

# A Formal Methodology for Verifying RISC-V Cores

Chen Wei Wei, 13.11.2019



assuring IC integrity



### Leading-Edge Technology Targeting critical hardware verification challenges

#### **Functional Correctness**

Rigorous coverage-driven functional verification from block to chip, leveraging formal technology



Design Exploration Protocol Violations Integrate Formal/Sim Coverage End-to-End User Assertions HLS/SystemC Verification Synthesis/P&R Errors



Safety analysis and higher diagnostic coverage to meet strict certification requirements



FMEDA of Complex SoCs Failure Mode Distribution Avoid Excessive Fault Simulations Measure Diagnostic Coverage ISO 26262 Compliance Tool Qualification

#### **Trust and Security**

Automated detection of RTL Trojans and hardware vulnerabilities to adversary attacks



Denial of Service Data Leakage Privileges Escalation Data Integrity/Confidentiality Hardware Backdoors Hardware Trojans

#### **OneSpin 360® Formal Platform**

#### **Heterogeneous Computing**



Thorough verification of complex SoC platforms used for 5G wireless, IoT, and AI applications

#### Automotive and Industrial



Systematic bug elimination and metrics on proper handling of random errors in the field

#### **RISC-V**



Efficient and complete verification, including custom extensions. Compliance to ISA.

#### **OneSpin Solutions and Services**

Page 2 | © 2019 OneSpin Solutions

www.onespin.com

### **RISC-V Verification Challenges**

Does the RTL precisely implement the RISC-V ISA spec?

**RISC-V** cores become very popular

- Use in critical application domains including mil/aero, automotive, IoT, industry
- Trust in IP implementation is critical for business and mission success
- Commercial IP vendors, including internal IP groups must perform extensive verification, demonstrate the results to their clients
- Open source IP users must perform own verification, especially when adding custom extensions

#### **RISC-V** processor cores are hard to verify

- Complex µ-architectures to achieve PPA targets
- Many configurations of implementation

#### **Inadequate Methods**

- Months of verification setup, weeks of simulation for each instance
- Bounded formal proofs, hard to setup&reuse
- Bugs and additional logic remain undetected

**Alternative: Formal methodology** 









# **RISC-V Formal Methodology**

Automates and Accelerates Verification

#### **OneSpin RISC-V Formal Verification App**

- Completely verifies RISC-V Core RTL Implementations with full proofs, no bugs escape
- Guarantees full compliance with ISA and privileged ISA
- Takes less than a week to setup, runs only 2 hours on complete core
- Identifies unspecified instructions/CSRs
- Proven on 32-Bit and 64-Bit commercial and open source implementations with single issue pipeline, out-of-order completion, and branch prediction

Page 4



#### Verification Flow with OneSpin RISC-V Formal App





# RISC-V ISA

Excerpt of configuration choices



www.onespin.com



## **RISC-V** Parameterization



Sample configuration:

- RV64IMA
- Page-based 39-bit virtual memory system
- User mode
- No counters
- 8 PMPs
- Debug mode according to debug spec
- Initial PC 0x10040

SVA instantiation parameter map:

**green**: provided by App **blue** : provided by user

### **RISC-V ISA Description**





www.onespin.com

Page 7 | © 2019 OneSpin Solutions

### **Formalized User-Level ISA**



- · Captures effect of instructions on architecture state and output to data memory
- Formalized in SystemVerilog Assertions(SVA)



## **Verification of RISC-V Implementation**



- Instructions executed as specified in ISA
  - Example: **Operational SVA** for LW instruction fully verifying Use ISA forwarding to decode/execute and full register update formalization t##0 Ready2Execute and t##0 set freeze(dec,decode(ibuf\_io\_inst\_0\_bits\_raw,RF)) and t##0 ibuf io inst 0 valid && dec.instr == LW && Overlapping !dec.xcpt.valid && !ctrl stalld Non-exceptional instructions implies execution of LW t##1 Ready2Execute and Check expected register pipe result(dec,RF,result) and file and DCache request pipe dmem out(dec);
  - Several opcodes can be handled in same property
  - Exceptions, bubbles, and replay handled in separate properties

from ISA

### **Operational SVAssertion**



- Formally captures single DUV operation
  - Suppose part describes cause when does assertion apply
  - Prove part specifies effect intended behavior in that case



### **Selection of Issues Found in Rocket Core**

- DIV (divide) result not written to register file (#1752)
  - Issue confirmed by Rocket Core developers and fixed in RTL
- Illegal opcodes replayed (#1861)
  - Illegal opcodes or fetch side exceptions can cause spurious memory access
- Core contains undocumented non-standard instruction (#1868)
  - Issue confirmed by Rocket Core developers and fixed in RTL (misa.X bit set)
- Core contains undocumented non-standard CSR (#1949)
  - CSR 0x7c1 reads back as 0
- Return from debug mode is executable outside of debug mode (#2022)
  - · Issue confirmed by Rocket Core developers and fixed in RTL





## **Selection of Issues Found in RI5CY Core**



- Fetch side exception influences execution of earlier instruction (#132)
  - Earlier instruction executes as if exception of later instruction had already been taken
- Missing illegal exceptions (#136, #137, #170)
  - Several scenarios specified as raising illegal exceptions do not
- Wrong physical memory protection (PMP) computation (#159)
  - PMPs beyond first match are looked up to check for legal access
- Wrong rounding mode for F extension (#169, #174)
  - Updates of rounding mode register not visible for next instruction
- Update of interrupt enable by exception violates spec (#182)
  - Applies both to entering and return from exception

# Summary



- RISC-V formal verification methodology proves DUT against RISC-V spec
  - Compliance without hidden additional instructions or registers
  - Finds ISA violations, other functional correctness bugs, and security and trust issues
- App setup in 3 steps
  - Configure app to implemented RISC-V ISA extensions
  - Automatic extraction of architecture registers from DUT
  - Adaption of templates to concrete pipeline implementation and cache interfaces
- Developed on RocketCore standard configuration
  - Exhaustive proofs for core achieved for all instructions on 64-bit pipeline with out-oforder completion in 2-hour sequential runtimes
- Also run on RI5CY 32-bit core
  - 13 issues (so far) reported to core development team

OneSpin for IC Integrity Visit <u>https://www.onespin.com</u>





OneSpin provides certified **IC Integrity Verification Solutions** to develop reliable, safe, secure, and trusted integrated circuits.