux
"chip_tap_straps_rma", // lc_dft_en_o, lc_hw_debug_en_o: pinmux
"chip_sw_rom_ctrl_integrity_check", // lc_dft_en_o, lc_hw_debug_en_o: pwrmgr
"chip_sw_clkmgr_external_clk_src_for_sw_fast", // lc_hw_debug_en_o: clkmgr
"chip_sw_clkmgr_external_clk_src_for_sw_slow", // lc_hw_debug_en_o: clkmgr
"chip_sw_sram_ctrl_execution_main", // lc_hw_debug_en_o: sram_ctrl main
"chip_rv_dm_lc_disabled" // lc_hw_debug_en_o: rv_dm
"chip_sw_keymgr_key_derivation", // lc_keymgr_en_o: keymgr
"chip_sw_clkmgr_external_clk_src_for_lc", // lc_clk_byp_req_o: clkmgr
"chip_sw_flash_rma_unlocked", // lc_flash_rma_req_o, lc_flash_rma_seed_o: flash_ctrl
"chip_sw_lc_ctrl_transition", // lc_check_byp_en_o: otp_ctrl
"chip_sw_flash_ctrl_lc_rw_en", // lc_creator*, lc_seed*, lc_owner*, lc_iso*: flash_ctrl
"chip_sw_otp_ctrl_lc_signals_test_unlocked0", // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl
"chip_sw_otp_ctrl_lc_signals_dev", // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl
"chip_sw_otp_ctrl_lc_signals_prod", // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl
"chip_sw_otp_ctrl_lc_signals_rma", // lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, lc_keymgr_en_i: otp_ctrl
]
}
{
name: chip_sw_lc_ctrl_kmac_error
desc: '''
Verify the effect of KMAC returning an error during the hash generation of LC tokens.
- Follow the steps in `chip_sw_lc_ctrl_kmac_req` test.
- While the KMAC is actively computing the digest, glitch the KMAC app sparse FSM to
trigger a fault.
- Verify that KMAC returns an error signal to the LC controller.
- TBD
'''
stage: V3
tests: []
}
// SYSRST_CTRL (pre-verified IP) integration tests:
{
name: chip_sw_sysrst_ctrl_inputs
desc: '''Verify that the SYSRST ctrl input pin values can be read.
- Drive a known value on ac_reset, ec_rst_l, flash_wp_l, pwrb, lid_open and key* pins at
the chip inputs.
- Read the pin_in_value CSR to check for correctness.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_inputs"]
}
{
name: chip_sw_sysrst_ctrl_outputs
desc: '''Verify that the SYSRST ctrl output pin values can be set.
- Drive a known value on ac_reset, ec_rst_l, flash_wp_l, pwrb, lid_open and key* pins
at the chip inputs.
- Verify that SYSRST ctrl correctly loops them back to the chip outputs.
- Write the pin_allowed_ctl register to allow some of the pins to be overridden with
either 0 or 1 or both.
- Write the pin_out_ctl register to enable the override on some of the pins.
- Write the pin_out_value register to set known values on those pins.
- Verify that at the chip outputs, pins on which override should be active is
reflecting the overridden values. All others should reflect the values driven on chip
inputs.
- Via assertion checks (or equivalent) verify that the transitions at the inputs
immediately reflect at the outputs, if not intercepted / debounced by sysrst_ctrl.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_outputs"]
}
{
name: chip_sw_sysrst_ctrl_in_irq
desc: '''Verify the SYSRST ctrl can detect an input combination to signal an interrupt.
- Program a specific combination of transitions on pwrb, key*, ac_present and ec_reset_l
pins to trigger an interrupt by writing to key_intr_ctl register.
- Program the key_intr_debounce_ctl register to debounce an appropriate time.
- Enable the interrupt at SYSRST ctrl as well as at the PLIC.
- Create glitches only for some time less than detection time and check that there is no
- interrupt triggered.
- Glitch the inputs at the chip IOs before stabilizing on the programmed transitions.
- SW services the interrupt when triggered, verifies the pin input value and
key_intr_status for correctness and clears the interrupt status.
- Verify separately, each key combination sufccessfully generates an interrupt.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_in_irq"]
}
{
name: chip_sw_sysrst_ctrl_sleep_wakeup
desc: '''Verify the SYSRST ctrl can wake up the chip from deep sleep.
- Read the reset cause register in rstmgr to confirm we are in POR reset phase.
- Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as
a low power wakeup signal for the pwrmgr.
- Program the associated detection timer.
- Program the detection outcome CSR's (com_out_ctl) interrupt bit to 1.
- Program the pwrmgr to put the chip in deep sleep state and wake up on chip wake up
event.
- Issue a WFI to bring the chip in low power state.
- After the chip has entered low power mode, set the SYSRST ctrl inputs at the chip IOs
to the programmed combination for the duration of the detection timer.
- Read the reset cause register to confirm wake up from low power exit phase.
- Read the pwrmgr wake up status register to confirm chip wake up.
- Read the pin input value and the combo_intr_status CSRs to verify the correct
combination on inputs woke up the chip from sleep.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_reset"]
}
{
name: chip_sw_sysrst_ctrl_reset
desc: '''Verify the SYSRST ctrl can reset the chip from normal state.
- Read the reset cause register in rstmgr to confirm we are in POR reset phase.
- Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as
the chip reset signal.
- Program the associated detection timer.
- Program the detection outcome CSR's (com_out_ctl) chip reset bit to 1.
- After some time, set the SYSRST ctrl inputs at the chip IOs to the programmed
combination for the duration of the detection timer.
- The pwrmgr will power cycle the chip once it receives the chip reset input.
- Check that ec_rst_l and flash_wp_l (on pads IOR8 and IOR9) are asserted right after
the pwrmgr has power cycled the system.
- Read the reset cause register after boot up to confirm peripheral reset phase.
- Read the pwrmgr reset status register to confirm chip reset.
- Read the com_sel_ctl_* CSR in SYSRST ctrl we programmed earlier - it should have been
reset.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_reset"]
}
{
name: chip_sw_sysrst_ctrl_sleep_reset
desc: '''Verify the SYSRST ctrl can reset the chip from deep sleep.
- Read the reset cause register in rstmgr to confirm we are in POR reset phase.
- Program one of the com_sel_ctl_* CSRs to choose a set of inputs to be detected as
the chip reset signal.
- Program the associated detection timer.
- Program the detection outcome CSR's (com_out_ctl) chip reset bit to 1.
- Program the pwrmgr to put the chip in deep sleep state and allow it to be reset by the
chip reset bit.
- Issue a WFI to bring the chip in low power state.
- After the chip has entered low power mode, set the SYSRST ctrl inputs at the chip IOs
to the programmed combination for the duration of the detection timer.
- The pwrmgr will power cycle the chip from the deep sleep state once it receives the
chip reset input.
- Read the reset cause register after boot up to confirm peripheral reset phase.
- Read the pwrmgr reset status register to confirm chip reset.
- Read the com_sel_ctl_* CSR in SYSRST ctrl we programmed earlier - it should have been
reset.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_reset"]
}
{
name: chip_sw_sysrst_ctrl_ec_rst_l
desc: '''Verify that the ec_rst_l stays asserted on power-on-reset until SW can control it.
- Verify that ec_rst_l stays asserted as the chip is brought out of reset.
- Verify that the pin continues to remain low until SW is alive.
- Have the SW write to pin_allowed|out_ctrl CSRs to control the ec_rst_l value and
verify the value at the chip output.
- Optionally, also verify ec_rst_l pulse stretching by setting the ec_rst_ctl register
with a suitable pulse width.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_ec_rst_l"]
}
{
name: chip_sw_sysrst_ctrl_flash_wp_l
desc: '''Verify that the flash_wp_l stays asserted on power-on-reset until SW can control it.
- Exactly the same as chip_sysrst_ctrl_ec_rst_l, but covers the flash_wp_l pin.
'''
stage: V2
tests: ["chip_sw_sysrst_ctrl_ec_rst_l"]
}
{
name: chip_sw_sysrst_ctrl_ulp_z3_wakeup
desc: '''Verify the z3_wakeup signaling.
- Start off with ac_present = 0, lid_open = 0 and pwrb = 0 at the chip inputs.
- Program the ulp_ac|lid|pwrb_debounce_ctl registers to debounce these inputs for an
appropriate time.
- Enable the ULP wakeup feature by writing to the ulp_ctl register.
- Read the ulp_wakeup register and verify that no wakeup event is detected, after some
amount of delay.
- Glitch the lid_open input at the chip IOs before stabilizing on value 1.
- Read the ulp_wakeup register to verify that the wakeup event is detected this time.
- Verify that the z3_wakeup output at the chip IOs is reflecting the value of 1.
