lowRISC / opentitan

OpenTitan: Open source silicon root of trust
https://www.opentitan.org
Apache License 2.0

Primitives to hold errors high until reset #15644

Open GregAC opened 2 years ago

GregAC commented 2 years ago

A potential security issue in OTBN was discovered where some errors triggered by a fault being detected only asserted their error signal for a single cycle. When this occurred along with an OTBN start command, this would allow the fault to be missed. The fix was to latch various errors, so once an error signal is raised it stays raised. See this PR for more detail: https://github.com/lowRISC/opentitan/pull/15611

We should consider introducing primitives to handle this.

  1. Create a `prim_hold` or `prim_err_latch` or similar which implements the set-and-only-clear-on-reset behaviour.
  2. Add this behaviour to `prim_count` for its error output (in OTBN most of the issues were around the counter error only being asserted for a single cycle, though this was because the count was being cleared the same cycle the fault was being injected).

This isn't an M2 issue, but something to consider for the future.

@tjaychen @cdgori @moidx
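As an added illustration of the set-and-only-clear-on-reset behaviour proposed in item 1 (this is not OpenTitan's code; the module and testbench names are hypothetical, and `err_i`/`err_o` are assumed port names), the following SystemVerilog latches a single-cycle error pulse so it remains visible until reset:

```systemverilog
// Hypothetical sticky error latch (not OpenTitan's prim_err_latch; the issue
// only proposes the name). Once err_i pulses high for a single cycle, err_o
// stays high until the block is reset, so a fault flagged in the same cycle
// as a start command can no longer be missed by logic that samples later.
module err_latch_example (
  input  logic clk_i,
  input  logic rst_ni,
  input  logic err_i,   // possibly single-cycle error pulse from a checker
  output logic err_o    // held high until reset
);
  logic err_q;

  always_ff @(posedge clk_i or negedge rst_ni) begin
    if (!rst_ni) begin
      err_q <= 1'b0;
    end else if (err_i) begin
      err_q <= 1'b1;   // set; the only clear path is reset
    end
  end

  // Pass the live pulse through as well so the first cycle is not delayed.
  assign err_o = err_i | err_q;
endmodule

// Constructed testbench: a one-cycle error pulse must still be visible
// several cycles after it has been deasserted.
module err_latch_example_tb;
  logic clk = 1'b0, rst_n = 1'b0, err = 1'b0, err_held;

  err_latch_example dut (
    .clk_i(clk), .rst_ni(rst_n), .err_i(err), .err_o(err_held)
  );

  always #5 clk = ~clk;

  initial begin
    repeat (2) @(posedge clk);
    rst_n = 1'b1;
    @(posedge clk); err <= 1'b1;   // single-cycle fault indication
    @(posedge clk); err <= 1'b0;   // pulse ends, nothing else re-asserts it
    repeat (3) @(posedge clk);
    if (!err_held) $fatal(1, "error was lost after the single-cycle pulse");
    $display("error held until reset: OK");
    $finish;
  end
endmodule
```

Without the `err_q` flop, `err_o` would follow `err_i` and the `$fatal` check would fire, which is the single-cycle visibility problem described above.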

cdgori commented 2 years ago

Agreed, a new prim (or change to prim_count) to handle this consistently would be nice, but post-M2.