32.4Scalar Crypto VIII: The Entropy Source (Zkr)

Part III Linux boot: optional Vol. I (Unprivileged) pp. 437–439 · ~3 min read

Ciphers are only as strong as their keys, and keys need real randomness. Zkr defines the seed CSR (0x015) — the architectural window onto a physical entropy source (NIST SP 800-90B or BSI AIS-31 compliant). It is not a random number generator: it delivers raw physical entropy 16 bits at a time, to be conditioned (hashed) and fed to a DRBG.

seed (0x015), unprivileged

OPST3130reserved/custom2916entropy150
WPRI/RO WLRL WARL RW
Click a field for semantics, reset state, and the minimal-implementation note.

The polling protocol

How software reads entropy
Rule
Read with csrrw rd, seed, x0A READ-ONLY form (csrrs rd, seed, x0 etc.) raises illegal-instruction — reading must carry write semantics to trigger the wipe. The written value is ignored.
Wipe-on-readPolling clears the entropy word and returns state to WAIT — no secret word is ever delivered twice (anti-replay).
Poll until ES16WAIT is not an error; loop until OPST=10, then consume seed[15:0]. Only OPST signals validity — the numeric value never does (0x0000 under ES16 is real entropy).
Condition + DRBGGather ~256 ES16 reads, hash (SHA-2/3) into a full-entropy seed, seed a DRBG (AES CTR_DRBG) — that composition is the cryptographic RNG.
Access controlM-mode only by default; mseccfg.SSEED / mseccfg.USEED grant S / U access. DEAD (11) is permanent — reset or replace.
Dotted-underlined cells have explanations — click one.

Hardware Designer Notes

The entropy interface is deliberately minimal so the hard part (a certified noise source) stays a specialist analog-design problem, while the digital interface — one CSR, a four-state machine, wipe-on-read — is trivially verifiable. For a Linux box, Zkr feeds getrandom()/the kernel CSPRNG; without it, boot-time entropy is a known headache.

Minimal Linux-boot hart MUST

  • Implement the OPST state machine (BIST → WAIT → ES16, DEAD terminal) with wipe-on-read clearing entropy and returning to WAIT
  • Raise illegal-instruction on read-only-form accesses and on accesses outside granted modes (mseccfg.SSEED/USEED)
  • Force entropy[15:0]=0 whenever OPST≠ES16

MAY simplify / trap-and-emulate

  • Certify the physical source to SP 800-90B or AIS-31 — required for real security claims, and the reason verification of THIS interface (not the noise physics) is the architectural test target
  • Omit Zkr and rely on a platform TRNG via MMIO — but the CSR interface is the portable, virtualizable path

Check yourself — the entropy source

1.Why does reading the seed CSR with a read-ONLY instruction (csrrs rd, seed, x0) raise illegal-instruction?

2.A poll returns OPST=ES16 with entropy=0x0000. Is that valid randomness?

3.Why is the entropy source NOT itself a secure random number generator?

4.Who can access seed by default, and how is that changed?

4 questions