LC_CTRL DV document
Goals
- DV
- Verify all LC_CTRL IP features by running dynamic simulations with a SV/UVM based testbench
- Develop and run all tests based on the testplan below towards closing code and functional coverage on the IP and all of its sub-modules
- FPV
- Verify TileLink device protocol compliance with an SVA based testbench
Current status
Design features
For detailed information on LC_CTRL design features, please see the LC_CTRL HWIP technical specification.
Testbench architecture
LC_CTRL testbench has been constructed based on the CIP testbench architecture.
Block diagram
Top level testbench
Top level testbench is located at hw/ip/lc_ctrl/dv/tb/tb.sv
. It instantiates the LC_CTRL DUT module hw/ip/lc_ctrl/rtl/lc_ctrl.sv
.
In addition, it instantiates the following interfaces, connects them to the DUT and sets their handle into uvm_config_db
:
- Clock and reset interface
- TileLink host interface
- LC_CTRL IOs
- Interrupts (
pins_if
) - Alerts (
alert_esc_if
) - Devmode (
pins_if
)
Common DV utility components
The following utilities provide generic helper tasks and functions to perform activities that are common across the project:
Compile-time configurations
[list compile time configurations, if any and what are they used for]
Global types & methods
All common types and methods defined at the package level can be found in
lc_ctrl_env_pkg
.
TL_agent
LC_CTRL testbench instantiates (already handled in CIP base env) tl_agent which provides the ability to drive and independently monitor random traffic via TL host interface into LC_CTRL device.
JTAG RISCV Agent
jtag_riscv_agent is used to read and write LC_CTRL registers via the JTAG interface. It contains an embedded instance of [jtag_agent] /hw/dv/sv/jtag_agent/doc/ which uses the jtag_if interface in the testbench.
PUSH/PULL Agent
push_pull_agent is used to emulate the Token and OTP programing interfaces.
UVM RAL Model
The LC_CTRL RAL model is created with the ralgen
FuseSoC generator script automatically when the simulation is at the build stage.
It can be created manually by invoking regtool
:
Stimulus strategy
Test sequences
All test sequences reside in hw/ip/lc_ctrl/dv/env/seq_lib
.
The lc_ctrl_base_vseq
virtual sequence is extended from cip_base_vseq
and serves as a starting point.
All test sequences are extended from lc_ctrl_base_vseq
.
It provides commonly used handles, variables, functions and tasks that the test sequences can simple use / call.
Functional coverage
To ensure high quality constrained random stimulus, it is necessary to develop a functional coverage model. The following covergroups have been developed to prove that the test intent has been adequately met:
- err_inj_cg: indicates what error conditions have been injected.
Self-checking strategy
Scoreboard
The lc_ctrl_scoreboard
is primarily used for end to end checking.
It creates the following analysis exports to retrieve the data monitored by corresponding interface agents:
- tl_[a_chan, d_chan, dir]_fifo_lc_ctrl_reg_block.analysis_export: Tile Link CSR reads/writes.
- jtag_riscv_fifo.analysis_export: JTAG CSR reads/writes
- alert_fifo[fatal_bus_integ_error, fatal_prog_error, fatal_state_error].analysis_export: Alert traffic from DUT
- otp_prog_fifo.analysis_export: OTP program data from LC_CTRL and response to LC_CTRL.
- otp_token_fifo.analysis_export: OTP token data from LC_CTRL and response to LC_CTRL.
Scoreboard Checks
- TL CSR data is used to check against expected values predicted by the scoreboard. It also updates the UVM register model.
- JTAG CSR data is used to check against expected values predicted by the scoreboard. It also updates the UVM register model.
- Alert data is decoded and used to indicate an alert has occured
Assertions
- TLUL assertions: The
tb/lc_ctrl_bind.sv
binds thetlul_assert
assertions to the IP to ensure TileLink interface protocol compliance. - Unknown checks on DUT outputs: The RTL has assertions to ensure all outputs are initialized to known values after coming out of reset.
