Testplan

Testpoints

Stage V1 Testpoints

`smoke`

Test: pwrmgr_smoke

Smoke test exercising the pwrmgr state transitions.

Brings pwrmgr out of POR.
Enables wakeup.
Triggers SW initiated low power transition with reset settings in control CSR.
Triggers wakeup.
Enables and triggers a reset.
Waits for pwrmgr to be out of reset.

Stimulus:

CSR writes to wakeup_en, reset_en, and low_power_hint.
Needs many input pins to line up correctly in order to prevent the pwrmgr from waiting forever. Most of these are set in response to outputs, and are checked by SVA.

Checks:

The fast fsm becomes active when fetch_en_o output rises.
The wakeup and reset causes are as expected reading CSRs wake_status and reset_status.
The output pwr_rst_req.reset_cause matches a low power or reset cause.
The output pwr_rst_req.rstreqs matches the enabled resets.

`csr_hw_reset`

Test: pwrmgr_csr_hw_reset

Verify the reset values as indicated in the RAL specification.

Write all CSRs with a random value.
Apply reset to the DUT as well as the RAL model.
Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_rw`

Test: pwrmgr_csr_rw

Verify accessibility of CSRs as indicated in the RAL specification.

Loop through each CSR to write it with a random value.
Read the CSR back and check for correctness while adhering to its access policies.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_bit_bash`

Test: pwrmgr_csr_bit_bash

Verify no aliasing within individual bits of a CSR.

Walk a 1 through each CSR by flipping 1 bit at a time.
Read the CSR back and check for correctness while adhering to its access policies.
This verify that writing a specific bit within the CSR did not affect any of the other bits.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_aliasing`

Test: pwrmgr_csr_aliasing

Verify no aliasing within the CSR address space.

Loop through each CSR to write it with a random value
Shuffle and read ALL CSRs back.
All CSRs except for the one that was written in this iteration should read back the previous value.
The CSR that was written in this iteration is checked for correctness while adhering to its access policies.
It is mandatory to run this test for all available interfaces the CSRs are accessible from.
Shuffle the list of CSRs first to remove the effect of ordering.

`csr_mem_rw_with_rand_reset`

Test: pwrmgr_csr_mem_rw_with_rand_reset

Verify random reset during CSR/memory access.

Run csr_rw sequence to randomly access CSRs
If memory exists, run mem_partial_access in parallel with csr_rw
Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value
It is mandatory to run this test for all available interfaces the CSRs are accessible from.

`regwen_csr_and_corresponding_lockable_csr`

Tests:

pwrmgr_csr_rw
pwrmgr_csr_aliasing

Verify regwen CSR and its corresponding lockable CSRs.

Randomly access all CSRs
Test when regwen CSR is set, its corresponding lockable CSRs become read-only registers

Note:

If regwen CSR is HW read-only, this feature can be fully tested by common CSR tests - csr_rw and csr_aliasing.
If regwen CSR is HW updated, a separate test should be created to test it.

This is only applicable if the block contains regwen and locakable CSRs.

Stage V2 Testpoints

`wakeup`

Test: pwrmgr_wakeup

Test random wakeup, wakeup_en, wake_info_capture_dis, and interrupt.

The different wakeup inputs can be disabled via bits in the wakeup_en CSR. Update of wakeup_info can be disabled via the wake_info_capture_dis CSR. Any wakeup causes an interrupt unless interrupts are disabled.

Stimulus:

Sets wakeup_en randomly but don’t set it to zero, or the test will timeout.
Set wake_info_capture_dis randomly on and off.
Bring pwrmgr to low power.
Set wakeups_i inputs randomly.
Set intr_enable randomly.

Checks:

The fast fsm becomes active when fetch_en_o output rises.
Depending on wakeups_i:
- If all wakeups are disabled, wait some time checking the state remains inactive.
- Set wakeups_i so at least one is enabled.
Checks wakeup_status CSR during transition to active state since the reset involved will clear the wakeups_i input.
Checks the wake_info CSR.
Checks the output pwr_rst_req.reset_cause is LowPwrEntry.
Check that intr_wakeup_o is set according to intr_enable CSR.
Coverage collected by wakeup_cg and wakeup_intr_cg.

