Testplan

Testpoints

Stage V1 Testpoints

`smoke`

Test: rv_dm_smoke

A basic smoke test.

. Read the DTM register idcode and verify that it reflects the correct value.

Enable debug by setting lc_hw_debug_en to true.
Write to the DMI register field dmcontrol[dmactive] via JTAG and verify that the dmactive output pin reflects the same value.
Write to the DMI register field dmcontrol[haltreq] via JTAG and verify that the debug_req output pin reflects the same value.
Write to the DMI register field dmcontrol[ndmreset] via JTAG and verify that the ndmreset output pin reflects the same value.
Wiggle the unavailable input and read the DTM register field dmstatus[allunavail] to verify that it reflects the same value as the input signal.

`jtag_dtm_csr_hw_reset`

Test: rv_dm_jtag_dtm_csr_hw_reset

Verify the reset values of JTAG DTM CSRs as indicated in the RAL specification.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DTM regisers.

In these set of tests, the lc_hw_debug_en is set to true, scanmode & scan_rst_n inputs to false.

`jtag_dtm_csr_rw`

Test: rv_dm_jtag_dtm_csr_rw

Verify accessibility of JTAG DTM CSRs as indicated in the RAL specification.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DTM regisers.

`jtag_dtm_csr_bit_bash`

Test: rv_dm_jtag_dtm_csr_bit_bash

Verify no aliasing within individual bits of JTAG DTM CSR.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DTM regisers.

`jtag_dtm_csr_aliasing`

Test: rv_dm_jtag_dtm_csr_aliasing

Verify no aliasing within the JTAG DTM CSR address space.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DTM regisers.

`jtag_dmi_csr_hw_reset`

Test: rv_dm_jtag_dmi_csr_hw_reset

Verify the reset values of JTAG DMI CSRs as indicated in the RAL specification.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DMI regisers.

In these set of tests, the lc_hw_debug_en is set to true, scanmode & scan_rst_n inputs to false.

Also, the dmcontrol[dmactive] field is set to 1 at the start, to ensure CSR accesses to all other registers go through.

`jtag_dmi_csr_rw`

Test: rv_dm_jtag_dmi_csr_rw

Verify accessibility of JTAG DMI CSRs as indicated in the RAL specification.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DMI regisers.

`jtag_dmi_csr_bit_bash`

Test: rv_dm_jtag_dmi_csr_bit_bash

Verify no aliasing within individual bits of JTAG DMI CSR.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DMI regisers.

`jtag_dmi_csr_aliasing`

Test: rv_dm_jtag_dmi_csr_aliasing

Verify no aliasing within the JTAG DMI CSR address space.

See hw/dv/tools/dvsim/testplans/csr_testplan.hjson for more description, This follows the same approach, but applies to the JTAG DMI regisers.

`jtag_dmi_cmderr_busy`

Test: rv_dm_cmderr_busy

Generate the “busy” command error in abstractcs.

Start an abstract command executing (but don’t allow it to stop)
Write to one of command, abstractcs, abstractauto or access (read or write) the data or progbuf register.
Read the abstractcs register and check that cmderr is now set to 1 (the encoding of “busy”)

`jtag_dmi_cmderr_not_supported`

Test: rv_dm_cmderr_not_supported

Generate the “not supported” command error in abstractcs

This command error is generated when trying to run an abstract command that is not supported.

Write a command to the command register where cmdtype is definitely not supported.
Check that the cmderr field of abstractcs register is set to 2.

`cmderr_exception`

Test: rv_dm_cmderr_exception

Verify that if an exception occurs when executing a command then cmderr is set to 3.

Start an abstract command.
While it’s running, write to the exception register over TL.
Check that the cmderr field of abstractcs register is now 3.

`mem_tl_access_resuming`

Test: rv_dm_mem_tl_access_resuming

Verify whether the selected hart has been resumed or not.

-Write into memory mapped register called RESUMING(0x110) through tl-device interface. -Verify that the anyresumeack and allresumeack bits of the dmstatus register are set. -After that, set the resumereq bit of dmcontrol register. -Verify that the anyresumeack and allresumeack bits of the dmstatus register are cleared.

`mem_tl_access_halted`

Test: rv_dm_mem_tl_access_halted

Verify whether the selected hart has been halted or not.

Set the haltreq bit of dmcontrol register.
Write into memory mapped register called HALTED(0x100) through tl-device(mem_tl_if) interface.
Verify that the anyhalted and allhalted bits of the dmstatus register are set.

