V1 | smoke | pwrmgr_smoke | Smoke test exercising the pwrmgr state transitions.
- Brings pwrmgr out of POR.
- Enables wakeup.
- Triggers SW initiated low power transition with reset settings
in
control CSR.
- Triggers wakeup.
- Enables and triggers a reset.
- Waits for pwrmgr to be out of reset.
Stimulus:
- CSR writes to
wakeup_en , reset_en , and low_power_hint .
- Needs many input pins to line up correctly in order to prevent the
pwrmgr from waiting forever. Most of these are set in response
to outputs, and are checked by SVA.
Checks:
- The fast fsm becomes active when
fetch_en_o output rises.
- The wakeup and reset causes are as expected reading CSRs
wake_status and reset_status .
- The output
pwr_rst_req.reset_cause matches a low power or
reset cause.
- The output
pwr_rst_req.rstreqs matches the enabled resets.
|
V1 | csr_hw_reset | pwrmgr_csr_hw_reset | Verify the reset values as indicated in the RAL specification.
- Write all CSRs with a random value.
- Apply reset to the DUT as well as the RAL model.
- Read each CSR and compare it against the reset value.
it is mandatory to replicate this test for each reset that affects
all or a subset of the CSRs.
- It is mandatory to run this test for all available interfaces the
CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
|
V1 | csr_rw | pwrmgr_csr_rw | Verify accessibility of CSRs as indicated in the RAL specification.
- Loop through each CSR to write it with a random value.
- Read the CSR back and check for correctness while adhering to its
access policies.
- It is mandatory to run this test for all available interfaces the
CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
|
V1 | csr_bit_bash | pwrmgr_csr_bit_bash | Verify no aliasing within individual bits of a CSR.
- Walk a 1 through each CSR by flipping 1 bit at a time.
- Read the CSR back and check for correctness while adhering to its
access policies.
- This verify that writing a specific bit within the CSR did not affect
any of the other bits.
- It is mandatory to run this test for all available interfaces the
CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
|
V1 | csr_aliasing | pwrmgr_csr_aliasing | Verify no aliasing within the CSR address space.
- Loop through each CSR to write it with a random value
- Shuffle and read ALL CSRs back.
- All CSRs except for the one that was written in this iteration should
read back the previous value.
- The CSR that was written in this iteration is checked for correctness
while adhering to its access policies.
- It is mandatory to run this test for all available interfaces the
CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
|
V1 | csr_mem_rw_with_rand_reset | pwrmgr_csr_mem_rw_with_rand_reset | Verify random reset during CSR/memory access.
- Run csr_rw sequence to randomly access CSRs
- If memory exists, run mem_partial_access in parallel with csr_rw
- Randomly issue reset and then use hw_reset sequence to check all CSRs
are reset to default value
- It is mandatory to run this test for all available interfaces the
CSRs are accessible from.
|
V1 | regwen_csr_and_corresponding_lockable_csr | pwrmgr_csr_rw
pwrmgr_csr_aliasing | Verify regwen CSR and its corresponding lockable CSRs.
- Randomly access all CSRs
- Test when regwen CSR is set, its corresponding lockable CSRs become
read-only registers
Note:
- If regwen CSR is HW read-only, this feature can be fully tested by common
CSR tests - csr_rw and csr_aliasing.
- If regwen CSR is HW updated, a separate test should be created to test it.
This is only applicable if the block contains regwen and locakable CSRs. |
V2 | wakeup | pwrmgr_wakeup | Test random wakeup, wakeup_en, wake_info_capture_dis, and
interrupt.
The different wakeup inputs can be disabled via bits in the
wakeup_en CSR. Update of wakeup_info can be disabled
via the wake_info_capture_dis CSR. Any wakeup causes an
interrupt unless interrupts are disabled.
Stimulus:
- Sets
wakeup_en randomly but don't set it to zero, or the
test will timeout.
- Set
wake_info_capture_dis randomly on and off.
- Bring pwrmgr to low power.
