Ciphers are only as strong as their keys, and keys need real
randomness. Zkr defines the seed CSR (0x015) — the
architectural window onto a physical entropy source (NIST SP 800-90B
or BSI AIS-31 compliant). It is not a random number generator: it
delivers raw physical entropy 16 bits at a time, to be conditioned
(hashed) and fed to a DRBG.
seed (0x015), unprivileged
The polling protocol
| Rule | |
|---|---|
| Read with csrrw rd, seed, x0 | A READ-ONLY form (csrrs rd, seed, x0 etc.) raises illegal-instruction — reading must carry write semantics to trigger the wipe. The written value is ignored. |
| Wipe-on-read | Polling clears the entropy word and returns state to WAIT — no secret word is ever delivered twice (anti-replay). |
| Poll until ES16 | WAIT is not an error; loop until OPST=10, then consume seed[15:0]. Only OPST signals validity — the numeric value never does (0x0000 under ES16 is real entropy). |
| Condition + DRBG | Gather ~256 ES16 reads, hash (SHA-2/3) into a full-entropy seed, seed a DRBG (AES CTR_DRBG) — that composition is the cryptographic RNG. |
| Access control | M-mode only by default; mseccfg.SSEED / mseccfg.USEED grant S / U access. DEAD (11) is permanent — reset or replace. |
Hardware Designer Notes
The entropy interface is deliberately minimal so the hard part (a certified noise source) stays a specialist analog-design problem, while the digital interface — one CSR, a four-state machine, wipe-on-read — is trivially verifiable. For a Linux box, Zkr feeds getrandom()/the kernel CSPRNG; without it, boot-time entropy is a known headache.
Minimal Linux-boot hart MUST
- Implement the OPST state machine (BIST → WAIT → ES16, DEAD terminal) with wipe-on-read clearing entropy and returning to WAIT
- Raise illegal-instruction on read-only-form accesses and on accesses outside granted modes (mseccfg.SSEED/USEED)
- Force entropy[15:0]=0 whenever OPST≠ES16
MAY simplify / trap-and-emulate
- Certify the physical source to SP 800-90B or AIS-31 — required for real security claims, and the reason verification of THIS interface (not the noise physics) is the architectural test target
- Omit Zkr and rely on a platform TRNG via MMIO — but the CSR interface is the portable, virtualizable path
Check yourself — the entropy source
1.Why does reading the seed CSR with a read-ONLY instruction (csrrs rd, seed, x0) raise illegal-instruction?
2.A poll returns OPST=ES16 with entropy=0x0000. Is that valid randomness?
3.Why is the entropy source NOT itself a secure random number generator?
4.Who can access seed by default, and how is that changed?