lowRISC · nasahlpa · Feb 10, 2026 · Jan 13, 2026 · Jan 15, 2026
diff --git a/hw/ip_templates/rv_core_ibex/rtl/rv_core_ibex.sv.tpl b/hw/ip_templates/rv_core_ibex/rtl/rv_core_ibex.sv.tpl
@@ -1055,14 +1055,6 @@ module ${module_instance_name}
 
   // Alert assertions for reg_we onehot check
   `ASSERT_PRIM_REG_WE_ONEHOT_ERROR_TRIGGER_ALERT(RegWeOnehotCheck_A, u_reg_cfg, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheck_A,
-      u_core.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrA_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_a,
-        alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrB_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_b,
-        alert_tx_o[2])
 
 `ifdef INC_ASSERT
   if (ICache && ICacheScramble) begin : gen_icache_scramble_asserts

diff --git a/hw/top_darjeeling/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv b/hw/top_darjeeling/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv
@@ -1027,14 +1027,6 @@ module rv_core_ibex
 
   // Alert assertions for reg_we onehot check
   `ASSERT_PRIM_REG_WE_ONEHOT_ERROR_TRIGGER_ALERT(RegWeOnehotCheck_A, u_reg_cfg, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheck_A,
-      u_core.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrA_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_a,
-        alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrB_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_b,
-        alert_tx_o[2])
 
 `ifdef INC_ASSERT
   if (ICache && ICacheScramble) begin : gen_icache_scramble_asserts

@@ -14,6 +14,7 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
     int unsigned width; // >0: take this as width; 0: use width from parameter
     string       width_parameter_name;
     int unsigned unpacked_dim_width;
+    int unsigned offset;
   } port_t;
 
   typedef logic [255:0] val_t;
@@ -205,70 +206,85 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
                                             "Could not read LockstepOffset parameter.");
 
