Dear Jacob Lifshay,

A proposal for a grant application was sent to NLnet Foundation
(https://nlnet.nl) using this email address. Your project has received
code 2024-12-324. The text of the proposal is shown below for your
records. If you want to make changes to this proposal before the
deadline, feel free to resubmit. We will send you a follow-up email
after the deadline has passed to provide more information regarding
the review process.

Important: if this request did NOT originate from you (and you are
unaware of others that could have made this application on your
behalf), do NOT CLICK on any links in this message nor open
attachments. Please notify us if this is the case, otherwise you can
expect at least two other emails from us. If that is not a problem,
feel free to discard immediately.

Best regards,
the NLnet team

Code : 2024-12-324
Requestor : Jacob Lifshay
Email : programmerjake@gmail.com
Phone : 12089070040
Organization: Libre-Chip
Country : USA
Consent : You may keep my data on record
Call : Commons_Fund
Project : Libre-Chip's First CPU Architecture And Formal Proof of
No Spectre bugs
Website : https://libre-chip.org/
Abstract : Modern CPUs suffer from a constant stream of new
speculative-execution security
flaws
(Spectre-style bugs). Because of that,
software has to constantly add more convoluted and slow mitigations to
properly enforce security boundaries, such as a WebAssembly VM needing
to add code to prevent leaking data from outside the VM to whatever
programs are running inside the VM, or a web browser needing to stop
JavaScript code from seeing memory that it should not have access to.

To address this major category of CPU flaws, Jacob Lifshay formulated
a way to formally prove that a CPU with speculative execution doesn't
suffer from any speculative-execution data leaks -- this should work
for nearly any kind of CPU design.

We are working towards building a high-performance superscalar CPU
with speculative execution and working on proving that it doesn't
suffer from any speculative-execution data leaks, thereby
demonstrating that this major category of CPU flaws can be fixed once
and for all without crippling CPU performance.

Experience : * Jacob Lifshay -- Worked on designing PowerISA CPUs
with Libre-SOC for 5yr, built a simple OoO Superscalar CPU simulator
https://salsa.debian.org/Kazan-team/power-cpu-sim, built a RV32I CPU
with VGA output in a few weeks that runs a 2.5D maze game
https://github.com/programmerjake/rv32. Also is the main author of
the Fayalite HDL
library

• Cesar Strauss - Contributed to the Libre-SOC project, mostly on digital
  design and formal verification. Presented the talk "An introduction to
  Formal Verification of Digital Circuits" on FOSDEM 2024
  (https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2215-an-introduction-to-formal-verification-of-digital-circuits/).
  Amount : € 50000
  Use : Nearly all of the cost is for labor, with some amount
  set aside for general project management (e.g. tracking funding,
  server maintenance, etc.), and for hardware costs such as buying
  bigger FPGAs so the CPU design will fit.

We're aiming for a rate of somewhere around $69305.60/yr per person
which is the minimum salary for small employers for 2025 in Washington
State USA (where Jacob Lifshay lives at the time).
https://www.lni.wa.gov/forms-publications/f700-207-000.pdf

Estimated Budget:

General Project Management

€2000

For tracking funding, server maintenance, and similar.

Hardware Costs

€3000

For buying bigger FPGAs, CI server hardware improvements,
Oscilloscopes (if necessary), and similar.

Improvements to Fayalite

€10000

For adding the code for translation to Coq, adding tooling for
generating FPGA bitstreams, as well as other improvements to Fayalite
as necessary.

Building enough of the CPU to execute multiple instructions

€10000

This covers getting register renaming and ALU and/or branch
instructions working, as well as other portions of the CPU design as
necessary. This may or may not include actually fetching those
instructions from memory, instead the instructions may be supplied by
a testing harness.

Implementing Memory Subsystem

€15000

This covers the rest needed for the CPU to be able to fetch
instructions from memory and execute them as well as implementing
Load/Store instructions.

Work towards the Formal Proof of No Spectre bugs

€10000

This covers working on the Formal Proof of No Spectre bugs as well as
improvements to other software/hardware needed for that.
Comparison : ### UPEC, as described in "An Exhaustive Approach to
Detecting Transient Execution Side Channels in RTL Designs of
Processors"

https://arxiv.org/pdf/2108.01979

According to https://arxiv.org/pdf/2407.12232, UPEC is limited in
that it only works on a specific conservative mechanism (preventing
speculative load instructions from executing until all prior branches
are resolved). by contrast our formal proof method should work even if
the CPU runs speculative loads before resolving branches, with much
less stringent conditions on those loads.

"RTL Verification for Secure Speculation Using Contract Shadow Logic"

https://arxiv.org/pdf/2407.12232

Contract Shadow Logic works by assuming that memory is partitioned
into secret and non-secret regions, by contrast our formal proof
method is based on verifying that no data processed by transient
instructions (instructions that were speculatively executed and then
canceled) can affect any digital signals that leave the processor.

Challenges : We expect to solve 2 technical challenges:

• To create a working OoO Superscalar CPU with Speculative Execution,
  trying to design it such that it doesn't have any Spectre-style
  vulnerabilities (mostly by doing a better job of tracking any state
  whatsoever that has speculative modifications). The CPU probably will
  not yet support some of the features required for high performance
  (e.g. a complex cache hierarchy) and/or supporting running an
  operating system and/or floating-point. The plan is to add those
  features later if they are not completed as part of this grant.
• To make substantial progress on creating a formal proof that the CPU
  doesn't have any Spectre-style vulnerabilities. This is complex enough
  and has enough potential problems we may run into that we may not
  finish by the end of this grant, and may need additional grants
  afterward to finish, hence why the goal is making substantial progress
  instead of having the proof 100% complete and working.

To address this general category of CPU flaws, Jacob Lifshay
formulated a way to formally prove that a CPU with speculative
execution doesn't suffer from any speculative-execution data leaks:

1. Assume that to leak data, you must be able to observe some change
   in the digital signals going from/to the CPU core that depends on the
   results (defined to include any side-effects that change any state,
   such as cache state changes or branch predictor changes) of some
   transient instructions (instructions that were speculatively executed
   and then canceled).
2. Take the concrete cycle-accurate CPU design, and construct a
   theoretical equivalent that has the additional feature of looking into
   the future to determine which instructions will be canceled and
   preemptively forces their results to be zeros (or any other value that
   doesn't depend on transient instructions' data; since we're doing math
   here, we don't have to limit ourselves to physically possible designs
   that respect time flow). The reasoning is that if all transient
   instructions' results are always zeros, they can't possibly be leaking
   any useful data, therefore the theoretical equivalent CPU design
   doesn't have any speculative-execution data leaks.
3. Formally prove that all digital signals from/to the concrete CPU
   core always exactly match the timing and data in all respects of the
   theoretical equivalent CPU design. This proves that the concrete CPU
   core can't have any speculative-execution data leaks.

It is expected that automated formal proof software (like SMT solvers
such as Z3) will probably be too slow to be usable for the formal
correctness proof, therefore the plan is to use Fayalite to generate a
translation of the CPU design to Coq or some other similar language
for writing formal proofs.
Fayalite is a HDL
library written in Rust that we have been developing since around
April 2024 that targets the
FIRRTL intermediate
language (used by the Chisel ecosystem
for generating Verilog; firtool, the FIRRTL to Verilog translator, is
part of LLVM Circt, so is well maintained).

A WIP high-level design of our CPU:
https://libre-chip.org/first_arch/index.html
Ecosystem : We plan on working with the OpenPower Foundation for any
custom ISA extensions we may need. We are already working with the
FIRRTL specification GitHub repo to resolve problems we encounter, as
well as with LLVM Circt, and with the Rust Language.