`control_clks`

Test: pwrmgr_wakeup

Test CSR control of peripheral clocks during low power.

The peripheral clocks can be configured to remain on or be turned off during low power with bits in the control CSR register. The usb clock can also be configured off in active mode.

Stimulus:

Sets these control bits at random.
Cause a low power transition and wakeup.

Checks:

The clock enable outputs to the AST clocks during a low power transition match the control bits.
The usb clock enable is also checked during active mode against the control register.

`aborted_low_power`

Tests:

pwrmgr_aborted_low_power
pwrmgr_lowpower_invalid

Test aborted low power transitions.

Low power transitions can be aborted in two cases:

The processor gets an interrupt soon after a low power entry is triggered.
OTP, LC, or FLASH are not idle. This test aborts low power transitions, and disables any wakeups, so the test would timeout if low power was entered.

Stimulus:

Bring pwrmgr to low power.
Either disable pwr_cpu.core_sleeping or keep some of lc_idle, otp_idle, or flash_idle inputs off.
Disable all wakeup enables.
Randomly set wakeup_info_capture_dis CSR.

Checks:

The ctrl_cfg_regwen CSR reads as 1 on the first attempt.
Checks the output pwr_rst_req.reset_cause doesn’t change for a bounded amount of time.
Check that the wakeup_info CSR flags either fall_through or abort events when capture is enabled.

`reset`

Tests:

pwrmgr_reset
pwrmgr_reset_invalid

Test random reset and reset_en.

Conditional reset inputs can be disabled via bits in the reset_en CSR, while escalation and main power are unconditional. Resets can be triggered either in active or low power state.

Stimulus:

Sets reset_en randomly.
Randomly choose whether to put the unit in low power mode.
Generate resets randomly in value and time:
- Conditionals via rstreqs_i,
- Main power glitch via rst_main_ni.
- Escalation via esc_rst_tx_i.
- Sw reset from rstmgr via sw_rst_req_i.

Checks:

The fast fsm becomes active when fetch_en_o output rises.
Checks the reset_status CSRs.
Checks ip_clk_en output has a low transition.
SVA that when pwr_rst_req.reset_cause is HwReq, and the output pwr_rst_req.rstreqs matches the unconditional and enabled conditional resets inputs.

`main_power_glitch_reset`

Test: pwrmgr_reset

Test reset due to a glitch in main power.

A power glitch causes an unconditional reset.

Stimulus:

Set the rst_main_ni input low indicating a main power glitch.

Checks:

The fast fsm becomes active when fetch_en_o output rises.
Checks the reset_status CSRs.
Checks ip_clk_en output has a low transition.
Checks the output pwr_rst_req.reset_cause matches HwReq.
Checks the output pwr_rst_req.rstreqs matches power glitch.

`reset_wakeup_race`

Test: pwrmgr_wakeup_reset

Test wakeup from low power and reset request almost coinciding.

If a wakeup from low power and a reset occur at nearly the same time the system handles them one at a time.

Stimulus:

Trigger reset and wakeup from low power as described for other testpoints.
Issue reset and wakeup a random number of cycles after the slow state machine is in LowPower state.
- This also checks them coinciding.

Check:

Similar tests as for the wakeup and reset testpoints, except making sure they happen per the triggering order.

`lowpower_wakeup_race`

Test: pwrmgr_lowpower_wakeup_race

Test wakeups coming close to lowpower entry.

If low power entry and a wakeup are closely aligned the hardware could get confused. Notice this is very unlikely, since wakeup is only sensed when the slow fsm is in LowPower state.

Stimulus:

Trigger low power entry as described for other testpoints.
Have all wakeups enabled.
Assert wakeups_i in the temporal neighborhood of low power entry.

Check:

No timeout occurs.
Either pwrmgr remains active or a full low power cycle occurs.

`disable_rom_integrity_check`

Test: pwrmgr_disable_rom_integrity_check

Test rom integrity check is disabled under life cycle test states.

While running a series of reset event, at FastPwrStateRomCheck state,

Drive lc_hw_debug_en_i and lc_dft_en_i to random value excluding {lc_ctrl_pkg::On, lc_ctrl_pkg::On} for both ports.
Set rom_ctrl_i.good = Mubi4False.
Wait for a while to make sure fsm state check is not FastPwrStateActive.

Then,

Drive lc_hw_debug_en_i and lc_dft_en_i to {lc_ctrl_pkg::On, lc_ctrl_pkg::On}
Check test finish gracefully.

Try these steps with different lc_ctrl inputs.

`stress_all`

Test: pwrmgr_stress_all

This runs random sequences in succession.

Randomly chooses from the following sequences:

pwrmgr_aborted_low_power_vseq
pwrmgr_lowpower_wakeup_race_vseq
pwrmgr_reset_vseq
pwrmgr_smoke_vseq
pwrmgr_wakeup_reset_vseq
pwrmgr_wakeup_vseq

`intr_test`

Test: pwrmgr_intr_test

Verify common intr_test CSRs that allows SW to mock-inject interrupts.

Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s).
Randomly “turn on” interrupts by writing random value(s) to intr_test CSR(s).
Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR.
Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set.
Clear a random set of interrupts by writing a randomly value to intr_state CSR(s).
Repeat the above steps a bunch of times.

`tl_d_oob_addr_access`

Test: pwrmgr_tl_errors

Access out of bounds address and verify correctness of response / behavior

`tl_d_illegal_access`

Test: pwrmgr_tl_errors

Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the TLUL spec

TL-UL protocol error cases
- invalid opcode
- some mask bits not set when opcode is PutFullData
- mask does not match the transfer size, e.g. a_address = 0x00, a_size = 0, a_mask = 'b0010
- mask and address misaligned, e.g. a_address = 0x01, a_mask = 'b0001
- address and size aren’t aligned, e.g. a_address = 0x01, a_size != 0
- size is greater than 2
OpenTitan defined error cases
- access unmapped address, expect d_error = 1
- write a CSR with unaligned address, e.g. a_address[1:0] != 0
- write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
- write a memory with a_mask != '1 when it doesn’t support partial accesses
- read a WO (write-only) memory
- write a RO (read-only) memory
- write with instr_type = True

`tl_d_outstanding_access`

Tests:

pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding

Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.

`tl_d_partial_access`

Tests:

pwrmgr_csr_hw_reset
pwrmgr_csr_rw
pwrmgr_csr_aliasing
pwrmgr_same_csr_outstanding

Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields.

Stage V2S Testpoints

`tl_intg_err`

Tests:

pwrmgr_tl_intg_err
pwrmgr_sec_cm

Verify that the data integrity check violation generates an alert.

Randomly inject errors on the control, data, or the ECC bits during CSR accesses. Verify that triggers the correct fatal alert.
Inject a fault at the onehot check in u_reg.u_prim_reg_we_check and verify the corresponding fatal alert occurs

`prim_count_check`

Test: pwrmgr_sec_cm

Verify that violating prim_count counter properties generate a fatal alert.

Stimulus:

At the falling edge (non-active edge), force the counter to a different value than expected.
Randomly force the counter back to a normal value to ensure the error is latched and won’t go away until reset.
Within the next few cycles, the violation of hardened counter property should generate a fatal alert.
Repeat for ALL prim_count instances in the DUT.

Checks:

Check that fatal alert is triggered.
Check that err_code/fault_status is updated correctly and preserved until reset.
Verify any operations that follow fail (as applicable).

`prim_fsm_check`

Test: pwrmgr_sec_cm

Verify that entering to an undefined state generates a fatal alert.

Stimulus:

Backdoor force the FSM to any of the undefined values.
Randomly force the FSM back to a defined state to ensure the error is latched and won’t go away until reset.
Within the next few cycles, the FSM landing in an invalid state should trigger a fatal alert.
Repeat for ALL prim_fsm instances in the DUT.

Checks:

Check that fatal alert is triggered.
Check that err_code/fault_status is updated correctly and preserved until reset.
Verify any operations that follow fail (as applicable).

`sec_cm_bus_integrity`

Test: pwrmgr_tl_intg_err

Verify the countermeasure(s) BUS.INTEGRITY. This entry is covered by tl_access_test (hw/dv/tools/dvsim/tests/tl_access_tests.hjson)

`sec_cm_lc_ctrl_intersig_mubi`

Test: pwrmgr_sec_cm_lc_ctrl_intersig_mubi

Verify the countermeasure(s) LC_CTRL.INTERSIG.MUBI.

