ghidra icon indicating copy to clipboard operation
ghidra copied to clipboard

Published 20 hours ago verified publisher icon NationalSecurityAgency

Update RISCV-64 sleigh files to support vector, bit manipulation, and crypto extensions

Open thixotropist opened this issue 1 year ago • 14 comments

Add several RISCV Instruction Set extensions to Ghidra, following discussion https://github.com/NationalSecurityAgency/ghidra/discussions/5744. This pull request tracks the tip of the binutils testsuite for vector, bitmap, and crypto instructions. You can verify the content by importing sample binaries from https://github.com/thixotropist/ghidra_import_tests. Import the RISCV-64 gas test suite, assemble to binary, then iterate on the Ghidra sleigh files until Ghidra and objdump give essentially the same disassembled output.

The sleigh files do not yet include pcode semantics. Recent updates to GCC-14 and libssl using RISCV vector and crypto extensions may give us sample binaries to work with, to see what pcode semantics actually add value with complex instructions like these.

thixotropist avatar Sep 14 '23 18:09 thixotropist

To fix build errors:

diff --git a/Ghidra/Processors/RISCV/certification.manifest b/Ghidra/Processors/RISCV/certification.manifest
index 569138783..b498068db 100644
--- a/Ghidra/Processors/RISCV/certification.manifest
+++ b/Ghidra/Processors/RISCV/certification.manifest
@@ -40,6 +40,9 @@ data/languages/riscv.rvc.sinc||GHIDRA||||END|
 data/languages/riscv.rvv.sinc||GHIDRA||||END|
 data/languages/riscv.table.sinc||GHIDRA||||END|
 data/languages/riscv.zi.sinc||GHIDRA||||END|
+data/languages/riscv.zvbb.sinc||GHIDRA||||END|
+data/languages/riscv.zvkng.sinc||GHIDRA||||END|
+data/languages/riscv.zvksg.sinc||GHIDRA||||END|
 data/languages/riscv32-fp.cspec||GHIDRA||||END|
 data/languages/riscv32.cspec||GHIDRA||||END|
 data/languages/riscv32.dwarf||GHIDRA||||END|

jobermayr avatar Sep 19 '23 16:09 jobermayr

I expect to fill in some gaps in this PR shortly. Scalar crypto extensions were skipped even though vector crypto extensions were added. openssl can use RISCV scalar crypto AES extension instructions but not (yet?) the vector crypto extensions. I also hope to add minimalist pcode semantics to allow decompilation of the simplest GCC-14 RISCV builtin intrinsic vector function examples - as used in rvv_memcpy, rvv_strncpy, rvv_matmul, and rvv_reduce.

Ghidra developers will have some serious design questions to thrash out when GCC-14 autovectorization support lands some time next year.

thixotropist avatar Sep 20 '23 13:09 thixotropist

THead extensions are now collected into separate slaspec files, which are now referenced in riscv.ldefs. I've only tested the 64 bit version. Thanks to @mumbel for making this suggestion.

  • each of the 10 THead extensions is guarded by its own versioned ifdef flag derived from the name embedded in Tag_RISCV_arch. That should give a bit more granular control.
  • riscv.opinion remains unchanged. The presence of ISA extensions is identified in ELF by appending to Tag_RISCV_arch, rather than setting a bit in a fixed ELF header bitfield e_flags.
  • users will only see the THead language option on import or change-language if they show all RISCV languages, not just the recommended language based on e_machine and e_flags

thixotropist avatar Oct 30 '23 13:10 thixotropist

@thixotropist I stubbed out some risc-v packed simd instructions and implemented some thead instructions here to fix some issues had with my work, feel free to cherry-pick the commits if you want.

madushan1000 avatar Nov 02 '23 23:11 madushan1000

@madushan1000: Those look good - I'll be happy to cherrypick them into the branch. Have you any suggestions for RISCV integration tests to add to https://github.com/thixotropist/ghidra_import_tests? It's currently very weak in 32 bit and microcontroller exemplars, as I've been leaning towards linux-capable 64 bit examples.

thixotropist avatar Nov 04 '23 16:11 thixotropist

This sdk I'm working with has a bunch of rv32 examples, https://github.com/bouffalolab/bouffalo_sdk/tree/master/examples. bl602, bl70x have sifive e24 cores. and bl61x and bl808 has various t-head cores. the examples have a small readme with the build instructions. they all generate .elf files.

madushan1000 avatar Nov 04 '23 16:11 madushan1000 

diff --git a/Ghidra/Processors/RISCV/data/languages/riscv.zfh.sinc b/Ghidra/Processors/RISCV/data/languages/riscv.zfh.sinc
index 696766a208..f8e0c69a4b 100644
--- a/Ghidra/Processors/RISCV/data/languages/riscv.zfh.sinc
+++ b/Ghidra/Processors/RISCV/data/languages/riscv.zfh.sinc
@@ -10,7 +10,7 @@
 :flh frd,immI(rs1) is immI & frd & rs1 & op0001=0x3 & op0204=0x1 & op0506=0x0 & funct3=0x1
 {
     local ea:$(XLEN) = immI + rs1;
-    fassignS(frd, *[ram]:2 ea);
+    fassignS(frd, *[ram]:4 ea);
 }
 
 # Half-Precision Store Instruction

to fix

> Task :RISCV:sleighCompile FAILED

Compiling ./data/languages/riscv.lp32qingke.slaspec:
5 NOP constructors found
Use -n switch to list each individually
riscv.table.sinc:103: Size restriction error in table 'instruction' in constructor at riscv.zfh.sinc:10
  Problem with 'frd' in 'Copy(=)' operator
  Input and output sizes must match; {type=real value_real=0x2 spaceid=null} != {type=handle value_real=0x0 spaceid=null}
No output produced

jobermayr avatar May 02 '24 19:05 jobermayr

@jobermayr: Thanks for the fix. I'm pushing your patch

thixotropist avatar May 02 '24 20:05 thixotropist