OTP_CTRL DV document
Goals
- DV
  - Verify all OTP_CTRL IP features by running dynamic simulations with a SV/UVM based testbench
  - Develop and run all tests based on the testplan below towards closing code and functional coverage on the IP and all of its sub-modules
- FPV
  - Verify TileLink device protocol compliance with an SVA based testbench
Current status
Design features
For detailed information on OTP_CTRL design features, please see the OTP_CTRL HW IP technical specification.
Testbench architecture
OTP_CTRL testbench has been constructed based on the CIP testbench architecture.
Block diagram
Top level testbench
Top level testbench is located at hw/ip/otp_ctrl/dv/tb.sv. It instantiates the OTP_CTRL DUT module hw/ip/otp_ctrl/rtl/otp_ctrl.sv.
In addition, it instantiates the following interfaces, connects them to the DUT and sets their handle into uvm_config_db:
- Clock and reset interface
- TileLink host interface
- OTP_CTRL IOs
- Interrupts (pins_if)
- Alerts (alert_esc_if)
- Devmode (pins_if)
Common DV utility components
The following utilities provide generic helper tasks and functions to perform activities that are common across the project:
Global types & methods
All common types and methods defined at the package level can be found in otp_ctrl_env_pkg. Some of them in use are:
parameter uint SCRAMBLE_DATA_SIZE = 64;
parameter uint SCRAMBLE_KEY_SIZE = 128;
parameter uint NUM_ROUND = 31;
typedef enum bit [2:0] {
  OtpNoError,
  OtpMacroError,
  OtpMacroEccCorrError,
  OtpMacroEccUncorrError,
  OtpMacroWriteBlankError,
  OtpAccessError,
  OtpCheckFailError,
  OtpFsmStateError
} otp_err_code_e;
TL_agent
OTP_CTRL testbench instantiates (already handled in CIP base env) tl_agent, which provides the ability to drive and independently monitor random traffic via TL host interface into OTP_CTRL device.
Alert_agents
OTP_CTRL testbench instantiates (already handled in CIP base env) two alert_agents: fatal_check_alert and fatal_macro_alert. The alert_agents provide the ability to drive and independently monitor alert handshakes via alert interfaces in OTP_CTRL device.
OTP_CTRL interface
The OTP_CTRL design has specific inputs and outputs to communicate with other IPs including LC_CTRL, OTBN, SRAM, FLASH etc. This interface initializes these signals, provides simple tasks to drive them, and uses assertions to monitor them.
Memory backdoor interface
The OTP_CTRL testbench binds the design’s non-volatile OTP memory to a mem_bkdr_util, which supports read, write, and injection of ECC errors into the design’s OTP memory.
UVM RAL model
The OTP_CTRL RAL model is created with the ralgen FuseSoC generator script automatically when the simulation is at the build stage.
It can be created manually by invoking regtool.
Reference models
OTP_CTRL uses [PRESENT](/hw/ip/prim/doc/prim_present/) as the cipher to scramble and protect secrets.
Thus OTP_CTRL’s scoreboard adopts PRESENT’s C reference model, located under the hw/ip/prim/dv/prim_present/ folder, for encryption and decryption.
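As an added illustration (this is not the C reference model from hw/ip/prim/dv/prim_present/ and not project code), the following self-contained C example implements textbook PRESENT with the 64-bit block, 128-bit key and 31 rounds given by the constants above, including the decryption direction a scoreboard needs when it reads scrambled data back. The function names, key and data word are constructed for this example, and treating the DUT's scrambling as plain single-block PRESENT is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_ROUND 31 /* same value as NUM_ROUND in otp_ctrl_env_pkg */

static const uint8_t SBOX[16]     = {0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2};
static const uint8_t SBOX_INV[16] = {5, 0xE, 0xF, 8, 0xC, 1, 2, 0xD, 0xB, 4, 6, 3, 0, 7, 9, 0xA};

/* Substitute each of the 16 state nibbles through the given 4-bit box. */
static uint64_t sub_nibbles(uint64_t s, const uint8_t *box) {
    uint64_t out = 0;
    for (int i = 0; i < 16; i++)
        out |= (uint64_t)box[(s >> (4 * i)) & 0xF] << (4 * i);
    return out;
}

/* Bit i moves to (mult * i) mod 63, bit 63 stays; mult 16 is forward, 4 is its inverse. */
static uint64_t permute(uint64_t s, int mult) {
    uint64_t out = 0;
    for (int i = 0; i < 64; i++)
        out |= ((s >> i) & 1) << (i == 63 ? 63 : (mult * i) % 63);
    return out;
}

/* Derive NUM_ROUND + 1 round keys from a 128-bit key (hi = key bits 127..64). */
static void key_schedule(uint64_t hi, uint64_t lo, uint64_t *rk) {
    for (uint64_t r = 1; r <= NUM_ROUND + 1; r++) {
        rk[r - 1] = hi;                        /* round key = top 64 key bits */
        uint64_t nhi = (hi << 61) | (lo >> 3); /* rotate key register left by 61 */
        uint64_t nlo = (lo << 61) | (hi >> 3);
        uint64_t top = ((uint64_t)SBOX[nhi >> 60] << 4) | SBOX[(nhi >> 56) & 0xF];
        hi = ((nhi & 0x00FFFFFFFFFFFFFFULL) | (top << 56)) ^ (r >> 2);
        lo = nlo ^ ((r & 3) << 62);            /* round counter into bits 66..62 */
    }
}

uint64_t present_encrypt(uint64_t pt, uint64_t key_hi, uint64_t key_lo) {
    uint64_t rk[NUM_ROUND + 1], s = pt;
    key_schedule(key_hi, key_lo, rk);
    for (int r = 0; r < NUM_ROUND; r++)
        s = permute(sub_nibbles(s ^ rk[r], SBOX), 16);
    return s ^ rk[NUM_ROUND];
}

uint64_t present_decrypt(uint64_t ct, uint64_t key_hi, uint64_t key_lo) {
    uint64_t rk[NUM_ROUND + 1], s;
    key_schedule(key_hi, key_lo, rk);
    s = ct ^ rk[NUM_ROUND];
    for (int r = NUM_ROUND - 1; r >= 0; r--)
        s = sub_nibbles(permute(s, 4), SBOX_INV) ^ rk[r];
    return s;
}

int main(void) { /* constructed key and data word, not values from OTP_CTRL */
    uint64_t kh = 0x0123456789ABCDEFULL, kl = 0xFEDCBA9876543210ULL;
    unsigned long long raw = present_encrypt(0xDEADBEEFCAFEF00DULL, kh, kl);
    printf("raw=%016llx plain=%016llx\n", raw, (unsigned long long)present_decrypt(raw, kh, kl));
    return 0;
}
```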
Stimulus strategy
Test sequences
All test sequences reside in hw/ip/otp_ctrl/dv/env/seq_lib.
The otp_ctrl_base_vseq virtual sequence is extended from cip_base_vseq and serves as a starting point.
All test sequences are extended from otp_ctrl_base_vseq.
It provides commonly used handles, variables, functions and tasks that the test sequences can simply use or call.
Some of the most commonly used tasks / functions are as follows:
- dai_wr: This task triggers an OTP write sequence via the DAI interface.
- dai_rd: This task triggers an OTP read sequence via the DAI interface.
- trigger_checks: This task triggers a one-time OTP check; the user can choose to trigger a consistency check or an integrity check.
- randomize_dai_addr: This task takes a DAI address as input and randomizes its last two bits, because the last two bits should be ignored by the design.
Functional coverage
To ensure high quality constrained random stimulus, it is necessary to develop a functional coverage model. The following two files declare OTP_CTRL’s covergroups:
- dv/env/otp_ctrl_env_cov.sv declares functional or CSR related covergroups. The functional coverage is collected manually inside OTP_CTRL’s scoreboard by invoking the sample function.
- dv/cov/otp_ctrl_cov_if.sv declares interface signal related covergroups. The functional coverage is collected automatically when the sampled signal is active.
Self-checking strategy
Scoreboard
The otp_ctrl_scoreboard is primarily used for end to end checking.
It creates the following analysis ports to retrieve the data monitored by corresponding interface agents:
- tl_a_chan_fifo: tl address channel
- tl_d_chan_fifo: tl data channel
- alert_fifos: alert handshakes
- sram_fifos: sram requests
- otbn_fifo: otbn request
- lc_prog_fifo: life cycle programming request
- lc_token_fifo: life cycle token request
- flash_addr_fifo: flash address request
- flash_data_fifo: flash data request
- edn_fifo: edn response to OTP_CTRL
For all requests to OTP_CTRL as listed above, the scoreboard has a corresponding task to process the request, check OTP_CTRL’s response value against encryption, and collect coverage.
OTP_CTRL’s scoreboard has an internal array otp_a that tracks OTP memory data.
Every successful OTP write operation will update this internal array, and every successful OTP read operation will check the readout value against this internal array.
Note that in the design, secret partitions go through encryption before being written to the actual OTP memory, and are decrypted upon a read request.
To keep this internal array simple, the scoreboard skips this procedure.
However, if the scoreboard backdoor reads any secret partition, it decrypts the data and then writes the decrypted data to the internal array.
For any operation that fails, the scoreboard will predict the status and err_code according to the failure type.
If the error can trigger an alert, the scoreboard will use the set_exp_alert task to check if the alert is firing correctly.
If a HW digest operation is triggered by a sequence, the scoreboard will calculate the digest value with partition data from its internal array and update the digest value.
According to the design spec, the scoreboard won’t lock the partition and predict the digest value to the digest registers until the next power cycle.
If a reset or lc_escalation_en is issued during an OTP_CTRL write operation, the scoreboard cannot accurately predict how many bits have been programmed into OTP memory.
To avoid mismatches, the scoreboard uses the flags dai_wr_ip and dai_digest_ip to track OTP write operations, and issues a backdoor read if the write operation is interrupted.
Assertions
- TLUL assertions: The tb/otp_ctrl_bind.sv binds the tlul_assert assertions to the IP to ensure TileLink interface protocol compliance.
- Unknown checks on DUT outputs: The RTL has assertions to ensure all outputs are initialized to known values after coming out of reset.
- OTP_CTRL_IF assertions: This interface has assertions to ensure certain OTP_CTRL’s outputs (such as: otp_hw_cfg_o, keymgr_key_o) are stable after OTP initialization.
Building and running tests
We are using our in-house developed regression tool for building and running our tests and regressions. Please take a look at the link for detailed information on the usage, capabilities, features and known issues. Here’s how to run a smoke test:
$ $REPO_TOP/util/dvsim/dvsim.py $REPO_TOP/hw/ip/otp_ctrl/dv/otp_ctrl_sim_cfg.hjson -i otp_ctrl_smoke
Testplan
Testpoints
Milestone | Name | Tests | Description |
---|---|---|---|
V1 | wake_up | otp_ctrl_wake_up | Wake_up test walks through otp_ctrl's power-on initialization, read, program, and digest functionalities. |
V1 | smoke | otp_ctrl_smoke | OTP_CTRL smoke test provisions and locks partitions. Checks: |
V1 | csr_hw_reset | otp_ctrl_csr_hw_reset | Verify the reset values as indicated in the RAL specification. |
V1 | csr_rw | otp_ctrl_csr_rw | Verify accessibility of CSRs as indicated in the RAL specification. |
V1 | csr_bit_bash | otp_ctrl_csr_bit_bash | Verify no aliasing within individual bits of a CSR. |
V1 | csr_aliasing | otp_ctrl_csr_aliasing | Verify no aliasing within the CSR address space. |
V1 | csr_mem_rw_with_rand_reset | otp_ctrl_csr_mem_rw_with_rand_reset | Verify random reset during CSR/memory access. |
V1 | regwen_csr_and_corresponding_lockable_csr | otp_ctrl_csr_rw otp_ctrl_csr_aliasing | Verify regwen CSR and its corresponding lockable CSRs. Note: This is only applicable if the block contains regwen and lockable CSRs. |
V1 | mem_walk | otp_ctrl_mem_walk | Verify accessibility of all memories in the design. |
V1 | mem_partial_access | otp_ctrl_mem_partial_access | Verify partial-accessibility of all memories in the design. |
V2 | dai_access_partition_walk | otp_ctrl_partition_walk | Similar to UVM's memory walk test, this test ensures every address in each partition can be accessed successfully via DAI and TLUL interfaces according to its access policy. |
V2 | init_fail | otp_ctrl_init_fail | Based on OTP_CTRL smoke test, this test creates OTP_CTRL's initialization failure: If fatal error is triggered, this test will check: If OTP initialization finished without any fatal error, this test will check: |
V2 | partition_check | otp_ctrl_check_fail otp_ctrl_background_chks | Randomly program the partition check related CSRs including: Create a failure scenario by randomly picking one of these three methods: Checks: |
V2 | regwen_during_otp_init | otp_ctrl_regwen | The Stimulus and checks: |
V2 | partition_lock | otp_ctrl_dai_lock | This test will cover two methods of locking read and write: digest calculation and CSR write. After locking the partitions, issue read or program sequences and check if the operations are locked correctly, and check if the |
V2 | interface_key_check | otp_ctrl_parallel_key_req | OTP_CTRL will generate keys to |
V2 | lc_interactions | otp_ctrl_parallel_lc_req otp_ctrl_parallel_lc_esc | Verify the protocols between OTP_CTRL and LC_CTRL. Based on the DAI access sequence, run the following sequences in parallel: Checks: |
V2 | otp_dai_errors | otp_ctrl_dai_errs | Based on the otp_dai_lock test, this test will randomly run the following OTP errors: Checks: |
V2 | otp_macro_errors | otp_ctrl_macro_errs | Randomly run the following OTP errors: Checks: |
V2 | test_access | otp_ctrl_test_access | This test checks if the test access to OTP macro is connected correctly. Stimulus and Checks: |
V2 | stress_all | otp_ctrl_stress_all | |
V2 | intr_test | otp_ctrl_intr_test | Verify common intr_test CSRs that allows SW to mock-inject interrupts. |
V2 | alert_test | otp_ctrl_alert_test | Verify common |
V2 | tl_d_oob_addr_access | otp_ctrl_tl_errors | Access out of bounds address and verify correctness of response / behavior |
V2 | tl_d_illegal_access | otp_ctrl_tl_errors | Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested based on the [TLUL spec]({{< relref "hw/ip/tlul/doc/_index.md#explicit-error-cases" >}}) |
V2 | tl_d_outstanding_access | otp_ctrl_csr_hw_reset otp_ctrl_csr_rw otp_ctrl_csr_aliasing otp_ctrl_same_csr_outstanding | Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back-to-back accesses are made to the same address. |
V2 | tl_d_partial_access | otp_ctrl_csr_hw_reset otp_ctrl_csr_rw otp_ctrl_csr_aliasing otp_ctrl_same_csr_outstanding | Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields. |
V2S | sec_cm_additional_check | otp_ctrl_sec_cm | Verify the outcome of injecting faults to security countermeasures. Stimulus: As mentioned in Checks: |
V2S | tl_intg_err | otp_ctrl_tl_intg_err otp_ctrl_sec_cm | Verify that the data integrity check violation generates an alert. |
V2S | prim_count_check | otp_ctrl_sec_cm | Verify that violating prim_count counter properties generate a fatal alert. Stimulus: Checks: |
V2S | prim_fsm_check | otp_ctrl_sec_cm | Verify that entering to an undefined state generates a fatal alert. Stimulus: Checks: |
V2S | sec_cm_bus_integrity | otp_ctrl_tl_intg_err | Verify the countermeasure(s) BUS.INTEGRITY. |
V2S | sec_cm_secret_mem_scramble | otp_ctrl_smoke | Verify the countermeasure(s) SECRET.MEM.SCRAMBLE. |
V2S | sec_cm_part_mem_digest | otp_ctrl_smoke | Verify the countermeasure(s) PART.MEM.DIGEST. |
V2S | sec_cm_dai_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) DAI.FSM.SPARSE. |
V2S | sec_cm_kdi_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) KDI.FSM.SPARSE. |
V2S | sec_cm_lci_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) LCI.FSM.SPARSE. |
V2S | sec_cm_part_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) PART.FSM.SPARSE. |
V2S | sec_cm_scrmbl_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) SCRMBL.FSM.SPARSE. |
V2S | sec_cm_timer_fsm_sparse | otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER.FSM.SPARSE. |
V2S | sec_cm_dai_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) DAI.CTR.REDUN. |
V2S | sec_cm_kdi_seed_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) KDI_SEED.CTR.REDUN. |
V2S | sec_cm_kdi_entropy_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) KDI_ENTROPY.CTR.REDUN. |
V2S | sec_cm_lci_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) LCI.CTR.REDUN. |
V2S | sec_cm_part_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) PART.CTR.REDUN. |
V2S | sec_cm_scrmbl_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) SCRMBL.CTR.REDUN. |
V2S | sec_cm_timer_integ_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER_INTEG.CTR.REDUN. |
V2S | sec_cm_timer_cnsty_ctr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER_CNSTY.CTR.REDUN. |
V2S | sec_cm_timer_lfsr_redun | otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER.LFSR.REDUN. |
V2S | sec_cm_dai_fsm_local_esc | otp_ctrl_parallel_lc_esc otp_ctrl_sec_cm | Verify the countermeasure(s) DAI.FSM.LOCAL_ESC. |
V2S | sec_cm_lci_fsm_local_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) LCI.FSM.LOCAL_ESC. |
V2S | sec_cm_kdi_fsm_local_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) KDI.FSM.LOCAL_ESC. |
V2S | sec_cm_part_fsm_local_esc | otp_ctrl_parallel_lc_esc otp_ctrl_macro_errs | Verify the countermeasure(s) PART.FSM.LOCAL_ESC. |
V2S | sec_cm_scrmbl_fsm_local_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) SCRMBL.FSM.LOCAL_ESC. |
V2S | sec_cm_timer_fsm_local_esc | otp_ctrl_parallel_lc_esc otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER.FSM.LOCAL_ESC. |
V2S | sec_cm_dai_fsm_global_esc | otp_ctrl_parallel_lc_esc otp_ctrl_sec_cm | Verify the countermeasure(s) DAI.FSM.GLOBAL_ESC. |
V2S | sec_cm_lci_fsm_global_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) LCI.FSM.GLOBAL_ESC. |
V2S | sec_cm_kdi_fsm_global_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) KDI.FSM.GLOBAL_ESC. |
V2S | sec_cm_part_fsm_global_esc | otp_ctrl_parallel_lc_esc otp_ctrl_macro_errs | Verify the countermeasure(s) PART.FSM.GLOBAL_ESC. |
V2S | sec_cm_scrmbl_fsm_global_esc | otp_ctrl_parallel_lc_esc | Verify the countermeasure(s) SCRMBL.FSM.GLOBAL_ESC. |
V2S | sec_cm_timer_fsm_global_esc | otp_ctrl_parallel_lc_esc otp_ctrl_sec_cm | Verify the countermeasure(s) TIMER.FSM.GLOBAL_ESC. |
V2S | sec_cm_part_data_reg_integrity | otp_ctrl_init_fail | Verify the countermeasure(s) PART.DATA_REG.INTEGRITY. |
V2S | sec_cm_part_data_reg_bkgn_chk | otp_ctrl_check_fail | Verify the countermeasure(s) PART.DATA_REG.BKGN_CHK. |
V2S | sec_cm_part_mem_regren | otp_ctrl_dai_lock | Verify the countermeasure(s) PART.MEM.REGREN. |
V2S | sec_cm_part_mem_sw_unreadable | otp_ctrl_dai_lock | Verify the countermeasure(s) PART.MEM.SW_UNREADABLE. |
V2S | sec_cm_part_mem_sw_unwritable | otp_ctrl_dai_lock | Verify the countermeasure(s) PART.MEM.SW_UNWRITABLE. |
V2S | sec_cm_lc_part_mem_sw_noaccess | otp_ctrl_dai_lock | Verify the countermeasure(s) LC_PART.MEM.SW_NOACCESS. |
V2S | sec_cm_access_ctrl_mubi | otp_ctrl_dai_lock | Verify the countermeasure(s) ACCESS.CTRL.MUBI. |
V2S | sec_cm_token_valid_ctrl_mubi | otp_ctrl_smoke | Verify the countermeasure(s) TOKEN_VALID.CTRL.MUBI. |
V2S | sec_cm_lc_ctrl_intersig_mubi | otp_ctrl_dai_lock | Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI. |
V2S | sec_cm_test_bus_lc_gated | otp_ctrl_smoke | Verify the countermeasure(s) TEST.BUS.LC_GATED. |
V2S | sec_cm_direct_access_config_regwen | otp_ctrl_regwen | Verify the countermeasure(s) DIRECT_ACCESS.CONFIG.REGWEN. |
V2S | sec_cm_check_trigger_config_regwen | otp_ctrl_smoke | Verify the countermeasure(s) CHECK_TRIGGER.CONFIG.REGWEN. |
V2S | sec_cm_check_config_regwen | otp_ctrl_smoke | Verify the countermeasure(s) CHECK.CONFIG.REGWEN. |
V2S | sec_cm_macro_mem_integrity | otp_ctrl_macro_errs | Verify the countermeasure(s) MACRO.MEM.INTEGRITY. |
V2S | sec_cm_macro_mem_cm | N/A | Verify the countermeasure(s) MACRO.MEM.CM. |
V3 | otp_ctrl_low_freq_read | otp_ctrl_low_freq_read | This test checks if OTP's read operation can operate successfully in a low clock frequency before the clock is calibrated. Stimulus and Checks: |
V3 | stress_all_with_rand_reset | otp_ctrl_stress_all_with_rand_reset | This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers. |
Covergroups
Name | Description |
---|---|
buf_err_code_cg | This is an array of covergroups to cover all applicable error codes in five buffered partitions. |
csr_rd_after_alert_cg | Covers if the following CSRs are being read and the value is checked in scoreboard after any fatal alert is triggered: |
dai_access_secret2_cg | Covers whether |
dai_err_code_cg | Covers all applicable error codes in DAI, and cross each error code with all 7 partitions. |
flash_addr_req_condition_cg | Covers the following conditions when |
flash_data_req_condition_cg | Covers the following conditions when |
flash_req_cg | Covers whether secret1 partition is locked during |
issue_checks_after_alert_cg | Covers if sequence issued various OTP_CTRL's background checks after any fatal alert is triggered. |
keymgr_o_cg | Covers the following conditions when scoreboard checks |
lc_esc_en_condition_cg | Covers the following conditions when |
lc_prog_cg | Covers whether the error bit is set during LC program request. |
lc_prog_req_condition_cg | Covers the following conditions when |
lci_err_code_cg | Covers all applicable error codes in LCI. |
otbn_req_cg | Covers whether secret1 partition is locked during |
otbn_req_condition_cg | Covers the following conditions when |
power_on_cg | Covers the following conditions when OTP_CTRL finishes power-on initialization: |
regwen_val_when_new_value_written_cg | Cover each lockable reg field with these 2 cases: This is only applicable if the block contains regwen and lockable CSRs. |
req_dai_access_after_alert_cg | Covers if sequence issued various DAI requests after any fatal alert is triggered. |
sram_0_req_condition_cg | Covers the following conditions when |
sram_1_req_condition_cg | Covers the following conditions when |
sram_req_cg | Covers whether secret1 partition is locked during all |
status_csr_cg | Covers the value of every bit in |
tl_errors_cg | Cover the following error cases on TL-UL bus: |
tl_intg_err_cg | Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check. Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, the design re-calculates the integrity with full word data and updates the integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verified. |
unbuf_access_lock_cg_wrap_cg | This is an array of covergroups to cover lock conditions below in three unbuffered partitions: |
unbuf_err_code_cg | This is an array of covergroups to cover all applicable error codes in three unbuffered partitions. |