Building and running tests
We are using our in-house developed regression tool for building and running our tests and regressions. Please take a look at the link for detailed information on the usage, capabilities, features and known issues. Here’s how to run a smoke test:
$ $REPO_TOP/util/dvsim/dvsim.py $REPO_TOP/hw/ip/lc_ctrl/dv/lc_ctrl_sim_cfg.hjson -i lc_ctrl_smoke
Testplan
Testpoints
Milestone | Name | Tests | Description |
---|---|---|---|
V1 | smoke | lc_ctrl_smoke | Smoke test accessing lc_ctrl state transition datapath. Stimulus:
Checks:
|
V1 | csr_hw_reset | lc_ctrl_csr_hw_reset | Verify the reset values as indicated in the RAL specification.
|
V1 | csr_rw | lc_ctrl_csr_rw | Verify accessibility of CSRs as indicated in the RAL specification.
|
V1 | csr_bit_bash | lc_ctrl_csr_bit_bash | Verify no aliasing within individual bits of a CSR.
|
V1 | csr_aliasing | lc_ctrl_csr_aliasing | Verify no aliasing within the CSR address space.
|
V1 | csr_mem_rw_with_rand_reset | lc_ctrl_csr_mem_rw_with_rand_reset | Verify random reset during CSR/memory access.
|
V1 | regwen_csr_and_corresponding_lockable_csr | lc_ctrl_csr_rw lc_ctrl_csr_aliasing | Verify regwen CSR and its corresponding lockable CSRs.
Note:
This is only applicable if the block contains regwen and locakable CSRs. |
V2 | state_post_trans | lc_ctrl_state_post_trans | This test is based on smoke test. After smoke sequence, this test adds additional lc_state transition request before issuing reset. This should happen regardless if the transition is successful. Use scoreboard to ensure lc_ctrl ignores this additional lc_state transition request and check state count. |
V2 | regwen_during_op | lc_ctrl_regwen_during_op |
Checks:
|
V2 | lc_prog_failure | lc_ctrl_prog_failure | This test checks lc_program failure by setting the error bit after otp program request. Checks:
|
V2 | lc_state_failure | lc_ctrl_state_failure | This test checks lc_state failure by:
Checks:
|
V2 | lc_errors | lc_ctrl_errors | This test randomly executes the error senarios:
Checks:
|
V2 | security_escalation | lc_ctrl_security_escalation lc_ctrl_errors lc_ctrl_state_failure lc_ctrl_prog_failure lc_ctrl_jtag_errors lc_ctrl_jtag_state_failure lc_ctrl_jtag_prog_failure | This test checks two security escalation responses:
|
V2 | jtag_access | lc_ctrl_jtag_access lc_ctrl_jtag_smoke lc_ctrl_jtag_state_post_trans lc_ctrl_jtag_errors lc_ctrl_jtag_prog_failure lc_ctrl_jtag_errors lc_ctrl_jtag_regwen_during_op lc_ctrl_jtag_csr_hw_reset lc_ctrl_jtag_csr_rw lc_ctrl_jtag_csr_bit_bash lc_ctrl_jtag_csr_aliasing lc_ctrl_jtag_same_csr_outstanding lc_ctrl_jtag_csr_mem_rw_with_rand_reset lc_ctrl_jtag_alert_test | This test checks jtag debug interface in lc_ctrl. This test will use both JTAG TAP and TLUL to access the CSR space. All above CSR sequences should be accessible via both interfaces. |
V2 | jtag_priority | lc_ctrl_jtag_priority | This test covers a corner case in JTAG and TLUL interfaces. Stimulus:
Checks:
|
V2 | stress_all | lc_ctrl_stress_all |
|
V2 | alert_test | lc_ctrl_alert_test | Verify common
|
V2 | tl_d_oob_addr_access | lc_ctrl_tl_errors | Access out of bounds address and verify correctness of response / behavior |
V2 | tl_d_illegal_access | lc_ctrl_tl_errors | Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the [TLUL spec]({{< relref "hw/ip/tlul/doc/_index.md#explicit-error-cases" >}})
|
V2 | tl_d_outstanding_access | lc_ctrl_csr_hw_reset lc_ctrl_csr_rw lc_ctrl_csr_aliasing lc_ctrl_same_csr_outstanding | Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address. |
V2 | tl_d_partial_access | lc_ctrl_csr_hw_reset lc_ctrl_csr_rw lc_ctrl_csr_aliasing lc_ctrl_same_csr_outstanding | Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields. |
V2S | tl_intg_err | lc_ctrl_tl_intg_err lc_ctrl_sec_cm | Verify that the data integrity check violation generates an alert.
