Update lowrisc_ibex to lowRISC/ibex@123d46b4

Update code from upstream repository
https://github.com/lowRISC/ibex.git to revision
123d46b4d60068502f80c117772a279db12f5af7

* [dv] Fix paths in `merge_cov.py` (Sᴜᴘᴇʀ Lᴇᴇ)
* Tweak questa timescale argument (Harry Callahan)
* Fixup the questa build/sim command templates in rtl_simulation.yaml
  (Harry Callahan)
* [rtl] Fix FI vulnerability in RF (Pascal Nasahl)
* [doc] Update cosim version (Pascal Nasahl)
* [util] Update check_tool_requirements.py (Gary Guo)
* [rtl] Avoid name collision in ibex_pmp.sv (Rupert Swarbrick)
* [dv] Fix performance counter printing in simple system (Rupert
  Swarbrick)
* Fix spelling of separator (Rupert Swarbrick)
* [dv] Add an extra key to common_project_cfg.hjson (Rupert Swarbrick)
* [verilator] Slight refactor in ibex_tracer to avoid BLKSEQ warning
  (Rupert Swarbrick)
* [verilator] Waive MULTIDRIVEN warning in ibex_tracer.sv (Rupert
  Swarbrick)

Signed-off-by: Michael Schaffner <msf@opentitan.org>

hw/vendor/lowrisc_ibex.lock.hjson

@@ -9,6 +9,6 @@
   upstream:
   {
     url: https://github.com/lowRISC/ibex.git
-    rev: bac72d96ec713a68ed07f3e1cb341ffbf40b8228
+    rev: 123d46b4d60068502f80c117772a279db12f5af7
   }
 }

hw/vendor/lowrisc_ibex/doc/03_reference/security.rst

@@ -90,6 +90,15 @@ When Ibex is configured with the SecureIbex parameter, the write enable signal i
 This can be useful to detect fault injection attacks.
 No attempt is made to correct detected errors, but an internal major alert is signaled for the system to take action.
 
+Register file read addresses glitch detection
+-------------------------------------------
+
+When Ibex is configured with the SecureIbex parameter, the read addresses provided to the register file are converted to one-hot encoded signals, and a one-hot encoded MUX is used to select the register to read from.
+By using one-hot encoding checkers, glitches in the one-hot encoded signals are detected.
+Bit-flips inside the plain read addresses before the one-hot conversion happens are detected by the dual core lockstep.
+This can be useful to detect fault injection attacks.
+No attempt is made to correct detected errors, but an internal major alert is signaled for the system to take action.
+
 ICache ECC
 ----------
 

hw/vendor/lowrisc_ibex/doc/03_reference/verification.rst

@@ -111,8 +111,7 @@ In order to run the co-simulation flow, you'll need:
   + Some custom CSRs
   + Custom NMI behavior
 
-  Ibex verification should work with the Spike version that is tagged as ``ibex-cosim-v0.3``.
-  Other, later, versions called ``ibex-cosim-v*`` may also work but there's no guarantee of backwards compatibility.
+  Ibex verification should work with the Spike version that is tagged as ``ibex-cosim-v0.5``.
 
   Spike must be built with the ``--enable-commitlog`` and ``--enable-misaligned`` options.
   ``--enable-commitlog`` is needed to produce log output to track the instructions that were executed.

hw/vendor/lowrisc_ibex/dv/uvm/common_project_cfg.hjson

@@ -5,6 +5,7 @@
   project:          ibex
 
   // These keys are expected by dvsim.py, so we have to set them to something.
+  book:              bogus.book.domain
   doc_server:        bogus.doc.server
   results_server:    bogus.results.server
   results_html_name: report.html

