Skip to content

Commit

Permalink
[rtl] Harden lockstep enable against FI
Browse files Browse the repository at this point in the history
Currently, the dual-core lockstep FI mitigation is enabled/disabled
using a single bit.
For transient bit-flips, this is not problematic, as one bit-flip
into this signal and one bit into the Ibex is required to threaten
the security of the system.

However, a permanent stuck-at-0 fault could disable the lockstep
completely by targeting this signal. Then, only a single, additional
fault (transient or permanent) is required.

This PR enhances the FI resilience of the Ibex lockstep by encoding
this single bit into a ibex_mubi_t signal, i.e., a 4-bit multi-bit
signal.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
  • Loading branch information
nasahlpa committed Jan 18, 2024
1 parent 123d46b commit 2f040eb
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 11 deletions.
37 changes: 27 additions & 10 deletions rtl/ibex_lockstep.sv
Original file line number Diff line number Diff line change
Expand Up @@ -123,41 +123,57 @@ module ibex_lockstep import ibex_pkg::*; #(
logic [LockstepOffsetW-1:0] rst_shadow_cnt_d, rst_shadow_cnt_q, rst_shadow_cnt_incr;
// Internally generated resets cause IMPERFECTSCH warnings
/* verilator lint_off IMPERFECTSCH */
logic rst_shadow_set_d, rst_shadow_set_q;
logic rst_shadow_n, enable_cmp_q;
ibex_mubi_t rst_shadow_set_d, rst_shadow_set_q;
// This signal is needed in order to avoid "Warning-IMPERFECTSCH" messages.
logic rst_shadow_set_single_bit;
logic rst_shadow_n;
ibex_mubi_t enable_cmp_d, enable_cmp_q;
/* verilator lint_on IMPERFECTSCH */

assign rst_shadow_cnt_incr = rst_shadow_cnt_q + 1'b1;

assign rst_shadow_set_d = (rst_shadow_cnt_q == LockstepOffsetW'(LockstepOffset - 1));
assign rst_shadow_cnt_d = rst_shadow_set_d ? rst_shadow_cnt_q : rst_shadow_cnt_incr;
assign rst_shadow_set_d =
(rst_shadow_cnt_q == LockstepOffsetW'(LockstepOffset - 1)) ? IbexMuBiOn : IbexMuBiOff;
assign rst_shadow_cnt_d =
(rst_shadow_set_d == IbexMuBiOn) ? rst_shadow_cnt_q : rst_shadow_cnt_incr;
assign rst_shadow_set_single_bit = rst_shadow_set_q[0];

assign enable_cmp_d = rst_shadow_set_q;

always_ff @(posedge clk_i or negedge rst_ni) begin
if (!rst_ni) begin
rst_shadow_cnt_q <= '0;
enable_cmp_q <= '0;
end else begin
rst_shadow_cnt_q <= rst_shadow_cnt_d;
enable_cmp_q <= rst_shadow_set_q;
end
end

// The primitives below are used to place size-only constraints in order to prevent
// synthesis optimizations and preserve anchor points for constraining backend tools.
prim_flop #(
.Width(1),
.ResetValue(1'b0)
.Width(IbexMuBiWidth),
.ResetValue(IbexMuBiOff)
) u_prim_rst_shadow_set_flop (
.clk_i (clk_i),
.rst_ni(rst_ni),
.d_i (rst_shadow_set_d),
.q_o (rst_shadow_set_q)
);

prim_flop #(
.Width(IbexMuBiWidth),
.ResetValue(IbexMuBiOff)
) u_prim_enable_cmp_flop (
.clk_i (clk_i),
.rst_ni(rst_ni),
.d_i (enable_cmp_d),
.q_o (enable_cmp_q)
);

prim_clock_mux2 #(
.NoFpgaBufG(1'b1)
) u_prim_rst_shadow_n_mux2 (
.clk0_i(rst_shadow_set_q),
.clk0_i(rst_shadow_set_single_bit),
.clk1_i(scan_rst_ni),
.sel_i (test_en_i),
.clk_o (rst_shadow_n)
Expand Down Expand Up @@ -458,7 +474,8 @@ module ibex_lockstep import ibex_pkg::*; #(

logic outputs_mismatch;

assign outputs_mismatch = enable_cmp_q & (shadow_outputs_q != core_outputs_q[0]);
assign outputs_mismatch =
(enable_cmp_q != IbexMuBiOff) & (shadow_outputs_q != core_outputs_q[0]);
assign alert_major_internal_o = outputs_mismatch | shadow_alert_major_internal;
assign alert_major_bus_o = shadow_alert_major_bus;
assign alert_minor_o = shadow_alert_minor;
Expand Down
4 changes: 3 additions & 1 deletion rtl/ibex_pkg.sv
Original file line number Diff line number Diff line change
Expand Up @@ -655,7 +655,9 @@ package ibex_pkg;

// Mult-bit signal used for security hardening. For non-secure implementation all bits other than
// the bottom bit are ignored.
typedef logic [3:0] ibex_mubi_t;
parameter int IbexMuBiWidth = 4;

typedef logic [IbexMuBiWidth-1:0] ibex_mubi_t;

// Note that if adjusting these parameters it is assumed the bottom bit is set for On and unset
// for Off. This allows the use of IbexMuBiOn/IbexMuBiOff to work for both secure and non-secure
Expand Down

0 comments on commit 2f040eb

Please sign in to comment.