Software APIs
all_escalation_resets_test.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 // This test triggers a regfile integrity error from the SV side for any
6 // random IP instance. The alert handler is programmed to trigger a specific
7 // alert for the corresponding IP.
8 //
9 // The test checks that the alert handler state indicates the correct alert
10 // prior to the alert, which is checked in the alert triggered NMI. The
11 // test also checks that the alert handler cleared that state after reset.
12 // It also checks that for some IPs the corresponding bit in the fatal error
13 // CSR is set in the interrupt, and it is also cleared after reset.
14 //
15 // For extra checking, the rstmgr is configured to capture the alert info
16 // on reset, which is also used to check the alert cause is as expected.
17 //
18 // If the fault is injected in the retention SRAM, we perform an additional
19 // access check to make sure that local escalation blocks any SRAM accesses
20 // correctly.
21 //
22 // As a backup the aon timer is programmed to bark and bite, but these are
23 // expected not to happen since the escalation takes precedence.
24 
25 #include <assert.h>
26 #include <limits.h>
27 #include <stdbool.h>
28 #include <stdint.h>
29 
30 #if defined(OPENTITAN_IS_EARLGREY)
31 #include "dt/dt_adc_ctrl.h" // Generated
32 #include "dt/dt_entropy_src.h" // Generated
33 #include "dt/dt_flash_ctrl.h" // Generated
34 #include "dt/dt_keymgr.h" // Generated
35 #include "dt/dt_pattgen.h" // Generated
36 #include "dt/dt_pwm.h" // Generated
37 #include "dt/dt_sensor_ctrl.h" // Generated
38 #include "dt/dt_sysrst_ctrl.h" // Generated
39 #include "dt/dt_usbdev.h" // Generated
40 #include "sw/device/lib/dif/dif_flash_ctrl.h"
41 
42 #include "flash_ctrl_regs.h" // Generated
43 #elif defined(OPENTITAN_IS_DARJEELING)
44 #include "dt/dt_keymgr_dpe.h" // Generated
45 #else
46 #error "all_escalation_resets_test does not support this top"
47 #endif
48 
49 #include "dt/dt_aes.h" // Generated
50 #include "dt/dt_alert_handler.h" // Generated
51 #include "dt/dt_aon_timer.h" // Generated
52 #include "dt/dt_api.h" // Generated
53 #include "dt/dt_clkmgr.h" // Generated
54 #include "dt/dt_csrng.h" // Generated
55 #include "dt/dt_edn.h" // Generated
56 #include "dt/dt_gpio.h" // Generated
57 #include "dt/dt_hmac.h" // Generated
58 #include "dt/dt_i2c.h" // Generated
59 #include "dt/dt_kmac.h" // Generated
60 #include "dt/dt_lc_ctrl.h" // Generated
61 #include "dt/dt_otbn.h" // Generated
62 #include "dt/dt_otp_ctrl.h" // Generated
63 #include "dt/dt_pinmux.h" // Generated
64 #include "dt/dt_pwrmgr.h" // Generated
65 #include "dt/dt_rom_ctrl.h" // Generated
66 #include "dt/dt_rstmgr.h" // Generated
67 #include "dt/dt_rv_core_ibex.h" // Generated
68 #include "dt/dt_rv_dm.h" // Generated
69 #include "dt/dt_rv_plic.h" // Generated
70 #include "dt/dt_rv_timer.h" // Generated
71 #include "dt/dt_spi_device.h" // Generated
72 #include "dt/dt_spi_host.h" // Generated
73 #include "dt/dt_sram_ctrl.h" // Generated
74 #include "sw/device/lib/base/abs_mmio.h"
75 #include "sw/device/lib/base/bitfield.h"
76 #include "sw/device/lib/base/math.h"
77 #include "sw/device/lib/base/mmio.h"
78 #include "sw/device/lib/dif/dif_aes.h"
79 #include "sw/device/lib/dif/dif_alert_handler.h"
80 #include "sw/device/lib/dif/dif_aon_timer.h"
81 #include "sw/device/lib/dif/dif_clkmgr.h"
82 #include "sw/device/lib/dif/dif_kmac.h"
83 #include "sw/device/lib/dif/dif_lc_ctrl.h"
84 #include "sw/device/lib/dif/dif_otp_ctrl.h"
85 #include "sw/device/lib/dif/dif_pwrmgr.h"
86 #include "sw/device/lib/dif/dif_rom_ctrl.h"
87 #include "sw/device/lib/dif/dif_rstmgr.h"
88 #include "sw/device/lib/dif/dif_rv_core_ibex.h"
89 #include "sw/device/lib/dif/dif_rv_plic.h"
90 #include "sw/device/lib/dif/dif_sram_ctrl.h"
91 #include "sw/device/lib/runtime/ibex.h"
92 #include "sw/device/lib/runtime/irq.h"
93 #include "sw/device/lib/runtime/log.h"
94 #include "sw/device/lib/testing/alert_handler_testutils.h"
95 #include "sw/device/lib/testing/aon_timer_testutils.h"
96 #include "sw/device/lib/testing/rand_testutils.h"
97 #include "sw/device/lib/testing/ret_sram_testutils.h"
98 #include "sw/device/lib/testing/rstmgr_testutils.h"
99 #include "sw/device/lib/testing/rv_plic_testutils.h"
100 #include "sw/device/lib/testing/test_framework/FreeRTOSConfig.h"
101 #include "sw/device/lib/testing/test_framework/check.h"
102 #include "sw/device/lib/testing/test_framework/ottf_main.h"
103 
104 #include "alert_handler_regs.h" // Generated
105 
106 OTTF_DEFINE_TEST_CONFIG();
107 
108 // This location will be update from SV to contain the expected alert.
109 static volatile const uint8_t kExpectedAlertNumber = 0;
110 
111 // Used for checking whether a load access exception has occurred.
112 static volatile bool load_access_exception_seen = false;
113 
114 // Used for checking whether a regular alert interrupt has been seen.
115 static volatile bool alert_irq_seen = false;
116 
117 // The function to check the fault status.
118 typedef void (*FaultCheckerFunction)(bool, const char *inst, const char *type);
119 
120 typedef struct fault_checker {
121  FaultCheckerFunction function;
122  const char *ip_inst;
123  const char *type;
124 } fault_checker_t;
125 
126 // This preserves the fault checker across multiple resets.
127 OT_SET_BSS_SECTION(".non_volatile_scratch", uint64_t nv_fault_checker[3];)
128 
129 // This is the fault checker to be used. It is saved and retrieved from
130 // Retention SRAM to preserve it across resets.
131 fault_checker_t fault_checker;
132 
133 // Alert class to use for the test. Will be chosen randomly by the test SW.
134 static volatile dif_alert_handler_class_t alert_class_to_use;
135 
136 static volatile uint32_t reset_count;
137 
138 enum {
139  // Counter for resets.
140  kCounterReset,
141  // Counter for regular interrupts.
142  kCounterInterrupt,
143  // Counter for NMIs.
144  kCounterNmi,
145 };
146 
147 /**
148  * Program the alert handler to escalate on alerts through NMI and then reset.
149  * Also program the aon timer with:
150  * - bark after escalation starts, so the interrupt is suppressed by escalation,
151  * - bite after escalation reset, so we should not get timer reset.
152  */
153 enum {
154  // Note that the escalation phase times below define the length of each phase,
155  // not when they start.
156  // The starting time is given by the aggregate of previous phase lengths, and
157  // is noted with @ below.
158  // @0 us -> in this phase we will not do anything so that the exception
159  // handlers have time to execute.
160  kEscalationPhase0Micros = 200,
161  // @200 us -> in this phase we will raise an NMI
162  kEscalationPhase1Micros = 200,
163  // @400 us -> in this phase we will assert lc_escalate_en
164  kEscalationPhase2Micros = 200,
165  // @600 us -> in this phase we will reset the chip
166  kEscalationPhase3Micros = 200,
167  // These are set so that both events happen in Phase2 of the escalation
168  // protocol, which asserts lc_escalate_en. That should prevent the Wdog
169  // from running and sending out an NMI on its own (we check in the NMI
170  // handler below that this does not happen).
171  kWdogBarkMicros = 450,
172  kWdogBiteMicros = 500,
173  kTestTimeout = 1000, // 1000 us
174  kMaxResets = 2,
175  kMaxInterrupts = 30,
176 };
177 
178 static_assert(
179  kWdogBarkMicros < kWdogBiteMicros &&
180  kWdogBarkMicros > (kEscalationPhase0Micros + kEscalationPhase1Micros),
181  "The wdog bite shall after the NMI phase when lc_escalate_en is asserted");
182 
183 /**
184  * SRAM address used in the test below.
185  */
186 static uint32_t kSramRetStart;
187 
188 /**
189  * Objects to access the peripherals used in this test via dif/dt APIs.