This project benefits Europeans (as well as everyone else) by
providing a CPU with good performance that doesn't suffer from
Spectre-style flaws, as well as working on providing a method of
formally proving if any particular CPU design doesn't suffer from
Spectre-style flaws, hopefully encouraging CPU designers everywhere to
formally prove their CPU designs to not have Spectre-style flaws
instead of the reactionary fixes that they have been using that only
covers known Spectre-style flaws and has a constant stream of
failures.

Attachments :

From: Michiel Leenaars michiel@NLnet.nl
Sent: December 2, 2024 2:28:59 AM PST
To: Jacob Lifshay programmerjake@gmail.com
Cc: 2024-12-324@NLnet.nl
Subject: Acknowledgement of your proposal Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs

Dear Jacob,

this mail serves to acknowledge receipt of your grant application "Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs" (2024-12-324). The project will be carefully reviewed for eligibility in two rounds following the criteria set out here:

NLnet; NGI Zero Commons Fund Eligibility information

There has been enormous demand for our programmes, and things take longer than usual. We expect the first round to take about nine weeks, but given natural variation in the amount of projects and their complexity it may take longer or shorter. When the first round of review is done, we will inform you whether or not your project will be selected to enter the second round of the December 2024 call. Meanwhile, keep up the good work - and why not check out some of the wonderful projects already funded by NLnet Foundation:

NLnet; Current projects

Or have a look at how you can help out with reducing the impact of software patents on the FOSS ecosystem:

NLnet; Help to help the internet

Have a good week!

Kind regards,
on behalf of NLnet foundation,

Michiel Leenaars
Strategy Director
+31 20 8884252

From: Michiel Leenaars michiel@NLnet.nl
Sent: February 10, 2025 5:17:51 AM PST
To: Jacob Lifshay programmerjake@gmail.com
Cc: 2024-12-324@NLnet.nl
Subject: Delay in processing your proposal Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs

Dear Jacob,

unfortunately I have to inform you that we are still not ready with the evaluation and selection for the first round of the December 2024 call. There has been enormous demand for our programmes, and things take longer than usual.

This means you will have to wait a bit more to learn about whether or not we are able to support your project "Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs" (2024-12-324). We aim to finish the first round in April. We apologise for the inconvenience this may cause.

Kind regards,
on behalf of NLnet foundation,

Michiel Leenaars
Strategy Director
+31 20 8884252

From: Michiel Leenaars michiel@NLnet.nl
Sent: April 9, 2025 3:31:54 AM PDT
To: Jacob Lifshay programmerjake@gmail.com
Cc: 2024-12-324@nlnet.nl
Subject: Your project Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs has been selected for the second round

Dear Jacob,

it is my pleasure to inform you that your project "Libre-Chip's First CPU Architecture And Formal Proof of No Spectre bugs" (2024-12-324) has been selected to enter the second round of the December 2024 call. While the first round is solely based on your proposal, this strict selection round is potentially interactive. As your project is looked into in more depth, the reviewers may need some additional information to properly assess your application, in which case they will contact you.

Note that proposals are reviewed with regards to urgency, relevance and value for money. Unfortunately we will not be able to fund all projects proposed, as much as we would like that. In the coming weeks we will send you questions, and we will be subsequently thoroughly evaluating your answers and those of the remaining proposals for the second round which due to the very large amount of submission we had may take six weeks or more. During this round we may ask you to supply additional details, such as a breakdown of the main tasks of your project if that wasn't part of your original application. After that we will inform you on the outcome of this second (and final) selection round.

I hope the above is clear. Let us know if you have any questions, and have a good weekend!

Kind regards,
on behalf of NLnet foundation,

Michiel Leenaars
Strategy Director
+31 20 8884252

From: Michiel Leenaars michiel@nlnet.nl
Sent: May 10, 2025 10:21:27 AM PDT
To: programmerjake@gmail.com
Cc: 2024-12-324@nlnet.nl
Subject: Questions Libre-Chips First CPU Architecture And Formal Proof of No Spectre bugs

Dear Jacob,

you applied to the 2024-12 open call from NLnet. Good to hear from you. We obviously have some questions regarding your project proposal Libre-Chips First CPU Architecture And Formal Proof of No Spectre bugs.