     // List of all ports and their bit widths (or the name of the parameter that defines the width
-    // and/or the unpacked dimension).
+    // and/or the unpacked dimension). The fourth field allows enabling an offset from where the
+    // fault will be injected.
     ports = new[45];
     ports = '{
       // `hart_id_i` and `boot_addr_i` are not glitch-protected by the lockstep core.
-      // '{"hart_id_i",               1, "", 0},
-      // '{"boot_addr_i",             1, "", 0},
-      '{"instr_req_o",             1, "", 0},
-      '{"instr_gnt_i",             1, "", 0},
-      '{"instr_rvalid_i",          1, "", 0},
-      '{"instr_addr_o",           32, "", 0},
-      '{"instr_rdata_i",           0, "MemDataWidth", 0},
-      '{"instr_err_i",             1, "", 0},
-      '{"data_req_o",              1, "", 0},
-      '{"data_gnt_i",              1, "", 0},
-      '{"data_rvalid_i",           1, "", 0},
-      '{"data_we_o",               1, "", 0},
-      '{"data_be_o",               1, "", 0},
-      '{"data_addr_o",            32, "", 0},
-      '{"data_wdata_o",            0, "MemDataWidth", 0},
-      '{"data_rdata_i",            0, "MemDataWidth", 0},
-      '{"data_err_i",              1, "", 0},
-      '{"dummy_instr_id_o",        1, "", 0},
-      '{"rf_raddr_a_o",            5, "", 0},
-      '{"rf_raddr_b_o",            5, "", 0},
-      '{"rf_waddr_wb_o",           5, "", 0},
-      '{"rf_we_wb_o",              1, "", 0},
-      '{"rf_wdata_wb_ecc_o",       0, "RegFileDataWidth", 0},
-      '{"rf_rdata_a_ecc_i",        0, "RegFileDataWidth", 0},
-      '{"rf_rdata_b_ecc_i",        0, "RegFileDataWidth", 0},
-      '{"ic_tag_req_o",            ibex_pkg::IC_NUM_WAYS, "", 0},
-      '{"ic_tag_write_o",          1, "", 0},
-      '{"ic_tag_addr_o",           ibex_pkg::IC_INDEX_W, "", 0},
-      '{"ic_tag_wdata_o",          0, "TagSizeECC", 0},
-      '{"ic_tag_rdata_i",          0, "TagSizeECC", ibex_pkg::IC_NUM_WAYS},
-      '{"ic_data_req_o",           ibex_pkg::IC_NUM_WAYS, "", 0},
-      '{"ic_data_write_o",         1, "", 0},
-      '{"ic_data_addr_o",          ibex_pkg::IC_INDEX_W, "", 0},
-      '{"ic_data_wdata_o",         0, "LineSizeECC", 0},
-      '{"ic_data_rdata_i",         0, "LineSizeECC", ibex_pkg::IC_NUM_WAYS},
-      '{"ic_scr_key_valid_i",      1, "", 0},
-      '{"ic_scr_key_req_o",        1, "", 0},
-      '{"irq_software_i",          1, "", 0},
-      '{"irq_timer_i",             1, "", 0},
-      '{"irq_external_i",          1, "", 0},
-      '{"irq_fast_i",             15, "", 0},
-      '{"irq_nm_i",                1, "", 0},
-      '{"irq_pending_o",           1, "", 0},
-      '{"debug_req_i",             1, "", 0},
-      '{"crash_dump_o",            $bits(ibex_pkg::crash_dump_t), "", 0},
-      '{"double_fault_seen_o",     1, "", 0},
+      // '{"hart_id_i",               1, "", 0, 0},
+      // '{"boot_addr_i",             1, "", 0, 0},
+      '{"instr_req_o",             1, "", 0, 0},
+      '{"instr_gnt_i",             1, "", 0, 0},
+      '{"instr_rvalid_i",          1, "", 0, 0},
+      '{"instr_addr_o",           32, "", 0, 0},
+      '{"instr_rdata_i",           0, "MemDataWidth", 0, 0},
+      '{"instr_err_i",             1, "", 0, 0},
+      '{"data_req_o",              1, "", 0, 0},
+      '{"data_gnt_i",              1, "", 0, 0},
+      '{"data_rvalid_i",           1, "", 0, 0},
+      '{"data_we_o",               1, "", 0, 0},
+      '{"data_be_o",               1, "", 0, 0},
+      '{"data_addr_o",            32, "", 0, 0},
+      '{"data_wdata_o",            0, "MemDataWidth", 0, 0},
+      '{"data_rdata_i",            0, "MemDataWidth", 0, 0},
+      '{"data_err_i",              1, "", 0, 0},
+      '{"dummy_instr_id_o",        1, "", 0, 0},
+      '{"rf_raddr_a_o",            5, "", 0, 0},
+      '{"rf_raddr_b_o",            5, "", 0, 0},
+      '{"rf_waddr_wb_o",           5, "", 0, 0},
+      '{"rf_we_wb_o",              1, "", 0, 0},
+      '{"ic_tag_req_o",            ibex_pkg::IC_NUM_WAYS, "", 0, 0},
+      '{"ic_tag_write_o",          1, "", 0, 0},
+      '{"ic_tag_addr_o",           ibex_pkg::IC_INDEX_W, "", 0, 0},
+      '{"ic_tag_wdata_o",          0, "TagSizeECC", 0, 0},
+      '{"ic_tag_rdata_i",          0, "TagSizeECC", ibex_pkg::IC_NUM_WAYS, 0},
+      '{"ic_data_req_o",           ibex_pkg::IC_NUM_WAYS, "", 0, 0},
+      '{"ic_data_write_o",         1, "", 0, 0},
+      '{"ic_data_addr_o",          ibex_pkg::IC_INDEX_W, "", 0, 0},
+      '{"ic_data_wdata_o",         0, "LineSizeECC", 0, 0},
+      '{"ic_data_rdata_i",         0, "LineSizeECC", ibex_pkg::IC_NUM_WAYS, 0},
+      '{"ic_scr_key_valid_i",      1, "", 0, 0},
+      '{"ic_scr_key_req_o",        1, "", 0, 0},
+      '{"irq_software_i",          1, "", 0, 0},
+      '{"irq_timer_i",             1, "", 0, 0},
+      '{"irq_external_i",          1, "", 0, 0},
+      '{"irq_fast_i",             15, "", 0, 0},
+      '{"irq_nm_i",                1, "", 0, 0},
+      '{"irq_pending_o",           1, "", 0, 0},
+      '{"debug_req_i",             1, "", 0, 0},
+      '{"crash_dump_o",            $bits(ibex_pkg::crash_dump_t), "", 0, 0},
+      '{"double_fault_seen_o",     1, "", 0, 0},
       // `fetch_enable_i` is a multi-bit signal, and multi-bit FI is outside the threat model.
-      // '{"fetch_enable_i",          1, "", 0},
+      // '{"fetch_enable_i",          1, "", 0, 0},
       // The `alert_*` output signals are not compared between the regular core and the lockstep
       // core. Thus, those outputs are not protected against glitches.  This is intentional because
       // an alert is raised in reaction to a glitch (potentially an injected fault) inside the core.
       // To then also glitch the `alert_*` outputs, the attacker would need to be able to glitch two
       // signals at the same time, which is outside the threat model.  Thus, these signals are
       // excluded from the list of outputs in order to prevent false negative test results.
-      // '{"alert_minor_o",           1, "", 0},
-      // '{"alert_major_internal_o",  1, "", 0},
-      // '{"alert_major_bus_o",       1, "", 0},
-      '{"core_busy_o",             1, "", 0}
+      // '{"alert_minor_o",           1, "", 0, 0},
+      // '{"alert_major_internal_o",  1, "", 0, 0},
+      // '{"alert_major_bus_o",       1, "", 0, 0},
+      '{"core_busy_o",             1, "", 0, 0}
     };
 
