32.6-2Scalar Crypto X: Instruction & Entropy Rationale

Part III Linux boot: optional Vol. I (Unprivileged) pp. 446–451 · ~2 min read

The design-rationale sections (§32.6 instructions, §32.7 entropy) record why the crypto extension looks the way it does — useful as a checklist when evaluating or extending it.

Key design decisions and their reasons
Rationale
Per-round, not per-block, instructionsThe 2-read-1-write register model can’t hold a 128-bit block; software-sequenced rounds scale one instruction set from IoT to server and stay agnostic to key size.
Byte/two-column granularity (RV32/RV64)The “T-table in hardware” approach — fuse SBox and linear layer per byte — matches register width without exposing a memory table’s timing.
Encrypt/decrypt and NIST/ShangMi splitsDeployment economics: GCM needs only forward AES; SM ciphers are jurisdiction-specific. Pay silicon only for what the market needs.
Shared SBox hardwareForward and inverse AES SBoxes share the GF-inverse core; the spec points implementers at the compact-SBox literature.
Entropy: poll-and-wipe CSRA polled seed CSR is simple, virtualizable, and mediation-friendly (mseccfg gating); wipe-on-read enforces anti-replay; 16-bit granularity forces proper software conditioning.
Entropy certificationThe source must meet NIST SP 800-90B or BSI AIS-31 — so the architectural test target is the CSR INTERFACE, not the analog noise physics (a specialist domain).
Dotted-underlined cells have explanations — click one.

Hardware Designer Notes

Treat §32.6-7 as the review rubric for any crypto-capable core: the instruction set is easy to implement functionally and easy to get subtly wrong on the two properties that matter — constant-time timing and certified entropy. Those, not the SBox gates, are where security lives.

Minimal Linux-boot hart MUST

  • Nothing beyond the instruction pages — this is the WHY behind decisions already implemented

MAY simplify / trap-and-emulate

  • Use the rationale as an acquisition checklist: does a candidate core share its SBox, attest Zkt, certify its entropy source, and gate seed via mseccfg?

Check yourself — crypto design rationale

1.Why did the designers choose per-round instructions over a single full-block AES instruction?

2.The entropy-source rationale recommends polling over trapping. Why?

2 questions