Testplan
Testpoints
Stage V1 Testpoints
smoke
Test: pwrmgr_smoke
Smoke test exercising the pwrmgr state transitions.
- Brings pwrmgr out of POR.
- Enables wakeup.
- Triggers SW initiated low power transition with reset settings
in
control
CSR. - Triggers wakeup.
- Enables and triggers a reset.
- Waits for pwrmgr to be out of reset.
Stimulus:
- CSR writes to
wakeup_en
,reset_en
, andlow_power_hint
. - Needs many input pins to line up correctly in order to prevent the pwrmgr from waiting forever. Most of these are set in response to outputs, and are checked by SVA.
Checks:
- The fast fsm becomes active when
fetch_en_o
output rises. - The wakeup and reset causes are as expected reading CSRs
wake_status
andreset_status
. - The output
pwr_rst_req.reset_cause
matches a low power or reset cause. - The output
pwr_rst_req.rstreqs
matches the enabled resets.
csr_hw_reset
Test: pwrmgr_csr_hw_reset
Verify the reset values as indicated in the RAL specification.
- Write all CSRs with a random value.
- Apply reset to the DUT as well as the RAL model.
- Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs.
- It is mandatory to run this test for all available interfaces the CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
csr_rw
Test: pwrmgr_csr_rw
Verify accessibility of CSRs as indicated in the RAL specification.
- Loop through each CSR to write it with a random value.
- Read the CSR back and check for correctness while adhering to its access policies.
- It is mandatory to run this test for all available interfaces the CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
csr_bit_bash
Test: pwrmgr_csr_bit_bash
Verify no aliasing within individual bits of a CSR.
- Walk a 1 through each CSR by flipping 1 bit at a time.
- Read the CSR back and check for correctness while adhering to its access policies.
- This verify that writing a specific bit within the CSR did not affect any of the other bits.
- It is mandatory to run this test for all available interfaces the CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
csr_aliasing
Test: pwrmgr_csr_aliasing
Verify no aliasing within the CSR address space.
- Loop through each CSR to write it with a random value
- Shuffle and read ALL CSRs back.
- All CSRs except for the one that was written in this iteration should read back the previous value.
- The CSR that was written in this iteration is checked for correctness while adhering to its access policies.
- It is mandatory to run this test for all available interfaces the CSRs are accessible from.
- Shuffle the list of CSRs first to remove the effect of ordering.
csr_mem_rw_with_rand_reset
Test: pwrmgr_csr_mem_rw_with_rand_reset
Verify random reset during CSR/memory access.
- Run csr_rw sequence to randomly access CSRs
- If memory exists, run mem_partial_access in parallel with csr_rw
- Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value
- It is mandatory to run this test for all available interfaces the CSRs are accessible from.
regwen_csr_and_corresponding_lockable_csr
Tests:
pwrmgr_csr_rw
pwrmgr_csr_aliasing
Verify regwen CSR and its corresponding lockable CSRs.
- Randomly access all CSRs
- Test when regwen CSR is set, its corresponding lockable CSRs become read-only registers
Note:
- If regwen CSR is HW read-only, this feature can be fully tested by common CSR tests - csr_rw and csr_aliasing.
- If regwen CSR is HW updated, a separate test should be created to test it.
This is only applicable if the block contains regwen and locakable CSRs.
Stage V2 Testpoints
wakeup
Test: pwrmgr_wakeup
Test random wakeup, wakeup_en, wake_info_capture_dis, and interrupt.
The different wakeup inputs can be disabled via bits in the
wakeup_en
CSR. Update of wakeup_info
can be disabled
via the wake_info_capture_dis
CSR. Any wakeup causes an
interrupt unless interrupts are disabled.
Stimulus:
- Sets
wakeup_en
randomly but don’t set it to zero, or the test will timeout. - Set
wake_info_capture_dis
randomly on and off. - Bring pwrmgr to low power.
- Set
wakeups_i
inputs randomly. - Set
intr_enable
randomly.
Checks:
- The fast fsm becomes active when
fetch_en_o
output rises. - Depending on
wakeups_i
:- If all wakeups are disabled, wait some time checking the state remains inactive.
- Set
wakeups_i
so at least one is enabled.
