I'm excited to see that the RV32 AES instructions now have separate rs1 and rd fields, because the previous version combined them into just rt, which was kind of annoying from an implementation perspective, since you had some register that was both input and output (iirc, unlike any other RV32 instruction previously implemented on that hardware)
Also like Xeon Phi, I'm guessing you could add that hardware, it just hasn't been done because the other priorities were more interesting, and the practical performance would be "disappointing".
- Some miscellaneous bit twiddling instructions (rotate, permute, pack, ...) useful in various crypto schemes.
- AES.
- SHA2 (-256 and -512).
- SM3 and SM4.
- Physical entropy source (with some variants to accommodate low profile variants)
I'm biased, but the spec is supposed to be very accessible to people without a cryptography background. There's a section on who the intended audience is and what assumptions are made about their background. I'd really recommend it.
> The SM3/4 were unfamiliar to me - apparently it is a hash function & block cipher used in Chinese WiFi variant.
SM3/4 are required for use in certain places in China. RISC-V is popular in China, hence their inclusion in the RISC-V spec. My expectation is that SM3/4 will not likely ever be adopted outside China.
> Physical entropy source (with some variants to accommodate low profile variants)
There are no "variants" of the entropy source. There is one entropy source interface definition which is designed to scale across the many RISC-V implementation profiles. It's very different to x86/RDRAND which lots of people are used to.
That sounds like a pretty poor reason.
China could create the RISC-V SCE-China spec that extends RISC-V SCE with these, and call it a day, instead of requiring the rest of the world to waste transistors for something that's useless.
Certainly! As you can probably tell from my comment I'm not expert and I found it easy to follow.
I just wanted to post a summary for anyone who is interested but doesn't find time to go into details. I know that I myself often read this site on phone and I appreciate similar comments giving a tl;dr on more complex stories.
> There are no "variants" of the entropy source. There is one entropy source interface definition which is designed to scale across the many RISC-V implementation profiles. It's very different to x86/RDRAND which lots of people are used to.
Maybe I phrased it poorly but section "4.2. Entropy Source Requirements" states: "An implementation of the entropy source should meet at least one of the following requirements sets in order to be considered a secure and safe design". It then gives three options, one of which ("4.2.3 Virtual Sources: Security Requirement") states "A virtual source is not a physical entropy source" and "A virtual source traps access to the seed CSR, emulates it, or otherwise implements it without direct access to a physical entropy source.".
My interpretation is that there is indeed a single interface (CSR) however the hardware implementation could be both real physical entropy source or a CSPRNG. And presumably the latter is more likely on low-end devices.
Please let me know if I'm getting this wrong.
I don't know whether I resent crypto because it gets the cool instructions at low latency because it's so important, or whether I love it due to the fact that even the "leavings at the crypto table" are computationally useful.
Base RISCV even lacks CLZ/popcount -- so it's a step backward from other popular architectures.
That said the stuff in bitmanip and crypto looks pretty good, so if they actually end up in chips that will be nice. On the other hand it's not clear how much awesome code will get written really exploiting them when they aren't everywhere-- which is probably why we're in this situation to begin with.
Agreed that stuff like CLZ/popcount/rotate etc should not be tucked away in a weird extension. I'm a bit alarmed at RISC-V's tendency to fragment into a gazillion subsets (the argument is that it's better to at least define the subsets rather than have a nightmare of incompatible and overlapping extensions, but still).