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/common/prim/prim_and2.sv

@@ -0,0 +1,27 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+// Abstract primitives wrapper.
+//
+// This file is a stop-gap until the DV file list is generated by FuseSoC.
+// Its contents are taken from the file which would be generated by FuseSoC.
+// https://github.com/lowRISC/ibex/issues/893
+
+module prim_and2 #(
+  parameter int Width = 1
+) (
+  input        [Width-1:0] in0_i,
+  input        [Width-1:0] in1_i,
+  output logic [Width-1:0] out_o
+);
+
+if (1) begin : gen_generic
+  prim_generic_and2 #(
+    .Width(Width)
+  ) u_impl_generic (
+    .*
+  );
+end
+
+endmodule

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/ibex_dv.f

@@ -45,6 +45,8 @@
 ${PRJ_DIR}/dv/uvm/core_ibex/common/prim/prim_clock_mux2.sv
 ${LOWRISC_IP_DIR}/ip/prim_generic/rtl/prim_generic_flop.sv
 ${PRJ_DIR}/dv/uvm/core_ibex/common/prim/prim_flop.sv
+${LOWRISC_IP_DIR}/ip/prim_generic/rtl/prim_generic_and2.sv
+${PRJ_DIR}/dv/uvm/core_ibex/common/prim/prim_and2.sv
 
 // Shared lowRISC code
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_cipher_pkg.sv
@@ -64,6 +66,8 @@
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_secded_72_64_enc.sv
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_secded_72_64_dec.sv
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_check.sv
+${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_enc.sv
+${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_mux.sv
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_mubi_pkg.sv
 
 // ibex CORE RTL files

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/scripts/merge_cov.py

@@ -42,11 +42,11 @@ def merge_cov_vcs(md: RegressionMetadata, cov_dirs: Set[pathlib.Path]) -> int:
     logging.info("Generating merged coverage directory")
     cmd = (['urg', '-full64',
             '-format', 'both',
-            '-dbname', str(md.cov_dir/'merged.vdb'),
-            '-report', str(md.cov_dir/'report'),
-            '-log', str(md.cov_dir/'merge.log'),
+            '-dbname', str(md.dir_cov/'merged.vdb'),
+            '-report', str(md.dir_cov/'report'),
+            '-log', str(md.dir_cov/'merge.log'),
             '-dir'] +
-           list(cov_dirs))
+           [str(cov_dir) for cov_dir in list(cov_dirs)])
     return run_one(md.verbose, cmd, redirect_stdstreams='/dev/null')
 
 

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/scripts/report_lib/util.py

@@ -96,7 +96,7 @@ def parse_xcelium_cov_report(cov_report: str) -> Dict[str, Dict[str, Dict[str, i
                 metric_info.append((metric_info_match.group(1),
                     metric_info_match.group(2)))
 
-            # Skip header seperator line
+            # Skip header separator line
             metrics_start_line = line_no + 2
 
     if metrics_start_line == -1:

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/tb/core_ibex_tb_top.sv

@@ -336,4 +336,12 @@ module core_ibex_tb_top;
     assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check.
           unused_assert_connected = 1;
   end
+
+  // Disable the assertion for onhot check in case RdataMuxCheck (set by SecureIbex) is enabled.
+  if (SecureIbex) begin : gen_disable_rdata_mux_check
+    assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_rdata_mux_check.
+          u_prim_onehot_check_raddr_a.unused_assert_connected = 1;
+    assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_rdata_mux_check.
+          u_prim_onehot_check_raddr_b.unused_assert_connected = 1;
+  end
 endmodule

hw/vendor/lowrisc_ibex/dv/uvm/core_ibex/yaml/rtl_simulation.yaml

@@ -99,9 +99,9 @@
           -mfcu -cuname design_cuname
           +define+UVM_REGEX_NO_DPI
           +define+UVM
-          -timescale \"1 ns / 1 ps \"
+          -timescale 1ns/1ps
           -writetoplevels <tb_dir>/top.list
-          -l <tb_dir>/<rtl_log>
+          -l <tb_build_log>
           <cmp_opts>
   sim:
     cmd:
@@ -118,7 +118,7 @@
           +UVM_VERBOSITY=UVM_LOW
           +bin=<binary>
           +ibex_tracer_file_base=<rtl_trace>
-          -l <test_dir>/sim.log
+          -l <rtl_sim_log>
           <cov_opts>
     cov_opts: >-
       -do "coverage save -onexit <tb_dir>/cov.ucdb;"

