Module prim_ram_1p_scr
Block Diagram of prim_ram_1p_scr
Name |
Default |
Description |
|---|---|---|
Depth |
16*1024 |
Needs to be a power of 2 if NumAddrScrRounds > 0. |
Width |
32 |
Needs to be byte aligned if byte parity is enabled. |
DataBitsPerMask |
8 |
Needs to be set to 8 in case of byte parity. |
EnableParity |
1 |
Enable byte parity. |
NumPrinceRoundsHalf |
3 |
Scrambling parameters. Note that this needs to be low-latency, hence we have to keep the amount of cipher rounds low. PRINCE has 5 half rounds in its original form, which corresponds to 2*5 + 1 effective rounds. Setting this to 3 lowers this to approximately 7 effective rounds. Number of PRINCE half rounds, can be [1..5] |
NumDiffRounds |
0 |
Number of extra diffusion rounds. Setting this to 0 to disables diffusion. NOTE: this is zero by default, since the non-linear transformation of data bits can interact adversely with end-to-end ECC integrity. Only enable this if you know what you are doing (e.g. using this primitive in a different context with byte parity). See #20788 for context. |
DiffWidth |
DataBitsPerMask |
This parameter governs the block-width of additional diffusion layers. For intra-byte diffusion, set this parameter to 8. |
NumAddrScrRounds |
2 |
Number of address scrambling rounds. Setting this to 0 disables address scrambling. |
ReplicateKeyStream |
1'b0 |
If set to 1, the same 64bit key stream is replicated if the data port is wider than 64bit. If set to 0, the cipher primitive is replicated, and together with a wider nonce input, a unique keystream is generated for the full data width. |
Name |
Type |
Direction |
Description |
|---|---|---|---|
clk_i |
wire logic |
input |
|
rst_ni |
wire logic |
input |
|
key_valid_i |
wire logic |
input |
Key interface. Memory requests will not be granted if key_valid is set to 0. |
key_i |
wire logic [DataKeyWidth - 1 : 0] |
input |
|
nonce_i |
wire logic [NonceWidth - 1 : 0] |
input |
|
req_i |
wire logic |
input |
Interface to TL-UL SRAM adapter |
gnt_o |
var logic |
output |
|
write_i |
wire logic |
input |
|
addr_i |
wire logic [AddrWidth - 1 : 0] |
input |
|
wdata_i |
wire logic [Width - 1 : 0] |
input |
|
wmask_i |
wire logic [Width - 1 : 0] |
input |
Needs to be byte-aligned for parity |
intg_error_i |
wire logic |
input |
On integrity errors, the primitive surpresses any real transaction to the memory. |
rdata_o |
var logic [Width - 1 : 0] |
output |
|
rvalid_o |
var logic |
output |
Read response (rdata_o) is valid |
rerror_o |
var logic [1 : 0] |
output |
Bit1 Uncorrectable, Bit0: Correctable |
raddr_o |
var logic [31 : 0] |
output |
Read address for error reporting. |
cfg_i |
wire ram_1p_cfg_t |
input |
config |
wr_collision_o |
var logic |
output |
Write currently pending inside this module. |
write_pending_o |
var logic |
output |
|
alert_o |
var logic |
output |
When detecting multi-bit encoding errors, raise alert. |
Name |
Kind |
Description |
|---|---|---|
prim_ram_1p_scr.DepthPow2Check_A |
immediate assert |
((NumAddrScrRounds <= '0) || ((2 ** $clog2(Depth)) == Depth))
|
prim_ram_1p_scr.DiffWidthMinimum_A |
immediate assert |
(DiffWidth >= 4)
|
prim_ram_1p_scr.DiffWidthWithParity_A |
immediate assert |
((EnableParity && (DiffWidth == 8)) || ! EnableParity)
|
Functions
- simutil_get_scramble_key(bit[127:0] val)
- Parameters:
val (bit[127:0])
- simutil_get_scramble_nonce(bit[319:0] nonce)
- Parameters:
nonce (bit[319:0])
This is a draft implementation of a low-latency memory scrambling mechanism.
The module is implemented as a primitive, in the same spirit as similar prim_ram_1p_adv wrappers. Hence, it can be conveniently instantiated by comportable IPs (such as OTBN) or in top_earlgrey for the main system memory.
The currently implemented architecture uses a reduced-round PRINCE cipher primitive in CTR mode in order to (weakly) scramble the data written to the memory macro. Plain CTR mode does not diffuse the data since the keystream is just XOR'ed onto it, hence we also we perform byte-wise diffusion using a (shallow) substitution/permutation network layers in order to provide a limited avalanche effect within a byte.
In order to break the linear addressing space, the address is passed through a bijective scrambling function constructed using a (shallow) substitution/permutation and a nonce. Due to that nonce, the address mapping is not fully baked into RTL and can be changed at runtime as well.
See also
prim_cipher_pkg, prim_prince