-
Notifications
You must be signed in to change notification settings - Fork 762
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[reggen] Add tooling for checking in-line countermeasure annotations #10071
Comments
CC @sriyerg |
that sounds good. Each one would then probably match to the same entry in the hjson? |
That is correct, unless we want to enforce a 1:1 correspondence. |
i dont think so. I think 1 to many should be fine, especially when it comes to the more standard types. |
Yes, I think I am also leaning towards leaving more flexibility. This would eliminate quite some replication in blocks like OTP: opentitan/hw/ip/otp_ctrl/data/otp_ctrl.hjson Lines 892 to 909 in 7df0097
|
I definitely favor flexibility, too. Collapsing multiple standardized CM instances seems more acceptable with the annotations in the RTL. However, there may still be cases if the list of CM for a particular instance are different in which case giving individual names simplifies things . For example, you may have different FSMs in an IP that all use the same base hardening but only one FSM features global escalation, too. |
Initial thought was that 1:1 would be more effective, but after more consideration, maybe just having the broad CM listed in the hjson and the instance name in the RTL is sufficient. |
@mwbranstad since we would like to be able to globally aggregate and list CM IDs, I think we should not use different IDs in RTL annotation for consistency. I.e., either the annotator chooses to make instance names explicit, and then the list in Hjson should reflect that, or they choose to use the general ID, in which case you get multiple tags of the same name in RTL. |
+1 for flexibility - it will be useful to enforce for example, ALL instances of some critical counter measure |
As the reviewer, probably 1:1 would be easier to deal with. But that basically makes the countermeasure lists unwieldy and forces a need for manual reconciliation which is not desirable. So 1:many for things like MUBI is ok for me, I think. We'll check the individual MUBIs in D2S and have to keep in mind that downstream changes to anything countermeasure-related (adding or removing) probably mean retriggering a D2S review. |
One other comment, what I am finding in the review process is that we are pursuing two goals in parallel:
The second one is harder without fully enumerated 1:1 type of lists. I think the flexibility is still probably worth it, it just means that we spend a little more time on the review (a one-time cost, hopefully) to get everything accounted for. |
Thanks for all the feedback here. We now have the tooling in place that can check
Note that 2) produces an error and 3) a warning at the moment since we still have some un-annotated blocks that already have an Hjson list merged. That warning should be bumped to an error once all blocks have been annotated. As for additional enhancements, one thing that I would find very neat would be to use the extracted info to enhance the autogen'd table and add links to the individual label instaces in the code like this (example from
I don't think it is hard to do, given that we already extract this info as part of the RTL annotation checking. We would just need to append this info to the datastructure stored in the opentitan/util/reggen/gen_cfg_html.py Lines 116 to 128 in dc40cb5
If anyone feels inclined to take a stab at this please go ahead. Otherwise I'll come back to this enhancement once I find some spare cycles in my backyard. |
btw i think one thing we "might" not be dealing with yet is the templated modules. I've run into a few cases where either the wrong hjson or maybe the wrong rtl was being inspected? do you happen to know? |
Ah, this is something we need to double check. The regtool does the check on the files that live at Could this be the issue? |
It turns out ipgen is not required: what needs to be done is to avoid running regtool in hw/Makefile for generated blocks, since topgen will run regtool with the right hjson file. This is addressed by #21053. There is also an issue (#20887) to add missing countermeasure annotation to some blocks which issue warnings. Once these two items are dealt with we could turn missing annotations into errors by default, perhaps with a flag to turn them into warnings for RTL development? |
Fixes lowRISC#10071 Signed-off-by: Michael Schaffner <[email protected]>
@matutem , I've assigned you to this issue because it is my understanding that you are in the process of finishing the last items before we can switch the warnings into errors. Please let me know if this is not correct, thanks! |
Matute has a PR that converts flash_ctrl to ipgen, and a follow-up PR will resolve this |
This used to be a warning, but it is promoted to an error. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
This used to be a warning, but it is promoted to an error. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
An update: #22848 has a change that triggers errors for any unimplemented countermeasures. Unfortunately, it is failing for pinmux because we invoke regtool.py against hw/top_earlgrey/ip/pinmux/data/autogen/pinmx.hjson, and that fails. The reason is that it cannot find all the sources, since they are split between hw/ip/pinmux and hw/top_earlgrey/ip/pinmux (for autogen code). It could be messy to implement a fix in regtool, and this problem won't affect pinmux if it was generated by ipgen. I would like to commit this fix once pinmux is done via ipgen, which it should be done as part of #8440. |
Discussed in triage meeting, agreed to continue tracking this in M4 |
The topgen script has all the information needed to check countermeasures, specifically how any module is generated. Move the check from regtool to topgen. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
The topgen script has all the information needed to check countermeasures, specifically how any module is generated. Move the check from regtool to topgen. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
The topgen script has all the information needed to check countermeasures, specifically how any module is generated. Move the check from regtool to topgen. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
The topgen script has all the information needed to check countermeasures, specifically how any module is generated. Move the check from regtool to topgen. Fixes #10071 Signed-off-by: Guillermo Maturana <[email protected]>
Fixes #10071 Signed-off-by: Guillermo Maturana <[email protected]>
The topgen script has all the information needed to check countermeasures, specifically how any module is generated. Move the check from regtool to topgen. Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
Fixes lowRISC#10071 Signed-off-by: Guillermo Maturana <[email protected]>
As discussed in the
entropy_src
D2S review meeting today, it would be great if we could annotate the code with the countermeasure IDs.These would not be exact annotations, but rather serve as hints where an auditor should look in order to audit a specific countermeasure. I.e., certain countermeasures can be pinpointed exactly - think prim like instances like
prim_count
, whereas algorithmic countermeasures like masking schemes are a bit less well localized.The tentative format for such annotations should be
// SEC_CM [INSTANCE].ASSET.CM_TYPE
in order to facilitate checks in reggen.In particular, reggen should:
// SEC_CM
fromipname/rtl/*.sv
filesPossible future enhancements:
ipname/rtl/*.sv
, fusesoc could be invoked to build the file listThe text was updated successfully, but these errors were encountered: