From bffeed3bf3d9cc306a9d33753f22a8af4d6b8a90 Mon Sep 17 00:00:00 2001 From: Ben Marshall Date: Fri, 18 Dec 2020 09:43:23 +0000 Subject: [PATCH] spec,spike,sail,toolchain: Update SM4/RV32 AES encodings. After feedback (see #65) and discussion within the TG at the Dec 17'th 2020 meeting, the SM4 and RV32 AES instruction encodings have been changed to source rd from rs1, and re-use the rd field as encoding space. This was deemed preferable to reclaiming the opcode space with the former rd==rs1 scheme. The change updates the encodings in the specificaiton, and brings the other components of the repository in line with this: - Spike - Binutils - SAIL - Benchmarks - Intrinsics On branch dev/next-release Your branch is up-to-date with 'origin/dev/next-release'. Changes to be committed: modified: benchmarks/aes/zscrypto_rv32/aes_128_ks.S modified: benchmarks/aes/zscrypto_rv32/aes_192_ks.S modified: benchmarks/aes/zscrypto_rv32/aes_256_ks.S modified: benchmarks/aes/zscrypto_rv32/aes_dec.S modified: benchmarks/aes/zscrypto_rv32/aes_enc.S modified: benchmarks/share/riscv-crypto-intrinsics.h modified: bin/better_parse_opcodes.py modified: doc/Makefile modified: doc/riscv-crypto-spec-scalar.tex modified: doc/tex/appx-scalar-encodings.tex modified: doc/tex/sec-scalar-aes.tex modified: doc/tex/sec-scalar-sha2.tex modified: doc/tex/sec-scalar-sm4.tex modified: sail/riscv_insts_crypto.sail modified: sail/riscv_insts_crypto_rv32.sail modified: sail/riscv_insts_crypto_rv64.sail modified: tools/opcodes-crypto-scalar-both modified: tools/opcodes-crypto-scalar-rv32 modified: tools/patch-binutils.patch modified: tools/patch-spike.patch Changes not staged for commit: modified: extern/riscv-compliance (modified content) modified: extern/riscv-gnu-toolchain (modified content) modified: extern/riscv-isa-sim (modified content) modified: extern/sail-riscv (modified content, untracked content) --- benchmarks/aes/zscrypto_rv32/aes_128_ks.S | 28 ++--- benchmarks/aes/zscrypto_rv32/aes_192_ks.S | 28 ++--- benchmarks/aes/zscrypto_rv32/aes_256_ks.S | 36 ++++--- benchmarks/aes/zscrypto_rv32/aes_dec.S | 114 ++++++++++----------- benchmarks/aes/zscrypto_rv32/aes_enc.S | 114 ++++++++++----------- benchmarks/share/riscv-crypto-intrinsics.h | 12 +-- bin/better_parse_opcodes.py | 3 +- doc/Makefile | 4 +- doc/riscv-crypto-spec-scalar.tex | 2 +- doc/tex/appx-scalar-encodings.tex | 17 ++- doc/tex/sec-scalar-aes.tex | 22 ++-- doc/tex/sec-scalar-sha2.tex | 4 +- doc/tex/sec-scalar-sm4.tex | 17 ++- sail/riscv_insts_crypto.sail | 100 +++++++++--------- sail/riscv_insts_crypto_rv32.sail | 88 ++++++++-------- sail/riscv_insts_crypto_rv64.sail | 109 +++++++++++--------- tools/opcodes-crypto-scalar-both | 4 +- tools/opcodes-crypto-scalar-rv32 | 8 +- tools/patch-binutils.patch | 28 ++--- tools/patch-spike.patch | 52 ++++++---- 20 files changed, 400 insertions(+), 390 deletions(-) diff --git a/benchmarks/aes/zscrypto_rv32/aes_128_ks.S b/benchmarks/aes/zscrypto_rv32/aes_128_ks.S index dcc360e9..79101bbc 100644 --- a/benchmarks/aes/zscrypto_rv32/aes_128_ks.S +++ b/benchmarks/aes/zscrypto_rv32/aes_128_ks.S @@ -57,10 +57,10 @@ aes_128_enc_key_schedule: // a0 - uint32_t rk [AES_128_RK_WORDS] xor C0, C0, RCT // c0 ^= rcp ROR32I T1, T2, C3, 8 // tr = ROR32(c3, 8) - aes32esi C0, C0, T1, 0 // tr = sbox(tr) - aes32esi C0, C0, T1, 1 // - aes32esi C0, C0, T1, 2 // - aes32esi C0, C0, T1, 3 // + aes32esi C0, T1, 0 // tr = sbox(tr) + aes32esi C0, T1, 1 // + aes32esi C0, T1, 2 // + aes32esi C0, T1, 3 // xor C1, C1, C0 // C1 ^= C0 xor C2, C2, C1 // C1 ^= C0 @@ -110,15 +110,17 @@ aes_128_dec_key_schedule: // a0 - uint32_t rk [AES_128_RK_WORDS] lw T0, 0(RKP) // Load key word - aes32esi T1, zero, T0, 0 // Sub Word Forward - aes32esi T1, T1 , T0, 1 - aes32esi T1, T1 , T0, 2 - aes32esi T1, T1 , T0, 3 - - aes32dsmi T0, zero, T1, 0 // Sub Word Inverse & Inverse MixColumns - aes32dsmi T0, T0 , T1, 1 - aes32dsmi T0, T0 , T1, 2 - aes32dsmi T0, T0 , T1, 3 + li T1, 0 + aes32esi T1, T0, 0 // Sub Word Forward + aes32esi T1, T0, 1 + aes32esi T1, T0, 2 + aes32esi T1, T0, 3 + + li T0, 0 + aes32dsmi T0, T1, 0 // Sub Word Inverse & Inverse MixColumns + aes32dsmi T0, T1, 1 + aes32dsmi T0, T1, 2 + aes32dsmi T0, T1, 3 sw T0, 0(RKP) // Store key word. diff --git a/benchmarks/aes/zscrypto_rv32/aes_192_ks.S b/benchmarks/aes/zscrypto_rv32/aes_192_ks.S index ed3731d4..ea3497d4 100644 --- a/benchmarks/aes/zscrypto_rv32/aes_192_ks.S +++ b/benchmarks/aes/zscrypto_rv32/aes_192_ks.S @@ -67,10 +67,10 @@ aes_192_enc_key_schedule: // a0 - uint32_t rk [AES_192_RK_WORDS] xor C0, C0, RCT // c0 ^= rcp ROR32I T1, T2, C5, 8 // tr = ROR32(c3, 8) - aes32esi C0, C0, T1, 0 // tr = sbox(tr) - aes32esi C0, C0, T1, 1 // - aes32esi C0, C0, T1, 2 // - aes32esi C0, C0, T1, 3 // + aes32esi C0, T1, 0 // tr = sbox(tr) + aes32esi C0, T1, 1 // + aes32esi C0, T1, 2 // + aes32esi C0, T1, 3 // xor C1, C1, C0 // C1 ^= C0 xor C2, C2, C1 // C2 ^= C1 @@ -122,15 +122,17 @@ aes_192_dec_key_schedule: // a0 - uint32_t rk [AES_192_RK_WORDS] lw T0, 0(RKP) // Load key word - aes32esi T1, zero, T0, 0 // Sub Word Forward - aes32esi T1, T1 , T0, 1 - aes32esi T1, T1 , T0, 2 - aes32esi T1, T1 , T0, 3 - - aes32dsmi T0, zero, T1, 0 // Sub Word Inverse & Inverse MixColumns - aes32dsmi T0, T0 , T1, 1 - aes32dsmi T0, T0 , T1, 2 - aes32dsmi T0, T0 , T1, 3 + li T1, 0 + aes32esi T1, T0, 0 // Sub Word Forward + aes32esi T1, T0, 1 + aes32esi T1, T0, 2 + aes32esi T1, T0, 3 + + li T0, 0 + aes32dsmi T0, T1, 0 // Sub Word Inverse & Inverse MixColumns + aes32dsmi T0, T1, 1 + aes32dsmi T0, T1, 2 + aes32dsmi T0, T1, 3 sw T0, 0(RKP) // Store key word. diff --git a/benchmarks/aes/zscrypto_rv32/aes_256_ks.S b/benchmarks/aes/zscrypto_rv32/aes_256_ks.S index 463eb562..ce13970f 100644 --- a/benchmarks/aes/zscrypto_rv32/aes_256_ks.S +++ b/benchmarks/aes/zscrypto_rv32/aes_256_ks.S @@ -71,10 +71,10 @@ aes_256_enc_key_schedule: // a0 - uint32_t rk [AES_256_RK_WORDS] xor C0, C0, RCT // c0 ^= rcp ROR32I T1, T2, C7, 8 // tr = ROR32(c3, 8) - aes32esi C0, C0, T1, 0 // tr = sbox(tr) - aes32esi C0, C0, T1, 1 // - aes32esi C0, C0, T1, 2 // - aes32esi C0, C0, T1, 3 // + aes32esi C0, T1, 0 // tr = sbox(tr) + aes32esi C0, T1, 1 // + aes32esi C0, T1, 2 // + aes32esi C0, T1, 3 // xor C1, C1, C0 // C1 ^= C0 xor C2, C2, C1 // C2 ^= C1 @@ -87,10 +87,10 @@ aes_256_enc_key_schedule: // a0 - uint32_t rk [AES_256_RK_WORDS] beq RKE, RKP, .aes_256_enc_ks_finish - aes32esi C4, C4, C3, 0 // tr = sbox(tr) - aes32esi C4, C4, C3, 1 // - aes32esi C4, C4, C3, 2 // - aes32esi C4, C4, C3, 3 // + aes32esi C4, C3, 0 // tr = sbox(tr) + aes32esi C4, C3, 1 // + aes32esi C4, C3, 2 // + aes32esi C4, C3, 3 // xor C5, C5, C4 // C5 ^= C4 xor C6, C6, C5 // C6 ^= C5 @@ -140,15 +140,17 @@ aes_256_dec_key_schedule: // a0 - uint32_t rk [AES_256_RK_WORDS] lw T0, 0(RKP) // Load key word - aes32esi T1, zero, T0, 0 // Sub Word Forward - aes32esi T1, T1 , T0, 1 - aes32esi T1, T1 , T0, 2 - aes32esi T1, T1 , T0, 3 - - aes32dsmi T0, zero, T1, 0 // Sub Word Inverse & Inverse MixColumns - aes32dsmi T0, T0 , T1, 1 - aes32dsmi T0, T0 , T1, 2 - aes32dsmi T0, T0 , T1, 3 + li T1, 0 + aes32esi T1, T0, 0 // Sub Word Forward + aes32esi T1, T0, 1 + aes32esi T1, T0, 2 + aes32esi T1, T0, 3 + + li T0, 0 + aes32dsmi T0, T1, 0 // Sub Word Inverse & Inverse MixColumns + aes32dsmi T0, T1, 1 + aes32dsmi T0, T1, 2 + aes32dsmi T0, T1, 3 sw T0, 0(RKP) // Store key word. diff --git a/benchmarks/aes/zscrypto_rv32/aes_dec.S b/benchmarks/aes/zscrypto_rv32/aes_dec.S index e22c7904..47eca46e 100644 --- a/benchmarks/aes/zscrypto_rv32/aes_dec.S +++ b/benchmarks/aes/zscrypto_rv32/aes_dec.S @@ -61,25 +61,25 @@ aes_ecb_decrypt: // a2 - uint32_t * rk, lw U2, 24(KP) lw U3, 28(KP) - aes32dsmi U0, U0, T0, 0 // Even Round - aes32dsmi U0, U0, T3, 1 - aes32dsmi U0, U0, T2, 2 - aes32dsmi U0, U0, T1, 3 - - aes32dsmi U1, U1, T1, 0 - aes32dsmi U1, U1, T0, 1 - aes32dsmi U1, U1, T3, 2 - aes32dsmi U1, U1, T2, 3 - - aes32dsmi U2, U2, T2, 0 - aes32dsmi U2, U2, T1, 1 - aes32dsmi U2, U2, T0, 2 - aes32dsmi U2, U2, T3, 3 - - aes32dsmi U3, U3, T3, 0 - aes32dsmi U3, U3, T2, 1 - aes32dsmi U3, U3, T1, 2 - aes32dsmi U3, U3, T0, 3 // U* contains new state + aes32dsmi U0, T0, 0 // Even Round + aes32dsmi U0, T3, 1 + aes32dsmi U0, T2, 2 + aes32dsmi U0, T1, 3 + + aes32dsmi U1, T1, 0 + aes32dsmi U1, T0, 1 + aes32dsmi U1, T3, 2 + aes32dsmi U1, T2, 3 + + aes32dsmi U2, T2, 0 + aes32dsmi U2, T1, 1 + aes32dsmi U2, T0, 2 + aes32dsmi U2, T3, 3 + + aes32dsmi U3, T3, 0 + aes32dsmi U3, T2, 1 + aes32dsmi U3, T1, 2 + aes32dsmi U3, T0, 3 // U* contains new state lw T0, 0(KP) // Load Round Key lw T1, 4(KP) @@ -89,49 +89,49 @@ aes_ecb_decrypt: // a2 - uint32_t * rk, beq RK, KP, .aes_dec_block_l_finish // Break from loop addi KP, KP, -32 // Step Key pointer - aes32dsmi T0, T0, U0, 0 // Odd Round - aes32dsmi T0, T0, U3, 1 - aes32dsmi T0, T0, U2, 2 - aes32dsmi T0, T0, U1, 3 - - aes32dsmi T1, T1, U1, 0 - aes32dsmi T1, T1, U0, 1 - aes32dsmi T1, T1, U3, 2 - aes32dsmi T1, T1, U2, 3 - - aes32dsmi T2, T2, U2, 0 - aes32dsmi T2, T2, U1, 1 - aes32dsmi T2, T2, U0, 2 - aes32dsmi T2, T2, U3, 3 - - aes32dsmi T3, T3, U3, 0 - aes32dsmi T3, T3, U2, 1 - aes32dsmi T3, T3, U1, 2 - aes32dsmi T3, T3, U0, 3 // T* contains new state + aes32dsmi T0, U0, 0 // Odd Round + aes32dsmi T0, U3, 1 + aes32dsmi T0, U2, 2 + aes32dsmi T0, U1, 3 + + aes32dsmi T1, U1, 0 + aes32dsmi T1, U0, 1 + aes32dsmi T1, U3, 2 + aes32dsmi T1, U2, 3 + + aes32dsmi T2, U2, 0 + aes32dsmi T2, U1, 1 + aes32dsmi T2, U0, 2 + aes32dsmi T2, U3, 3 + + aes32dsmi T3, U3, 0 + aes32dsmi T3, U2, 1 + aes32dsmi T3, U1, 2 + aes32dsmi T3, U0, 3 // T* contains new state j .aes_dec_block_l0 // repeat loop .aes_dec_block_l_finish: - aes32dsi T0, T0, U0, 0 // Final round, no MixColumns - aes32dsi T0, T0, U3, 1 - aes32dsi T0, T0, U2, 2 - aes32dsi T0, T0, U1, 3 - - aes32dsi T1, T1, U1, 0 - aes32dsi T1, T1, U0, 1 - aes32dsi T1, T1, U3, 2 - aes32dsi T1, T1, U2, 3 - - aes32dsi T2, T2, U2, 0 - aes32dsi T2, T2, U1, 1 - aes32dsi T2, T2, U0, 2 - aes32dsi T2, T2, U3, 3 - - aes32dsi T3, T3, U3, 0 - aes32dsi T3, T3, U2, 1 - aes32dsi T3, T3, U1, 2 - aes32dsi T3, T3, U0, 3 // T* contains new state + aes32dsi T0, U0, 0 // Final round, no MixColumns + aes32dsi T0, U3, 1 + aes32dsi T0, U2, 2 + aes32dsi T0, U1, 3 + + aes32dsi T1, U1, 0 + aes32dsi T1, U0, 1 + aes32dsi T1, U3, 2 + aes32dsi T1, U2, 3 + + aes32dsi T2, U2, 0 + aes32dsi T2, U1, 1 + aes32dsi T2, U0, 2 + aes32dsi T2, U3, 3 + + aes32dsi T3, U3, 0 + aes32dsi T3, U2, 1 + aes32dsi T3, U1, 2 + aes32dsi T3, U0, 3 // T* contains new state AES_DUMP_STATE T0, T1, T2, T3, PT diff --git a/benchmarks/aes/zscrypto_rv32/aes_enc.S b/benchmarks/aes/zscrypto_rv32/aes_enc.S index 42971c67..b8cbc770 100644 --- a/benchmarks/aes/zscrypto_rv32/aes_enc.S +++ b/benchmarks/aes/zscrypto_rv32/aes_enc.S @@ -61,25 +61,25 @@ aes_ecb_encrypt: // a2 - uint32_t * rk, lw U2, 24(RK) lw U3, 28(RK) - aes32esmi U0, U0, T0, 0 // Even Round - aes32esmi U0, U0, T1, 1 - aes32esmi U0, U0, T2, 2 - aes32esmi U0, U0, T3, 3 - - aes32esmi U1, U1, T1, 0 - aes32esmi U1, U1, T2, 1 - aes32esmi U1, U1, T3, 2 - aes32esmi U1, U1, T0, 3 - - aes32esmi U2, U2, T2, 0 - aes32esmi U2, U2, T3, 1 - aes32esmi U2, U2, T0, 2 - aes32esmi U2, U2, T1, 3 - - aes32esmi U3, U3, T3, 0 - aes32esmi U3, U3, T0, 1 - aes32esmi U3, U3, T1, 2 - aes32esmi U3, U3, T2, 3 // U* contains new state + aes32esmi U0, T0, 0 // Even Round + aes32esmi U0, T1, 1 + aes32esmi U0, T2, 2 + aes32esmi U0, T3, 3 + + aes32esmi U1, T1, 0 + aes32esmi U1, T2, 1 + aes32esmi U1, T3, 2 + aes32esmi U1, T0, 3 + + aes32esmi U2, T2, 0 + aes32esmi U2, T3, 1 + aes32esmi U2, T0, 2 + aes32esmi U2, T1, 3 + + aes32esmi U3, T3, 0 + aes32esmi U3, T0, 1 + aes32esmi U3, T1, 2 + aes32esmi U3, T2, 3 // U* contains new state lw T0, 32(RK) // Load Round Key lw T1, 36(RK) @@ -89,49 +89,49 @@ aes_ecb_encrypt: // a2 - uint32_t * rk, addi RK, RK, 32 // Step Key pointer beq RK, KP, .aes_enc_block_l_finish // Break from loop - aes32esmi T0, T0, U0, 0 // Odd Round - aes32esmi T0, T0, U1, 1 - aes32esmi T0, T0, U2, 2 - aes32esmi T0, T0, U3, 3 - - aes32esmi T1, T1, U1, 0 - aes32esmi T1, T1, U2, 1 - aes32esmi T1, T1, U3, 2 - aes32esmi T1, T1, U0, 3 - - aes32esmi T2, T2, U2, 0 - aes32esmi T2, T2, U3, 1 - aes32esmi T2, T2, U0, 2 - aes32esmi T2, T2, U1, 3 - - aes32esmi T3, T3, U3, 0 - aes32esmi T3, T3, U0, 1 - aes32esmi T3, T3, U1, 2 - aes32esmi T3, T3, U2, 3 // T* contains new state + aes32esmi T0, U0, 0 // Odd Round + aes32esmi T0, U1, 1 + aes32esmi T0, U2, 2 + aes32esmi T0, U3, 3 + + aes32esmi T1, U1, 0 + aes32esmi T1, U2, 1 + aes32esmi T1, U3, 2 + aes32esmi T1, U0, 3 + + aes32esmi T2, U2, 0 + aes32esmi T2, U3, 1 + aes32esmi T2, U0, 2 + aes32esmi T2, U1, 3 + + aes32esmi T3, U3, 0 + aes32esmi T3, U0, 1 + aes32esmi T3, U1, 2 + aes32esmi T3, U2, 3 // T* contains new state j .aes_enc_block_l0 // repeat loop .aes_enc_block_l_finish: - aes32esi T0, T0, U0, 0 // Final round. No MixColumn. - aes32esi T0, T0, U1, 1 - aes32esi T0, T0, U2, 2 - aes32esi T0, T0, U3, 3 - - aes32esi T1, T1, U1, 0 - aes32esi T1, T1, U2, 1 - aes32esi T1, T1, U3, 2 - aes32esi T1, T1, U0, 3 - - aes32esi T2, T2, U2, 0 - aes32esi T2, T2, U3, 1 - aes32esi T2, T2, U0, 2 - aes32esi T2, T2, U1, 3 - - aes32esi T3, T3, U3, 0 - aes32esi T3, T3, U0, 1 - aes32esi T3, T3, U1, 2 - aes32esi T3, T3, U2, 3 // T* contains new state + aes32esi T0, U0, 0 // Final round. No MixColumn. + aes32esi T0, U1, 1 + aes32esi T0, U2, 2 + aes32esi T0, U3, 3 + + aes32esi T1, U1, 0 + aes32esi T1, U2, 1 + aes32esi T1, U3, 2 + aes32esi T1, U0, 3 + + aes32esi T2, U2, 0 + aes32esi T2, U3, 1 + aes32esi T2, U0, 2 + aes32esi T2, U1, 3 + + aes32esi T3, U3, 0 + aes32esi T3, U0, 1 + aes32esi T3, U1, 2 + aes32esi T3, U2, 3 // T* contains new state AES_DUMP_STATE T0, T1, T2, T3, CT diff --git a/benchmarks/share/riscv-crypto-intrinsics.h b/benchmarks/share/riscv-crypto-intrinsics.h index 265b0f22..bd252fc1 100644 --- a/benchmarks/share/riscv-crypto-intrinsics.h +++ b/benchmarks/share/riscv-crypto-intrinsics.h @@ -53,10 +53,10 @@ static inline uint_xlen_t _sha512sum1 (uint_xlen_t rs1) {uint_xlen_t rd; __asm__ // #if (defined(__ZSCRYPTO) && defined(RISCV_CRYPTO_RV32)) -static inline uint_xlen_t _aes32esi (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("aes32esi %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} -static inline uint_xlen_t _aes32esmi(uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("aes32esmi %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} -static inline uint_xlen_t _aes32dsi (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("aes32dsi %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} -static inline uint_xlen_t _aes32dsmi(uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("aes32dsmi %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} +static inline uint_xlen_t _aes32esi (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("aes32esi %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} +static inline uint_xlen_t _aes32esmi(uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("aes32esmi %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} +static inline uint_xlen_t _aes32dsi (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("aes32dsi %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} +static inline uint_xlen_t _aes32dsmi(uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("aes32dsmi %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} #endif #if (defined(__ZSCRYPTO) && defined(RISCV_CRYPTO_RV64)) @@ -74,8 +74,8 @@ static inline uint_xlen_t _aes64ds (uint_xlen_t rs1, uint_xlen_t rs2 ) {uint_ // #if (defined(__ZSCRYPTO)) -static inline uint_xlen_t _sm4ks (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("sm4ks %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} -static inline uint_xlen_t _sm4ed (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {uint_xlen_t rd; __asm__("sm4ed %0, %1, %2, %3" : "=r"(rd) : "r"(rs1), "r"(rs2), "i"(bs)); return rd;} +static inline uint_xlen_t _sm4ks (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("sm4ks %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} +static inline uint_xlen_t _sm4ed (uint_xlen_t rs1, uint_xlen_t rs2, int bs) {__asm__("sm4ed %0, %1, %2" : "+r"(rs1) : "r"(rs2), "i"(bs)); return rs1;} #endif // diff --git a/bin/better_parse_opcodes.py b/bin/better_parse_opcodes.py index a40a73ff..53f9bd68 100755 --- a/bin/better_parse_opcodes.py +++ b/bin/better_parse_opcodes.py @@ -26,7 +26,7 @@ def __init__(self, name, hi,lo,binutilscode,sailtype): @property def is_register(self): return self.name in [ - "rs1", "rs2", "rs3", "rd" + "rs1", "rs2", "rs3", "rd", "rt" ] def __repr__(self): @@ -172,6 +172,7 @@ class EncodingParser(object): "rcon" : Operand("rcon" , 23, 20,"W" , "bits(4)" ), "rd" : Operand("rd" , 11, 7,"d" , "regidx" ), "rs1" : Operand("rs1" , 19, 15,"s" , "regidx" ), + "rt" : Operand("rt" , 19, 15,"s" , "regidx" ), "rs2" : Operand("rs2" , 24, 20,"t" , "regidx" ), "rs3" : Operand("rs3" , 31, 27,"r" , "regidx" ), "shamt" : Operand("shamt" , 25, 20,">" , "bits(5)" ), diff --git a/doc/Makefile b/doc/Makefile index 58d3290c..f5bfc051 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -29,8 +29,8 @@ OPCODES_BASE_RV32 = \ # # Machine readable opcode descriptions for RV64 -OPCODES_BASE_RV32 = \ - $(BASE_RV32) \ +OPCODES_BASE_RV64 = \ + $(OPCODES_BASE_RV32) \ $(REPO_HOME)/extern/riscv-opcodes/opcodes-rv64a \ $(REPO_HOME)/extern/riscv-opcodes/opcodes-rv64b \ $(REPO_HOME)/extern/riscv-opcodes/opcodes-rv64d \ diff --git a/doc/riscv-crypto-spec-scalar.tex b/doc/riscv-crypto-spec-scalar.tex index 365c82c6..80dd9fe6 100644 --- a/doc/riscv-crypto-spec-scalar.tex +++ b/doc/riscv-crypto-spec-scalar.tex @@ -3,7 +3,7 @@ \title{RISC-V Cryptographic Extension Proposals\\Volume I: Scalar \& Entropy Source Instructions} \author{Editor: Ben Marshall\\ben.marshall@bristol.ac.uk} -\date{Version $0.8.0$ (\today) \\ +\date{Version $0.8.1$ (\today) \\ \medskip \url{\repourl{}} \\ \href{\repourl{}}{ diff --git a/doc/tex/appx-scalar-encodings.tex b/doc/tex/appx-scalar-encodings.tex index 5bd65d69..da1764f3 100644 --- a/doc/tex/appx-scalar-encodings.tex +++ b/doc/tex/appx-scalar-encodings.tex @@ -143,19 +143,18 @@ \subsection{Decoding Strategy} live in the {\tt OP-IMM} major opcode, adjacent to the hash function instructions but distinguished from them by bit $29$. -For the SM4 and RV32 AES instructions, we require that {\tt rs1=rd}. -Encodings where {\tt rs1!=rd} raise an Illegal Opcode Exception unless -they are defined as another instruction by another extension, or -future versions of the Scalar Cryptography Extension. +For the SM4 and RV32 AES instructions, we introduce a new {\em destructive} +instruction format, where the destination register is sourced from +the {\tt rs1} field. +We call this combined source/destination register {\tt rt}. This reflects the fact that these instructions are designed to {\em always} use their source/destination registers in this way. This takes the number of encoding points used per RV32 AES / SM4 instruction from $131072$ to $4096$. -It is possible to {\em remove} the {\tt rd} field completely from these -instructions and say that {\tt rd} must be sourced from the {\tt rs1} -field. -This breaks existing encoding idioms however about register address fields -always being in the same place in the encoding. +We source {\tt rd} from {\tt rs1} (rather than the reverse) because on +the smaller cores we expect these instructions to be use on, it is +more important to be able to decode {\tt rs1} quickly than {\tt rd}. +The former {\tt rd} field (bits $11:7$) are re-used as encoding space. Table \ref{tab:encodings:counts} shows the number of encoding points taken up by each instruction individually, and all instructions for either diff --git a/doc/tex/sec-scalar-aes.tex b/doc/tex/sec-scalar-aes.tex index 23640c6d..b13e5b72 100644 --- a/doc/tex/sec-scalar-aes.tex +++ b/doc/tex/sec-scalar-aes.tex @@ -22,10 +22,10 @@ \subsubsection{RV32 Instructions} \end{bytefield} \begin{cryptoisa} -aes32esi rd, rs1, rs2, bs // Encrypt: SubBytes -aes32esmi rd, rs1, rs2, bs // Encrypt: SubBytes & MixColumns -aes32dsi rd, rs1, rs2, bs // Decrypt: SubBytes -aes32dsmi rd, rs1, rs2, bs // Decrypt: SubBytes & MixColumns +aes32esi rt, rs2, bs // Encrypt: SubBytes +aes32esmi rt, rs2, bs // Encrypt: SubBytes & MixColumns +aes32dsi rt, rs2, bs // Decrypt: SubBytes +aes32dsmi rt, rs2, bs // Decrypt: SubBytes & MixColumns \end{cryptoisa} These instructions are a very lightweight proposal, derived from @@ -38,6 +38,10 @@ \subsubsection{RV32 Instructions} which byte of the input word is operated on. SAIL Model code for each instruction is found in figure \ref{fig:sail:aes:rv32}. +Note that the instructions source their destination register from +bits $19:15$ of the encoding, rather than the usual $11:7$. +This is because the instructions are designed to be used such that +the destination register is always the same as {\tt rs1}. These instructions use the Equivalent Inverse Cipher construction \cite[Section 5.3.5]{nist:fips:197}. @@ -45,20 +49,12 @@ \subsubsection{RV32 Instructions} \cite[Figure 15]{nist:fips:197}. \begin{figure}[h] -\lstinputlisting[language=sail,firstline=67,lastline=83]{../sail/riscv_insts_crypto_rv32.sail} +\lstinputlisting[language=sail,firstline=65,lastline=81]{../sail/riscv_insts_crypto_rv32.sail} \caption{SAIL specification for the lightweight AES instructions targeting the RV32 base architecture.