Add PPE42 (PowerPC Embedded) architecture support #338
Open
Manideep-Bhupalam wants to merge 2 commits into
@Wenzel @novafacing Can you please score this PR
feat: Add PPE42 (PowerPC Embedded) architecture support
Add support for the PPE42 (PowerPC Processor Embedded 42-bit) architecture
used in IBM SBE (Self-Boot Engine) firmware and other embedded PowerPC systems.
Changes:
- Add PPE42 architecture implementation (src/arch/ppe42.rs)
  * Uses rlwimi instruction for magic breakpoints
  * Supports physical addressing (no MMU translation)
  * Makes CpuInstructionQueryInterface and CpuInstrumentationSubscribeInterface
    optional as they may not be available in all PPE42 Simics models
  * Uses r10 for index selector, r3-r5 for arguments (PowerPC ABI)
- Add PPE42 harness header (harness/tsffs-gcc-ppe42.h)
  * Implements magic instructions using rlwimi format
  * Compatible with SBE firmware magic instruction conventions
  * Supports all standard harness operations (start, stop, assert)
- Integrate PPE42 into architecture framework (src/arch/mod.rs)
  * Add PPE42 to Architecture enum and all trait implementations
  * Add architecture hint parsing for "ppe42", "ppc", "powerpc", "ppc32"
  * Refactor detection chain to use early returns for clarity
- Update main harness header (harness/tsffs.h)
  * Add PPE42 architecture detection for GCC/Clang compilers
  * Include tsffs-gcc-ppe42.h for PowerPC preprocessor macros
This implementation provides the foundation for fuzzing embedded PowerPC
firmware in Simics, with optional coverage tracking to be added separately.
Pull request overview
This PR introduces initial support for the PPE42 (embedded PowerPC) architecture across TSFFS’s Rust architecture layer and the C/C++ harness headers, aiming to enable fuzzing of embedded PowerPC firmware (e.g., IBM SBE) in Simics.
Changes:
- Added a new PPE42 architecture implementation (src/arch/ppe42.rs) and wired it into architecture hinting/selection (src/arch/mod.rs).
- Added a PPE42 GCC/Clang harness header (harness/tsffs-gcc-ppe42.h) and attempted to integrate it into the main harness selector (harness/tsffs.h).
- Added a “physical addressing” mode to the architecture framework for embedded targets (USE_PHYSICAL_ADDRESSES).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/arch/ppe42.rs | New PPE42 architecture operations + minimal disassembler. |
| src/arch/mod.rs | Adds PPE42 integration and introduces USE_PHYSICAL_ADDRESSES; refactors arch detection. |
| harness/tsffs.h | Attempts to include PPE42 harness based on PowerPC preprocessor macros. |
| harness/tsffs-gcc-ppe42.h | New PPE42 harness header with rlwimi-based “magic instruction” macros and TSFFS operation numbers. |
Comment on lines 2589 to 2594
| #endif // TSFFS_H | ||
| #elif defined(__PPC__) || defined(__ppc__) || defined(__powerpc__) || defined(_ARCH_PPC) | ||
| #include "tsffs-gcc-ppe42.h" | ||
| #else | ||
| #error "Unsupported platform!" | ||
| #endif |
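Review bot: The `#elif defined(__PPC__) || defined(__ppc__) || ...` branch comes after `#endif // TSFFS_H`. If that `#endif` closes the include guard, as its comment says, the `#elif` has no open `#if` to attach to and the header will not preprocess; at best the PowerPC branch sits outside the architecture selection chain it is meant to extend. Move the `#elif` and its `#include "tsffs-gcc-ppe42.h"` into the existing chain, ahead of that chain's `#else` / `#error "Unsupported platform!"`, and keep `#endif // TSFFS_H` as the last directive in the file.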
Comment on lines +37 to +41
| __asm__ __volatile__("rlwimi %0,%0,0,%1,%2" \ | ||
| : \ | ||
| : "i" (((n) >> 8) & 0x1f), \ | ||
| "i" (((n) >> 4) & 0xf), \ | ||
| "i" ((((n) >> 0) & 0xf) | 16) \ |
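Review bot: The three `"i"` operands keep only 13 bits of `n` (`& 0x1f` for bits 8-12, `& 0xf` for bits 4-7, `& 0xf` for bits 0-3), so a magic number of 8192 or more is silently truncated into a different, valid-looking magic number. Add a compile-time check beside the macro that rejects `(n) >= 8192`, and document the field layout in a comment, including why `| 16` is forced into the last field, so the decoder on the simulator side can be reviewed against it.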
Comment on lines +52 to +59
| #define __ppe42_magic_extended1(n, arg0) \ | ||
| __asm__ __volatile__("mr 10, %0; rlwimi %1,%1,0,%2,%3" \ | ||
| : \ | ||
| : "r"(arg0), \ | ||
| "i" (((n) >> 8) & 0x1f), \ | ||
| "i" (((n) >> 4) & 0xf), \ | ||
| "i" ((((n) >> 0) & 0xf) | 16) \ | ||
| : "r10") |
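Review bot: The clobber list on `__ppe42_magic_extended1` names only `"r10"`. If the simulator reads or writes target memory when this magic instruction fires, as the buffer-pointer start operations imply, the compiler is still free to keep buffer contents in registers or move loads and stores across the asm; add `"memory"` to the clobbers. Separately, `arg0` is moved into r10 here while the PR description assigns r10 to the index selector and r3-r5 to arguments, so rename the parameter or add a comment that states the register contract.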
Comment on lines +122 to +135
| /// Magic number base for TSFFS on SBE (in SBE range 8000-8190) | ||
| #define TSFFS_MAGIC_BASE (8010) | ||
|
|
||
| /// The default index number used for magic instructions | ||
| #define DEFAULT_INDEX (0x0000U) | ||
|
|
||
| /// Magic numbers for TSFFS operations (offset from base) | ||
| #define N_START_BUFFER_PTR_SIZE_PTR (TSFFS_MAGIC_BASE + 1) // 8011 | ||
| #define N_START_BUFFER_PTR_SIZE_VAL (TSFFS_MAGIC_BASE + 2) // 8012 | ||
| #define N_START_BUFFER_PTR_SIZE_PTR_VAL (TSFFS_MAGIC_BASE + 3) // 8013 | ||
| #define N_STOP_NORMAL (TSFFS_MAGIC_BASE + 4) // 8014 | ||
| #define N_STOP_ASSERT (TSFFS_MAGIC_BASE + 5) // 8015 | ||
| #define N_COVERAGE (TSFFS_MAGIC_BASE + 6) // 8016 | ||
|
|
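Review bot: The reserved range in the doc comment on `TSFFS_MAGIC_BASE` ("SBE range 8000-8190") is not enforced anywhere, and the trailing `// 8011` to `// 8016` comments will go stale the first time the base changes. Add a compile-time check that the highest value in use (`N_COVERAGE`) stays at or below 8190, drop the hard-coded numbers from the comments, and note in the doc comment where the matching values live on the simulator side so the two cannot drift apart unnoticed.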
Comment on lines 712 to 716
| fn get_magic_start_buffer_ptr_size_ptr_val(&mut self) -> Result<StartInfo> { | ||
| match self { | ||
| Architecture::X86_64(x86_64) => x86_64.get_magic_start_buffer_ptr_size_ptr(), | ||
| Architecture::I386(i386) => i386.get_magic_start_buffer_ptr_size_ptr(), | ||
| Architecture::Riscv(riscv) => riscv.get_magic_start_buffer_ptr_size_ptr(), |
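Review bot: `get_magic_start_buffer_ptr_size_ptr_val` dispatches to `get_magic_start_buffer_ptr_size_ptr()` (no `_val`) in the `X86_64`, `I386` and `Riscv` arms shown here, which looks like a copy-paste slip in the dispatcher. If the delegation is intentional, say so in a comment; otherwise call the `_ptr_val` method in each arm, and make sure the new PPE42 arm does not copy the same mismatch.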
Comment on lines +214 to +221
| // For architectures that use physical addresses directly (like embedded processors), | ||
| // skip the logical-to-physical translation | ||
| let (buffer_physical_address, buffer_is_virtual) = if Self::USE_PHYSICAL_ADDRESSES { | ||
| (buffer_logical_address, false) | ||
| } else { | ||
| let buffer_physical_address_block = self | ||
| .processor_info_v2() | ||
| .logical_to_physical(buffer_logical_address, Access::Sim_Access_Read)?; |
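Review bot: In the `Self::USE_PHYSICAL_ADDRESSES` branch, `(buffer_logical_address, false)` accepts the address supplied by the target as physical with no check, whereas the `else` branch can fail early through `logical_to_physical(...)?`. A bad pointer from the harness is then only discovered when the buffer is later read or written. Validate the address in this branch and return an error, or document on `USE_PHYSICAL_ADDRESSES` that the caller is responsible for it. The name `buffer_logical_address` is also misleading on this path; a short comment or a rebinding would help.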
Comment on lines +420 to +423
| let buffer_physical_address = if Self::USE_PHYSICAL_ADDRESSES { | ||
| // For embedded processors, treat all addresses as physical | ||
| info.address.address() | ||
| } else if matches!(info.address, ManualStartAddress::Virtual(_)) { |
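Review bot: With `Self::USE_PHYSICAL_ADDRESSES` set, the first branch returns `info.address.address()` before the `matches!(info.address, ManualStartAddress::Virtual(_))` test is reached, so a manual start given a virtual address is silently treated as physical. Return an error, or at least log a warning, when `ManualStartAddress::Virtual(_)` is supplied for an architecture that sets this constant.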
Comment on lines +110 to +116
| fn cpu_instruction_query(&mut self) -> &mut CpuInstructionQueryInterface { | ||
| self.cpu_instruction_query.as_mut().expect("CpuInstructionQueryInterface not available on this PPE42 CPU") | ||
| } | ||
|
|
||
| fn cpu_instrumentation_subscribe(&mut self) -> &mut CpuInstrumentationSubscribeInterface { | ||
| self.cpu_instrumentation_subscribe.as_mut().expect("CpuInstrumentationSubscribeInterface not available on this PPE42 CPU") | ||
| } |
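Review bot: Both accessors call `.expect(...)` on interfaces that the PR description says may be missing on some PPE42 Simics models, so any caller that reaches `cpu_instruction_query()` or `cpu_instrumentation_subscribe()` on such a model panics inside the simulator process. Check availability once, where the architecture object is built or where the feature that needs the interface is enabled, and return an error from there; if the trait signature can change, return a `Result` from these accessors instead of panicking.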