190  */
191 // Top-specific objects
192 #if defined(OPENTITAN_IS_EARLGREY)
193 static dif_flash_ctrl_state_t flash_ctrl_state;
194 dt_flash_ctrl_t kFlashCtrlDt = (dt_flash_ctrl_t)0;
195 static_assert(kDtFlashCtrlCount >= 1, "This test requires a Flash Ctrl");
196 static dif_rom_ctrl_t rom_ctrl;
197 static dt_rom_ctrl_t kRomCtrlDt = (dt_rom_ctrl_t)0;
198 static_assert(kDtRomCtrlCount >= 1, "This test requires a ROM CTRL");
199 
200 static const char *flash_fatal_check = "flash_fatal_check";
201 #elif defined(OPENTITAN_IS_DARJEELING)
202 static dif_sram_ctrl_t sram_ctrl_mbox;
203 static dt_sram_ctrl_t kSramCtrlMboxDt = kDtSramCtrlMbox;
204 static dif_rom_ctrl_t rom_ctrl0;
205 static dif_rom_ctrl_t rom_ctrl1;
206 static dt_rom_ctrl_t kRomCtrl0Dt = kDtRomCtrl0;
207 static dt_rom_ctrl_t kRomCtrl1Dt = kDtRomCtrl1;
208 #else
209 #error "all_escalation_resets_test does not support this top"
210 #endif
211 
212 // Top-agnostic objects
213 static const uint32_t kPlicTarget = 0;
214 
215 static dif_aes_t aes;
216 static dif_alert_handler_t alert_handler;
217 static dif_aon_timer_t aon_timer;
218 static dif_clkmgr_t clkmgr;
219 static dif_kmac_t kmac;
220 static dif_lc_ctrl_t lc_ctrl;
221 static dif_otp_ctrl_t otp_ctrl;
222 static dif_pwrmgr_t pwrmgr;
223 static dif_rstmgr_t rstmgr;
224 static dif_rv_core_ibex_t rv_core_ibex;
225 static dif_rv_plic_t plic;
226 static dif_sram_ctrl_t sram_ctrl_main;
227 static dif_sram_ctrl_t sram_ctrl_ret;
228 
229 static dt_aes_t kAesDt = (dt_aes_t)0;
230 static_assert(kDtAesCount >= 1, "This test requires an AES");
231 static dt_alert_handler_t kAlertHandlerDt = (dt_alert_handler_t)0;
232 static_assert(kDtAlertHandlerCount >= 1, "This test needs an Alert Handler");
233 static dt_aon_timer_t kAonTimerDt = kDtAonTimerAon;
234 static dt_clkmgr_t kClkmgrDt = kDtClkmgrAon;
235 static dt_kmac_t kKmacDt = (dt_kmac_t)0;
236 static_assert(kDtKmacCount >= 1, "This test requires a KMAC instance");
237 static dt_lc_ctrl_t kLcCtrlDt = (dt_lc_ctrl_t)0;
238 static_assert(kDtLcCtrlCount >= 1, "This test requries a LC CTRL");
239 static dt_otp_ctrl_t kOtpCtrlDt = (dt_otp_ctrl_t)0;
240 static_assert(kDtOtpCtrlCount >= 1, "This test requires an OTP CTRL");
241 static dt_pwrmgr_t kPwrmgrDt = kDtPwrmgrAon;
242 static dt_rstmgr_t kRstmgrDt = kDtRstmgrAon;
243 static dt_rv_core_ibex_t kRvCoreIbexDt = (dt_rv_core_ibex_t)0;
244 static_assert(kDtRvCoreIbexCount >= 1, "This test requires an Ibex core");
245 static dt_rv_plic_t kRvPlicDt = (dt_rv_plic_t)0;
246 static_assert(kDtRvPlicCount >= 1, "This test requries an RV PLIC instance");
247 static dt_sram_ctrl_t kSramCtrlMainDt = kDtSramCtrlMain;
248 static dt_sram_ctrl_t kSramCtrlRetAonDt = kDtSramCtrlRetAon;
249 
250 static const char *sparse_fsm_check = "prim_sparse_fsm_flop";
251 static const char *we_check = "prim_reg_we_check";
252 static const char *rst_cnsty_check = "rst_cnsty_check";
253 static const char *sw_alert_check = "sw_fatal_alert_check";
254 
255 /**
256  * Utilities for saving & restoring the fault checker to/from non-volatile SRAM
257  * so it persists across resets.
258  */
259 static void save_fault_checker(fault_checker_t *fault_checker) {
260  uint32_t function_addr = (uint32_t)(fault_checker->function);
261  uint32_t ip_inst_addr = (uint32_t)(fault_checker->ip_inst);
262  uint32_t type_addr = (uint32_t)(fault_checker->type);
263  CHECK_STATUS_OK(ret_sram_testutils_scratch_write(0, 1, &function_addr));
264  CHECK_STATUS_OK(ret_sram_testutils_scratch_write(1, 1, &ip_inst_addr));
265  CHECK_STATUS_OK(ret_sram_testutils_scratch_write(2, 1, &type_addr));
266 }
267 
268 static void restore_fault_checker(fault_checker_t *fault_checker) {
269  CHECK_STATUS_OK(ret_sram_testutils_scratch_read(
270  0, 1, (uint32_t *)&(fault_checker->function)));
271  CHECK_STATUS_OK(ret_sram_testutils_scratch_read(
272  1, 1, (uint32_t *)&(fault_checker->ip_inst)));
273  CHECK_STATUS_OK(ret_sram_testutils_scratch_read(
274  2, 1, (uint32_t *)&(fault_checker->type)));
275 }
276 
277 // Instance name definitions. TODO: It would be handy to generate these.
278 #if defined(OPENTITAN_IS_EARLGREY)
279 static const char *adc_ctrl_inst_name = "adc_ctrl";
280 static const char *entropy_src_inst_name = "entropy_src";
281 static const char *flash_ctrl_inst_name = "flash_ctrl";
282 static const char *i2c1_inst_name = "i2c1";
283 static const char *i2c2_inst_name = "i2c2";
284 static const char *keymgr_inst_name = "keymgr";
285 static const char *pattgen_inst_name = "pattgen";
286 static const char *pwm_inst_name = "pwm";
287 static const char *rom_ctrl_inst_name = "rom_ctrl";
288 static const char *sensor_ctrl_inst_name = "sensor_ctrl";
289 static const char *spi_host1_inst_name = "spi_host1";
290 static const char *sysrst_ctrl_inst_name = "sysrst_ctrl";
291 static const char *uart1_inst_name = "uart1";
292 static const char *uart2_inst_name = "uart2";
293 static const char *uart3_inst_name = "uart3";
294 static const char *usbdev_inst_name = "usbdev";
295 #elif defined(OPENTITAN_IS_DARJEELING)
296 static const char *keymgr_dpe_inst_name = "keymgr_dpe";
297 static const char *sram_ctrl_mbox_inst_name = "sram_ctrl_mbox";
298 static const char *rom_ctrl0_inst_name = "rom_ctrl0";
299 static const char *rom_ctrl1_inst_name = "rom_ctrl1";
300 #else
301 #error "all_escalation_resets_test does not support this top"
302 #endif
303 
304 static const char *aes_inst_name = "aes";
305 static const char *aon_timer_inst_name = "aon_timer";
306 static const char *clkmgr_inst_name = "clkmgr";
307 static const char *csrng_inst_name = "csrng";
308 static const char *edn0_inst_name = "edn0";
309 static const char *edn1_inst_name = "edn1";
310 static const char *gpio_inst_name = "gpio";
311 static const char *hmac_inst_name = "hmac";
312 static const char *i2c0_inst_name = "i2c0";
313 static const char *kmac_inst_name = "kmac";
314 // TODO: test lc_ctrl fatal_state, alert 17.
315 static const char *lc_ctrl_inst_name = "lc_ctrl";
316 static const char *otbn_inst_name = "otbn";
317 static const char *otp_ctrl_inst_name = "otp_ctrl";
318 static const char *pinmux_inst_name = "pinmux";
319 static const char *pwrmgr_inst_name = "pwrmgr";
320 static const char *rstmgr_inst_name = "rstmgr";
321 // TODO: test rv_core_ibex fatal SW error, alert 57.
322 static const char *rv_core_ibex_inst_name = "rv_core_ibex";
323 static const char *rv_dm_inst_name = "rv_dm";
324 static const char *rv_plic_inst_name = "rv_plic";
325 static const char *rv_timer_inst_name = "rv_timer";
326 static const char *spi_host0_inst_name = "spi_host0";
327 static const char *spi_device_inst_name = "spi_device";
328 static const char *sram_ctrl_main_inst_name = "sram_ctrl_main";
329 static const char *sram_ctrl_ret_inst_name = "sram_ctrl_ret";
330 static const char *uart0_inst_name = "uart0";
331 
332 /**
333  * Define fault checkers used for checking faults in different IPs
334  * during the test.
