Zvkned: add infrastructure for Zvkned

[KotorinMinami]

Implements the Zvkned (NIST Suite: Vector AES Block Cipher) extension, as of version Release 1.0.0.

The following instructions are included:

• vaesef.[vv,vs]
• vaesem.[vv,vs]
• vaesdf.[vv,vs]
• vaesdm.[vv,vs]
• vaeskf1.vi
• vaeskf2.vi
• vaesz.vs

All instructions were tested with VLEN=128 and results were compared with QEMU results of each instruction.

Note
This PR was originally developed by @charmitro , and now the Vector AES Block Cipher has been released.

[github-actions]

Test Results

400 tests  ±0   400 ✅ ±0   1m 48s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 4f8b826. ± Comparison against base commit 32d5194.

♻️ This comment has been updated with latest results.

[Timmmm]

A few random low-level Sail comments (I know nothing about the actual spec).

Also how was it tested against QEMU exactly? It would be nice to integrate tests like that (in future; we don't have the infrastructure for it yet).

[Timmmm]

Suggested change

	if (zvk_check_elements(VLEN, num_elem, LMUL, SEW) == false)
	if not(zvk_check_elements(VLEN, num_elem, LMUL, SEW))

(And in the other places.)

[Timmmm]

I think I would just simplify this to

function aes_rotword(x) = x[7 .. 0] @ x[15 .. 8] @ x[23 .. 16] @ x[31 .. 24]

[Timmmm]

Is this necessarily true? Definitely worth a comment explaining why at least.

[KotorinMinami]

the spec declared that it should be 32 bits, and without that, the Sail compiler will chuck an error, because it won't know how many bits 'm has.

[Timmmm]

Hmm the spec says it is reserved. I think we should maybe raise an illegal instruction exception in that case (though we still need a proper policy on how to handle reserved behaviour).

[jordancarlin]

I haven't looked at the spec closely enough yet, but if it is reserved it seems like it would be best to catch it at the encdec stage if possible and just not decode it as this instruction. Then it would fall through to the existing illegal instruction catch-all.

[Timmmm]

Yeah that probably makes sense.

[KotorinMinami]

Yes, but then bits('m) would need to be bits(32) for Sail to prove it.

[Timmmm]

You could do something like this:

  let 'SEW      = get_sew();
  let LMUL_pow = get_lmul_pow();
  let LMUL     = if LMUL_pow < 0 then 0 else LMUL_pow;
  let 'num_elem = get_num_elem(LMUL_pow, SEW);

  if 'SEW != 32 | not(zvk_check_elements(VLEN, num_elem, LMUL, SEW)) then {
    handle_illegal();
    RETIRE_FAIL
  } else {
    let vs2_val = read_vreg(num_elem, SEW, LMUL_pow, vs2);
    let vd_val  = read_vreg(num_elem, SEW, LMUL_pow, vd);

    let eg_len = (unsigned(vl) / 'num_elem);
   ...

I think that will compile. Not 100% sure though.

[KotorinMinami]

That works, thank you!

[Timmmm]

I think we should avoid having behaviour encoded in strings. suffix should be an enum, not strings.

[Timmmm]

So this would be something like:

let vs2_key = get_velem(vs2_val, match suffix { something_VV => i, something_VS => 0 });

(I'll leave you to come up with suitable names for whatever VV and VS mean!)

[Timmmm]

bits? Maybe before my time; is bitvector an old version of bits?

[Timmmm]

bits(128). You could just delete all these, though it may be appropriate for readability.

[Timmmm]

Remove , dec - Sail doesn't support per-vector orders now.

You could just delete the type annotations (I would, but up to you).

[charmitro]

Comment and mapping name states vaesdm but the mapping itself is happening for vaesem.[vv, vs] mnemonics.

[Timmmm]

Also the rest of the model maps ast to assembly; not the bits directly.

[jordancarlin]

Still need to take a look at the spec, but here are some initial comments.

[jordancarlin]

With simple function declarations like this, it’s usually easier to eliminate the val line and directly integrate the types into the function line.

[jordancarlin]

Missing comment with long form name of the extension. This should also be moved down to be with the rest of the Z* extensions in a new Zv* section.