+    glitch_lockstep_core = $urandom_range(1);
+    // The main core uses a register file data width of RegFileDataWidth and the
+    // shadow core uses RegFileDataEccWidth. Assemble the ports array
+    // accordingly.
+    if (glitch_lockstep_core) begin
+      // Although the shadow core drives all RegFileDataEccWidth bits of rf_wdata_wb_ecc_o, only
+      // bits RegFileDataEccWidth-1:RegFileDataWidth are forwarded to the shadow register file.
+      // As a fault in the lower bits have no effect, use an offset of RegFileDataWidth.
+      ports[42] = '{"rf_wdata_wb_ecc_o",       0, "RegFileDataEccWidth", 0, "RegFileDataWidth"};
+      ports[43] = '{"rf_rdata_a_ecc_i",        0, "RegFileDataEccWidth", 0, 0};
+      ports[44] = '{"rf_rdata_b_ecc_i",        0, "RegFileDataEccWidth", 0, 0};
+    end else begin
+      ports[42] = '{"rf_wdata_wb_ecc_o",       0, "RegFileDataWidth", 0, 0};
+      ports[43] = '{"rf_rdata_a_ecc_i",        0, "RegFileDataWidth", 0, 0};
+      ports[44] = '{"rf_rdata_b_ecc_i",        0, "RegFileDataWidth", 0, 0};
+    end
+
     // Randomly pick a port (of either the lockstep core or the regular core) to glitch.
     port_idx = $urandom_range(ports.size() - 1);
     if (ports[port_idx].width > 0) begin
@@ -280,7 +296,6 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
                                          "Could not obtain port width from parameter value.");
       `DV_CHECK_FATAL(port_width > 0, "Read zero port width from parameter value.")
     end
-    glitch_lockstep_core = $urandom_range(1);
     glitch_core_path = glitch_lockstep_core ? lockstep_core_path : core_path;
     port_name = ports[port_idx].name;
     glitch_path = $sformatf("%s.%s", glitch_core_path, port_name);
@@ -296,7 +311,7 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
     end
 
     // Pick one bit to glitch in the port.
-    bit_idx = $urandom_range(port_width - 1);
+    bit_idx = $urandom_range(port_width - 1 - ports[port_idx].offset) + ports[port_idx].offset;
 
     // Wait until the CPU is executing code, except if glitching the I$ scramble key valid port.
     // The reason is that the scramble key is provided shortly after reset and then not again until

diff --git a/hw/top_earlgrey/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv b/hw/top_earlgrey/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv
@@ -1027,14 +1027,6 @@ module rv_core_ibex
 
