[chip, dv] Update test description of chip_sw_keymgr_sideload_kmac_error #16661
Conversation
There was a problem hiding this comment.
Thanks for the test plan @weicaiyang. I looked a bit around the error interaction between KMAC and Keymgr, and I hope it makes sense to ask them here!
| - Verify that KMAC returns an error signal to the keymgr via checking keymgr CSRs, when | ||
| the operation is done: | ||
| - Check `op_status` is set to `DONE_ERROR`. | ||
| - Check `fault_status.kmac_done` is set to 1. |
There was a problem hiding this comment.
This might be out of the scope of the test plan, but...
I couldn't figure out how faulting kmac_app's FSM propagates to keymgr's error/fault CSR. I wonder which of the following is wrong about my reasoning:
- Keymgr starts KMAC operation, and
kmac_ifmoves toStOpWaitafter sending all message chunks. Note thatkmac_data_i.errorhere will propagate tokeymgr_ctrlwhenkmac_data_i.doneis raised to 1. So, this is condition onkmac_appraisingdonesignal. - On the KMAC side, faulting
kmac_app's FSM causeskmac_data_i.error = 1, butkmac_data_i.doneis not raised to 1 (because faulty state isStTerminalError). - So glitching
kmac_app's FSM leads tokmac_ifbeing stuck atStOpWait, andkmac_appsendingerror, but notdone.
I might be missing something here because I couldn't properly go through keymgr_ctrl yet.
There was a problem hiding this comment.
@eunchan yeah i think your observation is right.
In the case of a glitched fsm, I guess the kmac interface would just never complete then? Maybe we need to change this to glitch an error, or update the kmac app fsm behavior to always say "done and error" when in error state.
There was a problem hiding this comment.
yeah i had a quick look. It looks like we either need to make a keymgr update to always look at error regardless of done, or update kmac to output done whenever it's in the same error state.
The latter feels a bit more correct to me, but let me know what you think.
@cindychip
There was a problem hiding this comment.
The latter sounds good to me.
There was a problem hiding this comment.
I think the first approach is better. Consider this:
kmac_appFSM glitch happens before all message chunks are sent, so assume thatkmac_ifFSM is atStTxwhen glitch happens.- If we follow the second approach, I think
kmac_ifwill be stuck atStTxeven if botherroranddoneare 1.
I think kmac_if FSM should always move to error state if error is asserted by kmac_app, regardless of done signal.
There was a problem hiding this comment.
ah i thought @ballifatih was suggesting making the "error" signal more like an interrupt into keymgr.
I think that would be fine too. I suggested the done approach mostly because it keeps the interface assumptions the same and would allow us to get around cases of being more flexible when the error condition when the transaction isn't done (like a bus).
@weicaiyang can chime in, but if we make the error more like an interrupt, we would also need to add a test case probably on keymgr block level, and it would be nice to avoid that if we can.
There was a problem hiding this comment.
Agree with @tjaychen, if the error becomes an interrupt, DV needs to verify it happens in any place (not just along with done). I slightly prefer to either send a done with error, or keep it as is so that keymgr gets stuck and the fatal alert eventually leads to a reset.
There was a problem hiding this comment.
I kinda got stuck on the part where kmac_app is supposed to flush the incoming message blocks despite the glitch on kmac_app's FSM. I still think that kmac_if might get stuck at StTx, while waiting for kmac_data_i.ready. In StTerminalError state, I couldn't figure out how ready signal is asserted by kmac_app. StError seems to gracefully perform flushing during error, but I think FSM moves to StTerminalError when glitched.
I think if we go with the latter solution (i.e. assert done when there is error), we probably also want to make sure none of kmac_if's FSM ends up waiting for another control signal from kmac_app. Besides done, should we also assert ready in this approach?
There was a problem hiding this comment.
yeah, we need to have the ready too. And the early assertion of done will also lead to done consistency error too.
https://cs.opensource.google/opentitan/opentitan/+/master:hw/ip/keymgr/rtl/keymgr_kmac_if.sv;l=336?q=KMAC_IF_DONE.CTRL.CONSISTENCY&ss=opentitan%2Fopentitan:hw%2Fip%2Fkeymgr%2Frtl%2F
There was a problem hiding this comment.
Let's continue the discussion in this issue #16792.
| - Note: at end of the C test, issue a reset if the test is running in DV, otherwise, the | ||
| fatal alert will prevent the simulation from finishing. |
There was a problem hiding this comment.
Just to clarify if I understand it correctly:
- Error at KMAC and fault at Keymgr does not create an alert that blocks Ibex,
- Therefore, we can perform reset from SW side.
There was a problem hiding this comment.
hmmm... performing a reset just for that here seems a bit overkill though.
@weicaiyang couldn't we use the plusarg to just allow hanging alerts?
There was a problem hiding this comment.
Both Kmac and keymgr will fire alerts, but the alerts shouldn't block ibex.
we could use this plusarg too. Let me remove this note. either a reset or plusarg is fine to me.
run_opts: ["+bypass_alert_ready_to_end_check=1"]
|
|
||
| - Follow the steps in `chip_sw_keymgr_sideload_kmac` test. | ||
| - Configure keymgr to enter any of the 3 working states. | ||
| - Issue a keymgr operations. |
There was a problem hiding this comment.
super nit: we can drop the plural (a keymgr operation.)
Addressed the TBD in the testplan Signed-off-by: Weicai Yang <[email protected]>
Addressed the TBD in the testplan
Signed-off-by: Weicai Yang [email protected]