A fatal error. Fatal alerts are non-recoverable and will be asserted until a hard reset.

Once rom_ctrl has handed control of the mux to the bus, the internal FSM counter should point at the top of ROM (where we ensure the word has invalid ECC bits). The unexpected_counter_change signal in rom_ctrl_fsm goes high and generates a fatal alert if that counter is perturbed in any way.

The main checker FSM steps on internal 'done' signals, coming from its address counter, the KMAC response and its comparison counter. If any of these are asserted at times we don't expect, the FSM jumps to an invalid state. This triggers an alert and will not set the external 'done' signal for pwrmgr to continue boot.

The main checker FSM moves to an invalid state on local escalation.

The hash comparison module triggers a fatal error if the checker FSM triggers a second comparison after a reset. This is handled by the start_alert signal in the rom_ctrl_compare module and could be triggered if the checker FSM was somehow glitched to jump backwards.

The hash comparison module has an internal count (indexing 32-bit words in the 256-bit digests). If this glitches to a nonzero value before the comparison starts or to a value other than the last index after the comparison ends then an fatal alert is generated. This is handled by the wait_addr_alert and done_addr_alert signals in rom_ctrl_compare.

The hash comparison module has an internal count (indexing 32-bit words in the 256-bit digests) implemented using a redundant counter module. In case a mismatch is detected between the redundant counters a fatal alert is generated.

FSMs are sparsely encoded. There are two FSMs. The first is in rom_ctrl_fsm. The second, simpler FSM is in rom_ctrl_compare.

The ROM is scrambled.

A cSHAKE digest is computed of the ROM contents.

Checker FSM 'done' signal is multi-bit encoded when passed to pwrmgr. This signal is derived from the (multi-bit) sparse FSM state in the rom_ctrl_fsm module.

TL bus control and data signals are integrity protected (using the system-wide end-to-end integrity scheme).

To avoid responding to a request with erroneous data, even though an alert went out, the bus_rom_rvalid signal used to signal a response to the ROM-side TL bus can only be high if no internal consistency error has been spotted.

The mux that arbitrates between the checker and the bus is multi-bit encoded. An invalid value generates a fatal alert with the sel_invalid signal in the rom_ctrl_mux module.

The mux that arbitrates between the checker and the bus gives access to the checker at the start of time and then switches to the bus, never going back. If a glitch does cause it to switch back, a fatal alert is generated with the sel_reverted or sel_q_reverted signals in the rom_ctrl_mux module.

Addresses from TL accesses are passed redundantly to the scrambled ROM module, to ensure the address lines are not independently faultable downstream of the bus integrity ECC check. See the bus_rom_prince_index and bus_rom_rom_index signals in the rom_ctrl module.

End-to-end data/memory integrity scheme.

The TL-UL response FIFO pointers are implemented with duplicate counters.