Verify transmission of data over the TX and RX port.

SW test sends a known payload over the TX port. The testbench, at the same time sends a known payload over RX. On reception, both payloads are checked for integrity. SW validates the reception of TX watermark, RX watermark, and the TX empty interrupts. Choosing the max supported baud rate for the UART is sufficient. Verify each UART instance at the chip level independently.

Verify the RX overflow interrupt.

The testbench sends a random payload of size greater than the RX fifo size (32). The SW ignores the received the data to allow the RX overflow interrupt to assert. Verify each UART instance at the chip level independently.

Verify GPIO outputs.

SW test configures the GPIO to be in the output mode. The test walks a 1 through the pins. The testbench checks the value for correctness.

Verify GPIO inputs.

The SW test configures the GPIO to be in input mode and enables all of them to generate an interrupt. The testbench walks a 1 through the pins. SW test ensures that the interrupt corresponding to the right pin is seen.

Verify the reset values as indicated in the RAL specification.

• Write all CSRs with a random value.
• Apply reset to the DUT as well as the RAL model.
• Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs.
• It is mandatory to run this test for all available interfaces the CSRs are accessible from.
• Shuffle the list of CSRs first to remove the effect of ordering.

Verify accessibility of CSRs as indicated in the RAL specification.

• Loop through each CSR to write it with a random value.
• Read the CSR back and check for correctness while adhering to its access policies.
• It is mandatory to run this test for all available interfaces the CSRs are accessible from.
• Shuffle the list of CSRs first to remove the effect of ordering.

Verify no aliasing within individual bits of a CSR.

• Walk a 1 through each CSR by flipping 1 bit at a time.
• Read the CSR back and check for correctness while adhering to its access policies.
• This verify that writing a specific bit within the CSR did not affect any of the other bits.
• It is mandatory to run this test for all available interfaces the CSRs are accessible from.
• Shuffle the list of CSRs first to remove the effect of ordering.

Verify no aliasing within the CSR address space.

• Loop through each CSR to write it with a random value
• Shuffle and read ALL CSRs back.
• All CSRs except for the one that was written in this iteration should read back the previous value.
• The CSR that was written in this iteration is checked for correctness while adhering to its access policies.
• It is mandatory to run this test for all available interfaces the CSRs are accessible from.
• Shuffle the list of CSRs first to remove the effect of ordering.

Verify random reset during CSR/memory access.

• Run csr_rw sequence to randomly access CSRs
• If memory exists, run mem_partial_access in parallel with csr_rw
• Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value
• It is mandatory to run this test for all available interfaces the CSRs are accessible from.

Verify shadow registers' update and storage errors.

• Issue reset at random to clear all the internal stored values and phases trackers in shadow registers.
• Select all the shadow registers and a random amount of the rest of the non-excluded registers. Shuffle and write random values to the selected registers. For shadow registers, the second write is not enabled. There is a 50% possibility that the shadow register's write value is identical to its previous write value. If shadow register's second write value does not match the first write value, ensure that the update error alert is triggered.
• Randomly inject storage errors by modifying the shadow register's staged or committed values via backdoor method. Ensure that the storage error alert is triggered.
• Randomly decide to read all the non-excluded registers or fields. Then check the read values against predicted values. A read on a shadow register will clear its phase tracker.
• Repeat the above steps a bunch of times.

Verify accessibility of all memories in the design.

• Run the standard UVM mem walk sequence on all memories in the RAL model.
• It is mandatory to run this test from all available interfaces the memories are accessible from.

Verify partial-accessibility of all memories in the design.

• Do partial reads and writes into the memories and verify the outcome for correctness.
• Also test outstanding access on memories

Sequentially test each host to access any device

Verify the transmission of data on the chip's SPI device port.

The testbench sends a known payload over the chip's SPI device input port. The SW test, at the same time sends a known payload out over the chip's SPI device output port. On reception, both payloads are checked for integrity. SW validates the reception of RX fifo full, RX fifo over level, TX fifo under level, RX overflow and TX underflow interrupts. Run with min and max SPI clk frequencies. Also, run with single, dual and quad SPI modes. Also, ensure that the spi_device does not recieve transactions when the csb is high.

Verify the SPI device in EEPROM mode.

SW puts the SPI device in EEPROM mode and allows a firmware image (a.k.a. a known payload) to be downloaded into the in-built EEPROM. SW verifies the integrity of the payload upon reception by reading the EEPROM. Details TBD since the feature is NA yet.

Verify the transmission of data on the chip's SPI host port.