- Set
wakeups_i inputs randomly.
- Set
intr_enable randomly.
Checks:
- The fast fsm becomes active when
fetch_en_o output rises.
- Depending on
wakeups_i :
- If all wakeups are disabled, wait some time checking the
state remains inactive.
- Set
wakeups_i so at least one is enabled.
- Checks
wakeup_status CSR during transition to active state
since the reset involved will clear the wakeups_i input.
- Checks the
wake_info CSR.
- Checks the output
pwr_rst_req.reset_cause is LowPwrEntry .
- Check that
intr_wakeup_o is set according to intr_enable CSR.
- Coverage collected by
wakeup_cg and wakeup_intr_cg .
|
V2 | control_clks | pwrmgr_wakeup | Test CSR control of peripheral clocks during low power.
The peripheral clocks can be configured to remain on or be turned
off during low power with bits in the control CSR register. The
usb clock can also be configured off in active mode.
Stimulus:
- Sets these control bits at random.
- Cause a low power transition and wakeup.
Checks:
- The clock enable outputs to the AST clocks during a low
power transition match the control bits.
- The usb clock enable is also checked during active mode against
the control register.
|
V2 | aborted_low_power | pwrmgr_aborted_low_power
pwrmgr_lowpower_invalid | Test aborted low power transitions.
Low power transitions can be aborted in two cases:
- The processor gets an interrupt soon after a low power entry is
triggered.
- OTP, LC, or FLASH are not idle.
This test aborts low power transitions, and disables any wakeups,
so the test would timeout if low power was entered.
Stimulus:
- Bring pwrmgr to low power.
- Either disable
pwr_cpu.core_sleeping or keep some of lc_idle ,
otp_idle , or flash_idle inputs off.
- Disable all wakeup enables.
- Randomly set
wakeup_info_capture_dis CSR.
Checks:
- The
ctrl_cfg_regwen CSR reads as 1 on the first attempt.
- Checks the output
pwr_rst_req.reset_cause doesn't change for
a bounded amount of time.
- Check that the
wakeup_info CSR flags either fall_through or
abort events when capture is enabled.
|
V2 | reset | pwrmgr_reset
pwrmgr_reset_invalid | Test random reset and reset_en.
Conditional reset inputs can be disabled via bits in the reset_en
CSR, while escalation and main power are unconditional. Resets can
be triggered either in active or low power state.
Stimulus:
- Sets
reset_en randomly.
- Randomly choose whether to put the unit in low power mode.
- Generate resets randomly in value and time:
- Conditionals via rstreqs_i,
- Main power glitch via rst_main_ni.
- Escalation via
esc_rst_tx_i .
- Sw reset from rstmgr via
sw_rst_req_i .
Checks:
- The fast fsm becomes active when
fetch_en_o output rises.
- Checks the
reset_status CSRs.
- Checks
ip_clk_en output has a low transition.
- SVA that when
pwr_rst_req.reset_cause is HwReq, and the output
pwr_rst_req.rstreqs matches the unconditional and enabled
conditional resets inputs.
|
V2 | main_power_glitch_reset | pwrmgr_reset | Test reset due to a glitch in main power.
A power glitch causes an unconditional reset.
Stimulus:
- Set the rst_main_ni input low indicating a main power glitch.
Checks:
- The fast fsm becomes active when
fetch_en_o output rises.
- Checks the
reset_status CSRs.
- Checks
ip_clk_en output has a low transition.
- Checks the output
pwr_rst_req.reset_cause matches HwReq.
- Checks the output
pwr_rst_req.rstreqs matches power glitch.
|
V2 | reset_wakeup_race | pwrmgr_wakeup_reset | Test wakeup from low power and reset request almost coinciding.
If a wakeup from low power and a reset occur at nearly the same time
the system handles them one at a time.
Stimulus:
- Trigger reset and wakeup from low power as described for other
testpoints.
- Issue reset and wakeup a random number of cycles after the slow
state machine is in LowPower state.
- This also checks them coinciding.
