add NLnet project code

since it seems as though we don't control who has mod privileges on irc,
probably because we all have matrix accounts and matrix can't automatically authenticate with oftc yet.

Cesar privately gave his permission in the meeting today.

.forgejo/workflows/deploy.yml

@@ -10,7 +10,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Install dependencies

src/README.md

@@ -7,7 +7,7 @@ More content is coming soon!
 * Sign up for Announcements by joining us on [our Forum](https://forum.libre-chip.org/)
 * Join our discussions on [our Forum][forum-general] and enable notifications for [General][forum-general] (click the bell icon).
 * Join us on [our Git instance](https://git.libre-chip.org/)
-* Chat with us at [#libre-chip:matrix.org](https://matrix.to/#/#libre-chip:matrix.org) or at #libre-chip on [OFTC IRC](https://www.oftc.net/)
+* Chat with us on [Zulip](https://libre-chip.zulipchat.com/#narrow/channel/486103-general)
 * If you're interested in supporting us, sign up for announcements and we'll announce when we're ready!
 
 * We have a [Code of Conduct](Conduct.md)

src/SUMMARY.md

@@ -1,6 +1,9 @@
 * [Libre-Chip](README.md)
     * [Proposal for Libre-Chip's First CPU Architecture](first_arch/index.md)
         * [Register Renaming](first_arch/register_renaming.md)
+    * [Grants](grants/index.md)
+        * [First NLNet Grant Proposal -- 2024-12-324](grants/nlnet-first.md)
+        * [NLNet Grant Proposal: Programmable Decoder -- 2025-12-681](grants/cpu_with_programmable_decoder.md)
 * [Conduct](Conduct.md)
 * [License](LICENSE.md)
     * [GPL 3.0](gpl-3.0.md)

src/first_arch/index.md

@@ -4,13 +4,15 @@
 
 The CPU architecture will be developed in several stages:
 
-1. Getting an initial working CPU -- First NLNet/etc. Grant
+1. [First NLNet Grant Proposal -- First CPU Architecture And Formal Proof of No Spectre bugs -- 2024-12-324](../grants/nlnet-first.md)
+    1. Getting an initial working CPU
+    2. Formal proof that the CPU doesn't have any spectre-style bugs even though it still is OoO superscalar with speculative execution. Jacob Lifshay came up with this idea [back in 2020](https://web.archive.org/web/20201021124234/https://bugs.libre-soc.org/show_bug.cgi?id=209)
 
 Possible follow-on work, order TBD:
 
 * Expand CPU to support more operations (e.g. floating-point, vector ops., paging)
 * Add FPGA-style programmable decoder and μOp Cache, with trap-to-software fallback for uncommon/complex ops, which allows running more ISAs such as RISC-V, older x86-32/64, more PowerISA support, and then if we can figure out the legal situation, ARM and modern x86-64. The idea is QEMU (or similar) will be compiled with a special compiler that generates both the fallback software and the bitstream for the decoder, the compiled output will be covered by QEMU's license which has some patent clauses, which hopefully helps with the legal situation. Jacob Lifshay came up with this idea [back in 2022](https://web.archive.org/web/20220612082603/https://bugs.libre-soc.org/show_bug.cgi?id=841)
-* Formal proof that the CPU doesn't have any spectre-style bugs even though it still is OoO superscalar with speculative execution. Jacob Lifshay came up with this idea [back in 2020](https://web.archive.org/web/20201021124234/https://bugs.libre-soc.org/show_bug.cgi?id=209)
+* [Idea for much wider fetch/decode/rename width based on parallel-prefix-sum and taking more than 1 cycle per batch of renamed instructions](https://forum.libre-chip.org/t/idea-for-maybe-allowing-much-wider-fetch-rename-etc-widths-in-a-cpu/33)
 
