Update lowrisc_ip to lowRISC/opentitan@4cf2479b8e

Update code from upstream repository https://github.com/lowRISC/opentitan to revision 4cf2479b8e6c9b68b9fe1adba202443d3dbe3ff3 * [prim_trivium] Allow dynamically disabling the lockup protection (Pirmin Vogel) * [scrambling] Add reference to RFC issue (Michael Schaffner) * [edn] Move prim_edn_req out of prim (Rupert Swarbrick) * [reggen] Remove the devmode input (Michael Schaffner) * [prim, rom_ctrl] Remove S&P layer from data scrambling (Michael Schaffner) * [prim] Fix typo in Trivium/Bivium stream cipher primitives (Pirmin Vogel) * [prim] Add scratch Verilator testbench for Trivium/Bivium primitives (Pirmin Vogel) * [prim] Add Trivium/Bivium stream cipher primitives (Pirmin Vogel) * [chip,dv] update makefile for real_key rom test (Jaedon Kim) * [dvsim] cast self.seed to 'int' (Jaedon Kim) * [dvsim] Change systemverilog seed to 32 bits (Hakim Filali) * [dv] Specialize dv_spinwait_* documentation comments (Rupert Swarbrick) Signed-off-by: Michael Schaffner <msf@opentitan.org>
lowRISC · Jan 19, 2024 · 94a7446 · 94a7446
1 parent 123d46b
commit 94a7446
Show file tree

Hide file tree

Showing 31 changed files with 1,249 additions and 364 deletions.
diff --git a/vendor/lowrisc_ip.lock.hjson b/vendor/lowrisc_ip.lock.hjson
@@ -9,6 +9,6 @@
   upstream:
   {
     url: https://github.com/lowRISC/opentitan
-    rev: e6a0e9a1363d33789283ea6ba3c4d94d41f2dee5
+    rev: 4cf2479b8e6c9b68b9fe1adba202443d3dbe3ff3
   }
 }
diff --git a/vendor/lowrisc_ip/dv/sv/dv_utils/dv_macros.svh b/vendor/lowrisc_ip/dv/sv/dv_utils/dv_macros.svh
@@ -360,14 +360,13 @@
   `define GET_PARITY(val, odd=0) (^val ^ odd)
 `endif
 
-// Wait a task or statement with exit condition
-// Kill the thread when either the wait statement is completed or exit condition occurs
-// input WAIT_ need to be a statement. Here are some examples
-// `DV_SPINWAIT(wait(...);, "Wait for ...")
-// `DV_SPINWAIT(
-//              while (1) begin
-//                ...
-//              end)
+// Wait for a statement but stop early if the EXIT statement completes.
+//
+// Example usage:
+//
+//    `DV_SPINWAIT_EXIT(do_something_time_consuming();,
+//                      wait(stop_now_flag);,
+//                      "The stop flag was set when we were working")
 `ifndef DV_SPINWAIT_EXIT
 `define DV_SPINWAIT_EXIT(WAIT_, EXIT_, MSG_ = "exit condition occurred!", ID_ =`gfn) \
   begin \
@@ -398,7 +397,7 @@
   end
 `endif
 
-// wait a task or statement with timer watchdog
+// Wait for a statement, but exit early after a timeout
 `ifndef DV_SPINWAIT
 `define DV_SPINWAIT(WAIT_, MSG_ = "timeout occurred!", TIMEOUT_NS_ = default_spinwait_timeout_ns, ID_ =`gfn) \
   `DV_SPINWAIT_EXIT(WAIT_, `DV_WAIT_TIMEOUT(TIMEOUT_NS_, ID_, MSG_);, "", ID_)

diff --git a/vendor/lowrisc_ip/dv/sv/dv_utils/dv_utils_pkg.sv b/vendor/lowrisc_ip/dv/sv/dv_utils/dv_utils_pkg.sv
@@ -36,7 +36,6 @@ package dv_utils_pkg;
 