hw/vendor/lowrisc_ibex/dv/verilator/pcount/cpp/ibex_pcounts.cc

@@ -10,6 +10,7 @@
 #include <svdpi.h>
 
 extern "C" {
+extern unsigned int mhpmcounter_num();
 extern unsigned long long mhpmcounter_get(int index);
 }
 
@@ -32,24 +33,48 @@ const std::vector<std::string> ibex_counter_names = {
     "Multiply Wait",
     "Divide Wait"};
 
+static bool has_hpm_counter(int index) {
+  // The "cycles" and "instructions retired" counters are special and always
+  // exist.
+  if (index == 0 || index == 2)
+    return true;
+
+  // The "NONE" counter is a placeholder. The space reserves an index that was
+  // once the "MTIME" CSR, but now is unused. Return false: there's no real HPM
+  // counter at index 1.
+  if (index == 1)
+    return false;
+
+  // Otherwise, a counter exists if the index is strictly less than
+  // the MHPMCounterNum parameter that got passed to the
+  // ibex_cs_registers module.
+  return index < mhpmcounter_num();
+}
+
 std::string ibex_pcount_string(bool csv) {
-  char seperator = csv ? ',' : ':';
+  char separator = csv ? ',' : ':';
   std::string::size_type longest_name_length;
 
   if (!csv) {
     longest_name_length = 0;
-    for (const std::string &counter_name : ibex_counter_names) {
-      longest_name_length = std::max(longest_name_length, counter_name.length());
+    for (int i = 0; i < ibex_counter_names.size(); ++i) {
+      if (has_hpm_counter(i)) {
+        longest_name_length =
+            std::max(longest_name_length, ibex_counter_names[i].length());
+      }
     }
 
-    // Add 1 to always get at least once space after the seperator
+    // Add 1 to always get at least once space after the separator
     longest_name_length++;
   }
 
   std::stringstream pcount_ss;
 
   for (int i = 0; i < ibex_counter_names.size(); ++i) {
-    pcount_ss << ibex_counter_names[i] << seperator;
+    if (!has_hpm_counter(i))
+      continue;
+
+    pcount_ss << ibex_counter_names[i] << separator;
 
     if (!csv) {
       int padding = longest_name_length - ibex_counter_names[i].length();

hw/vendor/lowrisc_ibex/ibex_top.core

@@ -10,11 +10,13 @@ filesets:
     depend:
       - lowrisc:ibex:ibex_pkg
       - lowrisc:ibex:ibex_core
+      - lowrisc:prim:and2
       - lowrisc:prim:buf
       - lowrisc:prim:clock_mux2
       - lowrisc:prim:flop
       - lowrisc:prim:ram_1p_scr
       - lowrisc:prim:onehot_check
+      - lowrisc:prim:onehot
     files:
       - rtl/ibex_register_file_ff.sv # generic FF-based
       - rtl/ibex_register_file_fpga.sv # FPGA

hw/vendor/lowrisc_ibex/lint/verilator_waiver.vlt

@@ -64,6 +64,13 @@ lint_off -rule UNUSED -file "*/rtl/ibex_compressed_decoder.sv" -match "*rst_ni*"
 lint_off -rule UNUSED -file "*/rtl/ibex_decoder.sv" -match "*rst_ni*"
 lint_off -rule UNUSED -file "*/rtl/ibex_branch_predict.sv" -match "*rst_ni*"
 
