[racl,rtl,sram_ctrl,spi_host,spi_device] Enable RACL ranges for sram_…

…ctrl And implement ranges for tlul_adapter_sram_racl and rewire parameters where it is already being used. Signed-off-by: David Schrammel <[email protected]>
lowRISC · Feb 7, 2025 · 44a70ee · 44a70ee
1 parent c61bf1a
commit 44a70ee
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 33 deletions.
diff --git a/hw/ip/spi_device/rtl/spi_device.sv b/hw/ip/spi_device/rtl/spi_device.sv
@@ -16,7 +16,19 @@ module spi_device
   parameter bit                             RaclErrorRsp                  = EnableRacl,
   parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelVec[73]          = '{73{0}},
   parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinEgressbuffer  = 0,
-  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinIngressbuffer = 0
+  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinIngressbuffer = 0,
+  localparam top_racl_pkg::racl_range_t RaclPolicySelRangesEgressbuffer[1] = '{
+    '{base: {top_pkg::TL_AW{1'b0}},
+      mask: {top_pkg::TL_AW{1'b1}},
+      policy_sel: top_racl_pkg::racl_policy_sel_t'(RaclPolicySelWinEgressbuffer)
+    }
+  },
+  localparam top_racl_pkg::racl_range_t RaclPolicySelRangesIngressbuffer[1] = '{
+    '{base: {top_pkg::TL_AW{1'b0}},
+      mask: {top_pkg::TL_AW{1'b1}},
+      policy_sel: top_racl_pkg::racl_policy_sel_t'(RaclPolicySelWinIngressbuffer)
+    }
+  }
 ) (
   input clk_i,
   input rst_ni,
@@ -1687,7 +1699,8 @@ module spi_device
     .ByteAccess       (0),
     .EnableRacl       (EnableRacl),
     .RaclErrorRsp     (RaclErrorRsp),
-    .RaclPolicySelVec (RaclPolicySelWinEgressbuffer)
+    .RaclPolicySelNumRanges(1),
+    .RaclPolicySelRanges(RaclPolicySelRangesEgressbuffer)
   ) u_tlul2sram_egress (
     .clk_i,
     .rst_ni,
@@ -1725,7 +1738,8 @@ module spi_device
     .ByteAccess       (0),
     .EnableRacl       (EnableRacl),
     .RaclErrorRsp     (RaclErrorRsp),
-    .RaclPolicySelVec (RaclPolicySelWinIngressbuffer)
+    .RaclPolicySelNumRanges(1),
+    .RaclPolicySelRanges(RaclPolicySelRangesIngressbuffer)
   ) u_tlul2sram_ingress (
     .clk_i,
     .rst_ni,

diff --git a/hw/ip/spi_host/rtl/spi_host_window.sv b/hw/ip/spi_host/rtl/spi_host_window.sv
@@ -10,7 +10,14 @@ module spi_host_window
   parameter bit                             EnableRacl             = 1'b0,
   parameter bit                             RaclErrorRsp           = 1'b1,
   parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinRXDATA = 0,
-  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinTXDATA = 0
+  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelWinTXDATA = 0,
+  localparam top_racl_pkg::racl_range_t RaclPolicySelRangesTXDATA[1] = '{
+    '{
+      base: {top_pkg::TL_AW{1'b0}},
+      mask: {top_pkg::TL_AW{1'b1}},
+      policy_sel: top_racl_pkg::racl_policy_sel_t'(RaclPolicySelWinTXDATA)
+    }
+  }
 ) (
   input  clk_i,
   input  rst_ni,
@@ -97,7 +104,8 @@ module spi_host_window
     .ErrOnRead(1),
     .EnableRacl(EnableRacl),
     .RaclErrorRsp(RaclErrorRsp),
-    .RaclPolicySelVec(RaclPolicySelWinTXDATA)
+    .RaclPolicySelNumRanges(1),
+    .RaclPolicySelRanges(RaclPolicySelRangesTXDATA)
   ) u_adapter_tx (
     .clk_i,
     .rst_ni,

diff --git a/hw/ip/sram_ctrl/data/sram_ctrl.hjson b/hw/ip/sram_ctrl/data/sram_ctrl.hjson
@@ -29,7 +29,7 @@
 
   bus_interfaces: [
     { protocol: "tlul", direction: "device", name: "regs", racl_support: true }
-    { protocol: "tlul", direction: "device", name: "ram" },
+    { protocol: "tlul", direction: "device", name: "ram" , racl_support: true }
   ],
 
   ///////////////////////////

diff --git a/hw/ip/sram_ctrl/dv/env/seq_lib/sram_ctrl_common_vseq.sv b/hw/ip/sram_ctrl/dv/env/seq_lib/sram_ctrl_common_vseq.sv
@@ -79,8 +79,8 @@ class sram_ctrl_common_vseq extends sram_ctrl_base_vseq;
     // their counters. This avoids a problem where we generate a spurious request when the FIFO was
     // actually empty and lots of signals in the design become X. This will let the fifos error
     // signal stuck at X. Zeroing the backing memory avoids that problem.
-    splat_fifo_storage("tb.dut.u_tlul_adapter_sram.u_reqfifo", 2);
-    splat_fifo_storage("tb.dut.u_tlul_adapter_sram.u_sramreqfifo", 2);
+    splat_fifo_storage("tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_reqfifo", 2);
+    splat_fifo_storage("tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sramreqfifo", 2);
 
     super.dut_init(reset_kind);
   endtask
@@ -168,13 +168,13 @@ class sram_ctrl_common_vseq extends sram_ctrl_base_vseq;
       if (is_ptr_in_adapters_fifo(if_proxy.path, touching_req_fifo)) begin
         if (!enable) begin
           `uvm_info(`gfn, "Doing FI on a prim_fifo_sync. Disabling related assertions", UVM_HIGH)
-          $assertoff(0, "tb.dut.u_tlul_adapter_sram.u_reqfifo");
-          $assertoff(0, "tb.dut.u_tlul_adapter_sram.u_sramreqfifo");
-          $assertoff(0, "tb.dut.u_tlul_adapter_sram.u_rspfifo");
+          $assertoff(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_reqfifo");
+          $assertoff(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sramreqfifo");
+          $assertoff(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_rspfifo");
         end else begin
-          $asserton(0, "tb.dut.u_tlul_adapter_sram.u_reqfifo");
-          $asserton(0, "tb.dut.u_tlul_adapter_sram.u_sramreqfifo");
-          $asserton(0, "tb.dut.u_tlul_adapter_sram.u_rspfifo");
+          $asserton(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_reqfifo");
+          $asserton(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sramreqfifo");
+          $asserton(0, "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_rspfifo");
         end
 
         // Disable assertions that we expect to fail if we corrupt a request FIFO. This causes us to

diff --git a/hw/ip/sram_ctrl/dv/env/seq_lib/sram_ctrl_readback_err_vseq.sv b/hw/ip/sram_ctrl/dv/env/seq_lib/sram_ctrl_readback_err_vseq.sv
@@ -110,7 +110,8 @@ class sram_ctrl_readback_err_vseq extends sram_ctrl_base_vseq;
     cfg.is_fi_test = 1'b1;
 
     // If we are faulting the sram_we signal, this assertion would trigger. Disable it.
-    $assertoff(0, "tb.dut.u_tlul_adapter_sram.u_sram_byte.gen_integ_handling");
+    $assertoff(0,
+      "tb.dut.u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sram_byte.gen_integ_handling");
 
     `DV_CHECK_MEMBER_RANDOMIZE_FATAL(num_ops)
     `DV_CHECK_MEMBER_RANDOMIZE_FATAL(do_fi_op)

diff --git a/hw/ip/sram_ctrl/rtl/sram_ctrl.sv b/hw/ip/sram_ctrl/rtl/sram_ctrl.sv
@@ -31,7 +31,9 @@ module sram_ctrl
   parameter  lfsr_perm_t                RndCnstLfsrPerm  = RndCnstLfsrPermDefault,
   parameter bit                         EnableRacl       = 1'b0,
   parameter bit                         RaclErrorRsp     = EnableRacl,
-  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelVecRegs[NumRegsRegs] = '{NumRegsRegs{0}}
+  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelVecRegs[NumRegsRegs] = '{NumRegsRegs{0}},
+  parameter int unsigned RaclPolicySelRangesRamNum = 1,
+  parameter top_racl_pkg::racl_range_t RaclPolicySelRangesRam[RaclPolicySelRangesRamNum] = '{'0}
 ) (
   // SRAM Clock
   input  logic                                               clk_i,
@@ -90,6 +92,13 @@ module sram_ctrl
 
   `ASSERT_INIT(NonceWidthsLessThanSource_A, NonceWidth + LfsrWidth <= otp_ctrl_pkg::SramNonceWidth)
 
+  logic racl_error_regs;
+  logic racl_error_ram;
+  top_racl_pkg::racl_error_log_t racl_error_regs_log;
+  top_racl_pkg::racl_error_log_t racl_error_ram_log;
+  // We are combining all racl errors here because only one of them can be set at any time.
+  assign racl_error_o = racl_error_regs | racl_error_ram;
+  assign racl_error_log_o = racl_error_regs_log | racl_error_ram_log;
 
   /////////////////////////////////////
   // Anchor incoming seeds and constants
@@ -137,8 +146,8 @@ module sram_ctrl
     .hw2reg,
     // RACL interface
     .racl_policies_i  ( racl_policies_i    ),
-    .racl_error_o     ( racl_error_o       ),
-    .racl_error_log_o ( racl_error_log_o   ),
+    .racl_error_o     ( racl_error_regs    ),
+    .racl_error_log_o ( racl_error_regs_log),
     // SEC_CM: BUS.INTEGRITY
     .intg_err_o       ( bus_integ_error[0] )
    );
@@ -492,7 +501,7 @@ module sram_ctrl
   mubi4_t reg_readback_en;
   assign reg_readback_en = mubi4_t'(reg2hw.readback.q);
 
-  tlul_adapter_sram #(
+  tlul_adapter_sram_racl #(
     .SramAw(AddrWidth),
     .SramDw(DataWidth - tlul_pkg::DataIntgWidth),
     .Outstanding(2),
@@ -502,8 +511,12 @@ module sram_ctrl
     .EnableDataIntgGen(0),
     .EnableDataIntgPt(1), // SEC_CM: MEM.INTEGRITY
     .SecFifoPtr      (1), // SEC_CM: TLUL_FIFO.CTR.REDUN
-    .EnableReadback  (1)  // SEC_CM: MEM.READBACK
-  ) u_tlul_adapter_sram (
+    .EnableReadback  (1), // SEC_CM: MEM.READBACK
+    .EnableRacl(EnableRacl),
+    .RaclErrorRsp(RaclErrorRsp),
+    .RaclPolicySelNumRanges(RaclPolicySelRangesRamNum),
+    .RaclPolicySelRanges(RaclPolicySelRangesRam)
+  ) u_tlul_adapter_sram_racl (
     .clk_i,
     .rst_ni,
     .tl_i                       (ram_tl_in_gated),
@@ -526,7 +539,11 @@ module sram_ctrl
     .readback_en_i              (reg_readback_en),
     .readback_error_o           (readback_error),
     .wr_collision_i             (sram_wr_collision),
-    .write_pending_i            (sram_wpending)
+    .write_pending_i            (sram_wpending),
+    // RACL interface
+    .racl_policies_i            (racl_policies_i),
+    .racl_error_o               (racl_error_ram),
+    .racl_error_log_o           (racl_error_ram_log)
   );
 
   logic key_valid;
@@ -621,22 +638,28 @@ module sram_ctrl
 
   // Alert assertions for redundant counters.
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(RspFifoWptrCheck_A,
-      u_tlul_adapter_sram.u_rspfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_wptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_rspfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_wptr,
       alert_tx_o[0])
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(RspFifoRptrCheck_A,
-      u_tlul_adapter_sram.u_rspfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_rptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_rspfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_rptr,
       alert_tx_o[0])
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(SramReqFifoWptrCheck_A,
-      u_tlul_adapter_sram.u_sramreqfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_wptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sramreqfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_wptr,
       alert_tx_o[0])
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(SramReqFifoRptrCheck_A,
-      u_tlul_adapter_sram.u_sramreqfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_rptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_sramreqfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_rptr,
       alert_tx_o[0])
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(ReqFifoWptrCheck_A,
-      u_tlul_adapter_sram.u_reqfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_wptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_reqfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_wptr,
       alert_tx_o[0])
   `ASSERT_PRIM_COUNT_ERROR_TRIGGER_ALERT(ReqFifoRptrCheck_A,
-      u_tlul_adapter_sram.u_reqfifo.gen_normal_fifo.u_fifo_cnt.gen_secure_ptrs.u_rptr,
+      u_tlul_adapter_sram_racl.tlul_adapter_sram.u_reqfifo.gen_normal_fifo.u_fifo_cnt
+        .gen_secure_ptrs.u_rptr,
       alert_tx_o[0])
 
   // `tlul_gnt` doesn't factor in `sram_gnt` for timing reasons. This assertions checks that

diff --git a/hw/ip/sram_ctrl/rtl/sram_ctrl_ram_reg_top.sv b/hw/ip/sram_ctrl/rtl/sram_ctrl_ram_reg_top.sv
@@ -6,13 +6,24 @@
 
 `include "prim_assert.sv"
 
-module sram_ctrl_ram_reg_top (
+module sram_ctrl_ram_reg_top
+  # (
+    parameter bit          EnableRacl           = 1'b0,
+    parameter bit          RaclErrorRsp         = 1'b1,
+    parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelVec[sram_ctrl_reg_pkg::NumRegsRam] =
+      '{sram_ctrl_reg_pkg::NumRegsRam{0}}
+  ) (
   input clk_i,
   input rst_ni,
   input  tlul_pkg::tl_h2d_t tl_i,
   output tlul_pkg::tl_d2h_t tl_o,
   // To HW
 
+  // RACL interface
+  input  top_racl_pkg::racl_policy_vec_t racl_policies_i,
+  output logic                           racl_error_o,
+  output top_racl_pkg::racl_error_log_t  racl_error_log_o,
+
   // Integrity check errors
   output logic intg_err_o
 );
@@ -39,4 +50,6 @@ module sram_ctrl_ram_reg_top (
   assign tl_o_pre   = tl_reg_d2h;
 
   // Unused signal tieoff
+  logic unused_policy_sel;
+  assign unused_policy_sel = ^racl_policies_i;
 endmodule
diff --git a/hw/ip/tlul/rtl/tlul_adapter_sram_racl.sv b/hw/ip/tlul/rtl/tlul_adapter_sram_racl.sv
@@ -41,8 +41,8 @@ module tlul_adapter_sram_racl
   parameter bit DataXorAddr       = 0,          // 1: XOR data and address for address protection
   parameter bit EnableRacl        = 0,          // 1: Enable RACL checks on access
   parameter bit RaclErrorRsp      = EnableRacl, // 1: Return TLUL error on RACL errors
-  parameter top_racl_pkg::racl_policy_sel_t RaclPolicySelVec = 0, // RACL policy for this SRAM
-                                                                  // adapter
+  parameter int RaclPolicySelNumRanges = 1,     // Number of ranges with a RACL policy
+  parameter top_racl_pkg::racl_range_t RaclPolicySelRanges [RaclPolicySelNumRanges] = '{'0},
   localparam int WidthMult        = SramDw / top_pkg::TL_DW,
   localparam int IntgWidth        = tlul_pkg::DataIntgWidth * WidthMult,
   localparam int DataOutW         = EnableDataIntgPt ? SramDw + IntgWidth : SramDw
@@ -98,12 +98,31 @@ module tlul_adapter_sram_racl
     );
 
     logic req, rd_req, wr_req, racl_read_allowed, racl_write_allowed;
+    logic [RaclPolicySelNumRanges-1:0] range_read_allowed;
+    logic [RaclPolicySelNumRanges-1:0] range_write_allowed;
+
+    for (genvar r = 0; r < RaclPolicySelNumRanges; r++) begin : gen_racl_range_check
+      top_racl_pkg::racl_range_t range;
+      top_racl_pkg::racl_policy_t policy;
+      logic range_match;
+      assign range = RaclPolicySelRanges[r];
+      assign policy = racl_policies_i[range.policy_sel];
+      // Asserts that a valid range is defined
+      `ASSERT(RaclAdapterSramValidRange, range.mask > 0)
+      // Check if the address is within range
+      assign range_match = (tl_i.a_address & ~range.mask) == range.base;
+      // If address matches, lookup permissions for policy defined for this range
+      assign range_read_allowed[r]  = range_match & |(policy.read_perm  & racl_role_vec);
+      assign range_write_allowed[r] = range_match & |(policy.write_perm & racl_role_vec);
+    end
+
+    assign racl_read_allowed  = |range_read_allowed;
+    assign racl_write_allowed = |range_write_allowed;
+
     assign req                = tl_i.a_valid & tl_o.a_ready;
     assign rd_req             = req & (tl_i.a_opcode == tlul_pkg::Get);
     assign wr_req             = req & (tl_i.a_opcode == tlul_pkg::PutFullData |
                                        tl_i.a_opcode == tlul_pkg::PutPartialData);
-    assign racl_read_allowed  = (|(racl_policies_i[RaclPolicySelVec].read_perm  & racl_role_vec));
-    assign racl_write_allowed = (|(racl_policies_i[RaclPolicySelVec].write_perm & racl_role_vec));
     assign racl_error_o       = (rd_req & ~racl_read_allowed) | (wr_req & ~racl_write_allowed);
 
     tlul_request_loopback #(
@@ -174,6 +193,8 @@ module tlul_adapter_sram_racl
   logic unused_policy_sel;
   assign unused_policy_sel = ^racl_policies_i;
 
+  `ASSERT(RaclAdapterSramNumRanges, EnableRacl |-> RaclPolicySelNumRanges > 0)
+
   // Ensure that RACL signals are not undefined
   `ASSERT_KNOWN(RaclAdapterSramErrorKnown_A, racl_error_o)
   `ASSERT_KNOWN(RaclAdapterSramErrorLogKnown_A, racl_error_log_o)