`cmderr_halt_resume`

Test: rv_dm_cmderr_halt_resume

Verify that attempt to generate command error result in cmderr field of abstractcs register are set.

Try to execute abstract command when hart is not in halt/resume state.
Assert unavailable signal through core interface.
The abstract command could not be execute.
Verify that the cmderr field of abstractcs register is set to 4.

`dataaddr_rw_access`

Test: rv_dm_dataaddr_rw_access

Verify the read write access of the data registers through the memory mapped DataAddr register.

Write random data to the shadowed data registers via the corresponding DataAddr registers.
Read back the written data and verify that it matches the expected values.

`halt_resume`

Test: rv_dm_halt_resume_whereto

Verify debug module halt/going/resume behavior.

Request a halt over DMI, then send an abstract command.
Check that the debug module reports itself to be busy.
Check that the debug module’s internal state machine is in the Go state.
As the hart, respond to the message from the debug module to say that it has started handling it.
Check the debug module still reports itself to be busy.
Check that WHERETO points at the expected address (which contains the start of the abstract command)
As the hart, tell the debug module that we have halted.
Check the debug module no longer reports itself to be busy.
Tell the debug module to resume again, by clearing the halt request and sending a resume request.
Check the debug module now reports itself busy again (since it should be asking the hart to resume)
Check flags to make sure the debug module is in the Resume state.
As the hart, acknowledge the resume request.
Check the debug module no longer reports itself to be busy.

`progbuf_busy`

Test: rv_dm_cmderr_busy

Verify that writing on DM progbuf registers while abstract command is executing causes jtag_dmi_ral.abstractcs.busy to be set to 1.

This is implemented by rv_dm_cmderr_busy, which chooses a random operation to generate the busy command error. One possible operation is writing to progbuf[0].

`abstractcmd_status`

Test: rv_dm_abstractcmd_status

Verify the functionality of abstract command by reading tl_mem_ral.abstractcmd0-9 registers.

Program jtag_dmi_ral.dmcontrol.haltreq to 1’b1.
Verify that the ‘debug_req_o’ is set to 1.
Acknowledge haltreq by setting tl_mem_ral.halted to 0.
Send a valid abstract command (command type AccessRegister).
Verify that the jtag_dmi_ral.abstractcs.busy is set to 1.
Read tl_mem_ral.abstractcmd0-9 registers to verify that due to executing specific abstract command we can read instructions stored in these registers.

`progbuf_read_write_execute`

Test: rv_dm_progbuf_read_write_execute

Verify the functionality of program buffer by writing random data on program buffer.

Program jtag_dmi_ral.dmcontrol.haltreq to 1’b1.
Verify that ‘debug_req_o’ is set to 1.
Acknowledge haltreq by setting tl_mem_ral.halted to 0.
Fill the program buffer by writing random data to jtag_dmi_ral.progbuf0-7 registers.
Read tl_mem_ral.program_buffer0-7 registers to verify that the data we wrote is what we read back.

`progbuf_exception`

Test: rv_dm_cmderr_exception

Verify that writing on tl_mem_ral.exception register while an abstract command is executing causes jtag_dmi_ral.abstractcs.cmderr to be set to 3.

Program jtag_dmi_ral.dmcontrol.haltreq to 1’b1.
Verify that ‘debug_req_o’ is set to 1.
Acknowledge haltreq by setting tl_mem_ral.halted to 0.
Send access register abstract command with postexec bit set.
Write on tl_mem_ral.exception register.
Verify that jtag_dmi_ral.abstractcs.cmderr is set to 3.

`rom_read_access`

Test: rv_dm_rom_read_access

Verify the read accessability of rom.

Read from the addresses of rom and verify that it reads the expected data.

`csr_hw_reset`

Test: rv_dm_csr_hw_reset

Verify the reset values as indicated in the RAL specification.

Write all CSRs with a random value.
Apply reset to the DUT as well as the RAL model.
Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_rw`

Test: rv_dm_csr_rw

Verify accessibility of CSRs as indicated in the RAL specification.

Loop through each CSR to write it with a random value.
Read the CSR back and check for correctness while adhering to its access policies.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_bit_bash`

Test: rv_dm_csr_bit_bash

Verify no aliasing within individual bits of a CSR.

Walk a 1 through each CSR by flipping 1 bit at a time.
Read the CSR back and check for correctness while adhering to its access policies.
This verify that writing a specific bit within the CSR did not affect any of the other bits.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_aliasing`

Test: rv_dm_csr_aliasing

Verify no aliasing within the CSR address space.