Check:
- Similar tests as for the wakeup and reset testpoints, except
making sure they happen per the triggering order.
|
V2 | lowpower_wakeup_race | pwrmgr_lowpower_wakeup_race | Test wakeups coming close to lowpower entry.
If low power entry and a wakeup are closely aligned the hardware
could get confused. Notice this is very unlikely, since wakeup is
only sensed when the slow fsm is in LowPower state.
Stimulus:
- Trigger low power entry as described for other testpoints.
- Have all wakeups enabled.
- Assert wakeups_i in the temporal neighborhood of low power
entry.
Check:
- No timeout occurs.
- Either pwrmgr remains active or a full low power cycle occurs.
|
V2 | disable_rom_integrity_check | pwrmgr_disable_rom_integrity_check | Test rom integrity check is disabled under life cycle test states.
While running a series of reset event, at FastPwrStateRomCheck
state,
- Drive lc_hw_debug_en_i and lc_dft_en_i to random value
excluding {lc_ctrl_pkg::On, lc_ctrl_pkg::On} for both ports.
- Set rom_ctrl_i.good = Mubi4False.
- Wait for a while to make sure fsm state check is not FastPwrStateActive.
Then,
- Drive lc_hw_debug_en_i and lc_dft_en_i to {lc_ctrl_pkg::On, lc_ctrl_pkg::On}
- Check test finish gracefully.
Try these steps with different lc_ctrl inputs. |
V2 | stress_all | pwrmgr_stress_all | This runs random sequences in succession.
Randomly chooses from the following sequences:
- pwrmgr_aborted_low_power_vseq
- pwrmgr_lowpower_wakeup_race_vseq
- pwrmgr_reset_vseq
- pwrmgr_smoke_vseq
- pwrmgr_wakeup_reset_vseq
- pwrmgr_wakeup_vseq
|
V2 | intr_test | pwrmgr_intr_test | Verify common intr_test CSRs that allows SW to mock-inject interrupts.
- Enable a random set of interrupts by writing random value(s) to
intr_enable CSR(s).
- Randomly "turn on" interrupts by writing random value(s) to intr_test
CSR(s).
- Read all intr_state CSR(s) back to verify that it reflects the same value
as what was written to the corresponding intr_test CSR.
- Check the cfg.intr_vif pins to verify that only the interrupts that were
enabled and turned on are set.
- Clear a random set of interrupts by writing a randomly value to intr_state
CSR(s).
- Repeat the above steps a bunch of times.
|
V2 | tl_d_oob_addr_access | pwrmgr_tl_errors | Access out of bounds address and verify correctness of response / behavior |
V2 | tl_d_illegal_access | pwrmgr_tl_errors | Drive unsupported requests via TL interface and verify correctness of response
/ behavior. Below error cases are tested bases on the
TLUL spec
- TL-UL protocol error cases
- invalid opcode
- some mask bits not set when opcode is
PutFullData
- mask does not match the transfer size, e.g.
a_address = 0x00 , a_size = 0 ,
a_mask = 'b0010
- mask and address misaligned, e.g.
a_address = 0x01 , a_mask = 'b0001
- address and size aren't aligned, e.g.
a_address = 0x01 , a_size != 0
- size is greater than 2
- OpenTitan defined error cases
- access unmapped address, expect
d_error = 1 when devmode_i == 1
- write a CSR with unaligned address, e.g.
a_address[1:0] != 0
- write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
- write a memory with
a_mask != '1 when it doesn't support partial accesses
- read a WO (write-only) memory
- write a RO (read-only) memory
- write with
instr_type = True
|
V2 | tl_d_outstanding_access | pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding | Drive back-to-back requests without waiting for response to ensure there is one
transaction outstanding within the TL device. Also, verify one outstanding when back-
to-back accesses are made to the same address. |
V2 | tl_d_partial_access | pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding | Access CSR with one or more bytes of data.
For read, expect to return all word value of the CSR.