[charmitro]

Specification states:

  let CurrentRoundKey[3:0] : bits(128) = get_velem(vs2, EGW=128, i);
  let RoundKeyB[3:0] : bits(32) = get_velem(vd, EGW=128, i); // Previous round key

[KotorinMinami]

I think the issues raised by the review have been resolved so far. @Timmmm @jordancarlin Is there anything else wrong with my code?

[jordancarlin]

@KotorinMinami Sorry about the delay in reviewing this. I think it needs some modifications because of the recent type refactoring for registers. Once it is rebased I'll give it another look. Would be good to get this one in soon for RVA23.

[KotorinMinami]

I think we can move forward with this. @jordancarlin

[nadime15]

Do you still need that? Its part of the encdec clause already (get_sew() == 32)

[jordancarlin]

What about even moving the zvk_check_elements check into the encdec clause?

[KotorinMinami]

Need. The Sail compiler cannot obtain specific SEW information here (even if proven in encdec). Without specifying SEW, it will fail type checking.

[jordancarlin]

If it's just to make the Sail compiler happy then how about using an assert?

[nadime15]

You can remove the RISCV_* from all instruction names.

Suggested change

	union clause ast = RISCV_VAESKF2_VI : (vregidx, bits(5), vregidx)
	union clause ast = VAESKF2_VI : (vregidx, bits(5), vregidx)

[nadime15]

Suggested change

	when extensionEnabled(Ext_Zvkned) & get_sew() == 32
	when extensionEnabled(Ext_Zvkned) & get_sew() == 32

Spaces

[nadime15]

Formatting

Suggested change

	let 'SEW = get_sew();
	let LMUL_pow = get_lmul_pow();
	let LMUL = if LMUL_pow < 0 then 0 else LMUL_pow;
	let 'num_elem = get_num_elem(LMUL_pow, 'SEW);
	let 'SEW = get_sew();
	let LMUL_pow = get_lmul_pow();
	let LMUL = if LMUL_pow < 0 then 0 else LMUL_pow;
	let 'num_elem = get_num_elem(LMUL_pow, SEW);

[nadime15]

Is there a reason why you use 'SEW and sometimes SEW? Probably a typo?

[jordancarlin]

Let’s put this with the existing Zvk extensions.

[jordancarlin]

What about even moving the zvk_check_elements check into the encdec clause?

[nadime15]

Writing an element of size 128 is not possible. This will cause a runtime assertion failure.

write_single_element() invokes read_single_vreg(), which contains the assertion:
assert(8 <= SEW && SEW <= 64);

[KotorinMinami]

So, why does write_single_element even allow 128-bit EEW? If it's going to trigger an assertion, the function definition shouldn't permit a 128-bit EEW (Element Effective Width) in the first place. If that's the case, then we'll just have to perform two 64-bit reads.

val write_single_element : forall 'm 'x, 8 <= 'm <= 128. (int('m), int('x), vregidx, bits('m)) -> unit

[pmundkur]

Good point. It looks like some of the type signatures on these helpers are insufficiently precise.

[nadime15]

I really like the idea of zvk_check_encdec! We can use this for the other Zvk* extensions too!

Personally, I prefer something like:

Suggested change

	function zvk_check_elements(VLEN : int, num_elem : int, LMUL : int, SEW : int) -> bool = {
	((unsigned(vl)%num_elem) != 0) | ((unsigned(vstart)%num_elem) != 0) | (LMUL*VLEN) < (num_elem*SEW)
	}
	function zvk_check_encdec() -> bool = {
	let SEW = get_sew();
	let LMUL_pow = get_lmul_pow();
	let LMUL = if LMUL_pow < 0 then 0 else LMUL_pow;
	let num_elem = get_num_elem(LMUL_pow, SEW);
	zvk_check_elements(VLEN, num_elem, LMUL, SEW)
	}
	function zvk_check_encdec() -> bool = {
	let LMUL_pow = get_lmul_pow();
	(unsigned(vl) % 4 == 0) & (unsigned(vstart) % 4 == 0) | (2 ^ LMUL_pow * VLEN) >= 128)
	}

The spec sets EGW=128 and EGS=4

The spec also says that vl and vstart must be multiples of 4 (=EGS), not num_elem. This means we could have vl = 8 and num_elem = 8, which is valid, but the current check (vl % num_elem != 0) would incorrectly be false when it should be true.