Loop through each CSR to write it with a random value
Shuffle and read ALL CSRs back.
All CSRs except for the one that was written in this iteration should read back the previous value.
The CSR that was written in this iteration is checked for correctness while adhering to its access policies.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_mem_rw_with_rand_reset`

Test: rv_dm_csr_mem_rw_with_rand_reset

Verify random reset during CSR/memory access.

Run csr_rw sequence to randomly access CSRs
If memory exists, run mem_partial_access in parallel with csr_rw
Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value
It is mandatory to run this test for all available interfaces the CSRs are accessible from.

`regwen_csr_and_corresponding_lockable_csr`

Tests:

rv_dm_csr_rw
rv_dm_csr_aliasing

Verify regwen CSR and its corresponding lockable CSRs.

Randomly access all CSRs
Test when regwen CSR is set, its corresponding lockable CSRs become read-only registers

Note:

If regwen CSR is HW read-only, this feature can be fully tested by common CSR tests - csr_rw and csr_aliasing.
If regwen CSR is HW updated, a separate test should be created to test it.

This is only applicable if the block contains regwen and locakable CSRs.

`mem_walk`

Test: rv_dm_mem_walk

Verify accessibility of all memories in the design.

Run the standard UVM mem walk sequence on all memories in the RAL model.
It is mandatory to run this test from all available interfaces the memories are accessible from.

`mem_partial_access`

Test: rv_dm_mem_partial_access

Verify partial-accessibility of all memories in the design.

Do partial reads and writes into the memories and verify the outcome for correctness.
Also test outstanding access on memories

Stage V2 Testpoints

`idcode`

Test: rv_dm_smoke

Verify that the JTAG IDCODE reads the correct value.

Set a different JTAG ID code an rv_dm design parameter.
Read the IDCODE register in JTAG DTM register space, via JTAG.
Verify it reads back what was set.

`jtag_dtm_hard_reset`

Test: rv_dm_jtag_dtm_hard_reset

Verify that the debugger can cancel an on-going DMI transaction with a hard reset.

Perform DMI register read and check the data value.
Write 1 to dtmcs[dmihardreset] bit.
Perform DMI register read and check the data value to make sure the reset doesn’t create any harmful event.

`jtag_dtm_idle_hint`

Test: rv_dm_jtag_dtm_idle_hint

Verify that the JTAG debugger does not need to stay any longer than the advertized idle time indicated in dtmcs register.

Read the dtmcs[idle] value and configure the JTAG DMI register adapter to insert that many delay between transactions.
Issue random legal DMI accesses back to back and ensure that all of them complete successfully, without dmistat reflecting an error.

`jtag_dmi_failed_op`

Test: rv_dm_dmi_failed_op

Verify that a failed DMI op is reflected properly in dtmcs register.

Issue a random legal DMI write to a chosen DMI register.
Before that access completes, issue another random legal DMI access.
Read the dtmcs[dmistat] register to verify busy error.
Clear it by writing to dtmcs[dmireset] register.
Poll the DMI access for completion and verify that the first write completed successfully by doing a read-check.

`jtag_dmi_dm_inactive`

Test: rv_dm_jtag_dmi_dm_inactive

Verify that DMI writes to data other than dmcontrol.dmactive are ignored when dmactive is false. All of these registers should return their reset values on reads.

Write 0 to DMCONTROL.DMACTIVE to put the debug module into its reset state.
Perform random DMI writes, constrained only by requiring that they don’t write 1 to DMCONTROL.DMACTIVE.
Write 1 to DMCONTROL.DMACTIVE to leave the reset state.
Read DMI registers back and check they have their POR values.

`sba`

Tests:

rv_dm_sba_tl_access
rv_dm_delayed_resp_sba_tl_access

Verify all types of accesses from JTAG to SBA.

Enable debug by setting lc_hw_debug_en to true and activate the dm
Write to SBA registers to inject randomized 8/16/32bit writes and reads.
Randomize readonaddr and readondata settings and ensure those have the intended effect.
Generate sbbusy = 1 scenario by picking a very large response delay, since JTAG accesses are much slower (SBA TL accesses tend to complete faster than JTAG can read the SBCS register).

`bad_sba`

Test: rv_dm_bad_sba_tl_access

Verify attempts to make bad SBA accesses results in the error sticky bits getting set.

