[aes] Add shadow CTRL register, interface with alert handler #2152
Conversation
vogelpi
requested review from
tjaychen,
eunchan,
cdgori,
martin-lueker,
rasmus-madsen and
msfschaffner
| ////////////////////// | ||
| // Control Register // | ||
| ////////////////////// | ||
|
|
There was a problem hiding this comment.
this looks great! although..do you want to turn this into a prim so others can make use of it also?
There was a problem hiding this comment.
I actually wanted to get this in quickly to have it ready for bronze. But due to the high impact on DV it has to wait. So I can indeed work out a prim now.
There was a problem hiding this comment.
sounds good. Is the high DV impact because the sequences all have to change for a double write..?
There was a problem hiding this comment.
No that is the simple part. A lot of work lies in adding another interface (the alert handler), feeding back alerts into the sequences, dealing with it in the scoreboard and things like that. Since Rasmus has a ton of changes almost ready, it is more efficient to first get his changes in.
There was a problem hiding this comment.
@vogelpi the fact that it "wants to go quickly" means it probably should just wait for bronze modifications. :) would love to see this as a primitive fully integrated into reggen with auto-reg testing included (@sriyerg @cindychip )
There was a problem hiding this comment.
I have factored out the shadow register primitive into a separate PR here: #2293
This PR is now using the primitive.
|
I rather not review the code specifically - to avoid having a deeper understanding of how it works. but I do have a clearification question. but I have questions |
|
I just talked to @rasmus-madsen and must admit that I underestimated the implications of this on DV. For this reason, I have to split this up. I will add the altert handler interface on @rasmus-madsen will soon push a major DV update. I will first await that one before pushing this PR for Regarding DV: Modifying the sequences to properly handle the shadow register is low effort. But adding the alert handler interface has a high impact on DV. There will be a lot of work required to get the interface integrated into the environment properly. Finally, adding any new interface will probably set us back to V0. This we might need to discuss at some point @weicaiyang , @sriyerg , @sjgitty . |
hw/ip/aes/rtl/aes_core.sv
Outdated
| AES_128: ctrl_d.key_len = AES_128; | ||
| AES_256: ctrl_d.key_len = AES_256; | ||
| AES_192: ctrl_d.key_len = AES192Enable ? AES_192 : AES_128; | ||
| default: ctrl_d.key_len = AES_128; // unsupported values are mapped to AES_128 |
There was a problem hiding this comment.
Thinking about this a bit more: hould the default/unsupported mapping be AES_128 or AES_256?
I believe that it could be a tiny bit safer to have AES_256 (for this one and the second-half of the AES192 case above), since there is then less chance of using a key with reduced rounds (?). This is a pretty minor thing though, and I'm not sure if it actually affects anything.
There was a problem hiding this comment.
For sure it does not hurt to default to AES_256. Thus, I made the switch. Thanks for the suggestion.
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
3 times, most recently
from
09f1e15
to
38d8c0a
Compare
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
2 times, most recently
from
20fc176
to
9014aac
Compare
we should have a common CSR seq or add the support in csr_rw seq to test shadow registers. |
|
Regarding DV: Modifying the sequences to properly handle the shadow register is low effort. But adding the alert handler interface has a high impact on DV. There will be a lot of work required to get the interface integrated into the environment properly. Finally, adding any new interface will probably set us back to V0. This we might need to discuss at some point @weicaiyang , @sriyerg , @sjgitty . perhaps we can keep it in V1 as long as we keep sanity passing and update testplan accordingly. |
Those alerts are coming, sooner or later, so we'll have to "face the effects" regardless. I don't think it means going back to V0 if we keep the sanity going like @weicaiyang suggested. But I recognize that it will set us back some time. I thought that it was known alerts were eventually coming, which makes me wonder if there are other surprises we should make sure are discussed. For instance the eventual port to the key manager for side loading. |
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
9014aac
to
db1bc25
Compare
There was a problem hiding this comment.