   // typedef parameterized pins_if for ease of implementation for interrupts and alerts
   typedef virtual pins_if #(NUM_MAX_INTERRUPTS) intr_vif;
-  typedef virtual pins_if #(1)                  devmode_vif;
 
   // interface direction / mode - Host or Device
   typedef enum bit {

diff --git a/vendor/lowrisc_ip/dv/sv/mem_bkdr_util/mem_bkdr_util__rom.sv b/vendor/lowrisc_ip/dv/sv/mem_bkdr_util/mem_bkdr_util__rom.sv
@@ -59,7 +59,6 @@ virtual function bit [38:0] rom_encrypt_read32(bit [bus_params_pkg::BUS_AW-1:0]
     zero_key[i] = '0;
   end
 
-  data_arr = sram_scrambler_pkg::sp_decrypt(data_arr, 39, zero_key);
   for (int i = 0; i < 39; i++) begin
     data[i] = data_arr[i] ^ keystream[i];
   end

diff --git a/vendor/lowrisc_ip/dv/sv/mem_bkdr_util/sram_scrambler_pkg.sv b/vendor/lowrisc_ip/dv/sv/mem_bkdr_util/sram_scrambler_pkg.sv
@@ -237,10 +237,10 @@ package sram_scrambler_pkg;
   // SRAM data encryption is more involved, we need to run 2 rounds of PRINCE on the nonce and key
   // and then XOR the result with the data.
   //
-  // After that, the XORed data neeeds to them be passed through the S&P network one byte at a time.
+  // Optionally, the XORed data can be passed through the S&P network.
   function automatic state_t encrypt_sram_data(logic data[], int data_width, int sp_width,
                                                logic addr[], int addr_width,
-                                               logic key[], logic nonce[]);
+                                               logic key[], logic nonce[], bit use_sp_layer = 0);
     logic keystream[] = new[SRAM_BLOCK_WIDTH];
     logic data_enc[] = new[data_width];
     logic byte_to_enc[] = new[8];
@@ -262,31 +262,33 @@ package sram_scrambler_pkg;
       data_enc[i] = data[i] ^ keystream[i % ks_width];
     end
 
-    if (data_width == sp_width) begin
-      // pass the entire word through the subst/perm network at once (the next cases would give the
-      // same results too, but this should be a bit more efficient)
-      data_enc = sp_encrypt(data_enc, data_width, zero_key);
-    end else if (sp_width == 8) begin
-      // pass each byte of the encoded result through the subst/perm network (special case of the
-      // general code below)
-      for (int i = 0; i < data_width / 8; i++) begin
-        byte_to_enc = data_enc[i*8 +: 8];
-        enc_byte = sp_encrypt(byte_to_enc, 8, zero_key);
-        data_enc[i*8 +: 8] = enc_byte;
-      end
-    end else begin
-      // divide the word into sp_width chunks to pass it through the subst/perm network
-      for (int chunk_lsb = 0; chunk_lsb < data_width; chunk_lsb += sp_width) begin
-        int bits_remaining = data_width - chunk_lsb;
-        int chunk_width = (bits_remaining < sp_width) ? bits_remaining : sp_width;
-        logic chunk[] = new[chunk_width];
-
-        for (int j = 0; j < chunk_width; j++) begin
-          chunk[j] = data_enc[chunk_lsb + j];
+    if (use_sp_layer) begin
+      if (data_width == sp_width) begin
+        // pass the entire word through the subst/perm network at once (the next cases would give the
+        // same results too, but this should be a bit more efficient)
+        data_enc = sp_encrypt(data_enc, data_width, zero_key);
+      end else if (sp_width == 8) begin
+        // pass each byte of the encoded result through the subst/perm network (special case of the
+        // general code below)
+        for (int i = 0; i < data_width / 8; i++) begin
+          byte_to_enc = data_enc[i*8 +: 8];
+          enc_byte = sp_encrypt(byte_to_enc, 8, zero_key);
+          data_enc[i*8 +: 8] = enc_byte;
         end
-        chunk = sp_encrypt(chunk, chunk_width, zero_key);
-        for (int j = 0; j < chunk_width; j++) begin
-          data_enc[chunk_lsb + j] = chunk[j];
+      end else begin
+        // divide the word into sp_width chunks to pass it through the subst/perm network
+        for (int chunk_lsb = 0; chunk_lsb < data_width; chunk_lsb += sp_width) begin
+          int bits_remaining = data_width - chunk_lsb;
+          int chunk_width = (bits_remaining < sp_width) ? bits_remaining : sp_width;
+          logic chunk[] = new[chunk_width];
+
+          for (int j = 0; j < chunk_width; j++) begin
+            chunk[j] = data_enc[chunk_lsb + j];
+          end
+          chunk = sp_encrypt(chunk, chunk_width, zero_key);
+          for (int j = 0; j < chunk_width; j++) begin
+            data_enc[chunk_lsb + j] = chunk[j];
+          end
         end
       end
     end
@@ -296,7 +298,7 @@ package sram_scrambler_pkg;
 
