We should only indicate an ebreak debug cause if an ebreak leads to a
debug entry (otherwise when single stepping over an ebreak that traps to
an exception we incorrectly enter debug mode with an ebreak cause).
This commit protects the core_busy_o signal using a multi-bit encoding
to reduce the chances of an adversary glitching this signal to low,
thereby putting the core to sleep and e.g. not handling an alert.
Without this commit, the glitch would only be detected once both the
main core and the shadow core wake up again and the comparison of the
core_busy_o signals continues.
This resolves lowRISC/Ibex#1827.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
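
Added example, not part of the commit above or of the Ibex code base: a small Python model of why a multi-bit encoded busy signal is harder to glitch low than a single wire. The 4-bit code words and the fail-safe decode (only the exact idle word lets the core sleep) are assumptions made for this illustration.

```python
from itertools import combinations

# Constructed code words for this example (assumed, not taken from the commit):
# 4 bits wide, Hamming distance 4 between "busy" and "idle".
MUBI_WIDTH, MUBI_ON, MUBI_OFF = 4, 0b0101, 0b1010


def classify(value, on, off):
    """Decode a possibly glitched busy signal the fail-safe way."""
    if value == off:
        return "sleep"            # only the exact idle code word gates the clock
    if value == on:
        return "awake"
    return "awake_flagged"        # invalid code word: stay awake, fault is visible


def glitch_outcomes(width, on, off, n_flips):
    """Flip every combination of n_flips bits while the core is busy."""
    counts = {"sleep": 0, "awake": 0, "awake_flagged": 0}
    for bits in combinations(range(width), n_flips):
        glitched = on
        for bit in bits:
            glitched ^= 1 << bit
        counts[classify(glitched, on, off)] += 1
    return counts


def min_flips_to_sleep(width, on, off):
    """Smallest number of simultaneous bit flips that silently sleeps the core."""
    for n in range(1, width + 1):
        if glitch_outcomes(width, on, off, n)["sleep"]:
            return n
    return None


if __name__ == "__main__":
    print("1-bit busy:", min_flips_to_sleep(1, 1, 0), "flip(s) to sleep")
    print("4-bit busy:", min_flips_to_sleep(MUBI_WIDTH, MUBI_ON, MUBI_OFF),
          "flip(s) to sleep")
    for n in range(1, MUBI_WIDTH + 1):
        print(n, "flips:", glitch_outcomes(MUBI_WIDTH, MUBI_ON, MUBI_OFF, n))
```
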
Previously if a dummy instruction entered the pipeline whilst it
wouldn't make RVFI stage 0 valid, it would make RVFI stage 1 valid.
Now stage 1 can only become valid if stage 0 was valid.
Previously `fetch_enable_i` only controlled the request going into the
instruction fetch stage. Due to buffering in the prefetch queue and
icache when this request is dropped it's possible for multiple
instructions to still be available for the ID/EX stage to consume. So
when `fetch_enable_i` was set to off you would get a 'soft stop'. Some
finite number of instructions may still execute and Ibex would come to
an eventual halt.
Now `fetch_enable_i` also gates the instruction moving between the fetch
stage and the ID/EX stage. This gives a 'hard stop' where once fetch is
disabled Ibex comes to an immediate halt.
This commit changes when we catch the debug causes. Since debug_cause_o
only gets latched when `csr_save_cause_o` is high, it would work if
we change the cause with a mux that is connected to the input signals.
Resolves #1772
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Previously Ibex signalled a major alert on an integrity error (where
incoming read data doesn't match its integrity bits) for both read and
write responses. This was removed as the data part of a response to a
write is ignored.
This brings it back in a more measured way. This provides a little extra
fault injection hardening as an attacker glitching the memory bus will
generate an alert on both read and write responses.
Observing the spec change:
RISC-V Debug Support Version 1.0.0-STABLE
1.2.1.4 New Features from 0.13 to 1.0
> 8. Move scontext, renaming original to mscontext, and create hcontext. #535
MSCONTEXT is a backwards-compatible alias to SCONTEXT
In Ibex, SCONTEXT is a read-only zero register. Hence MSCONTEXT has the same behaviour.
Previously it had two packed dimensions. In general we prefer the use of
unpacked arrays for this kind of usage. In particular this had an impact
on trace viewing in GTKWave, the two dimensions were flattened into a
single large bus which made determining individual register values
tricky.
The ic_scr_key_valid field indicates whether the ICache scrambling key
is valid.
CPUCTRL is also renamed CPUCTRLSTS as it contains both control and
status bits.
Referring to specific parts of a specific version of the specification
can be brittle as all of these references need to be updated when we
shift specification versions. It's also redundant; it should be generally
understood Ibex implements the RISC-V specifications and many lines
could have comments that point to the part of the specification they are
implementing. Rather than having a few of these for no particular reason
it's easier to just remove them all.
This is a specification change between the v1.11 and v1.12 privileged
architectures. Previously mprv wasn't altered on mret. Now if returning
to a privilege level other than M mode mprv must be cleared.
This adds the following CSRs to support the v1.12 privileged spec.
- MSTATUSH
- MCONFIGPTR
- MENVCFG
- MENVCFGH
MCONFIGPTR is read only and has its value provided by an ibex_pkg
parameter CSR_MCONFIGPTR_VALUE which is set to 0. Implementors can alter
this value if needed.
All the other CSRs ignore writes and read as 0.
This refactors the invalidation control logic into an explicit state
machine. The top-level icache_invalid_o signal is also removed.
Replaced with an explicit scramble key request instead.
This has all been done to better deal with corner cases around a new
invalidation being requested whilst another is still going on.
Previously there was a bug where an invalidation request in the final
cycle of an ongoing invalidation didn't restart the invalidation but did
rotate the scrambling key producing an ECC failure and an alert.
The following changes are made:
- For unimplemented counters corresponding bits in MCOUNTINHIBIT read as
0 not 1
- For MHPMEVENTx we start at x = 3 with the first bit set (0-2
MHPMEVENTx CSRs do not exist)
- When writing an invalid privilege mode to MSTATUS.MPP/DCSR.PRV default
to U rather than M mode.
These new behaviours remain spec compliant and match spike.
Initially the 'B' bit was going to be used to indicate the presence of
the bit-manipulation extension. Now that has been separated into
multiple smaller extensions the 'B' MISA bit isn't being used and
remains a reserved bit that should read as 0.
For the RV32B configurations where we implement non ratified
bit-manipulation extensions we must set the 'X' bit.
These changes match the behaviour of spike.
As Greg pointed out:
When we have an instruction in ID/EX that writes a PMP register that
update gets written to the CSR the same cycle the next instruction
moves from IF to ID/EX with its PMP check done with the old value.
The solution is to flush the pipeline when we get a PMP CSR write.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
The relevant page [Debug Spec v1.0.0-STABLE, p.53] gives the following
priorities for resolving multiple concurrent reasons for entering debug mode....
DCSR.cause : Explains why Debug Mode was entered.
When there are multiple reasons to enter Debug Mode in a single cycle,
hardware should set cause to the cause with the highest priority.
1: An ebreak instruction was executed. (priority 3)
2: A Trigger Module trigger fired with action=1. (priority 4)
3: The debugger requested entry to Debug Mode using haltreq. (priority 1)
4: The hart single stepped because step was set. (priority 0, lowest)
5: The hart halted directly out of reset due to resethaltreq. (priority 2)
It is also acceptable to report 3 when this happens.
6: The hart halted because it’s part of a halt group. (priority 5, highest)
Harts may report 3 for this cause instead.
Other values are reserved for future use.
In ePMP spec, it specifies as:
```
Executing code with Machine mode privileges is only possible from memory
regions with a matching Mmode-only rule or a locked Shared-Region rule
with executable privileges. Executing code from a region without a
matching rule or with a matching S/U-mode-only rule is denied.
```
This change provides that.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Some aspects of the memory response are only relevant to reads. This
introduces outstanding request tracking so we know which outstanding
requests are reads and applies X checks appropriately.
Fixes #1645
Extends RVFI connections further to include 30 mhpmcounterX registers.
Sets them up before every cosim step to let Spike know their real values.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Adds some signal to the load store unit to catch when we have the
fetch error signals from both first and second part of the misaligned
load/store access cases.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Includes coverpoints for:
- Hardware trigger point matches
- Debug simple step entrance in controller
- Seeing different insns while single stepping
Also updates on coverage plan to fill up missing mentions of
coverpoints/crosses
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
- mtval is a bit more useful for double fault situations
as on the second exception we can still "remember" the
data address and PC of the first exception.
Signed-off-by: Timothy Chen <timothytim@google.com>
This makes use of functions in a way that enables us to use `priv_lvl`
dependent logic in the DV environment.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
This functional code coverage section has hierarchical paths, which will
break certain synthesis and lint flows.
Signed-off-by: Michael Schaffner <msf@google.com>
Vivado gives synthesis error complaining about assignment of irq_nm_int_cause to '0 by saying it is an enum type.
Change the assignment to NMI_INT_CAUSE_ECC, which is defined to 5'b0 in ibex_pkg.sv