[otbn] Make the life cycle escalation a fatal alert

Before, the incoming life cycle escalation handling was specified as
"like a fatal alert, except for XZY." This commit simplifies the
specification to handle an incoming life cycle escalation in the same
way as a fatal error that was detected within OTBN.

Fixes #7625

Signed-off-by: Philipp Wagner <[email protected]>

hw/ip/otbn/data/otbn.hjson

@@ -250,6 +250,11 @@
  it was not allowed.
  '''
  }
+ { bits: "9",
+ name: "fatal_lifecycle_escalation"
+ resval: 0,
+ desc: "OTBN received a life cycle escalation request from the system."
+ }
  ]
  } // register : err_bits
  { name: "START_ADDR",
@@ -309,6 +314,11 @@
  it was not allowed.
  '''
  }
+ { bits: "5",
+ name: "lifecycle_escalation"
+ resval: 0,
+ desc: "OTBN received a life cycle escalation request from the system."
+ }
  ]
  } // register : fatal_alert_cause
  { name: "SEC_WIPE",

hw/ip/otbn/doc/_index.md

@@ -587,8 +587,7 @@ A fatal alert can only be cleared by resetting OTBN through the `rst_ni` line.
 ### Reaction to Life Cycle Escalation Requests
 
 OTBN receives and reacts to escalation signals from the [life cycle controller]({{< relref "/hw/ip/lc_ctrl/doc#security-escalation" >}}).
-
-An escalation request signaled through the `lc_escalate_en_i` signal results in the same action as a [fatal error](#design-details-fatal-errors) but does not raise a fatal alert.
+An incoming life cycle escalation is a fatal error of type `lifecycle_escalation` and treated as described in the section [Fatal Errors](#design-details-fatal-errors).
 
 ### Idle
 

hw/ip/otbn/dv/otbnsim/sim/err_bits.py

@@ -14,3 +14,4 @@
 FATAL_DMEM = 1 << 6
 FATAL_REG = 1 << 7
 FATAL_ILLEGAL_BUS_ACCESS = 1 << 8
+FATAL_LIFECYCLE_ESCALATION = 1 << 9

hw/ip/otbn/dv/verilator/otbn_top_sim.sv

@@ -61,43 +61,45 @@ module otbn_top_sim (
  .ImemSizeByte ( ImemSizeByte ),
  .DmemSizeByte ( DmemSizeByte )
  ) u_otbn_core (
- .clk_i ( IO_CLK ),
- .rst_ni ( IO_RST_N ),
-
- .start_i ( otbn_start ),
- .done_o ( otbn_done_d ),
-
- .err_bits_o ( otbn_err_bits_d ),
-
- .start_addr_i ( ImemStartAddr ),
-
- .imem_req_o ( imem_req ),
- .imem_addr_o ( imem_addr ),
- .imem_wdata_o ( ),
- .imem_rdata_i ( imem_rdata[31:0] ),
- .imem_rvalid_i ( imem_rvalid ),
- .imem_rerror_i ( imem_rerror ),
-
- .dmem_req_o ( dmem_req ),
- .dmem_write_o ( dmem_write ),
- .dmem_addr_o ( dmem_addr ),
- .dmem_wdata_o ( dmem_wdata ),
- .dmem_wmask_o ( dmem_wmask ),
- .dmem_rmask_o ( ),
- .dmem_rdata_i ( dmem_rdata ),
- .dmem_rvalid_i ( dmem_rvalid ),
- .dmem_rerror_i ( dmem_rerror ),
-
- .edn_rnd_req_o ( edn_rnd_req ),
- .edn_rnd_ack_i ( edn_rnd_ack ),
- .edn_rnd_data_i ( edn_rnd_data ),
-
- .edn_urnd_req_o ( edn_urnd_req ),
- .edn_urnd_ack_i ( edn_urnd_ack ),
- .edn_urnd_data_i ( edn_urnd_data ),
-
- .insn_cnt_o ( insn_cnt ),
- .illegal_bus_access_i ( 1'b0 )
+ .clk_i ( IO_CLK ),
+ .rst_ni ( IO_RST_N ),
+
+ .start_i ( otbn_start ),
+ .done_o ( otbn_done_d ),
+
+ .err_bits_o ( otbn_err_bits_d ),
+
+ .start_addr_i ( ImemStartAddr ),
+
+ .imem_req_o ( imem_req ),
+ .imem_addr_o ( imem_addr ),
+ .imem_wdata_o ( ),
+ .imem_rdata_i ( imem_rdata[31:0] ),
+ .imem_rvalid_i ( imem_rvalid ),
+ .imem_rerror_i ( imem_rerror ),
+
+ .dmem_req_o ( dmem_req ),
+ .dmem_write_o ( dmem_write ),
+ .dmem_addr_o ( dmem_addr ),
+ .dmem_wdata_o ( dmem_wdata ),
+ .dmem_wmask_o ( dmem_wmask ),
+ .dmem_rmask_o ( ),
+ .dmem_rdata_i ( dmem_rdata ),
+ .dmem_rvalid_i ( dmem_rvalid ),
+ .dmem_rerror_i ( dmem_rerror ),
+
+ .edn_rnd_req_o ( edn_rnd_req ),
+ .edn_rnd_ack_i ( edn_rnd_ack ),
+ .edn_rnd_data_i ( edn_rnd_data ),
+
+ .edn_urnd_req_o ( edn_urnd_req ),
+ .edn_urnd_ack_i ( edn_urnd_ack ),
+ .edn_urnd_data_i ( edn_urnd_data ),
+
+ .insn_cnt_o ( insn_cnt ),
+
+ .illegal_bus_access_i ( 1'b0 ),
+ .lifecycle_escalation_i ( 1'b0 )
  );
 
