[chip,dv] Fix RegFileDataWidth in lockstep_glitch_vseq

Depending on whether we are faulting the main or the shadow core,
use the correct data width size for the register file ports. The
main core operates on the plain data (RegFileDataWidth = 32 bit)
and the shadow core on the data + ECC (RegFileDataEccWidth = 39
bit). The write data that is forwarded to the shadow core RF
only uses the upper bits of the write data.

Signed-off-by: Pascal Nasahl <[email protected]>

Author: nasahlpa

hw/top_earlgrey/dv/env/seq_lib/chip_sw_rv_core_ibex_lockstep_glitch_vseq.sv

@@ -14,6 +14,7 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
     int unsigned width; // >0: take this as width; 0: use width from parameter
     string       width_parameter_name;
     int unsigned unpacked_dim_width;
+    int unsigned offset;
   } port_t;
 
   typedef logic [255:0] val_t;
@@ -205,70 +206,85 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
                                             "Could not read LockstepOffset parameter.");
 
     // List of all ports and their bit widths (or the name of the parameter that defines the width
-    // and/or the unpacked dimension).
+    // and/or the unpacked dimension). The fourth field allows enabling an offset from where the
+    // fault will be injected.
     ports = new[45];
     ports = '{
       // `hart_id_i` and `boot_addr_i` are not glitch-protected by the lockstep core.
-      // '{"hart_id_i",               1, "", 0},
-      // '{"boot_addr_i",             1, "", 0},
-      '{"instr_req_o",             1, "", 0},
-      '{"instr_gnt_i",             1, "", 0},
-      '{"instr_rvalid_i",          1, "", 0},
-      '{"instr_addr_o",           32, "", 0},
-      '{"instr_rdata_i",           0, "MemDataWidth", 0},
-      '{"instr_err_i",             1, "", 0},
-      '{"data_req_o",              1, "", 0},
-      '{"data_gnt_i",              1, "", 0},
-      '{"data_rvalid_i",           1, "", 0},
-      '{"data_we_o",               1, "", 0},
-      '{"data_be_o",               1, "", 0},
-      '{"data_addr_o",            32, "", 0},
-      '{"data_wdata_o",            0, "MemDataWidth", 0},
-      '{"data_rdata_i",            0, "MemDataWidth", 0},
-      '{"data_err_i",              1, "", 0},
-      '{"dummy_instr_id_o",        1, "", 0},
-      '{"rf_raddr_a_o",            5, "", 0},
-      '{"rf_raddr_b_o",            5, "", 0},
-      '{"rf_waddr_wb_o",           5, "", 0},
-      '{"rf_we_wb_o",              1, "", 0},
-      '{"rf_wdata_wb_ecc_o",       0, "RegFileDataWidth", 0},
-      '{"rf_rdata_a_ecc_i",        0, "RegFileDataWidth", 0},
-      '{"rf_rdata_b_ecc_i",        0, "RegFileDataWidth", 0},
-      '{"ic_tag_req_o",            ibex_pkg::IC_NUM_WAYS, "", 0},
-      '{"ic_tag_write_o",          1, "", 0},
-      '{"ic_tag_addr_o",           ibex_pkg::IC_INDEX_W, "", 0},
-      '{"ic_tag_wdata_o",          0, "TagSizeECC", 0},
-      '{"ic_tag_rdata_i",          0, "TagSizeECC", ibex_pkg::IC_NUM_WAYS},
-      '{"ic_data_req_o",           ibex_pkg::IC_NUM_WAYS, "", 0},
-      '{"ic_data_write_o",         1, "", 0},
-      '{"ic_data_addr_o",          ibex_pkg::IC_INDEX_W, "", 0},
-      '{"ic_data_wdata_o",         0, "LineSizeECC", 0},
-      '{"ic_data_rdata_i",         0, "LineSizeECC", ibex_pkg::IC_NUM_WAYS},
-      '{"ic_scr_key_valid_i",      1, "", 0},
-      '{"ic_scr_key_req_o",        1, "", 0},
-      '{"irq_software_i",          1, "", 0},
-      '{"irq_timer_i",             1, "", 0},
-      '{"irq_external_i",          1, "", 0},
-      '{"irq_fast_i",             15, "", 0},
-      '{"irq_nm_i",                1, "", 0},
-      '{"irq_pending_o",           1, "", 0},
-      '{"debug_req_i",             1, "", 0},
-      '{"crash_dump_o",            $bits(ibex_pkg::crash_dump_t), "", 0},
-      '{"double_fault_seen_o",     1, "", 0},
+      // '{"hart_id_i",               1, "", 0, 0},
+      // '{"boot_addr_i",             1, "", 0, 0},
+      '{"instr_req_o",             1, "", 0, 0},
+      '{"instr_gnt_i",             1, "", 0, 0},
+      '{"instr_rvalid_i",          1, "", 0, 0},
+      '{"instr_addr_o",           32, "", 0, 0},
+      '{"instr_rdata_i",           0, "MemDataWidth", 0, 0},
+      '{"instr_err_i",             1, "", 0, 0},
+      '{"data_req_o",              1, "", 0, 0},
+      '{"data_gnt_i",              1, "", 0, 0},
+      '{"data_rvalid_i",           1, "", 0, 0},
+      '{"data_we_o",               1, "", 0, 0},
+      '{"data_be_o",               1, "", 0, 0},
+      '{"data_addr_o",            32, "", 0, 0},
+      '{"data_wdata_o",            0, "MemDataWidth", 0, 0},
+      '{"data_rdata_i",            0, "MemDataWidth", 0, 0},
+      '{"data_err_i",              1, "", 0, 0},
+      '{"dummy_instr_id_o",        1, "", 0, 0},
+      '{"rf_raddr_a_o",            5, "", 0, 0},
+      '{"rf_raddr_b_o",            5, "", 0, 0},
+      '{"rf_waddr_wb_o",           5, "", 0, 0},
+      '{"rf_we_wb_o",              1, "", 0, 0},
+      '{"ic_tag_req_o",            ibex_pkg::IC_NUM_WAYS, "", 0, 0},
+      '{"ic_tag_write_o",          1, "", 0, 0},
+      '{"ic_tag_addr_o",           ibex_pkg::IC_INDEX_W, "", 0, 0},
+      '{"ic_tag_wdata_o",          0, "TagSizeECC", 0, 0},
+      '{"ic_tag_rdata_i",          0, "TagSizeECC", ibex_pkg::IC_NUM_WAYS, 0},
+      '{"ic_data_req_o",           ibex_pkg::IC_NUM_WAYS, "", 0, 0},
+      '{"ic_data_write_o",         1, "", 0, 0},
+      '{"ic_data_addr_o",          ibex_pkg::IC_INDEX_W, "", 0, 0},
+      '{"ic_data_wdata_o",         0, "LineSizeECC", 0, 0},
+      '{"ic_data_rdata_i",         0, "LineSizeECC", ibex_pkg::IC_NUM_WAYS, 0},
+      '{"ic_scr_key_valid_i",      1, "", 0, 0},
+      '{"ic_scr_key_req_o",        1, "", 0, 0},
+      '{"irq_software_i",          1, "", 0, 0},
+      '{"irq_timer_i",             1, "", 0, 0},
+      '{"irq_external_i",          1, "", 0, 0},
+      '{"irq_fast_i",             15, "", 0, 0},
+      '{"irq_nm_i",                1, "", 0, 0},
+      '{"irq_pending_o",           1, "", 0, 0},
+      '{"debug_req_i",             1, "", 0, 0},
+      '{"crash_dump_o",            $bits(ibex_pkg::crash_dump_t), "", 0, 0},
+      '{"double_fault_seen_o",     1, "", 0, 0},
       // `fetch_enable_i` is a multi-bit signal, and multi-bit FI is outside the threat model.
-      // '{"fetch_enable_i",          1, "", 0},
+      // '{"fetch_enable_i",          1, "", 0, 0},
       // The `alert_*` output signals are not compared between the regular core and the lockstep
       // core. Thus, those outputs are not protected against glitches.  This is intentional because
       // an alert is raised in reaction to a glitch (potentially an injected fault) inside the core.
       // To then also glitch the `alert_*` outputs, the attacker would need to be able to glitch two
       // signals at the same time, which is outside the threat model.  Thus, these signals are
       // excluded from the list of outputs in order to prevent false negative test results.
-      // '{"alert_minor_o",           1, "", 0},
-      // '{"alert_major_internal_o",  1, "", 0},
-      // '{"alert_major_bus_o",       1, "", 0},
-      '{"core_busy_o",             1, "", 0}
+      // '{"alert_minor_o",           1, "", 0, 0},
+      // '{"alert_major_internal_o",  1, "", 0, 0},
+      // '{"alert_major_bus_o",       1, "", 0, 0},
+      '{"core_busy_o",             1, "", 0, 0}
     };
 
