OTP_CTRL DV Plan

Goals

  • DV
    • Verify all OTP_CTRL IP features by running dynamic simulations with a SV/UVM based testbench
    • Develop and run all tests based on the testplan below towards closing code and functional coverage on the IP and all of its sub-modules
  • FPV
    • Verify TileLink device protocol compliance with an SVA based testbench

Current status

Design features

For detailed information on OTP_CTRL design features, please see the OTP_CTRL HWIP technical specification.

Testbench architecture

OTP_CTRL testbench has been constructed based on the CIP testbench architecture.

Block diagram

Block diagram

Top level testbench

Top level testbench is located at hw/ip/otp_ctrl/dv/tb/tb.sv. It instantiates the OTP_CTRL DUT module hw/ip/otp_ctrl/rtl/otp_ctrl.sv. In addition, it instantiates the following interfaces, connects them to the DUT and sets their handle into uvm_config_db:

Common DV utility components

The following utilities provide generic helper tasks and functions to perform activities that are common across the project:

Compile-time configurations

[list compile time configurations, if any and what are they used for]

Global types & methods

All common types and methods defined at the package level can be found in otp_ctrl_env_pkg. Some of them in use are:

[list a few parameters, types & methods; no need to mention all]

TL_agent

OTP_CTRL testbench instantiates (already handled in CIP base env) tl_agent which provides the ability to drive and independently monitor random traffic via TL host interface into OTP_CTRL device.

UVC/agent 1

[Describe here or add link to its README]

UVC/agent 2

[Describe here or add link to its README]

UVM RAL Model

The OTP_CTRL RAL model is created with the ralgen FuseSoC generator script automatically when the simulation is at the build stage.

It can be created manually by invoking regtool:

Reference models

[Describe reference models in use if applicable, example: SHA256/HMAC]

Stimulus strategy

Test sequences

All test sequences reside in hw/ip/otp_ctrl/dv/env/seq_lib. The otp_ctrl_base_vseq virtual sequence is extended from cip_base_vseq and serves as a starting point. All test sequences are extended from otp_ctrl_base_vseq. It provides commonly used handles, variables, functions and tasks that the test sequences can simple use / call. Some of the most commonly used tasks / functions are as follows:

  • task 1:
  • task 2:

Functional coverage

To ensure high quality constrained random stimulus, it is necessary to develop a functional coverage model. The following covergroups have been developed to prove that the test intent has been adequately met:

  • cg1:
  • cg2:

Self-checking strategy

Scoreboard

The otp_ctrl_scoreboard is primarily used for end to end checking. It creates the following analysis ports to retrieve the data monitored by corresponding interface agents:

  • analysis port1:
  • analysis port2:

Assertions

  • TLUL assertions: The tb/otp_ctrl_bind.sv binds the tlul_assert assertions to the IP to ensure TileLink interface protocol compliance.
  • Unknown checks on DUT outputs: The RTL has assertions to ensure all outputs are initialized to known values after coming out of reset.
  • assert prop 1:
  • assert prop 2:

Building and running tests

We are using our in-house developed regression tool for building and running our tests and regressions. Please take a look at the link for detailed information on the usage, capabilities, features and known issues. Here’s how to run a smoke test:

$ $REPO_TOP/util/dvsim/dvsim.py $REPO_TOP/hw/ip/otp_ctrl/dv/otp_ctrl_sim_cfg.hjson -i otp_ctrl_smoke

Testplan

Milestone Name Description Tests
V1 wake_up

Wake_up test walks through otp_ctrl's power-on initialization, read, program, and digest functionalities.

  • Drive pwrmgr's request pin to trigger OTP initialization after reset, check status after OTP initialization
  • Write all-ones to a random address within OTP partition 0, wait until this operation completes
  • Read out the random selected write address, check if the readout value is all-ones
  • Trigger a digest calculation for a Software partition, check if the OtpError interrupt is set
  • Trigger a digest calculation for a non-software partition, expect operation completes without the OtpError interrupt
  • Read out secrets through the hardware interfaces
otp_ctrl_wake_up
V1 smoke

Otp_ctrl smoke test to provision and lock partitions.

  • Drive pwrmgr's request pin to trigger OTP initialization after reset, check status after OTP initialization
  • Read out keys from key_manager, flash, SRAM, OTBN
  • Write random values to random addresses within each OTP partition
  • Read out the random selected write addresses, check if the readout values are expected
  • Perform a system-level reset and check corresponding CSRs are set correctly
  • Lock all partitions except life_cycle by triggering digest calculations
  • Read back and verify the digest
  • Perform a system-level reset to verify the corresponding CSRs exposing the digests have been populated
otp_ctrl_smoke
V1 csr_hw_reset

Verify the reset values as indicated in the RAL specification.

  • Write all CSRs with a random value.
  • Apply reset to the DUT as well as the RAL model.
  • Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs.
  • It is mandatory to run this test for all available interfaces the CSRs are accessible from.
  • Shuffle the list of CSRs first to remove the effect of ordering.
otp_ctrl_csr_hw_reset
V1 csr_rw

Verify accessibility of CSRs as indicated in the RAL specification.

  • Loop through each CSR to write it with a random value.
  • Read the CSR back and check for correctness while adhering to its access policies.
  • It is mandatory to run this test for all available interfaces the CSRs are accessible from.
  • Shuffle the list of CSRs first to remove the effect of ordering.
otp_ctrl_csr_rw
V1 csr_bit_bash

Verify no aliasing within individual bits of a CSR.

  • Walk a 1 through each CSR by flipping 1 bit at a time.
  • Read the CSR back and check for correctness while adhering to its access policies.
  • This verify that writing a specific bit within the CSR did not affect any of the other bits.
  • It is mandatory to run this test for all available interfaces the CSRs are accessible from.
  • Shuffle the list of CSRs first to remove the effect of ordering.
otp_ctrl_csr_bit_bash
V1 csr_aliasing

Verify no aliasing within the CSR address space.

  • Loop through each CSR to write it with a random value
  • Shuffle and read ALL CSRs back.
  • All CSRs except for the one that was written in this iteration should read back the previous value.
  • The CSR that was written in this iteration is checked for correctness while adhering to its access policies.
  • It is mandatory to run this test for all available interfaces the CSRs are accessible from.
  • Shuffle the list of CSRs first to remove the effect of ordering.
otp_ctrl_csr_aliasing
V1 csr_mem_rw_with_rand_reset

Verify random reset during CSR/memory access.

  • Run csr_rw sequence to randomly access CSRs
  • If memory exists, run mem_partial_access in parallel with csr_rw
  • Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value
  • It is mandatory to run this test for all available interfaces the CSRs are accessible from.
otp_ctrl_csr_mem_rw_with_rand_reset
V1 mem_walk

Verify accessibility of all memories in the design.

  • Run the standard UVM mem walk sequence on all memories in the RAL model.
  • It is mandatory to run this test from all available interfaces the memories are accessible from.
otp_ctrl_mem_walk
V1 mem_partial_access

Verify partial-accessibility of all memories in the design.

  • Do partial reads and writes into the memories and verify the outcome for correctness.
  • Also test outstanding access on memories
otp_ctrl_mem_partial_access
V2 all_partitions

Based on the smoke test, this test ensures every address in each partition can be accessed successfully within its access policy.

V2 partition_check_failure

Randomly program partition check related registers including: check_timeout, integrity_check_period, consistency_check_period, and check_trigger. Then backdoor write OTP_macro to create parity, digest, and OTP memory errors

  • Check if the corresponding alerts are triggered
  • Check if the error_code register is set correctly
V2 partition_lock

This test will cover two methods of locking read and write: digest calculation and CSR write. After locking the partitions, issue read or program sequences and check if the operations are locked correctly, and check if the AccessError is set.