  // The top bits of IMEM rdata aren't currently used (they will eventually be used for integrity

hw/ip/otbn/rtl/otbn.sv

@@ -133,9 +133,9 @@ module otbn
  .lc_en_o(lc_escalate_en)
  );
 
- // TODO: Connect lifecycle signal.
- lc_ctrl_pkg::lc_tx_t unused_lc_escalate_en;
- assign unused_lc_escalate_en = lc_escalate_en;
+ // Reduce the life cycle escalation signal to a single bit to be used within this cycle.
+ logic lifecycle_escalation;
+ assign lifecycle_escalation = lc_escalate_en != lc_ctrl_pkg::Off;
 
  // Interrupts ================================================================
 
@@ -628,6 +628,9 @@ module otbn
  assign hw2reg.err_bits.fatal_illegal_bus_access.de = done;
  assign hw2reg.err_bits.fatal_illegal_bus_access.d = err_bits.fatal_illegal_bus_access;
 
+ assign hw2reg.err_bits.fatal_lifecycle_escalation.de = done;
+ assign hw2reg.err_bits.fatal_lifecycle_escalation.d = err_bits.fatal_lifecycle_escalation;
+
  // START_ADDR register
  assign start_addr = reg2hw.start_addr.q[ImemAddrWidth-1:0];
  logic [top_pkg::TL_DW-ImemAddrWidth-1:0] unused_start_addr_bits;
@@ -646,6 +649,8 @@ module otbn
  assign hw2reg.fatal_alert_cause.reg_error.d = 0;
  assign hw2reg.fatal_alert_cause.illegal_bus_access.de = illegal_bus_access_d;
  assign hw2reg.fatal_alert_cause.illegal_bus_access.d = illegal_bus_access_d;
+ assign hw2reg.fatal_alert_cause.lifecycle_escalation.de = lifecycle_escalation;
+ assign hw2reg.fatal_alert_cause.lifecycle_escalation.d = lifecycle_escalation;
 
