From 2d982c151bd7917a9d5675651180c1109a3c534c Mon Sep 17 00:00:00 2001 From: Michael Norris Date: Fri, 10 Jan 2025 16:06:09 -0800 Subject: [PATCH] adding valid wires to obf uds and field entropy --- src/integration/rtl/caliptra_top.sv | 4 ++++ src/integration/tb/caliptra_top_tb.sv | 6 ++++-- src/soc_ifc/rtl/soc_ifc_fuse_reg.rdl | 2 +- src/soc_ifc/rtl/soc_ifc_reg.sv | 4 ++-- src/soc_ifc/rtl/soc_ifc_reg_pkg.sv | 2 +- src/soc_ifc/rtl/soc_ifc_top.sv | 10 ++++++++-- 6 files changed, 20 insertions(+), 8 deletions(-) diff --git a/src/integration/rtl/caliptra_top.sv b/src/integration/rtl/caliptra_top.sv index 98b6242e0..a320ccc6e 100755 --- a/src/integration/rtl/caliptra_top.sv +++ b/src/integration/rtl/caliptra_top.sv @@ -36,7 +36,9 @@ module caliptra_top input logic [255:0] cptra_obf_key, input logic [`CLP_CSR_HMAC_KEY_DWORDS-1:0][31:0] cptra_csr_hmac_key, + input logic cptra_obf_field_entropy_vld, input logic [`CLP_OBF_FE_DWORDS-1 :0][31:0] cptra_obf_field_entropy, + input logic cptra_obf_uds_seed_vld, input logic [`CLP_OBF_UDS_DWORDS-1:0][31:0] cptra_obf_uds_seed, @@ -1297,8 +1299,10 @@ soc_ifc_top1 .scan_mode(scan_mode), .cptra_obf_key(cptra_obf_key), .cptra_obf_key_reg(cptra_obf_key_reg), + .cptra_obf_field_entropy_vld(cptra_obf_field_entropy_vld), .cptra_obf_field_entropy(cptra_obf_field_entropy), .obf_field_entropy(obf_field_entropy), + .cptra_obf_uds_seed_vld(cptra_obf_uds_seed_vld), .cptra_obf_uds_seed(cptra_obf_uds_seed), .obf_uds_seed(obf_uds_seed), diff --git a/src/integration/tb/caliptra_top_tb.sv b/src/integration/tb/caliptra_top_tb.sv index 6952c6daf..b631a9176 100755 --- a/src/integration/tb/caliptra_top_tb.sv +++ b/src/integration/tb/caliptra_top_tb.sv @@ -198,8 +198,10 @@ caliptra_top caliptra_top_dut ( .clk (core_clk), .cptra_obf_key (cptra_obf_key), - .cptra_obf_uds_seed ('0), - .cptra_obf_field_entropy ('0), + .cptra_obf_uds_seed_vld ('0), //TODO + .cptra_obf_uds_seed ('0), //TODO + .cptra_obf_field_entropy_vld('0), //TODO + .cptra_obf_field_entropy ('0), //TODO .cptra_csr_hmac_key (cptra_csr_hmac_key), .jtag_tck(jtag_tck), diff --git a/src/soc_ifc/rtl/soc_ifc_fuse_reg.rdl b/src/soc_ifc/rtl/soc_ifc_fuse_reg.rdl index d311d57f4..6fbe3f1c6 100644 --- a/src/soc_ifc/rtl/soc_ifc_fuse_reg.rdl +++ b/src/soc_ifc/rtl/soc_ifc_fuse_reg.rdl @@ -16,7 +16,7 @@ // FUSE Registers // All fuses persist across caliptra reset. Locked by Fuse WR done. "Read/Write Lock - Sticky" => RWL-S -field secret {sw = w1; hw = rw; wel; swwel; hwclr; resetsignal = cptra_pwrgood;}; +field secret {sw = w1; hw = rw; we; swwel; hwclr; resetsignal = cptra_pwrgood;}; field key {sw = w; swwe; hw = rw; wel; hwclr;}; field Fuse {sw = rw; hw = r; swwel; resetsignal = cptra_pwrgood;}; diff --git a/src/soc_ifc/rtl/soc_ifc_reg.sv b/src/soc_ifc/rtl/soc_ifc_reg.sv index be6d4aea2..6e0b7bff2 100644 --- a/src/soc_ifc/rtl/soc_ifc_reg.sv +++ b/src/soc_ifc/rtl/soc_ifc_reg.sv @@ -3557,7 +3557,7 @@ module soc_ifc_reg ( if(decoded_reg_strb.fuse_uds_seed[i0] && decoded_req_is_wr && !