Details TBD. Run with min and max SPI clk frequencies. Also, run with single, dual, and quad SPI modes.

Verifies the pass through mode from an end-to-end perspective.

SW configures the SPI device and host in pass through mode. The testbench sends a random payload over the SPI device interface and verifies its integrity on the SPI host interface. Run with min and max SPI clk frequencies. Also, run with single, dual, and quad SPI modes. Details TBD.

Verify the transmission of data over the chip's I2C host interface.

The SW test writes a known data over the chip's I2C host interface, which is verified by the testbench (which acts as the I2C device). Likewise, SW test then reads and verifies a known data. SW validates the reception of RX watermark, FMT overflow, RX overflow, NAK, FMT watermark and trans complete interrupts (the SW test / testbench work together to create those scenarios). Verify all instances of I2C in the chip independently.

Verify the transmission of data over the chip's I2C device interface.

The testbench writes a known data over the chip's I2C device interface, which is verified by the SW test for correctness. Testbench then reads and verifies a known data. SW validates the reception of TBD interrupts (the SW test / testbench create those scenarios). Verify all instances of I2C in the chip independently.

Verify the transmission of single-ended data over the USB at full speed. As a part of this test, the enablement of USB pullup is also expected to be verified.

Details TBD.

Verify the transmission of data over the USB at full speed. As a part of this test, the enablement of USB pullup is also expected to be verified. In this test, the USB is configured in differential mode.

Details TBD.

Verify that the USB device can detect the presence of VBUS from the USB host.

TBD.

Verify that the USB device can detect the presence of VBUS from the USB host.

TBD.

Same as the above, but tested with low power entry/exit.

TBD.

Verify the MIO muxing at input and output sides.

SW programs MIO INSEL and OUTSEL CSRs to connect and verify each muxed source. At the moment, GPIOs are the only mux inputs.

Verify the MIO output values in deep sleep state.

SW programs the MIO OUTSEL CSRs to to ensure that in deep sleep it randomly picks between tie-0, tie-1 or hi-Z for all muxed outputs coming from non-AON IPs. If an AON peripheral output is muxed, then that peripheral's output is selected to ensure in deep sleep the peripheral can continue its signaling even in deep sleep. The testbench verifies the correctness of the reflected values once the chip goes into deep sleep. This is replicated for DIO pins as well.

Verify pin wake up from deep sleep state.

Verify one of the 8 possible MIO or DIO pad inputs (randomly configured) can cause the chip to wake up from sleep state. Verifying wake on posedge is sufficient for the chip level integration testing. Upon wake up, SW reads the wake cause CSR to verify correctness.

Verify pad attribute settings for all MIO and DIO pads.

Verify access to the debug mem from the CPU.

Verify access to the debug mem from the external JTAG interface.

Verify debug request to Ibex while it is actively executing.

Verify non-debug reset req initiated from RV_DM when the chip is awake.

Read CSRs / mem within all IPs in the chip to ensure that they are reset to the original values. Read CSRs / mem in the debug domain to ensure that the values survive the reset.

Verify non-debug reset req initiated from RV_DM when the chip is in deep sleep.

Read CSRs / mem within all IPs in the chip to ensure that they are reset to the original values. Read CSRs / mem in the debug domain to ensure that the values survive the reset. There are also other modules such as clk, pwr, rstmgr which survive this reset. Verify those as well.

TODO: rv_dm currently is not on the AON domain, so this feature does not exist ATM. Need discussion with SW/Nuvoton.

Verify ability to select all available TAPs.

Details TBD.

Verify that the debug capabilities are disabled in certain life cycle stages.

Verify that the debug mem is inaccessible from the CPU as well as external JTAG. Details TBD. X-ref'ed with the LC tests.

Verify pattern generation to chip output pads.

SW programs pattgen to generate distinct patterns on both groups. SW programs pinmux to select pattgen outputs to be routed. SW validates the reception of patt_done interrupts. Testbench verifies the correctness of the pattern seen on the IO pins.

Verify PWM signaling to chip output pads during deep sleep

PWM is in the AON domain. During deep sleep, we should be able to signal the 3 external LEDs that are connected to the PWM signals. Details TBD.

Verify the timeout interrupt from all timer instances.

The SW test configures the RV_TIMER to generate interrupt after a set timeout. The SW test validates the received interrupt. The testbench verifies that the interrupt was fired only after the timeout elapsed. Verify all instances of the RV_Timer.

Verify the timer in the AON domain can wake up the chip from sleep.