Could you provide a slightly more breakdown of the main tasks, and the associated effort?

We plan on working with the OpenPower Foundation for any custom ISA extensions we may need.

Maybe we missed this while reading the proposal, but reading between the lines are we correct in concluding that the core instruction set of is to be based on the OpenPower ISA?

Jacob Lifshay formulated a way to formally prove that a CPU with speculative execution doesn't suffer from any speculative-execution data leaks

Could you provide a bit more detail, so we can understand where this claim comes from? Is this proof method already published or implemented somewhere? How does it compare to methodologies such as [1], next to the two papers mentioned by yourself?

[1] https://dial.uclouvain.be/pr/boreal/object/boreal:264203

hence why the goal is making substantial progress instead of having the proof 100 % complete and working.

That caveat does makes the goals of this effort fairly vague. Could you at least describe the high level approach you will be taking (perhaps this automatically comes with the answer to the previous question)?

(Note BTW that Coq was renamed to Rocq Prover two years ago, the way the name was pronounced made some people take the project less serious than it deserved..)

Assume that to leak data, you must be able to observe some change in the digital signals going from/to the CPU core that depends on the results (defined to include any side-effects that change any state, such as cache state changes or branch predictor changes) of some transient instructions (instructions that were speculatively executed and then canceled).

If this assumption is broken, what guarantees does this proof method still give? What about long-term effects of transient instructions, i.e. not immediately returning a result but instead having another effect such as power consumption or delayed synchronization? There are also other ways to leak data through side-channels, for example through timing or synchronization, voltage drops, or by (in)directly reading out the values of unspecified wires.

Is side-channel resistance something you are taking as a design requirement?

and construct a theoretical equivalent that has the additional feature of looking into the future to determine which instructions will be canceled and preemptively forces their results to be zeros

Is this modeled using prophecy variables (see e.g. [2])? How does this compare to non-interference properties for speculative execution, such as described by Jhala1 and McMillan [3]

[2] https://link.springer.com/content/pdf/10.1007/s10703-021-00377-1.pdf
[3] https://www.mcmil.net/pubs/CAV01.pdf

the minimum salary for small employers for 2025 in Washington State

Note that that isn't the actual minimum salary for small employers as such - that is a threshold for overtime exempt workers - which has a multiplier of 2x over the real minimum salary. This proposal is significantly more than the previous grants in which you and Caesar were involved, but we can agree on a monthly rate of 5111 EUR as proposed. The prior rate was low, and the cost of living obviously has since grown significantly while the exchange rate for the US dollar has plummeted.

[ However, there are some proposed costs that might not be eligible such as the hardware costs ("CI server hardware improvements, oscilloscopes, etc"). You could propose additional R&D work and pay this out of your own pocket. We prefer project management budget to be included in the tasks themselves, as there is no other reporting overhead beyond that. ]

Will there be any collaborators to the project from Europe, which would give a clearer EU dimension to this project?

Is Fayalite as expressive as the dynamically typed system for composing circuits you previously worked with, such as nmigen2 (as well as its reincarnation Amaranth, and alternatives like Py2HWSW [4]? Or are some circuits not (easily) expressible due to the strict(er) typing discipline?

[4] NLnet; Py2HWSW

Is there a strategy to get other people to use Fayalite (and at some time contribute), and build enough critical mass? There are meanwhile quite some nice HDL's in play - next to Chisel which you already mention, there is SpinalHDL [5], Spade [6], Clash [7], etc. Obviously, there is room for different options but there is a high cost of developing and maintaining 'picks and shovels' over and over again - where you actually want to build chips. Could you reflect on these HDL's and explain the reason(s) for developing your own rather than contribute to any of those larger efforts?

[5] NLnet; SpinalHDL, VexRiscv, SaxonSoc
[6] NLnet; Spade
[7] https://clash-lang.org

Thank you very much for your timely reply. Could you get the answers to us by Monday next week?