  // INSN_CNT register
  logic [31:0] insn_cnt;
@@ -806,42 +811,44 @@ module otbn
  .RndCnstUrndChunkLfsrPerm(RndCnstUrndChunkLfsrPerm)
  ) u_otbn_core (
  .clk_i,
- .rst_ni (rst_n),
-
- .start_i (start_rtl),
- .done_o (done_rtl),
-
- .err_bits_o (err_bits_rtl),
-
- .start_addr_i (start_addr),
-
- .imem_req_o (imem_req_core),
- .imem_addr_o (imem_addr_core),
- .imem_wdata_o (imem_wdata_core),
- .imem_rdata_i (imem_rdata_core),
- .imem_rvalid_i (imem_rvalid_core),
- .imem_rerror_i (imem_rerror_core),
-
- .dmem_req_o (dmem_req_core),
- .dmem_write_o (dmem_write_core),
- .dmem_addr_o (dmem_addr_core),
- .dmem_wdata_o (dmem_wdata_core),
- .dmem_wmask_o (dmem_wmask_core),
- .dmem_rmask_o (dmem_rmask_core_d),
- .dmem_rdata_i (dmem_rdata_core),
- .dmem_rvalid_i (dmem_rvalid_core),
- .dmem_rerror_i (dmem_rerror_core),
-
- .edn_rnd_req_o (edn_rnd_req),
- .edn_rnd_ack_i (edn_rnd_ack),
- .edn_rnd_data_i (edn_rnd_data),
-
- .edn_urnd_req_o (edn_urnd_req),
- .edn_urnd_ack_i (edn_urnd_ack),
- .edn_urnd_data_i (edn_urnd_data),
-
- .insn_cnt_o (insn_cnt_rtl),
- .illegal_bus_access_i (illegal_bus_access_q)
+ .rst_ni (rst_n),
+
+ .start_i (start_rtl),
+ .done_o (done_rtl),
+
+ .err_bits_o (err_bits_rtl),
+
+ .start_addr_i (start_addr),
+
+ .imem_req_o (imem_req_core),
+ .imem_addr_o (imem_addr_core),
+ .imem_wdata_o (imem_wdata_core),
+ .imem_rdata_i (imem_rdata_core),
+ .imem_rvalid_i (imem_rvalid_core),
+ .imem_rerror_i (imem_rerror_core),
+
+ .dmem_req_o (dmem_req_core),
+ .dmem_write_o (dmem_write_core),
+ .dmem_addr_o (dmem_addr_core),
+ .dmem_wdata_o (dmem_wdata_core),
+ .dmem_wmask_o (dmem_wmask_core),
+ .dmem_rmask_o (dmem_rmask_core_d),
+ .dmem_rdata_i (dmem_rdata_core),
+ .dmem_rvalid_i (dmem_rvalid_core),
+ .dmem_rerror_i (dmem_rerror_core),
+
+ .edn_rnd_req_o (edn_rnd_req),
+ .edn_rnd_ack_i (edn_rnd_ack),
+ .edn_rnd_data_i (edn_rnd_data),
+
+ .edn_urnd_req_o (edn_urnd_req),
+ .edn_urnd_ack_i (edn_urnd_ack),
+ .edn_urnd_data_i (edn_urnd_data),
+
+ .insn_cnt_o (insn_cnt_rtl),
+
+ .illegal_bus_access_i (illegal_bus_access_q),
+ .lifecycle_escalation_i (lifecycle_escalation)
  );
  `else
  otbn_core #(
@@ -852,42 +859,44 @@ module otbn
  .RndCnstUrndChunkLfsrPerm(RndCnstUrndChunkLfsrPerm)
  ) u_otbn_core (
  .clk_i,
- .rst_ni (rst_n),
-
- .start_i (start_q),
- .done_o (done),
-
- .err_bits_o (err_bits),
-
- .start_addr_i (start_addr),
-
- .imem_req_o (imem_req_core),
- .imem_addr_o (imem_addr_core),
- .imem_wdata_o (imem_wdata_core),
- .imem_rdata_i (imem_rdata_core),
- .imem_rvalid_i (imem_rvalid_core),
- .imem_rerror_i (imem_rerror_core),
-
- .dmem_req_o (dmem_req_core),
- .dmem_write_o (dmem_write_core),
- .dmem_addr_o (dmem_addr_core),
- .dmem_wdata_o (dmem_wdata_core),
- .dmem_wmask_o (dmem_wmask_core),
- .dmem_rmask_o (dmem_rmask_core_d),
- .dmem_rdata_i (dmem_rdata_core),
- .dmem_rvalid_i (dmem_rvalid_core),
- .dmem_rerror_i (dmem_rerror_core),
-
- .edn_rnd_req_o (edn_rnd_req),
- .edn_rnd_ack_i (edn_rnd_ack),
- .edn_rnd_data_i (edn_rnd_data),
-
- .edn_urnd_req_o (edn_urnd_req),
- .edn_urnd_ack_i (edn_urnd_ack),
- .edn_urnd_data_i (edn_urnd_data),
-
- .insn_cnt_o (insn_cnt),
- .illegal_bus_access_i (illegal_bus_access_q)
+ .rst_ni (rst_n),
+
+ .start_i (start_q),
+ .done_o (done),
+
+ .err_bits_o (err_bits),
+
+ .start_addr_i (start_addr),
+
+ .imem_req_o (imem_req_core),
+ .imem_addr_o (imem_addr_core),
+ .imem_wdata_o (imem_wdata_core),
+ .imem_rdata_i (imem_rdata_core),
+ .imem_rvalid_i (imem_rvalid_core),
+ .imem_rerror_i (imem_rerror_core),
+
+ .dmem_req_o (dmem_req_core),
+ .dmem_write_o (dmem_write_core),
+ .dmem_addr_o (dmem_addr_core),
+ .dmem_wdata_o (dmem_wdata_core),
+ .dmem_wmask_o (dmem_wmask_core),
+ .dmem_rmask_o (dmem_rmask_core_d),
+ .dmem_rdata_i (dmem_rdata_core),
+ .dmem_rvalid_i (dmem_rvalid_core),
+ .dmem_rerror_i (dmem_rerror_core),
+
+ .edn_rnd_req_o (edn_rnd_req),
+ .edn_rnd_ack_i (edn_rnd_ack),
+ .edn_rnd_data_i (edn_rnd_data),
+
+ .edn_urnd_req_o (edn_urnd_req),
+ .edn_urnd_ack_i (edn_urnd_ack),
+ .edn_urnd_data_i (edn_urnd_data),
+
+ .insn_cnt_o (insn_cnt),
+
+ .illegal_bus_access_i (illegal_bus_access_q),
+ .lifecycle_escalation_i (lifecycle_escalation)
  );
  `endif
 