Verify the watchdog bark reception in awake state.

Verify the watchdog bite causing reset in awake state.

Verify the watchdog bark wake up from sleep state.

Verify the watchdog bite reset from sleep state.

Verify all interrupts from all peripherals aggregated at the PLIC.

The automated SW test enables all interrupts at the PLIC to interrupt the core. It uses the intr_test CSR in each peripheral to mock assert an interrupt, looping through all available interrupts in that peripheral. The ISR verifies that the right interrupt occurred. This is used as a catch-all interrupt test for all peripheral integration testing within which functionally asserting an interrupt is hard to achieve or not of high value.

Verify the SW interrupt to the CPU.

Enable all peripheral interrupts at PLIC. Enable all types of interrupt at the CPU core. Write to the MSIP CSR to generate a SW interrupt to the CPU. Verify that the only interrupt that is seen is the SW interrupt.

Verify the NMI interrupt to the CPU and correctness of the cause.

TBD if multiple NMI irqs are OR-ed into the CPU (example - NMI from alert handler and the watchdog bark), then map each test to this testpoint.

Verify the ability to turn off the transactional clock via SW.

Ensure that activity in any of the IPs running on this clock prevents the clock from actually being turned off. Verify that turning off this clock does not affect the other derived clocks.

Verify the ability to turn off the peripheral clock via SW.

Verify clk division logic is working correctly.

Verify the cold boot sequence through the wiggling of por_rst_n.

This mainly ensures that both FSMs are properly reset on the POR signal. Details TBD.

Verify that the chip can go into normal sleep state and be woken up by ALL wake up sources.

This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is working correctly as expected. X-ref'ed with all individual IP tests.

Verify that the chip can go into normal sleep state and be reset by ALL reset req sources.

This verifies ALL reset sources. This also verifies that the pwrmgr sequencing is working correctly as expected. X-ref'ed with all individual IP tests.

Verify that the chip can go into deep sleep state and be woken up by ALL wake up sources.

This verifies ALL wake up sources. This also verifies that the pwrmgr sequencing is working correctly as expected. X-ref'ed with all individual IP tests.

Verify that the chip can go into deep sleep state and be reset up by ALL reset req sources.

This verifies ALL reset sources. This also verifies that the pwrmgr sequencing is working correctly as expected. X-ref'ed with all individual IP tests.

Verify that the chip can be reset by ALL available reset sources.

This verifies ALL reset sources. This also verifies that the pwrmgr sequencing is working correctly as expected. X-ref'ed with all individual IP tests.

Verify the effect of main_pok de-assertion in the middle of low power entry / exit FSM transition.

The main_pok from AST is randomly forced to flip while in the middle of a FSM transition. This is done on all normal / deep sleep / reset request tests.

Verify that the pwrmge sequences sleep_req and reset req coming in almost at the same time, one after the other.

Verify that when the chip being in "debuggable" state prevent the low power entry.

Verify that the chip cannot be woken up from sleep from a wake up source that is disabled.

Verify that the chip cannot be reset from a reset source that is disabled.

Verify that the chip cannot be woken up from sleep from a reset source that is disabled.

Verify that the chip does not go to sleep on WFI when low power hint is 0.

Verify that the chip sleep falls through when an interrupt arrives just in time before the pwrmgr iniitates the low power entry.

Verify that the chip sleep transition aborts due to an active flash / lifecycle / OTP transaction.

Verify all alerts coming into the alert_handler.

X-ref'ed with all IP tests.

Verify all classes of alert handler interrupts to the CPU.

Program each alert to cause an interrupt in each class. SW validates the reception of the interrupt. X-ref'ed with all IP tests.

Verify all alert handler escalation irqs.

Details TBD.

Verify the alert handler entropy input to ensure pseudo-random ping timer.

Details TBD.

Verify the alert handler crashdump signal.

Details TBD.

Verify the alert ping failure results in an escalation.

Details TBD.

Verify the AES operation.

Write a 32-byte key and a 16-byte plain text to the AES registers and trigger the AES computation to start. Wait for the AES operation to complete by polling the status register (or interrupt if available). Check the digest registers for correctness against the expected digest value.

Verify shadow reg alert from AES.

Inject a storage error via backdoor to generate this alert signal while the SW is actively executing some piece of code. Verify alert propagation to an NMI.

Verify AES idle signaling to clkmgr.

Details TBD.

Verify HMAC / SHA256 operation.

