RTL: Add 4-sbox version of SAES64

On branch master Your branch is ahead of 'origin/master' by 1 commit. (use "git push" to publish your local commits) Changes to be committed: modified: rtl/README.md modified: rtl/crypto-fu/riscv_crypto_fu.v modified: rtl/crypto-fu/riscv_crypto_fu_rv64.v modified: rtl/crypto-fu/riscv_crypto_fu_saes64.v modified: rtl/crypto-fu/riscv_crypto_fu_sboxes.v modified: rtl/crypto-fu/tb_riscv_crypto_fu.v modified: rtl/crypto-fu/verify.sby Changes not staged for commit: modified: extern/riscv-gnu-toolchain (modified content) modified: extern/riscv-isa-sim (modified content)
riscv · May 10, 2020 · 1b8825b · 1b8825b
1 parent 5f08d0e
commit 1b8825b
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 60 deletions.
diff --git a/rtl/README.md b/rtl/README.md
@@ -40,7 +40,8 @@ Module Name                       | NAND2 Cells | LTP
 `riscv_crypto_fu_lut4` (RV32)     |       566   |  6
 `riscv_crypto_fu_lut4` (RV64)     |      1938   |  7
 `riscv_crypto_fu_saes32`          |      1176   | 30
-`riscv_crypto_fu_saes64`          |      8250   | 28
+`riscv_crypto_fu_saes64` (8 Sbox) |      8663   | 28
+`riscv_crypto_fu_saes64` (4 Sbox) |      6277   | 29
 `riscv_crypto_fu_ssha256`         |       737   |  5
 `riscv_crypto_fu_ssha512` (RV32)  |       701   |  6
 `riscv_crypto_fu_ssha512` (RV64)  |      1986   |  4
@@ -87,7 +88,7 @@ Module Name            | Combined AES/SM4 | Gate Inputs | NAND2 Cells | LTP
 `riscv_crypto_fu_rv32` |        No        |     No      |      4259   | 31
 `riscv_crypto_fu_rv32` |       Yes        |     No      |      3846   | 36
 `riscv_crypto_fu_rv32` |       Yes        |     Yes     |      3672   | 35
-`riscv_crypto_fu_rv64` |       N/A        |     No      |     13582   | 28
+`riscv_crypto_fu_rv64` |       N/A        |     No      |     13806   | 28
 `riscv_crypto_fu_rv64` |       N/A        |     Yes     |     14116   | 28
 
 Notes:

diff --git a/rtl/crypto-fu/riscv_crypto_fu.v b/rtl/crypto-fu/riscv_crypto_fu.v
@@ -87,7 +87,7 @@ parameter XLEN              = 64, // Must be one of: 32, 64.
 parameter LUT4_EN           = 1 , // Enable the lut4 instructions.
 parameter SAES_EN           = 1 , // Enable the saes32/64 instructions.
 parameter SAES_DEC_EN       = 1 , // Enable saes32/64 decrypt instructions.
-parameter SAES64_SBOXES     = 8 , // saes64 sbox instances. Valid values: 8
+parameter SAES64_SBOXES     = 8 , // saes64 sbox instances. Valid values: 8,4
 parameter SSHA256_EN        = 1 , // Enable the ssha256.* instructions.
 parameter SSHA512_EN        = 1 , // Enable the ssha256.* instructions.
 parameter SSM3_EN           = 1 , // Enable the ssm3.* instructions.
@@ -349,15 +349,17 @@ generate if(SAES_EN && RV64) begin  : saes64_implemented
 
     if(SAES_DEC_EN) begin
 
-        assign saes64_valid = op_saes64_ks1   || op_saes64_ks2   ||
-                              op_saes64_imix  || op_saes64_encs  ||
-                              op_saes64_encsm || op_saes64_decs  ||
-                              op_saes64_decsm ;
+        assign saes64_valid = valid && (
+            op_saes64_ks1   || op_saes64_ks2   ||
+            op_saes64_imix  || op_saes64_encs  ||
+            op_saes64_encsm || op_saes64_decs  ||
+            op_saes64_decsm );
 
     end else begin
 
-        assign saes64_valid = op_saes64_ks1   || op_saes64_ks2   ||
-                              op_saes64_encs  || op_saes64_encsm ;
+        assign saes64_valid = valid && (
+            op_saes64_ks1   || op_saes64_ks2   ||
+            op_saes64_encs  || op_saes64_encsm );
 