|
V2S | sec_cm_bus_integrity | lc_ctrl_tl_intg_err | BUS.INTEGRITY: Verify this countermeasure with a standardized test. |
V2S | sec_cm_transition_config_regwen | lc_ctrl_regwen_during_op | TRANSITION.CONFIG.REGWEN: Verify that the transition interface registers cannot be modified anymore once a transition has been initiated (either via TL-UL or the JTAG interface, depending on which interface is being used to claim the mutex). |
V2S | sec_cm_manuf_state_sparse | lc_ctrl_sec_cm lc_ctrl_state_failure | MANUF.STATE.SPARSE: Verify this countermeasure with a standardized test. |
V2S | sec_cm_transition_ctr_sparse | lc_ctrl_sec_cm lc_ctrl_state_failure | TRANSITION.CTR.SPARSE: Verify this countermeasure with a standardized test. |
V2S | sec_cm_manuf_state_bkgn_chk | lc_ctrl_sec_cm lc_ctrl_state_failure | MANUF.STATE.BKGN_CHK: Verify this countermeasure with a standardized test. |
V2S | sec_cm_transition_ctr_bkgn_chk | lc_ctrl_sec_cm lc_ctrl_state_failure | TRANSITION.CTR.BKGN_CHK: Verify this countermeasure with a standardized test. |
V2S | sec_cm_state_config_sparse | lc_ctrl_sec_cm lc_ctrl_state_failure | STATE.CONFIG.SPARSE: Verify this countermeasure with a standardized test. |
V2S | sec_cm_main_fsm_sparse | lc_ctrl_sec_cm lc_ctrl_state_failure | MAIN.FSM.SPARSE: Verify this countermeasure with a standardized test. |
V2S | sec_cm_kmac_fsm_sparse | lc_ctrl_sec_cm lc_ctrl_state_failure | KMAC.FSM.SPARSE: Verify this countermeasure with a standardized test. |
V2S | sec_cm_main_fsm_local_esc | lc_ctrl_sec_cm lc_ctrl_state_failure | MAIN.FSM.LOCAL_ESC: Verify that the main FSM goes into the
|
V2S | sec_cm_main_fsm_global_esc | lc_ctrl_security_escalation | MAIN.FSM.GLOBAL_ESC: Verify that the main FSM goes into the |
V2S | sec_cm_main_ctrl_flow_consistency | lc_ctrl_state_post_trans lc_ctrl_jtag_state_post_trans | MAIN.CTRL_FLOW.CONSISTENCY: Verify that the control flow of the main FSM only ever progresses in one
direction - i.e. that there are no transitions that move backwards into
a state where the FSM has previously been (e.g. from Note: This is expected to be formally proven by FPV test lc_ctrl_sec_cm_fsm but there is currently no mechanism to include this in the testplan. |
V2S | sec_cm_intersig_mubi | lc_ctrl_sec_mubi | INTERSIG.MUBI: Verify the behavior of MUBI inputs as follows:
There are two ways this condition can be triggered: either no external
clock is requested, and then setting
There are two ways this condition can be triggered: either no RMA
transition is requested, and then setting The main life cycle FSM should not progress through the |
V2S | sec_cm_token_valid_ctrl_mubi | lc_ctrl_sec_mubi | TOKEN_VALID.CTRL.MUBI: Verify that any value other than 'ON' will lead to a TOKEN_ERROR in life
cycle transitions where the associated token is being used. The main
life cycle FSM should not progress through the |
V2S | sec_cm_token_digest | lc_ctrl_sec_token_digest | TOKEN.DIGEST: Life cycle tokens are hashed using an external SHA3 block, and checked multiple times internally. In order to verify this countermeasure, the following aspects should be tested:
|
V2S | sec_cm_token_mux_ctrl_redun | lc_ctrl_sec_token_mux | TOKEN_MUX.CTRL.REDUN: The token mux is split into two halves that are indexed separately.
Verify that any inconsistency between the two indexes leads to a
TRANSITION_ERROR, without the main FSM going through the Note: the same test as for TOKEN_VALID.MUX.REDUN can be used. |
V2S | sec_cm_token_valid_mux_redun | lc_ctrl_sec_token_mux | TOKEN_VALID.MUX.REDUN: The token mux is split into two halves that are indexed separately.
Verify that any inconsistency between the two indexes leads to a
TRANSITION_ERROR, without the main FSM going through the Note: the same test as for TOKEN_MUX.CTRL.REDUN can be used. |
V3 | stress_all_with_rand_reset | lc_ctrl_stress_all_with_rand_reset | This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers. |
Covergroups
Name | Description |
---|---|
err_inj_cg | Indicates what error conditions have been injected. |
lc_ctrl_fsm_cg | lc_ctrl_fsm states and arcs |
regwen_val_when_new_value_written_cg | Cover each lockable reg field with these 2 cases:
This is only applicable if the block contains regwen and locakable CSRs. |
sec_token_digest_error_cg | Indicates FSM states that a token digest error is detected |
sec_token_mux_idx_error_cg | Indicates FSM states that a token mux index error is detected |
tl_errors_cg | Cover the following error cases on TL-UL bus:
|
tl_intg_err_cg | Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check. Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied. |