- Checks
wakeup_status
CSR during transition to active state since the reset involved will clear the wakeups_i input. - Checks the
wake_info
CSR. - Checks the output
pwr_rst_req.reset_cause
isLowPwrEntry
. - Check that
intr_wakeup_o
is set according tointr_enable
CSR. - Coverage collected by
wakeup_cg
andwakeup_intr_cg
.
control_clks
Test: pwrmgr_wakeup
Test CSR control of peripheral clocks during low power.
The peripheral clocks can be configured to remain on or be turned
off during low power with bits in the control
CSR register. The
usb clock can also be configured off in active mode.
Stimulus:
- Sets these control bits at random.
- Cause a low power transition and wakeup.
Checks:
- The clock enable outputs to the AST clocks during a low power transition match the control bits.
- The usb clock enable is also checked during active mode against the control register.
aborted_low_power
Tests:
pwrmgr_aborted_low_power
pwrmgr_lowpower_invalid
Test aborted low power transitions.
Low power transitions can be aborted in two cases:
- The processor gets an interrupt soon after a low power entry is triggered.
- OTP, LC, or FLASH are not idle. This test aborts low power transitions, and disables any wakeups, so the test would timeout if low power was entered.
Stimulus:
- Bring pwrmgr to low power.
- Either disable
pwr_cpu.core_sleeping
or keep some oflc_idle
,otp_idle
, orflash_idle
inputs off. - Disable all wakeup enables.
- Randomly set
wakeup_info_capture_dis
CSR.
Checks:
- The
ctrl_cfg_regwen
CSR reads as 1 on the first attempt. - Checks the output
pwr_rst_req.reset_cause
doesn’t change for a bounded amount of time. - Check that the
wakeup_info
CSR flags eitherfall_through
orabort
events when capture is enabled.
reset
Tests:
pwrmgr_reset
pwrmgr_reset_invalid
Test random reset and reset_en.
Conditional reset inputs can be disabled via bits in the reset_en
CSR, while escalation and main power are unconditional. Resets can
be triggered either in active or low power state.
Stimulus:
- Sets
reset_en
randomly. - Randomly choose whether to put the unit in low power mode.
- Generate resets randomly in value and time:
- Conditionals via rstreqs_i,
- Main power glitch via rst_main_ni.
- Escalation via
esc_rst_tx_i
. - Sw reset from rstmgr via
sw_rst_req_i
.
Checks:
- The fast fsm becomes active when
fetch_en_o
output rises. - Checks the
reset_status
CSRs. - Checks
ip_clk_en
output has a low transition. - SVA that when
pwr_rst_req.reset_cause
is HwReq, and the outputpwr_rst_req.rstreqs
matches the unconditional and enabled conditional resets inputs.
main_power_glitch_reset
Test: pwrmgr_reset
Test reset due to a glitch in main power.
A power glitch causes an unconditional reset.
Stimulus:
- Set the rst_main_ni input low indicating a main power glitch.
Checks:
- The fast fsm becomes active when
fetch_en_o
output rises. - Checks the
reset_status
CSRs. - Checks
ip_clk_en
output has a low transition. - Checks the output
pwr_rst_req.reset_cause
matches HwReq. - Checks the output
pwr_rst_req.rstreqs
matches power glitch.
reset_wakeup_race
Test: pwrmgr_wakeup_reset
Test wakeup from low power and reset request almost coinciding.
If a wakeup from low power and a reset occur at nearly the same time the system handles them one at a time.
Stimulus:
- Trigger reset and wakeup from low power as described for other testpoints.
- Issue reset and wakeup a random number of cycles after the slow
state machine is in LowPower state.
- This also checks them coinciding.
Check:
- Similar tests as for the wakeup and reset testpoints, except making sure they happen per the triggering order.
lowpower_wakeup_race
Test: pwrmgr_lowpower_wakeup_race
Test wakeups coming close to lowpower entry.
If low power entry and a wakeup are closely aligned the hardware could get confused. Notice this is very unlikely, since wakeup is only sensed when the slow fsm is in LowPower state.
Stimulus:
- Trigger low power entry as described for other testpoints.
- Have all wakeups enabled.