 ## Register Renaming & Internal Registers
 

src/grants/cpu_with_programmable_decoder.md

@@ -0,0 +1,71 @@
+# NLNet Grant Proposal -- Libre-Chip's CPU with a Programmable Decoder to Run Multiple ISAs at Full Speed -- 2025-12-681
+
+Project Name: Libre-Chip's CPU with a Programmable Decoder to Run Multiple ISAs at Full Speed
+
+Website/Wiki: <https://libre-chip.org/>
+
+# Abstract
+
+Modern computers are built on several different mutually-incompatible popular ISAs such as x86_64, PowerISA, AArch64, and RISC-V. Many of the most popular ISAs have no high-speed libre/open-source implementations, which makes them much harder to trust since you can't inspect their source-code to look for bugs or secret backdoors. Additionally, there are basically no existing modern CPUs which can run more than one of those ISAs without requiring software emulation, which is slow and can often be buggy.
+
+To solve those issues, we are building a libre-licensed CPU with speculative out-of-order superscalar execution that will support a programmable decoder (loosely inspired by FPGAs) followed by a µOp cache so the CPU can be programmed to decode and run at full speed just about any ISA you select, by handling the most common instructions entirely in hardware, with software fallback for decoding some of the less common instructions which can still easily be executed in hardware (storing the decoded instructions in the µOp cache), and full software emulation for the remaining instructions.
+
+## Relevant Previous Involvement
+
+* Jacob Lifshay -- Currently working on <https://nlnet.nl/project/Libre-Chip-proof/>. Worked on designing PowerISA CPUs with Libre-SOC for 5yr, built a simple OoO Superscalar CPU simulator <https://salsa.debian.org/Kazan-team/power-cpu-sim>, built a RV32I CPU with VGA output in a few weeks that runs a 2.5D maze game <https://github.com/programmerjake/rv32>. Also is the main author of the [Fayalite](https://git.libre-chip.org/libre-chip/fayalite) HDL library. Has some experience writing compilers, e.g. Fayalite's simulator is implemented as a simple compiler to an internal p-code, also wrote a compiler from a language based on QuickBASIC to x86 (it successfully compiled a program he also wrote that animates a 3D diagram of a molecule), also wrote a JavaScript interpreter that properly handles running generators and is a compiler to internal p-code and has some optimization passes for specialization based on deduced types. Has experience writing and using LLVM IR, as well as being a contributor to LLVM and Rust.
+
+* Cesar Strauss - Currently working on <https://nlnet.nl/project/Libre-Chip-proof/>. Contributed to the Libre-SOC project, mostly on digital
+design and formal verification. Presented the talk "An introduction to
+Formal Verification of Digital Circuits" on FOSDEM 2024
+(<https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2215-an-introduction-to-formal-verification-of-digital-circuits/>).
+
+* Tobias Platen -  Currently working on <https://nlnet.nl/project/Libre-Chip-proof/>. Contributed to the Libre-SOC project, mostly on
+ECP5 FPGA prototypes and DDR SDRAM memory interfaces. Presented the talk "Using the ECP5
+for Libre-SOC prototyping" on FOSDEM 2024 (<https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2060-using-the-ecp5-for-libre-soc-prototyping/>).
+
+# Requested support
+
+Requested Amount €105000
+
+## Cost Explanation
+
+Libre-Chip is currently funded by NLnet for <https://nlnet.nl/project/Libre-Chip-proof/>, which we expect to be mostly completed by the time we can start working on this grant.
+
+We are requesting more than €50000 based on Jacob Lifshay having previously completed a grant as part of Libre-SoC. If that is not allowed, we can adjust our budget down by removing some tasks, and possibly by not implementing as much of the custom compiler, leaving some of it as future work.
+
+We're aiming for a FTE rate of $69305.60/yr per person which is rate used in our grant application for <https://nlnet.nl/project/Libre-Chip-proof/>
+
+Estimated Budget:
+
+* € 40000 Adding missing features to our CPU, such as memory paging, floating-point instructions, a better cache hierarchy, and better compatibility with the PowerISA specification.
+* € 20000 Add the programmable decoder and µOp cache to our CPU design.
+* € 20000 Build a compiler that can extract the decoder portion of QEMU using pattern matching and some symbolic execution of LLVM IR, converting to a HDL IR more suitable for hardware.
+* € 15000 Write code to convert the HDL IR to a bitstream we can program into the decoder.
+* € 10000 Get the fallback software decoder and the software instruction emulator to work, as well as misc. other parts of the compiler needed to make the whole system work together.
+
+## Compare with existing/historical efforts
+
+The [Transmeta Crusoe](https://en.wikipedia.org/wiki/Transmeta_Crusoe) is somewhat similar in that it implemented x86 by translating to an internal VLIW instruction set by using software JIT compilation, however our grant proposal differs in that we have hardware to handle the most common instructions instead of relying on software for everything, also we aim for compatibility with much more than just x86, unlike the Transmeta Crusoe.
+
+## Technical challenges we expect to solve during the project
+
+We expect to solve 3 technical challenges:
+
+* To design and write a working programmable decoder and µOp cache such that our CPU can run arbitrary ISAs. For now we're planning on it being able to support older x86_64 (where the patents have expired), PowerISA, and RISC-V, though we don't necessarily expect to have complete support for all of those within the scope of this grant.
+* To build a custom compiler that can successfully extract a decoder for the most common instructions of the user's selected ISA, as well as generate a bitstream to program our decoder.
+* To continue work on getting our CPU to be more complete and able to run more complex software.
+
+A WIP high-level design of our CPU: <https://libre-chip.org/first_arch/index.html>
+
+Text that was intended to be part of the Abstract, but didn't fit within the 1200 character length constraint:
+Additionally you can easily switch between selected ISAs by reprogramming the decoder, allowing you to e.g. run an x86_64 program alongside a RISC-V program in the same OS and quickly context-switch between them.
+
+We are planning on building a custom compiler so the user can select an ISA and that compiler can compile the source code of QEMU to automatically generate the required bitstream for the FPGA, as well as generating the software required for decoding and/or emulating the remaining parts of the chosen ISA.
+
+Our CPU is a continuation of the CPU from <https://nlnet.nl/project/Libre-Chip-proof/>, which we will also be extending to support more features such as memory paging, floating-point instructions, and better compatibility with the PowerISA specification.
+
+## Ecosystem
+
+We are likely to work with QEMU upstream, as well as LLVM and Clang. We are already working with the FIRRTL specification GitHub repo to resolve problems we encounter, as well as with LLVM Circt, and with the Rust Language.
+
+This project benefits Europeans (as well as everyone else) by providing a libre/open-source CPU with good performance that supports many of the most-popular ISAs all on the same CPU.

