[otbn,dv] Enable RTL/ISS checker to tolerate mismatches

With this change one can tell the checker to tolerate a mismatch on the
next RTL to ISS trace comparison.
This is useful when FI related tests lead to escalations which fire one
cycle delayed.

Signed-off-by: Pascal Etterli <[email protected]>

Author: etterli

hw/ip/otbn/dv/model/otbn_model.cc

@@ -561,6 +561,11 @@ int OtbnModel::set_software_errs_fatal(unsigned char new_val) {
   return 0;
 }
 
+int OtbnModel::tolerate_result_mismatch() {
+  OtbnTraceChecker::get().TolerateResultMismatch();
+  return 0;
+}
+
 int OtbnModel::set_no_sec_wipe_chk() {
   OtbnTraceChecker::get().set_no_sec_wipe_chk();
   return 0;
@@ -1029,6 +1034,11 @@ int otbn_model_set_software_errs_fatal(OtbnModel *model,
   return model->set_software_errs_fatal(new_val);
 }
 
+int otbn_model_tolerate_result_mismatch(OtbnModel *model) {
+  assert(model);
+  return model->tolerate_result_mismatch();
+}
+
 int otbn_set_no_sec_wipe_chk(OtbnModel *model) {
   assert(model);
   return model->set_no_sec_wipe_chk();

hw/ip/otbn/dv/model/otbn_model.h

@@ -90,6 +90,11 @@ class OtbnModel {
   // error. Returns 0 on success; -1 on failure.
   int invalidate_dmem();
 
+  // Tell the model to tolerate mismatches between RTL and ISS trace entries
+  // for the next comparison. Required for tests covering FI countermeasures
+  // with delayed escalation.
+  int tolerate_result_mismatch();
+
   // Set software_errs_fatal bit in ISS model.
   int set_software_errs_fatal(unsigned char new_val);
 
@@ -167,6 +172,10 @@ class OtbnModel {
   std::string design_scope_;
 
   bool stack_check_enabled_ = true;
+
+  // If true, tolerate a mismatch in results between ISS and RTL for the next
+  // check.
+  bool tolerate_result_mismatch_ = false;
 };
 
 #endif  // OPENTITAN_HW_IP_OTBN_DV_MODEL_OTBN_MODEL_H_

hw/ip/otbn/dv/model/otbn_model_dpi.h

@@ -112,6 +112,11 @@ int otbn_model_invalidate_dmem(OtbnModel *model);
 // error.
 int otbn_model_set_software_errs_fatal(OtbnModel *model, unsigned char new_val);
 
+// Tell the model to tolerate mismatches between RTL and ISS trace entries
+// for the next comparison. Required for tests covering FI countermeasures
+// with delayed escalation.
+int otbn_model_tolerate_result_mismatch(OtbnModel *model);
+
 // Tell the model to not execute checks to see if secure wiping has written
 // random data to all registers before wiping them with zeroes.
 int otbn_set_no_sec_wipe_chk(OtbnModel *model);

hw/ip/otbn/dv/model/otbn_model_dpi.svh

@@ -53,6 +53,8 @@ import "DPI-C" function int otbn_model_invalidate_dmem(chandle model);
 
 import "DPI-C" function int otbn_model_set_software_errs_fatal(chandle model, bit new_val);
 
+import "DPI-C" function int otbn_model_tolerate_result_mismatch(chandle model);
+
 import "DPI-C" function int otbn_set_no_sec_wipe_chk(chandle model);
 
 import "DPI-C" function int otbn_model_step_crc(chandle          model,

hw/ip/otbn/dv/model/otbn_trace_checker.cc

@@ -20,6 +20,7 @@ OtbnTraceChecker::OtbnTraceChecker()
       iss_started_(false),
       iss_pending_(false),
       done_(true),
+      tolerate_result_mismatch_(false),
       seen_err_(false),
       last_data_vld_(false) {
   OtbnTraceSource::get().AddListener(this);
@@ -245,6 +246,11 @@ const OtbnIssTraceEntry::IssData *OtbnTraceChecker::PopIssData() {
 
 void OtbnTraceChecker::set_no_sec_wipe_chk() { no_sec_wipe_data_chk_ = true; }
 
+void OtbnTraceChecker::TolerateResultMismatch() {
+  tolerate_result_mismatch_ = true;
+  std::cerr << "INFO: Next RTL/ISS trace entry mismatch will be tolerated.\n";
+}
+
 bool OtbnTraceChecker::MatchPair() {
   if (!(rtl_pending_ && iss_pending_)) {
     return true;
@@ -256,17 +262,31 @@ bool OtbnTraceChecker::MatchPair() {
   std::string err_desc;
   if (!(rtl_entry_.compare_rtl_iss_entries(iss_entry_, no_sec_wipe_data_chk_,
                                            &err_desc))) {
-    std::cerr << "ERROR: Mismatch between RTL and ISS trace entries: "
-              << err_desc << "\n  RTL entry is:\n";
-    rtl_entry_.print("    ", std::cerr);
-    std::cerr << "  ISS entry is:\n";
-    iss_entry_.print("    ", std::cerr);
-    seen_err_ = true;
-    return false;
-    if (rtl_entry_.trace_type() == OtbnTraceEntry::WipeComplete) {
-      no_sec_wipe_data_chk_ = false;
+    if (tolerate_result_mismatch_) {
+      std::cerr << "INFO: Mismatch between RTL and ISS trace entries "
+                << "but tolerated: " << err_desc << "\n  RTL entry is:\n";
+      rtl_entry_.print("    ", std::cerr);
+      std::cerr << "  ISS entry is:\n";
+      iss_entry_.print("    ", std::cerr);
+    } else {
+      std::cerr << "ERROR: Mismatch between RTL and ISS trace entries: "
+                << err_desc << "\n  RTL entry is:\n";
+      rtl_entry_.print("    ", std::cerr);
+      std::cerr << "  ISS entry is:\n";
+      iss_entry_.print("    ", std::cerr);
+      seen_err_ = true;
+      return false;
+      if (rtl_entry_.trace_type() == OtbnTraceEntry::WipeComplete) {
+        no_sec_wipe_data_chk_ = false;
+      }
     }
   }
+  // We tolerate a mismatch only for one comparison.
+  if (tolerate_result_mismatch_) {
+    std::cerr << "INFO: No longer tolerating RTL/ISS mismatches.\n";
+  }
+  tolerate_result_mismatch_ = false;
+
   // We've got a matching pair of entries. Move the ISS data out of the (now
   // defunct) iss_entry_ and into last_data_.
   if (rtl_entry_.trace_type() == OtbnTraceEntry::Exec) {

hw/ip/otbn/dv/model/otbn_trace_checker.h

@@ -80,6 +80,11 @@ class OtbnTraceChecker : public OtbnTraceListener {
   // secure wipe entry.
   void set_no_sec_wipe_chk();
 
+  // Tell the model to tolerate a mismatch in results between ISS and RTL for
+  // the next check. This is required for FI tests where we expect the RTL to
+  // misbehave.
+  void TolerateResultMismatch();
+
  private:
   // If rtl_pending_ and iss_pending_ are not both true, return true
   // immediately with no other change. Otherwise, compare the two pending trace
@@ -96,6 +101,7 @@ class OtbnTraceChecker : public OtbnTraceListener {
   OtbnIssTraceEntry iss_entry_;
 
   bool done_;
+  bool tolerate_result_mismatch_;
   bool seen_err_;
 
   // The ISS entry for the last pair of trace entries that went through

hw/ip/otbn/dv/uvm/otbn_model_agent/otbn_model_if.sv

@@ -114,6 +114,12 @@ interface otbn_model_if
     release u_model.wakeup_iss;
   endtask: lock_immediately
 
+  function automatic void tolerate_result_mismatch();
+    `uvm_info("otbn_model_if", "Enabling tolerate result mismatch for next check", UVM_HIGH);
+    `DV_CHECK_FATAL(u_model.otbn_model_tolerate_result_mismatch(handle) == 0,
+                    "Failed to enable tolerating result mismatch", "otbn_model_if")
+  endfunction
+
   function automatic void set_software_errs_fatal(bit new_val);
     `uvm_info("otbn_model_if", "writing to software_errs_fatal", UVM_HIGH);
     `DV_CHECK_FATAL(u_model.otbn_model_set_software_errs_fatal(handle, new_val) == 0,