[rtl] Add prim_buf for security critical signals

A sufficiently agressive optimiser may optimise these away as under normal functioning they effectively don't do anything. They are purely to detect the presence of induced faults.
2025-04-22 04:47:25 -04:00 · 2022-02-21 17:54:19 +00:00 · 2022-02-21 17:54:19 +00:00 · d3bd063662
commit d3bd063662
parent b18eceba81
2 changed files with 23 additions and 7 deletions
--- a/rtl/ibex_if_stage.sv
+++ b/rtl/ibex_if_stage.sv
@ -462,7 +462,7 @@ module ibex_if_stage import ibex_pkg::*; #(

  // Check for expected increments of the PC when security hardening enabled
  if (PCIncrCheck) begin : g_secure_pc
-    logic [31:0] prev_instr_addr_incr;
+    logic [31:0] prev_instr_addr_incr, prev_instr_addr_incr_buf;
    logic        prev_instr_seq_q, prev_instr_seq_d;

    // Do not check for sequential increase after a branch, jump, exception, interrupt or debug
@ -480,8 +480,14 @@ module ibex_if_stage import ibex_pkg::*; #(

    assign prev_instr_addr_incr = pc_id_o + (instr_is_compressed_id_o ? 32'd2 : 32'd4);

+    // Buffer anticipated next PC address to ensure optimiser cannot remove the check.
+    prim_buf #(.Width(32)) u_prev_instr_addr_incr_buf (
+      .in_i (prev_instr_addr_incr),
+      .out_o(prev_instr_addr_incr_buf)
+    );
+
    // Check that the address equals the previous address +2/+4
-    assign pc_mismatch_alert_o = prev_instr_seq_q & (pc_if_o != prev_instr_addr_incr);
+    assign pc_mismatch_alert_o = prev_instr_seq_q & (pc_if_o != prev_instr_addr_incr_buf);

  end else begin : g_no_secure_pc
    assign pc_mismatch_alert_o = 1'b0;
--- a/rtl/ibex_top.sv
+++ b/rtl/ibex_top.sv
@ -158,8 +158,8 @@ module ibex_top import ibex_pkg::*; #(
  logic [4:0]                  rf_waddr_wb;
  logic                        rf_we_wb;
  logic [RegFileDataWidth-1:0] rf_wdata_wb_ecc;
-  logic [RegFileDataWidth-1:0] rf_rdata_a_ecc;
-  logic [RegFileDataWidth-1:0] rf_rdata_b_ecc;
+  logic [RegFileDataWidth-1:0] rf_rdata_a_ecc, rf_rdata_a_ecc_buf;
+  logic [RegFileDataWidth-1:0] rf_rdata_b_ecc, rf_rdata_b_ecc_buf;
  // Core <-> RAMs signals
  logic [IC_NUM_WAYS-1:0]      ic_tag_req;
  logic                        ic_tag_write;
@ -210,12 +210,22 @@ module ibex_top import ibex_pkg::*; #(
  // Core instantiation //
  ////////////////////////

-  // Buffer fetch_enable_i to prevent synthesis optimising away multi-bit signal
+  // Buffer security critical signals to prevent synthesis optimisation removing them
  prim_buf #(.Width($bits(fetch_enable_t))) u_fetch_enable_buf (
    .in_i (fetch_enable_i),
    .out_o(fetch_enable_buf)
  );

+  prim_buf #(.Width(RegFileDataWidth)) u_rf_rdata_a_ecc_buf (
+    .in_i (rf_rdata_a_ecc),
+    .out_o(rf_rdata_a_ecc_buf)
+  );
+
+  prim_buf #(.Width(RegFileDataWidth)) u_rf_rdata_b_ecc_buf (
+    .in_i (rf_rdata_b_ecc),
+    .out_o(rf_rdata_b_ecc_buf)
+  );
+
  ibex_core #(
    .PMPEnable        (PMPEnable),
    .PMPGranularity   (PMPGranularity),
@ -274,8 +284,8 @@ module ibex_top import ibex_pkg::*; #(
    .rf_waddr_wb_o    (rf_waddr_wb),
    .rf_we_wb_o       (rf_we_wb),
    .rf_wdata_wb_ecc_o(rf_wdata_wb_ecc),
-    .rf_rdata_a_ecc_i (rf_rdata_a_ecc),
-    .rf_rdata_b_ecc_i (rf_rdata_b_ecc),
+    .rf_rdata_a_ecc_i (rf_rdata_a_ecc_buf),
+    .rf_rdata_b_ecc_i (rf_rdata_b_ecc_buf),

    .ic_tag_req_o      (ic_tag_req),
    .ic_tag_write_o    (ic_tag_write),