   function automatic state_t decrypt_sram_data(logic data[], int data_width, int sp_width,
                                                logic addr[], int addr_width,
-                                               logic key[], logic nonce[]);
+                                               logic key[], logic nonce[], bit use_sp_layer = 0);
     logic keystream[] = new[SRAM_BLOCK_WIDTH];
     logic data_dec[] = new[data_width];
     logic byte_to_dec[] = new[8];
@@ -312,38 +314,45 @@ package sram_scrambler_pkg;
     // Generate the keystream
     keystream = gen_keystream(addr, addr_width, key, nonce);
 
-    if (data_width == sp_width) begin
-      // pass the entire word through the subst/perm network at once (the next cases would give the
-      // same results too, but this should be a bit more efficient)
-      data_dec = sp_decrypt(data, data_width, zero_key);
-    end else if (sp_width == 8) begin
-      // pass each byte of the data through the subst/perm network (special case of the general code
-      // below)
-      for (int i = 0; i < data_width / 8; i++) begin
-        byte_to_dec = data[i*8 +: 8];
-        dec_byte = sp_decrypt(byte_to_dec, 8, zero_key);
-        data_dec[i*8 +: 8] = dec_byte;
-      end
-    end else begin
-      // divide the word into sp_width chunks to pass it through the subst/perm network
-      for (int chunk_lsb = 0; chunk_lsb < data_width; chunk_lsb += sp_width) begin
-        int bits_remaining = data_width - chunk_lsb;
-        int chunk_width = (bits_remaining < sp_width) ? bits_remaining : sp_width;
-        logic chunk[] = new[chunk_width];
-
-        for (int j = 0; j < chunk_width; j++) begin
-          chunk[j] = data[chunk_lsb + j];
+    if (use_sp_layer) begin
+      if (data_width == sp_width) begin
+        // pass the entire word through the subst/perm network at once (the next cases would give the
+        // same results too, but this should be a bit more efficient)
+        data_dec = sp_decrypt(data, data_width, zero_key);
+      end else if (sp_width == 8) begin
+        // pass each byte of the data through the subst/perm network (special case of the general code
+        // below)
+        for (int i = 0; i < data_width / 8; i++) begin
+          byte_to_dec = data[i*8 +: 8];
+          dec_byte = sp_decrypt(byte_to_dec, 8, zero_key);
+          data_dec[i*8 +: 8] = dec_byte;
         end
-        chunk = sp_decrypt(chunk, chunk_width, zero_key);
-        for (int j = 0; j < chunk_width; j++) begin
-          data_dec[chunk_lsb + j] = chunk[j];
+      end else begin
+        // divide the word into sp_width chunks to pass it through the subst/perm network
+        for (int chunk_lsb = 0; chunk_lsb < data_width; chunk_lsb += sp_width) begin
+          int bits_remaining = data_width - chunk_lsb;
+          int chunk_width = (bits_remaining < sp_width) ? bits_remaining : sp_width;
+          logic chunk[] = new[chunk_width];
+
+          for (int j = 0; j < chunk_width; j++) begin
+            chunk[j] = data[chunk_lsb + j];
+          end
+          chunk = sp_decrypt(chunk, chunk_width, zero_key);
+          for (int j = 0; j < chunk_width; j++) begin
+            data_dec[chunk_lsb + j] = chunk[j];
+          end
         end
       end
-    end
 