V2 interface_key_check

OTP_CTRL can output keys to key_manager, flash, sram, and OTBN. This test will modify inputs and OTP storage, the check if generated keys are correct.

V2 lc_interactions

This test check otp and life_cycle interactions.

  • Initialize life_cycle, secret0, and secret2 partitions
  • Check if otp_lc_data_o is asserted correctly
  • Randomly issue the following three sequences:
  • Seq 1. State transitions via the programming interface
  • Seq 2. Token hashing
  • Seq 3. Trigger escalation_en
otp_ctrl_lc
V2 otp_macro_errors

This test will randomly run the following OTP errors:

  • MacroError
  • MacroEccCorrError
  • MacroEccUncorrError
  • MacroWriteBlankError

The test will check:

  • The value of err_code and status registers
  • If error is unrecoverable, ensure that OTP entered terminal state
V2 otp_ctrl_errors

This test will randomly run the following OTP errors:

  • CheckFailError
  • FsmStateError

The test will check:

  • The value of err_code and status registers
  • If error is unrecoverable, ensure that OTP entered terminal state
V2 test_access

This test checks if the test access to OTP macro is connected correctly.

  • Read out from the test access window and ensure no error occurs
V2 stress_all
  • Combine above sequences in one test to run sequentially, except csr sequence
  • Randomly add reset between each sequence
V2 intr_test

Verify common intr_test CSRs that allows SW to mock-inject interrupts.

  • Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s).
  • Randomly "turn on" interrupts by writing random value(s) to intr_test CSR(s).
  • Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR.
  • Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set.
  • Clear a random set of interrupts by writing a randomly value to intr_state CSR(s).
  • Repeat the above steps a bunch of times.
otp_ctrl_intr_test
V2 alert_test

Verify common alert_test CSR that allows SW to mock-inject alert requests.

  • Enable a random set of alert requests by writing random value to alert_test CSR.
  • Check each alert_tx.alert_p pin to verify that only the requested alerts are triggered.
  • During alert_handshakes, write alert_test CSR again to verify that: If alert_test writes to current ongoing alert handshake, the alert_test request will be ignored. If alert_test writes to current idle alert handshake, a new alert_handshake should be triggered.
  • Wait for the alert handshakes to finish and verify alert_tx.alert_p pins all sets back to 0.
  • Repeat the above steps a bunch of times.
otp_ctrl_alert_test
V2 tl_d_oob_addr_access

Access out of bounds address and verify correctness of response / behavior

otp_ctrl_tl_errors
V2 tl_d_illegal_access

Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested

  • TL-UL protocol error cases
    • Unsupported opcode. e.g a_opcode isn't Get, PutPartialData or PutFullData
    • Mask isn't all active if opcode = PutFullData
    • Mask isn't in enabled lanes, e.g. a_address = 0x00, a_size = 0, a_mask = 'b0010
    • Mask doesn't align with address, e.g. a_address = 0x01, a_mask = 'b0001
    • Address and size aren't aligned, e.g. a_address = 0x01, a_size != 0
    • Size is over 2.
  • OpenTitan defined error cases
    • Access unmapped address, return d_error = 1 when devmode_i == 1
    • Write CSR with unaligned address, e.g. a_address[1:0] != 0
    • Write CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
    • Write a memory without enabling all lanes (a_mask = '1) if memory doesn't support byte enabled write
    • Read a WO (write-only) memory
otp_ctrl_tl_errors
V2 tl_d_outstanding_access

Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.

otp_ctrl_csr_hw_reset
otp_ctrl_csr_rw
otp_ctrl_csr_aliasing
otp_ctrl_same_csr_outstanding
V2 tl_d_partial_access

Access CSR with one or more bytes of data For read, expect to return all word value of the CSR For write, enabling bytes should cover all CSR valid fields

otp_ctrl_csr_hw_reset
otp_ctrl_csr_rw
otp_ctrl_csr_aliasing
otp_ctrl_same_csr_outstanding