Skip to content

[keymgr_dpe] Replace keymgr in EG - PR4 BootStageOwnerInt / Top dep. parameter#30618

Draft
rroth-lowrisc wants to merge 7 commits into
lowRISC:masterfrom
rroth-lowrisc:keymgr_dpe_PR4_rtl_changes
Draft

[keymgr_dpe] Replace keymgr in EG - PR4 BootStageOwnerInt / Top dep. parameter#30618
rroth-lowrisc wants to merge 7 commits into
lowRISC:masterfrom
rroth-lowrisc:keymgr_dpe_PR4_rtl_changes

Conversation

@rroth-lowrisc

@rroth-lowrisc rroth-lowrisc commented Jul 2, 2026

Copy link
Copy Markdown

PR4 - BootStageOwnerInt / Top dep. parameter

This PR is the fourth in a series which will replace the keymgr with the kemgr_dpe in earlgrey. The replacement was approved by this RFC.

Merge-Dependencies

Relevant Commits

Last two commits

Description

The goal of this PR is twofold:

  • Introduce the third bootstage required for the integration of the keymgr_dpe into earlgrey as approved by the RFC.
  • Make all necessary parameters top dependent which diverge between darjeeling and earlgrey (to avoid templating the IP)

After this PR is approved, both commits should be squashed together into a single commit.

Split the otp_keymgr_key interface into its respective components.
Future version of the keymgr(_dpe) may receive the information from
different IP's rather than combined from the otp_ctrl.

To avoid a circular dependencies the DevIdWidth instantiated
in keymgr_dpe_pkg replaces the otp_ctrl_pkg::DeviceIdWidth.

As the keymgr still expects the combined message the earlgrey top
manually combines the key material. This fix will be removed when
the keymgr is replaced by the keymgr_dpe.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit updates the `otp_ctrl` dv to reflect the new interface between
the `keymgr` and the `otp_ctrl`. The secret / seed verification inside the
otp_ctrl scoreboard template are no longer dynamically generated. The reason
is that the previously shared port signal has been split into its respective
components, which does not interacts well with the dynamic generation anymore.

However, adding a secret to the otp now results in a port-list change anyways the
resulting overhead is deemed acceptable.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit removes all otp_ctrl dependency in the keymgr_dpe dv.
This change ensures that the dv architecture accurately reflects
the dependency in the RTL implementation.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit improves the block level dv by:
- Introducing more verbose messages
- Latching the correct DEFAULT_UDS_POLICY
- Prevent ambiguous state after the disable operation
  by restricting any advance call

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
The scoreboard loads the UDS directly from the DUT via interface.
The problem is the keymgr_dpe initializes the slot for the UDS with
randomness. The initally loaded UDS is xored with the randomness
already present in the destination slot as countermeasure for SCA.
The scoreboard however can currently not recreate this randomness
thus the backdoor load.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
Introduction of the third bootstage defined in the opentitan identities-and-root-keys
(https://opentitan.org/book/doc/security/specs/identities_and_root_keys/index.html)
strategy. The `creator_seed` is now consumed by BootStageOwnerInt rather
than by BootStageCreator.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
This commit allows for a limited parametrization by the top without
having a fully templated IP. The top can define the following:

- Number of bootstages (either two or three)
- Number of ROM digest values
- Number of HW slots instanciated (up to 8 slots)

The block level dv is extended to test two different configurations,
called earlgrey and darjeeling.

Signed-off-by: Raphael Roth <rroth@lowrisc.org>
@rroth-lowrisc rroth-lowrisc force-pushed the keymgr_dpe_PR4_rtl_changes branch from 14b6897 to 4d3ee59 Compare July 7, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant