Testplan - OpenTitan Documentation

Testpoints

Stage	Name	Tests	Description
V1	smoke	pwrmgr_smoke	Smoke test exercising the pwrmgr state transitions. Brings pwrmgr out of POR. Enables wakeup. Triggers SW initiated low power transition with reset settings in `control` CSR. Triggers wakeup. Enables and triggers a reset. Waits for pwrmgr to be out of reset. Stimulus: CSR writes to `wakeup_en`, `reset_en`, and `low_power_hint`. Needs many input pins to line up correctly in order to prevent the pwrmgr from waiting forever. Most of these are set in response to outputs, and are checked by SVA. Checks: The fast fsm becomes active when `fetch_en_o` output rises. The wakeup and reset causes are as expected reading CSRs `wake_status` and `reset_status`. The output `pwr_rst_req.reset_cause` matches a low power or reset cause. The output `pwr_rst_req.rstreqs` matches the enabled resets.
V1	csr_hw_reset	pwrmgr_csr_hw_reset	Verify the reset values as indicated in the RAL specification. Write all CSRs with a random value. Apply reset to the DUT as well as the RAL model. Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_rw	pwrmgr_csr_rw	Verify accessibility of CSRs as indicated in the RAL specification. Loop through each CSR to write it with a random value. Read the CSR back and check for correctness while adhering to its access policies. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_bit_bash	pwrmgr_csr_bit_bash	Verify no aliasing within individual bits of a CSR. Walk a 1 through each CSR by flipping 1 bit at a time. Read the CSR back and check for correctness while adhering to its access policies. This verify that writing a specific bit within the CSR did not affect any of the other bits. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_aliasing	pwrmgr_csr_aliasing	Verify no aliasing within the CSR address space. Loop through each CSR to write it with a random value Shuffle and read ALL CSRs back. All CSRs except for the one that was written in this iteration should read back the previous value. The CSR that was written in this iteration is checked for correctness while adhering to its access policies. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_mem_rw_with_rand_reset	pwrmgr_csr_mem_rw_with_rand_reset	Verify random reset during CSR/memory access. Run csr_rw sequence to randomly access CSRs If memory exists, run mem_partial_access in parallel with csr_rw Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value It is mandatory to run this test for all available interfaces the CSRs are accessible from.
V1	regwen_csr_and_corresponding_lockable_csr	pwrmgr_csr_rw pwrmgr_csr_aliasing	Verify regwen CSR and its corresponding lockable CSRs. Randomly access all CSRs Test when regwen CSR is set, its corresponding lockable CSRs become read-only registers Note: If regwen CSR is HW read-only, this feature can be fully tested by common CSR tests - csr_rw and csr_aliasing. If regwen CSR is HW updated, a separate test should be created to test it. This is only applicable if the block contains regwen and locakable CSRs.
V2	wakeup	pwrmgr_wakeup	Test random wakeup, wakeup_en, wake_info_capture_dis, and interrupt. The different wakeup inputs can be disabled via bits in the `wakeup_en` CSR. Update of `wakeup_info` can be disabled via the `wake_info_capture_dis` CSR. Any wakeup causes an interrupt unless interrupts are disabled. Stimulus: Sets `wakeup_en` randomly but don't set it to zero, or the test will timeout. Set `wake_info_capture_dis` randomly on and off. Bring pwrmgr to low power. Set `wakeups_i` inputs randomly. Set `intr_enable` randomly. Checks: The fast fsm becomes active when `fetch_en_o` output rises. Depending on `wakeups_i`: If all wakeups are disabled, wait some time checking the state remains inactive. Set `wakeups_i` so at least one is enabled. Checks `wakeup_status` CSR during transition to active state since the reset involved will clear the wakeups_i input. Checks the `wake_info` CSR. Checks the output `pwr_rst_req.reset_cause` is `LowPwrEntry`. Check that `intr_wakeup_o` is set according to `intr_enable` CSR. Coverage collected by `wakeup_cg` and `wakeup_intr_cg`.