     end
 

diff --git a/rtl/crypto-fu/riscv_crypto_fu_rv64.v b/rtl/crypto-fu/riscv_crypto_fu_rv64.v
@@ -53,7 +53,7 @@ module riscv_crypto_fu_rv64 #(
 parameter LUT4_EN       = 1 , // Enable the lut4 instructions.
 parameter SAES_EN       = 1 , // Enable the saes32/64 instructions.
 parameter SAES_DEC_EN   = 1 , // Enable the saes32/64 decrypt instructions.
-parameter SAES64_SBOXES = 8 , // saes64 sbox instances. Valid values: 8
+parameter SAES64_SBOXES = 8 , // saes64 sbox instances. Valid values: 8,4
 parameter SSHA256_EN    = 1 , // Enable the ssha256.* instructions.
 parameter SSHA512_EN    = 1 , // Enable the ssha256.* instructions.
 parameter SSM3_EN       = 1 , // Enable the ssm3.* instructions.
@@ -97,17 +97,17 @@ output wire [     63:0] rd
 
 
 riscv_crypto_fu #(
-.XLEN           (64          ), // Must be one of: 32, 64.
-.LUT4_EN        (LUT4_EN     ), // Enable the lut4 instructions.
-.SAES_EN        (SAES_EN     ), // Enable the saes32/64 instructions.
-.SAES_DEC_EN    (SAES_DEC_EN ), // Enable the saes32/64 decrypt instructions.
-.SAES64_SBOXES  (8           ), // saes64 sbox instances. Valid values: 8
-.SSHA256_EN     (SSHA256_EN  ), // Enable the ssha256.* instructions.
-.SSHA512_EN     (SSHA512_EN  ), // Enable the ssha256.* instructions.
-.SSM3_EN        (SSM3_EN     ), // Enable the ssm3.* instructions.
-.SSM4_EN        (SSM4_EN     ), // Enable the ssm4.* instructions.
-.COMBINE_AES_SM4(        1'b0), // Not applicable for RV64
-.LOGIC_GATING   (LOGIC_GATING)  // Gate submodule inputs to save toggling.
+.XLEN           (64           ), // Must be one of: 32, 64.
+.LUT4_EN        (LUT4_EN      ), // Enable the lut4 instructions.
+.SAES_EN        (SAES_EN      ), // Enable the saes32/64 instructions.
+.SAES_DEC_EN    (SAES_DEC_EN  ), // Enable the saes32/64 decrypt instructions.
+.SAES64_SBOXES  (SAES64_SBOXES), // saes64 sbox instances. Valid values: 8,4
+.SSHA256_EN     (SSHA256_EN   ), // Enable the ssha256.* instructions.
+.SSHA512_EN     (SSHA512_EN   ), // Enable the ssha256.* instructions.
+.SSM3_EN        (SSM3_EN      ), // Enable the ssm3.* instructions.
+.SSM4_EN        (SSM4_EN      ), // Enable the ssm4.* instructions.
+.COMBINE_AES_SM4(        1'b0 ), // Not applicable for RV64
+.LOGIC_GATING   (LOGIC_GATING )  // Gate submodule inputs to save toggling.
 ) i_riscv_crypto_fu (
 .g_clk           (g_clk           ), // Global clock
 .g_resetn        (g_resetn        ), // Synchronous active low reset.

diff --git a/rtl/crypto-fu/riscv_crypto_fu_saes64.v b/rtl/crypto-fu/riscv_crypto_fu_saes64.v
@@ -39,7 +39,7 @@
 //
 module riscv_crypto_fu_saes64 #(
 parameter SAES_DEC_EN = 1 , // Enable the saes64 decrypt instructions.
-parameter SAES64_SBOXES = 8   // saes64 sbox instances. Valid values: 8
+parameter SAES64_SBOXES = 8   // saes64 sbox instances. Valid values: 8,4
 )(
 
 input  wire         g_clk           , // Global clock
@@ -67,7 +67,7 @@ output wire         ready             // Compute finished?
 `define BY(X,I) X[7+8*I:8*I]
 
 // Always finish in a single cycle.
-assign     ready            = valid              ;
+assign     ready            = valid && sbox_ready;
 
 // AES Round Constants
 wire [ 7:0] rcon [0:15];
@@ -127,6 +127,8 @@ wire [ 7:0] sb_fwd_out [7:0];
 wire [ 7:0] sb_inv_in  [7:0];
 wire [ 7:0] sb_inv_out [7:0];
 
+wire        sbox_ready      ;
+
 //
 // KeySchedule 1 SBox input selection
 wire        rcon_rot    = enc_rcon != 4'hA;
@@ -221,39 +223,101 @@ assign rd =
     {64{op_saes64_imix         }} & result_imix    ;
 
 //
-// AES SBox instances
+// Generate AES SBox instances
 // ------------------------------------------------------------
 