Additionally, the code currently takes the exponent of the current LMUL (get_lmul_pow()) but ignores negative exponents (!). Right now, if you check get_lmul_pow(), the condition (LMUL*VLEN) < (num_elem*SEW) effectively does:

LMUL_pow * VLEN < (2 ^ LMUL_pow * VLEN / SEW) * SEW

which simplifies to LMUL_pow < (2 ^ LMUL_pow) Which is always true (for now).

What we really want is

2 * get_lmul_pow() * VLEN >= 128 (I assume that sail can deal with negative exponents)

Edit: It would probable make even more sense to have something like

function zvk_check_encdec(EGW : int, EGS: int)

because EGW for vsha2c[hl].vv varies and is EGW = 4 * SEW

[nadime15]

Same here for EGS = 4:

Suggested change

	let eg_len = (unsigned(vl) / num_elem);
	let eg_start = (unsigned(vstart) / num_elem);
	let eg_len = (unsigned(vl) / 4);
	let eg_start = (unsigned(vstart) / 4;

I ran into cases where vl = 4 and vstart = 0, but num_elem = 8 (which is valid). However, with the old code, we would incorrectly skip the following loop because eg_len would be 0, even though it should be 1.

[nadime15]

For #819, I added my own version of the set_velem function, but I actually prefer yours! One suggestion: instead of returning s, how about we write directly to vd within the function and then call write_vreg? Since it's a setter method, it might make more sense to do it that way and we would follow the spec.

[KotorinMinami]

However, there's a problem: this approach results in multiple calls to write_vreg, subsequently leading to redundant calls to write_single_vreg, making it less efficient.

[nadime15]

Yes you are right its not really efficient but Sail's primary focus is readability.

Currently, Sail does not provide a function to write n continuous elements starting from a specific position in a given vreg. The available functions for writing to a vreg are:

• write_vreg()
• write_single_vreg()
• write_single_element()

The implementation I have is:

/* Divide the input bitvector into 4 equal slices and store them in vd starting at position 4*i */
val set_velem : forall 'p 'n 'm, 8 <= 'n <= 64 & 'm > 0 & 'p >= 0. (vregidx, int('n), bits('m), int('p)) -> unit
function set_velem(vd, SEW, input, i) = {
  foreach(j from 0 to 3)
    write_single_element(SEW, 4 * i + j, vd, slice(input, j * SEW, SEW));
}

This function enables direct writing (setting) of multiple continuous elements to a vreg without the need to return the value vector and to store it at some pointer later via write_vreg() . Additionally, it could be further generalized to allow writing n continuous elements instead of just four and it follows more the spec.

It might be helpful to get feedback from others as well. @pmundkur @jordancarlin

[KotorinMinami]

Maybe we can add function like write_element_group ?

[nadime15]

We more or less agreed on the same function but you use

2 ^ LMUL * VLEN >= 128

instead of

2 ^ LMUL_pow * VLEN >= 128

This essentially suggests that LMUL = 0.5 (mf2), 0.25 (mf4), 0.125 (mf8) cannot be used with this extension, which is incorrect (I still assume that Sail can handle negative exponents).

[pmundkur]

See rems-project/sail#1252

[nadime15]

Yes I noticed that too while testing it with the OCaml backend and it did not work, I was surprised that it worked with the C backend. Thats why I initially assumed its supported somehow.

I propose that we go ahead and merge the function as it is for now. We can then either update it after this is merged and the remaining vector crypto extensions are in, or modify it immediately.

Personally, I think it makes more sense to keep the current version and follow up with a separate PR that explicitly changes the function.

Edit: Actually it does not matter if we change the function now or do it after all the remaining vector crypto extension are in, I am happy with both

[pmundkur]

I'm okay with both too, though we should file an issue with the details to track this. Is this a hole in the vector test suite that doesn't trigger this?

[nadime15]

No, because the vector test suite only generates test cases for valid configurations.

[nadime15]

If you started reviewing the code, it’s ready for another look. @KotorinMinami and I worked together, and the code now structurally matches the other Vector Cryptography Extensions.