V2	control_clks	pwrmgr_wakeup	Test CSR control of peripheral clocks during low power. The peripheral clocks can be configured to remain on or be turned off during low power with bits in the `control` CSR register. The usb clock can also be configured off in active mode. Stimulus: Sets these control bits at random. Cause a low power transition and wakeup. Checks: The clock enable outputs to the AST clocks during a low power transition match the control bits. The usb clock enable is also checked during active mode against the control register.
V2	aborted_low_power	pwrmgr_aborted_low_power pwrmgr_lowpower_invalid	Test aborted low power transitions. Low power transitions can be aborted in two cases: The processor gets an interrupt soon after a low power entry is triggered. OTP, LC, or FLASH are not idle. This test aborts low power transitions, and disables any wakeups, so the test would timeout if low power was entered. Stimulus: Bring pwrmgr to low power. Either disable `pwr_cpu.core_sleeping` or keep some of `lc_idle`, `otp_idle`, or `flash_idle` inputs off. Disable all wakeup enables. Randomly set `wakeup_info_capture_dis` CSR. Checks: The `ctrl_cfg_regwen` CSR reads as 1 on the first attempt. Checks the output `pwr_rst_req.reset_cause` doesn't change for a bounded amount of time. Check that the `wakeup_info` CSR flags either `fall_through` or `abort` events when capture is enabled.
V2	reset	pwrmgr_reset pwrmgr_reset_invalid	Test random reset and reset_en. Conditional reset inputs can be disabled via bits in the `reset_en` CSR, while escalation and main power are unconditional. Resets can be triggered either in active or low power state. Stimulus: Sets `reset_en` randomly. Randomly choose whether to put the unit in low power mode. Generate resets randomly in value and time: Conditionals via rstreqs_i, Main power glitch via rst_main_ni. Escalation via `esc_rst_tx_i`. Sw reset from rstmgr via `sw_rst_req_i`. Checks: The fast fsm becomes active when `fetch_en_o` output rises. Checks the `reset_status` CSRs. Checks `ip_clk_en` output has a low transition. SVA that when `pwr_rst_req.reset_cause` is HwReq, and the output `pwr_rst_req.rstreqs` matches the unconditional and enabled conditional resets inputs.
V2	main_power_glitch_reset	pwrmgr_reset	Test reset due to a glitch in main power. A power glitch causes an unconditional reset. Stimulus: Set the rst_main_ni input low indicating a main power glitch. Checks: The fast fsm becomes active when `fetch_en_o` output rises. Checks the `reset_status` CSRs. Checks `ip_clk_en` output has a low transition. Checks the output `pwr_rst_req.reset_cause` matches HwReq. Checks the output `pwr_rst_req.rstreqs` matches power glitch.
V2	reset_wakeup_race	pwrmgr_wakeup_reset	Test wakeup from low power and reset request almost coinciding. If a wakeup from low power and a reset occur at nearly the same time the system handles them one at a time. Stimulus: Trigger reset and wakeup from low power as described for other testpoints. Issue reset and wakeup a random number of cycles after the slow state machine is in LowPower state. This also checks them coinciding. Check: Similar tests as for the wakeup and reset testpoints, except making sure they happen per the triggering order.
V2	lowpower_wakeup_race	pwrmgr_lowpower_wakeup_race	Test wakeups coming close to lowpower entry. If low power entry and a wakeup are closely aligned the hardware could get confused. Notice this is very unlikely, since wakeup is only sensed when the slow fsm is in LowPower state. Stimulus: Trigger low power entry as described for other testpoints. Have all wakeups enabled. Assert wakeups_i in the temporal neighborhood of low power entry. Check: No timeout occurs. Either pwrmgr remains active or a full low power cycle occurs.