This looks good @vogelpi, thanks! I just have a few minor comments below.
hw/ip/aes/data/aes.hjson
Outdated
| hwaccess: "hrw", | ||
| desc: ''' | ||
| 3-bit one-hot field to select AES block cipher mode: ECB (3'b001), CBC (3'b010) or CTR (3'b100). | ||
| Invalid input values, i.e., value with multiple bits set, and value 3'b000 are not supported are mapped to 3'b001. | ||
| 4-bit one-hot field to select AES block cipher mode: ECB (4'b0001), CBC (4'b0010), CTR (4'b0100) or NONE (4'b1000). |
There was a problem hiding this comment.
you may want to consider making these multibit fields for mode selection enum types. the reggen tool creates a nice table with a row for each value. see, e.g.
opentitan/hw/ip/pinmux/data/pinmux.hjson
Lines 210 to 226 in 5c323ef
There was a problem hiding this comment.
Good points, I switched to enums for both mode and key length fields.
| @@ -6,15 +6,19 @@ | |||
|
|
|||
| package aes_pkg; | |||
|
|
|||
| parameter int NumAlerts = 1; | |||
| parameter logic [NumAlerts-1:0] AlertAsyncOn = NumAlerts'(1'b1); | |||
There was a problem hiding this comment.
I think for integration purposes, this parameter should be a module parameter such that topgen can easily set it when instantiating the module in top_earlgrey. this is one of the aspects that is not fully automated in topgen yet.
There was a problem hiding this comment.
Thanks @msfschaffner for your review. Should we change this in a follow-up PR? I think HMAC does currently the same...
There was a problem hiding this comment.
Sure, just leave it be for now. It's probably better to do this as part of a topgen update...
There was a problem hiding this comment.
btw, since you guys brought this up, what do we like as the general approach?
Do we want to pass parameters as part of instantiation, or do we prefer to have a top_pkg.sv of sorts, which is templatized, and that all the ips can reference? I guess this doesn't work at all when there are multiple instances of the same module...but it's for example what i'm doing in flash.
Is it worth making this more uniform in your opinion?
There was a problem hiding this comment.
Sorry I am pretty late to the party, I wonder if there is any conclusion or follow up about this discussion?
From the DV automation point of view, I think it would be useful to specify "which alert the shadow_reg error is connected to" in the register hjson file (if possible). In DV csr test, we are trying to automatically generate update_err and storage error, then check if the corresponding alert is triggered. It would be very helpful if we can know which alert reflects the shadow_reg errors.
There was a problem hiding this comment.
Thanks for the reminder @cindychip. I forgot a bit about this but now took a note in the AES tracking issue. I had in mind to add a second alert. One would be minor for update errors and other stuff. One would be major and require a reset (storage error). This would also require a small change to make every storage error fatal. Right now, they are only fatal if the module is busy (ctrl register not writable, cipher core will never finish with invalid config). Does that sound reasonable to you?
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
db1bc25
to
5603c8a
Compare
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
5603c8a
to
2dd4848
Compare
|
Update: this PR has been rebased to include the latest improvements to the AES DV framework and also @cindychip 's work for shadow regs (#2377) . |
| @@ -53,7 +53,7 @@ | |||
| { name: "AsyncOn", | |||
| desc: "Number of peripheral outputs", | |||
There was a problem hiding this comment.
hi @vogelpi LGTM
thank you for updating the Dv also - I added a few nit comment.
one of which I will just update on my side.
by choice i skipped the aes RTL files so I did not review those
hw/dv/sv/dv_base_reg/dv_base_reg.sv
Outdated
|
|
||
| function void set_en_shadow_wr(bit val); | ||
| if (en_shadow_wr == 0 && val && shadow_wr_staged) begin | ||
| `uvm_info(`gfn, "unable to set en_shadow_wr due to register already complete first write", |
There was a problem hiding this comment.
nit: missing d - completed
| @@ -74,7 +74,7 @@ The AES unit automatically starts the encryption/decryption of the next data blo | |||
| The order in which the input registers are written does not matter. | |||
| Every input register must be written at least once for the AES unit to automatically start encryption/decryption. | |||
There was a problem hiding this comment.
Do you mean input data register?
if not, it this also true when running ECB mode - it does not make sense if the user have to write the IV registers for ECB
There was a problem hiding this comment.