For write, enabling bytes should cover all CSR valid fields. |
V2S | tl_intg_err | pwrmgr_tl_intg_err
pwrmgr_sec_cm | Verify that the data integrity check violation generates an alert.
- Randomly inject errors on the control, data, or the ECC bits during CSR accesses.
Verify that triggers the correct fatal alert.
- Inject a fault at the onehot check in
u_reg.u_prim_reg_we_check and verify the
corresponding fatal alert occurs
|
V2S | prim_count_check | pwrmgr_sec_cm | Verify that violating prim_count counter properties generate a fatal alert.
Stimulus:
- At the falling edge (non-active edge), force the counter to a different value than
expected.
- Randomly force the counter back to a normal value to ensure the error is latched and
won't go away until reset.
- Within the next few cycles, the violation of hardened counter property should
generate a fatal alert.
- Repeat for ALL prim_count instances in the DUT.
Checks:
- Check that fatal alert is triggered.
- Check that err_code/fault_status is updated correctly and preserved until reset.
- Verify any operations that follow fail (as applicable).
|
V2S | prim_fsm_check | pwrmgr_sec_cm | Verify that entering to an undefined state generates a fatal alert.
Stimulus:
- Backdoor force the FSM to any of the undefined values.
- Randomly force the FSM back to a defined state to ensure the error is latched and
won't go away until reset.
- Within the next few cycles, the FSM landing in an invalid state should trigger a
fatal alert.
- Repeat for ALL prim_fsm instances in the DUT.
Checks:
- Check that fatal alert is triggered.
- Check that err_code/fault_status is updated correctly and preserved until reset.
- Verify any operations that follow fail (as applicable).
|
V2S | sec_cm_bus_integrity | pwrmgr_tl_intg_err | Verify the countermeasure(s) BUS.INTEGRITY.
This entry is covered by tl_access_test
(hw/dv/tools/dvsim/tests/tl_access_tests.hjson) |
V2S | sec_cm_lc_ctrl_intersig_mubi | pwrmgr_sec_cm_lc_ctrl_intersig_mubi | Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI.
Stimulus:
- Use comprehensive stimulus - reset and wakeup -
as background traffic to ensure this counter measure
is valid for various states of fast and slow state.
- Drive lc_hw_debug_en_i and lc_dft_en_i with
mixed valid and invalid values.
Check:
- Collect coverage by binding cip_mubi_cov_if to
tb.dut.lc_hw_debug_en_i and tb.dut.lc_dft_en_i
- Add assertion to check whether rom_intg_chk_dis
is set to '1' only when lc_dft_en_i or lc_hw_debug_en_i
is high.
|
V2S | sec_cm_rom_ctrl_intersig_mubi | pwrmgr_sec_cm_rom_ctrl_intersig_mubi | Verify the countermeasure(s) ROM_CTRL.INTERSIG.MUBI.
Stimulus:
- Use comprehensive stimulus - reset and wakeup -
as background traffic to ensure this counter measure
is valid for various states of fast and slow fsm.
- Drive rom_ctrl_i with mixed valid and invalid values.
Check:
- Collect coverage by binding cip_mubi_cov_if to
tb.dut.rom_ctrl_i
|
V2S | sec_cm_rstmgr_intersig_mubi | pwrmgr_sec_cm_rstmgr_intersig_mubi | Verify the countermeasure(s) RSTMGR.INTERSIG.MUBI.
Stimulus:
- Drive tb.dut.sw_rst_req_i with mixed valid and invalid values
Check:
- See sw rst only happens when dut gets valid value by
probing fast fsm state. The state has to move low power state.
- Collect coverage by binding cip_mubi_cov_if to
tb.dut.sw_rst_req_i
|
V2S | sec_cm_esc_rx_clk_bkgn_chk | pwrmgr_esc_clk_rst_malfunc | Verify the countermeasure(s) ESC_RX.CLK.BKGN_CHK.
Stimulus:
- At FastPwrStateActive state, create escalation clock
or reset failure by stopping clock or asserting reset.