Enable debug by setting lc_hw_debug_en to true and activate the dm.
Build on the previous sba test and randomly inject errors in the following ways:
- Inject a response error on the TL response channel (d_error = 1) and verify that the sberror bit is set to 2.
- Inject a randomized SBA access that is not aligned to the size of the transfer and verify that the sberror bit is set to 3.
- Inject a randomized SBA access that is greater that the supported transfer size and verify that the sberror bit is set to 4.
- Inject an integrity error on the TL response channel and verify that the sberror bit is set to 7. Verify that an alert is seen. Reset the DUT.
- Inject a new SBA traffic before the previous one completes - verify that the sbbusyerror asserts. This is achieved by setting a large TL response delay (TODO).
- Have more than one of these types of errors trigger at the same time.

Note: The following error scenarios are not supported by the design:

pulp-platform/riscv-dbg#128: response timeout (sberror = 1) is not implemented.

`sba_autoincrement`

Test: rv_dm_autoincr_sba_tl_access

Verify the address autoincrement functionality of SBA.

Enable debug by setting lc_hw_debug_en to true and activate the dm.
Write to the SBCS register to inject randomized 8/16/32bit writes. Set the autoincrement bit.
Pick a random address and write to sbaddress0 register.
Write a random value to sbdata0, repeating a randomized number of times.
Each write should trigger a new SBA TL write access with the address incremented with the transfer size. Verify that the SBA TL access shows up.
Repeat the same procedure for reads. For reads, set the readondata register and read the sbdata0 a randomized number of times - each read should trigger a new SBA TL read access.
Intermittently also generate busy and error conditions.

`jtag_dmi_debug_disabled`

Test: rv_dm_jtag_dmi_debug_disabled

Verify that the JTAG DMI register space cannot be accessed if pinmux_hw_debug_en is a non strict true value.

Set pinmux_hw_debug_en to true and activate the dm.
Write a known value to a randomly picked DMI CSR.
Set pinmux_hw_debug_en to non-true value.
Write a different value to the same DMI CSR.
Attempt to read that DMI CSR - it should read all 0s.
Note that the above steps are rendered moot because the JTAG DTM itself will not receive any incoming JTAG transactions.
Set pinmux_hw_debug_en to true and again read the DMI CSR - it should reflect the originally written value.

`sba_debug_disabled`

Test: rv_dm_sba_debug_disabled

Verify that access to SBA interface is disabled if lc_hw_debug_en is set to a value other than lc_ctrl_pkg::On.

Set lc_hw_debug_en to non-true value and activate the dm.
Attempt to send some legal randomized SBA accesses. Checks in the scoreboard will assert that no SBA TL accesses appear on the TL interface.

`ndmreset_req`

Test: rv_dm_ndmreset_req

Verify that the debugger can issue a non-debug reset to the rest of the system.

Set lc_hw_debug_en / pinmux_hw_debug_en to true value and activate the dm.
Pick a random set of write/readable CSRs in the debug RALs (JTAG DMI and debug memory). Write known values to them.
Write the dmcontrol register to assert ndmreset - verify that the ndmreset output is asserted.
Mimic the CPU going into reset by asserting the unavailable input.
Set lc_hw_debug_en to something other than On (since it should no longer be needed). At this point the ndmreset output signal will drop. Keep pinmux_hw_debug_en set to On to keep the JTAG side open while the ndmreset is in progress.
Read the dmstatus register to verify allunavail is asserted.
De-assert the ndmreset by writing 0 to the dmcontrol register field, verify the ndmreset output deasserted as well.
Mimic the CPU going out of reset by de-asserting unavailable input after some delay. Set lc_hw_debug_en to true again as well.
Read the previously written registers back and verify that they reflect the previously written value, proving that ndmreset assertion had no effect on them.

`hart_unavail`

Test: rv_dm_hart_unavail

Verify that the debugger can read the status of unavailable hart

Set lc_hw_debug_en to true value and activate the dm.
Randomly assert and de-assert the unavailable input (indicates the CPU is under reset). This ideally happens when ndmreset is issued by the debugger.
Periodically issue reads to dmstatus register to verify allunavail matches the unavailable input value

`tap_ctrl_transitions`

Tests:

rv_dm_tap_fsm
rv_dm_tap_fsm_rand_reset

Verify all JTAG TAP controller FSM transitions

This test should verify that the standardized JTAG TAP FSM is working correctly.

