The design-rationale sections (§32.6 instructions, §32.7 entropy) record why the crypto extension looks the way it does — useful as a checklist when evaluating or extending it.
| Rationale | |
|---|---|
| Per-round, not per-block, instructions | The 2-read-1-write register model can’t hold a 128-bit block; software-sequenced rounds scale one instruction set from IoT to server and stay agnostic to key size. |
| Byte/two-column granularity (RV32/RV64) | The “T-table in hardware” approach — fuse SBox and linear layer per byte — matches register width without exposing a memory table’s timing. |
| Encrypt/decrypt and NIST/ShangMi splits | Deployment economics: GCM needs only forward AES; SM ciphers are jurisdiction-specific. Pay silicon only for what the market needs. |
| Shared SBox hardware | Forward and inverse AES SBoxes share the GF-inverse core; the spec points implementers at the compact-SBox literature. |
| Entropy: poll-and-wipe CSR | A polled seed CSR is simple, virtualizable, and mediation-friendly (mseccfg gating); wipe-on-read enforces anti-replay; 16-bit granularity forces proper software conditioning. |
| Entropy certification | The source must meet NIST SP 800-90B or BSI AIS-31 — so the architectural test target is the CSR INTERFACE, not the analog noise physics (a specialist domain). |
Hardware Designer Notes
Treat §32.6-7 as the review rubric for any crypto-capable core: the instruction set is easy to implement functionally and easy to get subtly wrong on the two properties that matter — constant-time timing and certified entropy. Those, not the SBox gates, are where security lives.
Minimal Linux-boot hart MUST
- Nothing beyond the instruction pages — this is the WHY behind decisions already implemented
MAY simplify / trap-and-emulate
- Use the rationale as an acquisition checklist: does a candidate core share its SBox, attest Zkt, certify its entropy source, and gate seed via mseccfg?
Check yourself — crypto design rationale
1.Why did the designers choose per-round instructions over a single full-block AES instruction?
2.The entropy-source rationale recommends polling over trapping. Why?