This commit protects the core_busy_o signal using a multi-bit encoding
to reduce the chances of an adversary glitching this signal to low,
thereby putting the core to sleep and e.g. not handling an alert.
Without this commit, the glitch would only be detected once both the
main core and the shadow core wake up again and the comparison of the
core_busy_o signals continues.
This resolves lowRISC/Ibex#1827.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
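As an added illustration of the hardening described in the commit above (this is example RTL written for this page, not Ibex's own code), the module below decodes a 4-bit multi-bit encoded busy signal in a fail-secure way and the testbench injects every one- and two-bit corruption of the On value. The encoding constants `MuBiOn = 4'b0101` / `MuBiOff = 4'b1010`, the module and port names are assumptions chosen for this example; the only property relied on is that the two legal values differ in every bit, so no glitch of fewer than four bits can turn On into Off.

```systemverilog
// Added example (not Ibex RTL): fail-secure consumer for a multi-bit encoded
// busy signal. Encoding constants below are assumptions for this example.
module mubi_busy_sink (
  input  logic [3:0] core_busy_i,
  output logic       busy_o,   // treat core as busy: do not gate clocks / sleep
  output logic       alert_o   // value is neither On nor Off: fault suspected
);
  localparam logic [3:0] MuBiOn  = 4'b0101;
  localparam logic [3:0] MuBiOff = 4'b1010;

  // Only the exact Off pattern may put the core to sleep. Because On and Off
  // differ in all four bits, a single-bit (or 2- or 3-bit) glitch on On can
  // never produce Off, so the core stays awake.
  assign busy_o  = (core_busy_i != MuBiOff);

  // Any value other than the two legal encodings is reported right away,
  // instead of waiting for a later lockstep comparison to notice the divergence.
  assign alert_o = (core_busy_i != MuBiOn) && (core_busy_i != MuBiOff);
endmodule

// Self-checking testbench: legal values first, then every single-bit and
// two-bit corruption of On. None of them may decode as Off, all must alert.
module tb_mubi_busy_sink;
  logic [3:0] core_busy;
  logic       busy, alert;
  int         errors = 0;

  mubi_busy_sink dut (.core_busy_i(core_busy), .busy_o(busy), .alert_o(alert));

  initial begin
    core_busy = 4'b0101; #1;   // On
    if (!busy || alert) begin $display("FAIL: On decoded wrongly"); errors++; end
    core_busy = 4'b1010; #1;   // Off
    if (busy || alert)  begin $display("FAIL: Off decoded wrongly"); errors++; end

    // Single-bit glitches of On: still busy, and flagged.
    for (int i = 0; i < 4; i++) begin
      core_busy = 4'b0101 ^ (4'b0001 << i); #1;
      if (!busy || !alert) begin
        $display("FAIL: 1-bit glitch %b not caught", core_busy); errors++;
      end
    end

    // Two-bit glitches of On: still busy, and flagged (distance to Off is 4).
    for (int i = 0; i < 4; i++) begin
      for (int j = i + 1; j < 4; j++) begin
        core_busy = 4'b0101 ^ (4'b0001 << i) ^ (4'b0001 << j); #1;
        if (!busy || !alert) begin
          $display("FAIL: 2-bit glitch %b not caught", core_busy); errors++;
        end
      end
    end

    if (errors == 0) $display("PASS: all injected glitches detected");
    $finish;
  end
endmodule
```

The design choice worth noting is that the sink never "decodes" the signal with a single AND/OR that an attacker could collapse to a plain bit: the sleep condition requires an exact match against Off, and every other value keeps the core awake. A sink that instead tested `core_busy_i[0]` alone would throw the redundancy away.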
Previously Ibex signalled a major alert on an integrity error (where
incoming read data doesn't match its integrity bits) for both read and
write responses. This was removed as the data part of a response to a
write is ignored.
This brings it back in a more measured way. This provides a little extra
fault injection hardening as an attacker glitching the memory bus will
generate an alert on both read and write responses.
The ic_scr_key_valid field indicates whether the ICache scrambling key
is valid.
CPUCTRL is also renamed CPUCTRLSTS as it contains both control and
status bits.
This refactors the invalidation control logic into an explicit state
machine. The top-level icache_invalid_o signal is also removed.
Replaced with an explicit scramble key request instead.
This has all been done to better deal with corner cases around a new
invalidation being requested whilst another is still going on.
Previously there was a bug where an invalidation request in the final
cycle of an ongoing invalidation didn't restart the invalidation but did
rotate the scrambling key producing an ECC failure and an alert.
Some aspects of the memory response are only relevant to reads. This
introduces outstanding request tracking so we know which outstanding
requests are reads and applies X checks appropriately.
Fixes #1645
Extends RVFI connections further to include 30 mhpmcounterX registers.
Sets them up before every cosim step to let Spike know their real values.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Previously integrity checks for incoming memory reads and integrity
generation for outgoing memory writes were handled within ibex_lockstep
and weren't duplicated.
This moves the integrity checks and generation into the core so they are
replicated and checked as part of the lockstep mechanism.
Additionally it generates a bus error on any memory integrity check
failure. This will result in Ibex taking an exception if any data read
or instruction fetch has bad integrity.
A sufficiently aggressive optimiser may optimise these away as under
normal functioning they effectively don't do anything. They are purely
to detect the presence of induced faults.
This is to allow more consistent signalling in systems that integrate
Ibex (e.g. OpenTitan) so bus integrity errors external to Ibex and ones
detected within Ibex can be fed into the same alert whilst separating
out Ibex's various internal alert causes.
This commit includes switching to a scrambling RAM primitive for
ICache data and tag RAMs. Also introduces minor changes to ICache
to handle scrambling key valid signal.
It also includes a minor bug fix regarding not initializing
`fill_way_q` signal without ResetAll parameter. When the parameter
is not set and we have our first hit right after ICache enables,
the signal hangs.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
This adds some new `rvfi_ext` signals that are needed by the
co-simulation environment.
It also fixes/alters `rvfi_trap`. Previously it wouldn't work correctly
in various cases. Now it is fully functional, though its meaning
includes more trap cases than the RVFI spec strictly includes. It is now
set for any instruction that produces a synchronous trap (everything bar
interrupts).
Extra bits are added alongside read/write data for the instruction and
data buses to facilitate data integrity checking.
Ibex testbench extended to generate the expected bits.
All other top-levels modified to add the new signals (which are mostly
ignored).
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
Random constants are sent through the hierarchy as parameters in line
with other OpenTitan modules.
Further detail on this mechanism can be found in lowrisc/opentitan#2229
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
A minor change to use the Width parameter of prim_buf. No functional
impact but stops the hierarchy from being cluttered with hundreds of
generate contexts in the top level.
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
This parameter forces a reset of all registers inside the core. This is
required to guarantee a common starting point for lockstep and thus
prevent spurious lockstep failure alerts.
Another minor change in this commit rearranges the writeback stage
multiplexing to gate incoming lsu write data when not valid. This stops
any X values from the data bus propagating to the register file
signalling (and thus to the lockstep comparison) which would cause the
lockstep alert to be X. It has the side effect of possibly reducing
power consumption in the register file.
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
This signal used to be a one shot enable out of reset. We need an option
to pause execution for OpenTitan, so fetch_enable is extended to cover
that.
The signal is already driven low by the testbench at the end of test.
This is moved after the performance counter reads to ensure they can
complete.
Fixes #1105
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
Certain synthesis tools like DC are very smart at optimizing away redundant logic.
Hence, we have to insert an optimization barrier at the IOs of the lockstep Ibex.
This is achieved by manually buffering each bit using prim_buf.
Our Xilinx and DC synthesis flows make sure that these buffers cannot be optimized
away using keep attributes (Vivado) and size_only constraints (DC).
Signed-off-by: Michael Schaffner <msf@google.com>
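As an added example of the barrier the commit above describes (example RTL written for this page, not Ibex's `prim_buf` or its synthesis scripts), the module below buffers a bus bit by bit and marks the intermediate net so Vivado will not collapse it; the matching Synopsys DC constraint is given in a comment. Module and port names, and the `set_size_only` filter expression, are assumptions for this example; the attributes `keep` / `dont_touch` and the `set_size_only` command themselves are the tools' own.

```systemverilog
// Added example (not Ibex RTL): per-bit buffer used as an optimisation barrier.
// Without the attributes, synthesis sees out_o == in_i, removes the buffer, and
// can then merge the duplicated (shadow) logic behind it with the main copy,
// silently destroying the redundancy the lockstep scheme depends on.
module opt_barrier_buf #(
  parameter int Width = 8
) (
  input  logic [Width-1:0] in_i,
  output logic [Width-1:0] out_o
);
  // Vivado: KEEP preserves the net, DONT_TOUCH stops optimisation across it.
  (* keep = "true", dont_touch = "true" *) logic [Width-1:0] buf_n;

  // One explicit buffer per bit, so every bit of the boundary is protected
  // even if the tool would otherwise prove some bits constant or redundant.
  for (genvar i = 0; i < Width; i++) begin : gen_bits
    assign buf_n[i] = in_i[i];
  end
  assign out_o = buf_n;

  // Synopsys DC equivalent, applied in the synthesis script after mapping
  // (filter expression is an assumption for this example):
  //   set_size_only [get_cells -hierarchical -filter {ref_name =~ "opt_barrier_buf*"}]
  // size_only lets DC resize the buffer cells for timing but never delete them.
endmodule

// Usage sketch: the barrier sits on the I/Os of the shadow copy, so the tool
// cannot see that shadow and main receive identical inputs and produce
// identical outputs. The comparator itself then works on the buffered values.
module lockstep_io_barrier_example #(
  parameter int Width = 8
) (
  input  logic [Width-1:0] core_in_i,        // inputs shared by both copies
  input  logic [Width-1:0] main_out_i,       // outputs of the main copy
  input  logic [Width-1:0] shadow_out_i,     // outputs of the shadow copy
  output logic [Width-1:0] shadow_in_o,      // buffered inputs for the shadow copy
  output logic             alert_o
);
  logic [Width-1:0] shadow_out_buf;

  opt_barrier_buf #(.Width(Width)) u_in_buf  (.in_i(core_in_i),    .out_o(shadow_in_o));
  opt_barrier_buf #(.Width(Width)) u_out_buf (.in_i(shadow_out_i), .out_o(shadow_out_buf));

  // Any divergence between the two copies raises the lockstep alert.
  assign alert_o = (main_out_i != shadow_out_buf);
endmodule
```

The check a practitioner should add to the flow is a post-synthesis netlist inspection: count the barrier cells (or the kept nets) and fail the build if the count is less than the number of boundary bits, because a tool upgrade that changes how attributes are honoured will otherwise remove the redundancy without any functional test noticing.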
1. Missing prim_assert in ibex_top.sv (more of an RTL bug but only found
in running synthesis scripts)
2. Write out the pre-mapped netlist before mapping latches
Relates to #1335
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
Note that the alert output is tied off for now until an option is added
to reset all registers (otherwise there will be X propagation).
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>
This commit creates a new top level wrapping the core, register file and
icache RAMs. The tracing top level is also renamed to ibex_top_tracing
to match. This new top level is intended to enable a dual core lockstep
implementation of Ibex.
There are no functional changes in this commit, only wiring.
Signed-off-by: Tom Roberts <tomroberts@lowrisc.org>