Kind regards,
on behalf of NLnet foundation,

Michiel Leenaars
Strategy Director
+31 6 27 050 947

Support NLnet, the open internet and open source with just 5 minutes
of your time. Make a difference today.

Visit: NLnet; Help to help the internet (English) - NLnet; Ayúdanos a ayudar a Internet (Espanol)

Do you know people that have ideas to improve the internet? Or maybe you have such an idea yourself? Check out what we can do for you at NLnet; Apply for a grant and apply!

From: Jacob Lifshay programmerjake@gmail.com
Date: Sun, May 11, 2025 at 11:41 PM
Subject: Re: Questions Libre-Chips First CPU Architecture And Formal Proof of No Spectre bugs
To: Michiel Leenaars michiel@nlnet.nl
Cc: 2024-12-324@nlnet.nl

On Sat, May 10, 2025 at 10:21 AM Michiel Leenaars
michiel@nlnet.nl wrote:

Could you provide a slightly more breakdown of the main tasks, and the associated effort?

I'm removing project management and hardware costs from the budget as
suggested, as well as adjusting budget for the work we've completed so
far.

The new budget:

Adding Rocq output in Fayalite

€ 6000
This is for adding the code for translating Fayalite HDL to Rocq, as
well as determining how exactly we'll describe HDL in Rocq. I expect
the translation code to be of comparable size to the compiler portion
of the simulator (the simulator is broken into three main parts, a
compiler to an IR optimized for interpretation, the interpreter
itself, and the code for reading/writing simulator I/O and handling
time simulation), so somewhere around 5000 LoC.

Adding supporting code for generating FPGA bitstreams from Fayalite

€ 4000
This is for adding the tooling to run all the right programs to
generate FPGA bitstreams, as well as adding code to handle connecting
I/O ports to the FPGA pins. I expect this to be on the order of
1000-2000 LoC for the FPGA pins code, as well as a few hundred for
running all the right programs in sequence.

Register Renaming, Execution, and Instruction Retire

€ 10000

This covers getting register renaming working, as well as scheduling,
executing simple ALU and Branch instructions, and properly handling
instruction retire. (Some of that work is already done.)

A lot of this is the work to come up with a detailed low-level plan
for the CPU, so I don't have a good idea of how complex or not this
is, though I expect it to be probably 40% of the CPU's complexity.

Instruction Fetch/Decode

€ 8000

This covers instruction fetch, decoding, and caching. For the decoder,
unless OpenPower has gotten around to releasing the Latex source code,
I'm expecting to use a parser I wrote that parses the instruction
descriptions out of the PowerISA v3.1C PDF and writes out XML.

Load/Store instructions

€ 10000

This covers implementing the load/store hierarchy, including an L1
cache. For now, the CPU will only target on-FPGA memory blocks, as
well as simple I/O devices. (Support for DRAM can be added at a later
point outside of this grant.)

Work towards the Formal Proof of No Spectre bugs

€ 12000

This covers working on the Formal Proof of No Spectre bugs as well as
improvements to other software/hardware needed for that. A major
portion of this is to figure out what exact properties we need to
formally prove for each part of the CPU, so we can put those parts
together to make a working proof for the entire CPU. I'm hoping this
will be enough work to get nearly all of the proof written out, even
if there are some flaws we discover that we'll have to put off fixing
for a later grant.

We plan on working with the OpenPower Foundation for any custom ISA extensions we may need.

Maybe we missed this while reading the proposal, but reading between the lines are we correct in concluding that the core instruction set of is to be based on the OpenPower ISA?

Yes, sort-of. The CPU will have its own internal instruction set
(designed to be more general than just for PowerISA, since, as a later
addition outside of this grant proposal, I'd like it to support
running x86_64, RISC-V, etc. by translating to the internal ISA using
a FPGA-style programmable decoder and a µOp-cache), and there will be
a dedicated HW decoder that translates PowerISA to that internal
instruction set.

More details: Proposal for Libre-Chip's First CPU Architecture

Jacob Lifshay formulated a way to formally prove that a CPU with speculative execution doesn't suffer from any speculative-execution data leaks

Could you provide a bit more detail, so we can understand where this claim comes from?