V2	disable_rom_integrity_check	pwrmgr_disable_rom_integrity_check	Test rom integrity check is disabled under life cycle test states. While running a series of reset event, at FastPwrStateRomCheck state, Drive lc_hw_debug_en_i and lc_dft_en_i to random value excluding {lc_ctrl_pkg::On, lc_ctrl_pkg::On} for both ports. Set rom_ctrl_i.good = Mubi4False. Wait for a while to make sure fsm state check is not FastPwrStateActive. Then, Drive lc_hw_debug_en_i and lc_dft_en_i to {lc_ctrl_pkg::On, lc_ctrl_pkg::On} Check test finish gracefully. Try these steps with different lc_ctrl inputs.
V2	stress_all	pwrmgr_stress_all	This runs random sequences in succession. Randomly chooses from the following sequences: pwrmgr_aborted_low_power_vseq pwrmgr_lowpower_wakeup_race_vseq pwrmgr_reset_vseq pwrmgr_smoke_vseq pwrmgr_wakeup_reset_vseq pwrmgr_wakeup_vseq
V2	intr_test	pwrmgr_intr_test	Verify common intr_test CSRs that allows SW to mock-inject interrupts. Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s). Randomly "turn on" interrupts by writing random value(s) to intr_test CSR(s). Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR. Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set. Clear a random set of interrupts by writing a randomly value to intr_state CSR(s). Repeat the above steps a bunch of times.
V2	tl_d_oob_addr_access	pwrmgr_tl_errors	Access out of bounds address and verify correctness of response / behavior
V2	tl_d_illegal_access	pwrmgr_tl_errors	Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the TLUL spec TL-UL protocol error cases invalid opcode some mask bits not set when opcode is `PutFullData` mask does not match the transfer size, e.g. `a_address = 0x00`, `a_size = 0`, `a_mask = 'b0010` mask and address misaligned, e.g. `a_address = 0x01`, `a_mask = 'b0001` address and size aren't aligned, e.g. `a_address = 0x01`, `a_size != 0` size is greater than 2 OpenTitan defined error cases access unmapped address, expect `d_error = 1` when `devmode_i == 1` write a CSR with unaligned address, e.g. `a_address[1:0] != 0` write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte write a memory with `a_mask != '1` when it doesn't support partial accesses read a WO (write-only) memory write a RO (read-only) memory write with `instr_type = True`
V2	tl_d_outstanding_access	pwrmgr_csr_hw_reset pwrmgr_csr_rw pwrmgr_csr_aliasing pwrmgr_same_csr_outstanding	Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.
V2	tl_d_partial_access	pwrmgr_csr_hw_reset pwrmgr_csr_rw pwrmgr_csr_aliasing pwrmgr_same_csr_outstanding	Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields.
V2S	tl_intg_err	pwrmgr_tl_intg_err pwrmgr_sec_cm	Verify that the data integrity check violation generates an alert. Randomly inject errors on the control, data, or the ECC bits during CSR accesses. Verify that triggers the correct fatal alert. Inject a fault at the onehot check in `u_reg.u_prim_reg_we_check` and verify the corresponding fatal alert occurs
V2S	prim_count_check	pwrmgr_sec_cm	Verify that violating prim_count counter properties generate a fatal alert. Stimulus: At the falling edge (non-active edge), force the counter to a different value than expected. Randomly force the counter back to a normal value to ensure the error is latched and won't go away until reset. Within the next few cycles, the violation of hardened counter property should generate a fatal alert. Repeat for ALL prim_count instances in the DUT. Checks: Check that fatal alert is triggered. Check that err_code/fault_status is updated correctly and preserved until reset. Verify any operations that follow fail (as applicable).
V2S	prim_fsm_check	pwrmgr_sec_cm	Verify that entering to an undefined state generates a fatal alert. Stimulus: Backdoor force the FSM to any of the undefined values. Randomly force the FSM back to a defined state to ensure the error is latched and won't go away until reset. Within the next few cycles, the FSM landing in an invalid state should trigger a fatal alert. Repeat for ALL prim_fsm instances in the DUT. Checks: Check that fatal alert is triggered. Check that err_code/fault_status is updated correctly and preserved until reset. Verify any operations that follow fail (as applicable).