-    // XOR result data with the keystream
-    for (int i = 0; i < data_width; i++) begin
-      data_dec[i] = data_dec[i] ^ keystream[i % ks_width];
+      // XOR result data with the keystream
+      for (int i = 0; i < data_width; i++) begin
+        data_dec[i] = data_dec[i] ^ keystream[i % ks_width];
+      end
+    end else begin
+      // XOR result data with the keystream
+      for (int i = 0; i < data_width; i++) begin
+        data_dec[i] = data[i] ^ keystream[i % ks_width];
+      end
     end
 
     return data_dec;

diff --git a/vendor/lowrisc_ip/dv/tools/dvsim/sim.mk b/vendor/lowrisc_ip/dv/tools/dvsim/sim.mk
@@ -19,9 +19,9 @@ pre_build:
 	mkdir -p ${build_dir}
 ifneq (${pre_build_cmds},)
 	# pre_build_cmds are likely changing the in-tree sources. We hence use FLOCK
-        # utility to prevent multiple builds that may be running in parallel from
-        # stepping on each other. TODO: Enforce the list of pre_build_cmds is
-        # identical across all build modes.
+	# utility to prevent multiple builds that may be running in parallel from
+	# stepping on each other. TODO: Enforce the list of pre_build_cmds is
+	# identical across all build modes.
 	${LOCK_ROOT_DIR} "cd ${build_dir} && ${pre_build_cmds}"
 endif
 
@@ -124,6 +124,7 @@ ifneq (${sw_images},)
 				--output=label_kind | cut -f1 -d' '); \
 			if [[ $${kind} == "opentitan_test" \
 					|| $${bazel_label} == "//sw/device/lib/testing/test_rom:test_rom_sim_dv" \
+					|| $${bazel_label} == "//sw/device/silicon_creator/rom:rom_with_real_keys_sim_dv" \
 					|| $${bazel_label} == "//sw/device/silicon_creator/rom:rom_with_fake_keys_sim_dv" ]]; then \
 				for artifact in $$($${bazel_cmd} cquery $${bazel_airgapped_opts} \
 					$${bazel_label} \
@@ -229,18 +230,18 @@ cov_analyze:
 	${cov_analyze_cmd} ${cov_analyze_opts}
 
 .PHONY: build \
-        pre_build \
-        gen_sv_flist \
-        do_build \
-        post_build \
-        build_result \
-        run \
-        pre_run \
-        sw_build \
-        simulate \
-        post_run \
-        run_result \
-        debug_waves \
-        cov_merge \
-        cov_analyze \
-        cov_report
+	pre_build \
+	gen_sv_flist \
+	do_build \
+	post_build \
+	build_result \
+	run \
+	pre_run \
+	sw_build \
+	simulate \
+	post_run \
+	run_result \
+	debug_waves \
+	cov_merge \
+	cov_analyze \
+	cov_report
diff --git a/vendor/lowrisc_ip/dv/tools/dvsim/testplans/tl_device_access_types_wo_intg_testplan.hjson b/vendor/lowrisc_ip/dv/tools/dvsim/testplans/tl_device_access_types_wo_intg_testplan.hjson
@@ -23,7 +23,7 @@
               - address and size aren't aligned, e.g. `a_address = 0x01`, `a_size != 0`
               - size is greater than 2
             - OpenTitan defined error cases
-              - access unmapped address, expect `d_error = 1` when `devmode_i == 1`
+              - access unmapped address, expect `d_error = 1`
               - write a CSR with unaligned address, e.g. `a_address[1:0] != 0`
               - write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte
               - write a memory with `a_mask != '1` when it doesn't support partial accesses