'''
stage: V2
tests: [
"chip_sw_adc_ctrl_sleep_debug_cable_wakeup",
"chip_sw_sysrst_ctrl_ulp_z3_wakeup"
]
}
// ADC_CTRL (pre-verified IP) integration tests:
{
name: chip_sw_adc_ctrl_debug_cable_irq
desc: '''Verify that the ADC correctly detects the voltage level programmed for each channel.
- Program both ADC channels to detect mutually exclusive range of voltages. Setting only
one filter CSR is sufficient.
- Program the ADC intr ctrl CSR to detect the selected filter on both channels.
Enable the debug cable interrupt at ADC ctrl as well as PLIC.
- Enable the ADC ctrl to run with defaults in normal mode (depending on simulation
runtime).
- Verify through assertion checks, the ADC with AST stays powered down periodically in
slow scan mode.
- After some time, force the ADC output of AST to be a value within the programmed range
for each channel. Glitch it out of range for some time before stabilizing to ensure
that debouce logic works.
- Service the debug cable irq. Read the intr status register to verify that the selected
filter caused the interrupt to fire. Read the ADC channel value register to verify the
correctness of the detected value that was forced in the AST for each channel.
'''
stage: V2
tests: ["chip_sw_adc_ctrl_sleep_debug_cable_wakeup"]
}
{
name: chip_sw_adc_ctrl_sleep_debug_cable_wakeup
desc: '''Verify that in deep sleep, ADC ctrl can signal the ADC within the AST to power down.
- Read the reset cause register in rstmgr to confirm we are in POR reset phase.
- Follow the same steps as chip_adc_ctrl_debug_cable_irq, but instead of programming the
selected filter to interrupt, program it to wake up the chip from sleep.
- Program the pwrmgr to put the chip in deep sleep state and wake up on debug cable
detection.
- Issue a WFI to bring the chip in low power state.
- After some time, force the ADC output of AST to be a value within the programmed
filter range. That should cause the pwrmgr to wake up.
- Read the reset cause register to confirm wake up from low power exit phase.
- Read the pwrmgr wake up status register to confirm wake up was due to debug cable
detection.
- Read the ADC channel value register to verify the correctness of the detected value
that was forced in the AST.
- Repeat for both ADC channels.
'''
stage: V2
tests: ["chip_sw_adc_ctrl_sleep_debug_cable_wakeup"]
}
///////////////////////////////////////////////////////
// Security Peripherals //
// AES, HMAC, KMAC, CSRNG, ENTROPY_SRC, KEYMGR, OTBN //
///////////////////////////////////////////////////////
// AES (pre-verified IP) integration tests:
{
name: chip_sw_aes_enc
desc: '''Verify the AES operation.
Write a 32-byte key and a 16-byte plain text to the AES registers and trigger the AES
computation to start. Wait for the AES operation to complete by polling the status
register. Check the digest registers for correctness against the expected digest value.
'''
stage: V2
tests: ["chip_sw_aes_enc",
"chip_sw_aes_enc_jitter_en"]
}
{
name: chip_sw_aes_entropy
desc: '''Verify the AES entropy input used by the internal PRNGs.
- Write the initial key share, IV and data in CSRs (known combinations).
- Configure the entropy_src to generate entropy in LFSR mode.
- Write the PRNG_RESEED bit to reseed the internal state of the PRNG.
- Poll the status idle bit to ensure reseed operation is complete.
- Trigger the AES operation to run and wait for it to complete.
- Check the digest against the expected value.
- Write the KEY_IV_DATA_IN_CLEAR and DATA_OUT_CLEAR trigger bits to 1 and wait for it to
complete by polling the status idle bit.
- Read back the data out CSRs - they should all read garbage values.
- Assertion check verifies that the IV are also garbage, i.e. different from the
originally written values.
'''
stage: V2
tests: ["chip_sw_aes_entropy"]
}
{
name: chip_sw_aes_idle
desc: '''Verify AES idle signaling to clkmgr.
- Write the AES clk hint to 0 within clkmgr to indicate AES clk can be gated and
verify that the AES clk hint status within clkmgr reads 0 (AES is disabled).
- Write the AES clk hint to 1 within clkmgr to indicate AES clk can be enabled.
- Initiate an AES operation with a known key, plain text and digest, write AES clk
hint to 0 and verify that the AES clk hint status within clkmgr now reads 1 (AES
is enabled), before the AES operation is complete.
- After the AES operation is complete verify that the AES clk hint status within
clkmgr now reads 0 again (AES is disabled).
- Write the AES clk hint to 1, read and check the AES output for correctness.
'''
stage: V2
tests: ["chip_sw_aes_idle"]
}
{
name: chip_sw_aes_sideload
desc: '''Verify the AES sideload mechanism.
- Configure the keymgr to generate an aes key.
- Configure the AES to use the sideloaded key.
- Load the plaintext into the AES.
- Trigger the AES encryption and wait for it to complete.
- Verify that the ciphertext is different from the plaintext.
- Load the ciphertext into the AES.
- Trigger the AES decryption and wait for it to complete.
- Verify that the output is equal to the plain text.
- Clear the key in the keymgr and decrypt the ciphertext again.
- Verify that output is not equal to the plain text.
'''
stage: V2
tests: ["chip_sw_keymgr_sideload_aes"]
}
{
name: chip_sw_aes_masking_off
desc: '''Verify the AES masking off feature for ES.
- Perform known-answer test using CSRNG SW application interface.
- Verify CSRNG produces the deterministic seed leading to an all-zero output of the AES
masking PRNG.
- Configure EDN to perform a CSRNG instantiate followed by repeated generate and reseed
commands using the maximum amount of additional data and no entropy input in automatic
mode.
- Let CSRNG produce and forward to EDN the deterministic seed leading to an all-zero
output of the AES masking PRNG.
- Initialize AES and set the force_masks configuration bit.
- Configure an AES key of which the second share is zero.
- Trigger a reseed operation of the masking PRNG inside AES to load the deterministic
seed produced by CSRNG and distributed by EDN.
- Verify that the masking PRNG outputs an all-zero vector.
- Encrypt a message of multiple blocks using AES.
- Verify that the second share of the initial, intermediate and output state is zero.
- Verify that the second share of the SubBytes input and output is zero.
- Verify that the produced cipher text is correct.
'''
stage: V2S
tests: ["chip_sw_aes_masking_off"]
}
// HMAC (pre-verified IP) integration tests:
{
name: chip_sw_hmac_enc
desc: '''Verify HMAC operation.
SW test verifies an HMAC operation with a known key, plain text and digest (pick one of
the NIST vectors). SW test verifies the digest against the pre-computed value. Verify
the HMAC done and FIFO empty interrupts as a part of this test.
'''
stage: V2
tests: ["chip_sw_hmac_enc",
"chip_sw_hmac_enc_jitter_en"]
}
{
name: chip_sw_hmac_idle
desc: '''Verify the HMAC clk idle signal to clkmgr.
- Write the HMAC clk hint to 0 within clkmgr to indicate HMAC clk can be gated and
verify that the HMAC clk hint status within clkmgr reads 0 (HMAC is disabled).
- Write the HMAC clk hint to 1 within clkmgr to indicate HMAC clk can be enabled.
Verify that the HMAC clk hint status within clkmgr reads 1 (HMAC is enabled).
- Initiate an HMAC operation with a known key, plain text and digest.
Write HMAC clock hint to 0 and verify the HMAC clk hint status within clkmgr reads 1
(HMAC is enabled), before the HMAC operation is complete.
- After the HMAC operation is complete, verify the digest for correctness. Verify that
the HMAC clk hint status within clkmgr now reads 0 again (HMAC is disabled).
- This process is repeated for two hmac operations needed to verify the resulting hmac
digest.
'''
stage: V2
tests: ["chip_sw_hmac_enc_idle"]
}
// KMAC pre-verified IP) integration tests:
{
name: chip_sw_kmac_enc
desc: '''Verify the SHA3 operation.
SW test verifies SHA3 operation with a known key, plain text and digest (pick one of
the NIST vectors). SW validates the reception of kmac done and fifo empty interrupts.
'''
stage: V2
tests: ["chip_sw_kmac_mode_cshake", "chip_sw_kmac_mode_kmac",
"chip_sw_kmac_mode_kmac_jitter_en"]
}
{
name: chip_sw_kmac_app_keymgr
desc: '''Verify the keymgr interface to KMAC.
- Configure the keymgr to start sending known message data to the KMAC.
- Keymgr should transmit a sideloaded key to the KMAC as well.
- KMAC should finish hashing successfully (not visible to SW) and return digest to
keymgr.
- This digest is compared against the known digest value for correctness.
- Verify that the keymgr has received valid output from the KMAC.
X-ref'ed with keymgr test.
'''
stage: V2
tests: ["chip_sw_keymgr_key_derivation"]
}
{
name: chip_sw_kmac_app_lc
desc: '''Verify the LC interface to KMAC.
- Configure the LC_CTRL to start a token hash using KMAC interface.
- KMAC should finish hashing successfully (not visible to SW) and return digest to
LC_CTRL.
X-ref'ed with LC_CTRL test/env.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_kmac_app_rom
desc: '''Verify the ROM interface to KMAC.
- Backdoor initialize ROM memory immediately out of reset.
- ROM will send message to the KMAC containing its memory contents,
- KMAC will hash and return the digest to the ROM.
- ROM will compare received digest against its first 8 logical memory lines for
correctness.
X-ref'ed with ROM_CTRL test/env.
'''
stage: V2
tests: ["chip_sw_kmac_app_rom"]
}
{
name: chip_sw_kmac_entropy
desc: '''Verify the EDN interface to KMAC.
Requires `EnMasking` parameter to be enabled.
SW randomly configures the KMAC in any hashing mode/strength, and enable EDN mode.
Randomly enable/disable the `entropy_refresh`.
Randomly configure `wait_timer` values (zero for disable, non-zero for timer expire).
- Program `wait_timer` to a small value.
Check if EDN timeout error occurs after issuing the hashing op.
- Adjust `wait_timer` greater than expected EDN latency (with correct `prescaler`
too). Then check if Digest is correct.
KMAC should send EDN request after `entropy_ready` is set.
KMAC also should send out another request to EDN when either:
- kmac hash counter hits the configured threshold (assuming it is non-zero)
- Hash count exceeds the threshold.
SW verifies that KMAC produces the correct digest value.
TODO: This is pending security review discussion. It is unclear if this feature will be
implemented.
X-ref'ed with EDN test/env.
'''
stage: V2
tests: ["chip_sw_kmac_entropy"]
}
{
name: chip_sw_kmac_idle
desc: '''Verify the KMAC idle signaling to clkmgr.
- Write the KMAC clk hint to 0 within clkmgr to indicate KMAC clk can be gated and
verify that the KMAC clk hint status within clkmgr reads 0 (KMAC is disabled).
- Write the KMAC clk hint to 1 within clkmgr to indicate KMAC clk can be enabled.
Verify that the KMAC clk hint status within clkmgr reads 1 (KMAC is enabled).
- Initiate a KMAC operation with a known key, plain text and digest.
Write KMAC clock hint to 0 and verify the KMAC clk hint status within clkmgr reads 1
(KMAC is enabled), before the KMAC operation is complete.
- After the KMAC operation is complete, verify the digest for correctness. Verify that
the KMAC clk hint status within clkmgr now reads 0 again (KMAC is disabled).
'''
stage: V2
tests: ["chip_sw_kmac_idle"]
}
// ENTROPY_SRC (pre-verified IP) integration tests:
{
name: chip_sw_entropy_src_ast_rng_req
//TODO(#13460): A dv enginner should add an assertion to check the connectivity for this test.
desc: '''Verify the RNG req to ast.
- Program the entropy src in normal RNG mode.
- Route the entropy data received from RNG to the FIFO.
- Verify that the FIFO depth is non-zero via SW - indicating the reception of data over
the AST RNG interface.
- Verify the correctness of the received data with assertion based connectivity checks.
'''
stage: V2
tests: ["chip_sw_entropy_src_ast_rng_req"]
}
{
name: chip_sw_entropy_src_csrng
desc: '''Verify the transfer of entropy bits to CSRNG.
Verify the entropy valid interrupt.
At the CSRNG, validate the reception of entropy req interrupt.
- Disable edn0, edn1, csrng and entropy_src, as these are enabled by the test ROM.
- Enable entropy_src in fips mode routing data to csrng.
- Enable csrng and enable the entropy request interrupt.
- Issue csrng instantiate and reseed commands. Check that for each csrng command,
there is a corresponding entropy request interrupt.
- Generate output and ensure the data output is valid, and that csrng is not reporting
any errors.
- Issue instantiate and reseed commands from edn0 and edn1. Check that for each
command, there is a corresponding entropy request interrupt.
'''
stage: V2
tests: ["chip_sw_entropy_src_csrng"]
}
{
name: chip_sw_entropy_src_cs_aes_halt
desc: '''Verify the `entropy_src`'s aes halt handshake with CSRNG.
- Through one of the application interfaces of CSRNG, issue a reseed command. This can
be done via a hardware peripheral requesting entropy via EDN.
- Through the SW application interface, issue a generate command.
- While the CSRNG is performing the generate operation, issue another reseed command
via the first application interface. Verify via backdoor probes, the SHA3 in the
entropy_src module is triggered at the same time the AES engine in CSRNG is
performing an operation.
- The second reseed command should trigger the entropy_src to request that the CSRNG
halts the AES engine until entropy is available. Verify via assertion checks, the halt
request successfully completed. Also verify that the AES engine is indeed paused
during this time.
Note: There may be existing tests that already create this scenario. It should be
sufficient to augment those tests with the backdoor / assertion checks.
'''
stage: V3
tests: []
}
{
name: chip_sw_entropy_src_fuse_en_fw_read
desc: '''Verify the fuse input entropy_src.
- Initialize the OTP with the fuse that controls whether the SW can read the entropy src
enabled.
- Read the OTP and verify that the fuse is enabled.
- Read the entropy_data_fifo via SW and verify that it reads valid values.
- Reset the chip, but this time, initialize the OTP with with the fuse disabled.
- Read the OTP and verify that fuse is disabled.
- Read the internal state via SW and verify that the entropy valid bit is zero.
'''
stage: V2
tests: ["chip_sw_entropy_src_fuse_en_fw_read_test"]
}
{
name: chip_sw_entropy_src_known_answer_tests
desc: '''Verify our ability to run known-answer tests in SW.
- Configure the device in firmware-bypass mode.
- Feed NIST test-defined entropy sequences into the conditioner
- Read the entropy_data_fifo via SW; verify that it reads the expected values.
'''
stage: V2
tests: ["chip_sw_entropy_src_kat_test"]
}
// CSRNG (pre-verified IP) integration tests:
{
name: chip_sw_csrng_edn_cmd
desc: '''Verify incoming command interface from EDN.
- Have each EDN instance issue an instantiate, reseed and generate command to CSRNG.
- On each command done, verify the reception of edn cmd req done interrupt.
- Run OTBN randomness test to test the output from EDN0 and EDN1.
- Check the data returned to EDN via connectivity assertion checks.
'''
stage: V2
tests: ["chip_sw_entropy_src_csrng"]
}
{
name: chip_sw_csrng_fuse_en_sw_app_read
desc: '''Verify the fuse input to CSRNG.
- Initialize the OTP with the fuse that control whether the SW can read the CSRNG state
enabled.
- Issue an instantiate command to request entropy.
- Verify that SW can read the internal state values.
- Reset the chip and repeat the steps above, but this time, initialized the OTP with
fuse disabled.
- Verify that the SW reads back all zeros when reading the internal state values.
'''
stage: V2
tests: ["chip_sw_csrng_fuse_en_sw_app_read_test"]
}
{
name: chip_sw_csrng_lc_hw_debug_en
desc: '''Verify the effect of LC HW debug enable on CSRNG.
lc_hw_debug_en is used to diversify the csrng seed.
- Configure entropy_src into bypassing the conditioner and directly inject known
entropy.
- Instantiate CSRNG with the known entropy while in TEST state (hw_debug_en = 1).
- Retrieve entropy from csrng and save it in flash and reset the system.
- Run the process again and ensure the exact same result can be reproduced (similar to
KAT).
- Advance the device to PROD or DEV state.
- Again configure entropy_src to bypass the conditioner and use direct injection.
- Instantiate CSRNG with the same fixed seed and fetch entropy again while in the NEW
state.
- The newly fetched entropy and the old entropy stored in flash should not match.
'''
stage: V2
tests: ["chip_sw_csrng_lc_hw_debug_en_test"]
}
{
name: chip_sw_csrng_known_answer_tests
desc: '''Verify our ability to run known-answer tests in SW.
- Configure the software instance with the expected seed (as per
the NIST-specified test for CTR_DRBG operation). Compare the
DRBG internal K and V state against the test vector expected
values.
- Perform generate operations as required by the test vector.
- Compare the results to test expectations.
'''
stage: V2
tests: ["chip_sw_csrng_kat_test"]
}
{
name: chip_sw_csrng_edn_error
desc: '''Verify the outcome of an error response generated by CSRNG when processing an EDN
request.
- Inject a fault in CSRNG while it is processing a request from EDN so that it returns
an error response to EDN.
- TODO(#16516): How does EDN respond to the error?
'''
stage: V3
tests: []
}
// EDN (pre-verified IP) integration tests:
{
name: chip_sw_edn_entropy_reqs
desc: '''Verify the entropy requests from all peripherals.
Verify that there are no misconnects between each peripheral requesting entropy.
TODO: system level scenario: have all entropy sources request entropy in the same test
one after to show boot to post boot load, cycling all entropy blocks off and on again.
Ensure there are no deadlocks and everything works as expected.
X'ref'ed with each IP test that requsts entropy from EDN.