src/grants/index.md

@@ -0,0 +1 @@
+# Grants

src/grants/nlnet-first.md

@@ -0,0 +1,109 @@
+# First NLNet Grant Proposal -- First CPU Architecture And Formal Proof of No Spectre bugs -- 2024-12-324
+
+(Edit: [approved by NLnet](https://nlnet.nl/project/Libre-Chip-proof/))
+
+Project Name: Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs
+
+Website/Wiki: <https://libre-chip.org/>
+
+# Abstract
+
+Modern CPUs suffer from a [constant stream of new speculative-execution security flaws](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability#Timeline) ([Spectre](https://meltdownattack.com/)-style bugs). Because of that, software has to constantly add more convoluted and slow mitigations to properly enforce security boundaries, such as a WebAssembly VM needing to add code to prevent leaking data from outside the VM to whatever programs are running inside the VM, or a web browser needing to stop JavaScript code from seeing memory that it should not have access to.
+
+To address this major category of CPU flaws, Jacob Lifshay formulated a way to formally prove that a CPU with speculative execution doesn't suffer from any speculative-execution data leaks -- this should work for nearly any kind of CPU design.
+
+We are working towards building a high-performance superscalar CPU with speculative execution and working on proving that it doesn't suffer from any speculative-execution data leaks, thereby demonstrating that this major category of CPU flaws can be fixed once and for all without crippling CPU performance.
+
+## Relevant Previous Involvement
+
+* Jacob Lifshay -- Worked on designing PowerISA CPUs with Libre-SOC for 5yr, built a simple OoO Superscalar CPU simulator <https://salsa.debian.org/Kazan-team/power-cpu-sim>, built a RV32I CPU with VGA output in a few weeks that runs a 2.5D maze game <https://github.com/programmerjake/rv32>. Also is the main author of the [Fayalite](https://git.libre-chip.org/libre-chip/fayalite) HDL library
+
+* Cesar Strauss - Contributed to the Libre-SOC project, mostly on digital
+design and formal verification. Presented the talk "An introduction to
+Formal Verification of Digital Circuits" on FOSDEM 2024
+(<https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2215-an-introduction-to-formal-verification-of-digital-circuits/>).
+
+# Requested support
+
+Requested Amount &euro;50000
+
+## Cost Explanation
+
+Nearly all of the cost is for labor, with some amount set aside for general project management (e.g. tracking funding, server maintenance, etc.), and for hardware costs such as buying bigger FPGAs so the CPU design will fit.
+
+We're aiming for a rate of somewhere around $69305.60/yr per person which is the minimum salary for small employers for 2025 in Washington State USA (where Jacob Lifshay lives at the time). <https://www.lni.wa.gov/forms-publications/f700-207-000.pdf>
+
+Estimated Budget:
+
+### General Project Management
+
+&euro;2000
+
+For tracking funding, server maintenance, and similar.
+
+### Hardware Costs
+
+&euro;3000
+
+For buying bigger FPGAs, CI server hardware improvements, Oscilloscopes (if necessary), and similar.
+
+### Improvements to Fayalite
+
+&euro;10000
+
+For adding the code for translation to Coq, adding tooling for generating FPGA bitstreams, as well as other improvements to Fayalite as necessary.
+
+### Building enough of the CPU to execute multiple instructions
+
+&euro;10000
+
+This covers getting register renaming and ALU and/or branch instructions working, as well as other portions of the CPU design as necessary. This may or may not include actually fetching those instructions from memory, instead the instructions may be supplied by a testing harness.
+
+### Implementing Memory Subsystem
+
+&euro;15000
+
+This covers the rest needed for the CPU to be able to fetch instructions from memory and execute them as well as implementing Load/Store instructions.
+
+### Work towards the Formal Proof of No Spectre bugs
+
+&euro;10000
+
+This covers working on the Formal Proof of No Spectre bugs as well as improvements to other software/hardware needed for that.
+
+## Compare with existing/historical efforts
+
+### UPEC, as described in "An Exhaustive Approach to Detecting Transient Execution Side Channels in RTL Designs of Processors"
+
+<https://arxiv.org/pdf/2108.01979>
+
+According to <https://arxiv.org/pdf/2407.12232>, UPEC is limited in that it only works on a specific conservative mechanism (preventing speculative load instructions from executing until all prior branches are resolved). by contrast our formal proof method should work even if the CPU runs speculative loads before resolving branches, with much less stringent conditions on those loads.
