# RISC-V ISA: The Entropy-Source Standard

Presented at the Cryptarchi Workshop, May 30, 2022 – Porquerolles, France

By G. Richard Newell (Associate Technical Fellow, Microchip Technology, Inc.)

## RISC-V Security Rationale

- Clean-slate architecture invites new hardware security solutions

- Open security model accelerates hardware security innovation
- Opportunity to incorporate security industry learnings & best practices
- Open governance facilitates collaboration on best security approach
- Royalty free model enables new open-source hardware security solutions



## RISC-V International Security Organization



## From the Archives (circa 2015/2016)...

One Security Committee – a Chair and a Vice-Chair (and not much else!)



## **RISC-V Technical Organization 2022**

*Organization chart (labels recoverable from the slide):*

- Board of Directors (BoD)
- Technical Steering Committee (TSC); CTO, Staff
- Architecture Profiles
- Industry Verticals SIG: Consumer, Data Center, Finance, Communications, Oil & Gas, Defense/MilAero
- Horizontal committees: Privileged Software HC (Components, Interfaces, OSs, Platforms); Applications & Tools HC (Application, Libraries, Runtimes, Tools); Security HC; Technology Sector HC; SoC Infra. HC (RAS, Trace & Debug); Implementation HC; ISA Infrastructure HC
- Unpriv IC: IMAFDQC; Zb[abcs]; Memory Model; Crypto Scalar; Zfinx; Vector SIG; FP SIG; V phase 2; Crypto GOST-R TG; Packed SIMD TG; J TG; Code Size TG; Crypto Vector TG; Bfloat16 TG; FT: Zmmul, Zihintntl, WRS
- Priv IC: 1.11; ePMP; 1.12 (Priv); H; AIA TG; SMPU TG; FastInt TG; CMO 2 TG

### **Security Scope**



### Security Horizontal Committee and sub-committees

| Security HC                           |                       |                   |
|---------------------------------------|-----------------------|-------------------|
| Crypto Vector TG                      | Trusted Computing SIG | Memory Safety SIG |
| Crypto GOST-R TG                      | AP-TEE TG             | IOPMP TG          |
| Security Model TG                     | Secure Boot TG        | SMPU TG           |
| Security Response SIG                 |                       |                   |
| Blockchain SIG                        |                       |                   |
| Control Flow Integrity SIG            |                       |                   |
| Microarchitecture Side<br>Channel SIG |                       |                   |





### **Security HC - Roadmap**






### **Specification Plan**



|                           | CY22-Q1         | CY22-Q2   | CY22-Q3 | CY22-Q4   | CY23-Q1           | CY23-Q2   | CY23-Q3 | CY23-Q4 |
|---------------------------|-----------------|-----------|---------|-----------|-------------------|-----------|---------|---------|
| Security Model            | Inception, Plan |           | Develop |           | Freeze, Rat-Ready |           |         |         |
| AP-TEE<br>(ISA + non-ISA) | Inception       | Plan      | Develop | Freeze    | Rat-Ready         |           |         |         |
| CFI<br>(ISA)              | Inception       | Plan      | Develop |           | Freeze            | Rat-Ready |         |         |
| Vector crypto             | Develop         |           | Freeze  | Rat-Ready |                   |           |         |         |
| S-mode MPU                | Inception       | Plan      | Develop | Freeze    | Rat-Ready         |           |         |         |
| IOPMP<br>(non-ISA)        | Inception       | Plan      |         | Develop   | Freeze            | Rat-Ready |         |         |
| uSC leakage               |                 | Inception |         | Plan      |                   | Develop   |         | Freeze  |

## RISC-V Security 5 year horizon



- Platform Security Model outlining RISC-V security capabilities and system integration
- Tools and Software support for RISC-V security capabilities
- Protection against side-channel information leakage at the hardware level
- Robustness capabilities to prevent malicious manipulation of e.g., code execution flows
- Cryptography support for small to large devices, including Post-Quantum Crypto
- Memory isolation and Trusted Execution Environments to securely separate applications from each other
- Support for Confidential Compute and Capability based models to enhance application and data privacy
- Blockchain technology on RISC-V based systems

## RISC-V Cryptographic Extensions

- Scalar Crypto
- Vector Crypto



### Overview: Scalar Crypto (a.k.a. "K" for "Krypto")

#### **Scalar Cryptographic Extension:**

- Adds Functionality required for cryptography to Unprivileged Spec.
  - Cryptographic algorithms acceleration
  - Cryptographic-quality Random bits
- True random bits generation
  - Entropy source
- Performance-driven proposals:
  - New dedicated instructions:
    - NIST: AES / SHA2
    - ShangMi: SM3 / SM4
  - Fine-grained options for highly-constrained systems
  - Some required instructions *shared* with Bitmanip:
    - Rotations / Permutations
    - Carryless Multiply
  - Data-independent timing guarantees



- Asymmetric crypto (e.g., ECC, RSA)
- GMAC (needed for AES-GCM)
- SHA3 (needed for post-quantum crypto)
- Many lightweight algorithms like PRESENT
- Bit-slice implementations
  - One possible approach for DPA resistance
- "**Firsts**": first ISA to do this for cryptography:
  - Lightweight crypto. instructions using GP X-registers (vs. round-based using vector/SIMD registers)
    - Algorithms still done largely in software, but accelerated with lightweight instructions
  - Entropy source (vs. full random number generator)
    - supports any security strength in software
    - Compatible with modern view of TRNGs
  - Timing guarantees on a subset of the full RISC-V ISA



### Overview: Vector Crypto

#### Vector Cryptographic Extension:

- Built on top of the base vector extension
  - RISC-V-style variable-length vector support for crypto using vector registers
  - Extremely broad range of implementations possible from narrow to wide data-paths
- Low-latency limited-rounds instructions for AES, SHA2 (i.e., SHA-256, SHA-512)
- Full-rounds instructions for AES
- Round-based for SM3, SM4 (2022, time permitting)
- AES modes (e.g., AES-CBC) and SHA2 variations (e.g., SHA-384) done in software taking advantage of the commands above



- Rotations & Permutations not already in the base vector extension
- Vector Carry-less Multiply
- In total, these commands can also accelerate:
  - SHA3
  - Asymmetric algorithms (ECC, RSA)
  - GMAC (needed for AES-GCM)
- "Firsts": first ISA to do this for cryptography:
  - Full-round instructions that facilitate building side-channel-resistant micro-architectures (if desired)



## The RISC-V Entropy Source

Ratified Dec. 2021



## **Overview: Entropy Source**

- Provides standardized polling interface to a modern Entropy Source
- DRBG/PRNG post processing is out-of-scope
  - Done on software side
- Minimum Entropy guarantee:
  - 128 bits "full entropy" per 256 bits, plus one or more of:
    - 0.75 min-entropy rate per SP800-90B/C (192 bits per 256)
    - 0.997 Shannon entropy rate (per AIS-31 PTG.2)
    - Post-Quantum level 5 security
- 2:1 compression required of user on output
  - 512 bits → (e.g.) 2:1 SHA → 256-bit DRBG "seed"
- No limit on security strength... just draw more bits out
  - If an implementation *does* limit security strength (discouraged, or for virtual sources), it must support 256-bit security strength, minimum



### **Overview: Entropy Source (cont.)**

- SEED CSR available in M-mode; also available in S- and U-modes if M-mode allows it
- Optional standardized raw noise interface **GetNoise** (in M-mode only), for qualification testing
- Designed to work with NIST SP800-90B & BSI AIS31
- Works with RISC-V hypervisor spec.
- Can be virtualized

*Figure: seed CSR layout (labels recoverable from the slide: bit positions 31, 30, 29; OPST; zero extend; XLEN-1).*
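
A software model of the polling and 2:1 conditioning flow described above, added here as an example and not taken from the presentation or from the RISC-V project. The OPST encodings and field positions follow the ratified Scalar Crypto specification; `read_seed`, `scripted_source`, `sample_words` and the little-endian packing are assumptions, and on hardware `read_seed` would be a read-write CSR access such as `csrrw rd, seed, x0`.

```python
import hashlib

# OPST status codes in seed[31:30]; the entropy field is seed[15:0]. These
# encodings come from the ratified Scalar Crypto spec, not from the slides.
BIST, WAIT, ES16, DEAD = 0b00, 0b01, 0b10, 0b11

class EntropySourceDead(RuntimeError):
    """The source reported DEAD: unrecoverable failure, stop using it."""

def gather_seed(read_seed, max_polls=10_000):
    """Poll until 512 raw bits (32 ES16 words) are collected, then condition
    them 2:1 with SHA-256 into a 256-bit DRBG seed."""
    raw = bytearray()
    for _ in range(max_polls):
        word = read_seed() & 0xFFFFFFFF      # value is zero-extended above bit 31
        opst = word >> 30
        if opst == ES16:                     # only in this state are bits 15:0 valid
            raw += (word & 0xFFFF).to_bytes(2, "little")  # packing order is arbitrary
            if len(raw) == 64:
                return hashlib.sha256(bytes(raw)).digest()
        elif opst == DEAD:
            raise EntropySourceDead("seed CSR reported DEAD")
        # BIST or WAIT: nothing to consume yet, poll again
    raise TimeoutError("entropy source did not deliver 512 bits in time")

def scripted_source(words):
    """Hypothetical stand-in for the CSR read: replays constructed 32-bit values."""
    it = iter(words)
    return lambda: next(it)

def sample_words():
    """Constructed trace: two BIST polls, then WAIT/ES16 pairs (not real entropy)."""
    words = [BIST << 30, BIST << 30]
    for i in range(32):
        words += [WAIT << 30, (ES16 << 30) | ((0x1234 + 0x0101 * i) & 0xFFFF)]
    return words

if __name__ == "__main__":
    print(gather_seed(scripted_source(sample_words())).hex())
```

The 256-bit result is a seed for a software DRBG, which the slides place out of scope for the ISA interface.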



## We need your help:

## Security@lists.riscv.org



### **Backup Slides**



### **Robustness**

- Pointer Masking
  - `actual_address = (requested_address & ~mpmmask) | mpmbase`
  - Software based memory tagging
  - Memory bounding

#### Under development:

- Control Flow Integrity
  - Shadow Stack
  - Labelled Landing Pad
- MicroArchitectural Side Channel Leakage
  - An anomaly
  - Speculation Barriers fence.t







## Cryptography

- Scalar Extension Ratified
- Vector Extension 2022
- Post Quantum under discussion



### **Trusted Computing**

*Under Development:* 

- Trusted Execution Environment
- AP-TEE i/f to allow support on current ratified ISA
- Extensions possible to improve performance, security, etc.





*Figure labels: Conf. VMs, containers; Conf. apps, libraries.*

### **Trusted Computing (2)**

Under Development:

- Confidential Computing
  - Confidential VMs
- Extension of AP-TEE
- Incorporate attestation standards





### **Future Potential**

Requirement under discussion:

- Lightweight TEE
  - Potential Memory isolation scheme for small M/U systems.
  - Additional context to M mode
- Capability Based Security
  - CHERI



### SIRT

- Ensure continuity of the RISC-V Security Incident Response Team (SIRT)
- Institute and manage a responsible disclosure process
- Triage incoming security disclosures
- Maintain a catalogue of security issues