Stimulus:

Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow state.
Drive lc_hw_debug_en_i and lc_dft_en_i with mixed valid and invalid values.

Check:

Collect coverage by binding cip_mubi_cov_if to tb.dut.lc_hw_debug_en_i and tb.dut.lc_dft_en_i
Add assertion to check whether rom_intg_chk_dis is set to ‘1’ only when lc_dft_en_i or lc_hw_debug_en_i is high.

`sec_cm_rom_ctrl_intersig_mubi`

Test: pwrmgr_sec_cm_rom_ctrl_intersig_mubi

Verify the countermeasure(s) ROM_CTRL.INTERSIG.MUBI.

Stimulus:

Use comprehensive stimulus - reset and wakeup - as background traffic to ensure this counter measure is valid for various states of fast and slow fsm.
Drive rom_ctrl_i with mixed valid and invalid values.

Check:

Collect coverage by binding cip_mubi_cov_if to tb.dut.rom_ctrl_i

`sec_cm_rstmgr_intersig_mubi`

Test: pwrmgr_sec_cm_rstmgr_intersig_mubi

Verify the countermeasure(s) RSTMGR.INTERSIG.MUBI.

Stimulus:

Drive tb.dut.sw_rst_req_i with mixed valid and invalid values

Check:

See sw rst only happens when dut gets valid value by probing fast fsm state. The state has to move low power state.
Collect coverage by binding cip_mubi_cov_if to tb.dut.sw_rst_req_i

`sec_cm_esc_rx_clk_bkgn_chk`

Test: pwrmgr_esc_clk_rst_malfunc

Verify the countermeasure(s) ESC_RX.CLK.BKGN_CHK.

Stimulus:

At FastPwrStateActive state, create escalation clock or reset failure by stopping clock or asserting reset.

Check:

Expecting fatal alert event and rstreqs[ResetEscIdx].
Add assertion to see if u_esc_timeout happens, then rstreqs[ResetEscIdx] should be asserted.
After the alert agent processese the alert by asserting escalation reset, see if dut is back to normal operation state.

`sec_cm_esc_rx_clk_local_esc`

Test: pwrmgr_sec_cm

Verify the countermeasure(s) ESC_RX.CLK.LOCAL_ESC.

This is triggered by common cm primitives (SecCmPrimCount). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives)

Check:

Detect fast state transition to FastPwrStateResetPrep.
Add assertion to check if u_sec_timeout happens, then rstreqs[ResetEscIdx] should be asserted.

`sec_cm_fsm_sparse`

Test: pwrmgr_sec_cm

Verify the countermeasure(s) FSM.SPARSE. This is triggered by common cm primitives (SecCmPrimSparseFsmFlop). (https://github.com/lowRISC/opentitan/blob/master /hw/dv/sv/cip_lib/doc/index.md#security-verification -for-common-countermeasure-primitives)

`sec_cm_fsm_terminal`

Test: pwrmgr_sec_cm

Verify the countermeasure(s) FSM.TERMINAL.

This is caused by any invalid (slow|fast) state.

Check:

If slow state is invalid, fast state becomes FastPwrStateInvalid, pwr_ast_o.pwr_clamp =1 and pwr_ast_o.main_pd_n = 0.
If fast state is invalid, pwr_rst_o.rst_lc_req is all one, pwr_rst_o.rst_sys_req is all one and pwr_clk_o = 0. Dut should be recovered by asserting rst_n = 0.

`sec_cm_ctrl_flow_global_esc`

Test: pwrmgr_global_esc

Verify the countermeasure(s) CTRL_FLOW.GLOBAL_ESC.

Stimulus:

Send escalation request to esc_rst_tx_i

Check:

Check fast state transition to FastPwrStateResetPrep
Add assertion to see if we get pwr_rst_o.rstreqs[ResetEscIdx] set when dut receives esc_rst_tx_i

`sec_cm_main_pd_rst_local_esc`

Test: pwrmgr_glitch

Verify the countermeasure(s) MAIN_PD.RST.LOCAL_ESC.