335  */
336 static void trivial_fault_checker(bool enable, const char *ip_inst,
337  const char *type) {
338  CHECK(enable == enable);
339 }
340 
341 static void generic_rom_ctrl_fault_checker(bool enable, const char *ip_inst,
342  const char *type,
343  dif_rom_ctrl_t *dif) {
344  dif_rom_ctrl_fatal_alert_causes_t codes;
345  CHECK_DIF_OK(dif_rom_ctrl_get_fatal_alert_cause(dif, &codes));
346  uint32_t expected_codes =
347  enable ? bitfield_bit32_write(0, kDifRomCtrlFatalAlertCauseIntegrityError,
348  true)
349  : 0;
350  CHECK(codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
351  ip_inst, codes, expected_codes);
352 }
353 
354 static void generic_sram_ctrl_fault_checker(const dif_sram_ctrl_t *sram_ctrl,
355  bool enable, const char *ip_inst,
356  const char *type) {
357  dif_sram_ctrl_status_bitfield_t codes;
358  CHECK_DIF_OK(dif_sram_ctrl_get_status(sram_ctrl, &codes));
359  uint32_t expected_codes = enable ? kDifSramCtrlStatusBusIntegErr : 0;
360  CHECK(codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
361  ip_inst, codes, expected_codes);
362 }
363 
364 // Fault checkers for Top-specific IP
365 #if defined(OPENTITAN_IS_EARLGREY)
366 static void flash_ctrl_fault_checker(bool enable, const char *ip_inst,
367  const char *type) {
368  dif_flash_ctrl_faults_t faults;
369  CHECK_DIF_OK(dif_flash_ctrl_get_faults(&flash_ctrl_state, &faults));
370  uint32_t fault_code = (type == we_check) ? faults.register_integrity_error
371  : faults.host_gnt_error;
372 
373  CHECK(fault_code == enable, "For %s got codes 0x%x, expected 0x%x", ip_inst,
374  fault_code, enable);
375 }
376 
377 static void flash_ctrl_prim_fault_checker(bool enable, const char *ip_inst,
378  const char *type) {
379  dif_flash_ctrl_faults_t faults;
380  CHECK_DIF_OK(dif_flash_ctrl_get_faults(&flash_ctrl_state, &faults));
381 
382  CHECK(faults.memory_properties_error == 0,
383  "For flash memory_properties err exp 1 get 0");
384  CHECK(faults.read_error == 0, "For flash read err exp 1 get 0");
385  CHECK(faults.prog_window_error == 0, "For flash prog_window err exp 1 get 0");
386  CHECK(faults.prog_type_error == 0, "For flash prog_type err exp 1 get 0");
387  CHECK(faults.host_gnt_error == 0, "For flash host_gnt err exp 1 get 0");
388  CHECK(faults.host_gnt_error == 0, "For flash host_gnt err exp 1 get 0");
389  CHECK(faults.register_integrity_error == 0,
390  "For flash register_integrity err exp 1 get 0");
391  CHECK(faults.phy_integrity_error == 0,
392  "For flash phy_integrity err exp 1 get 0");
393  CHECK(faults.lifecycle_manager_error == 0,
394  "For flash lifecycle_manager err exp 1 get 0");
395  CHECK(faults.shadow_storage_error == 0,
396  "For flash shadow_storage err exp 1 get 0");
397 }
398 
399 /*
400 // TODO(#14518) keymgr cannot read fault_status register.
401 static void keymgr_fault_checker(bool enable) {
402  // Check the keymgr integrity fatal error code.
403  dif_kmac_status_t status;
404  CHECK_DIF_OK(dif_kmac_get_status(&keymgr, &codes));
405  if (enable) {
406  CHECK(status.faults == 1, "Got faults 0x%x", status.faults);
407  } else {
408  CHECK(status.faults == 0, "Got codes 0x%x", status.faults);
409  }
410 }
411 */
412 
413 static void keymgr_fault_checker(bool enable, const char *ip_inst,
414  const char *type) {
415  // TODO(#14518)
416  LOG_INFO("Expected alert %d keymgr fault check is yet unimplemented",
417  kDtKeymgrAlertFatalFaultErr);
418  trivial_fault_checker(enable, ip_inst, type);
419 }
420 
421 static void rom_ctrl_fault_checker(bool enable, const char *ip_inst,
422  const char *type) {
423  return generic_rom_ctrl_fault_checker(enable, ip_inst, type, &rom_ctrl);
424 }
425 #elif defined(OPENTITAN_IS_DARJEELING)
426 static void keymgr_dpe_fault_checker(bool enable, const char *ip_inst,
427  const char *type) {
428  // TODO(#14518)
429  LOG_INFO("Expected alert %d keymgr_dpe fault check is yet unimplemented",
430  kDtKeymgrDpeAlertFatalFaultErr);
431  trivial_fault_checker(enable, ip_inst, type);
432 }
433 
434 static void rom_ctrl0_fault_checker(bool enable, const char *ip_inst,
435  const char *type) {
436  return generic_rom_ctrl_fault_checker(enable, ip_inst, type, &rom_ctrl0);
437 }
438 
439 static void rom_ctrl1_fault_checker(bool enable, const char *ip_inst,
440  const char *type) {
441  return generic_rom_ctrl_fault_checker(enable, ip_inst, type, &rom_ctrl1);
442 }
443 
444 static void sram_ctrl_mbox_fault_checker(bool enable, const char *ip_inst,
445  const char *type) {
446  generic_sram_ctrl_fault_checker(&sram_ctrl_mbox, enable, ip_inst, type);
447 }
448 #else
449 #error "all_escalation_resets_test does not support this top"
450 #endif
451 
452 // Fault checkers for the remaining top-agnostic IP
453 static void aes_fault_checker(bool enable, const char *ip_inst,
454  const char *type) {
455  // Check the aes integrity fatal error code.
456  bool status;
457  CHECK_DIF_OK(dif_aes_get_status(&aes, kDifAesStatusAlertFatalFault, &status));
458  CHECK(status == enable, "For %s got 0x%x, expected 0x%x", ip_inst, status,
459  enable);
460 }
461 
462 static void clkmgr_fault_checker(bool enable, const char *ip_inst,
463  const char *type) {
464  // Check the clkmgr integrity fatal error code.
465  dif_clkmgr_fatal_err_codes_t codes;
466  CHECK_DIF_OK(dif_clkmgr_fatal_err_code_get_codes(&clkmgr, &codes));
467  uint32_t expected = enable ? kDifClkmgrFatalErrTypeRegfileIntegrity : 0;
468  CHECK(codes == expected, "For %s got codes 0x%x, expected 0x%x", ip_inst,
469  codes, expected);
470 }
471 
472 /*
473 // TODO(#14518) hmac cannot read fault_status register.
474 static void hmac_fault_checker(bool enable) {
475  // Check the hmac integrity fatal error code.
476  dif_kmac_status_t status;
477  CHECK_DIF_OK(dif_kmac_get_status(&keymgr, &codes));
478  if (enable) {
479  CHECK(status.faults == 1, "Got faults 0x%x", status.faults);
480  } else {
481  CHECK(status.faults == 0, "Got codes 0x%x", status.faults);
482  }
483 }
484 */
485 
486 static void hmac_fault_checker(bool enable, const char *ip_inst,
487  const char *type) {
488  // TODO(#14518)
489  LOG_INFO("Expected alert %d hmac fault check is yet unimplemented",
490  kDtHmacAlertFatalFault);
491  trivial_fault_checker(enable, ip_inst, type);
492 }
493 
494 static void kmac_fault_checker(bool enable, const char *ip_inst,
495  const char *type) {
496  // Check the kmac integrity fatal error code.
497  dif_kmac_status_t status;
498  uint32_t expected = enable ? 1 : 0;
499  CHECK_DIF_OK(dif_kmac_get_status(&kmac, &status));
500  CHECK(status.faults == expected, "For %s got codes 0x%x, expected 0x%x",
501  ip_inst, status.faults, expected);
502 }
503 
504 // This discriminates between the two faults based on type.
505 static void lc_ctrl_fault_checker(bool enable, const char *ip_inst,
506  const char *type) {
507  // Check the lc_ctrl integrity fatal error code.
508  dif_lc_ctrl_status_t status;
509  CHECK_DIF_OK(dif_lc_ctrl_get_status(&lc_ctrl, &status));
510  bitfield_field32_t relevant_field = {
511  .mask = UINT32_MAX, .index = kDifLcCtrlStatusCodeTooManyTransitions};
512  uint32_t mask = bitfield_field32_write(0, relevant_field, UINT32_MAX);
513  uint32_t relevant_status = status & mask;
514  uint32_t bus_integ_error =
515  bitfield_bit32_write(0, kDifLcCtrlStatusCodeBusIntegError, true);
516  uint32_t state_error =
517  bitfield_bit32_write(0, kDifLcCtrlStatusCodeCorrupt, true);
518  uint32_t expected_status =
519  enable ? (type == we_check ? bus_integ_error : state_error) : 0;
520  CHECK(relevant_status == expected_status,
521  "For %s got codes 0x%x, expected 0x%x", ip_inst, relevant_status,
522  expected_status);
523 }
524 
525 /*
526 // TODO(#14518) otbn cannot read fault_status register.
527 static void otbn_ctrl_fault_checker(bool enable) {
528  // Check the otbn integrity fatal error code.
529  dif_otbn_err_bits_t codes;
530  // TODO we seem to be missing a dif to read FATAL_ALERT_CAUSE.
531  CHECK_DIF_OK(dif_otbn_get_err_bits(&otbn, &codes));
532  if (enable) {
533  CHECK(status.codes == kDifOtbn??, "Got codes 0x%x", codes);
534  } else {
535  CHECK(codes == 0, "Got codes 0x%x", codes);
536  }
537 }
538 */
539 
540 static void otbn_fault_checker(bool enable, const char *ip_inst,
541  const char *type) {
542  // TODO(#14518)
543  LOG_INFO("Expected alert %d otbn fault check is yet unimplemented",
544  kDtOtbnAlertFatal);
545  trivial_fault_checker(enable, ip_inst, type);
546 }
547 
548 static void otp_ctrl_fault_checker(bool enable, const char *ip_inst,
549  const char *type) {
550  // Check the otp_ctrl integrity fatal error code.
551  dif_otp_ctrl_status_t status;
552  uint32_t expected_codes;
553  uint32_t relevant_codes;
554  uint32_t relevant_mask =
555  bitfield_bit32_write(UINT32_MAX, kDifOtpCtrlStatusCodeDaiIdle, false);
556  relevant_mask = bitfield_bit32_write(
557  relevant_mask, kDifOtpCtrlStatusCodeCheckPending, false);
558  CHECK_DIF_OK(dif_otp_ctrl_get_status(&otp_ctrl, &status));
559  relevant_codes = status.codes & relevant_mask;
560  dif_otp_ctrl_status_code_t exp_err = (type == we_check)
561  ? kDifOtpCtrlStatusCodeBusIntegError
562  : kDifOtpCtrlStatusCodeDaiError;
563  expected_codes = enable ? (1 << exp_err) : 0;
564  CHECK(relevant_codes == expected_codes,
565  "For %s got codes 0x%x, expected 0x%x", ip_inst, relevant_codes,
566  expected_codes);
567 }
568 
569 // OTP_prim_fault does not affect open source otp_ctrl's status register.
570 static void otp_ctrl_prim_fault_checker(bool enable, const char *ip_inst,
571  const char *type) {
572  // Check the otp_ctrl integrity fatal error code.
573  dif_otp_ctrl_status_t status;
574  uint32_t expected_codes;
575  CHECK_DIF_OK(dif_otp_ctrl_get_status(&otp_ctrl, &status));
576  expected_codes = 1 << kDifOtpCtrlStatusCodeDaiIdle;
577  CHECK(status.codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
578  ip_inst, status.codes, expected_codes);
579 }
580 
581 static void pwrmgr_fault_checker(bool enable, const char *ip_inst,
582  const char *type) {
583  // Check the pwrmgr integrity fatal error code.
584  dif_pwrmgr_fatal_err_codes_t codes;
585  CHECK_DIF_OK(dif_pwrmgr_fatal_err_code_get_codes(&pwrmgr, &codes));
586  uint32_t expected_codes = enable ? kDifPwrmgrFatalErrTypeRegfileIntegrity : 0;
587  CHECK(codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
588  ip_inst, codes, expected_codes);
589 }
590 
591 static void rstmgr_fault_checker(bool enable, const char *ip_inst,
592  const char *type) {
593  // Check the rstmgr integrity fatal error code.
594  dif_rstmgr_fatal_err_codes_t codes;
595  CHECK_DIF_OK(dif_rstmgr_fatal_err_code_get_codes(&rstmgr, &codes));
596  uint32_t fault_code = (type == we_check)
597  ? kDifRstmgrFatalErrTypeRegfileIntegrity
598  : kDifRstmgrFatalErrTypeResetConsistency;
599  uint32_t expected_codes = enable ? fault_code : 0;
600  CHECK(codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
601  ip_inst, codes, expected_codes);
602 }
603 
604 static void rv_core_ibex_fault_checker(bool enable, const char *ip_inst,
605  const char *type) {
606  dif_rv_core_ibex_error_status_t codes;
607  CHECK_DIF_OK(dif_rv_core_ibex_get_error_status(&rv_core_ibex, &codes));
608  // For a we_check an error code
609  // (kDifRvCoreIbexErrorStatusRegisterTransmissionIntegrity) is reported. If
610  // triggering a software fatal alert no error code should be seen.
611  uint32_t expected_codes =
612  (type == we_check) && enable
613  ? kDifRvCoreIbexErrorStatusRegisterTransmissionIntegrity
614  : 0;
615 
616  CHECK(codes == expected_codes, "For %s got codes 0x%x, expected 0x%x",
617  ip_inst, codes, expected_codes);
618 }
619 
620 /**
621  * Load access error exception handler.
622  *
623  * Handles load access error exceptions on Ibex.
624  * This is needed for the SRAM fault check that tries to access
625  * the retention SRAM after escalation to make sure the access
626  * is correctly blocked.
627  *
628  */
629 void ottf_load_store_fault_handler(uint32_t *exc_info) {
630  LOG_INFO("At load access error handler");
631 
632  uint32_t mtval = ibex_mtval_read();
633  CHECK(mtval == kSramRetStart, "Unexpected mtval: expected 0x%x, got 0x%x",
634  kSramRetStart, mtval);
635 
636  load_access_exception_seen = true;
637 
638  LOG_INFO("Load access error handler exiting");
639 }
640 
641 static void sram_ctrl_main_fault_checker(bool enable, const char *ip_inst,
642  const char *type) {
643  generic_sram_ctrl_fault_checker(&sram_ctrl_main, enable, ip_inst, type);
644 }
645 
646 static void sram_ctrl_ret_fault_checker(bool enable, const char *ip_inst,
647  const char *type) {
648  generic_sram_ctrl_fault_checker(&sram_ctrl_ret, enable, ip_inst, type);
649 }
650 
651 /**
652  * External ISR.
653  *
654  * Handles all peripheral interrupts on Ibex. PLIC asserts an external interrupt
655  * line to the CPU, which results in a call to this OTTF ISR. This ISR
656  * overrides the default OTTF implementation.
657  */
658 void ottf_external_isr(uint32_t *exc_info) {
659  dif_rv_plic_irq_id_t irq_id;
660 
661  // There may be multiple interrupts due to the alert firing, so this keeps an
662  // interrupt counter and errors-out if there are too many interrupts.
663 
664  // Increment the interrupt count and detect overflows.
665  uint32_t interrupt_count = 0;
666  CHECK_STATUS_OK(
667  ret_sram_testutils_counter_get(kCounterInterrupt, &interrupt_count));
668  if (interrupt_count > kMaxInterrupts) {
669  restore_fault_checker(&fault_checker);
670  CHECK(false, "For %s, reset count %d got too many interrupts (%d)",
671  fault_checker.ip_inst, reset_count, interrupt_count);
672  }
673  CHECK_STATUS_OK(ret_sram_testutils_counter_increment(kCounterInterrupt));
674 
675  CHECK_DIF_OK(dif_rv_plic_irq_claim(&plic, kPlicTarget, &irq_id));
676 
677  dt_instance_id_t peripheral_id = dt_plic_id_to_instance_id(irq_id);
678 
679  if (peripheral_id == dt_aon_timer_instance_id(kDtAonTimerAon)) {
680  dt_aon_timer_irq_t irq =
681  dt_aon_timer_irq_from_plic_id(kDtAonTimerAon, irq_id);
682 
683  // We should not get aon timer interrupts since escalation suppresses them.
684  CHECK(false, "Unexpected aon timer interrupt %d", irq);
685  } else if (peripheral_id == dt_alert_handler_instance_id(kAlertHandlerDt)) {
686  // Don't acknowledge the interrupt to alert_handler so it escalates.
687  CHECK(fault_checker.function);
688  CHECK(fault_checker.ip_inst);
689  CHECK(fault_checker.type);
690  // Fatal alerts are only cleared by reset.
691  fault_checker.function(/*enable=*/true, fault_checker.ip_inst,
692  fault_checker.type);
693  }
694 
695  // Disable these interrupts from alert_handler so they don't keep happening
696  // until NMI.
697  dt_alert_handler_irq_t irq =
698  dt_alert_handler_irq_from_plic_id(kAlertHandlerDt, irq_id);
699  CHECK_DIF_OK(dif_alert_handler_irq_set_enabled(&alert_handler, irq,
700  kDifToggleDisabled));
701 
702  // Disable this interrupt to prevent it from continuously firing. This
703  // should not prevent escalation from continuing.
704  CHECK_DIF_OK(dif_rv_plic_irq_set_enabled(&plic, irq_id, kPlicTarget,
705  kDifToggleDisabled));
706 
707  // Complete the IRQ by writing the IRQ source to the Ibex specific CC
708  // register.
709  CHECK_DIF_OK(dif_rv_plic_irq_complete(&plic, kPlicTarget, irq_id));
710 
711  // Notify test function that the alert IRQ has been seen
712  alert_irq_seen = true;
713 }
714 
715 /**
716  * External NMI ISR.
717  *
718  * Handles NMI interrupts on Ibex for either escalation or watchdog.
719  */
720 void ottf_external_nmi_handler(uint32_t *exc_info) {
721  dif_rv_core_ibex_nmi_state_t nmi_state = (dif_rv_core_ibex_nmi_state_t){0};
722  // Increment the nmi interrupt count.
723  uint32_t nmi_count = 0;
724  CHECK_STATUS_OK(ret_sram_testutils_counter_get(kCounterNmi, &nmi_count));
725  if (nmi_count <= kMaxInterrupts) {
726  CHECK_STATUS_OK(ret_sram_testutils_counter_increment(kCounterNmi));
727  }
728 
729  // Check that this NMI was due to an alert handler escalation, and not due
730  // to a watchdog bark, since escalation suppresses the watchdog.
731  CHECK_DIF_OK(dif_rv_core_ibex_get_nmi_state(
732  &rv_core_ibex, (dif_rv_core_ibex_nmi_state_t *)&nmi_state));
733  CHECK(nmi_state.alert_enabled && nmi_state.alert_raised,
734  "Alert handler NMI state not expected:\n\t"
735  "alert_enable:%x\n\talert_raised:%x\n",
736  nmi_state.alert_enabled, nmi_state.alert_raised);
737  CHECK(nmi_state.wdog_enabled && !nmi_state.wdog_barked,
738  "Watchdog NMI state not expected:\n\t"
739  "wdog_enabled:%x\n\twdog_barked:%x\n",
740  nmi_state.wdog_enabled, nmi_state.wdog_barked);
741 
742  // Check the class.
743  dif_alert_handler_class_state_t state;
744  CHECK_DIF_OK(dif_alert_handler_get_class_state(&alert_handler,
745  alert_class_to_use, &state));
746  CHECK(state == kDifAlertHandlerClassStatePhase1, "Wrong phase %d", state);
747 
748  // Check this gets the expected alert.
749  bool is_cause = false;
750  CHECK_DIF_OK(dif_alert_handler_alert_is_cause(
751  &alert_handler, kExpectedAlertNumber, &is_cause));
752  CHECK(is_cause);
753 
754  // Acknowledge the cause, which doesn't affect escalation.