`hartsel_warl`

Test: rv_dm_hartsel_warl

Check the WARL behaviour of the hartsel field in dmcontrol

Write ’1 to hartsel and then read dmcontrol back again.
Check resulting value of hartsel equals the maximum hart index.

`stress_all`

Test: rv_dm_stress_all

A ‘bug hunt’ test that stresses the DUT to its limits.

Combine above sequences in one test and run as many of them as possible in parallel. Run the rest sequentially.
Randomly inject a full device reset intermittently.

`alert_test`

Test: rv_dm_alert_test

Verify common alert_test CSR that allows SW to mock-inject alert requests.

Enable a random set of alert requests by writing random value to alert_test CSR.
Check each alert_tx.alert_p pin to verify that only the requested alerts are triggered.
During alert_handshakes, write alert_test CSR again to verify that: If alert_test writes to current ongoing alert handshake, the alert_test request will be ignored. If alert_test writes to current idle alert handshake, a new alert_handshake should be triggered.
Wait for the alert handshakes to finish and verify alert_tx.alert_p pins all sets back to 0.
Repeat the above steps a bunch of times.

`tl_d_oob_addr_access`

Test: rv_dm_tl_errors

Access out of bounds address and verify correctness of response / behavior

`tl_d_illegal_access`

Test: rv_dm_tl_errors

Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the TLUL spec

TL-UL protocol error cases
- invalid opcode
- some mask bits not set when opcode is PutFullData
- mask does not match the transfer size, e.g. a_address = 0x00, a_size = 0, a_mask = 'b0010
- mask and address misaligned, e.g. a_address = 0x01, a_mask = 'b0001
- address and size aren’t aligned, e.g. a_address = 0x01, a_size != 0
- size is greater than 2
OpenTitan defined error cases
- access unmapped address, expect d_error = 1
- write a CSR with unaligned address, e.g. a_address[1:0] != 0
- write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
- write a memory with a_mask != '1 when it doesn’t support partial accesses
- read a WO (write-only) memory
- write a RO (read-only) memory
- write with instr_type = True

`tl_d_outstanding_access`

Tests:

rv_dm_csr_hw_reset
rv_dm_csr_rw
rv_dm_csr_aliasing
rv_dm_same_csr_outstanding

Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.

`tl_d_partial_access`

Tests:

rv_dm_csr_hw_reset
rv_dm_csr_rw
rv_dm_csr_aliasing
rv_dm_same_csr_outstanding

Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields.

Stage V2S Testpoints

`tl_intg_err`

Tests:

rv_dm_tl_intg_err
rv_dm_sec_cm

Verify that the data integrity check violation generates an alert.

Randomly inject errors on the control, data, or the ECC bits during CSR accesses. Verify that triggers the correct fatal alert.
Inject a fault at the onehot check in u_reg.u_prim_reg_we_check and verify the corresponding fatal alert occurs

`sec_cm_bus_integrity`

Test: rv_dm_tl_intg_err

Verify the countermeasure(s) BUS.INTEGRITY.

`sec_cm_lc_hw_debug_en_intersig_mubi`

Tests:

rv_dm_debug_disabled
rv_dm_sba_debug_disabled

Verify the countermeasure(s) LC_HW_DEBUG_EN.INTERSIG.MUBI.

The lc_hw_debug_en_i signal is encoded as lc_tx_t and is used through the lc_hw_debug_en_gated signal when late debug enable is enabled (through the late_debug_enable register or the otp_dis_rv_dm_late_debug_i pin). Bad values of this signal should be interpreted as “Off”, disabling debug and also memory/sba TL access.

When late debug is enabled, set this to a value other than On and check:

No ndmreset is possible (true because the ndmreset_ack signal is gated)
No debug request can be sent to the core through debug_req_o
Instruction fetch requests through the memory window are not successful.
The “mem” and “sba” TL interfaces are both disabled.

Note that both of the tests that implement this testpoint do so with either late debug enable active (so using lc_hw_debug_en_i) or with it inactive (so using otp_dis_rv_dm_late_debug_i), with a 50% chance of each.

`sec_cm_lc_dft_en_intersig_mubi`

Tests:

rv_dm_debug_disabled
rv_dm_sba_debug_disabled

Verify the countermeasure(s) LC_DFT_EN.INTERSIG.MUBI.

This is analogous to the sec_cm_lc_dft_en_intersig_mubi testpoint. This time, we check when late debug enable is not active, so the corrupted signal is lc_dft_en_i. Otherwise, the description is identical and is tested by the same tests (when late debug enable is randomised to be Off).