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_0 (.in(sb_fwd_in[0]),.fx(sb_fwd_out[0]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_1 (.in(sb_fwd_in[1]),.fx(sb_fwd_out[1]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_2 (.in(sb_fwd_in[2]),.fx(sb_fwd_out[2]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_3 (.in(sb_fwd_in[3]),.fx(sb_fwd_out[3]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_4 (.in(sb_fwd_in[4]),.fx(sb_fwd_out[4]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_5 (.in(sb_fwd_in[5]),.fx(sb_fwd_out[5]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_6 (.in(sb_fwd_in[6]),.fx(sb_fwd_out[6]));
-riscv_crypto_aes_fwd_sbox i_fwd_sbox_7 (.in(sb_fwd_in[7]),.fx(sb_fwd_out[7]));
-
-generate if(SAES_DEC_EN) begin : saes64_dec_sboxes_implemented
-
-riscv_crypto_aes_inv_sbox i_inv_sbox_0 (.in(sb_inv_in[0]),.fx(sb_inv_out[0]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_1 (.in(sb_inv_in[1]),.fx(sb_inv_out[1]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_2 (.in(sb_inv_in[2]),.fx(sb_inv_out[2]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_3 (.in(sb_inv_in[3]),.fx(sb_inv_out[3]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_4 (.in(sb_inv_in[4]),.fx(sb_inv_out[4]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_5 (.in(sb_inv_in[5]),.fx(sb_inv_out[5]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_6 (.in(sb_inv_in[6]),.fx(sb_inv_out[6]));
-riscv_crypto_aes_inv_sbox i_inv_sbox_7 (.in(sb_inv_in[7]),.fx(sb_inv_out[7]));
-
-end else begin  : saes64_dec_sboxes_not_implemented
-
-assign sb_inv_out[0] = 8'b0;
-assign sb_inv_out[1] = 8'b0;
-assign sb_inv_out[2] = 8'b0;
-assign sb_inv_out[3] = 8'b0;
-assign sb_inv_out[4] = 8'b0;
-assign sb_inv_out[5] = 8'b0;
-assign sb_inv_out[6] = 8'b0;
-assign sb_inv_out[7] = 8'b0;
+genvar i;
+
+generate if(SAES64_SBOXES == 8) begin : saes64_8_sboxes
+
+    // All sboxes complete in a single cycle.
+    assign sbox_ready = 1'b1;
+
+    for(i = 0; i < 8; i = i + 1) begin
+
+        riscv_crypto_aes_fwd_sbox i_fwd_sbox (
+            .in(sb_fwd_in [i]),
+            .fx(sb_fwd_out[i])
+        );
+
+        if(SAES_DEC_EN) begin : saes64_dec_sboxes_implemented
+
+            riscv_crypto_aes_inv_sbox i_inv_sbox (
+                .in(sb_inv_in [i]),
+                .fx(sb_inv_out[i])
+            );
+
+        end else begin  : saes64_dec_sboxes_not_implemented
+
+            assign sb_inv_out[i] = 8'b0;
+
+        end
+
+    end
+
+end else if(SAES64_SBOXES == 4) begin : saes64_4_sboxes
+
+    // Is this an instruction using >4 sboxes?
+    wire sbox_instr = op_saes64_encs || op_saes64_encsm ||
+                      op_saes64_decs || op_saes64_decsm ||
+                      op_saes64_ks1  ;
+
+    reg sbox_hi;
+
+    reg [7:0]   sbox_regs [3:0];
+    wire[7:0] n_sbox_inv  [3:0];
+    wire[7:0] n_sbox_fwd  [3:0];
+
+    wire      sbox_reg_ld_en = !sbox_hi && sbox_instr && valid;
+
+    assign sbox_ready = sbox_hi && sbox_instr || !sbox_instr;
+
+    for(i = 0; i < 4; i = i + 1) begin
+
+        always @(posedge g_clk) begin
+            if(sbox_reg_ld_en) begin
+                if(op_dec) begin
+                    sbox_regs[i] <= n_sbox_inv[i];
+                end else begin
+                    sbox_regs[i] <= n_sbox_fwd[i];
+                end
+            end
+        end
+
+        assign sb_inv_out[i  ] = sbox_regs [i  ];
+        assign sb_inv_out[i+4] = n_sbox_inv[i  ];
+        assign sb_fwd_out[i  ] = sbox_regs [i  ];
+        assign sb_fwd_out[i+4] = n_sbox_fwd[i  ];
+
+        riscv_crypto_aes_fwd_sbox i_fwd_sbox (
+            .in(sb_fwd_in [i + (sbox_hi ? 4 : 0)]),
+            .fx(n_sbox_fwd[i                    ])
+        );
+
+        if(SAES_DEC_EN) begin : saes64_dec_sboxes_implemented
+
+            riscv_crypto_aes_inv_sbox i_inv_sbox (
+                .in(sb_inv_in [i + (sbox_hi ? 4 : 0)]),
+                .fx(n_sbox_inv[i                    ])
+            );
+
+        end else begin  : saes64_dec_sboxes_not_implemented
+
+            assign n_sbox_inv[i] = 8'b0;
+
+        end
+
+    end
+
+    always @(posedge g_clk) begin
+        if(!g_resetn) begin
+            sbox_hi <= 1'b0;
+        end else if(valid && ready) begin
+            sbox_hi <= 1'b0;
+        end else if(valid && sbox_instr) begin
+            sbox_hi <= 1'b1;
+        end
+    end
 
