From 5a6b9a35f56edea4082a6b12a349a57b63c63ec8 Mon Sep 17 00:00:00 2001 From: Pascal Nasahl Date: Wed, 17 Jan 2024 12:59:59 +0100 Subject: [PATCH] [rtl] Harden lockstep enable against FI Currently, the dual-core lockstep FI mitigation is enabled/disabled using a single bit. For transient bit-flips, this is not problematic, as one bit-flip into this signal and one bit into the Ibex is required to threaten the security of the system. However, a permanent stuck-at-0 fault could disable the lockstep completely by targeting this signal. Then, only a single, additional fault (transient or permanent) is required. This PR enhances the FI resilience of the Ibex lockstep by encoding this single bit into a ibex_mubi_t signal, i.e., a 4-bit multi-bit signal. Signed-off-by: Pascal Nasahl --- rtl/ibex_lockstep.sv | 25 ++++++++++++++++--------- rtl/ibex_pkg.sv | 4 +++- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/rtl/ibex_lockstep.sv b/rtl/ibex_lockstep.sv index 7778ff74d0..d06073b16d 100644 --- a/rtl/ibex_lockstep.sv +++ b/rtl/ibex_lockstep.sv @@ -123,19 +123,25 @@ module ibex_lockstep import ibex_pkg::*; #( logic [LockstepOffsetW-1:0] rst_shadow_cnt_d, rst_shadow_cnt_q, rst_shadow_cnt_incr; // Internally generated resets cause IMPERFECTSCH warnings /* verilator lint_off IMPERFECTSCH */ - logic rst_shadow_set_d, rst_shadow_set_q; - logic rst_shadow_n, enable_cmp_q; + ibex_mubi_t rst_shadow_set_d, rst_shadow_set_q; + // This signal is needed in order to avoid "Warning-IMPERFECTSCH" messages. + logic rst_shadow_set_single_bit; + logic rst_shadow_n; + ibex_mubi_t enable_cmp_q; /* verilator lint_on IMPERFECTSCH */ assign rst_shadow_cnt_incr = rst_shadow_cnt_q + 1'b1; - assign rst_shadow_set_d = (rst_shadow_cnt_q == LockstepOffsetW'(LockstepOffset - 1)); - assign rst_shadow_cnt_d = rst_shadow_set_d ? rst_shadow_cnt_q : rst_shadow_cnt_incr; + assign rst_shadow_set_d = + (rst_shadow_cnt_q == LockstepOffsetW'(LockstepOffset - 1)) ? IbexMuBiOn : IbexMuBiOff; + assign rst_shadow_cnt_d = + (rst_shadow_set_d == IbexMuBiOn) ? rst_shadow_cnt_q : rst_shadow_cnt_incr; + assign rst_shadow_set_single_bit = rst_shadow_set_q[0]; always_ff @(posedge clk_i or negedge rst_ni) begin if (!rst_ni) begin rst_shadow_cnt_q <= '0; - enable_cmp_q <= '0; + enable_cmp_q <= IbexMuBiOff; end else begin rst_shadow_cnt_q <= rst_shadow_cnt_d; enable_cmp_q <= rst_shadow_set_q; @@ -145,8 +151,8 @@ module ibex_lockstep import ibex_pkg::*; #( // The primitives below are used to place size-only constraints in order to prevent // synthesis optimizations and preserve anchor points for constraining backend tools. prim_flop #( - .Width(1), - .ResetValue(1'b0) + .Width(IbexMuBiWidth), + .ResetValue(IbexMuBiOff) ) u_prim_rst_shadow_set_flop ( .clk_i (clk_i), .rst_ni(rst_ni), @@ -157,7 +163,7 @@ module ibex_lockstep import ibex_pkg::*; #( prim_clock_mux2 #( .NoFpgaBufG(1'b1) ) u_prim_rst_shadow_n_mux2 ( - .clk0_i(rst_shadow_set_q), + .clk0_i(rst_shadow_set_single_bit), .clk1_i(scan_rst_ni), .sel_i (test_en_i), .clk_o (rst_shadow_n) @@ -458,7 +464,8 @@ module ibex_lockstep import ibex_pkg::*; #( logic outputs_mismatch; - assign outputs_mismatch = enable_cmp_q & (shadow_outputs_q != core_outputs_q[0]); + assign outputs_mismatch = + (enable_cmp_q != IbexMuBiOff) & (shadow_outputs_q != core_outputs_q[0]); assign alert_major_internal_o = outputs_mismatch | shadow_alert_major_internal; assign alert_major_bus_o = shadow_alert_major_bus; assign alert_minor_o = shadow_alert_minor; diff --git a/rtl/ibex_pkg.sv b/rtl/ibex_pkg.sv index 9a3c7faa90..74adc48324 100644 --- a/rtl/ibex_pkg.sv +++ b/rtl/ibex_pkg.sv @@ -655,7 +655,9 @@ package ibex_pkg; // Mult-bit signal used for security hardening. For non-secure implementation all bits other than // the bottom bit are ignored. - typedef logic [3:0] ibex_mubi_t; + parameter int IbexMuBiWidth = 4; + + typedef logic [IbexMuBiWidth-1:0] ibex_mubi_t; // Note that if adjusting these parameters it is assumed the bottom bit is set for On and unset // for Off. This allows the use of IbexMuBiOn/IbexMuBiOff to work for both secure and non-secure