V2S	sec_cm_bus_integrity	pwrmgr_tl_intg_err	Verify the countermeasure(s) BUS.INTEGRITY. This entry is covered by tl_access_test (hw/dv/tools/dvsim/tests/tl_access_tests.hjson)
V2S	sec_cm_lc_ctrl_intersig_mubi	pwrmgr_sec_cm_lc_ctrl_intersig_mubi	Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI. Stimulus: Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow state. Drive lc_hw_debug_en_i and lc_dft_en_i with mixed valid and invalid values. Check: Collect coverage by binding cip_mubi_cov_if to tb.dut.lc_hw_debug_en_i and tb.dut.lc_dft_en_i Add assertion to check whether rom_intg_chk_dis is set to '1' only when lc_dft_en_i or lc_hw_debug_en_i is high.
V2S	sec_cm_rom_ctrl_intersig_mubi	pwrmgr_sec_cm_rom_ctrl_intersig_mubi	Verify the countermeasure(s) ROM_CTRL.INTERSIG.MUBI. Stimulus: Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow fsm. Drive rom_ctrl_i with mixed valid and invalid values. Check: Collect coverage by binding cip_mubi_cov_if to tb.dut.rom_ctrl_i
V2S	sec_cm_rstmgr_intersig_mubi	pwrmgr_sec_cm_rstmgr_intersig_mubi	Verify the countermeasure(s) RSTMGR.INTERSIG.MUBI. Stimulus: Drive tb.dut.sw_rst_req_i with mixed valid and invalid values Check: See sw rst only happens when dut gets valid value by probing fast fsm state. The state has to move low power state. Collect coverage by binding cip_mubi_cov_if to tb.dut.sw_rst_req_i
V2S	sec_cm_esc_rx_clk_bkgn_chk	pwrmgr_esc_clk_rst_malfunc	Verify the countermeasure(s) ESC_RX.CLK.BKGN_CHK. Stimulus: At FastPwrStateActive state, create escalation clock or reset failure by stopping clock or asserting reset. Check: Expecting fatal alert event and rstreqs[ResetEscIdx]. Add assertion to see if u_esc_timeout happens, then rstreqs[ResetEscIdx] should be asserted. After the alert agent processese the alert by asserting escalation reset, see if dut is back to normal operation state.
V2S	sec_cm_esc_rx_clk_local_esc	pwrmgr_sec_cm	Verify the countermeasure(s) ESC_RX.CLK.LOCAL_ESC. This is triggered by common cm primitives (SecCmPrimCount). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives) Check: Detect fast state transition to FastPwrStateResetPrep. Add assertion to check if u_sec_timeout happens, then rstreqs[ResetEscIdx] should be asserted.
V2S	sec_cm_fsm_sparse	pwrmgr_sec_cm	Verify the countermeasure(s) FSM.SPARSE. This is triggered by common cm primitives (SecCmPrimSparseFsmFlop). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives)
V2S	sec_cm_fsm_terminal	pwrmgr_sec_cm	Verify the countermeasure(s) FSM.TERMINAL. This is caused by any invalid (slow\|fast) state. Check: If slow state is invalid, fast state becomes FastPwrStateInvalid, pwr_ast_o.pwr_clamp =1 and pwr_ast_o.main_pd_n = 0. If fast state is invalid, pwr_rst_o.rst_lc_req is all one, pwr_rst_o.rst_sys_req is all one and pwr_clk_o = 0. Dut should be recovered by asserting rst_n = 0.