'''
stage: V2
tests: ["chip_sw_edn_entropy_reqs",
"chip_sw_csrng_edn_concurrency"]
}
// KEYMGR (pre-verified IP) integration tests:
{
name: chip_sw_keymgr_key_derivation
desc: '''Verify the keymgr advances to all states and generate identity / SW output.
- In the SW test, write fixed value to OTP for root_key and write creator and owner
seeds in flash. And then roboot the chip.
- In the SV sequence, backdoor read Device ID and ROM digest through CSRs.
- For HardwareRevisionSecret, use the constant values in design.
- Configure the keymgr and advance to `CreatorRootKey` and `OwnerIntermediateKey`.
- Check keymgr internal keys after advance operations.
- Generate identity / SW output for the Sealing CDI.
- No need to test the Attestation CDI in chip-level as the only difference is to
use another set of CSR values, and the rest of inputs are the same as the Sealing
CDI.
- KMAC should finish hashing successfully (not visible to SW) and return digest to
keymgr.
- Read keymgr CSRs `SW_SHARE*` and verify the return values.
- Advance to `Disabled` and verify keymgr enters the state successfully.
- For each operation, wait for the interrupt `op_done` to be triggered and check CSR
`op_status` is `DONE_SUCCESS`.
- Note: there are 3 ways of calculating the expected digest for comparison. Any of them
is acceptable.
- Use SW to calculate that, and it will also exercise the Ibex.
- SW sends all the keys through CSRs to KMAC to generate the degist data.
- DV calls C functions to generate and backdoor load to a specific memory location
for SW. (Adpot this approach.)
X-ref'ed with kmac test.
'''
stage: V2
tests: ["chip_sw_keymgr_key_derivation", "chip_sw_keymgr_key_derivation_jitter_en"]
}
{
name: chip_sw_keymgr_sideload_kmac
desc: '''Verify the keymgr sideload interface to KMAC.
- Configure the keymgr and advance to the `OwnerIntKey` state.
- Request keymgr to generate hw key for KMAC sideload key slot.
- Request KMAC operation with sideload key configuration.
- Verify the digest for correctness (should match the DV-side result).
- Clear keymer's KMAC sideload key slot.
- Request KMAC operation with sideload key configuration.
- Verify the digest value has changed.
- Request keymgr to derive the same key for the KMAC sideload key slot.
- Request KMAC operation with sideload key configuration.
- Verify the digest for correctness (should match the DV-side result again).
X-ref'ed with chip_kmac_app_keymgr test.
'''
stage: V2
tests: ["chip_sw_keymgr_sideload_kmac"]
}
{
name: chip_sw_keymgr_sideload_aes
desc: '''Verify the keymgr sideload interface to AES.
Same as `chip_keymgr_sideload_kmac`, except, sideload to AES.
'''
stage: V2
tests: ["chip_sw_keymgr_sideload_aes"]
}
{
name: chip_sw_keymgr_sideload_otbn
desc: '''Verify the keymgr sideload interface to OTBN.
Load OTBN binary image, the rest is similar to `chip_keymgr_sideload_kmac`, except
sideloading to otbn.
Clear the sideload key once done.
'''
stage: V2
tests: ["chip_sw_keymgr_sideload_otbn"]
}
{
name: chip_sw_keymgr_sideload_kmac_error
desc: '''
Verify the effect of KMAC returning an error during a keymgr operation.
- Configure keymgr to enter any of the 3 working states.
- Issue a keymgr operation.
- While the KMAC is actively computing the digest, glitch the KMAC app sparse FSM to
trigger a fault.
- Verify that KMAC returns an error signal to the keymgr via checking keymgr CSRs, when
the operation is done:
- Check `op_status` is set to `DONE_ERROR`.
- Check `fault_status.kmac_done` is set to 1.
'''
stage: V3
tests: []
}
// OTBN (pre-verified IP) integration tests:
{
name: chip_sw_otbn_op
desc: '''Verify an OTBN operation.
- SW test directs the OTBN engine to perform an ECDSA operation.
- SW validates the reception of the otbn done interrupt once the operation is complete.
- SW verifies the correctness of the result with the expected value which is
pre-computed using a reference model.
'''
stage: V2
tests: ["chip_sw_otbn_ecdsa_op_irq",
"chip_sw_otbn_ecdsa_op_irq_jitter_en"]
}
{
name: chip_sw_otbn_rnd_entropy
desc: '''Verify OTBN can fetch RND numbers from the entropy src.
- SW initializes the entropy subsystem to generate randomness.
- SW loads an OTBN app that executes instructions to read the RND bits.
- The OTBN app ensures that the values when read consequtively do not match, and its not
all 0s or all 1s, as a basic measure to ensure that the entropy subsystem is returning
some data.
'''
stage: V2
tests: ["chip_sw_otbn_randomness"]
}
{
name: chip_sw_otbn_urnd_entropy
desc: '''Verify OTBN can fetch URND numbers from the entropy src.
- Similar to chip_otbn_rnd_entropy, but verifies the URND bits.
'''
stage: V2
tests: ["chip_sw_otbn_randomness"]
}
{
name: chip_sw_otbn_idle
desc: '''Verify the OTBN idle signal to clkmgr.
- Write the OTBN clk hint to 0 within clkmgr to indicate OTBN clk can be gated
and verify that the OTBN clk hint status within clkmgr reads 0 (OTBN is disabled).
- Write the OTBN clk hint to 1 within clkmgr to indicate OTBN clk can be enabled.
Verify that the OTBN clk hint status within clkmgr reads 1 (OTBN is enabled).
- Start an OTBN operation, write the OTBN clk hint to 0 within clkmgr and verify that
the OTBN clk hint status within clkmgr reads 1 (OTBN is enabled) before the
OTBN operation is complete.
- After the OTBN operation is complete, verify that the OTBN clk hint status within
clkmgr now reads 0 again (OTBN is disabled).
- Write the OTBN clk hint to 1, read and check the OTBN output for correctness.
'''
stage: V2
tests: ["chip_sw_otbn_randomness"]
}
{
name: chip_sw_otbn_mem_scramble
desc: '''Verify the OTBN can receive keys from the OTP to scramble the OTBN imem and dmem.
- Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already
done by the test_rom startup code).
- Extract random address offsets from RV_CORE_IBEX_RND_DATA.
- Wait for OTBN to be idle.
- Write random address offsets in OTBN imem and dmem.
- Read back the written address offsets and compare against expected values. All values
must match, no integrity errors must be triggered.
- Have OTBN fetch new keys and nonces from the OTP_CTRL.
- Wait for OTBN to be idle.
- Read back the written address offsets. Most reads should trigger integrity errors. It
is possible that after re-scrambling the integrity bits are still valid. But this is
expected to happen rarely. If the number of observed integrity errors is below a
chosen threshold, the test fails.
- Verify the validity of EDN's output to OTP_CTRL via assertions
(unique, non-zero data).
'''
stage: V2
tests: ["chip_sw_otbn_mem_scramble"]
}
/////////////////////////////////////////////////////
// Memory & Controllers //
// ROM_CTRL, RAM, FLASH, FLASH_CTRL, OTP, OTP_CTRL //
/////////////////////////////////////////////////////
// ROM_CTRL (pre-verified IP) integration tests:
{
name: chip_sw_rom_access
desc: '''Verify that the CPU can access the rom contents.
- Verify that the CPU can fetch instructions from the ROM.
'''
stage: V2
tests: ["chip_sw_rom_ctrl_integrity_check"]
}
{
name: chip_sw_rom_ctrl_integrity_check
desc: '''Verify that the ROM ctrl performs the integrity check of the ROM on power up.
- In non-PROD LC state, the computed digest does not have to match the top 8 words in
the ROM. Verify that we can successfully power up the chip in this case.
- In PROD LC state, verify that the pwrmgr does not fully power up if the computed
digest does not match the top 8 words of the ROM.
'''
stage: V2
tests: ["chip_sw_rom_ctrl_integrity_check"]
}
{
name: chip_sw_rom_ctrl_kmac_error
desc: '''
Verify the effect of KMAC reporting an error during ROM digest computation.
- Backdoor load a valid test ROM image and bring the DUT out of reset.
- During the ROM checker pwrmgr FSM state, while the ROM controller is actively sending
data to KMAC for the digest computation, glitch the KMAC app sparse FSM to trigger a
fault.
- Verify that KMAC returns an error signal to the ROM controller.
- Verify that the ROM controller itself transitions to invalid state and the chip is
effectively dead.
'''
stage: V3
tests: []
}
// SRAM (pre-verified IP) integration tests:
{
name: chip_sw_sram_scrambled_access
desc: '''Verify scrambled memory accesses to both main and retention SRAMs.
- Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already
done by the test_rom startup code).
- Trigger both SRAMs to fetch a new key and nonce from the OTP_CTRL
- Drive the CPU to perform random accesses to both RAMs and verify these operations
complete successfully by using the backdoor interface
- Fetch a new key from the OTP_CTRL and ensure that the previous contents cannot be
read anymore.