+    glitch_lockstep_core = $urandom_range(1);
+    // The main core uses a register file data width of RegFileDataWidth and the
+    // shadow core uses RegFileDataEccWidth. Assemble the ports array
+    // accordingly.
+    if (glitch_lockstep_core) begin
+      // Although the shadow core drives all RegFileDataEccWidth bits of rf_wdata_wb_ecc_o, only
+      // bits RegFileDataEccWidth-1:RegFileDataWidth are forwarded to the shadow register file.
+      // As a fault in the lower bits have no effect, use an offset of RegFileDataWidth.
+      ports[42] = '{"rf_wdata_wb_ecc_o",       0, "RegFileDataEccWidth", 0, "RegFileDataWidth"};
+      ports[43] = '{"rf_rdata_a_ecc_i",        0, "RegFileDataEccWidth", 0, 0};
+      ports[44] = '{"rf_rdata_b_ecc_i",        0, "RegFileDataEccWidth", 0, 0};
+    end else begin
+      ports[42] = '{"rf_wdata_wb_ecc_o",       0, "RegFileDataWidth", 0, 0};
+      ports[43] = '{"rf_rdata_a_ecc_i",        0, "RegFileDataWidth", 0, 0};
+      ports[44] = '{"rf_rdata_b_ecc_i",        0, "RegFileDataWidth", 0, 0};
+    end
+
     // Randomly pick a port (of either the lockstep core or the regular core) to glitch.
     port_idx = $urandom_range(ports.size() - 1);
     if (ports[port_idx].width > 0) begin
@@ -280,7 +296,6 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
                                          "Could not obtain port width from parameter value.");
       `DV_CHECK_FATAL(port_width > 0, "Read zero port width from parameter value.")
     end
-    glitch_lockstep_core = $urandom_range(1);
     glitch_core_path = glitch_lockstep_core ? lockstep_core_path : core_path;
     port_name = ports[port_idx].name;
     glitch_path = $sformatf("%s.%s", glitch_core_path, port_name);
@@ -296,7 +311,7 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
     end
 
     // Pick one bit to glitch in the port.
-    bit_idx = $urandom_range(port_width - 1);
+    bit_idx = $urandom_range(port_width - 1 - ports[port_idx].offset) + ports[port_idx].offset;
 
     // Wait until the CPU is executing code, except if glitching the I$ scramble key valid port.
     // The reason is that the scramble key is provided shortly after reset and then not again until