merged with main

.github/workflow_metadata/pr_hash

@@ -1 +1 @@
-148a6d381422de56ae26bc8c4288130b67b86f624ee2adb675b36c18e09bc5319f1cc53b9c3268c98892d594e9a28b44
+2b5d5480a88290833152d554d26989b7369e35dd426a284518f7c0599edfab1f1094a239fab6771d019fb9d0129c2126

.github/workflow_metadata/pr_timestamp

@@ -1 +1 @@
-1733339945
+1734475178

src/abr_libs/rtl/abr_masked_N_bit_mult_two_share.sv

@@ -25,7 +25,7 @@
 //  - Final output is obtained by combining the reshared and masked intermediate results.
 //  - It requires fresh randomness.
 //  - This design assumes that both x and y are secret, although y input from top level is usually public 
-//  - It has one cycle latency and can accept a new input set at every clock.
+//  - It has two cycle latency and can accept a new input set at every clock.
 //
 //======================================================================
 
@@ -43,6 +43,7 @@
 
     // Intermediate calculation logic for multiplication operations
     logic [WIDTH-1:0] calculation [3:0];
+    logic [WIDTH-1:0] calculation_reg [1:0];
     logic [WIDTH-1:0] calculation_rand [1:0];
     logic [WIDTH-1:0] final_res [1:0];
     logic [WIDTH-1:0] x0, x1, y0, y1;
@@ -53,12 +54,30 @@
         calculation[1] = WIDTH'(x[1] * y[0]); // Multiplication of the second share x and first share y
         calculation[2] = WIDTH'(x[0] * y[1]); // Multiplication of the first share x and second share y
         calculation[3] = WIDTH'(x[1] * y[1]); // Multiplication of the second share x and second share y
-
-        calculation_rand[0] = calculation[2] + random;
-        calculation_rand[1] = calculation[1] - random;
-
-        final_res[0] = calculation[0] + calculation_rand[0];
-        final_res[1] = calculation[3] + calculation_rand[1];
+    end
+    always_ff @(posedge clk or negedge rst_n) begin
+        if (!rst_n) begin
+            for (int i = 0; i < 2; i++) begin
+                calculation_rand[i] <= 'h0;
+                calculation_reg[i] <= 'h0;
+            end
+        end
+        else if (zeroize) begin
+            for (int i = 0; i < 2; i++) begin
+                calculation_rand[i] <= 'h0;
+                calculation_reg[i] <= 'h0;
+            end
+        end
+        else begin
+            calculation_rand[0] <= calculation[2] + random;
+            calculation_rand[1] <= calculation[1] - random;
+            calculation_reg[0]  <= calculation[0];
+            calculation_reg[1]  <= calculation[3];
+        end
+    end
+    always_comb begin
+        final_res[0] = calculation_reg[0] + calculation_rand[0];
+        final_res[1] = calculation_reg[1] + calculation_rand[1];
     end
 
     // Final output assignment

src/mldsa_top/config/compile.yml

@@ -73,4 +73,28 @@ global:
       default:
         - '-assert svaext'
         - +define+ABR_ASSERT_ON
-        - '-noinherit_timescale=1ns/1ps'
+        - '-noinherit_timescale=1ns/1ps'
+---
+provides: [mldsa_coverage]  
+schema_version: 2.4.0
+requires: 
+  - mldsa_top
+targets:
+  tb:
+    directories: 
+      - $COMPILE_ROOT/coverage
+    files:
+      - $COMPILE_ROOT/coverage/mldsa_top_cov_if.sv
+      - $COMPILE_ROOT/coverage/mldsa_top_cov_bind.sv
+global:
+  tool:
+    vcs:
+      default:
+        - '-assert svaext'
+        - +define+CLP_ASSERT_ON
+        #- '-v2k_generate'
+        #- '-timescale=1ns/1ps'
+        - '-noinherit_timescale=1ns/1ps'
+        #- '-ucli -i dump.ucli'
+      #sim:
+        #- '-ucli -i dump.ucli'        

src/mldsa_top/coverage/config/mldsa_cm_hier.cfg

@@ -0,0 +1,4 @@
+begin line+tgl+fsm+cond+branch
+    +tree mldsa_top_tb.dut 0
+end
+

src/mldsa_top/coverage/mldsa_top_cov_bind.sv

@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+module mldsa_top_cov_bind;
+    `ifdef FCOV
+    bind mldsa_top mldsa_top_cov_if i_mldsa_top_cov_if(.*);
+    `endif
+endmodule

src/mldsa_top/coverage/mldsa_top_cov_if.sv

@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+`ifndef VERILATOR
+
+interface mldsa_top_cov_if     
+    (
+    input logic           clk,
+    input logic           reset_n,
+    input logic           cptra_pwrgood
+
+);
+
+    logic [2 : 0] mldsa_cmd;
+    logic [2 : 0] mldsa_sw_cmd;
+    logic zeroize;
+    // logic pcr_sign_mode;
+    logic ready;
+    logic valid;
+
+    logic mldsa_privkey_lock;
+
+    logic error_flag;
+    // logic privkey_input_outofrange;
+    // logic r_output_outofrange;
+    // logic s_output_outofrange;
+    // logic r_input_outofrange;
+    // logic s_input_outofrange;
+    // logic pubkeyx_input_outofrange;
+    // logic pubkeyy_input_outofrange;
+    // logic pubkey_input_invalid;
+    // logic pcr_sign_input_invalid;
+    logic keygen_process;
+    logic signing_process;
+    logic verifying_process;
+    logic keygen_signing_process;
+
+
+    assign mldsa_cmd = mldsa_top.mldsa_ctrl_inst.cmd_reg;
+    // assign pcr_sign_mode = mldsa_top.mldsa_ctrl_inst.pcr_sign_mode;
+    assign zeroize = mldsa_top.mldsa_ctrl_inst.zeroize;
+    assign ready = mldsa_top.mldsa_ctrl_inst.mldsa_ready;
+    assign valid = mldsa_top.mldsa_ctrl_inst.mldsa_valid_reg;
+
+    always_ff @(posedge clk) begin
+        if (!reset_n) begin
+            mldsa_sw_cmd <= '0;
+        end
+        else if (mldsa_top.mldsa_reg_inst.decoded_reg_strb.MLDSA_CTRL && mldsa_top.mldsa_reg_inst.decoded_req_is_wr) begin // SW write
+            mldsa_sw_cmd <= (mldsa_top.mldsa_reg_inst.field_storage.MLDSA_CTRL.CTRL.value & ~mldsa_top.mldsa_reg_inst.decoded_wr_biten[2:0]) | (mldsa_top.mldsa_reg_inst.decoded_wr_data[2:0] & mldsa_top.mldsa_reg_inst.decoded_wr_biten[2:0]);
+        end
+    end
+
+    assign mldsa_privkey_lock = mldsa_top.mldsa_ctrl_inst.mldsa_privkey_lock;
+
+    assign error_flag = mldsa_top.mldsa_dsa_ctrl_i.error_flag;
+    // assign privkey_input_outofrange = mldsa_top.mldsa_dsa_ctrl_i.privkey_input_outofrange;
+    // assign r_output_outofrange = mldsa_top.mldsa_dsa_ctrl_i.r_output_outofrange;
+    // assign s_output_outofrange = mldsa_top.mldsa_dsa_ctrl_i.s_output_outofrange;
+    // assign r_input_outofrange = mldsa_top.mldsa_dsa_ctrl_i.r_input_outofrange;
+    // assign s_input_outofrange = mldsa_top.mldsa_dsa_ctrl_i.s_input_outofrange;
+    // assign pubkeyx_input_outofrange = mldsa_top.mldsa_dsa_ctrl_i.pubkeyx_input_outofrange;
+    // assign pubkeyy_input_outofrange = mldsa_top.mldsa_dsa_ctrl_i.pubkeyy_input_outofrange;
+    // assign pubkey_input_invalid = mldsa_top.mldsa_dsa_ctrl_i.pubkey_input_invalid;
+    // assign pcr_sign_input_invalid = mldsa_top.mldsa_dsa_ctrl_i.pcr_sign_input_invalid;
+    assign keygen_process = mldsa_top.mldsa_ctrl_inst.keygen_process;
+    assign signing_process = mldsa_top.mldsa_ctrl_inst.signing_process;
+    assign verifying_process = mldsa_top.mldsa_ctrl_inst.verifying_process;
+    assign keygen_signing_process = mldsa_top.mldsa_ctrl_inst.keygen_signing_process;
+
+    covergroup mldsa_top_cov_grp @(posedge clk);
+        reset_cp: coverpoint reset_n;
+        cptra_pwrgood_cp: coverpoint cptra_pwrgood;
+
+        mldsa_cmd_cp: coverpoint mldsa_cmd;
+        // pcr_sign_cp: coverpoint pcr_sign_mode;
+        zeroize_cp: coverpoint zeroize;
+        ready_cp: coverpoint ready;
+        valid_cp: coverpoint valid;
+
+        mldsa_privkey_lock_cp: coverpoint mldsa_privkey_lock;
+
+        error_flag_cp: coverpoint error_flag;
+        // privkey_input_outofrange_cp: coverpoint privkey_input_outofrange;
+        // r_output_outofrange_cp: coverpoint r_output_outofrange;
+        // s_output_outofrange_cp: coverpoint s_output_outofrange;
+        // r_input_outofrange_cp: coverpoint r_input_outofrange;
+        // s_input_outofrange_cp: coverpoint s_input_outofrange;
+        // pubkeyx_input_outofrange_cp: coverpoint pubkeyx_input_outofrange;
+        // pubkeyy_input_outofrange_cp: coverpoint pubkeyy_input_outofrange;
+        // pubkey_input_invalid_cp: coverpoint pubkey_input_invalid;
+        // pcr_sign_input_invalid_cp: coverpoint pcr_sign_input_invalid;
+
+        // cmd_ready_cp: cross mldsa_sw_cmd, ready;
+        cmd_kv_cp: cross mldsa_cmd, mldsa_privkey_lock;
+        // pcr_ready_cp: cross ready, pcr_sign_mode;
+        // pcr_cmd_cp: cross pcr_sign_mode, mldsa_cmd;
+        // zeroize_pcr_cp: cross zeroize, pcr_sign_mode;
+        zeroize_cmd_cp: cross zeroize, mldsa_cmd;
+        zeroize_error_cp: cross zeroize, error_flag;
+        zeroize_ready_cp: cross ready, zeroize;
+        // pcr_sign_input_invalid_cmd_cp: cross error_flag, mldsa_cmd;
+        error_keygen_cp: cross error_flag, keygen_process;
+        error_signing_cp: cross error_flag, signing_process;
+        error_verifying_cp: cross error_flag, verifying_process;
+        error_keygen_signing_cp: cross error_flag, keygen_signing_process;
+
+
+    endgroup
+
+    mldsa_top_cov_grp mldsa_top_cov_grp1 = new();
+
+endinterface
+
+`endif