- Assert wakeups_i in the temporal neighborhood of low power entry.
Check:
- No timeout occurs.
- Either pwrmgr remains active or a full low power cycle occurs.
disable_rom_integrity_check
Test: pwrmgr_disable_rom_integrity_check
Test rom integrity check is disabled under life cycle test states.
While running a series of reset event, at FastPwrStateRomCheck state,
- Drive lc_hw_debug_en_i and lc_dft_en_i to random value excluding {lc_ctrl_pkg::On, lc_ctrl_pkg::On} for both ports.
- Set rom_ctrl_i.good = Mubi4False.
- Wait for a while to make sure fsm state check is not FastPwrStateActive.
Then,
- Drive lc_hw_debug_en_i and lc_dft_en_i to {lc_ctrl_pkg::On, lc_ctrl_pkg::On}
- Check test finish gracefully.
Try these steps with different lc_ctrl inputs.
stress_all
Test: pwrmgr_stress_all
This runs random sequences in succession.
Randomly chooses from the following sequences:
- pwrmgr_aborted_low_power_vseq
- pwrmgr_lowpower_wakeup_race_vseq
- pwrmgr_reset_vseq
- pwrmgr_smoke_vseq
- pwrmgr_wakeup_reset_vseq
- pwrmgr_wakeup_vseq
intr_test
Test: pwrmgr_intr_test
Verify common intr_test CSRs that allows SW to mock-inject interrupts.
- Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s).
- Randomly “turn on” interrupts by writing random value(s) to intr_test CSR(s).
- Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR.
- Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set.
- Clear a random set of interrupts by writing a randomly value to intr_state CSR(s).
- Repeat the above steps a bunch of times.
tl_d_oob_addr_access
Test: pwrmgr_tl_errors
Access out of bounds address and verify correctness of response / behavior
tl_d_illegal_access
Test: pwrmgr_tl_errors
Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the TLUL spec
- TL-UL protocol error cases
- invalid opcode
- some mask bits not set when opcode is
PutFullData
- mask does not match the transfer size, e.g.
a_address = 0x00
,a_size = 0
,a_mask = 'b0010
- mask and address misaligned, e.g.
a_address = 0x01
,a_mask = 'b0001
- address and size aren’t aligned, e.g.
a_address = 0x01
,a_size != 0
- size is greater than 2
- OpenTitan defined error cases
- access unmapped address, expect
d_error = 1
whendevmode_i == 1
- write a CSR with unaligned address, e.g.
a_address[1:0] != 0
- write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
- write a memory with
a_mask != '1
when it doesn’t support partial accesses - read a WO (write-only) memory
- write a RO (read-only) memory
- write with
instr_type = True
- access unmapped address, expect
tl_d_outstanding_access
Tests:
pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding
Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.
tl_d_partial_access
Tests:
pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding
Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields.
Stage V2S Testpoints
tl_intg_err
Tests:
pwrmgr_tl_intg_err
pwrmgr_sec_cm
Verify that the data integrity check violation generates an alert.
- Randomly inject errors on the control, data, or the ECC bits during CSR accesses. Verify that triggers the correct fatal alert.
- Inject a fault at the onehot check in
u_reg.u_prim_reg_we_check
and verify the corresponding fatal alert occurs
prim_count_check
Test: pwrmgr_sec_cm
Verify that violating prim_count counter properties generate a fatal alert.
Stimulus:
- At the falling edge (non-active edge), force the counter to a different value than expected.
- Randomly force the counter back to a normal value to ensure the error is latched and won’t go away until reset.
- Within the next few cycles, the violation of hardened counter property should generate a fatal alert.
- Repeat for ALL prim_count instances in the DUT.
Checks:
- Check that fatal alert is triggered.
- Check that err_code/fault_status is updated correctly and preserved until reset.
- Verify any operations that follow fail (as applicable).
prim_fsm_check
Test: pwrmgr_sec_cm
Verify that entering to an undefined state generates a fatal alert.
Stimulus:
- Backdoor force the FSM to any of the undefined values.
- Randomly force the FSM back to a defined state to ensure the error is latched and won’t go away until reset.
- Within the next few cycles, the FSM landing in an invalid state should trigger a fatal alert.
- Repeat for ALL prim_fsm instances in the DUT.
Checks:
- Check that fatal alert is triggered.
- Check that err_code/fault_status is updated correctly and preserved until reset.
- Verify any operations that follow fail (as applicable).
sec_cm_bus_integrity
Test: pwrmgr_tl_intg_err
Verify the countermeasure(s) BUS.INTEGRITY. This entry is covered by tl_access_test (hw/dv/tools/dvsim/tests/tl_access_tests.hjson)
sec_cm_lc_ctrl_intersig_mubi
Test: pwrmgr_sec_cm_lc_ctrl_intersig_mubi
Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI.
Stimulus:
- Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow state.
- Drive lc_hw_debug_en_i and lc_dft_en_i with mixed valid and invalid values.
Check:
- Collect coverage by binding cip_mubi_cov_if to tb.dut.lc_hw_debug_en_i and tb.dut.lc_dft_en_i
- Add assertion to check whether rom_intg_chk_dis is set to ‘1’ only when lc_dft_en_i or lc_hw_debug_en_i is high.
sec_cm_rom_ctrl_intersig_mubi
Test: pwrmgr_sec_cm_rom_ctrl_intersig_mubi
Verify the countermeasure(s) ROM_CTRL.INTERSIG.MUBI.
Stimulus:
- Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow fsm.
- Drive rom_ctrl_i with mixed valid and invalid values.
Check:
- Collect coverage by binding cip_mubi_cov_if to tb.dut.rom_ctrl_i
sec_cm_rstmgr_intersig_mubi
Test: pwrmgr_sec_cm_rstmgr_intersig_mubi
Verify the countermeasure(s) RSTMGR.INTERSIG.MUBI.
Stimulus:
- Drive tb.dut.sw_rst_req_i with mixed valid and invalid values
Check:
- See sw rst only happens when dut gets valid value by probing fast fsm state. The state has to move low power state.
- Collect coverage by binding cip_mubi_cov_if to tb.dut.sw_rst_req_i
sec_cm_esc_rx_clk_bkgn_chk
Test: pwrmgr_esc_clk_rst_malfunc
Verify the countermeasure(s) ESC_RX.CLK.BKGN_CHK.
Stimulus:
- At FastPwrStateActive state, create escalation clock or reset failure by stopping clock or asserting reset.
Check:
- Expecting fatal alert event and rstreqs[ResetEscIdx].
- Add assertion to see if u_esc_timeout happens, then rstreqs[ResetEscIdx] should be asserted.
- After the alert agent processese the alert by asserting escalation reset, see if dut is back to normal operation state.
sec_cm_esc_rx_clk_local_esc
Test: pwrmgr_sec_cm
Verify the countermeasure(s) ESC_RX.CLK.LOCAL_ESC.
This is triggered by common cm primitives (SecCmPrimCount). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives)
Check:
- Detect fast state transition to FastPwrStateResetPrep.
- Add assertion to check if u_sec_timeout happens, then rstreqs[ResetEscIdx] should be asserted.
sec_cm_fsm_sparse
Test: pwrmgr_sec_cm
Verify the countermeasure(s) FSM.SPARSE. This is triggered by common cm primitives (SecCmPrimSparseFsmFlop). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives)
sec_cm_fsm_terminal
Test: pwrmgr_sec_cm
Verify the countermeasure(s) FSM.TERMINAL.
This is caused by any invalid (slow|fast) state.
Check:
- If slow state is invalid, fast state becomes FastPwrStateInvalid, pwr_ast_o.pwr_clamp =1 and pwr_ast_o.main_pd_n = 0.
- If fast state is invalid, pwr_rst_o.rst_lc_req is all one, pwr_rst_o.rst_sys_req is all one and pwr_clk_o = 0. Dut should be recovered by asserting rst_n = 0.
sec_cm_ctrl_flow_global_esc
Test: pwrmgr_global_esc
Verify the countermeasure(s) CTRL_FLOW.GLOBAL_ESC.
Stimulus:
- Send escalation request to esc_rst_tx_i
Check:
- Check fast state transition to FastPwrStateResetPrep
- Add assertion to see if we get pwr_rst_o.rstreqs[ResetEscIdx] set when dut receives esc_rst_tx_i
sec_cm_main_pd_rst_local_esc
Test: pwrmgr_glitch
Verify the countermeasure(s) MAIN_PD.RST.LOCAL_ESC.
Stimulus:
- Create power reset glitch by setting tb.dut.rst_main_ni and tb.dut.pwr_ast_i.main_pok to 0
Check:
- Check fast state transition to FastPwrStateResetPrep
- Add assertion to see if we get pwr_rst_o.rstreqs[ResetMainPwrIdx]
sec_cm_ctrl_config_regwen
Test: pwrmgr_sec_cm_ctrl_config_regwen
Verify the countermeasure(s) CTRL.CONFIG.REGWEN.
Stimulus:
- Initiate low power transition by setting PWRMGR.CONTROL.LOW_POWER_HINT to 1. Wait for a few cycle to ensure the csr value propagates to slow clock domain. Then issue csr write to PWRMGR.CONTROL
Check:
- After the csr update under PWRMGR.CTRL_CFG_REGWEN = 0, read back and check the value is not updated by the csr update attempt.
sec_cm_wakeup_config_regwen
Test: pwrmgr_csr_rw
Verify the countermeasure(s) WAKEUP.CONFIG.REGWEN.
This is covered by auto csr test.
sec_cm_reset_config_regwen
Test: pwrmgr_csr_rw
Verify the countermeasure(s) RESET.CONFIG.REGWEN.
This is covered by auto csr test.
Stage V3 Testpoints
stress_all_with_rand_reset
Test: pwrmgr_stress_all_with_rand_reset
This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers.
Covergroups
control_cg
Collects coverage on clock and power bits from control
CSR during
a lowpower transition and active state.
esc_reset_cg
Collects coverage on resets due to escalation.
Covergroup contains a coverpoint for the input esc_rst_tx_i
that
triggers an escalation reset, and whether this reset is asserted
during low power state.
hw_reset_0_cg
Collects coverage related to external reset 0
.
Covergroup contains coverpoints for the rstreqs_i[0]
external
reset input, its corresponding bit in reset_en
CSR, and whether
this reset is asserted during low power state, and suitable crosses.
hw_reset_1_cg
Collects coverage related to external reset 1
.
Covergroup contains coverpoints for the rstreqs_i[1]
external
reset input, its corresponding bit in reset_en
CSR, and whether
this reset is asserted during low power state, and suitable crosses.
main_power_reset_cg
Collects coverage on resets due to a main power glitch.
Covergroup contains a coverpoint for the input rst_main_i
that
triggers a power glitch reset, and whether this reset is asserted
during low power state.
regwen_val_when_new_value_written_cg
Cover each lockable reg field with these 2 cases:
- When regwen = 1, a different value is written to the lockable CSR field, and a read occurs after that.
- When regwen = 0, a different value is written to the lockable CSR field, and a read occurs after that.
This is only applicable if the block contains regwen and locakable CSRs.
reset_wakeup_distance_cg
Covergroup contains a coverpoint for the difference between the cycles when the reset and the wakeup were received in the inputs. The difference is positive when reset happened after wakeup, and zero when the two happened at the same clock cycle.
rstmgr_sw_reset_cg
Collects coverage on the software reset from rstmgr.
Covergroup contains a coverpoint for the input sw_rst_req_i
from
rstmgr.
tl_errors_cg
Cover the following error cases on TL-UL bus:
- TL-UL protocol error cases.
- OpenTitan defined error cases, refer to testpoint
tl_d_illegal_access
.
tl_intg_err_cg
Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check.
Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied.
wakeup_ctrl_cg
Collects coverage on wakeup enable and capture functionality.
This is collected per individual wakeup bit. Covergroup contains
coverpoints for the wakeup_en
CSR bit, wakeup_info_capture_dis
CSR, wakeups_i
input bit, and wakeup_status
CSR bit, and their
cross.
wakeup_intr_cg
Collects coverage on interrupts for wakeup functionality.
This is collected per individual wakeup bit. Covergroup contains
coverpoints for the intr_en
CSR, the wakeup_status
CSR bit,
the intr_status
CSR, the output intr_wakeup
port, and their
cross.