Stimulus:

Create power reset glitch by setting tb.dut.rst_main_ni and tb.dut.pwr_ast_i.main_pok to 0

Check:

Check fast state transition to FastPwrStateResetPrep
Add assertion to see if we get pwr_rst_o.rstreqs[ResetMainPwrIdx]

`sec_cm_ctrl_config_regwen`

Test: pwrmgr_sec_cm_ctrl_config_regwen

Verify the countermeasure(s) CTRL.CONFIG.REGWEN.

Stimulus:

Initiate low power transition by setting PWRMGR.CONTROL.LOW_POWER_HINT to 1. Wait for a few cycle to ensure the csr value propagates to slow clock domain. Then issue csr write to PWRMGR.CONTROL

Check:

After the csr update under PWRMGR.CTRL_CFG_REGWEN = 0, read back and check the value is not updated by the csr update attempt.

`sec_cm_wakeup_config_regwen`

Test: pwrmgr_csr_rw

Verify the countermeasure(s) WAKEUP.CONFIG.REGWEN.

This is covered by auto csr test.

`sec_cm_reset_config_regwen`

Test: pwrmgr_csr_rw

Verify the countermeasure(s) RESET.CONFIG.REGWEN.

This is covered by auto csr test.

Stage V3 Testpoints

`escalation_timeout`

Test: pwrmgr_escalation_timeout

This tests the escalation timeout feature.

If the escalation network doesn’t respond to an outgoing “health” requests within 128 cycles pwrmgr should issue an escalation reset request.

Stimulus:

Cause the external escalation network to stop responding, either disabling the clock or jamming the differential pairs.

Check:

After 128 cycles of inactivity an escalation reset should be triggered.

`stress_all_with_rand_reset`

Test: pwrmgr_stress_all_with_rand_reset

This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers.

Covergroups

control_cg

Collects coverage on clock and power bits from control CSR during a lowpower transition and active state.

esc_reset_cg

Collects coverage on resets due to escalation.

Covergroup contains a coverpoint for the input esc_rst_tx_i that triggers an escalation reset, and whether this reset is asserted during low power state.

hw_reset_0_cg

Collects coverage related to external reset 0.

Covergroup contains coverpoints for the rstreqs_i[0] external reset input, its corresponding bit in reset_en CSR, and whether this reset is asserted during low power state, and suitable crosses.

hw_reset_1_cg

Collects coverage related to external reset 1.

Covergroup contains coverpoints for the rstreqs_i[1] external reset input, its corresponding bit in reset_en CSR, and whether this reset is asserted during low power state, and suitable crosses.

main_power_reset_cg

Collects coverage on resets due to a main power glitch.

Covergroup contains a coverpoint for the input rst_main_i that triggers a power glitch reset, and whether this reset is asserted during low power state.

regwen_val_when_new_value_written_cg

Cover each lockable reg field with these 2 cases:

When regwen = 1, a different value is written to the lockable CSR field, and a read occurs after that.
When regwen = 0, a different value is written to the lockable CSR field, and a read occurs after that.

This is only applicable if the block contains regwen and locakable CSRs.

reset_wakeup_distance_cg

Covergroup contains a coverpoint for the difference between the cycles when the reset and the wakeup were received in the inputs. The difference is positive when reset happened after wakeup, and zero when the two happened at the same clock cycle.

rstmgr_sw_reset_cg

Collects coverage on the software reset from rstmgr.

Covergroup contains a coverpoint for the input sw_rst_req_i from rstmgr.

tl_errors_cg

Cover the following error cases on TL-UL bus:

TL-UL protocol error cases.
OpenTitan defined error cases, refer to testpoint tl_d_illegal_access.

tl_intg_err_cg

Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check.

Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied.

wakeup_ctrl_cg

Collects coverage on wakeup enable and capture functionality.

This is collected per individual wakeup bit. Covergroup contains coverpoints for the wakeup_en CSR bit, wakeup_info_capture_dis CSR, wakeups_i input bit, and wakeup_status CSR bit, and their cross.

wakeup_intr_cg

Collects coverage on interrupts for wakeup functionality.

This is collected per individual wakeup bit. Covergroup contains coverpoints for the intr_en CSR, the wakeup_status CSR bit, the intr_status CSR, the output intr_wakeup port, and their cross.