(hwif_in.fuse_uds_seed[i0].seed.swwel)) begin // SW write next_c = (field_storage.fuse_uds_seed[i0].seed.value & ~decoded_wr_biten[31:0]) | (decoded_wr_data[31:0] & decoded_wr_biten[31:0]); load_next_c = '1; - end else if(!hwif_in.fuse_uds_seed[i0].seed.wel) begin // HW Write - wel + end else if(hwif_in.fuse_uds_seed[i0].seed.we) begin // HW Write - we next_c = hwif_in.fuse_uds_seed[i0].seed.next; load_next_c = '1; end else if(hwif_in.fuse_uds_seed[i0].seed.hwclr) begin // HW Clear @@ -3586,7 +3586,7 @@ module soc_ifc_reg ( if(decoded_reg_strb.fuse_field_entropy[i0] && decoded_req_is_wr && !(hwif_in.fuse_field_entropy[i0].seed.swwel)) begin // SW write next_c = (field_storage.fuse_field_entropy[i0].seed.value & ~decoded_wr_biten[31:0]) | (decoded_wr_data[31:0] & decoded_wr_biten[31:0]); load_next_c = '1; - end else if(!hwif_in.fuse_field_entropy[i0].seed.wel) begin // HW Write - wel + end else if(hwif_in.fuse_field_entropy[i0].seed.we) begin // HW Write - we next_c = hwif_in.fuse_field_entropy[i0].seed.next; load_next_c = '1; end else if(hwif_in.fuse_field_entropy[i0].seed.hwclr) begin // HW Clear diff --git a/src/soc_ifc/rtl/soc_ifc_reg_pkg.sv b/src/soc_ifc/rtl/soc_ifc_reg_pkg.sv index 29ae07498..49759aee5 100644 --- a/src/soc_ifc/rtl/soc_ifc_reg_pkg.sv +++ b/src/soc_ifc/rtl/soc_ifc_reg_pkg.sv @@ -278,7 +278,7 @@ package soc_ifc_reg_pkg; typedef struct packed{ logic [31:0] next; - logic wel; + logic we; logic swwel; logic hwclr; } soc_ifc_reg__secret_w32__in_t; diff --git a/src/soc_ifc/rtl/soc_ifc_top.sv b/src/soc_ifc/rtl/soc_ifc_top.sv index 6ba7be567..400ffbe14 100644 --- a/src/soc_ifc/rtl/soc_ifc_top.sv +++ b/src/soc_ifc/rtl/soc_ifc_top.sv @@ -104,8 +104,10 @@ module soc_ifc_top input logic scan_mode, input logic [`CLP_OBF_KEY_DWORDS-1:0][31:0] cptra_obf_key, output logic [`CLP_OBF_KEY_DWORDS-1:0][31:0] cptra_obf_key_reg, + input logic cptra_obf_field_entropy_vld, input logic [`CLP_OBF_FE_DWORDS-1 :0][31:0] cptra_obf_field_entropy, output logic [`CLP_OBF_FE_DWORDS-1 :0][31:0] obf_field_entropy, + input logic cptra_obf_uds_seed_vld, input logic [`CLP_OBF_UDS_DWORDS-1:0][31:0] cptra_obf_uds_seed, output logic [`CLP_OBF_UDS_DWORDS-1:0][31:0] obf_uds_seed, @@ -492,13 +494,17 @@ always_comb begin end for (int i = 0; i < `CLP_OBF_UDS_DWORDS; i++) begin soc_ifc_reg_hwif_in.fuse_uds_seed[i].seed.hwclr = clear_obf_secrets; - soc_ifc_reg_hwif_in.fuse_uds_seed[i].seed.wel = ~Warm_Reset_Capture_Flag || ~security_state.debug_locked || scan_mode_f; + //Sample immediately after we leave warm reset. + //Only if debug locked, not scan mode, and the fuse valid bit is set + soc_ifc_reg_hwif_in.fuse_uds_seed[i].seed.we = ~Warm_Reset_Capture_Flag && security_state.debug_locked && ~scan_mode_f && cptra_obf_uds_seed_vld; soc_ifc_reg_hwif_in.fuse_uds_seed[i].seed.next = cptra_obf_uds_seed[i]; obf_uds_seed[i] = soc_ifc_reg_hwif_out.fuse_uds_seed[i].seed.value; end for (int i = 0; i < `CLP_OBF_FE_DWORDS; i++) begin soc_ifc_reg_hwif_in.fuse_field_entropy[i].seed.hwclr = clear_obf_secrets; - soc_ifc_reg_hwif_in.fuse_field_entropy[i].seed.wel = ~Warm_Reset_Capture_Flag || ~security_state.debug_locked || scan_mode_f; + //Sample immediately after we leave warm reset. + //Only if debug locked, not scan mode, and the fuse valid bit is set + soc_ifc_reg_hwif_in.fuse_field_entropy[i].seed.we = ~Warm_Reset_Capture_Flag && security_state.debug_locked && ~scan_mode_f && cptra_obf_field_entropy_vld; soc_ifc_reg_hwif_in.fuse_field_entropy[i].seed.next = cptra_obf_field_entropy[i]; obf_field_entropy[i] = soc_ifc_reg_hwif_out.fuse_field_entropy[i].seed.value; end