+
+### "RTL Verification for Secure Speculation Using Contract Shadow Logic"
+
+<https://arxiv.org/pdf/2407.12232>
+
+Contract Shadow Logic works by assuming that memory is partitioned into secret and non-secret regions, by contrast our formal proof method is based on verifying that no data processed by transient instructions (instructions that were speculatively executed and then canceled) can affect any digital signals that leave the processor.
+
+## Technical challenges we expect to solve during the project
+
+We expect to solve 2 technical challenges:
+
+* To create a working OoO Superscalar CPU with Speculative Execution, trying to design it such that it doesn't have any Spectre-style vulnerabilities (mostly by doing a better job of tracking any state whatsoever that has speculative modifications). The CPU probably will not yet support some of the features required for high performance (e.g. a complex cache hierarchy) and/or supporting running an operating system and/or floating-point. The plan is to add those features later if they are not completed as part of this grant.
+* To make substantial progress on creating a formal proof that the CPU doesn't have any Spectre-style vulnerabilities. This is complex enough and has enough potential problems we may run into that we may not finish by the end of this grant, and may need additional grants afterward to finish, hence why the goal is making substantial progress instead of having the proof 100% complete and working.
+
+To address this general category of CPU flaws, Jacob Lifshay formulated a way to formally prove that a CPU with speculative execution doesn't suffer from any speculative-execution data leaks:
+
+1. Assume that to leak data, you must be able to observe some change in the digital signals going from/to the CPU core that depends on the results (defined to include any side-effects that change any state, such as cache state changes or branch predictor changes) of some transient instructions (instructions that were speculatively executed and then canceled).
+2. Take the concrete cycle-accurate CPU design, and construct a theoretical equivalent that has the additional feature of looking into the future to determine which instructions will be canceled and preemptively forces their results to be zeros (or any other value that doesn't depend on transient instructions' data; since we're doing math here, we don't have to limit ourselves to physically possible designs that respect time flow). The reasoning is that if all transient instructions' results are always zeros, they can't possibly be leaking any useful data, therefore the theoretical equivalent CPU design doesn't have any speculative-execution data leaks.
+3. Formally prove that all digital signals from/to the concrete CPU core always exactly match the timing and data in all respects of the theoretical equivalent CPU design. This proves that the concrete CPU core can't have any speculative-execution data leaks.
+
+It is expected that automated formal proof software (like SMT solvers such as Z3) will probably be too slow to be usable for the formal correctness proof, therefore the plan is to use Fayalite to generate a translation of the CPU design to Coq or some other similar language for writing formal proofs. [Fayalite](https://git.libre-chip.org/libre-chip/fayalite) is a HDL library written in Rust that we have been developing since around April 2024 that targets the [FIRRTL](https://github.com/chipsalliance/firrtl-spec) intermediate language (used by the [Chisel](https://www.chisel-lang.org/) ecosystem for generating Verilog; firtool, the FIRRTL to Verilog translator, is part of [LLVM Circt](https://circt.llvm.org/), so is well maintained).
+
+A WIP high-level design of our CPU: <https://libre-chip.org/first_arch/index.html>
+
+## Ecosystem
+
+We plan on working with the OpenPower Foundation for any custom ISA extensions we may need. We are already working with the FIRRTL specification GitHub repo to resolve problems we encounter, as well as with LLVM Circt, and with the Rust Language.
+
+This project benefits Europeans (as well as everyone else) by providing a CPU with good performance that doesn't suffer from Spectre-style flaws, as well as working on providing a method of formally proving if any particular CPU design doesn't suffer from Spectre-style flaws, hopefully encouraging CPU designers everywhere to formally prove their CPU designs to not have Spectre-style flaws instead of the reactionary fixes that they have been using that only covers known Spectre-style flaws and has a constant stream of failures.