[pmundkur]

Looks pretty clean! Some minor fixes suggested.

[pmundkur]

Suggested change

	enum zvkfunct6 = {ZVK_VAESDFVV, ZVK_VAESDFVS, ZVK_VAESDMVV, ZVK_VAESDMVS, ZVK_VAESEFVV, ZVK_VAESEFVS, ZVK_VAESEMVV, ZVK_VAESEMVS, ZVK_VSHA2CH, ZVK_VSHA2CL}
	enum zvkfunct6 = {ZVK_VAESDF_VV, ZVK_VAESDF_VS, ZVK_VAESDM_VV, ZVK_VAESDM_VS, ZVK_VAESEF_VV, ZVK_VAESEF_VS, ZVK_VAESEM_VV, ZVK_VAESEM_VS, ZVK_VSHA2CH, ZVK_VSHA2CL}

This will make it a bit easier to read and is closer to the mnemonic where . is replaced by _. Their uses will need to be updated as well.

[pmundkur]

Suggested change

	union clause ast = ZVKVAESDFTYPE : (zvkfunct6, vregidx, vregidx)
	union clause ast = VAESDF : (zvkfunct6, vregidx, vregidx)

Elsewhere in the PR there are ast nodes like VAESKF1_VI, VAESZ_VS and similar, which are easier to parse; this will make it more consistent.

[pmundkur]

This is a partial mapping, since there are more elements in zvkfunct6 than just these two. mappings should be complete, otherwise use scattered mapping clauses.

In this case, since there are only two valid funct6 values for VAESDF and similar nodes , it might be best to split the big zvkfunct6 enumeration into {_VV, _VS} pairs for each ast node. This will also help make the above if .. else safer.

[nadime15]

If I understand correctly, do you mean something like

enum zvk_vaesdf_funct6 = {ZVK_VAESDF_VV, ZVK_VAESDF_VS}
enum zvk_vaesdm_funct6 = {ZVK_VAESDM_VV, ZVK_VAESDM_VS}
enum zvk_vaesef_funct6 = {ZVK_VAESEF_VV, ZVK_VAESEF_VS}
enum zvk_vaesem_funct6 = {ZVK_VAESEM_VV, ZVK_VAESEM_VS}

?

[pmundkur]

Yes, exactly.

[pmundkur]

Suggested change

	union clause ast = ZVKVAESDMTYPE : (zvkfunct6, vregidx, vregidx)
	union clause ast = VAESDM : (zvkfunct6, vregidx, vregidx)

[pmundkur]

See above; make this into one complete mapping for zvkfunct6.

[pmundkur]

Suggested change

	union clause ast = ZVKVAESEFTYPE : (zvkfunct6, vregidx, vregidx)
	union clause ast = VAESEF : (zvkfunct6, vregidx, vregidx)

[pmundkur]

This if ... else is safer if there are only possible values for funct6. See below.

[pmundkur]

Suggested change

	union clause ast = ZVKVAESEMTYPE : (zvkfunct6, vregidx, vregidx)
	union clause ast = VAESEM : (zvkfunct6, vregidx, vregidx)

[pmundkur]

Splitting up zvkfunct6 will help make this mapping complete; right now, it isn't.

[KotorinMinami]

I've already made the corresponding changes. Since the if section already fully covers the enum, I wanted to use match to handle it. However, I'm not sure why, without specifying the type, sail can't infer the return type of the match expression. If you think using if is still more clear, I can switch it back.

[pmundkur]

I've already made the corresponding changes. Since the if section already fully covers the enum, I wanted to use match to handle it. However, I'm not sure why, without specifying the type, sail can't infer the return type of the match expression. If you think using if is still more clear, I can switch it back.

The match is clearer, no needed to change.

[nadime15]

Is there a reason why you put Zvkned after Zvknha ? In the spec Zvknh[ab] comes after Zvkned

[nadime15]

Same here, why is Zvkned in between Zvknha and Zvknhb?

[nadime15]

In my opinion this function should be part of riscv_types_kext.sail

function aes_rotword(x : bits(32)) -> bits(32) = x[7.. 0] @ x[31..24] @ x[23..16] @ x[15.. 8]

[nadime15]

Looks good!

[pmundkur]

Nice!