src/mldsa_top/rtl/mldsa_ctrl.sv

@@ -287,7 +287,8 @@ always_comb mldsa_privkey_lock = '0;
   logic [MLDSA_OPR_WIDTH-1:$clog2(MsgStrbW)] msg_cnt;
   logic msg_hold;
 
-  logic error_flag, error_flag_reg;
+  logic error_flag;
+  logic error_flag_reg;
   logic error_flag_edge;
   logic subcomponent_busy;
   logic sign_subcomponent_busy;
@@ -850,11 +851,10 @@ always_comb mldsa_privkey_lock = '0;
       end
     end
   end
-
-  //concatenate OID and MSG to make msg prime
-  logic [MSG_NUM_DWORDS-1+4 : 0][DATA_WIDTH-1:0] msg_p_reg;
-
-  always_comb msg_p_reg = {24'h0, msg_reg, PREHASH_OID, 8'h00, 8'h01};
+
+  //pure-MLDSA assuming 512-bit input msg and empty ctx
+  logic [MSG_NUM_DWORDS-1+1 : 0][DATA_WIDTH-1:0] msg_p_reg;
+  always_comb msg_p_reg = {16'h0, msg_reg, 8'h00, 8'h00};
 
   always_comb rho_reg = verifying_process ? publickey_reg.enc.rho : privatekey_reg.enc.rho;
 
@@ -1638,7 +1638,7 @@ mldsa_seq_sec mldsa_seq_sec_inst
             INTT_raw_signal <= 'h0;
         end 
         else begin
-            if (prim_seq_en) begin
+            if (sec_seq_en) begin
                 unique case(sec_prog_cntr_nxt)
                     MLDSA_SIGN_VALID_S : begin //NTT(C)
                         NTT_raw_signal <= 'h1;

src/mldsa_top/rtl/mldsa_seq_prim.sv

@@ -197,7 +197,7 @@ module mldsa_seq_prim
                 MLDSA_SIGN_RND_S+ 2     : data_o_rom <= '{opcode:MLDSA_UOP_LFSR,        imm:'h0000, length:'d00, operand1:MLDSA_NOP,        operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 //μ ←H(tr||M,512)
                 MLDSA_SIGN_S            : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d64, operand1:MLDSA_TR_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
-                MLDSA_SIGN_S+ 1         : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d77, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
+                MLDSA_SIGN_S+ 1         : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d66, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
                 //ρ′=Keccak(K||rnd|| μ)
                 MLDSA_SIGN_S+ 2         : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d32, operand1:MLDSA_K_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 MLDSA_SIGN_S+ 3         : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d32, operand1:MLDSA_SIGN_RND_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
@@ -339,7 +339,7 @@ module mldsa_seq_prim
                 MLDSA_VERIFY_H_TR           : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:PUBKEY_NUM_BYTES, operand1:MLDSA_PK_REG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_TR_REG_ID};
                 //μ ←H(tr||M,512)
                 MLDSA_VERIFY_H_MU           : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d64, operand1:MLDSA_TR_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
-                MLDSA_VERIFY_H_MU+ 1        : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d77, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
+                MLDSA_VERIFY_H_MU+ 1        : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d66, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
                 //c ←SampleInBall(c˜1)
                 MLDSA_VERIFY_MAKE_C         : data_o_rom <= '{opcode:MLDSA_UOP_SIB, imm:'h0000, length:'d64, operand1:MLDSA_SIG_C_REG_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 //cˆ ←NTT(c)