} \label{fig:sail:aes:rv32} \end{figure} -\note{ -The SM4 (see Section \ref{sec:scalar:sm4}) and RV32 AES -instructions are designed to share much of their data-path, and -can be implemented with much logic shared between their SBoxes -in particular. -} - - % ------------------------------------------------------------ \newpage diff --git a/doc/tex/sec-scalar-sha2.tex b/doc/tex/sec-scalar-sha2.tex index 0e2edd9e..61612a9b 100644 --- a/doc/tex/sec-scalar-sha2.tex +++ b/doc/tex/sec-scalar-sha2.tex @@ -112,13 +112,13 @@ \subsubsection{SHA-512 Instructions} } \begin{figure}[h] -\lstinputlisting[language=sail,firstline=143,lastline=156]{../sail/riscv_insts_crypto_rv32.sail} +\lstinputlisting[language=sail,firstline=141,lastline=154]{../sail/riscv_insts_crypto_rv32.sail} \caption{SAIL specification for the scalar RV32 SHA512 instructions.} \label{fig:sail:sha512:rv32} \end{figure} \begin{figure}[h] -\lstinputlisting[language=sail,firstline=152,lastline=162]{../sail/riscv_insts_crypto_rv64.sail} +\lstinputlisting[language=sail,firstline=159,lastline=169]{../sail/riscv_insts_crypto_rv64.sail} \caption{SAIL specification for the scalar RV64 SHA512 instructions.} \label{fig:sail:sha512:rv64} \end{figure} diff --git a/doc/tex/sec-scalar-sm4.tex b/doc/tex/sec-scalar-sm4.tex index 5cfe1f07..e6deb9e7 100644 --- a/doc/tex/sec-scalar-sm4.tex +++ b/doc/tex/sec-scalar-sm4.tex @@ -13,8 +13,8 @@ \subsection{Scalar SM4 Acceleration} \begin{cryptoisa} RV32 / RV64: - sm4ed rd, rs1, rs2, bs - sm4ks rd, rs1, rs2, bs + sm4ed rt, rs2, bs + sm4ks rt, rs2, bs \end{cryptoisa} This section proposes acceleration instructions for @@ -35,6 +35,10 @@ \subsection{Scalar SM4 Acceleration} SAIL Model code for each instruction is found in figure \ref{fig:sail:sm4}. +Note that the instructions source their destination register from +bits $19:15$ of the encoding, rather than the usual $11:7$. +This is because the instructions are designed to be used such that +the destination register is always the same as {\tt rs1}. % % Old pseudo code for SM4. @@ -60,15 +64,8 @@ \subsection{Scalar SM4 Acceleration} %\caption{Scalar SM4 instruction pseudocode.} %\end{figure} -\note{ -The SM4 and RV32 AES (see Section \ref{sec:scalar:aes:rv32}) -instructions are designed to share much of their data-path, and -can be implemented with much logic shared between their SBoxes -in particular. -} - \begin{figure}[h] -\lstinputlisting[language=sail,firstline=164,lastline=187]{../sail/riscv_insts_crypto.sail} +\lstinputlisting[language=sail,firstline=160,lastline=183]{../sail/riscv_insts_crypto.sail} \caption{SAIL specification for the SM4 instructions.} \label{fig:sail:sm4} \end{figure} diff --git a/sail/riscv_insts_crypto.sail b/sail/riscv_insts_crypto.sail index 679f624b..bbf32a27 100644 --- a/sail/riscv_insts_crypto.sail +++ b/sail/riscv_insts_crypto.sail @@ -15,31 +15,31 @@ */ /* AST clauses for the SHA256 instructions. */ -union clause ast = SHA256_SIG0 : (regidx,regidx) -union clause ast = SHA256_SIG1 : (regidx,regidx) -union clause ast = SHA256_SUM0 : (regidx,regidx) -union clause ast = SHA256_SUM1 : (regidx,regidx) +union clause ast = SHA256SIG0 : (regidx,regidx) +union clause ast = SHA256SIG1 : (regidx,regidx) +union clause ast = SHA256SUM0 : (regidx,regidx) +union clause ast = SHA256SUM1 : (regidx,regidx) /* Encode/decode mappings for the SHA256 instructions. */ -mapping clause encdec = SHA256_SIG0 (rs1,rd) <-> - 0b000011100000 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA256SUM0 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00000 @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause encdec = SHA256_SIG1 (rs1,rd) <-> - 0b000011100001 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA256SUM1 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00001 @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause encdec = SHA256_SUM0 (rs1,rd) <-> - 0b000011100010 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA256SIG0 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00010 @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause encdec = SHA256_SUM1 (rs1,rd) <-> - 0b000011100011 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA256SIG1 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00011 @ rs1 @ 0b001 @ rd @ 0b0010011 /* Assembly string mappings for the SHA256 instructions. */ -mapping clause assembly = SHA256_SIG0 (rs1,rd) <-> "sha256sig0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA256_SIG1 (rs1,rd) <-> "sha256sig1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA256_SUM0 (rs1,rd) <-> "sha256sum0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA256_SUM1 (rs1,rd) <-> "sha256sum1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA256SIG0 (rs1,rd) <-> "sha256sig0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA256SIG1 (rs1,rd) <-> "sha256sig1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA256SUM0 (rs1,rd) <-> "sha256sum0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA256SUM1 (rs1,rd) <-> "sha256sum1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) val crypto_sha256 : (sha256_op, regidx, regidx) -> Retired effect {escape,rreg,wreg} /* --- specification snippet begin --- */ @@ -57,19 +57,19 @@ function crypto_sha256 (op , rd , rs1 ) = { /* --- specification snippet end --- */ /* Execution clauses for the SHA256 instructions. */ -function clause execute (SHA256_SIG0 (rs1,rd)) = { +function clause execute (SHA256SIG0 (rs1,rd)) = { crypto_sha256(OP_SHA256_SIG0, rd, rs1); } -function clause execute (SHA256_SIG1 (rs1,rd)) = { +function clause execute (SHA256SIG1 (rs1,rd)) = { crypto_sha256(OP_SHA256_SIG1, rd, rs1); } -function clause execute (SHA256_SUM0 (rs1,rd)) = { +function clause execute (SHA256SUM0 (rs1,rd)) = { crypto_sha256(OP_SHA256_SUM0, rd, rs1); } -function clause execute (SHA256_SUM1 (rs1,rd)) = { +function clause execute (SHA256SUM1 (rs1,rd)) = { crypto_sha256(OP_SHA256_SUM1, rd, rs1); } @@ -80,24 +80,24 @@ function clause execute (SHA256_SUM1 (rs1,rd)) = { /* AST Types for SM3.p0/1 */ -union clause ast = SM3_P0 : (regidx,regidx) -union clause ast = SM3_P1 : (regidx,regidx) +union clause ast = SM3P0 : (regidx,regidx) +union clause ast = SM3P1 : (regidx,regidx) /* Decode clause for sm3.p0 */ -mapping clause encdec = SM3_P0 (rs1,rd) <-> - 0b000011101000 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SM3P0 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b01000 @ rs1 @ 0b001 @ rd @ 0b0010011 /* Decode clause for sm3.p1 */ -mapping clause encdec = SM3_P1 (rs1,rd) <-> - 0b000011101001 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SM3P1 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b01001 @ rs1 @ 0b001 @ rd @ 