hw/ip/otbn/rtl/otbn_controller.sv

@@ -125,7 +125,8 @@ module otbn_controller
 
  input logic state_reset_i,
  output logic [31:0] insn_cnt_o,
- input logic illegal_bus_access_i
+ input logic illegal_bus_access_i,
+ input logic lifecycle_escalation_i
 );
  otbn_state_e state_q, state_d, state_raw;
 
@@ -327,15 +328,16 @@ module otbn_controller
  end
  end
 
- assign err_bits_o.fatal_illegal_bus_access = illegal_bus_access_i;
- assign err_bits_o.fatal_reg = rf_base_rd_data_err_i | rf_bignum_rd_data_err_i;
- assign err_bits_o.fatal_imem = insn_fetch_err_i;
- assign err_bits_o.fatal_dmem = lsu_rdata_err_i;
- assign err_bits_o.illegal_insn = insn_illegal_i | ispr_err | rf_indirect_err;
- assign err_bits_o.bad_data_addr = dmem_addr_err;
- assign err_bits_o.loop = loop_err;
- assign err_bits_o.call_stack = rf_base_call_stack_err_i;
- assign err_bits_o.bad_insn_addr = imem_addr_err;
+ assign err_bits_o.fatal_lifecycle_escalation = lifecycle_escalation_i;
+ assign err_bits_o.fatal_illegal_bus_access = illegal_bus_access_i;
+ assign err_bits_o.fatal_reg = rf_base_rd_data_err_i | rf_bignum_rd_data_err_i;
+ assign err_bits_o.fatal_imem = insn_fetch_err_i;
+ assign err_bits_o.fatal_dmem = lsu_rdata_err_i;
+ assign err_bits_o.illegal_insn = insn_illegal_i | ispr_err | rf_indirect_err;
+ assign err_bits_o.bad_data_addr = dmem_addr_err;
+ assign err_bits_o.loop = loop_err;
+ assign err_bits_o.call_stack = rf_base_call_stack_err_i;
+ assign err_bits_o.bad_insn_addr = imem_addr_err;
 
  assign err = |err_bits_o;
 

hw/ip/otbn/rtl/otbn_core.sv

@@ -68,9 +68,12 @@ module otbn_core
 
  output logic [31:0] insn_cnt_o,
 
- // Asserted by system when bus tries to access OTBN memories whilst OTBN is active. Results in an
+ // Asserted by system when bus tries to access OTBN memories whilst OTBN is active. Results in a
  // fatal error.
- input logic illegal_bus_access_i
+ input logic illegal_bus_access_i,
+
+ // Indicates an incoming escalation from the life cycle manager. Results in a fatal error.
+ input logic lifecycle_escalation_i
 );
  // Fetch request (the next instruction)
  logic [ImemAddrWidth-1:0] insn_fetch_req_addr;
@@ -353,7 +356,8 @@ module otbn_core
 
  .state_reset_i (state_reset),
  .insn_cnt_o (insn_cnt),
- .illegal_bus_access_i
+ .illegal_bus_access_i,
+ .lifecycle_escalation_i
  );
 
  assign insn_cnt_o = insn_cnt;

hw/ip/otbn/rtl/otbn_pkg.sv

@@ -54,6 +54,7 @@ package otbn_pkg;
  //
  // Note: These errors are duplicated in other places. If updating them here, update those too.
  typedef struct packed {
+ logic fatal_lifecycle_escalation;
  logic fatal_illegal_bus_access;
  logic fatal_reg;
  logic fatal_dmem;