[otbn,dv] Adapt OTBN vseqs to match delayed escalation

Sequences must be adapted such that the error escalation behaviour is correctly
modelled.

Signed-off-by: Pascal Etterli <[email protected]>

Author: etterli

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_alu_bignum_mod_err_vseq.sv

@@ -8,7 +8,12 @@
 class otbn_alu_bignum_mod_err_vseq extends otbn_intg_err_vseq;
   `uvm_object_utils(otbn_alu_bignum_mod_err_vseq)
 
-  `uvm_object_new
+  // TODO: Replaced the macro `uvm_object_new with the effective constructor to be able to
+  //       overwrite expect_delayed_escalation. There is probably a smarter way?
+  function new (string name="");
+      super.new(name);
+      expect_delayed_escalation = 1;
+    endfunction : new
 
   protected task await_use(output bit [otbn_pkg::BaseWordsPerWLEN-1:0] used_words);
     used_words = '0;

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_ctrl_redun_vseq.sv

@@ -178,6 +178,23 @@ class otbn_ctrl_redun_vseq extends otbn_single_vseq;
         case(choose_err)
           0: begin
             insn_dec_shared_i.ld_insn = !insn_dec_shared_i.ld_insn;
+            // This is a workaround to match the model behaviour to what happens if this
+            // error is injected. When injecting the ld_insn error from the, the OTBN will start a
+            // load in parallel to the current instruction. As of this the stall signal is asserted
+            // and the OTBN enter the stall state (as ld_insn factors into it). We need to model
+            // this but duplicating the logic in the model is not smart. We therefore signal simply
+            // to the model to stall once. Due to the error the OTBN will escalate in the next
+            // cycle anyway.
+            // TODO: In case the instruction where we inject the error into is a branch instruction
+            // the assertion NoStallOnBranch in the controller fails. However, this assertion is
+            // not meaningful in this case and maybe could be disabled.
+            // TODO: The injection can next to the stall also lead to a non fatal SW error. The RTL
+            // therefore does not immediately escalate but still retires the current instruction
+            // and goes into the HALT state. The RTL will then escalate from this state. Due to the
+            // stall request, the model however won't retire the current instruction. Therefore no
+            // ISS trace is generated and we get the back-to-back RTL trace entries with no ISS
+            // entry error. To fix this the errors due to injections must be modelled differently.
+            cfg.model_agent_cfg.vif.send_stall_request();
           end
           1: begin
             insn_dec_shared_i.st_insn = !insn_dec_shared_i.st_insn;
@@ -309,9 +326,18 @@ class otbn_ctrl_redun_vseq extends otbn_single_vseq;
         `uvm_fatal(`gfn, "issue with randomization")
       end
     endcase
+
+    // Due to the delayed escalation, the faulted instruction still commits but with wrong values.
+    // We must signal to the ISS that the result can be off.
+    cfg.model_agent_cfg.vif.tolerate_result_mismatch(1);
+
+    // Handle any SW error during the delayed escalation
+    handle_delayed_escalation();
+
     `uvm_info(`gfn, "injecting bad internal state error into ISS", UVM_HIGH)
     have_injected_error = 1'b1;
     cfg.model_agent_cfg.vif.send_err_escalation(err_val);
+
     `DV_WAIT(cfg.model_agent_cfg.vif.status == otbn_pkg::StatusLocked)
     `DV_CHECK_FATAL(uvm_hdl_release(err_path) == 1);
     reset_if_locked();

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_dmem_err_vseq.sv

@@ -33,6 +33,7 @@ class otbn_dmem_err_vseq extends otbn_base_vseq;
 
     // Inject error at negedge of clock to avoid racing with second cycle of store instruction.
     @(cfg.clk_rst_vif.cbn);
+    `uvm_info(`gfn, $sformatf("Modifying DMEM"), UVM_LOW)
 
     for (int i = 0; i < DmemSizeByte / 32; i++) begin
       bit [ExtWLEN-1:0] old_data = cfg.read_dmem_word(i, key, nonce);
@@ -41,7 +42,11 @@ class otbn_dmem_err_vseq extends otbn_base_vseq;
       cfg.write_dmem_word(i, bad_data, key, nonce);
     end
 
+    // Invalidate the memory. Any next read will result in an escalation.
     cfg.model_agent_cfg.vif.invalidate_dmem();
+    // As the next read will result in a mismatch between RTL and ISS, we must signal to the ISS
+    // that this is expected.
+    cfg.model_agent_cfg.vif.tolerate_result_mismatch(0);
 
     wait (!(cfg.model_agent_cfg.vif.status inside {otbn_pkg::StatusBusyExecute,
                                                    otbn_pkg::StatusBusySecWipeInt}));

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_intg_err_vseq.sv

@@ -11,6 +11,10 @@ class otbn_intg_err_vseq extends otbn_base_vseq;
 
   `uvm_object_new
 
+  // A flag whether the injected fault leads to a delayed escalation. Some escalation sources are
+  // flopped in the RTL to improve timing. Overwrite this in the deriving class.
+  protected bit expect_delayed_escalation = 0;
+
   // Wait until the integrity-checked signal is used (otherwise an injected error would not have any
   // consequences) or an internal timeout expires.  The `used_words` output indicates which words
   // were used during the call of this task.
@@ -81,7 +85,16 @@ class otbn_intg_err_vseq extends otbn_base_vseq;
 
     inject_errors(used_words, corrupted_words);
 
+    if (expect_delayed_escalation) begin
+      // Due to the delayed escalation, the faulted instruction still commits but with wrong values.
+      // We must signal to the ISS that the result can be off.
+      cfg.model_agent_cfg.vif.tolerate_result_mismatch(1);
+
+      handle_delayed_escalation(); // This resumes on the next clk posedge
+    end
+
     // Notify the model about the integrity violation error.
+    // The HW escalation must happen on the rising edge. Otherwise the model is informed too late.
     if (|(corrupted_words & used_words)) begin
       otbn_pkg::err_bits_t err_bits;
       err_bits = '{reg_intg_violation: 1'b1, default: 1'b0};

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_mac_bignum_acc_err_vseq.sv

@@ -8,7 +8,12 @@
 class otbn_mac_bignum_acc_err_vseq extends otbn_intg_err_vseq;
   `uvm_object_utils(otbn_mac_bignum_acc_err_vseq)
 
-  `uvm_object_new
+  // TODO: Replaced the macro `uvm_object_new with the effective constructor to be able to
+  //       overwrite expect_delayed_escalation. There is probably a smarter way?
+  function new (string name="");
+      super.new(name);
+      expect_delayed_escalation = 1;
+    endfunction : new
 
   protected task await_use(output bit [otbn_pkg::BaseWordsPerWLEN-1:0] used_words);
     used_words = '0;

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_pc_ctrl_flow_redun_vseq.sv

@@ -41,13 +41,25 @@ class otbn_pc_ctrl_flow_redun_vseq extends otbn_single_vseq;
                         prefetch_ignore_err))
         `uvm_fatal(`gfn, "failed to read prefetch_ignore_errs_i");
     end while(!(imem_rvalid & insn_fetch_req_valid & !prefetch_ignore_err));
+
     `DV_CHECK_FATAL(uvm_hdl_read(addr_path, good_addr));
     // Mask to corrupt 1 to 2 bits of the prefetch addr
     `DV_CHECK_STD_RANDOMIZE_WITH_FATAL(mask, $countones(mask) inside {[1:2]};)
     bad_addr = good_addr ^ mask;
     `DV_CHECK_FATAL(uvm_hdl_force(addr_path, bad_addr) == 1);
+
+    // The core will never execute an instruction but the model will and then wait for a RTL trace.
+    // However, due to the error the RTL will never produce traces and therefore the checker fails
+    // because the model has two consecutive traces without a RTL trace.
+    // We can tell the model that it should wait by requesting a stall for one cycle.
+    cfg.model_agent_cfg.vif.send_stall_request();
+
+    // Send the HW escalation signal in the next cycle
+    @(cfg.clk_rst_vif.cb);
     `uvm_info(`gfn, "injecting bad internal state error into ISS", UVM_HIGH)
     cfg.model_agent_cfg.vif.send_err_escalation(err_val);
+
+    // OTBN should perform a secure wipe and lock up
     wait(cfg.model_agent_cfg.vif.status == otbn_pkg::StatusLocked);
     `DV_CHECK_FATAL(uvm_hdl_release(addr_path) == 1);
     reset_if_locked();

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_rf_base_intg_err_vseq.sv

@@ -115,7 +115,15 @@ class otbn_rf_base_intg_err_vseq extends otbn_base_vseq;
 
     inject_errors();
 
+    // Due to the delayed escalation, the faulted instruction still commits but with wrong values.
+    // We must signal to the ISS that the result can be off.
+    cfg.model_agent_cfg.vif.tolerate_result_mismatch(1);
+
+    handle_delayed_escalation(); // This resumes on the next clk posedge
+
     // Notify the model about the integrity violation error.
+    // The HW escalation must happen on the rising edge. Otherwise the model is informed too late.
+    `uvm_info(`gfn, $sformatf("Send HW escalation to model"), UVM_LOW)
     err_bits = '{reg_intg_violation: 1'b1, default: 1'b0};
     cfg.model_agent_cfg.vif.send_err_escalation(err_bits);
 

hw/ip/otbn/dv/uvm/env/seq_lib/otbn_zero_state_err_urnd_vseq.sv

@@ -26,12 +26,13 @@ class otbn_zero_state_err_urnd_vseq extends otbn_single_vseq;
 
         cfg.clk_rst_vif.wait_clks($urandom_range(10, 1000));
         `DV_CHECK_FATAL(uvm_hdl_force(prng_path, 'b0) == 1);
+        cfg.clk_rst_vif.wait_clks(1); // the escalation is delayed by one cycle
+        `DV_CHECK_FATAL(uvm_hdl_release(prng_path) == 1);
+        `uvm_info(`gfn,"string released", UVM_HIGH)
         `uvm_info(`gfn,"injecting zero state error into ISS", UVM_HIGH)
         cfg.model_agent_cfg.vif.send_err_escalation(err_val);
         cfg.clk_rst_vif.wait_clks(1);
         cfg.model_agent_cfg.vif.otbn_set_no_sec_wipe_chk();
-        `DV_CHECK_FATAL(uvm_hdl_release(prng_path) == 1);
-        `uvm_info(`gfn,"string released", UVM_HIGH)
         wait (cfg.model_agent_cfg.vif.status == otbn_pkg::StatusLocked);
         reset_if_locked();
       end