Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 41 Next »

Status at a glance:

Scalar Crypto Specification:

Lightweight instruction set extensions for RV32 and RV64 HARTs.  Proposed extensions:

  • Extensions fully defined in the Scalar Crypto Specification:  K, Zkn, Zks, Zkr, Zkne, Zknd, Zknh, Zksed, Zksh
  • Shared with the Bit-Manipulation Specification: Zkg, Zkb

Specification

  • Latest Draft Scalar Crypto Specification (v0.9.0)
  • Stable
  • What's next:
    • Needs translation into ASCIIDOC.
      • Expecting this to happen after the specification is frozen, possibly post public review.
    • Incorporate results of OpCode consistency review from Ken, once available
  • Roadmap:
    • Next version will include any feedback from opcode consistency review, plus any small cleanups and editorial work.
      • aes32* and sm4* encodings will change to remove the `rt` field.
      • Change aes64ks1i "rcon" immediate to "rnum".
    • v1.0.0 will be the public review version.

Encoding/OpCode consistency review

  • Opcodes and encodings proposed
  • Instruction extensions (instruction groupings) proposed
  • Submitted to review task group
  • The Bit-Manipulation shared subsets are being reviewed first as part of Bit-Manipulation specification review
    • Proposed as Zkg (clmul) and Zkb (specific crypto-required bit-manipulation commands)
  • The Proposed Scalar Crypto-unique subsets are next in line for review:
    • K (Krypto): 
      • Zkn (full NIST Suite):  ZKne (NIST encrypt suite), ZKnd (NIST decrypt suite), ZKnh (NIST hash suite), Zkg, Zkb (see above)
      • Zkr (random entropy source)
    • Zks (full ShangMi Suite):  Zksed (SM4 encrypt/decrypt suite), Zksh (SM3 hash suite), Zkg, Zkb (see above)
  • OpCode and Consistency Review page
  • What's next:  Respond to OpCode and Consistency Review comments, once available, and achieve consensus on any changes.
  • (warning)We need to discuss the aes32* and sm4* rt encodings.
    • Comments from others and Andrew particularly suggest that having distinct rd/rs1/rs2 is acceptable and that we over-estimated the importance of minimising encoding cost.
    • We will likely be reverting to the original form of these instructions, with separate rd/rs1/rs2 before public review.

Architecture Tests

  • Test plan for the scalar-crypto specific instructions is available.
  • Imperas have a complete set of tests, written to the existing test plan, for the scalar crypto instructions and the bitmanip instructions we borrow.
    • These have been merged into the main test suite as of PR#177, with many thanks to Imperas for the contribution.
      • Sail, OVPSim and Sail all agree on the test signatures.
    • They form a base we can use to develop prototype implementations / Spike / SAIL / QEMU very easily and quickly.
  • Upstream Spike support for enabling it to work with the K test suite is being added in PR#687.
  • IIT Madras are also looking at writing the scalar crypto tests for integration into the official architectural tests repo as well.
    • Agreed SoW for IITM
    • They will re-implement the tests as part of the blessed coverage and test generation tooling.
    • We then switch over to using the IIT tests when they are finished, since they will be easier to maintain/extend going forward than the Imperas tests.
  • YAML config changes for K have been merged in. See here.

Compilers / Toolchains

Imperas maintain pre-built toolchains for various in-progress RISC-V extensions here. See the "rvk-*" branches for scalar crypto.

GCC and Assembler

  • Experimental / development toolchain available in the riscv-crypto repository.
    • This cannot be up-streamed, but can be used for development work for now.
  • Intrinsics proposal from Markku
  • PLCT Lab are starting this work in an up-streamable way.
    • Expecting an update next week. I.e. by March 20'th.

LLVM

Simulators

Though all listed under "simulators", these are actually a collection of formal model / virtual machine / architectural simulators / DV simulators etc.

SAIL

  • Currently working on getting support merged in upstream in PR#80
    • Support for all scalar-crypto dedicated instructions is present.
    • Support for the entropy source is still the main point of discussion.
    • No support for Bitmanip. The Bitmanip TG is waiting until after the opcode and consistency review to start writing SAIL code.
    • (warning) This PR is "paused" until the next release of the scalar crypto spec, which will bring some functional changes to the `aes32*` and `sm4*` instructions.

Spike

  • Upstream support has been merged in as of PR#635
    • Support for all of scalar crypto specific instructions and entropy source.
    • The only feature left is to enable the right Bitmanip instructions when K is enabled. Currently, one must include "b" in the spike "–isa=" argument.
    • PR#649 has now been merged. Support now consistent with v0.9.0.

riscvOVPSimPlus

  • Imperas Commercial Simulator
  • Freeware version
  • Support for:
    • Crypto-scalar v0.7.2, v0.81 + Bitmanip subsets
    • Bitmanip 0.92, 0.93
    • Functional coverage collection.

QEMU

Proof-of-Concept implementations

Hardware

Project NameBase ArchitectureLevel of implementationNotes
Stand-alone functional unitsRV32/64Yosys SynthesisStand-alone functional-unit style implementations of the dedicated scalar crypto instructions. Free to use as "drop-ins" for prototyping.
scarv-cpuRV32Behavioural RTL simulation / Yosys Synthesis / FPGA

Completely Public/Open Source. Useful as a public baseline. Commercial implementations should aim to be better than this!

PQShield security coreRV32(assumed) Behavioural RTL simulation. Running on FPGA.Closed / commercial source - PQShield.
Minidice TRNGN/AFPGA ImplementationClosed / commercial source - PQShield. Complete implementation of the RISC-V entropy source.
Romain Dolbeau / VexRISC-VRV32Running on FPGA.Uses VexRiscv core as a base. Completely independent implementation from scratch, outside the Crypto TG.
IQonIC Works RV32IC_P5RV32In development"implemented Zkn (...), along with selectable Zb* and Zkb. We also have an optional custom extension that does AES block encrypt/decrypt, and a bus-based AES/cipher-mode accelerator. Work in progress benchmarking them on FPGA to compare relative performance in accelerating crypto library functions."
croyde-riscvRV64Behavioural RTL simulation / Yosys Synthesis / FPGA3-stage RV64 micro-controller. rv64imck. Free/Open source. Something commercial implementations should better. Implements everything except ZKR.
  • (warning) We still need RV64 implementations. (warning)
  • Barry Spinney has offered to do advanced node synthesis runs for open source implementations.
    • I (Ben) intend to take him up on this when I get time. No idea when that will be.

Software

Project/MaintainerDescription
Romain DolbeauIndependent implementations of various important ciphers + modes of operation.
rvkrypto-fips / Markku"FIPS 140-3 and higher-level algorithm Tests for RISC-V Crypto Extension"
riscv-crypto benchmarksInitial benchmarks used to develop the scalar crypto extension.

ABI Extensions

  • None required




  • No labels