RISC-V International
Status at a glance:
- Current Definition-of-Done Status: Stable
- Next Definition-of-Done Status:: Freeze
- (allows start of formal public review period)
Scalar Crypto Specification:
Lightweight instruction set extensions for RV32 and RV64 HARTs. Proposed extensions:
- Extensions fully defined in the Scalar Crypto Specification: K, Zkn, Zks, Zkr, Zkne, Zknd, Zknh, Zkse, Zksd, Zksh
- Shared with the Bit-Manipulation Specification: Zkg, Zkb
Specification
- Draft Scalar Crypto Specification (v0.8.1)
- Stable
- What's next:
- Needs translation into ASCIIDOC
- Incorporate results of OpCode consistency review, once available
Encoding/OpCode consistency review
- Opcodes and encodings proposed
- Instruction extensions (instruction groupings) proposed
- Submitted to review task group
- The Bit-Manipulation shared subsets are being reviewed first as part of Bit-Manipulation specification review
- Proposed as Zkg (clmul) and Zkb (specific crypto-required bit-manipulation commands)
- The Proposed Scalar Crypto-unique subsets are next in line for review:
- K (Krypto):
- Zkn (full NIST Suite): ZKne (NIST encrypt suite), ZKnd (NIST decrypt suite), ZKnh (NIST hash suite), Zkg, Zkb (see above)
- Zkr (random entropy source)
- Zks (full ShangMi Suite): Zkse (SM encrypt suite), Zksd (SM decrypt suite), Zksh (SM hash suite), Zkg, Zkb (see above)
- K (Krypto):
- OpCode and Consistency Review page
- What's next: Respond to OpCode and Consistency Review comments, once available, and achieve consensus on any changes
Architecture Tests
- Test plan for the scalar-crypto specific instructions is available.
- No actual tests suitable for use currently available. An old experimental set need removing from the riscv-crypto repository, as these no longer work with the latest toolchain or architectural test framework.
- What's next: Currently exploring two paths:
- Imperas have a complete set of tests, written to the existing test plan, for the scalar crypto instructions and the bitmanip instructions we borrow.
- Some work required to re-generate them in a form suitable for merging into the main architectural test suite.
- No exact estimate for how much work this is in days/weeks.
- IIT Madras are looking at writing the scalar crypto tests for integration into the official architectural tests repo as well.
- No estimate for how long that would take yet.
- Possible path forward:
- Ask Imperas to contribute their complete scalar-crypto + bitmanip subset tests.
- IIT Madras can then write the coverage plan for the architectural test framework.
- Any future changes to the contributed tests would need to be carefully managed, as they were not generated with the RISC-V test generator tool.
- Imperas have a complete set of tests, written to the existing test plan, for the scalar crypto instructions and the bitmanip instructions we borrow.
GCC and Assembler
- Experimental / development toolchain available in the riscv-crypto repository.
- This cannot be up-streamed, but can be used for development work for now.
- Up-streamable support is WiP with PQShield.
- Progress so far:
- Progress so far:
SAIL
- Currently working on getting support merged in upstream in PR#80
- Support for all scalar-crypto dedicated instructions is present.
- Support for the entropy source is still the main point of discussion.
- No support for Bitmanip. The Bitmanip TG is waiting until after the opcode and consistency review to start writing SAIL code.
Spike
- Upstream support has been merged in as of PR#635
- Support for all of scalar crypto specific instructions and entropy source.
- The only feature left is to enable the right Bitmanip instructions when K is enabled. Currently, one must include "b" in the spike "–isa=" argument.
- Some pending bug fixes in PR#649
LLVM
- No work started yet.
- Work will be done by PLTC lab under the group contributor model.
QEMU
- No work started yet.
- Work will be done by PLTC lab under the group contributor model.
Proof-of-Concept implementations
Hardware
| Project Name | Base Architecture | Level of implementation | Notes |
|---|---|---|---|
| scarv-cpu | RV32 | Behavioural RTL simulation. Running on FPGA. Post yosys synthesis results. | Completely Public/Open Source. Useful as a public baseline. Commercial implementations should aim to be better than this! |
| PQShield security core | RV32 | (assumed) Behavioural RTL simulation. Running on FPGA. | Closed / commercial source. Most complete implementation of the entropy source. |
| Romain Dolbeau / VexRISC-V | RV32 | Running on FPGA. | Uses VexRiscv core as a base. Completely independent implementation from scratch, outside the Crypto TG. |
- We still need a RV64 implementation.
- I (Ben) am working on adding support to a toy core of mine, but I don't have much time to dedicate to this.
- Barry Spinney has offered to do advanced node synthesis runs for open source implementations.
- I (Ben) intend to take him up on this when I get time. No idea when that will be.
Software
| Project/Maintainer | Description |
|---|---|
| Romain Dolbeau | Independent implementations of various important ciphers + modes of operation. |
| rvkrypto-fips / Markku | "FIPS 140-3 and higher-level algorithm Tests for RISC-V Crypto Extension" |
| riscv-crypto benchmarks | Initial benchmarks used to develop the scalar crypto extension. |
ABI Extensions
- None required
Overview
Content Tools