- Verify the validity of EDN's output to OTP_CTRL via assertions
(unique, non-zero data).
'''
stage: V2
tests: ["chip_sw_sram_ctrl_scrambled_access",
"chip_sw_sram_ctrl_scrambled_access_jitter_en"]
}
{
name: chip_sw_sleep_sram_ret_contents
desc: '''Verify that the data within the retention SRAM survives low power entry-exit and reset.
Ensure that the data within the retention SRAM survives as described in this table.
| Mode | Scrambled | Data Preserved |
|:----------------------------:|:---------:|:--------------:|
| Normal sleep | No | Yes |
| Deep sleep | No | Yes |
| Reset due to a reset request | No | Yes |
| Normal sleep | Yes | Yes |
| Deep sleep | Yes | Yes |
| Reset due to a reset request | Yes | No |
'''
stage: V2
tests: ["chip_sw_sleep_sram_ret_contents"]
}
{
name: chip_sw_sram_execution
desc: '''Verify that CPU can fetch instructions from SRAM if enabled.
- Create the following combinations of 8 scenarios:
- The fetch enable bit in the HW_CFG partition of OTP controller set and not set.
- A life cycle state that enables (TEST_UNLOCKED, DEV or RMA) and disables (PROD)
hardware debug.
- The execution CSR programmed to be enabled and disabled.
- For both, main and the retention SRAM in each of these 8 scenarios:
- Load instruction data into the SRAMs.
- If the instruction execution is enabled, verify that the CPU can fetch and execute
the instruction from the SRAM correctly.
- If the instruction execution is not enabled, verify that the SRAM throws an error
response via an exception handler.
The following table indicates in which of these scenarios should the instruction
execution be enabled, for both, main and the retention SRAM instances.
| OTP HW_CFG[IFETCH] | HW_DEBUG_EN via LC state | EXEC CSR | MAIN SRAM | RET SRAM |
|:------------------:|:------------------------:|:--------:|:---------:|:--------:|
| 0 | 0 | 0 | disabled | disabled |
| 0 | 0 | 1 | disabled | disabled |
| 0 | 1 | 0 | enabled | disabled |
| 0 | 1 | 1 | enabled | disabled |
| 1 | 0 | 0 | disabled | disabled |
| 1 | 0 | 1 | enabled | disabled |
| 1 | 1 | 0 | disabled | disabled |
| 1 | 1 | 1 | enabled | disabled |
For the retention SRAM, instruction fetch is completely disabled via design parameter.
'''
stage: V2
tests: ["chip_sw_sram_ctrl_execution_main"]
}
{
name: chip_sw_sram_lc_escalation
desc: '''Verify the LC escalation path to the SRAMs.
- Configure the LC_CTRL to trigger an escalation request to the SRAMs.
- Verify that the SRAMs stop accepting and responding to new memory requests.
- Reset the system to exit the terminal escalation state.
- Re-initialize the SRAMs and verify that they can now respond correctly to
any further memory requests.
X-ref with chip_sw_all_escalation_resets and chip_sw_data_integrity.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets",
"chip_sw_data_integrity_escalation"]
}
// OTP (pre-verified IP) integration tests:
{
name: chip_otp_ctrl_init
desc: '''Verify the OTP ctrl initialization on chip power up.
Verify that the chip powers up correctly on POR.
- The pwrmgr initiates a handshake with OTP ctrl and later, with LC ctrl in subsequent
FSM states. Ensure that the whole power up sequence does not hang.
- Verify with connectivity assertion checks, the handshake signals are connected.
- Ensure that no interrupts or alerts are triggered.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_otp_ctrl_keys
desc: '''Verify the proliferation of keys to security peripherals.
- Verify the correctness of keys provided to SRAM ctrl (main & ret), flash ctrl, keymgr,
(note that keymgr does not have handshake), OTBN and the CPU instruction cache.
- Ensure that the test requests a new key and verifies the previously written
data to an address now returns a garbage value.
X-ref'ed with the following IP tests that consume these signals:
- chip_sw_sram_scrambled_access
- chip_sw_flash_scramble
- chip_sw_keymgr_key_derivation
- chip_sw_otbn_mem_scramble
'''
stage: V2
tests: [// Verifies both, main and retention SRAM scrambling.
"chip_sw_sram_ctrl_scrambled_access",
"chip_sw_flash_init",
"chip_sw_keymgr_key_derivation",
"chip_sw_otbn_mem_scramble",
"chip_sw_rv_core_ibex_icache_invalidate"]
}
{
name: chip_sw_otp_ctrl_entropy
desc: '''Verify the entropy interface from OTP ctrl to EDN.
This is X-ref'ed with the chip_otp_ctrl_keys test, which needs to handshake with the EDN
to receive some entropy bits before the keys for SRAM ctrl and OTBN are computed.
'''
stage: V2
tests: ["chip_sw_sram_ctrl_scrambled_access",
"chip_sw_flash_init",
"chip_sw_keymgr_key_derivation",
"chip_sw_otbn_mem_scramble",
"chip_sw_rv_core_ibex_icache_invalidate"]
}
{
name: chip_sw_otp_ctrl_program
desc: '''Verify the program request from lc_ctrl.
- Verify that upon an LC state transition request, LC ctrl signals the OTP ctrl with a
program request.
- Verify that the OTP ctrl generates the LC data output correctly and is sent to the LC
ctrl before it is reset.
- Verify that the `lc_check_byp_en_i` from LC ctrl is set.
- Ensure that the whole operation does not raise any interrupts or alerts or errors.
- After reset, verify that the LC state transition completed successfully by reading the
LC state and LC count CSRs.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_transition"]
}
{
name: chip_sw_otp_ctrl_program_error
desc: '''Verify the otp program error.
- Initiate an illegal program request from LC ctrl to OTP ctrl by forcing the
`lc_otp_program_i`.
- Verify that the LC ctrl triggers an alert when the OTP ctrl responds back with a
program error.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_program_error"]
}
{
name: chip_sw_otp_ctrl_hw_cfg
desc: '''Verify the correctness of otp_hw_cfg bus in all peripherals that receive it.
Preload the OTP ctrl's `hw_cfg` partition with random data and verify that all
consumers of the hardware configuration bits are receiving the correct values.
Xref'ed with corresponding IP tests that receive these bits.
'''
stage: V2
tests: ["chip_sw_lc_ctrl_otp_hw_cfg"]
}
{
name: chip_sw_otp_ctrl_lc_signals
desc: '''Verify the broadcast signals from LC ctrl.
- `lc_creator_seed_sw_rw_en_i`: verify that the SECRET2 partition is locked.
- `lc_seed_hw_rd_en_i`: verify that the keymgr outputs a default value when enabled.
- `lc_dft_en_i`: verify that the test interface within OTP ctrl is accessible.
- `lc_check_byp_en_i`: verify that the background check during LC ctrl state
programming passes when enabled.
Note that `lc_escalate_en_i` is verified via a connectivity test.
The `lc_seed_hw_rd_en_i` signal can be tested by attempting a keymgr advance operation
into the CreatorRootKey state, which should fail since the root key will be tied off to
all-zero when the SECRET2 partition is not locked in OTP.
X-ref'ed with chip_sw_lc_ctrl_broadcast test, which verifies the connectivity of the LC
decoded outputs to other IPs.
'''
stage: V2
tests: [
// lc_dft_en_i
"chip_prim_tl_access",
// lc_check_byp_en_i
"chip_sw_lc_ctrl_transition",
// lc_seed_hw_rd_en_i, lc_creator_seed_sw_rw_en_i, also checks lc_keymgr_en_i since it uses
// the keymgr.
"chip_sw_otp_ctrl_lc_signals_test_unlocked0",
"chip_sw_otp_ctrl_lc_signals_dev",
"chip_sw_otp_ctrl_lc_signals_prod",
"chip_sw_otp_ctrl_lc_signals_rma",
]
}
{
name: chip_sw_otp_prim_tl_access
desc: '''Verify that the SW can read / write the prim tlul interface.
- The prim tlul interface is a open source placeholder for the closed source CSRs that
will be implemented in a translation 'shim'.
- Verify that when `lc_dft_en_i` is On, this region can be read / written to by the SW.
When `lc_dft_en_i` is Off, accessing this region will result in a TLUL error.
'''
stage: V2
tests: ["chip_prim_tl_access"]
}
{
name: chip_sw_otp_ctrl_vendor_test_csr_access
desc: '''
Verify the vendor test control access in raw, test_*, dev, prod, and rma LC states.
- Boot the chip successively in raw, test_*, dev, prod and rma LC states.
- Verify that the SW is able to access the vendor test control and status registers in
raw, test_* and rma LC states.
In open source environment, this check is implemented by probing the OTP_CTRL's
`lc_otp_vendor_test_i` port.