   // Alert assertions for reg_we onehot check
   `ASSERT_PRIM_REG_WE_ONEHOT_ERROR_TRIGGER_ALERT(RegWeOnehotCheck_A, u_reg_cfg, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheck_A,
-      u_core.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrA_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_a,
-        alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrB_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_b,
-        alert_tx_o[2])
 
 `ifdef INC_ASSERT
   if (ICache && ICacheScramble) begin : gen_icache_scramble_asserts

diff --git a/hw/top_englishbreakfast/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv b/hw/top_englishbreakfast/ip_autogen/rv_core_ibex/rtl/rv_core_ibex.sv
@@ -1027,14 +1027,6 @@ module rv_core_ibex
 
   // Alert assertions for reg_we onehot check
   `ASSERT_PRIM_REG_WE_ONEHOT_ERROR_TRIGGER_ALERT(RegWeOnehotCheck_A, u_reg_cfg, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheck_A,
-      u_core.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check, alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrA_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_a,
-        alert_tx_o[2])
-  `ASSERT_PRIM_ONEHOT_ERROR_TRIGGER_ALERT(RvCoreRegWeOnehotCheckRAddrB_A,
-        u_core.gen_regfile_ff.register_file_i.gen_rdata_mux_check.u_prim_onehot_check_raddr_b,
-        alert_tx_o[2])
 
 `ifdef INC_ASSERT
   if (ICache && ICacheScramble) begin : gen_icache_scramble_asserts

diff --git a/hw/vendor/lowrisc_ibex.lock.hjson b/hw/vendor/lowrisc_ibex.lock.hjson
@@ -9,6 +9,6 @@
   upstream:
   {
     url: https://github.com/lowRISC/ibex.git
-    rev: 19592a1fc7ba7e85427906cd4d86b8356b91a45d
+    rev: 9f375d7dcb81294300bbe1014042f95a46073d18
   }
 }
diff --git a/hw/vendor/lowrisc_ibex/doc/02_user/integration.rst b/hw/vendor/lowrisc_ibex/doc/02_user/integration.rst
@@ -53,8 +53,6 @@ The configuration dependent primitives are:
    Required where ``ICache == 1`` and ``SecureIbex == 1``.
  * ``prim_lfsr`` - Linear feedback shift register, used for pseudo random number generation for dummy instruction insertion.
    Required where ``SecureIbex == 1``.
- * ``prim_onehot_check`` - Checks a onehot signal is correct, for detecting fault injection attacks.
-   Required where ``SecureIbex == 1``.
  * ``prim_secded_X`` - Various primitives to encode and decode SECDED (Single Error Correct, Double Error Detect) error detection and correction codes.
    Required where ``SecureIbex == 1``.
 

diff --git a/hw/vendor/lowrisc_ibex/doc/03_reference/coverage_plan.rst b/hw/vendor/lowrisc_ibex/doc/03_reference/coverage_plan.rst
@@ -338,7 +338,7 @@ For more detail about each security countermeasure in Ibex see :ref:`security`
 
 * ``cp_lockstep_err`` - Lockstep glitch fault seen.
 
-* ``cp_rf_we_glitch_err`` - Register file write enable glitch fault seen.
+* ``cp_rf_glitch_err`` - Register file fault seen.
 
 * ``cp_pc_mismatch_err`` - PC mismatch error seen.
 
@@ -360,7 +360,7 @@ The mapping between security countermeasures and coverpoints that demonstrate it
 +--------------------------------+-------------------------------------------------------+
 | DATA_REG_SW.INTEGRITY          | ``cp_rf_a_ecc_err`` ``cp_rf_b_ecc_err``               |
 +--------------------------------+-------------------------------------------------------+
-| DATA_REG_SW.GLITCH_DETECT      | ``cp_rf_we_glitch_err``                               |
+| DATA_REG_SW.GLITCH_DETECT      | ``cp_rf_glitch_err``                                  |
 +--------------------------------+-------------------------------------------------------+
 | LOGIC.SHADOW                   | ``cp_lockstep_err``                                   |
 +--------------------------------+-------------------------------------------------------+