It's an idea I came up with a few years ago, but didn't pursue at the time.

I have thought through it in enough detail to convince myself it can
work, but haven't tried to actually implement it yet.

Is this proof method already published or implemented somewhere?

No, though I did come up with a high-level plan, which I'll write out
in some more detail here:

Basically, the idea is to track throughout the cpu which instructions
are speculative, and to have a near-identical copy of the cpu that is
a mathematical model where it knows (because it is a mathematical
model, it can look into the future) when instructions first enter the
cpu if those instructions are going to eventually be canceled and it
forces those instructions that will be canceled to have their
speculative results forced to be zero (or some other appropriate value
that obviously can't leak information), then, we write a proof
module-by-module that those are equivalent to the original version of
the cpu without the time travel. at the whole-cpu level, equivalence
is defined to be that, for every clock cycle (past, present, and
future), all externally-visible signals from the cpu must have
identical values between cpu models.

How does it compare to methodologies such as [1], next to the two papers mentioned by yourself?

[1] https://dial.uclouvain.be/pr/boreal/object/boreal:264203

That website is inaccessible for both Cesar and me, I was able to find
the abstract on web.archive.org, but not the actual paper. It seems to
be about masking the analog aspects of digital circuits such as timing
within a clock cycle and glitches, which is something that our proof
doesn't address, since our proof assumes that all output signals have
gone through flip-flops before becoming visible to external
communications, so only timing at the resolution of a clock cycle
matters.

hence why the goal is making substantial progress instead of having the proof 100 % complete and working.

That caveat does makes the goals of this effort fairly vague. Could you at least describe the high level approach you will be taking (perhaps this automatically comes with the answer to the previous question)?

(Note BTW that Coq was renamed to Rocq Prover two years ago, the way the name was pronounced made some people take the project less serious than it deserved..)

Ah, I wasn't aware of that. The rename seems to have only happened in
their latest major release, which happened since I submitted the grant
proposal:

Assume that to leak data, you must be able to observe some change in the digital signals going from/to the CPU core that depends on the results (defined to include any side-effects that change any state, such as cache state changes or branch predictor changes) of some transient instructions (instructions that were speculatively executed and then canceled).

If this assumption is broken, what guarantees does this proof method still give?

Then it doesn't guarantee a whole lot, though I expect that assumption
to hold for basically all intentional (over some defined digital bus)
external communication between a computer and the external world.

This excludes things like the chip's internal signals generating radio
waves, or things like power measurement, since those require a
completely different design process that intentionally takes those
into account at every design level, and since those are not generally
visible through remote communication protocols (e.g. over a network)
and require direct physical access, at which point you generally could
more easily just take out the SSD and put whatever code you wanted on
it.

What about long-term effects of transient instructions, i.e. not immediately returning a result but instead having another effect such as power consumption or delayed synchronization?

Power consumption is out of scope for the proof.
Synchronization is timing here, so that should be covered by the proof.

There are also other ways to leak data through side-channels, for example through timing or synchronization, voltage drops, or by (in)directly reading out the values of unspecified wires.

All timing at the clock-cycle resolution is covered by the proof. If
you're reading the CPU's internal wires (that aren't intended to be
used for communication with the external world), or measuring power
(voltage drop), then the proof doesn't cover that.

Is side-channel resistance something you are taking as a design requirement?

Timing side-channels -- yes, since those are visible over a network.
Power, radio waves, electron microscope images of the chip while it's
running, etc. -- no, since those need physical access.

and construct a theoretical equivalent that has the additional feature of looking into the future to determine which instructions will be canceled and preemptively forces their results to be zeros

Is this modeled using prophecy variables (see e.g. [2])?
[2] https://link.springer.com/content/pdf/10.1007/s10703-021-00377-1.pdf

Not intentionally, I'd have to spend a lot more time researching them
to know for sure, but I think probably not.