0b0010011 -/* Asssembly code mapping for sm3.p0 */ -mapping clause assembly = SM3_P0 (rs1,rd) <-> +/* Asssembly code mapping for sm3p0 */ +mapping clause assembly = SM3P0 (rs1,rd) <-> "sm3.p0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -/* Asssembly code mapping for sm3.p1 */ -mapping clause assembly = SM3_P1 (rs1,rd) <-> +/* Asssembly code mapping for sm3p1 */ +mapping clause assembly = SM3P1 (rs1,rd) <-> "sm3.p1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) @@ -116,12 +116,12 @@ function crypto_sm3 (op , rd , rs1 ) = { /* Execute clause for sm3.p0 */ -function clause execute ( SM3_P0 (rs1,rd)) = { +function clause execute ( SM3P0 (rs1,rd)) = { crypto_sm3(P0, rd, rs1); } /* Execute clause for sm3.p1 */ -function clause execute ( SM3_P1 (rs1,rd)) = { +function clause execute ( SM3P1 (rs1,rd)) = { crypto_sm3(P1, rd, rs1); } @@ -133,35 +133,31 @@ function clause execute ( SM3_P1 (rs1,rd)) = { /* AST clauses for the SM4 instructions. */ -union clause ast = SM4_ED : (bits(2),regidx,regidx,regidx) -union clause ast = SM4_KS : (bits(2),regidx,regidx,regidx) +union clause ast = SM4ED : (bits(2),regidx,regidx) +union clause ast = SM4KS : (bits(2),regidx,regidx) /* Encode / decode mappings for the SM4 instructions. */ -mapping clause encdec = SM4_ED (bs,rs2,rs1,rd) <-> - bs @ 0b00100 @ rs2 @ rs1 @ 0b011 @ rd @ 0b0101011 - -mapping clause encdec = SM4_KS (bs,rs2,rs1,rd) <-> - bs @ 0b00101 @ rs2 @ rs1 @ 0b011 @ rd @ 0b0101011 - +mapping clause encdec = SM4ED (bs,rs2,rt) + <-> bs @ 0b11000 @ rs2 @ rt @ 0b000 @ 0b00000 @ 0b0110011 +mapping clause encdec = SM4KS (bs,rs2,rt) + <-> bs @ 0b11010 @ rs2 @ rt @ 0b000 @ 0b00000 @ 0b0110011 /* Assembly string mappings for the SM4 instructions. */ -mapping clause assembly = SM4_ED (bs,rs2,rs1,rd) <-> +mapping clause assembly = SM4ED (bs,rs2,rt) <-> "sm4.ed" ^ spc() ^ - reg_name(rd) ^ sep() ^ - reg_name(rs1) ^ sep() ^ + reg_name(rt) ^ sep() ^ reg_name(rs2) ^ sep() ^ hex_bits_2(bs) -mapping clause assembly = SM4_KS (bs,rs2,rs1,rd) <-> +mapping clause assembly = SM4KS (bs,rs2,rt) <-> "sm4.ks" ^ spc() ^ - reg_name(rd) ^ sep() ^ - reg_name(rs1) ^ sep() ^ + reg_name(rt) ^ sep() ^ reg_name(rs2) ^ sep() ^ hex_bits_2(bs) /* Execute clause for the sm4 instructions. */ /* --- specification snippet begin --- */ -function clause execute (SM4_ED (bs,rs2,rs1,rd)) = { +function clause execute (SM4ED (bs,rs2,rt)) = { let shamt : bits(6) = (0b0 @ bs @ 0b000); /* shamt = bs*8 */ let sb_in : bits(8) = (X(rs2) >> shamt)[7..0]; let x : bits(32) = 0x000000 @ sm4_sbox(sb_in); @@ -169,20 +165,20 @@ function clause execute (SM4_ED (bs,rs2,rs1,rd)) = { (x << 18) ^ ((x & 0x0000003F) << 26) ^ ((x & 0x000000C0) << 10); let z : bits(32) = (y << shamt) ^ (y >> (0b100000-shamt)); - let result: bits(32) = z ^ X(rs1)[31..0]; - X(rd) = EXTZ(result); + let result: bits(32) = z ^ X(rt)[31..0]; + X(rt) = EXTZ(result); RETIRE_SUCCESS } -function clause execute (SM4_KS (bs,rs2,rs1,rd)) = { +function clause execute (SM4KS (bs,rs2,rt)) = { let shamt : bits(6) = (0b0 @ bs @ 0b000); /* shamt = bs*8 */ let sb_in : bits(8) = (X(rs2) >> shamt)[7..0]; let x : bits(32) = 0x000000 @ sm4_sbox(sb_in); let y : bits(32) = x ^ ((x & 0x00000007) << 29) ^ ((x & 0x000000FE) << 7) ^ ((x & 0x00000001) << 23) ^ ((x & 0x000000F8) << 13) ; let z : bits(32) = (y << shamt) ^ (y >> (0b100000-shamt)); - let result: bits(32) = z ^ X(rs1)[31..0]; - X(rd) = EXTZ(result); + let result: bits(32) = z ^ X(rt)[31..0]; + X(rt) = EXTZ(result); RETIRE_SUCCESS } /* --- specification snippet end --- */ diff --git a/sail/riscv_insts_crypto_rv32.sail b/sail/riscv_insts_crypto_rv32.sail index 55052003..7e102535 100644 --- a/sail/riscv_insts_crypto_rv32.sail +++ b/sail/riscv_insts_crypto_rv32.sail @@ -16,10 +16,10 @@ /* Map between f5 encoding field and scalar round function instrucitons. */ mapping encdec_aes32_op : aes_op <-> bits(5) = { - ENCSM <-> 0b00000, - ENCS <-> 0b00001, - DECSM <-> 0b00010, - DECS <-> 0b00011 + ENCSM <-> 0b11011, + ENCS <-> 0b11001, + DECSM <-> 0b11111, + DECS <-> 0b11101 } /* Map 32-bit operations to assembly mnemonics - for disassemly */ @@ -39,33 +39,31 @@ mapping aes32_bs_to_str : aes_bs <-> string = { 0b11 <-> "3" } -union clause ast = AES32 : (aes_bs, regidx, regidx, regidx, aes_op) +union clause ast = AES32 : (aes_bs, regidx, regidx, aes_op) /* Encrypt/Decrypt mapping for 32-bit scalar AES instructions. */ -mapping clause encdec = AES32 (aes_bs, rs2 , rs1 , rd , op ) - <-> aes_bs @ encdec_aes32_op(op) @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES32 (aes_bs, rs2 , rt , op ) + <-> aes_bs @ encdec_aes32_op(op) @ rs2 @ rt @ 0b010 @ 0b00000 @ 0b0101011 /* Map between an AST representation of AES32 and a disassembly string. */ -mapping clause assembly = AES32 ( bs, rs2 , rs1 , rd , op ) +mapping clause assembly = AES32 ( bs, rs2 , rt , op ) <-> aes32_op_to_mnemonic(op) ^ spc() ^ - reg_name(rd) ^ sep() ^ - reg_name(rs1) ^ sep() ^ + reg_name(rt) ^ sep() ^ reg_name(rs2) ^ sep() ^ aes32_bs_to_str(bs) /* Execute the scalar 32-bit AES instructions. * - op : The exact instruciton variant to perform. - * - rd : Destination register address - * - rs1: Source register 1 address + * - rt : Source register 1 / Destination register address * - rs2: Source register 2 address * - bs : 2-bit byte shift. */ /* --- specification snippet begin --- */ -function clause execute (AES32 (bs, rs2, rs1, rd, op))={ - let rs1_val : xlenbits = X(rs1); +function clause execute (AES32 (bs, rs2, rt, op))={ + let rs1_val : xlenbits = X(rt ); let rs2_val : xlenbits = X(rs2); let shamt : bits(6) = (0b0 @ bs @ 0b000); /* shamt = bs*8 */ let si : bits(8) = (rs2_val >> shamt)[7..0]; /* SBox Input */ @@ -78,7 +76,7 @@ function clause execute (AES32 (bs, rs2, rs1, rd, op))={ else 0x000000 @ so; let result : xlenbits = rs1_val ^ (mixed << shamt) ^ (mixed >> (0b100000-shamt)); - X(rd) = result; + X(rt) = result; RETIRE_SUCCESS } /* --- specification snippet end --- */ @@ -91,50 +89,50 @@ function clause execute (AES32 (bs, rs2, rs1, rd, op))={ /* AST clauses for the RV32 SHA512 instructions. */ -union clause ast = SHA512_SIG0L : (regidx,regidx,regidx) -union clause ast = SHA512_SIG0H : (regidx,regidx,regidx) -union clause ast = SHA512_SIG1L : (regidx,regidx,regidx) -union clause ast = SHA512_SIG1H : (regidx,regidx,regidx) -union clause ast = SHA512_SUM0R : (regidx,regidx,regidx) -union clause ast = SHA512_SUM1R : (regidx,regidx,regidx) +union clause ast = SHA512SIG0L : (regidx,regidx,regidx) +union clause ast = SHA512SIG0H : (regidx,regidx,regidx) +union clause ast = SHA512SIG1L : (regidx,regidx,regidx) +union clause ast = SHA512SIG1H : (regidx,regidx,regidx) +union clause ast = SHA512SUM0R : (regidx,regidx,regidx) +union clause ast = SHA512SUM1R : (regidx,regidx,regidx) /* Encode / decode mappings for the RV32 SHA512 instructions. */ -mapping clause encdec = SHA512_SIG0L (rs2,rs1,rd) <-> - 0b0001000 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SUM0R (rs2,rs1,rd) + <-> 0b01 @ 0b01000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = SHA512_SIG0H (rs2,rs1,rd) <-> - 0b0001001 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SUM1R (rs2,rs1,rd) + <-> 0b01 @ 0b01001 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = SHA512_SIG1L (rs2,rs1,rd) <-> - 0b0001010 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SIG0L (rs2,rs1,rd) + <-> 0b01 @ 0b01010 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = SHA512_SIG1H (rs2,rs1,rd) <-> - 0b0001011 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SIG0H (rs2,rs1,rd) + <-> 0b01 @ 0b01110 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = SHA512_SUM0R (rs2,rs1,rd) <-> - 0b0001100 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SIG1L (rs2,rs1,rd) + <-> 0b01 @ 0b01011 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = SHA512_SUM1R (rs2,rs1,rd) <-> - 0b0001101 @ rs2 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SIG1H (rs2,rs1,rd) + <-> 0b01 @ 0b01111 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 /* Assembly string mappings for the RV32 SHA512 instructions. */ -mapping clause assembly = SHA512_SIG0L (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SIG0L (rs2,rs1,rd) <-> "sha512sig0l" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = SHA512_SIG0H (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SIG0H (rs2,rs1,rd) <-> "sha512sig0h" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = SHA512_SIG1L (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SIG1L (rs2,rs1,rd) <-> "sha512sig1l" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = SHA512_SIG1H (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SIG1H (rs2,rs1,rd) <-> "sha512sig1h" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = SHA512_SUM0R (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SUM0R (rs2,rs1,rd) <-> "sha512sum0r" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = SHA512_SUM1R (rs2,rs1,rd) <-> +mapping clause assembly = SHA512SUM1R (rs2,rs1,rd) <-> "sha512sum1r" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) @@ -161,27 +159,27 @@ function crypto_sha512_rv32 (op , rd , rs1 , rs2 ) = { * Execute clauses for the 32-bit SHA512 instructions. */ -function clause execute ( SHA512_SIG0L (rs2,rs1,rd)) = { +function clause execute ( SHA512SIG0L (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SIG0L, rd, rs1, rs2); } -function clause execute ( SHA512_SIG0H (rs2,rs1,rd)) = { +function clause execute ( SHA512SIG0H (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SIG0H, rd, rs1, rs2); } -function clause execute ( SHA512_SIG1L (rs2,rs1,rd)) = { +function clause execute ( SHA512SIG1L (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SIG1L, rd, rs1, rs2); } -function clause execute ( SHA512_SIG1H (rs2,rs1,rd)) = { +function clause execute ( SHA512SIG1H (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SIG1H, rd, rs1, rs2); } -function clause execute ( SHA512_SUM0R (rs2,rs1,rd)) = { +function clause execute ( SHA512SUM0R (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SUM0R, rd, rs1, rs2); } -function clause execute ( SHA512_SUM1R (rs2,rs1,rd)) = { +function clause execute ( SHA512SUM1R (rs2,rs1,rd)) = { crypto_sha512_rv32(OP_SHA512_SUM1R, rd, rs1, rs2); } diff --git a/sail/riscv_insts_crypto_rv64.sail b/sail/riscv_insts_crypto_rv64.sail index 640232ef..1311bead 100644 --- a/sail/riscv_insts_crypto_rv64.sail +++ b/sail/riscv_insts_crypto_rv64.sail @@ -14,56 +14,56 @@ * ---------------------------------------------------------------------- */ -union clause ast =AES64_KS1I : (bits(4),regidx,regidx) -union clause ast = AES64_KS2 : (regidx,regidx,regidx) -union clause ast = AES64_IM : (regidx,regidx) -union clause ast = AES64_ESM : (regidx,regidx,regidx) -union clause ast = AES64_ES : (regidx,regidx,regidx) -union clause ast = AES64_DSM : (regidx,regidx,regidx) -union clause ast = AES64_DS : (regidx,regidx,regidx) +union clause ast =AES64KS1I : (bits(4),regidx,regidx) +union clause ast = AES64KS2 : (regidx,regidx,regidx) +union clause ast = AES64IM : (regidx,regidx) +union clause ast = AES64ESM : (regidx,regidx,regidx) +union clause ast = AES64ES : (regidx,regidx,regidx) +union clause ast = AES64DSM : (regidx,regidx,regidx) +union clause ast = AES64DS : (regidx,regidx,regidx) -mapping clause encdec = AES64_KS1I (rcon,rs1,rd) <-> - 0b00001000 @ rcon @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64KS1I (rcon,rs1,rd) + <-> 0b00 @ 0b11000 @ 0b1 @ rcon @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause encdec = AES64_KS2 (rs2,rs1,rd) <-> - 0b0000101 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64IM (rs1,rd) + <-> 0b00 @ 0b11000 @ 0b00000 @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause encdec = AES64_IM (rs1,rd) <-> - 0b000011000001 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64KS2 (rs2,rs1,rd) + <-> 0b01 @ 0b11111 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = AES64_ESM (rs2,rs1,rd) <-> - 0b0000111 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64ESM (rs2,rs1,rd) + <-> 0b00 @ 0b11011 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = AES64_ES (rs2,rs1,rd) <-> - 0b0001000 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64ES (rs2,rs1,rd) + <-> 0b00 @ 0b11001 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = AES64_DSM (rs2,rs1,rd) <-> - 0b0001001 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64DSM (rs2,rs1,rd) + <-> 0b00 @ 0b11111 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause encdec = AES64_DS (rs2,rs1,rd) <-> - 0b0001010 @ rs2 @ rs1 @ 0b010 @ rd @ 0b0101011 +mapping clause encdec = AES64DS (rs2,rs1,rd) + <-> 0b00 @ 0b11101 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011 -mapping clause assembly = AES64_KS1I (rcon,rs1,rd) <-> +mapping clause assembly = AES64KS1I (rcon,rs1,rd) <-> "aes64ks1i" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ hex_bits_4(rcon) -mapping clause assembly = AES64_KS2 (rs2,rs1,rd) <-> +mapping clause assembly = AES64KS2 (rs2,rs1,rd) <-> "aes64ks2" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = AES64_IM (rs1,rd) <-> +mapping clause assembly = AES64IM (rs1,rd) <-> "aes64im" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = AES64_ESM (rs2,rs1,rd) <-> +mapping clause assembly = AES64ESM (rs2,rs1,rd) <-> "aes64esm" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = AES64_ES (rs2,rs1,rd) <-> +mapping clause assembly = AES64ES (rs2,rs1,rd) <-> "aes64es" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = AES64_DSM (rs2,rs1,rd) <-> +mapping clause assembly = AES64DSM (rs2,rs1,rd) <-> "aes64dsm" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) -mapping clause assembly = AES64_DS (rs2,rs1,rd) <-> +mapping clause assembly = AES64DS (rs2,rs1,rd) <-> "aes64ds" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) ^ sep() ^ reg_name(rs2) @@ -87,7 +87,7 @@ function crypto_aes64 (rd , rs1 , rs2 , enc , mix ) = { RETIRE_SUCCESS } -function clause execute (AES64_KS1I (rcon,rs1,rd)) = { +function clause execute (AES64KS1I (rcon,rs1,rd)) = { let tmp1 : bits(32) = X(rs1)[63..32]; let rc : bits(32) = aes_decode_rcon(rcon); let tmp2 : bits(32) = if rcon==0xA then tmp1 else ror32(tmp1, 8); @@ -97,32 +97,32 @@ function clause execute (AES64_KS1I (rcon,rs1,rd)) = { X(rd) = EXTZ(result); RETIRE_SUCCESS } -function clause execute (AES64_KS2 (rs2,rs1,rd)) = { +function clause execute (AES64KS2 (rs2,rs1,rd)) = { let w0 : bits(32) = X(rs1)[63..32] ^ X(rs2)[31..0]; let w1 : bits(32) = X(rs1)[63..32] ^ X(rs2)[31..0] ^ X(rs2)[63..32]; X(rd) = w1 @ w0; RETIRE_SUCCESS } -function clause execute (AES64_IM (rs1,rd)) = { +function clause execute (AES64IM (rs1,rd)) = { let w0 : bits(32) = aes_mixcolumn_inv(X(rs1)[31.. 