From adb0eac98aacb8b26d0f935e3f10974482d626a8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@ledger.fr>
Date: Wed, 7 May 2025 15:40:24 +0200
Subject: [PATCH] Add support for big endian eBPF programs

---
 Ghidra/Processors/eBPF/certification.manifest |  1 +
 .../Processors/eBPF/data/languages/eBPF.ldefs | 14 ++++++++++++-
 .../eBPF/data/languages/eBPF.opinion          |  1 +
 .../Processors/eBPF/data/languages/eBPF.sinc  | 20 ++++++++++++++++++-
 .../eBPF/data/languages/eBPF_be.slaspec       |  3 +++
 5 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 Ghidra/Processors/eBPF/data/languages/eBPF_be.slaspec

diff --git a/Ghidra/Processors/eBPF/certification.manifest b/Ghidra/Processors/eBPF/certification.manifest
index b27d4f3656..a8e4796ceb 100644
--- a/Ghidra/Processors/eBPF/certification.manifest
+++ b/Ghidra/Processors/eBPF/certification.manifest
@@ -7,4 +7,5 @@ data/languages/eBPF.ldefs||GHIDRA||||END|
 data/languages/eBPF.opinion||GHIDRA||||END|
 data/languages/eBPF.pspec||GHIDRA||||END|
 data/languages/eBPF.sinc||GHIDRA||||END|
+data/languages/eBPF_be.slaspec||GHIDRA||||END|
 data/languages/eBPF_le.slaspec||GHIDRA||||END|
diff --git a/Ghidra/Processors/eBPF/data/languages/eBPF.ldefs b/Ghidra/Processors/eBPF/data/languages/eBPF.ldefs
index c2924c996d..ce03dfcc6f 100644
--- a/Ghidra/Processors/eBPF/data/languages/eBPF.ldefs
+++ b/Ghidra/Processors/eBPF/data/languages/eBPF.ldefs
@@ -1,5 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <language_definitions>
+   <language processor="eBPF"
+            endian="big"
+            size="64"
+            variant="default"
+            version="1.0"
+            slafile="eBPF_be.sla"
+            processorspec="eBPF.pspec"
+            id="eBPF:BE:64:default">
+    <description>eBPF processor 64-bit big-endian</description>
+    <compiler name="default" spec="eBPF.cspec" id="default"/>
+    <external_name tool="DWARF.register.mapping.file" name="eBPF.dwarf"/>
+  </language>
    <language processor="eBPF"
             endian="little"
             size="64"
@@ -10,6 +22,6 @@
             id="eBPF:LE:64:default">
     <description>eBPF processor 64-bit little-endian</description>
     <compiler name="default" spec="eBPF.cspec" id="default"/>
-	<external_name tool="DWARF.register.mapping.file" name="eBPF.dwarf"/>
+    <external_name tool="DWARF.register.mapping.file" name="eBPF.dwarf"/>
   </language>
 </language_definitions>
diff --git a/Ghidra/Processors/eBPF/data/languages/eBPF.opinion b/Ghidra/Processors/eBPF/data/languages/eBPF.opinion
index 282c4cc66c..7685e94773 100644
--- a/Ghidra/Processors/eBPF/data/languages/eBPF.opinion
+++ b/Ghidra/Processors/eBPF/data/languages/eBPF.opinion
@@ -1,5 +1,6 @@
 <opinions>
     <constraint loader="Executable and Linking Format (ELF)" compilerSpecID="default">
+        <constraint primary="247" processor="eBPF" endian="big" size="64" />
         <constraint primary="247" processor="eBPF" endian="little" size="64" />
     </constraint>  
 </opinions>
diff --git a/Ghidra/Processors/eBPF/data/languages/eBPF.sinc b/Ghidra/Processors/eBPF/data/languages/eBPF.sinc
index 16384685a4..d57828d407 100644
--- a/Ghidra/Processors/eBPF/data/languages/eBPF.sinc
+++ b/Ghidra/Processors/eBPF/data/languages/eBPF.sinc
@@ -15,6 +15,7 @@ define space syscall type=ram_space size=4;
 define register offset=0 size=8 [ R0  R1  R2  R3  R4  R5  R6  R7  R8  R9  R10  PC ];
 
 # Instruction encoding: Insop:8, dst_reg:4, src_reg:4, off:16, imm:32 - from lsb to msb
+@if ENDIAN == "little"
 define token instr(64)
     imm=(32, 63) signed
     off=(16, 31) signed
@@ -29,8 +30,25 @@ define token instr(64)
 
 #We'll need this token to operate with LDDW instruction, which has 64 bit imm value
 define token immtoken(64)
-    imm2=(32, 63)		
+    imm2=(32, 63)
 ;
+@else # ENDIAN == "big"
+define token instr(64)
+    imm=(0, 31) signed
+    off=(32, 47) signed
+    src=(48, 51)
+    dst=(52, 55)
+    op_insn_class=(56, 58)
+    op_ld_st_size=(59, 60)
+    op_ld_st_mode=(61, 63)
+    op_alu_jmp_source=(59, 59)
+    op_alu_jmp_opcode=(60, 63)
+;
+
+define token immtoken(64)
+    imm2=(0, 31)
+;
+@endif # ENDIAN = "big"
 
 #To operate with registers
 attach variables [ src dst ] [  R0  R1  R2  R3  R4  R5  R6  R7  R8  R9  R10  _  _  _  _  _  ];
diff --git a/Ghidra/Processors/eBPF/data/languages/eBPF_be.slaspec b/Ghidra/Processors/eBPF/data/languages/eBPF_be.slaspec
new file mode 100644
index 0000000000..0773d2431b
--- /dev/null
+++ b/Ghidra/Processors/eBPF/data/languages/eBPF_be.slaspec
@@ -0,0 +1,3 @@
+@define ENDIAN "big"
+
+@include "eBPF.sinc"