Yes, this section is about the input data registers.
| 4'b0010: input_item.mode = AES_CBC; | ||
| 4'b0100: input_item.mode = AES_CTR; | ||
| 4'b1000: input_item.mode = AES_NONE; | ||
| default: input_item.mode = AES_ECB; |
There was a problem hiding this comment.
Should we make this none to match the RTL?
I can do that.
There was a problem hiding this comment.
If this is an invalid mode, is that actually allowed by the module spec? If not, surely the test code should just throw an error?
There was a problem hiding this comment.
yes this mode is allowed by the RTL
so the dv should also go into this state.
the question here is since the RTL goes into this as a default state - the DV should also.
There was a problem hiding this comment.
Yep, AES_NONE is the reset value in the RTL and every invalid setting is mapped to AES_NONE. I wasn't fully sure how to correctly adapt DV for this. If you could change that @rasmus-madsen this would be great. This should possibly be a follow-up PR?
There was a problem hiding this comment.
yep let's do that in a follow up PR
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
2dd4848
to
e94a4a0
Compare
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
e94a4a0
to
0882c89
Compare
|
Update: rebased on master to get latest improvements to AES DV from #2665. |
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
0882c89
to
090fd49
Compare
vogelpi
requested review from
gkelly,
lenary,
mcy,
moidx,
sriyerg and
weicaiyang
as code owners
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
090fd49
to
2736707
Compare
|
Update: rebased on master, removed draft status. @cindychip 's DV PR #2377 will hopefully get merged soon. This is ready for review. I already got approval from DV. What is now needed is:
|
sw/device/lib/aes.c
Outdated
| @@ -101,7 +105,7 @@ void aes_clear(void) { | |||
| } | |||
|
|
|||
| // Disable autostart | |||
| REG32(AES_CTRL(0)) = 0x1u << AES_CTRL_MANUAL_OPERATION; | |||
| REG32(AES_CTRL_SHADOWED(0)) = 0x1u << AES_CTRL_SHADOWED_MANUAL_OPERATION; | |||
There was a problem hiding this comment.
This write needs duplicating, surely?
There was a problem hiding this comment.
Oh thanks, good catch Sam! I just fixed it.
| REG32(AES_CTRL_SHADOWED(0)) = cfg_val; | ||
| REG32(AES_CTRL_SHADOWED(0)) = cfg_val; |
| REG32(AES_CTRL_SHADOWED(0)) = aes_ctrl_val; | ||
| REG32(AES_CTRL_SHADOWED(0)) = aes_ctrl_val; |
| * encoding. NONE is not a supported mode but the reset value of the hardware. | ||
| * The hardware resolves invalid mode values to NONE. |
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
2736707
to
88f57a8
Compare
| disabled at compile time) are mapped to 3'b001. | ||
| desc: ''' | ||
| 3-bit one-hot field to select AES key length. | ||
| Invalid input values, i.e., values with multiple bits set, value 3'b000, and value 3'b010 in case 192-bit keys are not supported (because disabled at compile time) are mapped to AES_256 (3'b100). |
There was a problem hiding this comment.
Thanks for your review @cdgori . I switched to 1 sentence per line on purpose here. Actually I do this switch for every block that I change.
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
88f57a8
to
f961347
Compare
This commit adds a shadow CTRL register according to @tjaychen's Shadow Register RFC: - If the content of the staged register and the value written to the actual register do not match, this causes an update error and triggers an alert. The register is not updated. - If the contents of actual and shadow registers differ, this causes a storage error and triggers an alert. - Invalid mode field values are resolved to the new reset value AES_NONE = 4'b1000. - The cipher core is not allowed to start or finish unless the mode field is set to a valid value. Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
vogelpi
force-pushed
the
aes-add-shadow-ctrl
branch
from
f961347
to
2546b2b
Compare
This PR adds a shadow CTRL register according to @tjaychen's Shadow Register RFC discussed in #150.
More specifically, two more copies are added for the CTRL register: a shadow register and a staged register. An update to the CTRL register now always takes two subsequent writes. The first write goes into the staged register and the second potentially to the actual and the shadow register.
What is missing is the adaption of the UVM-based DV infrastructure.The changes have been successfully tested using AES DV, my own Verilator framework and the aes_test.