Check:
- Expecting fatal alert event and rstreqs[ResetEscIdx].
- Add assertion to see if u_esc_timeout happens, then
rstreqs[ResetEscIdx] should be asserted.
- After the alert agent processese the alert
by asserting escalation reset,
see if dut is back to normal operation state.
|
V2S | sec_cm_esc_rx_clk_local_esc | pwrmgr_sec_cm | Verify the countermeasure(s) ESC_RX.CLK.LOCAL_ESC.
This is triggered by common cm primitives (SecCmPrimCount).
(https://github.com/lowRISC/opentitan/blob/master
/hw/dv/sv/cip_lib/doc/index.md#security-verification
-for-common-countermeasure-primitives)
Check:
- Detect fast state transition to FastPwrStateResetPrep.
- Add assertion to check if u_sec_timeout happens, then
rstreqs[ResetEscIdx] should be asserted.
|
V2S | sec_cm_fsm_sparse | pwrmgr_sec_cm | Verify the countermeasure(s) FSM.SPARSE.
This is triggered by common cm primitives (SecCmPrimSparseFsmFlop).
(https://github.com/lowRISC/opentitan/blob/master
/hw/dv/sv/cip_lib/doc/index.md#security-verification
-for-common-countermeasure-primitives) |
V2S | sec_cm_fsm_terminal | pwrmgr_sec_cm | Verify the countermeasure(s) FSM.TERMINAL.
This is caused by any invalid (slow|fast) state.
Check:
- If slow state is invalid, fast state becomes FastPwrStateInvalid,
pwr_ast_o.pwr_clamp =1 and pwr_ast_o.main_pd_n = 0.
- If fast state is invalid, pwr_rst_o.rst_lc_req is all one,
pwr_rst_o.rst_sys_req is all one and pwr_clk_o = 0.
Dut should be recovered by asserting rst_n = 0.
|
V2S | sec_cm_ctrl_flow_global_esc | pwrmgr_global_esc | Verify the countermeasure(s) CTRL_FLOW.GLOBAL_ESC.
Stimulus:
- Send escalation request to esc_rst_tx_i
Check:
- Check fast state transition to FastPwrStateResetPrep
- Add assertion to see if we get pwr_rst_o.rstreqs[ResetEscIdx]
set when dut receives esc_rst_tx_i
|
V2S | sec_cm_main_pd_rst_local_esc | pwrmgr_glitch | Verify the countermeasure(s) MAIN_PD.RST.LOCAL_ESC.
Stimulus:
- Create power reset glitch by setting tb.dut.rst_main_ni
and tb.dut.pwr_ast_i.main_pok to 0
Check:
- Check fast state transition to FastPwrStateResetPrep
- Add assertion to see if we get pwr_rst_o.rstreqs[ResetMainPwrIdx]
|
V2S | sec_cm_ctrl_config_regwen | pwrmgr_sec_cm_ctrl_config_regwen | Verify the countermeasure(s) CTRL.CONFIG.REGWEN.
Stimulus:
- Initiate low power transition by setting
PWRMGR.CONTROL.LOW_POWER_HINT to 1. Wait for a few cycle
to ensure the csr value propagates to slow clock domain.
Then issue csr write to PWRMGR.CONTROL
Check:
- After the csr update under PWRMGR.CTRL_CFG_REGWEN = 0,
read back and check the value is not updated by
the csr update attempt.
|
V2S | sec_cm_wakeup_config_regwen | pwrmgr_csr_rw | Verify the countermeasure(s) WAKEUP.CONFIG.REGWEN.
This is covered by auto csr test. |
V2S | sec_cm_reset_config_regwen | pwrmgr_csr_rw | Verify the countermeasure(s) RESET.CONFIG.REGWEN.
This is covered by auto csr test. |
V3 | stress_all_with_rand_reset | pwrmgr_stress_all_with_rand_reset | This test runs 3 parallel threads - stress_all, tl_errors and random reset.
After reset is asserted, the test will read and check all valid CSR registers. |