SW test verifies SHA256 operation with a known key, plain text and digest (pick one of the NIST vectors). SW validates the reception of hmac done and fifo empty interrupts.

Verify alert from HMAC.

Details TBD.

Verify HMAC idle signaling to clkmgr.

Details TBD.

Verify the SHA3 operation.

SW test verifies SHA3 operation with a known key, plain text and digest (pick one of the NIST vectors). SW validates the reception of kmac done and fifo empty interrupts.

Verify the SRAM uncorrectable alert from KMAC.

Inject 2 bit errors within the SRAM inside KMAC via backdoor and ensure that this alert propagates to an NMI.

Verify the data parity alert from KMAC.

Details TBD.

Verify the keymgr interface to KMAC.

X-ref'ed with keymgr test.

Verify KMAC idle signaling to clkmgr.

Details TBD.

Verify the cmd interface to CSRNG.

Details TBD. SW test validates the reception of cmd req done interrupt.

Verify the interface to entropy_src.

Details TBD.

Verify the fuse input to CSRNG.

Details TBD.

Verify the RNG req to ast.

Details TBD. SW test validates the reception of the entropy valid interrupt.

Verify the fuse input entropy_src.

Details TBD.

Verify an OTBN operation.

SW test directs the BIGNUM engine to perform an operation. The BIGNUM SW image is backdoor loaded into OTBN IMEM. SW validates the reception of the otbn done interrupt. SW also verifies the correctness of the OTBN operation using a reference model. Details TBD.

Verify the imem uncorrectable alert from OTBN.

Inject 2 bit errors within the IMEM SRAM inside OTBN via backdoor and ensure that this alert propagates to an NMI.

Verify the dmem uncorrectable alert from OTBN.

Inject 2 bit errors within the DMEM SRAM inside OTBN via backdoor and ensure that this alert propagates to an NMI.

Verify the reg uncorrectable alert from OTBN.

Details TBD. Ensure that this alert propagates to an NMI.

Verify the encryption of the mem within OTBN using the key provided by the OTP.

Details TBD.

Verify OTBN idle signaling to clkmgr.

Details TBD.

Verify access to the rom.

Verify that the CPU can fetch instructions from the ROM. Nothing extra needs to be done here - all SW tests do this anyway.

Verify ROM security / ECC features if available.

Details TBD.

Verify access to the SRAM.

Verify that the CPU can fetch data from the SRAM. Nothing extra needs to be done here - all SW tests do this anyway.

Verify scrambling of the SRAM data.

SW enables scrambling within the SRAM. Ensure that the data written to the SRAM is scrambled and likewise, when read from the SRAM is de-scrambled correctly via backdoor. The key and nonce for the scrambling is supplied by the OTP.

Verify access to the retention SRAM.

Verify that the CPU can fetch data from the retention SRAM.

Verify scrambling of the retention SRAM data.

SW enables scrambling within the retention SRAM. Ensure that the data written to the SRAM is scrambled and likewise, when read from the SRAM is de-scrambled correctly via backdoor. The key and nonce for the scrambling is supplied by the OTP.

Verify that the data within the retention SRAM survives low power entry-exit.

Ensure that the data within the retention SRAM survives ALL low power entry-exit variations.

TODO: how to deal with the scramble keys on low power exit?

Verify the OPT initialization on chip power up.

Details TBD.

Verify the proliferation of keys to security peripherals.

Ensure that the correct set of keys are provided to sram, sram_ret, flash, keymgr and the OTBN. X-ref'ed with those individual IP tests.

Verify the OTP program req from LC.

Ensure that the correct set of keys are provided to sram, sram_ret, flash, keymgr and the OTBN. X-ref'ed with those individual IP tests.

Verify access to the flash mem.

Verify that the CPU can read the flash mem contents.

Verify flash ctrl ops.

Verify that the CPU can read / program and erase the flash mem. Pick an operation on both data and info partitions. Erase both, bank and page. SW validates the reception of prog empty, prog level, rd full, rd level and op done interrupts.

Verify flash scrambling via the controller.

Verify that the CPU can program and read back data via the flash ctrl with scrambling enabled.

Verify flash scrambling via the host interface.

Verify that the CPU read data from the flash with scrambling enabled.

Verify that power down signaling from AST to flash.

Details TBD.

Verify that flash test mode and flash volt signaling from chip IOs.

Details TBD.

Verify pass through of key in to key out.

Details TBD.

Verify pass through of power button signal in to out.

Details TBD.

Verify the RBOX can detect AC present input.

Details TBD.