- Verify that in dev / prod LC states, the vendor status always reads back 0s regardless
of what is programmed into the vendor test control register.
'''
stage: V3
tests: ["chip_sw_otp_ctrl_vendor_test_csr_access"]
}
{
name: chip_sw_otp_ctrl_escalation
desc: '''Verify escalation from otp_ctrl macro fatal error.
- Inject ECC fatal error into OTP macro's HW cfg partition, and read back this macro
via DAI interface.
- Because this fatal error will immediately turn off CPU, so the DV sequence will probe
the alert interface to make sure alert and escalation is triggered.
X'ref with chip_sw_all_escalation_resets.
'''
stage: V3
tests: ["chip_sw_otp_ctrl_escalation"]
}
// FLASH (pre-verified IP) integration tests:
{
name: chip_sw_flash_init
desc: '''Verify that flash initialization routine works correctly.
- Initialize the flash ctrl by writing 1 to the INIT register.
- Poll the status register for the initialization to complete.
- Verify that during the init process, the flash ctrl requested keys from OTP. Verify
with different sets of key values programmed in OTP.
- Verify the flash ctrl can read seeds when lc_seed_hw_rd_en is set, otherwise all 1s.
- Verify that the flash ctrl sent the creator and owner seeds to keymgr. Verify with
different seed values.
- This test needs to execute as a boot rom image.
'''
stage: V2
tests: ["chip_sw_flash_init"]
}
{
name: chip_sw_flash_host_access
desc: '''Verify that the flash memory contents can be read by the CPU.
Nothing extra to do here - most SW based tests fetch code from flash.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_access",
"chip_sw_flash_ctrl_access_jitter_en"]
}
{
name: chip_sw_flash_ctrl_ops
desc: '''Verify the SW can initiate flash operations via the controller.
Verify that the CPU can read / program and erase the flash mem. Pick an operation on
all data and info partitions. Erase both, bank and page. SW validates the reception of
prog empty, prog level, rd full, rd level and op done interrupts.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_ops", "chip_sw_flash_ctrl_ops_jitter_en"]
}
{
name: chip_sw_flash_rma_unlocked
desc: '''Verify the flash memory contents can be accessed after in RMA unlock.
- Provision an RMA_UNLOCK token in OTP.
- Repeat the following a few times:
- Randomize the otp contents for device id, manufacturing state and RMA_UNLOCK token.
- Reset the chip.
- Ensure chip revision, device id and manufacturing state can be read through the LC JTAG.
- Enable RMA mode, and verify that the SW can access the flash after RMA completion.
- RMA entry should be done through the JTAG interface.
- X-ref'ed with manuf_ft_provision_rma_token_and_personalization from the manufacturing
testplan.
'''
stage: V2
tests: ["chip_sw_flash_rma_unlocked"]
}
{
name: chip_sw_flash_scramble
desc: '''Verify flash scrambling via the controller.
- Extends the chip_flash_init test.
- Verify flash scrambling with different key values programmed in OTP.
- Verify read of scrambled contents via both, controller and direct host read.
- Program a new scramble key in OTP and reboot - this time we need to backdoor load the
flash with new test image that is re-scrambled with the new key.
- Need to understand the bootstrapping requirements.
'''
stage: V2
tests: ["chip_sw_flash_init"]
}
{
name: chip_sw_flash_idle_low_power
desc: '''Verify flash_idle signaling to pwrmgr.
- Initiate flash program or erase over the controller.
- Program the pwrmgr to go into deep sleep.
- Issue a WFI.
- Ensure that the low power entry does not happen due to the ongoing flash operation.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_idle_low_power"]
}
{
name: chip_sw_flash_keymgr_seeds
desc: '''Verify the creator and owner seeds are read on flash init provided lc_hw_seed_rd_en
is set.
X-ref'ed with keymgr test.
'''
stage: V2
tests: ["chip_sw_keymgr_key_derivation"]
}
{
name: chip_sw_flash_lc_creator_seed_sw_rw_en
desc: '''Verify the lc_creator_seed_sw_rw_en signal from LC ctrl.
- Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify
that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW
accessibility of the corresponding partition depending on the signal value.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_lc_rw_en"]
}
{
name: chip_sw_flash_creator_seed_wipe_on_rma
desc: '''Verify that the creator seed is wiped by the flash ctrl on RMA entry.
'''
stage: V2
tests: ["chip_sw_flash_rma_unlocked"]
}
{
name: chip_sw_flash_lc_owner_seed_sw_rw_en
desc: '''Verify the lc_owner_seed_sw_rw_en signal from LC ctrl.
- Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify
that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW
accessibility of the corresponding partition depending on the signal value.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_lc_rw_en"]
}
{
name: chip_sw_flash_lc_iso_part_sw_rd_en
desc: '''Verify the lc_iso_part_sw_rd_en signal from LC ctrl.
- Transition from DEV to PROD to ESCALATION/SCRAP state via OTP and verify
that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW
accessibility of the corresponding partition depending on the signal value.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_lc_rw_en"]
}
{
name: chip_sw_flash_lc_iso_part_sw_wr_en
desc: '''Verify the lc_creator_seed_sw_wr_en signal from LC ctrl.
- Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify
that this LC signal transitions from 0 to 1 and back to 0. Verify that the SW
accessibility of the corresponding partition depending on the signal value.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_lc_rw_en"]
}
{
name: chip_sw_flash_lc_seed_hw_rd_en
desc: '''Verify the lc_seed_hw_rd_en signal from LC ctrl.
- Transition from TEST_LOCKED to DEV/PROD to ESCALATION/SCRAP state via OTP and verify
that this LC signal transitions from 0 to 1 and back to 0. Verify that the flash ctrl
does (or does not) read the creator and owner partitions to fetch the seeds for the
keymgr.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_lc_rw_en"]
}
{
name: chip_sw_flash_lc_escalate_en
desc: '''Verify the lc_escalate_en signal from LC ctrl.
- Trigger an LC escalation signal by generating an alert.
- Verify that all flash accesses are disabled when the escalation kicks in.
- Confirm flash accesses are disabled by erroing if the device executes the ISR.
- Use assertion based connectivity check to prove that this signal is connected to the
flash ctrl.
X-ref with chip_sw_all_escalation_resets.
'''
stage: V2
tests: ["chip_sw_all_escalation_resets"]
}
{
name: chip_sw_flash_prim_tl_access
desc: '''Verify that the SW can read / write the prim tlul interface in flash phy.
- The prim tlul interface is a open source placeholder for the closed source CSRs that
will be implemented in a translation 'shim'.
- Verify that this region can be read / written to by the SW in any LC state.
'''
stage: V2
tests: ["chip_prim_tl_access"]
}
{
name: chip_sw_flash_ctrl_clock_freqs
desc: '''Verify flash program and erase operations over the ctrl over a range of clock freqs.
- Enable jitter on the clock while performing erase, write and read operations
to the flash.
- This sets the test for closed source where the flash access timing matters.
'''
stage: V2
tests: ["chip_sw_flash_ctrl_clock_freqs"]
}
{
name: chip_sw_flash_ctrl_escalation_reset
desc: '''Verify the flash ctrl fatal error does not disturb escalation process
and operation of ibex core.
Trigger an internal fatal fault (host_gnt_err) from flash_ctrl
and let it escalate to reset. Upon alert escalation reset,
the internal status should be clean and should not send out more alerts.
'''
stage: V2
tests: ["chip_sw_flash_crash_alert"]
}
////////////////////////
// Analog Peripherals //
// AST, SENSOR_CTRL //
////////////////////////
// AST (pre-verified IP) integration tests:
{
name: chip_sw_ast_clk_outputs
desc: '''Verify that the AST generates the 4 clocks when requested by the clkmgr.
Verify the clock frequencies are reasonably accurate. Bring the chip to deep sleep,
and verify that upon wakeup reset the clock counters are turned off, measure ctrl
regwen is enabled, and errors are not cleared.
'''
stage: V2
tests: ["chip_sw_ast_clk_outputs"]
}
{
name: chip_sw_ast_clk_rst_inputs
desc: '''Verify the clk and rst inputs to AST (from `clkmgr`).
Create different scenarios that affect the clocks and resets and see that the AST features
(RNG, entropy, alert, ADC) that use those clocks/resets behave correctly.
sequence:
1. Check that AST RNG generates data and fills the entropy source fifo
2. Create AST alerts
3. Activate ADC conversion
4. EDN entropy supply to AST
Enter sleep/deep sleep/ stop IO/USB clocks
Repeat 1-4 to check it is ok.
'''
stage: V2
tests: ["chip_sw_ast_clk_rst_inputs"]
}
{
name: chip_sw_ast_sys_clk_jitter
desc: '''Verify that the AST sys clk jitter control.