0]); let w1 : bits(32) = aes_mixcolumn_inv(X(rs1)[63..32]); X(rd) = w1 @ w0; RETIRE_SUCCESS } /* --- specification snippet begin --- */ -function clause execute (AES64_ESM (rs2,rs1,rd)) = { +function clause execute (AES64ESM (rs2,rs1,rd)) = { crypto_aes64(rd, rs1, rs2, true, true); } -function clause execute (AES64_ES (rs2,rs1,rd)) = { +function clause execute (AES64ES (rs2,rs1,rd)) = { crypto_aes64(rd, rs1, rs2, true, false); } -function clause execute (AES64_DSM (rs2,rs1,rd)) = { +function clause execute (AES64DSM (rs2,rs1,rd)) = { crypto_aes64(rd, rs1, rs2, false, true); } -function clause execute (AES64_DS (rs2,rs1,rd)) = { +function clause execute (AES64DS (rs2,rs1,rd)) = { crypto_aes64(rd, rs1, rs2, false, false); } @@ -131,20 +131,27 @@ function clause execute (AES64_DS (rs2,rs1,rd)) = { * ---------------------------------------------------------------------- */ -union clause ast = SHA512_SIG0 : (regidx,regidx) -union clause ast = SHA512_SIG1 : (regidx,regidx) -union clause ast = SHA512_SUM0 : (regidx,regidx) -union clause ast = SHA512_SUM1 : (regidx,regidx) +union clause ast = SHA512SIG0 : (regidx,regidx) +union clause ast = SHA512SIG1 : (regidx,regidx) +union clause ast = SHA512SUM0 : (regidx,regidx) +union clause ast = SHA512SUM1 : (regidx,regidx) -mapping clause encdec = SHA512_SIG0 (rs1,rd) <-> 0b000011100100 @ rs1 @ 0b111 @ rd @ 0b0101011 -mapping clause encdec = SHA512_SIG1 (rs1,rd) <-> 0b000011100101 @ rs1 @ 0b111 @ rd @ 0b0101011 -mapping clause encdec = SHA512_SUM0 (rs1,rd) <-> 0b000011100110 @ rs1 @ 0b111 @ rd @ 0b0101011 -mapping clause encdec = SHA512_SUM1 (rs1,rd) <-> 0b000011100111 @ rs1 @ 0b111 @ rd @ 0b0101011 +mapping clause encdec = SHA512SUM0 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00100 @ rs1 @ 0b001 @ rd @ 0b0010011 -mapping clause assembly = SHA512_SIG0 (rs1,rd) <-> "sha512sig0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA512_SIG1 (rs1,rd) <-> "sha512sig1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA512_SUM0 (rs1,rd) <-> "sha512sum0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) -mapping clause assembly = SHA512_SUM1 (rs1,rd) <-> "sha512sum1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause encdec = SHA512SUM1 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00101 @ rs1 @ 0b001 @ rd @ 0b0010011 + +mapping clause encdec = SHA512SIG0 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00110 @ rs1 @ 0b001 @ rd @ 0b0010011 + +mapping clause encdec = SHA512SIG1 (rs1,rd) + <-> 0b00 @ 0b01000 @ 0b00111 @ rs1 @ 0b001 @ rd @ 0b0010011 + +mapping clause assembly = SHA512SIG0 (rs1,rd) <-> "sha512sig0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA512SIG1 (rs1,rd) <-> "sha512sig1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA512SUM0 (rs1,rd) <-> "sha512sum0" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) +mapping clause assembly = SHA512SUM1 (rs1,rd) <-> "sha512sum1" ^ spc() ^ reg_name(rd) ^ sep() ^ reg_name(rs1) val crypto_sha512_rv64 : (sha512_rv64_op, regidx, regidx) -> Retired effect {escape, rreg, wreg} @@ -163,19 +170,19 @@ function crypto_sha512_rv64 (op , rd , rs1 ) = { /* --- specification snippet end --- */ -function clause execute ( SHA512_SIG0 (rs1,rd)) = { +function clause execute ( SHA512SIG0 (rs1,rd)) = { crypto_sha512_rv64(OP_SHA512_SIG0, rd, rs1); } -function clause execute ( SHA512_SIG1 (rs1,rd)) = { +function clause execute ( SHA512SIG1 (rs1,rd)) = { crypto_sha512_rv64(OP_SHA512_SIG1, rd, rs1); } -function clause execute ( SHA512_SUM0 (rs1,rd)) = { +function clause execute ( SHA512SUM0 (rs1,rd)) = { crypto_sha512_rv64(OP_SHA512_SUM0, rd, rs1); } -function clause execute ( SHA512_SUM1 (rs1,rd)) = { +function clause execute ( SHA512SUM1 (rs1,rd)) = { crypto_sha512_rv64(OP_SHA512_SUM1, rd, rs1); } diff --git a/tools/opcodes-crypto-scalar-both b/tools/opcodes-crypto-scalar-both index a3b34085..bd3368e2 100644 --- a/tools/opcodes-crypto-scalar-both +++ b/tools/opcodes-crypto-scalar-both @@ -10,8 +10,8 @@ @getnoise rd 19..15=0 31..20=0x7A9 14..12=0 6..0=0b1110011 # Scalar SM4 - RV32, RV64 -sm4ed rd rs1 rs2 bs rs1:==rd 29..25=0b11000 14..12=0 6..0=0x33 -sm4ks rd rs1 rs2 bs rs1:==rd 29..25=0b11010 14..12=0 6..0=0x33 +sm4ed rt rs2 bs 11..7=0 29..25=0b11000 14..12=0 6..0=0x33 +sm4ks rt rs2 bs 11..7=0 29..25=0b11010 14..12=0 6..0=0x33 # Scalar SM3 - RV32, RV64 sm3p0 rd rs1 31..30=0 29..25=0b01000 24..20=0b01000 14..12=1 6..0=0x13 diff --git a/tools/opcodes-crypto-scalar-rv32 b/tools/opcodes-crypto-scalar-rv32 index 03177008..1d195ecb 100644 --- a/tools/opcodes-crypto-scalar-rv32 +++ b/tools/opcodes-crypto-scalar-rv32 @@ -6,10 +6,10 @@ # ------------------------------------------------------------ # Scalar AES - RV32 -aes32esmi rd rs1 rs2 bs rs1:==rd 29..25=0b11011 14..12=0 6..0=0x33 -aes32esi rd rs1 rs2 bs rs1:==rd 29..25=0b11001 14..12=0 6..0=0x33 -aes32dsmi rd rs1 rs2 bs rs1:==rd 29..25=0b11111 14..12=0 6..0=0x33 -aes32dsi rd rs1 rs2 bs rs1:==rd 29..25=0b11101 14..12=0 6..0=0x33 +aes32esmi rt rs2 bs 11..7=0 29..25=0b11011 14..12=0 6..0=0x33 +aes32esi rt rs2 bs 11..7=0 29..25=0b11001 14..12=0 6..0=0x33 +aes32dsmi rt rs2 bs 11..7=0 29..25=0b11111 14..12=0 6..0=0x33 +aes32dsi rt rs2 bs 11..7=0 29..25=0b11101 14..12=0 6..0=0x33 # Scalar SHA512 - RV32 sha512sum0r rd rs1 rs2 31..30=1 29..25=0b01000 14..12=0 6..0=0x33 diff --git a/tools/patch-binutils.patch b/tools/patch-binutils.patch index ff2f2e70..89e5b36d 100644 --- a/tools/patch-binutils.patch +++ b/tools/patch-binutils.patch @@ -49,7 +49,7 @@ index 9ecdcab0b6..1834f7c08b 100644 case 'd': /* Destination register. */ case 's': /* Source register. */ diff --git a/include/opcode/riscv-opc.h b/include/opcode/riscv-opc.h -index 6c750a33b1..57b49f8a5c 100644 +index 6c750a33b1..7a9cd08674 100644 --- a/include/opcode/riscv-opc.h +++ b/include/opcode/riscv-opc.h @@ -343,6 +343,70 @@ @@ -61,9 +61,9 @@ index 6c750a33b1..57b49f8a5c 100644 +#define MATCH_POLLENTROPY 0xf1500073 +#define MASK_GETNOISE 0xfffff07f +#define MATCH_GETNOISE 0x7a900073 -+#define MASK_SM4ED 0x3e00707f ++#define MASK_SM4ED 0x3e007fff +#define MATCH_SM4ED 0x30000033 -+#define MASK_SM4KS 0x3e00707f ++#define MASK_SM4KS 0x3e007fff +#define MATCH_SM4KS 0x34000033 +#define MASK_SM3P0 0xfff0707f +#define MATCH_SM3P0 0x10801013 @@ -77,13 +77,13 @@ index 6c750a33b1..57b49f8a5c 100644 +#define MATCH_SHA256SIG0 0x10201013 +#define MASK_SHA256SIG1 0xfff0707f +#define MATCH_SHA256SIG1 0x10301013 -+#define