V2S	sec_cm_ctrl_flow_global_esc	pwrmgr_global_esc	Verify the countermeasure(s) CTRL_FLOW.GLOBAL_ESC. Stimulus: Send escalation request to esc_rst_tx_i Check: Check fast state transition to FastPwrStateResetPrep Add assertion to see if we get pwr_rst_o.rstreqs[ResetEscIdx] set when dut receives esc_rst_tx_i
V2S	sec_cm_main_pd_rst_local_esc	pwrmgr_glitch	Verify the countermeasure(s) MAIN_PD.RST.LOCAL_ESC. Stimulus: Create power reset glitch by setting tb.dut.rst_main_ni and tb.dut.pwr_ast_i.main_pok to 0 Check: Check fast state transition to FastPwrStateResetPrep Add assertion to see if we get pwr_rst_o.rstreqs[ResetMainPwrIdx]
V2S	sec_cm_ctrl_config_regwen	pwrmgr_sec_cm_ctrl_config_regwen	Verify the countermeasure(s) CTRL.CONFIG.REGWEN. Stimulus: Initiate low power transition by setting PWRMGR.CONTROL.LOW_POWER_HINT to 1. Wait for a few cycle to ensure the csr value propagates to slow clock domain. Then issue csr write to PWRMGR.CONTROL Check: After the csr update under PWRMGR.CTRL_CFG_REGWEN = 0, read back and check the value is not updated by the csr update attempt.
V2S	sec_cm_wakeup_config_regwen	pwrmgr_csr_rw	Verify the countermeasure(s) WAKEUP.CONFIG.REGWEN. This is covered by auto csr test.
V2S	sec_cm_reset_config_regwen	pwrmgr_csr_rw	Verify the countermeasure(s) RESET.CONFIG.REGWEN. This is covered by auto csr test.
V3	stress_all_with_rand_reset	pwrmgr_stress_all_with_rand_reset	This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers.

Covergroups

Name	Description
control_cg	Collects coverage on clock and power bits from `control` CSR during a lowpower transition and active state.
esc_reset_cg	Collects coverage on resets due to escalation. Covergroup contains a coverpoint for the input `esc_rst_tx_i` that triggers an escalation reset, and whether this reset is asserted during low power state.
hw_reset_0_cg	Collects coverage related to external reset `0`. Covergroup contains coverpoints for the `rstreqs_i[0]` external reset input, its corresponding bit in `reset_en` CSR, and whether this reset is asserted during low power state, and suitable crosses.
hw_reset_1_cg	Collects coverage related to external reset `1`. Covergroup contains coverpoints for the `rstreqs_i[1]` external reset input, its corresponding bit in `reset_en` CSR, and whether this reset is asserted during low power state, and suitable crosses.
main_power_reset_cg	Collects coverage on resets due to a main power glitch. Covergroup contains a coverpoint for the input `rst_main_i` that triggers a power glitch reset, and whether this reset is asserted during low power state.
regwen_val_when_new_value_written_cg	Cover each lockable reg field with these 2 cases: When regwen = 1, a different value is written to the lockable CSR field, and a read occurs after that. When regwen = 0, a different value is written to the lockable CSR field, and a read occurs after that. This is only applicable if the block contains regwen and locakable CSRs.
reset_wakeup_distance_cg	Covergroup contains a coverpoint for the difference between the cycles when the reset and the wakeup were received in the inputs. The difference is positive when reset happened after wakeup, and zero when the two happened at the same clock cycle.
rstmgr_sw_reset_cg	Collects coverage on the software reset from rstmgr. Covergroup contains a coverpoint for the input `sw_rst_req_i` from rstmgr.
tl_errors_cg	Cover the following error cases on TL-UL bus: TL-UL protocol error cases. OpenTitan defined error cases, refer to testpoint `tl_d_illegal_access`.
tl_intg_err_cg	Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check. Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied.
wakeup_ctrl_cg	Collects coverage on wakeup enable and capture functionality. This is collected per individual wakeup bit. Covergroup contains coverpoints for the `wakeup_en` CSR bit, `wakeup_info_capture_dis` CSR, `wakeups_i` input bit, and `wakeup_status` CSR bit, and their cross.
wakeup_intr_cg	Collects coverage on interrupts for wakeup functionality. This is collected per individual wakeup bit. Covergroup contains coverpoints for the `intr_en` CSR, the `wakeup_status` CSR bit, the `intr_status` CSR, the output `intr_wakeup` port, and their cross.