@@ -395,7 +395,7 @@ interface core_ibex_fcov_if import ibex_pkg::*; (
     id_stall_type_last_valid;
 
   // V2S Related Probes for Top-Level
-  logic rf_we_glitch_err;
+  logic rf_glitch_err;
   logic lockstep_glitch_err;
 
   logic imem_single_cycle_response, dmem_single_cycle_response;
@@ -493,7 +493,7 @@ interface core_ibex_fcov_if import ibex_pkg::*; (
     `DV_FCOV_EXPR_SEEN(mem_store_ecc_err, load_store_unit_i.store_resp_intg_err_o)
 
     `DV_FCOV_EXPR_SEEN(lockstep_err, lockstep_glitch_err)
-    `DV_FCOV_EXPR_SEEN(rf_we_glitch_err, rf_we_glitch_err)
+    `DV_FCOV_EXPR_SEEN(rf_glitch_err, rf_glitch_err)
     `DV_FCOV_EXPR_SEEN(pc_mismatch_err, if_stage_i.pc_mismatch_alert_o)
 
     cp_fetch_enable: coverpoint fetch_enable_i {

@@ -50,9 +50,6 @@
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_secded_39_32_dec.sv
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_secded_72_64_enc.sv
 ${LOWRISC_IP_DIR}/ip/prim/rtl/prim_secded_72_64_dec.sv
-${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_check.sv
-${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_enc.sv
-${LOWRISC_IP_DIR}/ip/prim/rtl/prim_onehot_mux.sv
 
 // ibex CORE RTL files
 +incdir+${PRJ_DIR}/rtl

@@ -709,9 +709,9 @@
   rtl_params:
     SecureIbex: 1
 
-- test: riscv_rf_ctrl_intg_test
+- test: riscv_rf_addr_intg_test
   description: >
-    Randomly corrupt one of the register file write and read enables signals in the middle of program execution
+    Randomly corrupt one of the register file addresses in the middle of program execution
   iterations: 15
   gen_test: riscv_rand_instr_test
   gen_opts: >
@@ -720,7 +720,7 @@
     +gen_all_csrs_by_default=1
     +add_csr_write=MSTATUS,MEPC,MCAUSE,MTVAL,0x7c0,0x7c1
     +no_csr_instr=0
-  rtl_test: core_ibex_rf_ctrl_intg_test
+  rtl_test: core_ibex_rf_addr_intg_test
   rtl_params:
     SecureIbex: 1
 

@@ -198,9 +198,8 @@ module core_ibex_tb_top;
   end
 
 `ifndef DV_FCOV_DISABLE
-  assign dut.u_ibex_top.u_ibex_core.u_fcov_bind.rf_we_glitch_err =
-    dut.u_ibex_top.rf_alert_major_internal;
-
+  assign dut.u_ibex_top.u_ibex_core.u_fcov_bind.rf_glitch_err =
+    dut.u_ibex_top.alert_major_internal_o;
   assign dut.u_ibex_top.u_ibex_core.u_fcov_bind.lockstep_glitch_err =
     dut.u_ibex_top.lockstep_alert_major_internal;
 `endif
@@ -386,20 +385,6 @@ module core_ibex_tb_top;
           unused_assert_connected = 1;
   end
 
-  // Disable the assertion for onehot check in case WrenCheck (set by SecureIbex) is enabled.
-  if (SecureIbex) begin : gen_disable_onehot_check
-    assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_wren_check.u_prim_onehot_check.
-          unused_assert_connected = 1;
-  end
-
-  // Disable the assertion for onehot check in case RdataMuxCheck (set by SecureIbex) is enabled.
-  if (SecureIbex) begin : gen_disable_rdata_mux_check
-    assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_rdata_mux_check.
-          u_prim_onehot_check_raddr_a.unused_assert_connected = 1;
-    assign dut.u_ibex_top.gen_regfile_ff.register_file_i.gen_rdata_mux_check.
-          u_prim_onehot_check_raddr_b.unused_assert_connected = 1;
-  end
-
   ibex_pkg::ctrl_fsm_e controller_state;
   logic                controller_handle_irq;
   ibex_pkg::irqs_t     ibex_irqs, last_ibex_irqs;