[TB] Add smoke_test_fc_filter_rule_write_zer_id for fuse_ctrl_filter …#1061
Open
ekarabu wants to merge 2 commits into patch_ss_v2.1 from
Conversation
…coverage (#1056)

* Add smoke_test_fc_filter_rule_write_zer_id for fuse_ctrl_filter coverage

Add a new integration test targeting four uncovered paths in the
fuse_ctrl_filter FSM (FUSE_ADDR_AXI_WR_ST and FUSE_CMD_AXI_ADDR_ST states):

Scenario 1 - trigger_table_check in FUSE_ADDR_AXI_WR_ST:
Writing DIRECT_ACCESS_ADDRESS twice in succession causes the FSM to
see trigger_table_check while already in FUSE_ADDR_AXI_WR_ST, exercising
the re-latch-and-loop-back path to FUSE_ADDR_AXI_ADDR_ST.

Issuing a DaiWrite from the MCU user to a secret partition address
(SECRET_MANUF_PARTITION). The MCU user is not in the access_control_table
for the secret range [0x48,0xF0], so wr_req_allowed evaluates to false
and the filter asserts discard_fuse_write.

Writing WDATA_0 and WDATA_1 with MCU user, then switching to Caliptra
core user for ADDRESS and CMD. The command is authorized (Caliptra core
matches entry[0]), but the latched data IDs (MCU) differ from the
address/command IDs (Caliptra core), making all_same_id false. The
filter discards the write.

Writing DIRECT_ACCESS_ADDRESS with MCU user, then switching to Caliptra
core user for the DaiZeroize CMD. A non-secret partition (SW_MANUF_PARTITION
at 0xF8) is targeted so the FIPS zeroization check passes, and the command
is authorized, but addr_and_cmd_same_id is false because the address writer
differs from the command writer. The filter discards the zeroize.

* removed hard-coded line numbers

* added new fc cov test to the regression list

* Cover the false-branch of line 172 in mci_lcc_st_trans.sv where
lcc_volatile_raw_unlock_success_i is HIGH but state_error is also HIGH,
keeping the FSM in TRANSLATOR_NON_DEBUG instead of transitioning to
TRANSLATOR_UNPROV_DEBUG. This is a security-critical guard that prevents
debug unlock when a fatal state error is active.

Changes:
- Add CMD_MCI_FORCE_STATE_ERROR/CMD_MCI_RELEASE_STATE_ERROR BFM commands
  to caliptra_ss_tb_cmd_list.svh, caliptra_ss_lib.h, and
  fc_lcc_tb_services.sv (force/release state_error on
  MCI_PATH.LCC_state_translator)
- Add caliptra_ss_lcc_volatile_unlock_with_state_error test that boots
  to RAW, forces state_error, performs volatile raw unlock, and verifies
  the MCI translator stays locked
- Fix UnProvSIGNAL_with_Volatile_Decoding_A assertion to disable when
  state_error is active (the assertion incorrectly fired when state_error
  legitimately blocks the volatile unlock promotion)
- Register test in master test list and regenerate regression YAMLs

* removed the hard-coded line number

* removed assertion change on RTL

* MICROSOFT AUTOMATED PIPELINE: Stamp 'user/ekarabulut/fc-filter-write-zeroize-id-coverage' with updated timestamp and hash after successful run

* updated assertion label

* MICROSOFT AUTOMATED PIPELINE: Stamp 'user/ekarabulut/fc-filter-write-zeroize-id-coverage' with updated timestamp and hash after successful run

# Conflicts:
#	.github/workflow_metadata/pr_hash
#	.github/workflow_metadata/pr_timestamp
…zeroize-id-coverage_2.1_patch' with updated timestamp and hash after successful run
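The commit message above describes the fuse_ctrl_filter checks the new test exercises: wr_req_allowed against the access_control_table, all_same_id across the latched WDATA/ADDRESS/CMD writers, and addr_and_cmd_same_id plus the FIPS zeroization check for DaiZeroize. The following Python model is an added illustration written for this page, not the RTL or the testbench from the PR. It assumes the access_control_table is a list of (user, lo, hi) entries with entry[0] being Caliptra core, that addresses outside the secret range [0x48,0xF0] need no table entry, that a secret partition fails the FIPS zeroization check, and that a repeated DIRECT_ACCESS_ADDRESS write simply re-latches the address; the SECRET_MANUF_PARTITION address (0x50) is constructed, only SW_MANUF_PARTITION at 0xF8 comes from the page.

```python
"""Policy model of the fuse_ctrl_filter write/zeroize checks (added example,
not the RTL).  Table layout, the non-secret rule, the FIPS rule and the
re-latch behaviour are assumptions; SECRET_MANUF_PARTITION is constructed."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class User(Enum):
    MCU = auto()
    CALIPTRA_CORE = auto()


class Cmd(Enum):
    DAI_WRITE = auto()
    DAI_ZEROIZE = auto()


# Secret window from the page; entry[0] is Caliptra core, MCU has no entry.
SECRET_LO, SECRET_HI = 0x48, 0xF0
ACCESS_CONTROL_TABLE = [(User.CALIPTRA_CORE, SECRET_LO, SECRET_HI)]

SW_MANUF_PARTITION = 0xF8       # non-secret partition address from the page
SECRET_MANUF_PARTITION = 0x50   # constructed: an address inside the secret range


@dataclass
class Latched:
    """User ID captured at each AXI write feeding one DAI operation."""
    data0_user: Optional[User] = None
    data1_user: Optional[User] = None
    addr: Optional[int] = None
    addr_user: Optional[User] = None
    cmd: Optional[Cmd] = None
    cmd_user: Optional[User] = None


def is_secret(addr: int) -> bool:
    return SECRET_LO <= addr <= SECRET_HI


def user_allowed(user: User, addr: int) -> bool:
    """wr_req_allowed: secret-range access needs a matching table entry."""
    if not is_secret(addr):
        return True  # assumption: non-secret addresses are open to all users
    return any(u is user and lo <= addr <= hi for u, lo, hi in ACCESS_CONTROL_TABLE)


def evaluate(t: Latched) -> dict:
    """Return each check result plus the final discard decision."""
    if t.cmd is Cmd.DAI_WRITE:
        wr_req_allowed = user_allowed(t.cmd_user, t.addr)
        # all_same_id: data, address and command must come from one user
        all_same_id = len({t.data0_user, t.data1_user, t.addr_user, t.cmd_user}) == 1
        return {"wr_req_allowed": wr_req_allowed, "all_same_id": all_same_id,
                "discard": not (wr_req_allowed and all_same_id)}
    if t.cmd is Cmd.DAI_ZEROIZE:
        fips_ok = not is_secret(t.addr)          # assumption: secret => blocked
        authorized = user_allowed(t.cmd_user, t.addr)
        addr_and_cmd_same_id = t.addr_user is t.cmd_user
        return {"fips_ok": fips_ok, "authorized": authorized,
                "addr_and_cmd_same_id": addr_and_cmd_same_id,
                "discard": not (fips_ok and authorized and addr_and_cmd_same_id)}
    raise ValueError("no command latched")


class FilterModel:
    """Sequences the AXI writes; every write latches the issuing user's ID."""
    def __init__(self) -> None:
        self.t = Latched()

    def write_data(self, idx: int, user: User) -> None:
        setattr(self.t, f"data{idx}_user", user)

    def write_address(self, addr: int, user: User) -> None:
        self.t.addr, self.t.addr_user = addr, user   # repeat write re-latches

    def write_cmd(self, cmd: Cmd, user: User) -> None:
        self.t.cmd, self.t.cmd_user = cmd, user

    def check(self) -> dict:
        return evaluate(self.t)


def write_from(user: User, addr: int, addr_user: Optional[User] = None) -> dict:
    """DaiWrite with data from `user`; address/cmd from `addr_user` or `user`."""
    other = addr_user or user
    m = FilterModel()
    m.write_data(0, user)
    m.write_data(1, user)
    m.write_address(addr, other)
    m.write_cmd(Cmd.DAI_WRITE, other)
    return m.check()


def zeroize_from(addr_user: User, cmd_user: User, addr: int) -> dict:
    m = FilterModel()
    m.write_address(addr, addr_user)
    m.write_cmd(Cmd.DAI_ZEROIZE, cmd_user)
    return m.check()


def relatched_address_write() -> dict:
    """Address written twice: the second write is what the table check sees."""
    m = FilterModel()
    m.write_data(0, User.CALIPTRA_CORE)
    m.write_data(1, User.CALIPTRA_CORE)
    m.write_address(SW_MANUF_PARTITION, User.CALIPTRA_CORE)
    m.write_address(SECRET_MANUF_PARTITION, User.CALIPTRA_CORE)
    m.write_cmd(Cmd.DAI_WRITE, User.CALIPTRA_CORE)
    return {"addr": m.t.addr, **m.check()}


if __name__ == "__main__":
    print("MCU -> secret:", write_from(User.MCU, SECRET_MANUF_PARTITION))
    print("MCU data, core addr/cmd:",
          write_from(User.MCU, SECRET_MANUF_PARTITION, User.CALIPTRA_CORE))
    print("MCU addr, core zeroize:",
          zeroize_from(User.MCU, User.CALIPTRA_CORE, SW_MANUF_PARTITION))
    print("core -> secret:", write_from(User.CALIPTRA_CORE, SECRET_MANUF_PARTITION))
```

The three discard scenarios from the commit message each fail on a different check (wr_req_allowed, all_same_id, addr_and_cmd_same_id), which is why each needs its own stimulus in a coverage test: an all-Caliptra-core write to the secret range is the control case that passes every check, and a zeroize aimed at the secret range shows the FIPS check rejecting even a same-ID, authorized requester.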