`sec_cm_otp_dis_rv_dm_late_debug_intersig_mubi`

Test: rv_dm_smoke

Verify the countermeasure(s) OTP_DIS_RV_DM_LATE_DEBUG.INTERSIG.MUBI.

Control of whether to use late debug is governed by both the otp_dis_rv_dm_late_debug_i port and the late_debug_enable register. In both cases, bad values of the signal are interpreted as “Off”, causing debug enable to be controlled by the lc_dft_en_i port instead of the lc_hw_debug_en_i port.

To test that this mubi encoding is interpreted as expected, disable late debug enablement by setting both the otp_dis_rv_dm_late_debug_i port and the late_debug_enable register to values that are not strict mubi true values. Then check that whether debug is enabled is caused by lc_dft_en_i.

This is actually handled by rv_dm_base_vseq, which controls half of its runs with an invalid late_debug_enable signal. As such, most tests will verify this testpoint.

`sec_cm_dm_en_ctrl_lc_gated`

Test: rv_dm_buffered_enable

Verify the countermeasure(s) DM_EN.CTRL.LC_GATED.

The multibit nature of the debug enable signal is covered in sec_cm_lc_hw_debug_en_intersig_mubi. However, this testpoint doesn’t address the way there are separate buffered copies of the enable signal. This testpoint addresses that.

There are five copies of the lifecycle enable signal:

LcEnFetch controls whether hart fetch requests the debug module’s memory, which are made over TL, is relayed to the debug module. (This is implemented with the en_ifetch_i signal in tlul_adapter_reg).
LcEnRom controls whether hart access to debug module’s memory is possible at all, gating TL transactions.
LcEnSba controls whether SBA (system bus access) transactions are relayed from the debug module to the TL bus.
LcEnDebugReq controls whether a debug request from the debug module (which ultimately will have come from a DMI command) gets relayed to the hart.
LcEnResetReq controls whether a request for ndmreset from the debug module is relayed to the rest of the system.

These are buffered from each other to make sure that corrupting one won’t affect the other copies. With debug disabled, force one of the copies. Verify that, while this feature is now active, none of the other features become active.

`sec_cm_sba_tl_lc_gate_fsm_sparse`

Test: rv_dm_sparse_lc_gate_fsm

Verify the countermeasure SBA_TL_LC_GATE.FSM.SPARSE.

The gate at u_tlul_lc_gate_sba has a sparse FSM, so a fault injection of only a couple of bits cannot change between valid values. Inject a 1- or 2-bit error and check that the fatal_fault alert is triggered.

`sec_cm_mem_tl_lc_gate_fsm_sparse`

Test: rv_dm_sparse_lc_gate_fsm

Verify the countermeasure MEM_TL_LC_GATE.FSM.SPARSE.

The gate at u_tlul_lc_gate_rom has a sparse FSM, so a fault injection of only a couple of bits cannot change between valid values. Inject a 1- or 2-bit error and check that the fatal_fault alert is triggered.

`sec_cm_exec_ctrl_mubi`

Test: rv_dm_buffered_enable

Verify the countermeasure EXEC.CTRL.MUBI.

The multi-bit nature of the signal is checked by all tests that disable debug (since they do so by choosing an arbitrary value other than On). An even tighter check for this countermeasure comes from the rv_dm_buffered_enable test, which ensures fetch requests are more tightly controlled than arbitrary TL requests.

Stage V3 Testpoints

`stress_all_with_rand_reset`

Test: rv_dm_stress_all_with_rand_reset

This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers.

Covergroups

regwen_val_when_new_value_written_cg

Cover each lockable reg field with these 2 cases:

When regwen = 1, a different value is written to the lockable CSR field, and a read occurs after that.
When regwen = 0, a different value is written to the lockable CSR field, and a read occurs after that.

This is only applicable if the block contains regwen and locakable CSRs.

sba_access_cg

Cover all possible types of accesses over SBA.

cp: reads and write accesses
cp: supported transfer sizes
cp: auto-increment address with back-to-back acesses
cp: for reads, cover readonaddr and readondata settings
cp: sberror cases with unaligned address and unsupported size
cp: sbbusyerror case - attempt new access before the previous one completed
cr: cross all of the above

tl_errors_cg

Cover the following error cases on TL-UL bus:

TL-UL protocol error cases.
OpenTitan defined error cases, refer to testpoint tl_d_illegal_access.

tl_intg_err_cg

Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check.

Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied.