[flash_ctrl] Use redundant arbiters in scrambling module

Signed-off-by: Michael Schaffner <msf@opentitan.org>

hw/ip/flash_ctrl/data/flash_ctrl.hjson

@@ -344,8 +344,8 @@
     }
     { name: "PHY_ARBITER.CTRL.REDUN",
       desc: '''
-        The phy arbiter for controller and host is redundant.
-        The arbiter has two instance underneath that are constantly compared to each other.
+        The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant.
+        The arbiters have two instance underneath that are constantly compared to each other.
       '''
     }
     { name: "PHY_HOST_GRANT.CTRL.CONSISTENCY",

hw/ip/flash_ctrl/data/flash_ctrl.hjson.tpl

@@ -355,8 +355,8 @@
     }
     { name: "PHY_ARBITER.CTRL.REDUN",
       desc: '''
-        The phy arbiter for controller and host is redundant.
-        The arbiter has two instance underneath that are constantly compared to each other.
+        The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant.
+        The arbiters have two instance underneath that are constantly compared to each other.
       '''
     }
     { name: "PHY_HOST_GRANT.CTRL.CONSISTENCY",

hw/ip/flash_ctrl/doc/interfaces.md

@@ -92,7 +92,7 @@ Referring to the [Comportable guideline for peripheral device functionality](htt
 | FLASH_CTRL.PHY.FSM.SPARSE                  | PHY FSMs are sparsely encoded.                                                                                                                                                                                                                     |
 | FLASH_CTRL.PHY_PROG.FSM.SPARSE             | PHY program FSMs are sparsely encoded.                                                                                                                                                                                                             |
 | FLASH_CTRL.CTR.REDUN                       | flash_ctrl_lcmgr handling counters are redundantly encoded. This includes seed count and address count used during seed reading phase, as well as word count, page count and wipe index in RMA entry phase.                                        |
-| FLASH_CTRL.PHY_ARBITER.CTRL.REDUN          | The phy arbiter for controller and host is redundant. The arbiter has two instance underneath that are constantly compared to each other.                                                                                                          |
+| FLASH_CTRL.PHY_ARBITER.CTRL.REDUN          | The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant. The arbiters have two instance underneath that are constantly compared to each other.                                                          |
 | FLASH_CTRL.PHY_HOST_GRANT.CTRL.CONSISTENCY | The host grant is consistency checked. If the host is ever granted with info partition access, it is an error. If the host is ever granted at the same time as a program/erase operation, it is an error.                                          |
 | FLASH_CTRL.PHY_ACK.CTRL.CONSISTENCY        | If the host or controller ever receive an unexpeced transaction acknowledge, it is an error.                                                                                                                                                       |
 | FLASH_CTRL.FIFO.CTR.REDUN                  | The FIFO pointers of several FIFOs are implemented with duplicate counters.                                                                                                                                                                        |

hw/ip/flash_ctrl/rtl/flash_phy.sv

@@ -113,6 +113,9 @@ module flash_phy
   // outstanding count error per bank
   logic [NumBanks-1:0]     cnt_err;
 
+  // arbiter error from scrambling module
+  logic scramble_arb_err;
+
   // select which bank each is operating on
   assign host_bank_sel = host_req_i ? host_addr_i[BusAddrW-1 -: BankW] : '0;
   assign ctrl_bank_sel = flash_ctrl_i.addr[BusAddrW-1 -: BankW];
@@ -138,7 +141,7 @@ module flash_phy
   assign flash_ctrl_o.storage_intg_err = |intg_ecc_err;
   assign flash_ctrl_o.fsm_err = |fsm_err;
   assign flash_ctrl_o.spurious_ack = |spurious_acks;
-  assign flash_ctrl_o.arb_err = |arb_err;
+  assign flash_ctrl_o.arb_err = |arb_err | scramble_arb_err;
   assign flash_ctrl_o.host_gnt_err = |{host_gnt_err, cnt_err} ;
   assign flash_ctrl_o.fifo_err = |{rsp_fifo_err, core_fifo_err};
 
@@ -317,7 +320,8 @@ module flash_phy
     .rand_addr_key_i(flash_ctrl_i.rand_addr_key),
     .rand_data_key_i(flash_ctrl_i.rand_data_key),
     .scramble_req_i(scramble_req),
-    .scramble_rsp_o(scramble_rsp)
+    .scramble_rsp_o(scramble_rsp),
+    .arb_err_o(scramble_arb_err) // fatal error from redundant arbiter logic
   );
 
   // life cycle handling

hw/ip/flash_ctrl/rtl/flash_phy_scramble.sv

@@ -20,7 +20,8 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
   input [KeySize-1:0] rand_addr_key_i,
   input [KeySize-1:0] rand_data_key_i,
   input  scramble_req_t [NumBanks-1:0] scramble_req_i,
-  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o
+  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o,
+  output logic arb_err_o
 );
 
   ///////////////////////////
@@ -57,7 +58,9 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     assign scramble_rsp_o[k].scrambled_data = scrambled_data_out;
   end
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  logic [NumBanks-1:0] local_err;
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(BankAddrW),
     .EnDataPort(1)
@@ -71,10 +74,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (calc_req),
     .data_o   (calc_addr_in),
-    .ready_i  (calc_ack)
+    .ready_i  (calc_ack),
+    .err_o    (local_err[0])
   );
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(OpDataWidth),
     .EnDataPort(1)
@@ -88,9 +93,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (op_req),
     .data_o   (op_data_in),
-    .ready_i  (op_ack)
+    .ready_i  (op_ack),
+    .err_o    (local_err[1])
   );
 
+  assign arb_err_o = |local_err;
+
   assign {op_type,
           plain_data_in,
           scrambled_data_in} = op_data_in;

hw/ip_templates/flash_ctrl/data/flash_ctrl.hjson.tpl

@@ -355,8 +355,8 @@
     }
     { name: "PHY_ARBITER.CTRL.REDUN",
       desc: '''
-        The phy arbiter for controller and host is redundant.
-        The arbiter has two instance underneath that are constantly compared to each other.
+        The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant.
+        The arbiters have two instance underneath that are constantly compared to each other.
       '''
     }
     { name: "PHY_HOST_GRANT.CTRL.CONSISTENCY",

hw/ip_templates/flash_ctrl/rtl/flash_phy.sv

@@ -113,6 +113,9 @@ module flash_phy
   // outstanding count error per bank
   logic [NumBanks-1:0]     cnt_err;
 
+  // arbiter error from scrambling module
+  logic scramble_arb_err;
+
   // select which bank each is operating on
   assign host_bank_sel = host_req_i ? host_addr_i[BusAddrW-1 -: BankW] : '0;
   assign ctrl_bank_sel = flash_ctrl_i.addr[BusAddrW-1 -: BankW];
@@ -138,7 +141,7 @@ module flash_phy
   assign flash_ctrl_o.storage_intg_err = |intg_ecc_err;
   assign flash_ctrl_o.fsm_err = |fsm_err;
   assign flash_ctrl_o.spurious_ack = |spurious_acks;
-  assign flash_ctrl_o.arb_err = |arb_err;
+  assign flash_ctrl_o.arb_err = |arb_err | scramble_arb_err;
   assign flash_ctrl_o.host_gnt_err = |{host_gnt_err, cnt_err} ;
   assign flash_ctrl_o.fifo_err = |{rsp_fifo_err, core_fifo_err};
 
@@ -317,7 +320,8 @@ module flash_phy
     .rand_addr_key_i(flash_ctrl_i.rand_addr_key),
     .rand_data_key_i(flash_ctrl_i.rand_data_key),
     .scramble_req_i(scramble_req),
-    .scramble_rsp_o(scramble_rsp)
+    .scramble_rsp_o(scramble_rsp),
+    .arb_err_o(scramble_arb_err) // fatal error from redundant arbiter logic
   );
 
   // life cycle handling

hw/ip_templates/flash_ctrl/rtl/flash_phy_scramble.sv

@@ -20,7 +20,8 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
   input [KeySize-1:0] rand_addr_key_i,
   input [KeySize-1:0] rand_data_key_i,
   input  scramble_req_t [NumBanks-1:0] scramble_req_i,
-  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o
+  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o,
+  output logic arb_err_o
 );
 
   ///////////////////////////
@@ -57,7 +58,9 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     assign scramble_rsp_o[k].scrambled_data = scrambled_data_out;
   end
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  logic [NumBanks-1:0] local_err;
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(BankAddrW),
     .EnDataPort(1)
@@ -71,10 +74,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (calc_req),
     .data_o   (calc_addr_in),
-    .ready_i  (calc_ack)
+    .ready_i  (calc_ack),
+    .err_o    (local_err[0])
   );
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(OpDataWidth),
     .EnDataPort(1)
@@ -88,9 +93,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (op_req),
     .data_o   (op_data_in),
-    .ready_i  (op_ack)
+    .ready_i  (op_ack),
+    .err_o    (local_err[1])
   );
 
+  assign arb_err_o = |local_err;
+
   assign {op_type,
           plain_data_in,
           scrambled_data_in} = op_data_in;

hw/top_earlgrey/ip/flash_ctrl/data/autogen/flash_ctrl.hjson

@@ -350,8 +350,8 @@
     }
     { name: "PHY_ARBITER.CTRL.REDUN",
       desc: '''
-        The phy arbiter for controller and host is redundant.
-        The arbiter has two instance underneath that are constantly compared to each other.
+        The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant.
+        The arbiters have two instance underneath that are constantly compared to each other.
       '''
     }
     { name: "PHY_HOST_GRANT.CTRL.CONSISTENCY",

hw/top_earlgrey/ip_autogen/flash_ctrl/data/flash_ctrl.hjson

@@ -344,8 +344,8 @@
     }
     { name: "PHY_ARBITER.CTRL.REDUN",
       desc: '''
-        The phy arbiter for controller and host is redundant.
-        The arbiter has two instance underneath that are constantly compared to each other.
+        The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant.
+        The arbiters have two instance underneath that are constantly compared to each other.
       '''
     }
     { name: "PHY_HOST_GRANT.CTRL.CONSISTENCY",

