ROM Controller DV document
Goals
- DV
- Verify all
rom_ctrl
IP features by running dynamic simulations with a SV/UVM based testbench - Develop and run all tests based on the testplan below towards closing code and functional coverage on the IP and all of its sub-modules
- Verify all
- FPV
- Verify TileLink device protocol compliance with an SVA based testbench
Current status
Design features
For detailed information on rom_ctrl
design features, please see the ROM Controller HWIP technical specification.
Testbench architecture
The rom_ctrl
testbench has been constructed based on the CIP testbench architecture.
Block diagram
Top level testbench
The top level testbench is located at hw/ip/rom_ctrl/dv/tb/tb.sv
.
It instantiates the rom_ctrl
DUT module hw/ip/rom_ctrl/rtl/rom_ctrl.sv
.
In addition, it instantiates the following interfaces, connects them to the DUT and sets their handle into uvm_config_db
:
- Clock and reset interface
- TileLink host interface
- Memory backdoor utility
rom_ctrl
IOs- Alerts (
pins_if
Common DV utility components
The following utilities provide generic helper tasks and functions to perform activities that are common across the project:
Compile-time configurations
There is only one compile-time configuration, where arbitrary values are chosen for compile-time constants.
TL_agent
The rom_ctrl
testbench instantiates (already handled in CIP base env) tl_agent.
This provides the ability to drive and independently monitor random traffic via both TL host interfaces into the DUT.
UVM RAL Model
The rom_ctrl
RAL model is created with the ralgen
FuseSoC generator script automatically when the simulation is at the build stage.
Stimulus strategy
Test sequences
The test sequences reside in hw/ip/rom_ctrl/dv/env/seq_lib
.
All test sequences are extended from rom_ctrl_base_vseq
, which is extended from cip_base_vseq
and serves as a starting point.
It provides commonly used handles, variables, functions and tasks that the test sequences can simple use / call.
Some of the most commonly used tasks / functions are as follows:
rom_ctrl_mem_init
: initialize the rom to random valuesdo_rand_ops
: drive random traffic into the rom TLUL interface
Functional coverage
To ensure high quality constrained random stimulus, it is necessary to develop a functional coverage model. The following covergroups have been developed to prove that the test intent has been adequately met:
- TODO
Self-checking strategy
Scoreboard
The rom_ctrl_scoreboard
is primarily used for end to end checking.
It creates the following analysis ports to retrieve the data monitored by corresponding interface agents:
kmac_req_fifo
kmac_resp_fifo
The scoreboard monitors traffic sent to and from the KMAC interface. Data sent to KMAC during rom checking are compared against expected values from the memory model. The data received from the KMAC interface are used to update expected digest values and expected check pass/fail values.
Traffic from the ROM TLUL interface is monitored and compared against memory model to check for correctness.
Assertions
- TLUL assertions: The
tb/rom_ctrl_bind.sv
file binds thetlul_assert
assertions to the IP to ensure TileLink interface protocol compliance. - Unknown checks on DUT outputs: The RTL has assertions to ensure all outputs are initialized to known values after coming out of reset.
Building and running tests
We are using our in-house developed regression tool for building and running our tests and regressions. Please take a look at the link for detailed information on the usage, capabilities, features and known issues. Here’s how to run a smoke test:
$ $REPO_TOP/util/dvsim/dvsim.py $REPO_TOP/hw/ip/rom_ctrl/dv/rom_ctrl_sim_cfg.hjson -i rom_ctrl_smoke
Testplan
Testpoints
Milestone | Name | Tests | Description |
---|---|---|---|
V1 | smoke | rom_ctrl_smoke | Smoke test exercising the main features of rom_ctrl. Stimulus:
Checks:
|
V1 | csr_hw_reset | rom_ctrl_csr_hw_reset | Verify the reset values as indicated in the RAL specification.
|
V1 | csr_rw | rom_ctrl_csr_rw | Verify accessibility of CSRs as indicated in the RAL specification.
|
V1 | csr_bit_bash | rom_ctrl_csr_bit_bash | Verify no aliasing within individual bits of a CSR.
|
V1 | csr_aliasing | rom_ctrl_csr_aliasing | Verify no aliasing within the CSR address space.
|
V1 | csr_mem_rw_with_rand_reset | rom_ctrl_csr_mem_rw_with_rand_reset | Verify random reset during CSR/memory access.
|
V1 | regwen_csr_and_corresponding_lockable_csr | rom_ctrl_csr_rw rom_ctrl_csr_aliasing | Verify regwen CSR and its corresponding lockable CSRs.
Note:
This is only applicable if the block contains regwen and locakable CSRs. |
V1 | mem_walk | rom_ctrl_mem_walk | Verify accessibility of all memories in the design.
|
V1 | mem_partial_access | rom_ctrl_mem_partial_access | Verify partial-accessibility of all memories in the design.
|
V2 | max_throughput_chk | rom_ctrl_max_throughput_chk | This test is intended to test the max throughput of ROM controller. It takes N+1 cycles to finish N ROM read accesses. Checks:
|
V2 | stress_all | rom_ctrl_stress_all |
|
V2 | kmac_err_chk | rom_ctrl_kmac_err_chk |
|
V2 | alert_test | rom_ctrl_alert_test | Verify common
|
V2 | tl_d_oob_addr_access | rom_ctrl_tl_errors | Access out of bounds address and verify correctness of response / behavior |
V2 | tl_d_illegal_access | rom_ctrl_tl_errors | Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the [TLUL spec]({{< relref "hw/ip/tlul/doc/_index.md#explicit-error-cases" >}})
|
V2 | tl_d_outstanding_access | rom_ctrl_csr_hw_reset rom_ctrl_csr_rw rom_ctrl_csr_aliasing rom_ctrl_same_csr_outstanding | Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address. |
V2 | tl_d_partial_access | rom_ctrl_csr_hw_reset rom_ctrl_csr_rw rom_ctrl_csr_aliasing rom_ctrl_same_csr_outstanding | Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields. |
V2S | corrupt_sig_fatal_chk | rom_ctrl_corrupt_sig_fatal_chk | Corrupt integrity of signals like the select signal to addr mux. Checks:
|
V2S | passthru_mem_tl_intg_err | rom_ctrl_passthru_mem_tl_intg_err | Verify data integrity is stored in the passthru memory rather than generated after a read.
|
V2S | tl_intg_err | rom_ctrl_tl_intg_err rom_ctrl_sec_cm | Verify that the data integrity check violation generates an alert.
|
V2S | prim_fsm_check | rom_ctrl_sec_cm | Verify that entering to an undefined state generates a fatal alert. Stimulus:
Checks:
|
V2S | sec_cm_checker_ctr_consistency | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) CHECKER.CTR.CONSISTENCY. Once rom_ctrl has handed control of the mux to the bus, the internal FSM counter should point at the top of ROM. The unexpected_counter_change signal in rom_ctrl_fsm goes high and generates a fatal alert if that counter is perturbed in any way. To test this, addr_q in the counter is corrupted with any value other than the ROM's top address. |
V2S | sec_cm_checker_ctrl_flow_consistency | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) CHECKER.CTRL_FLOW.CONSISTENCY. The main checker FSM steps on internal 'done' signals, coming from its address counter, the KMAC response and its comparison counter. If any of these are asserted at times we don't expect, the FSM jumps to an invalid state. This triggers an alert and will not set the external 'done' signal for pwrmgr to continue boot. |
V2S | sec_cm_checker_fsm_local_esc | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) CHECKER.FSM.LOCAL_ESC. Check that fsm_state reaches invalid state whenever a fatal alert is signalled. |
V2S | sec_cm_compare_ctrl_flow_consistency | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) COMPARE.CTRL_FLOW.CONSISTENCY. The main checker FSM steps on internal 'done' signals, coming from its address counter, the KMAC response and its comparison counter. If any of these are asserted at times we don't expect, the FSM jumps to an invalid state. This triggers an alert and will not set the external 'done' signal for pwrmgr to continue boot. To test this start_checker signal from rom_ctrl_fsm is asserted randomly. |
V2S | sec_cm_compare_ctr_consistency | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) COMPARE.CTR.CONSISTENCY. The hash comparison module has an internal count. If this glitches to a nonzero value before the comparison starts or to a value other than the last index after the comparison ends then a fatal alert is generated. |
V2S | sec_cm_fsm_sparse | rom_ctrl_sec_cm | Verify the countermeasure(s) FSM.SPARSE. |
V2S | sec_cm_mem_scramble | rom_ctrl_smoke | Verify the countermeasure(s) MEM.SCRAMBLE. Check that The ROM is scrambled. |
V2S | sec_cm_mem_digest | rom_ctrl_smoke | Verify the countermeasure(s) MEM.DIGEST. Check that a cSHAKE digest is computed of the ROM contents. |
V2S | sec_cm_intersig_mubi | rom_ctrl_smoke | Verify the countermeasure(s) INTERSIG.MUBI. |
V2S | sec_cm_bus_integrity | rom_ctrl_tl_intg_err | Verify the countermeasure(s) BUS.INTEGRITY. |
V2S | sec_cm_bus_local_esc | rom_ctrl_corrupt_sig_fatal_chk rom_ctrl_kmac_err_chk | Verify the countermeasure(s) BUS.LOCAL_ESC. Check that in invalid state, rvalid is not asserted. |
V2S | sec_cm_mux_mubi | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) MUX.MUBI. The mux that arbitrates between the checker and the bus is multi-bit encoded. An invalid value generates a fatal alert with the sel_invalid signal in rom_ctrl_mux module. To test this rom_select_bus_o is forced with any value other than MuBi4True and MuBi4False. |
V2S | sec_cm_mux_consistency | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) MUX.CONSISTENCY. The mux that arbitrates between the checker and the bus gives access to the checker at the start of time and then switches to the bus, never going back. If a glitch does cause it to switch back, a fatal alert is generated with the sel_reverted or sel_q_reverted_q signals in the rom_ctrl_mux module. To test this rom_select_bus_o is forced to MuBi4False after rom check is completed. |
V2S | sec_cm_ctrl_redun | rom_ctrl_corrupt_sig_fatal_chk | Verify the countermeasure(s) CTRL.REDUN. Inject errors into bus_rom_rom_index (which is how an attacker would get a different memory word) and then check that the data that gets read doesn't match the data stored at the glitched address. |
V2S | sec_cm_ctrl_mem_integrity | rom_ctrl_passthru_mem_tl_intg_err | Verify the countermeasure(s) MEM.INTEGRITY. |
Covergroups
Name | Description |
---|---|
regwen_val_when_new_value_written_cg | Cover each lockable reg field with these 2 cases:
This is only applicable if the block contains regwen and locakable CSRs. |
rom_ctrl_check_cg | Collect coverage on the outputs sent to the power manager to confirm that we see pass and fail results. |
rom_ctrl_kmac_cg | Collect coverage on the rom_ctrl / kmac interface, specifically around stalling and back-pressure behavior. The agent needs to cover the case where the kmac returns a digest before the rom_ctrl finishes reading the expected digest from memory, and also after. |
rom_ctrl_tlul_cg | -Collect coverage on the two TLUL interfaces, specifically checking that we see requests around the same time as the rom check completes.
|
tl_errors_cg | Cover the following error cases on TL-UL bus:
|
tl_intg_err_cg | Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check. Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied. |