diff --git a/vendor/lowrisc_ip/dv/tools/dvsim/vcs.hjson b/vendor/lowrisc_ip/dv/tools/dvsim/vcs.hjson
@@ -113,7 +113,7 @@
 
   run_opts:   ["-licqueue",
                "-ucli -do {run_script}",
-               "+ntb_random_seed={seed}",
+               "+ntb_random_seed={svseed}",
                // Disable the display of the SystemVerilog assert and cover statement summary
                // at the end of simulation. This summary is list of assertions that started but
                // did not finish because the simulation terminated, or assertions that did not
@@ -134,7 +134,7 @@
 
   // Individual test specific coverage data - this will be deleted if the test fails
   // so that coverage from failiing tests is not included in the final report.
-  cov_db_test_dir_name: "{run_dir_name}.{seed}"
+  cov_db_test_dir_name: "{run_dir_name}.{svseed}"
   cov_db_test_dir: "{cov_db_dir}/snps/coverage/db/testdata/{cov_db_test_dir_name}"
 
   // Merging coverage.

diff --git a/vendor/lowrisc_ip/dv/tools/dvsim/verilator.hjson b/vendor/lowrisc_ip/dv/tools/dvsim/verilator.hjson
@@ -69,9 +69,7 @@
                // "--x-initial unique",
                ]
 
-  run_opts: [// Set random seed.
-             // "+verilator+seed+{seed}",
-             ]
+  run_opts: []
 
   // Supported wave dumping formats (in order of preference).
   supported_wave_formats: ["fst"]

diff --git a/vendor/lowrisc_ip/dv/tools/dvsim/xcelium.hjson b/vendor/lowrisc_ip/dv/tools/dvsim/xcelium.hjson
@@ -68,7 +68,7 @@
                "-64bit -xmlibdirname {build_db_dir}",
                // Use the same snapshot name set during the build step.
                "-r {tb}",
-               "+SVSEED={seed}",
+               "+SVSEED={svseed}",
                "{uvm_testname_plusarg}",
                "{uvm_testseq_plusarg}",
                // Ignore "IEEE 1800-2009 SystemVerilog simulation semantics" warning
@@ -129,7 +129,7 @@
 
   // Individual test specific coverage data - this will be deleted if the test fails
   // so that coverage from failiing tests is not included in the final report.
-  cov_db_test_dir_name: "{run_dir_name}.{seed}"
+  cov_db_test_dir_name: "{run_dir_name}.{svseed}"
   cov_db_test_dir:      "{cov_db_dir}/{cov_db_test_dir_name}"
 
   // Merging coverage.

diff --git a/vendor/lowrisc_ip/dv/verilator/cpp/scrambled_ecc32_mem_area.cc b/vendor/lowrisc_ip/dv/verilator/cpp/scrambled_ecc32_mem_area.cc
@@ -162,9 +162,10 @@ void ScrambledEcc32MemArea::WriteBuffer(uint8_t buf[SV_MEM_WIDTH_BYTES],
 std::vector<uint8_t> ScrambledEcc32MemArea::ReadUnscrambled(
     const uint8_t buf[SV_MEM_WIDTH_BYTES], uint32_t src_word) const {
   std::vector<uint8_t> scrambled_data(buf, buf + GetPhysWidthByte());
-  return scramble_decrypt_data(
-      scrambled_data, GetPhysWidth(), 39, AddrIntToBytes(src_word, addr_width_),
-      addr_width_, GetScrambleNonce(), GetScrambleKey(), repeat_keystream_);
+  return scramble_decrypt_data(scrambled_data, GetPhysWidth(), 39,
+                               AddrIntToBytes(src_word, addr_width_),
+                               addr_width_, GetScrambleNonce(),
+                               GetScrambleKey(), repeat_keystream_, false);
 }
 