Verify the RBOX can signal battery enabled output.

Details TBD.

Verify the RBOX can detect EC entering RW mode input.

Details TBD.

Verify the RBOX can signal EC in RW mode output.

Details TBD.

Verify the RBOX can signal EC reset output.

Verify EC reset pulse duration. Verify open drain when not active. Details TBD.

Verify the RBOX can signal EC reset output.

Verify EC reset pulse duration. Verify open drain when not active. Details TBD.

Verify that in deep sleep, DCD can signal the ADC within the AST to power down.

Details TBD.

Verify that the debug cable detection logic can wake up the chip from sleep.

Details TBD.

Verify that the DCD can use the ADC within AST to know the voltage level.

Details TBD. SW test validates the reception of debug cable update interrupt.

Verify the POR reset input to DCD.

This sort of also tracks the testing of DCD surviving low power entry/exit. Details TBD.

Verify that the AST generates the 4 clocks when requested by the clkmgr.

Verify the clock frequencies are reasonably accurate. Verify that when the clkmgr deasserts the enable (on account of low power entry), the clocks are turned off. Verify that when turned on (low power exit), the clocks are glitch free.

Verify the clk and rst inputs to AST (from clkmgr).

Details TBD.

Verify that the AST sys clk jitter control.

Details TBD.

Verify the USB clk calibration signaling.

Details TBD.

Verify the alerts from AST aggregating into the sensor_ctrl.

X-ref'ed with chip_sensor_ctrl_ast_alerts.

Verify the alerts from AST aggregating into the sensor_ctrl.

Details TBD.

Verify the io power ok status from AST.

Details TBD.

Verify the full flash image download with bootstrap signal set.

Details TBD.

Verify the secure boot flow.

Details TBD.

Run the OpenTitan TockOS that will be deployed in production.

Run the TockOS image in DV. The advantage of doing so is running Tock with the full suite of design assertions and other checks in place in the DV environment.

Walk through the life cycle stages reseting the chip each time.

Verify that the features that should indeed be disabled are indeed disabled.

Walk through device ownership stages and flows.

Details TBD.

The CSR test sequences will read and write accessible CSRs including the enable registers and their locked registers. The RAL model supports predicting the correct value of the locked registers based on their enable registers.

Verify common intr_test CSRs that allows SW to mock-inject interrupts.

• Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s).
• Randomly "turn on" interrupts by writing random value(s) to intr_test CSR(s).
• Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR.
• Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set.
• Clear a random set of interrupts by writing a randomly value to intr_state CSR(s).
• Repeat the above steps a bunch of times.

Access out of bounds address and verify correctness of response / behavior

Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested

• TL-UL protocol error cases
  • Unsupported opcode. e.g a_opcode isn't Get, PutPartialData or PutFullData
  • Mask isn't all active if opcode = PutFullData
  • Mask isn't in enabled lanes, e.g. a_address = 0x00, a_size = 0, a_mask = 'b0010
  • Mask doesn't align with address, e.g. a_address = 0x01, a_mask = 'b0001
  • Address and size aren't aligned, e.g. a_address = 0x01, a_size != 0
  • Size is over 2.
• OpenTitan defined error cases
  • Access unmapped address, return d_error = 1 when devmode_i == 1
  • Write CSR with unaligned address, e.g. a_address[1:0] != 0
  • Write CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
  • Write a memory without enabling all lanes (a_mask = '1) if memory doesn't support byte enabled write
  • Read a WO (write-only) memory

Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.

Access CSR with one or more bytes of data For read, expect to return all word value of the CSR For write, enabling bytes should cover all CSR valid fields

Enable all hosts to randomly send transactions to any device

Control delays through plusargs to create tests for below types of delay

• Zero delay for sending a/d_valid and a/d_ready
• Large delay from 0 ~ 1000 cycles
• Small delay (0-10 cycles) for a_channel, large delay (0-1000 cycles) for d_channel

• Host randomly drives transactions with mapped and unmapped address
• Ensure DUT returns d_error=1 if address is unmapped and transaction isn't passed down to any device

• Drive any random value on size, mask, opcode in both channels
• Ensure everything just pass through host to device or device to host

• Randomly pick a device, make all hosts to access this device
• If the device isn't accessible for the host, let the host randomly access the other devices

Test all hosts use same ID at the same same

• Combine all sequences and run in parallel
• Add random reset between each iteration

• Inject reset while stress_all is running, after reset is completed, kill the stress seq and then start a new stress seq
• Run a few iteration to ensure reset doesn't break the design