MASK_AES32ESMI 0x3e00707f ++#define MASK_AES32ESMI 0x3e007fff +#define MATCH_AES32ESMI 0x36000033 -+#define MASK_AES32ESI 0x3e00707f ++#define MASK_AES32ESI 0x3e007fff +#define MATCH_AES32ESI 0x32000033 -+#define MASK_AES32DSMI 0x3e00707f ++#define MASK_AES32DSMI 0x3e007fff +#define MATCH_AES32DSMI 0x3e000033 -+#define MASK_AES32DSI 0x3e00707f ++#define MASK_AES32DSI 0x3e007fff +#define MATCH_AES32DSI 0x3a000033 +#define MASK_SHA512SUM0R 0xfe00707f +#define MATCH_SHA512SUM0R 0x50000033 @@ -182,7 +182,7 @@ index 19f10c0e55..7506f2bc80 100644 case 'z': print (info->stream, "%s", riscv_gpr_names[0]); diff --git a/opcodes/riscv-opc.c b/opcodes/riscv-opc.c -index e99febc823..016734c618 100644 +index e99febc823..880c815570 100644 --- a/opcodes/riscv-opc.c +++ b/opcodes/riscv-opc.c @@ -496,27 +496,27 @@ const struct riscv_opcode riscv_opcodes[] = @@ -281,12 +281,12 @@ index e99febc823..016734c618 100644 {"unzip", 0, INSN_CLASS_B_OR_ZBP, "d,s", 0, (int) M_PERM, match_never, INSN_MACRO }, +/* Scalar Crypto Instructions */ -+{"sm4ed" , 0, INSN_CLASS_I, "d,s,t,w", MATCH_SM4ED, MASK_SM4ED, match_opcode, 0}, -+{"sm4ks" , 0, INSN_CLASS_I, "d,s,t,w", MATCH_SM4KS, MASK_SM4KS, match_opcode, 0}, -+{"aes32esmi" ,32, INSN_CLASS_I, "d,s,t,w", MATCH_AES32ESMI, MASK_AES32ESMI, match_opcode, 0}, -+{"aes32esi" ,32, INSN_CLASS_I, "d,s,t,w", MATCH_AES32ESI, MASK_AES32ESI, match_opcode, 0}, -+{"aes32dsmi" ,32, INSN_CLASS_I, "d,s,t,w", MATCH_AES32DSMI, MASK_AES32DSMI, match_opcode, 0}, -+{"aes32dsi" ,32, INSN_CLASS_I, "d,s,t,w", MATCH_AES32DSI, MASK_AES32DSI, match_opcode, 0}, ++{"sm4ed" , 0, INSN_CLASS_I, "s,t,w", MATCH_SM4ED, MASK_SM4ED, match_opcode, 0}, ++{"sm4ks" , 0, INSN_CLASS_I, "s,t,w", MATCH_SM4KS, MASK_SM4KS, match_opcode, 0}, ++{"aes32esmi" ,32, INSN_CLASS_I, "s,t,w", MATCH_AES32ESMI, MASK_AES32ESMI, match_opcode, 0}, ++{"aes32esi" ,32, INSN_CLASS_I, "s,t,w", MATCH_AES32ESI, MASK_AES32ESI, match_opcode, 0}, ++{"aes32dsmi" ,32, INSN_CLASS_I, "s,t,w", MATCH_AES32DSMI, MASK_AES32DSMI, match_opcode, 0}, ++{"aes32dsi" ,32, INSN_CLASS_I, "s,t,w", MATCH_AES32DSI, MASK_AES32DSI, match_opcode, 0}, +{"aes64ks1i" ,64, INSN_CLASS_I, "d,s,W", MATCH_AES64KS1I, MASK_AES64KS1I, match_opcode, 0}, +{"aes64ks2" ,64, INSN_CLASS_I, "d,s,t", MATCH_AES64KS2, MASK_AES64KS2, match_opcode, 0}, +{"aes64im" ,64, INSN_CLASS_I, "d,s", MATCH_AES64IM, MASK_AES64IM, match_opcode, 0}, diff --git a/tools/patch-spike.patch b/tools/patch-spike.patch index 2e4704f8..0d3f49b0 100644 --- a/tools/patch-spike.patch +++ b/tools/patch-spike.patch @@ -22,7 +22,7 @@ index b4bb2e6..ad335b6 100644 #define require_accelerator require((STATE.mstatus & MSTATUS_XS) != 0) diff --git a/riscv/encoding.h b/riscv/encoding.h -index fb1536e..62862cc 100644 +index fb1536e..c4dc4ce 100644 --- a/riscv/encoding.h +++ b/riscv/encoding.h @@ -660,6 +660,62 @@ @@ -34,9 +34,9 @@ index fb1536e..62862cc 100644 +#define MATCH_POLLENTROPY 0xf1500073 +#define MASK_GETNOISE 0xfffff07f +#define MATCH_GETNOISE 0x7a900073 -+#define MASK_SM4ED 0x3e00707f ++#define MASK_SM4ED 0x3e007fff +#define MATCH_SM4ED 0x30000033 -+#define MASK_SM4KS 0x3e00707f ++#define MASK_SM4KS 0x3e007fff +#define MATCH_SM4KS 0x34000033 +#define MASK_SM3P0 0xfff0707f +#define MATCH_SM3P0 0x10801013 @@ -537,10 +537,10 @@ index 0000000..9cc353c + diff --git a/riscv/insns/aesds.h b/riscv/insns/aesds.h new file mode 100644 -index 0000000..63c12f2 +index 0000000..c8d4f1f --- /dev/null +++ b/riscv/insns/aesds.h -@@ -0,0 +1,40 @@ +@@ -0,0 +1,42 @@ + +#include "aes_common.h" + @@ -548,6 +548,7 @@ index 0000000..63c12f2 + + require_rv32; + require_extension('K'); ++ require(RD == 0); // Additional decoding required for RV32 + + uint8_t bs = insn.bs(); + @@ -557,7 +558,8 @@ index 0000000..63c12f2 + + u = (u << (8*bs)) | (u >> (32-8*bs)); + -+ WRITE_RD(u ^ RS1); ++ uint64_t rd = insn.rs1(); // RD sourced from RS1 field. ++ WRITE_REG(rd, u ^ RS1); + +} else { + @@ -583,10 +585,10 @@ index 0000000..63c12f2 +} diff --git a/riscv/insns/aesdsm.h b/riscv/insns/aesdsm.h new file mode 100644 -index 0000000..f3ee138 +index 0000000..02bbbc8 --- /dev/null +++ b/riscv/insns/aesdsm.h -@@ -0,0 +1,53 @@ +@@ -0,0 +1,55 @@ + +#include "aes_common.h" + @@ -594,6 +596,7 @@ index 0000000..f3ee138 + + require_rv32; + require_extension('K'); ++ require(RD == 0); // Additional decoding required for RV32 + + uint8_t bs = insn.bs(); + @@ -608,7 +611,8 @@ index 0000000..f3ee138 + + u = (u << (8*bs)) | (u >> (32-8*bs)); + -+ WRITE_RD(u ^ RS1); ++ uint64_t rd = insn.rs1(); // RD sourced from RS1 field. ++ WRITE_REG(rd, u ^ RS1); + +} else { + @@ -642,10 +646,10 @@ index 0000000..f3ee138 +} diff --git a/riscv/insns/aeses.h b/riscv/insns/aeses.h new file mode 100644 -index 0000000..1d7d206 +index 0000000..088b8b5 --- /dev/null +++ b/riscv/insns/aeses.h -@@ -0,0 +1,41 @@ +@@ -0,0 +1,43 @@ + +#include "aes_common.h" + @@ -654,6 +658,7 @@ index 0000000..1d7d206 + + require_rv32; + require_extension('K'); ++ require(RD == 0); // Additional decoding required for RV32 + + uint8_t bs = insn.bs(); + @@ -663,7 +668,8 @@ index 0000000..1d7d206 + + u = (u << (8*bs)) | (u >> (32-8*bs)); + -+ WRITE_RD(u ^ RS1); ++ uint64_t rd = insn.rs1(); // RD sourced from RS1 field. ++ WRITE_REG(rd, u ^ RS1); + +} else { + @@ -689,10 +695,10 @@ index 0000000..1d7d206 +} diff --git a/riscv/insns/aesesm.h b/riscv/insns/aesesm.h new file mode 100644 -index 0000000..740270c +index 0000000..9188cf2 --- /dev/null +++ b/riscv/insns/aesesm.h -@@ -0,0 +1,54 @@ +@@ -0,0 +1,56 @@ + +#include "aes_common.h" + @@ -700,6 +706,7 @@ index 0000000..740270c + + require_rv32; + require_extension('K'); ++ require(RD == 0); // Additional decoding required for RV32 + + uint8_t bs = insn.bs(); + @@ -714,7 +721,8 @@ index 0000000..740270c + + u = (u << (8*bs)) | (u >> (32-8*bs)); + -+ WRITE_RD(u ^ RS1); ++ uint64_t rd = insn.rs1(); // RD sourced from RS1 field. ++ WRITE_REG(rd, u ^ RS1); + +} else { + @@ -1242,10 +1250,10 @@ index 0000000..17f129f + diff --git a/riscv/insns/sm4ed.h b/riscv/insns/sm4ed.h new file mode 100644 -index 0000000..738bc69 +index 0000000..5583335 --- /dev/null +++ b/riscv/insns/sm4ed.h -@@ -0,0 +1,22 @@ +@@ -0,0 +1,23 @@ + +require_extension('K'); + @@ -1265,15 +1273,16 @@ index 0000000..738bc69 +uint32_t rotl = (linear << (8*bs)) | (linear >> (32-8*bs)); + +uint32_t result = rotl ^ RS1; ++uint64_t rd = insn.rs1(); // RD sourced from RS1 field. + -+WRITE_RD(zext_xlen(result)); ++WRITE_REG(rd, zext_xlen(result)); + diff --git a/riscv/insns/sm4ks.h b/riscv/insns/sm4ks.h new file mode 100644 -index 0000000..5758d57 +index 0000000..589eb97 --- /dev/null +++ b/riscv/insns/sm4ks.h -@@ -0,0 +1,20 @@ +@@ -0,0 +1,21 @@ + +require_extension('K'); + @@ -1291,8 +1300,9 @@ index 0000000..5758d57 +uint32_t rotl = (x << (8*bs)) | (x >> (32-8*bs)); + +uint32_t result = rotl ^ RS1; ++uint64_t rd = insn.rs1(); // RD sourced from RS1 field. + -+WRITE_RD(zext_xlen(result)); ++WRITE_REG(rd, zext_xlen(result)); + diff --git a/riscv/insns/xnor.h b/riscv/insns/xnor.h index b2fe95b..fdb1f5d 100644