This commit protects the core_busy_o signal using a multi-bit encoding
to reduce the chances of an adversary for glitching this signal to low,
thereby putting the core to sleep and e.g. not handling an alert.
Without this commit, the glitch would only be detected once both the
main core and the shadow core wake up again and the comparison of the
core_busy_o signals continues.
This resolveslowRISC/Ibex#1827.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
The ic_scr_key_valid field indicates whether the ICache scrambling key
is valid.
CPUCTRL is also renamed CPUCTRLSTS as it contains both control and
status bits.
This refactors the invalidation control logic into an explicit state
machine. The top-level icache_invalid_o signal is also removed.
Replaced with an explicit scramble key request instead.
This has all been done to better deal with corner cases around a new
invalidation being requested whilst another is still going on.
Previously there was a bug wher an invalidation request in the final
cycle of an ongoing invalidation didn't restart the invalidation but did
rotate the scrambling key producing an ECC failure and an alert.
Extends RVFI connections further to include 30 mhpmcounterX registers.
Sets them up before every cosim step to let Spike know their real values.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Previously integrity checks for incoming memory reads and integrity
generation for outgoing memory writes were handled within ibex_lockstep
and weren't duplicated.
This moves the integrity checks and generation into the core so they are
replicated and checked as part of the lockstep mechanism.
Additionally it generates a bus error on any memory integrity check
failure. This will result in Ibex taking an exception if any data read
or instruction fetch has bad integrity.
This is to allow more consistent signalling in systems that integrate
Ibex (e.g. OpenTitan) so bus integrity errors external to Ibex and one's
detected within Ibex can be fed into the same alert whilst seperating
out Ibex's various internal alert causes.
This commit includes switching to a scrambling RAM primitive for
ICache data and tag RAMs. Also introduces minor changes to ICache
to handle scrambling key valid signal.
It also includes a minor bug fix regarding not initializing
`fill_way_q` signal without ResetAll parameter. When the parameter
is not set and we have our first hit right after ICache enables,
the signal hangs.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
This adds some new `rvfi_ext` signals that are needed by the
co-simulation environment.
It also fixes/alters `rvfi_trap`. Previously it wouldn't work correctly
in various cases. Now it is fully functional, though it's meaning
includes more trap cases than the RVFI spec strictly includes. It is now
set for any instruction that produces a synchronous trap (everything bar
interrupts).
Extra bits are added alongside read/write data for the instruction and
data buses to facilitate data integrity checking.
Ibex testbench extended to generate the expected bits.
All other top-levels modified to add the new signals (which are mostly
ignored).
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
Random constants are sent through the hierarchy as parameters in-line
with other OpenTitan modules.
Further detail on this mechanism can be found in lowrisc/opentitan#2229
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
This parameter forces a reset of all registers inside the core. This is
required to guarantee a common starting point for lockstep and thus
prevent spurious lockstep failure alerts.
Another minor change in this commit rearranges the writeback stage
multiplexing to gate incoming lsu write data when not valid. This stops
any X values from the data bus propagating to the register file
signalling (and thus to the lockstep comparison) which would cause the
lockstep alert to be X. It has the side effect of possibly reducing
power consumption in the register file.
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
This signal used to be a one shot enable out of reset. We need an option
to pause execution for OpenTitan, so fetch_enable is extended to cover
that.
The signal is already driven low by the testbench at the end of test.
This is moved after the performance counter reads to ensure they can
complete.
Fixes#1105
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
In tests with multiple resets, these signals could hold onto spurious
values through reset (since the clock is also gated) which caused
assertion failures on resumption.
Fixes#1368
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
Note that the alert output is tied off for now until an option is added
to reset all registers (otherwise there will be X propagation).
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