755  CHECK_DIF_OK(dif_alert_handler_alert_acknowledge(&alert_handler,
756  kExpectedAlertNumber));
757 }
758 
759 /**
760  * Initialize the peripherals used in this test.
761  */
762 static void init_peripherals(void) {
763 #if defined(OPENTITAN_IS_EARLGREY)
764  CHECK_DIF_OK(
765  dif_flash_ctrl_init_state_from_dt(&flash_ctrl_state, kFlashCtrlDt));
766  CHECK_DIF_OK(dif_rom_ctrl_init_from_dt(kRomCtrlDt, &rom_ctrl));
767 #elif defined(OPENTITAN_IS_DARJEELING)
768  CHECK_DIF_OK(dif_rom_ctrl_init_from_dt(kRomCtrl0Dt, &rom_ctrl0));
769  CHECK_DIF_OK(dif_rom_ctrl_init_from_dt(kRomCtrl1Dt, &rom_ctrl1));
770  CHECK_DIF_OK(dif_sram_ctrl_init_from_dt(kSramCtrlMboxDt, &sram_ctrl_mbox));
771 #else
772 #error "all_escalation_resets_test does not support this top"
773 #endif
774 
775  CHECK_DIF_OK(dif_aes_init_from_dt(kAesDt, &aes));
776  CHECK_DIF_OK(dif_alert_handler_init_from_dt(kAlertHandlerDt, &alert_handler));
777  CHECK_DIF_OK(dif_aon_timer_init_from_dt(kAonTimerDt, &aon_timer));
778  CHECK_DIF_OK(dif_clkmgr_init_from_dt(kClkmgrDt, &clkmgr));
779  CHECK_DIF_OK(dif_kmac_init_from_dt(kKmacDt, &kmac));
780  CHECK_DIF_OK(dif_lc_ctrl_init_from_dt(kLcCtrlDt, &lc_ctrl));
781  CHECK_DIF_OK(dif_otp_ctrl_init_from_dt(kOtpCtrlDt, &otp_ctrl));
782  CHECK_DIF_OK(dif_pwrmgr_init_from_dt(kPwrmgrDt, &pwrmgr));
783  CHECK_DIF_OK(dif_rstmgr_init_from_dt(kRstmgrDt, &rstmgr));
784  CHECK_DIF_OK(dif_rv_core_ibex_init_from_dt(kRvCoreIbexDt, &rv_core_ibex));
785  CHECK_DIF_OK(dif_rv_plic_init_from_dt(kRvPlicDt, &plic));
786  CHECK_DIF_OK(dif_sram_ctrl_init_from_dt(kSramCtrlMainDt, &sram_ctrl_main));
787  CHECK_DIF_OK(dif_sram_ctrl_init_from_dt(kSramCtrlRetAonDt, &sram_ctrl_ret));
788 }
789 
790 /**
791  * Program the alert handler to escalate on alerts and reset on phase 2,
792  * and to start escalation after timing out due to an unacknowledged
793  * interrupt.
794  */
795 static void alert_handler_config(void) {
796  alert_class_to_use = (dif_alert_handler_class_t)rand_testutils_gen32_range(
797  kDifAlertHandlerClassA, kDifAlertHandlerClassD);
798  dif_alert_handler_alert_t alerts[] = {kExpectedAlertNumber};
799  dif_alert_handler_class_t alert_classes[] = {alert_class_to_use};
800 
801  uint32_t cycles[4] = {0};
802  CHECK_STATUS_OK(alert_handler_testutils_get_cycles_from_us(
803  kEscalationPhase0Micros, &cycles[0]));
804  CHECK_STATUS_OK(alert_handler_testutils_get_cycles_from_us(
805  kEscalationPhase1Micros, &cycles[1]));
806  CHECK_STATUS_OK(alert_handler_testutils_get_cycles_from_us(
807  kEscalationPhase2Micros, &cycles[2]));
808  CHECK_STATUS_OK(alert_handler_testutils_get_cycles_from_us(
809  kEscalationPhase3Micros, &cycles[3]));
810 
811  dif_alert_handler_escalation_phase_t esc_phases[] = {
812  {.phase = kDifAlertHandlerClassStatePhase0,
813  .signal = 0xFFFFFFFF, // do not trigger any signal, just wait.
814  .duration_cycles = cycles[0]},
815  {.phase = kDifAlertHandlerClassStatePhase1,
816  .signal = 0, // NMI
817  .duration_cycles = cycles[1]},
818  {.phase = kDifAlertHandlerClassStatePhase2,
819  .signal = 1, // lc_escalate_en
820  .duration_cycles = cycles[2]},
821  {.phase = kDifAlertHandlerClassStatePhase3,
822  .signal = 3, // reset
823  .duration_cycles = cycles[3]}};
824 
825  // This test does not leverage the IRQ timeout feature of the alert
826  // handler, hence deadline_cycles is set to zero. Rather, it triggers
827  // escalation right away if an alert event is seen, hence threshold = 0;
828  uint32_t deadline_cycles = 0;
829  uint16_t threshold = 0;
830  LOG_INFO("Configuring class %d with %d cycles and %d occurrences",
831  alert_class_to_use, deadline_cycles, threshold);
832  dif_alert_handler_class_config_t class_config[] = {{
833  .auto_lock_accumulation_counter = kDifToggleDisabled,
834  .accumulator_threshold = threshold,
835  .irq_deadline_cycles = deadline_cycles,
836  .escalation_phases = esc_phases,
837  .escalation_phases_len = ARRAYSIZE(esc_phases),
838  .crashdump_escalation_phase = kDifAlertHandlerClassStatePhase3,
839  }};
840 
841  dif_alert_handler_class_t classes[] = {alert_class_to_use};
842  dif_alert_handler_config_t config = {
843  .alerts = alerts,
844  .alert_classes = alert_classes,
845  .alerts_len = ARRAYSIZE(alerts),
846  .classes = classes,
847  .class_configs = class_config,
848  .classes_len = ARRAYSIZE(class_config),
849  .ping_timeout = 256,
850  };
851 
852  CHECK_STATUS_OK(alert_handler_testutils_configure_all(&alert_handler, config,
853  kDifToggleEnabled));
854 
855  // Enables all alert handler irqs. This allows us to implicitly check that
856  // we do not get spurious IRQs from the classes that are unused.
857  CHECK_DIF_OK(dif_alert_handler_irq_set_enabled(
858  &alert_handler, kDifAlertHandlerIrqClassa, kDifToggleEnabled));
859  CHECK_DIF_OK(dif_alert_handler_irq_set_enabled(
860  &alert_handler, kDifAlertHandlerIrqClassb, kDifToggleEnabled));
861  CHECK_DIF_OK(dif_alert_handler_irq_set_enabled(
862  &alert_handler, kDifAlertHandlerIrqClassc, kDifToggleEnabled));
863  CHECK_DIF_OK(dif_alert_handler_irq_set_enabled(
864  &alert_handler, kDifAlertHandlerIrqClassd, kDifToggleEnabled));
865 }
866 
867 static void set_aon_timers(const dif_aon_timer_t *aon_timer) {
868  uint32_t bark_cycles = 0;
869  CHECK_STATUS_OK(aon_timer_testutils_get_aon_cycles_32_from_us(kWdogBarkMicros,
870  &bark_cycles));
871  uint32_t bite_cycles = 0;
872  CHECK_STATUS_OK(aon_timer_testutils_get_aon_cycles_32_from_us(kWdogBiteMicros,
873  &bite_cycles));
874 
875  LOG_INFO(
876  "Wdog will bark after %u us (%u cycles) and bite after %u us (%u cycles)",
877  (uint32_t)kWdogBarkMicros, bark_cycles, (uint32_t)kWdogBiteMicros,
878  bite_cycles);
879 
880  // Setup the wdog bark and bite timeouts.
881  CHECK_STATUS_OK(
882  aon_timer_testutils_watchdog_config(aon_timer, bark_cycles, bite_cycles,
883  /*pause_in_sleep=*/false));
884 }
885 
886 /**
887  * Initialise the map of fault checkers to use for different fault alerts.
888  */
889 static void init_fault_checkers(fault_checker_t *checkers) {
890 #if defined(OPENTITAN_IS_EARLGREY)
891  checkers[dt_adc_ctrl_alert_to_alert_id(kDtAdcCtrlAon,
892  kDtAdcCtrlAlertFatalFault)] =
893  (fault_checker_t){trivial_fault_checker, adc_ctrl_inst_name, we_check};
894 
895  checkers[dt_entropy_src_alert_to_alert_id((dt_entropy_src_t)0,
896  kDtEntropySrcAlertFatalAlert)] =
897  (fault_checker_t){trivial_fault_checker, entropy_src_inst_name, we_check};
898  static_assert(kDtEntropySrcCount >= 1, "This test needs an entropy src");
899 
900  checkers[dt_flash_ctrl_alert_to_alert_id(
901  kFlashCtrlDt, kDtFlashCtrlAlertFatalErr)] = (fault_checker_t){
902  flash_ctrl_fault_checker, flash_ctrl_inst_name, flash_fatal_check};
903  checkers[dt_flash_ctrl_alert_to_alert_id(
904  kFlashCtrlDt, kDtFlashCtrlAlertFatalStdErr)] = (fault_checker_t){
905  flash_ctrl_fault_checker, flash_ctrl_inst_name, flash_fatal_check};
906  checkers[dt_flash_ctrl_alert_to_alert_id(
907  kFlashCtrlDt, kDtFlashCtrlAlertFatalPrimFlashAlert)] = (fault_checker_t){
908  flash_ctrl_prim_fault_checker, flash_ctrl_inst_name, flash_fatal_check};
909 
910  checkers[dt_i2c_alert_to_alert_id((dt_i2c_t)1, kDtI2cAlertFatalFault)] =
911  (fault_checker_t){trivial_fault_checker, i2c1_inst_name, we_check};
912  checkers[dt_i2c_alert_to_alert_id((dt_i2c_t)2, kDtI2cAlertFatalFault)] =
913  (fault_checker_t){trivial_fault_checker, i2c2_inst_name, we_check};
914  static_assert(kDtI2cCount >= 3, "This test needs 3 I2C instances");
915 
916  checkers[dt_keymgr_alert_to_alert_id((dt_keymgr_t)0,
917  kDtKeymgrAlertFatalFaultErr)] =
918  (fault_checker_t){keymgr_fault_checker, keymgr_inst_name, we_check};
919  static_assert(kDtKeymgrCount >= 1, "This test needs a keymgr");
920 
921  checkers[dt_pattgen_alert_to_alert_id((dt_pattgen_t)0,
922  kDtPattgenAlertFatalFault)] =
923  (fault_checker_t){trivial_fault_checker, pattgen_inst_name, we_check};
924  static_assert(kDtPattgenCount >= 1, "This test needs a pattgen instance");
925 
926  checkers[dt_pwm_alert_to_alert_id(kDtPwmAon, kDtPwmAlertFatalFault)] =
927  (fault_checker_t){trivial_fault_checker, pwm_inst_name, we_check};
928 
929  checkers[dt_rom_ctrl_alert_to_alert_id(kRomCtrlDt, kDtRomCtrlAlertFatal)] =
930  (fault_checker_t){rom_ctrl_fault_checker, rom_ctrl_inst_name, we_check};
931 
932  checkers[dt_sensor_ctrl_alert_to_alert_id(kDtSensorCtrlAon,
933  kDtSensorCtrlAlertFatalAlert)] =
934  (fault_checker_t){trivial_fault_checker, sensor_ctrl_inst_name, we_check};
935 
936  checkers[dt_spi_host_alert_to_alert_id((dt_spi_host_t)1,
937  kDtSpiHostAlertFatalFault)] =
938  (fault_checker_t){trivial_fault_checker, spi_host1_inst_name, we_check};
939  static_assert(kDtSpiHostCount >= 2, "This test needs 2 SPI Host instances");
940 
941  checkers[dt_sysrst_ctrl_alert_to_alert_id(kDtSysrstCtrlAon,
942  kDtSysrstCtrlAlertFatalFault)] =
943  (fault_checker_t){trivial_fault_checker, sysrst_ctrl_inst_name, we_check};
944 
945  checkers[dt_uart_alert_to_alert_id((dt_uart_t)1, kDtUartAlertFatalFault)] =
946  (fault_checker_t){trivial_fault_checker, uart1_inst_name, we_check};
947  checkers[dt_uart_alert_to_alert_id((dt_uart_t)2, kDtUartAlertFatalFault)] =
948  (fault_checker_t){trivial_fault_checker, uart2_inst_name, we_check};
949  checkers[dt_uart_alert_to_alert_id((dt_uart_t)3, kDtUartAlertFatalFault)] =
950  (fault_checker_t){trivial_fault_checker, uart3_inst_name, we_check};
951  static_assert(kDtUartCount >= 4, "This test needs 4 UART instances");
952 
953  checkers[dt_usbdev_alert_to_alert_id((dt_usbdev_t)0,
954  kDtUsbdevAlertFatalFault)] =
955  (fault_checker_t){trivial_fault_checker, usbdev_inst_name, we_check};
956  static_assert(kDtUsbdevCount >= 1, "This test needs a USB Device");
957 #elif defined(OPENTITAN_IS_DARJEELING)
958  checkers[dt_keymgr_dpe_alert_to_alert_id(
959  (dt_keymgr_dpe_t)0, kDtKeymgrDpeAlertFatalFaultErr)] = (fault_checker_t){
960  keymgr_dpe_fault_checker, keymgr_dpe_inst_name, we_check};
961  static_assert(kDtKeymgrDpeCount >= 1, "This test needs a keymgr_dpe");
962 
963  checkers[dt_sram_ctrl_alert_to_alert_id(
964  kDtSramCtrlMbox, kDtSramCtrlAlertFatalError)] = (fault_checker_t){
965  sram_ctrl_mbox_fault_checker, sram_ctrl_mbox_inst_name, we_check};
966 
967  checkers[dt_rom_ctrl_alert_to_alert_id(kRomCtrl0Dt, kDtRomCtrlAlertFatal)] =
968  (fault_checker_t){rom_ctrl0_fault_checker, rom_ctrl0_inst_name, we_check};
969  checkers[dt_rom_ctrl_alert_to_alert_id(kRomCtrl1Dt, kDtRomCtrlAlertFatal)] =
970  (fault_checker_t){rom_ctrl1_fault_checker, rom_ctrl1_inst_name, we_check};
971 #else
972 #error "all_escalation_resets_test does not support this top"
973 #endif
974 
975  checkers[dt_aes_alert_to_alert_id(kAesDt, kDtAesAlertFatalFault)] =
976  (fault_checker_t){aes_fault_checker, aes_inst_name, we_check};
977 
978  checkers[dt_aon_timer_alert_to_alert_id(kAonTimerDt,
979  kDtAonTimerAlertFatalFault)] =
980  (fault_checker_t){trivial_fault_checker, aon_timer_inst_name, we_check};
981 
982  checkers[dt_clkmgr_alert_to_alert_id(kClkmgrDt, kDtClkmgrAlertFatalFault)] =
983  (fault_checker_t){clkmgr_fault_checker, clkmgr_inst_name, we_check};
984 
985  checkers[dt_csrng_alert_to_alert_id((dt_csrng_t)0, kDtCsrngAlertFatalAlert)] =
986  (fault_checker_t){trivial_fault_checker, csrng_inst_name, we_check};
987  static_assert(kDtCsrngCount >= 1, "This test needs a CSRNG instance");
988 
989  checkers[dt_edn_alert_to_alert_id((dt_edn_t)0, kDtEdnAlertFatalAlert)] =
990  (fault_checker_t){trivial_fault_checker, edn0_inst_name, we_check};
991  checkers[dt_edn_alert_to_alert_id((dt_edn_t)1, kDtEdnAlertFatalAlert)] =
992  (fault_checker_t){trivial_fault_checker, edn1_inst_name, we_check};
993  static_assert(kDtEdnCount >= 2, "This test needs 2 EDN instances");
994 
995  checkers[dt_gpio_alert_to_alert_id((dt_gpio_t)0, kDtGpioAlertFatalFault)] =
996  (fault_checker_t){trivial_fault_checker, gpio_inst_name, we_check};
997  static_assert(kDtGpioCount >= 1, "This test needs 1 GPIO instance");
998 
999  checkers[dt_hmac_alert_to_alert_id((dt_hmac_t)0, kDtHmacAlertFatalFault)] =
1000  (fault_checker_t){hmac_fault_checker, hmac_inst_name, we_check};
1001  static_assert(kDtHmacCount >= 1, "This test needs 1 HMAC instance");
1002 
1003  checkers[dt_i2c_alert_to_alert_id((dt_i2c_t)0, kDtI2cAlertFatalFault)] =
1004  (fault_checker_t){trivial_fault_checker, i2c0_inst_name, we_check};
1005  static_assert(kDtI2cCount >= 1, "This test needs at least 1 I2C instance");
1006 
1007  checkers[dt_kmac_alert_to_alert_id(kKmacDt, kDtKmacAlertFatalFaultErr)] =
1008  (fault_checker_t){kmac_fault_checker, kmac_inst_name, we_check};
1009 
1010  // TODO add mechanism to inject kDtLcCtrlAlertFatalProgError by
1011  // forcing otp_prog_err_o from lc_ctrl_fsm
1012  checkers[dt_lc_ctrl_alert_to_alert_id(
1013  kLcCtrlDt, kDtLcCtrlAlertFatalStateError)] = (fault_checker_t){
1014  lc_ctrl_fault_checker, lc_ctrl_inst_name, sparse_fsm_check};
1015  checkers[dt_lc_ctrl_alert_to_alert_id(kLcCtrlDt,
1016  kDtLcCtrlAlertFatalBusIntegError)] =
1017  (fault_checker_t){lc_ctrl_fault_checker, lc_ctrl_inst_name, we_check};
1018 
1019  checkers[dt_otbn_alert_to_alert_id((dt_otbn_t)0, kDtOtbnAlertFatal)] =
1020  (fault_checker_t){otbn_fault_checker, otbn_inst_name, we_check};
1021  static_assert(kDtOtbnCount >= 1, "This test needs at least 1 OTBN instance");
1022 
1023  // TODO add mechanism to inject:
1024  // forcing otp_prog_err_o from lc_ctrl_fsm and
1025  // kDtLcCtrlAlertFatalStateError using sparse fsm.
1026  // alerts, and corresponding CSR bit to check.
