This target was used in the regression test setup before this repo
switched to `run_tests` and has been unused for some time.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The current formulation allows an interface of an instance to be
mentioned multiple times in the from side of the same connection.
Signed-off-by: Ben Fiedler <git@bfiedler.ch>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare it own set of directories that
may not overlap with other session's directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Each CAmkES assembly gets an extra field `policy_extra` to specify
extra policy edges. These are added to the default policy graph from
`policy_of`.
This feature is intended to support endpoint merging in the
`global-endpoint` CAmkES template, which could add communication
edges that were not present in the ADL.
The new field `group_labels` specifies a mapping from ADL component
names to integrity policy labels. This will be used to support the
`group` keyword in CAmkES that allows components to share an address
space. See Jira VER-1109.
The CAmkES toolchain allows some interfaces to be declared optional.
We add such a flag to the ADL datatype and remove the requirement for
such interfaces to be connected.
This allows connectors to also grant access rights between the
from-ends themselves (and similarly the to-ends).
It was previously thought that production CAmkES systems would not
need these rights. However, some connectors (e.g. VirtQueue) don't
follow the standard ADL semantics and we need these rights to
express their behaviour. Limitations of the Access model also cause
`policy_wellformed` systems to have more rights than necessary; see
Jira VER-1108.
This theory was a project to specify the behaviour of the CAmkES
toolchain as an Isabelle function. However, this copy of the theory
is incomplete, the toolchain has moved on, and the ADL model is also
undergoing changes, so there is no longer much value in maintaining
this file.
The VirtQueueDev connector in global-components currently uses empty
procedures as a hack, and allowing empty procedures seems to be
harmless to the rest of the ADL semantics.
The classic ADL formal model has a fixed palette of connectors, with
the interface type and seL4 integrity model also being fixed for each
connector type. This is unable to model new CAmkES connectors.
We change the ADL model to allow more combinations of connector
semantics, including arbitrary sets of Access rights between the
policy labels that a connector touches.
See Jira VER-1110 for more context.
Instead of hardcoding basic C types, this passes most of them along as
uninterpreted strings. This allows typedefs such as time_t or ssize_t
to be used, without requiring the formal model to recognise them.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.