+// Don't worry about the fact that decoded_str and data_accessed appear to be
+// written by multiple processes that might race with each other. They can't
+// race with each other (everything is a descendent of the always_comb block),
+// but Verilator doesn't notice this.
+lint_off -rule MULTIDRIVEN -file "*/rtl/ibex_tracer.sv" -match "*decoded_str*"
+lint_off -rule MULTIDRIVEN -file "*/rtl/ibex_tracer.sv" -match "*data_accessed*"
+
 // Temporary waivers until OpenTitan primitives are lint-clean
 // https://github.com/lowRISC/opentitan/issues/2313
 lint_off -file "*/lowrisc_prim_*/rtl/*.sv"

hw/vendor/lowrisc_ibex/rtl/ibex_pmp.sv

@@ -51,16 +51,16 @@ module ibex_pmp #(
   //                                                            \--> pmp_req_err_o
 
   // Compute permissions checks that apply when MSECCFG.MML is set. Added for Smepmp support.
-  function automatic logic mml_perm_check(ibex_pkg::pmp_cfg_t  csr_pmp_cfg,
+  function automatic logic mml_perm_check(ibex_pkg::pmp_cfg_t  region_csr_pmp_cfg,
                                           ibex_pkg::pmp_req_e  pmp_req_type,
                                           ibex_pkg::priv_lvl_e priv_mode,
                                           logic                permission_check);
     logic result = 1'b0;
-    logic unused_cfg = |csr_pmp_cfg.mode;
+    logic unused_cfg = |region_csr_pmp_cfg.mode;
 
-    if (!csr_pmp_cfg.read && csr_pmp_cfg.write) begin
+    if (!region_csr_pmp_cfg.read && region_csr_pmp_cfg.write) begin
       // Special-case shared regions where R = 0, W = 1
-      unique case ({csr_pmp_cfg.lock, csr_pmp_cfg.exec})
+      unique case ({region_csr_pmp_cfg.lock, region_csr_pmp_cfg.exec})
         // Read/write in M, read only in S/U
         2'b00: result =
             (pmp_req_type == PMP_ACC_READ) |
@@ -77,14 +77,15 @@ module ibex_pmp #(
         default: ;
       endcase
     end else begin
-      if (csr_pmp_cfg.read & csr_pmp_cfg.write & csr_pmp_cfg.exec & csr_pmp_cfg.lock) begin
+      if (region_csr_pmp_cfg.read & region_csr_pmp_cfg.write &
+          region_csr_pmp_cfg.exec & region_csr_pmp_cfg.lock) begin
         // Special-case shared read only region when R = 1, W = 1, X = 1, L = 1
         result = pmp_req_type == PMP_ACC_READ;
       end else begin
         // Otherwise use basic permission check. Permission is always denied if in S/U mode and
         // L is set or if in M mode and L is unset.
         result = permission_check &
-                 (priv_mode == PRIV_LVL_M ? csr_pmp_cfg.lock : ~csr_pmp_cfg.lock);
+                 (priv_mode == PRIV_LVL_M ? region_csr_pmp_cfg.lock : ~region_csr_pmp_cfg.lock);
       end
     end
     return result;
@@ -105,15 +106,15 @@ module ibex_pmp #(
 
   // A wrapper function in which it is decided which form of permission check function gets called
   function automatic logic perm_check_wrapper(logic                csr_pmp_mseccfg_mml,
-                                              ibex_pkg::pmp_cfg_t  csr_pmp_cfg,
+                                              ibex_pkg::pmp_cfg_t  region_csr_pmp_cfg,
                                               ibex_pkg::pmp_req_e  pmp_req_type,
                                               ibex_pkg::priv_lvl_e priv_mode,
                                               logic                permission_check);
-    return csr_pmp_mseccfg_mml ? mml_perm_check(csr_pmp_cfg,
+    return csr_pmp_mseccfg_mml ? mml_perm_check(region_csr_pmp_cfg,
                                                 pmp_req_type,
                                                 priv_mode,
                                                 permission_check) :
-                                 orig_perm_check(csr_pmp_cfg.lock,
+                                 orig_perm_check(region_csr_pmp_cfg.lock,
                                                  priv_mode,
                                                  permission_check);
   endfunction