1027  checkers[dt_otp_ctrl_alert_to_alert_id(
1028  kOtpCtrlDt, kDtOtpCtrlAlertFatalMacroError)] = (fault_checker_t){
1029  otp_ctrl_fault_checker, otp_ctrl_inst_name, sparse_fsm_check};
1030  checkers[dt_otp_ctrl_alert_to_alert_id(
1031  kOtpCtrlDt, kDtOtpCtrlAlertFatalPrimOtpAlert)] = (fault_checker_t){
1032  otp_ctrl_prim_fault_checker, otp_ctrl_inst_name, sparse_fsm_check};
1033  checkers[dt_otp_ctrl_alert_to_alert_id(
1034  kOtpCtrlDt, kDtOtpCtrlAlertFatalCheckError)] = (fault_checker_t){
1035  otp_ctrl_fault_checker, otp_ctrl_inst_name, sparse_fsm_check};
1036  checkers[dt_otp_ctrl_alert_to_alert_id(kOtpCtrlDt,
1037  kDtOtpCtrlAlertFatalBusIntegError)] =
1038  (fault_checker_t){otp_ctrl_fault_checker, otp_ctrl_inst_name, we_check};
1039 
1040  checkers[dt_pinmux_alert_to_alert_id(kDtPinmuxAon,
1041  kDtPinmuxAlertFatalFault)] =
1042  (fault_checker_t){trivial_fault_checker, pinmux_inst_name, we_check};
1043 
1044  checkers[dt_pwrmgr_alert_to_alert_id(kPwrmgrDt, kDtPwrmgrAlertFatalFault)] =
1045  (fault_checker_t){pwrmgr_fault_checker, pwrmgr_inst_name, we_check};
1046 
1047  checkers[dt_rstmgr_alert_to_alert_id(
1048  kRstmgrDt, kDtRstmgrAlertFatalCnstyFault)] = (fault_checker_t){
1049  rstmgr_fault_checker, rstmgr_inst_name, rst_cnsty_check};
1050  checkers[dt_rstmgr_alert_to_alert_id(kRstmgrDt, kDtRstmgrAlertFatalFault)] =
1051  (fault_checker_t){rstmgr_fault_checker, rstmgr_inst_name, we_check};
1052 
1053  checkers[dt_rv_core_ibex_alert_to_alert_id(
1054  kRvCoreIbexDt, kDtRvCoreIbexAlertFatalSwErr)] = (fault_checker_t){
1055  rv_core_ibex_fault_checker, rv_core_ibex_inst_name, sw_alert_check};
1056  checkers[dt_rv_core_ibex_alert_to_alert_id(
1057  kRvCoreIbexDt, kDtRvCoreIbexAlertFatalHwErr)] = (fault_checker_t){
1058  rv_core_ibex_fault_checker, rv_core_ibex_inst_name, we_check};
1059 
1060  checkers[dt_rv_dm_alert_to_alert_id((dt_rv_dm_t)0, kDtRvDmAlertFatalFault)] =
1061  (fault_checker_t){trivial_fault_checker, rv_dm_inst_name, we_check};
1062  static_assert(kDtRvDmCount >= 1, "This test needs an RV DM");
1063 
1064  checkers[dt_rv_plic_alert_to_alert_id(kRvPlicDt, kDtRvPlicAlertFatalFault)] =
1065  (fault_checker_t){trivial_fault_checker, rv_plic_inst_name, we_check};
1066 
1067  checkers[dt_rv_timer_alert_to_alert_id((dt_rv_timer_t)0,
1068  kDtRvTimerAlertFatalFault)] =
1069  (fault_checker_t){trivial_fault_checker, rv_timer_inst_name, we_check};
1070  static_assert(kDtRvTimerCount >= 1, "This test needs a RV Timer");
1071 
1072  checkers[dt_spi_device_alert_to_alert_id((dt_spi_device_t)0,
1073  kDtSpiDeviceAlertFatalFault)] =
1074  (fault_checker_t){trivial_fault_checker, spi_device_inst_name, we_check};
1075  static_assert(kDtSpiDeviceCount >= 1, "This test needs a SPI Device");
1076 
1077  checkers[dt_spi_host_alert_to_alert_id((dt_spi_host_t)0,
1078  kDtSpiHostAlertFatalFault)] =
1079  (fault_checker_t){trivial_fault_checker, spi_host0_inst_name, we_check};
1080  static_assert(kDtSpiHostCount >= 1, "This test needs at leasst 1 SPI Host");
1081 
1082  checkers[dt_sram_ctrl_alert_to_alert_id(
1083  kSramCtrlMainDt, kDtSramCtrlAlertFatalError)] = (fault_checker_t){
1084  sram_ctrl_main_fault_checker, sram_ctrl_main_inst_name, we_check};
1085  checkers[dt_sram_ctrl_alert_to_alert_id(
1086  kSramCtrlRetAonDt, kDtSramCtrlAlertFatalError)] = (fault_checker_t){
1087  sram_ctrl_ret_fault_checker, sram_ctrl_ret_inst_name, we_check};
1088 
1089  checkers[dt_uart_alert_to_alert_id((dt_uart_t)0, kDtUartAlertFatalFault)] =
1090  (fault_checker_t){trivial_fault_checker, uart0_inst_name, we_check};
1091  static_assert(kDtUartCount >= 1, "This test needs at least 1 UART instance");
1092 }
1093 
1094 /**
1095  * Execute the all_escalations_reset_test.
1096  */
1097 static void execute_test(const dif_aon_timer_t *aon_timer) {
1098  alert_handler_config();
1099 
1100  fault_checker_t fault_checkers[kDtAlertCount] = {{NULL, NULL, NULL}};
1101  init_fault_checkers((fault_checker_t *)fault_checkers);
1102 
1103  // Select the fault_checker function, depending on kExpectedAlertNumber.
1104  CHECK(kExpectedAlertNumber < kDtAlertCount,
1105  "Expected alert number larger than the number of alerts?");
1106  fault_checker_t fc = fault_checkers[kExpectedAlertNumber];
1107  if (fc.function == NULL || fc.ip_inst == NULL || fc.type == NULL) {
1108  LOG_ERROR("Unexpected fault");
1109  } else {
1110  fault_checker = fc;
1111  }
1112 
1113  // Save the fault_checker to flash.
1114  save_fault_checker(&fault_checker);
1115 
1116  // Make sure we can receive both the watchdog and alert NMIs.
1117  CHECK_DIF_OK(
1118  dif_rv_core_ibex_enable_nmi(&rv_core_ibex, kDifRvCoreIbexNmiSourceAlert));
1119  CHECK_DIF_OK(
1120  dif_rv_core_ibex_enable_nmi(&rv_core_ibex, kDifRvCoreIbexNmiSourceWdog));
1121 
1122  set_aon_timers(aon_timer);
1123 
1124  LOG_INFO("Expected alert is %d for %s", kExpectedAlertNumber,
1125  fault_checker.ip_inst);
1126 
1127  // Trigger the SV side to inject fault.
1128  // DO NOT CHANGE THIS: it is used to notify the SV side.
1129  LOG_INFO("Ready for fault injection");
1130 
1131  if (kExpectedAlertNumber ==
1132  dt_rv_core_ibex_alert_to_alert_id(kRvCoreIbexDt,
1133  kDtRvCoreIbexAlertFatalSwErr)) {
1134  CHECK_DIF_OK(dif_rv_core_ibex_trigger_sw_fatal_err_alert(&rv_core_ibex));
1135  LOG_INFO("Software fatal alert triggered");
1136  }
1137 
1138  // OTP ecc macro error test requires otp to read backdoor injected error
1139  // macro.
1140  if (kExpectedAlertNumber == dt_otp_ctrl_alert_to_alert_id(
1141  kOtpCtrlDt, kDtOtpCtrlAlertFatalMacroError)) {
1142  CHECK_DIF_OK(
1143  dif_otp_ctrl_dai_read_start(&otp_ctrl, kDifOtpCtrlPartitionHwCfg0, 0));
1144  LOG_INFO("OTP_CTRL error inject done");
1145  }
1146 
1147 #if defined(OPENTITAN_IS_EARLGREY)
1148  // FlashCtrlFatalErr test requires host read request.
1149  if (kExpectedAlertNumber == dt_flash_ctrl_alert_to_alert_id(
1150  kFlashCtrlDt, kDtFlashCtrlAlertFatalErr)) {
1151  enum {
1152  kNumTestWords = 16,
1153  kNumTestBytes = kNumTestWords * sizeof(uint32_t),
1154  };
1155  uint32_t host_data[kNumTestWords];
1156  // Send host request to trigger host grant from flash_ctrl.
1157  mmio_region_memcpy_from_mmio32(
1158  mmio_region_from_addr(
1159  dt_flash_ctrl_reg_block(kFlashCtrlDt, kDtFlashCtrlRegBlockMem)),
1160  FLASH_CTRL_PARAM_BYTES_PER_BANK, &host_data, kNumTestBytes);
1161  }
1162 #elif defined(OPENTITAN_IS_DARJEELING)
1163 // Darjeeling does not have a Flash Controller
1164 #else
1165 #error "all_escalation_resets_test does not support this top"
1166 #endif
1167 
1168  IBEX_SPIN_FOR(alert_irq_seen, kTestTimeout);
1169  LOG_INFO("Alert IRQ seen");
1170 
1171  if (kExpectedAlertNumber ==
1172  dt_sram_ctrl_alert_to_alert_id(kSramCtrlRetAonDt,
1173  kDtSramCtrlAlertFatalError)) {
1174  LOG_INFO("Check that the retention SRAM blocks accesses");
1175  uint32_t data = *((uint32_t *)kSramRetStart);
1176  LOG_INFO("Read from address 0x%0x with expected error gets 0x%x",
1177  kSramRetStart, data);
1178  CHECK(load_access_exception_seen,
1179  "We expect this access to trigger a load access exception");
1180  }
1181 
1182  wait_for_interrupt();
1183  CHECK(false, "This should not be reached");
1184 }
1185 
1186 void check_alert_dump(void) {
1187  dif_rstmgr_alert_info_dump_segment_t dump[DIF_RSTMGR_ALERT_INFO_MAX_SIZE];
1188  size_t seg_size;
1189  alert_handler_testutils_info_t actual_info;
1190 
1191  CHECK_DIF_OK(dif_rstmgr_alert_info_dump_read(
1192  &rstmgr, dump, DIF_RSTMGR_ALERT_INFO_MAX_SIZE, &seg_size));
1193 
1194  LOG_INFO("DUMP SIZE %d", seg_size);
1195  for (int i = 0; i < seg_size; i++) {
1196  LOG_INFO("DUMP:%d: 0x%x", i, dump[i]);
1197  }
1198 
1199  CHECK(seg_size <= INT_MAX, "seg_size must fit in int");
1200  CHECK_STATUS_OK(
1201  alert_handler_testutils_info_parse(dump, (int)seg_size, &actual_info));
1202  LOG_INFO("The alert info crash dump:");
1203  alert_handler_testutils_info_dump(&actual_info);
1204  // Check alert cause.
1205  for (int i = 0; i < ALERT_HANDLER_PARAM_N_ALERTS; ++i) {
1206  if (i == kExpectedAlertNumber) {
1207  CHECK(actual_info.alert_cause[i], "Expected alert cause %d to be set", i);
1208  } else {
1209  // It is possible some alerts can trigger others; for example, some
1210  // lc_ctrl faults lead to otp_ctrl faults.
1211  if (actual_info.alert_cause[i]) {
1212  LOG_INFO("Unexpected alert cause %d, may be triggered by %d", i,
1213  kExpectedAlertNumber);
1214  }
1215  }
1216  }
1217 }
1218 
1219 bool test_main(void) {
1220  // Retrieve the SRAM Ret Start address from the DT
1221  kSramRetStart =
1222  dt_sram_ctrl_reg_block(kDtSramCtrlRetAon, kDtSramCtrlRegBlockRam);
1223 
1224  // Enable global and external IRQ at Ibex.
1225  irq_global_ctrl(true);
1226  irq_external_ctrl(true);
1227 
1228  init_peripherals();
1229 
1230  ret_sram_testutils_init();
1231 
1232  // Enable all the interrupts used in this test.
1233  rv_plic_testutils_irq_range_enable(
1234  &plic, kPlicTarget,
1235  dt_aon_timer_irq_to_plic_id(kAonTimerDt, kDtAonTimerIrqWkupTimerExpired),
1236  dt_aon_timer_irq_to_plic_id(kAonTimerDt, kDtAonTimerIrqWdogTimerBark));
1237  rv_plic_testutils_irq_range_enable(
1238  &plic, kPlicTarget,
1239  dt_alert_handler_irq_to_plic_id(kAlertHandlerDt,
1240  kDtAlertHandlerIrqClassa),
1241  dt_alert_handler_irq_to_plic_id(kAlertHandlerDt,
1242  kDtAlertHandlerIrqClassd));
1243 
1244  // Check if there was a HW reset caused by the escalation.
1245  dif_rstmgr_reset_info_bitfield_t rst_info;
1246  rst_info = rstmgr_testutils_reason_get();
1247  rstmgr_testutils_reason_clear();
1248 
1249  CHECK(rst_info == kDifRstmgrResetInfoPor ||
1250  rst_info == kDifRstmgrResetInfoEscalation,
1251  "Wrong reset reason %02X", rst_info);
1252 
1253  if (rst_info == kDifRstmgrResetInfoPor) {
1254  LOG_INFO("Booting for the first time, starting test");
1255  // Enable rstmgr alert info capture.
1256  CHECK_DIF_OK(dif_rstmgr_alert_info_set_enabled(&rstmgr, kDifToggleEnabled));
1257  CHECK_STATUS_OK(ret_sram_testutils_counter_clear(kCounterReset));
1258  CHECK_STATUS_OK(ret_sram_testutils_counter_clear(kCounterInterrupt));
1259  CHECK_STATUS_OK(ret_sram_testutils_counter_clear(kCounterNmi));
1260  execute_test(&aon_timer);
1261  } else if (rst_info == kDifRstmgrResetInfoEscalation) {
1262  restore_fault_checker(&fault_checker);
1263  // Get the reset counter.
1264  CHECK_STATUS_OK(ret_sram_testutils_counter_get(kCounterReset,
1265  (uint32_t *)&reset_count));
1266  LOG_INFO("Reset counter value: %u", reset_count);
1267  if (reset_count > kMaxResets) {
1268  CHECK(false, "Ip %d Got too many resets (%d)", fault_checker.ip_inst,
1269  reset_count);
1270  }
1271 
1272  // Increment reset counter to know where we are.
1273  CHECK_STATUS_OK(ret_sram_testutils_counter_increment(kCounterReset));
1274 
1275  restore_fault_checker(&fault_checker);
1276 
1277  LOG_INFO("Booting due to escalation reset");
1278 
1279  uint32_t interrupt_count = 0;
1280  CHECK_STATUS_OK(
1281  ret_sram_testutils_counter_get(kCounterInterrupt, &interrupt_count));
1282  uint32_t nmi_count = 0;
1283  CHECK_STATUS_OK(ret_sram_testutils_counter_get(kCounterNmi, &nmi_count));
1284 
1285  LOG_INFO("Interrupt count %d", interrupt_count);
1286  LOG_INFO("NMI count %d", nmi_count);
1287 
1288 #if defined(OPENTITAN_IS_EARLGREY)
1289  // ISRs should not run if flash_ctrl or sram_ctrl_main get a fault because
1290  // flash or sram accesses are blocked in those cases. For lc_ctrl fatal
1291  // state, otp_fatal alerts tha will trigger LC to escalate, the lc_ctrl
1292  // blocks the CPU.
1293  if (kExpectedAlertNumber ==
1294  dt_flash_ctrl_alert_to_alert_id(kFlashCtrlDt,
1295  kDtFlashCtrlAlertFatalStdErr) ||
1296  kExpectedAlertNumber ==
1297  dt_sram_ctrl_alert_to_alert_id(kSramCtrlMainDt,
1298  kDtSramCtrlAlertFatalError) ||
1299  kExpectedAlertNumber == dt_lc_ctrl_alert_to_alert_id(
1300  kLcCtrlDt, kDtLcCtrlAlertFatalStateError) ||
1301  kExpectedAlertNumber ==
1302  dt_otp_ctrl_alert_to_alert_id(kOtpCtrlDt,
1303  kDtOtpCtrlAlertFatalMacroError) ||
1304  kExpectedAlertNumber ==
1305  dt_otp_ctrl_alert_to_alert_id(kOtpCtrlDt,
1306  kDtOtpCtrlAlertFatalCheckError)) {
1307  CHECK(interrupt_count == 0,
1308  "Expected regular ISR should not run for flash_ctrl, lc_ctrl fatal "
1309  "state, or sram_ctrl_main faults");
1310  CHECK(nmi_count == 0,
1311  "Expected nmi should not run for flash_ctrl, lc_ctrl fatal state, "
1312  "or sram_ctrl_main faults");
1313  } else {
1314  CHECK(interrupt_count == 1, "Expected exactly one regular interrupt");
1315  CHECK(nmi_count > 0, "Expected at least one nmi");
1316  }
1317 #elif defined(OPENTITAN_IS_DARJEELING)
1318  // ISRs should not run if sram_ctrl_main gets a fault because sram accesses
1319  // are blocked in that cases. For lc_ctrl fatal state, otp_fatal alerts that
1320  // will trigger LC to escalate, the lc_ctrl blocks the CPU.
1321  if (kExpectedAlertNumber ==
1322  dt_sram_ctrl_alert_to_alert_id(kSramCtrlMainDt,
1323  kDtSramCtrlAlertFatalError) ||
1324  kExpectedAlertNumber == dt_lc_ctrl_alert_to_alert_id(
1325  kLcCtrlDt, kDtLcCtrlAlertFatalStateError) ||
1326  kExpectedAlertNumber ==
1327  dt_otp_ctrl_alert_to_alert_id(kOtpCtrlDt,
1328  kDtOtpCtrlAlertFatalMacroError) ||
1329  kExpectedAlertNumber ==
1330  dt_otp_ctrl_alert_to_alert_id(kOtpCtrlDt,
1331  kDtOtpCtrlAlertFatalCheckError)) {
1332  CHECK(interrupt_count == 0,
1333  "Expected regular ISR should not run for lc_ctrl fatal state, "
1334  "or sram_ctrl_main faults");
1335  CHECK(nmi_count == 0,
1336  "Expected nmi should not run for lc_ctrl fatal state, or "
1337  "sram_ctrl_main faults");
1338  } else {
1339  CHECK(interrupt_count == 1, "Expected exactly one regular interrupt");
1340  CHECK(nmi_count > 0, "Expected at least one nmi");
1341  }
1342 #else
1343 #error "all_escalation_resets_test does not support this top"
1344 #endif
1345 
1346  // Check the alert handler cause is cleared.
1347  bool is_cause = true;
1348  CHECK_DIF_OK(dif_alert_handler_alert_is_cause(
1349  &alert_handler, kExpectedAlertNumber, &is_cause));
1350  CHECK(!is_cause);
1351 
1352  // Check the fault register is clear.
1353  fault_checker.function(/*enable=*/false, fault_checker.ip_inst,
1354  fault_checker.type);
1355  check_alert_dump();
1356  return true;
1357  } else {
1358  LOG_ERROR("Unexpected rst_info=0x%x", rst_info);
1359  return false;
1360  }
1361 
1362  return false;
1363 }
Return to OpenTitan Documentation