X-ref with chip_sw_clkmgr_jitter
'''
stage: V2
tests: ["chip_sw_clkmgr_jitter",
"chip_sw_flash_ctrl_ops_jitter_en",
"chip_sw_flash_ctrl_access_jitter_en",
"chip_sw_otbn_ecdsa_op_irq_jitter_en",
"chip_sw_aes_enc_jitter_en",
"chip_sw_hmac_enc_jitter_en",
"chip_sw_keymgr_key_derivation_jitter_en",
"chip_sw_kmac_mode_kmac_jitter_en",
"chip_sw_sram_ctrl_scrambled_access_jitter_en",
"chip_sw_edn_entropy_reqs_jitter"]
}
{
name: chip_sw_ast_usb_clk_calib
desc: '''Verify the USB clk calibration signaling.
- First place the AST into a mode where usb clock frequency significantly deviates from
the ideal.
- Verify the clock is "off" using the clkmgr measurement mechanism.
- Then, turn on the usb sof calibration machinery and wait a few mS.
- Afterwards, measure the usb clock again using the clkmgr measurement controls, at this
point the clock should be significantly more accurate.
- Note, while the above is ideal, usbdev chip level testing is not yet ready and this
test fakes the usb portion through DV forces.
- Note also the real AST calibration logic is not available, so the sof testing in the
open source is effectively short-circuited.
'''
stage: V2
tests: ["chip_sw_usb_ast_clk_calib"]
}
{
name: chip_sw_ast_alerts
desc: '''Verify the alerts from AST aggregating into the sensor_ctrl.
X-ref'ed with `chip_sensor_ctrl_ast_alerts`.
'''
stage: V2
tests: ["chip_sw_sensor_ctrl_alert"]
}
// SENSOR_CTRL tests:
{
name: chip_sw_sensor_ctrl_ast_alerts
desc: '''Verify the alerts from AST aggregating into the sensor_ctrl.
Check that AST events can be triggered from sensor_ctrl and that
the resulting AST outputs are observed in both sensor_ctrl and
the alert_handler.
For the alert handler case, make sure to test each alert configured
as either recoverable or fatal.
'''
stage: V2
tests: ["chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup",
"chip_sw_sensor_ctrl_alert"]
}
{
name: chip_sw_sensor_ctrl_ast_status
desc: '''Verify the io power ok status from AST.
Check that when the IO POK status changes, an interrupt is triggered
from sensor_ctrl. After triggering, the IO status can be read
from a sensor_ctrl register.
'''
stage: V2
tests: ["chip_sw_sensor_ctrl_status"]
}
{
name: chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup
desc: '''Verify the sensor control is able to wake the device
from sleep mode when an alert event is triggered from
AST. X-ref'ed chip_sw_pwrmgr_sleep_all_wake_ups.
'''
stage: V2
tests: ["chip_sw_pwrmgr_sleep_sensor_ctrl_alert_wakeup"]
}
//////////////////
// CPU //
// RV_CORE_IBEX //
//////////////////
{
name: chip_sw_nmi_irq
desc: '''Verify the NMI interrupt to the CPU and correctness of the cause.
Randomly use these two methods (simultaneously or choose one of them) to trigger the
NMI interrupt:
- Trigger the alert_handler escalation pair that maps to NMI.
- Trigger a watchdog bark.
Check rv_core_ibex's NMI interrupt register and clear the interrupt.
If the NMI interrupt is triggered by alert_handle and the `class_clr_regwen` register
is not locked, check that alert_handler can clear this NMI escalation stage. Then make
sure that the alert_handler won't move forward to the next escalation stage.
'''
stage: V2
tests: ["chip_sw_rv_core_ibex_nmi_irq"]
}
{
name: chip_sw_rv_core_ibex_rnd
desc: '''Verify the functionality of the random number generation CSRs.
- Enable entropy complex so `RND_DATA` can get entropy.
- Perform multiple reads from `RND_DATA` polling `RND_STATUS` in
between to only read valid data. Check different random bits
are provided each time and that the random data is never zero or all ones.
- Ensure `RND_STATUS` indicate invalid data immediately after
`RND_DATA` read.
- Perform repeated reads from `RND_DATA` without `RND_STATUS`
polling to check read when invalid doesn't block.
'''
stage: V2
tests: ["chip_sw_rv_core_ibex_rnd"]
}
{
name: chip_sw_rv_core_ibex_address_translation
desc: '''Verify the simple address translation functionality.
- Setup address translation for both slots on the the I and D
side and check correct translation for I and D accesses.
- Switch address translation to use different regions that
overlap for both slots and check translation again. Ensure some
test accesses match both regions, where the lowest indexed one
takes priority.
- Turn off address translation and confirm regions are no longer
being remapped.
'''
stage: V2
tests: ["chip_sw_rv_core_ibex_address_translation"]
}
{
name: chip_sw_rv_core_ibex_icache_scrambled_access
desc: '''Verify scrambled memory accesses to CPU icache.
- Initialize the entropy_src subsystem to enable OTP_CTRL fetch random data (already
done by the test_rom startup code).
- Execute the `fence` instruction to invalidate the icache.
- Verify using probes, that this resulted in a new scrambling key fetched from the OTP
ctrl.
'''
stage: V2
tests: ["chip_sw_rv_core_ibex_icache_invalidate"]
}
{
name: chip_sw_rv_core_ibex_fault_dump
desc: '''Verify the functionality of the ibex fault dump.
- Purposely create an ibex exception during execution through reads to an ummapped
address.
- Ensure the rstmgr fault dump correctly captures the related addresses to the
exception.
'''
stage: V2
tests: ["chip_sw_rstmgr_cpu_info"]
}
{
name: chip_sw_rv_core_ibex_double_fault
desc: '''Verify the functionality of the ibex double fault dump.
- Purposely create an ibex double exception during execution, by performing an
unmapped read and in the exception handler perform another unmapped read.
- Ensure the rstmgr fault dump correctly captures both dumps correctly and indicates
the previous dump is valid.
'''
stage: V2
tests: ["chip_sw_rstmgr_cpu_info"]
}
{
name: chip_sw_rv_core_ibex_lockstep_glitch
desc: '''Verify lockstep checking of the Ibex core.
Ensure suitable alerts are triggered when:
- Outputs from the lockstep or the main core are corrupted.
- Inputs into the lockstep core are corrupted.
'''
stage: V2S
tests: ["chip_sw_rv_core_ibex_lockstep_glitch"]
}
{
name: chip_sw_rv_core_ibex_alerts
desc: '''Inject and verify all available faults in rv_core_ibex / ibex_top.
Inject faults in the following areas and verify the alert is fired leading to an
escalation.
- Bus integrity error on the data and instruction TL interface (on the response channel)
- PC mismatch fault
- ECC error in the register file
'''
stage: V3
tests: []
}
////////////////////////////
// System level scenarios //
////////////////////////////
{
name: chip_sw_example_tests
desc: '''Provide example tests for different testing scenarios / needs.
These tests do not verify the hardware. They are meant to serve as a guide for
developing actual tests under different testing scenarios. These example tests
demonstrate the capabilities of the DV infrastructure which enables these scenarios:
1. Implement test in the ROM stage itself
2. Implement test in the flash stage, using test ROM
3. Implement test in the flash stage, using production ROM
4. Enable external maufacturer hooks in existing tests developed in the open source
5. Enable concurrent threads in tests
'''
stage: V1
tests: ["chip_sw_example_rom",
"chip_sw_example_flash",
"chip_sw_uart_smoketest_signed",
"chip_sw_example_manufacturer",
"chip_sw_example_concurrency"
]
}
{
name: chip_sw_smoketest
desc: '''Run smoke tests developed for each IP.
The smoke tests are developed by the SW team to test each IP is
alive, and can be actuated by the DIF. We need to ensure that they
work in DV as well.
'''
stage: V2
tests: ["chip_sw_aes_smoketest",
"chip_sw_aon_timer_smoketest",
"chip_sw_clkmgr_smoketest",
"chip_sw_csrng_smoketest",
"chip_sw_entropy_src_smoketest",
"chip_sw_gpio_smoketest",
"chip_sw_hmac_smoketest",
"chip_sw_kmac_smoketest",
"chip_sw_otbn_smoketest",
"chip_sw_otp_ctrl_smoketest",
"chip_sw_pwrmgr_smoketest",
"chip_sw_pwrmgr_usbdev_smoketest",
"chip_sw_rv_plic_smoketest",
"chip_sw_rv_timer_smoketest",
"chip_sw_rstmgr_smoketest",
"chip_sw_sram_ctrl_smoketest",
"chip_sw_uart_smoketest",
]
}
{
name: chip_sw_rom_functests
desc: '''Run some ROM functional tests with test ROM.
ROM functional tests test ROM drivers and libraries by exercising
these components in the flash stage, launched via the test ROM. They
primarily are tested on the FPGA, however, we ensure they run in DV
as well.
'''
stage: V2
tests: ["rom_keymgr_functest"]
}
{
name: chip_sw_signed
desc: '''Run some chip-level tests with ROM.