How does this compare to non-interference properties for speculative execution, such as described by Jhala1 and McMillan [3]
[3] https://www.mcmil.net/pubs/CAV01.pdf

As far as I can tell our proof is more general in that it proves that
speculative execution that gets cancelled can't change
externally-visible timing or signal values, rather than only proving
that it doesn't give wrong results.

Will there be any collaborators to the project from Europe, which would give a clearer EU dimension to this project?

Not at this moment, there are some others that were interested, but
nothing came of it (probably because I waited too long to apply for
this grant).

Is Fayalite as expressive as the dynamically typed system for composing circuits you previously worked with, such as nmigen2 (as well as its reincarnation Amaranth,

As far as I can tell Fayalite is more expressive in some ways (it
includes hardware-level enums (tagged-unions)) and less in others (it
doesn't automatically thread signals across module-level boundaries if
you refer to a child module's internals from outside it, but I think
that's actually a benefit in most cases for Fayalite since it
encourages better modularization and not violating privacy
boundaries).

and alternatives like Py2HWSW [4]? Or are some circuits not (easily) expressible due to the strict(er) typing discipline?

Fayalite can express everything you can write with standard Verilog
and more (it allows you to use external modules written in Verilog if
you run into something you need that for or just want to use some
external project written in Verilog). I think it has better ease of
use, but that's a matter of opinion.

[4] NLnet; Py2HWSW

I don't think that's suitable for our purposes since it appears to be
a fancy wrapper around a bunch of Verilog snippets, so it comes with
the restrictions Verilog imposes, and seems rather verbose.

Is there a strategy to get other people to use Fayalite (and at some time contribute), and build enough critical mass?

I haven't thought about that all that much, but I think Fayalite fills
a compelling niche of being a language embedded in Rust that doesn't
have all the annoying restrictions of Verilog (which is what the only
other Rust library I'm aware of does last I checked). Plus, if we
develop a working CPU using Fayalite, I think that will help it be
seen as a useful language, similar to Chisel and the first RISC-V
CPUs.

There are meanwhile quite some nice HDL's in play - next to Chisel which you already mention, there is SpinalHDL [5], Spade [6], Clash [7], etc. Obviously, there is room for different options but there is a high cost of developing and maintaining 'picks and shovels'

I'll mention that Fayalite is essentially ready to write the CPU
design in (in fact the CPU is already maybe 10-15% completed).
Fayalite has support for formal proofs using SymbiYosys, a working
simulator (implemented since we submitted the grant proposal), and
working generation of Verilog. The main thing that Fayalite would need
to have added is to generate a Rocq translation of the HDL, which is
needed for the grant's main proof since I expect SymbiYosys-style
automated theorem provers aren't capable enough from my experience
using them before.

over and over again - where you actually want to build chips. Could you reflect on these HDL's and explain the reason(s) for developing your own rather than contribute to any of those larger efforts?

[5] NLnet; SpinalHDL, VexRiscv, SaxonSoc

We decided not to use Chisel or SpinalHDL because:

• We found those to be quite difficult to set up due to being written in Scala
• The wide variety of custom operators make Chisel much harder to understand.
• I am much more fluent in Rust than in Scala or Haskell, saving a lot
  of time when implementing the translator to Rocq.

[6] NLnet; Spade

We decided to not use Spade because it doesn't seem to let you do
arbitrary computation while generating HDL (e.g. you could parse
instruction descriptions from the PowerISA pdf or XML and translate
those to HDL). Also Fayalite lets you use Rust's powerful generics and
traits system (Spade doesn't have those yet, though they're working on
it), as well as all existing Rust code (or other languages such as C
through FFI).

[7] https://clash-lang.org

I think Clash is not suitable for our project because Fayalite is
syntactically much more similar to traditional hardware description
languages and imperative programming languages, which makes it much
easier to understand for most hardware designers and programmers than
Haskell (this is particularly true for Jacob, who has not programmed
in Haskell).

Thank you very much for your timely reply. Could you get the answers to us by Monday next week?

Jacob