 void ScrambledEcc32MemArea::ReadBuffer(std::vector<uint8_t> &data,
@@ -196,7 +197,8 @@ void ScrambledEcc32MemArea::ScrambleBuffer(uint8_t buf[SV_MEM_WIDTH_BYTES],
   // Scramble data with integrity
   scramble_buf = scramble_encrypt_data(
       scramble_buf, GetPhysWidth(), 39, AddrIntToBytes(dst_word, addr_width_),
-      addr_width_, GetScrambleNonce(), GetScrambleKey(), repeat_keystream_);
+      addr_width_, GetScrambleNonce(), GetScrambleKey(), repeat_keystream_,
+      false);
 
   // Copy scrambled data to write buffer
   std::copy(scramble_buf.begin(), scramble_buf.end(), &buf[0]);

diff --git a/vendor/lowrisc_ip/ip/prim/dv/prim_ram_scr/cpp/scramble_model.cc b/vendor/lowrisc_ip/ip/prim/dv/prim_ram_scr/cpp/scramble_model.cc
@@ -322,7 +322,7 @@ std::vector<uint8_t> scramble_encrypt_data(
     const std::vector<uint8_t> &data_in, uint32_t data_width,
     uint32_t subst_perm_width, const std::vector<uint8_t> &addr,
     uint32_t addr_width, const std::vector<uint8_t> &nonce,
-    const std::vector<uint8_t> &key, bool repeat_keystream) {
+    const std::vector<uint8_t> &key, bool repeat_keystream, bool use_sp_layer) {
   assert(data_in.size() == ((data_width + 7) / 8));
   assert(addr.size() == ((addr_width + 7) / 8));
 
@@ -335,28 +335,32 @@ std::vector<uint8_t> scramble_encrypt_data(
 
   auto data_enc = xor_vectors(data_in, keystream);
 
-  return scramble_subst_perm_full_width(data_enc, data_width, subst_perm_width,
-                                        true);
+  if (use_sp_layer) {
+    return scramble_subst_perm_full_width(data_enc, data_width,
+                                          subst_perm_width, true);
+  } else {
+    return data_enc;
+  }
 }
 
 std::vector<uint8_t> scramble_decrypt_data(
     const std::vector<uint8_t> &data_in, uint32_t data_width,
     uint32_t subst_perm_width, const std::vector<uint8_t> &addr,
     uint32_t addr_width, const std::vector<uint8_t> &nonce,
-    const std::vector<uint8_t> &key, bool repeat_keystream) {
+    const std::vector<uint8_t> &key, bool repeat_keystream, bool use_sp_layer) {
   assert(data_in.size() == ((data_width + 7) / 8));
   assert(addr.size() == ((addr_width + 7) / 8));
 
-  // Data is decrypted by reversing substitution/permutation layer then XORing
-  // with keystream
-  auto data_sp_out = scramble_subst_perm_full_width(data_in, data_width,
-                                                    subst_perm_width, false);
-
   auto keystream =
       scramble_gen_keystream(addr, addr_width, nonce, key, data_width,
                              kNumPrinceHalfRounds, repeat_keystream);
-
-  auto data_dec = xor_vectors(data_sp_out, keystream);
-
-  return data_dec;
+  if (use_sp_layer) {
+    // Data is decrypted by reversing substitution/permutation layer then XORing
+    // with keystream
+    auto data_sp_out = scramble_subst_perm_full_width(data_in, data_width,
+                                                      subst_perm_width, false);
+    return xor_vectors(data_sp_out, keystream);
+  } else {
+    return xor_vectors(data_in, keystream);
+  }
 }