In addition to ROM E2E tests, we select at least one (or a few)
tests defined in this file to sign, and run via ROM instead of
test ROM. We need to ensure our test infrastructure and ROM can
boot and run one (or a few) of the same tests our test ROM can.
'''
stage: V2
tests: ["chip_sw_uart_smoketest_signed"]
}
{
name: chip_sw_coremark
desc: '''Run the coremark benchmark on the full chip.'''
stage: V3
tests: ["chip_sw_coremark"]
}
{
name: chip_sw_boot
desc: '''Verify the full flash image download with bootstrap signal set.
- SW puts the SPI device in firmware mode
- Load a firmware image (bootstrap) through spi input pin to the spi_device memory.
- SW verifies the integrity of the image upon reception by reading the spi_device
memory.
- Ensure the image is executed correctly
Note: This flow will be replaced by using spi_device flash mode.
For detail, refer to chip_spi_device_flash_mode
'''
stage: V2
tests: ["chip_sw_uart_tx_rx_bootstrap"]
}
{
name: chip_sw_secure_boot
desc: '''Verify the secure boot flow.
X-ref rom_e2e_smoke.
In reality this can be any rom based test, which requires secure boot.
'''
stage: V2
tests: ["rom_e2e_smoke"]
}
{
name: chip_lc_scrap
desc: '''Ensure it is possible to enter scrap state from every legal life cycle state.
- Request transition to SCRAP state using the JTAG interface.
- It should be possible to transition from every legal state using external clock.
- Where it is allowed, transition using internal clocks should also be checked.
- After transition, verify that the device is in SCRAP state through LC read.
- Verify while in SCRAP state:
- RV JTAG interface is unavailable.
- Ibex is not executing.
- RV_DM is unreachable by the stub CPU.
- X-ref'd with manuf_scrap from the manufacturing testplan.
- X-ref'd with chip_lc_test_locked.
- X-ref'd with chip_tap_strap_sampling
'''
stage: V2
tests: ["chip_sw_lc_ctrl_rand_to_scrap",
"chip_sw_lc_ctrl_raw_to_scrap",
"chip_sw_lc_ctrl_rma_to_scrap",
"chip_sw_lc_ctrl_test_locked0_to_scrap"]
}
{
name: chip_lc_test_locked
desc: '''Transition from TEST_UNLOCKED to TEST_LOCKED using LC JTAG interface.
- Check in TEST_UNLOCKED RV JTAG interface is available.
- Verify When in TEST_LOCKED state:
- RV JTAG interface is unavailable.
- Ibex is not executing.
- RV_DM is unreachable by the stub CPU.
- X-ref'd with manuf_cp_test_lock from the manufacturing testplan.
- X-ref'd with chip_lc_scrap.
- X-ref'd with chip_tap_strap_sampling
- X-ref'd with chip_sw_lc_walkthrough
- X-ref'd with chip_rv_dm_lc_disabled
'''
stage: V2
tests: ["chip_sw_lc_walkthrough_testunlocks",
"chip_rv_dm_lc_disabled"]
}
{
name: chip_sw_lc_walkthrough
desc: '''Walk through the life cycle stages from RAW state and reseting the chip each time.
- Pre-load OTP image with RAW lc_state.
- Initiate the LC transition to one of the test unlock state.
- Program test_unlock_token, test_exit_token, rma_unlock_token into OTP partitions.
- Move forward to next valid LC states via JTAG interface or SW interface if CPU is
enabled.
Verify that the features that should indeed be disabled are indeed disabled.
'''
stage: V2
tests: ["chip_sw_lc_walkthrough_dev",
"chip_sw_lc_walkthrough_prod",
"chip_sw_lc_walkthrough_prodend",
"chip_sw_lc_walkthrough_rma",
"chip_sw_lc_walkthrough_testunlocks"]
}
{
name: chip_sw_power_max_load
desc: '''Concurrency test modeling maximum load conditions.
This concurrency test runs multiple blocks at the same time, to simulate
maximum load ("power virus test"). Should be combined with low power
entry and exit scenarios.
The test should be made configurable so that the type of power state and
the time spent in a particular power state can be configured via a
flag (or similar). This will make it easier to reuse the test for power
simulation and characterization later on.
The test should set a GPIO (mapped to the IOA2 pin) to high while the power
state of interest is active.
Blocks / functionality to run simulatenously in this test:
- The ADC is continuously sampling new data
- Staggered activation of OTBN, aes, KMAC/HMAC.
- KMAC / aes would need to take turns being fed data
- KMAC activation should be a combination of otp background, key
manager background and software
- for OTBN, any signature verification / signing event is sufficient
- Entropy complex ongoing
- reseed / update operation ongoing
- Flash scramble ongoing (ideally both instruction and data, but data should be sufficient
for now)
- instruction scrambling gated by script availability
- Simultaneous IO toggling as defined below
- ideally for digital activity, 3xUART / I2C modules should be activated
- for first pass simplicity can activate IO portion only for now through GPIO
- for dedicated pins, focus on SPI device quad activity
- USB activity should be activated
- for first pass simplicity activate IO portion only for now via pin forcing in usbdev.
- Ongoing cpu activity (icache / SRAM scrambling both activated)
- servicing ongoing threads and random read/write data to memory
- icache needs to be activated, otherwise the system may spend most of its time fetching
code
- Background checks enabled wherever possible
- rstmgr background checks
- alert_handler ping checks
- OTP background checks
- The test should be run both with / without external clock
This test should leverage the OTTF test framework for supporting
concurrency in a FreeRTOS environment. See also the design docs linked
in #14095 for more details on how to approach the implementation.
'''
stage: V3
tests: []
}
{
name: chip_sw_power_idle_load
desc: '''Concurrency test modeling load conditions in idle state
This concurrency test models an average idle scenarios.
The test should be made configurable so that the type of power state and
the time spent in a particular power state can be configured via a
flag (or similar). This will make it easier to reuse the test for power
simulation and characterization later on.
The test should set a GPIO (mapped to the IOA2 pin) to high while the power
state of interest is active.
The test should cover the following scenarios:
- Processor polls for nmi interrupt
- Background checks enabled wherever possible
- rstmgr background checks
- alert_handler ping checks
- OTP background checks
- Timers (regular and AON) are active
- Check whether transactional clocks should be enabled or disabled
- Check whether PWM should be active
'''
stage: V2
tests: ["chip_sw_power_idle_load"]
}
{
name: chip_sw_power_sleep_load
desc: '''Concurrency test modeling load conditions in idle state
This concurrency test models average sleep scenarios.
The test should be made configurable so that the type of power state and
the time spent in a particular power state can be configured via a
flag (or similar). This will make it easier to reuse the test for power
simulation and characterization later on.
The test should cover the following scenarios:
- System can be in deep or light sleep
- The system has the following AON / IO activity:
- aon_timer active
- adc_ctrl active in low power mode
- TBD: check whether sysrst_ctrl and pinmux wakeup detectors should be active
- TBD: check whether PWM should be active
This test should leverage the OTTF test framework for supporting
concurrency in a FreeRTOS environment. See also the design docs linked
in #14095 for more details on how to approach the implementation.
'''
stage: V2
tests: ["chip_sw_power_sleep_load"]
}
{
name: chip_sw_exit_test_unlocked_bootstrap
desc: '''End to end test to ensure rom boot strap can be performed after
transitioning from TEST states to PROD staets. .
- Pre-load the device into TEST_UNLOCKED state and ROM_EXEC_EN = 0.
- In the same power cycle, advance device to PROD, PROD_END or DEV through LC JTAG request and
set ROM_EXEC_EN in OTP to logically true.
- Reboot the device and perform boot strap of a simple image, (e.g Hello World).
- Ensure boot strap succeeds.
X-ref'ed with manuf_ft_exit_token from manufacturing test plan.
'''
stage: V2
tests: ["chip_sw_exit_test_unlocked_bootstrap"]
}
{
name: chip_sw_inject_scramble_seed
desc: '''End to end test to ensure boot strap can succeed after injecting scramble seeds.
- Pre-load the device into PROD, PROD_END or DEV state.
- Backdoor load an unscrambled value into flash isolated partition.
- In the test program, populate the scramble seeds (flash / sram).
- In the test program, populate OTP entries to inform ROM to scramble flash upon next boot.
- Reboot the device and perform boot strap of the same test image, ROM should now program
the flash image with scramble enabled.
- Upon successful boot strap, ROM jumps to the newly programmed image and de-scrambles the
instructions.
- In the test program, check whether the OTP partition containing the scramble seeds is
locked. Also check that the unscrambled value progarmmed into flash isolated partition
can be correctly read back when the region is set to scramble disable.
- If either of the above checks is incorrect, return error.
X-ref'ed with manuf_ft_sku_individualization from manufacturing test plan.
'''
stage: V2
tests: ["chip_sw_inject_scramble_seed"]
}
]
}