hw/top_earlgrey/ip_autogen/flash_ctrl/doc/interfaces.md

@@ -92,7 +92,7 @@ Referring to the [Comportable guideline for peripheral device functionality](htt
 | FLASH_CTRL.PHY.FSM.SPARSE                  | PHY FSMs are sparsely encoded.                                                                                                                                                                                                                     |
 | FLASH_CTRL.PHY_PROG.FSM.SPARSE             | PHY program FSMs are sparsely encoded.                                                                                                                                                                                                             |
 | FLASH_CTRL.CTR.REDUN                       | flash_ctrl_lcmgr handling counters are redundantly encoded. This includes seed count and address count used during seed reading phase, as well as word count, page count and wipe index in RMA entry phase.                                        |
-| FLASH_CTRL.PHY_ARBITER.CTRL.REDUN          | The phy arbiter for controller and host is redundant. The arbiter has two instance underneath that are constantly compared to each other.                                                                                                          |
+| FLASH_CTRL.PHY_ARBITER.CTRL.REDUN          | The phy arbiters for controller/host arbitration and in the shared scrambling module are redundant. The arbiters have two instance underneath that are constantly compared to each other.                                                          |
 | FLASH_CTRL.PHY_HOST_GRANT.CTRL.CONSISTENCY | The host grant is consistency checked. If the host is ever granted with info partition access, it is an error. If the host is ever granted at the same time as a program/erase operation, it is an error.                                          |
 | FLASH_CTRL.PHY_ACK.CTRL.CONSISTENCY        | If the host or controller ever receive an unexpeced transaction acknowledge, it is an error.                                                                                                                                                       |
 | FLASH_CTRL.FIFO.CTR.REDUN                  | The FIFO pointers of several FIFOs are implemented with duplicate counters.                                                                                                                                                                        |

hw/top_earlgrey/ip_autogen/flash_ctrl/rtl/flash_phy.sv

@@ -113,6 +113,9 @@ module flash_phy
   // outstanding count error per bank
   logic [NumBanks-1:0]     cnt_err;
 
+  // arbiter error from scrambling module
+  logic scramble_arb_err;
+
   // select which bank each is operating on
   assign host_bank_sel = host_req_i ? host_addr_i[BusAddrW-1 -: BankW] : '0;
   assign ctrl_bank_sel = flash_ctrl_i.addr[BusAddrW-1 -: BankW];
@@ -138,7 +141,7 @@ module flash_phy
   assign flash_ctrl_o.storage_intg_err = |intg_ecc_err;
   assign flash_ctrl_o.fsm_err = |fsm_err;
   assign flash_ctrl_o.spurious_ack = |spurious_acks;
-  assign flash_ctrl_o.arb_err = |arb_err;
+  assign flash_ctrl_o.arb_err = |arb_err | scramble_arb_err;
   assign flash_ctrl_o.host_gnt_err = |{host_gnt_err, cnt_err} ;
   assign flash_ctrl_o.fifo_err = |{rsp_fifo_err, core_fifo_err};
 
@@ -317,7 +320,8 @@ module flash_phy
     .rand_addr_key_i(flash_ctrl_i.rand_addr_key),
     .rand_data_key_i(flash_ctrl_i.rand_data_key),
     .scramble_req_i(scramble_req),
-    .scramble_rsp_o(scramble_rsp)
+    .scramble_rsp_o(scramble_rsp),
+    .arb_err_o(scramble_arb_err) // fatal error from redundant arbiter logic
   );
 
   // life cycle handling

hw/top_earlgrey/ip_autogen/flash_ctrl/rtl/flash_phy_scramble.sv

@@ -20,7 +20,8 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
   input [KeySize-1:0] rand_addr_key_i,
   input [KeySize-1:0] rand_data_key_i,
   input  scramble_req_t [NumBanks-1:0] scramble_req_i,
-  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o
+  output scramble_rsp_t [NumBanks-1:0] scramble_rsp_o,
+  output logic arb_err_o
 );
 
   ///////////////////////////
@@ -57,7 +58,9 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     assign scramble_rsp_o[k].scrambled_data = scrambled_data_out;
   end
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  logic [NumBanks-1:0] local_err;
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(BankAddrW),
     .EnDataPort(1)
@@ -71,10 +74,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (calc_req),
     .data_o   (calc_addr_in),
-    .ready_i  (calc_ack)
+    .ready_i  (calc_ack),
+    .err_o    (local_err[0])
   );
 
-  prim_arbiter_tree #(
+  // SEC_CM: PHY_ARBITER.CTRL.REDUN
+  prim_arbiter_tree_dup #(
     .N(NumBanks),
     .DW(OpDataWidth),
     .EnDataPort(1)
@@ -88,9 +93,12 @@ module flash_phy_scramble import flash_phy_pkg::*; #(
     .idx_o    (),
     .valid_o  (op_req),
     .data_o   (op_data_in),
-    .ready_i  (op_ack)
+    .ready_i  (op_ack),
+    .err_o    (local_err[1])
   );
 
+  assign arb_err_o = |local_err;
+
   assign {op_type,
           plain_data_in,
           scrambled_data_in} = op_data_in;