 end endgenerate
 

diff --git a/rtl/crypto-fu/riscv_crypto_fu_sboxes.v b/rtl/crypto-fu/riscv_crypto_fu_sboxes.v
@@ -464,6 +464,32 @@ module riscv_crypto_aes_fwd_sbox (
 endmodule
 
 
+//
+// Forward / inverse aes sbox.
+module riscv_crypto_aes_sbox(
+    input  wire        dec,
+    input  wire [7:0]  in ,
+    output wire [7:0]  fx
+);
+
+wire [7:0] fx_fwd;
+wire [7:0] fx_inv;
+
+riscv_crypto_aes_fwd_sbox i_fwd (
+    .in(in)     ,
+    .fx(fx_fwd)
+);
+
+riscv_crypto_aes_inv_sbox i_inv (
+    .in(in)     ,
+    .fx(fx_fwd)
+);
+
+assign fx = dec ? fx_inv : fx_fwd;
+
+endmodule
+
+
 //
 // Single SM4 sbox. no need for inverse.
 module riscv_crypto_sm4_sbox( output [7:0] out, input [7:0] in );

diff --git a/rtl/crypto-fu/tb_riscv_crypto_fu.v b/rtl/crypto-fu/tb_riscv_crypto_fu.v
@@ -38,7 +38,7 @@ parameter XLEN          = `XLEN ; // Must be one of: 32, 64.
 parameter LUT4_EN       = 1     ; // Enable the lut4 instructions.
 parameter SAES_EN       = 1     ; // Enable the saes32/64 instructions.
 parameter SAES_DEC_EN   = 1     ; // Enable the saes32/64 decrypt instructions.
-parameter SAES64_SBOXES = 8     ; // saes64 sbox instances. Valid values: 8
+parameter SAES64_SBOXES =`SBOXES; // saes64 sbox instances. Valid values: 8
 parameter SSHA256_EN    = 1     ; // Enable the ssha256.* instructions.
 parameter SSHA512_EN    = 1     ; // Enable the ssha256.* instructions.
 parameter SSM3_EN       = 1     ; // Enable the ssm3.* instructions.
@@ -193,6 +193,7 @@ always @(posedge dut_g_clk) begin
     if($past(dut_valid) && $past(!dut_ready)) begin
         // If the TB is waiting for the DUT to compute an output,
         // make sure that the inputs are stable.
+        assume(        dut_valid            );
         assume($stable(dut_rs1             ));
         assume($stable(dut_rs2             ));
         assume($stable(dut_imm             ));

diff --git a/rtl/crypto-fu/verify.sby b/rtl/crypto-fu/verify.sby
@@ -1,12 +1,17 @@
 
 [tasks]
-rv32_prove prove rv32
-rv32_cover cover rv32
-rv64_prove prove rv64
-rv64_cover cover rv64
+rv32_prove prove rv32   sboxes_1
+rv32_cover cover rv32   sboxes_1
+rv64_4_prove prove rv64 sboxes_4
+rv64_4_cover cover rv64 sboxes_4
+rv64_8_prove prove rv64 sboxes_8
+rv64_8_cover cover rv64 sboxes_8
 
 [options]
-depth   5
+sboxes_1: depth 5
+sboxes_4: depth 6
+sboxes_8: depth 5
+
 prove: mode bmc
 cover: mode cover
 timeout 7200
@@ -17,6 +22,12 @@ smtbmc boolector
 [script]
 rv32: verilog_defaults -add -DXLEN=32 
 rv64: verilog_defaults -add -DXLEN=64 
+
+sboxes_1: verilog_defaults -add -DSBOXES=1
+sboxes_4: verilog_defaults -add -DSBOXES=4
+sboxes_8: verilog_defaults -add -DSBOXES=8
+
+
 read_verilog -formal riscv_crypto_fu.v
 read_verilog -formal riscv_crypto_fu_aes_mix_columns.v
 read_verilog -formal riscv_crypto_fu_lut4.v