[Zk ext] V.1.0.0 Scalar cryptography extension implementation for the Ibex core

[phthinh]

This PR adds an implementation of the ratified v.1.0.0 Scalar cryptography extension spec. Particularly, this PR adds a set of instructions specified for Zkn (supporting NIST algorithm suite) and Zks (supporting ShangMi Algorithm Suite). The implementation can be configured by RV32K parameter. The implementation was successfully verified with the ibex_simple_system on Verilator with 2 new experimental configurations: experimental-maxperf-pmp-zkn for Zkn and experimental-maxperf-pmp-zks for Zks. I am happy to have further discussions and/or sanitizing works to merge this PR to the Ibex core.

[phthinh]

Finally, the PR passes the CI checking. Please do the review and let me know if anything else needs to improve.

[GregAC]

Thanks for the contribution @phthinh. I believe we will be keen to merge some form of this but as you can imagine new ISA extensions require careful consideration. There's quite a lot going on at lowRISC right now so we might not manage a full review before Christmas but rest assured this has not been forgotten!

In the meantime I would be interested to hear a bit more about the verification. You said you used simple system, do you have a set of test programs? They may also be useful to add. Eventually we'd want to test it using the RISC-DV instruction generator our main DV uses but some directed tests would suffice in the mean time.

[phthinh]

Thanks for your response and interest in the PR @GregAC. I understand that many active things are going on at lowRISC. I will keep following up with the PR unit when it can be good for merging to lowRISC. I look forward to getting your review after Christmas.

In the meantime, I will keep my developing branch up-to-date with new merged PRs at LowRISC, which allows merging Zk ext PR easier later on. Regarding the verification, I successfully tested the Zk ext with my own test program and also with the riscv-compliance [1] test suites. I think the test compliance is more formal but the K extension test of the current the riscv-compliance does not be updated for the ratified v.1.0.0 Scalar cryptography extension spec. I did some small changes on this to support the ratified spec. (more specifically, xperm.b -> xperm8; xperm.n -> xperm4) and to run K extension test for the ibex target. For the target for the compliance test, I built the ibex system with make build-riscv-compliance IBEX_CONFIG=experimental-maxperf-pmp-zkn' and make build-riscv-compliance IBEX_CONFIG=experimental-maxperf-pmp-zkn'. I used the toolchain supporting the Zk extension, that was built from [2].

Apart from that, I will look at how to use the RISC-DV instruction generator to verify the Zk extension.

[1] https://github.com/riscv-non-isa/riscv-arch-test [2] https://github.com/riscv/riscv-crypto

[phthinh]

Hi @GregAC, for the verification of the scalar crypto extension, we have created a public Repo consisting of our testing works, including instructions test programs and the RISC-V-compliance test suites, for crypto-supporting ibex core. You can find it here https://github.com/scarv/crypto-ibex-test. We also wrote down a simple instruction to show how to test the scalar crypto extension on the repos' Readme file.