The condition `pptrBase < kernelELFBase` is not required on AArch64 in
hyp mode and was left over from the initial RISC-V setup.
Since this check does fail for some platforms (where physBase = 0 and
consequently pptrBase = kernelELFBase) we remove it here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Avoid mixing `isabelle`, `make`, and `run_tests` invocations.
Standardise on `run_tests` and mention `L4V_ARCH` each time to
indicate that you can and should set `L4V_ARCH`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Move physBase into Arch_Kernel_Config_Lemmas, and move basic lemmas
about kernel constants that do not directly unfold physBase into
ArchInvariants_AI.
Because Arch_Kernel_Config_Lemmas does not have all names available
yet, some of the lemmas are folded and shadowed later in
ArchInvariants_AI.
Also refactor translate_address_kernel_elf_window to have two helper
lemmas that can be used in infoflow.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- adjust the example init state such that it does not constrain the
value of physBase and kernelELFBase too much. We assume 4M physical
memory and 4k of kernel ELF memory. We need 4M for the infoflow
example, because it requires a 2M RISCVLargePage plus additional
kernel objects.
- make the PagePTE for kernelELFBase point to kernelELFPAddrBase so
that the mapping stays consistent when physBase changes.
- introduce shorthand constants for the index in the page table that
is responsible for kernelELFBase, and for the number of bits left
to translate from the top-level page table (= size of the pages in
that table).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out pptrTop from the definition in kernelELFBase and define it
as a constant as on other platforms. Shadows the equivalent definition
in Haskell.
Also remove incorrect comment -- the term was not PADDR_TOP, but
PPTR_TOP in C.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove the only unfolding of Kernel_Config.physBase_def in
ArchKernelInit by removing an unused lemma. Move the remaining
unfolding in ArchAInvariants to Kernel_Config_Lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
While having a single Kernel_Config_Lemmas was fine for constraining the
number of domains, it does not work for constraining architecture-specific
configuration options/values.
Add an (empty for now) Arch_Kernel_Config_Lemmas theory to every architecture
that imports the generic Kernel_Config_Lemmas. Change all imports of
Kernel_Config_Lemmas to import Arch_Kernel_Config_Lemmas instead.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Make the C kernel config extraction visible as a separate test session
in run_tests so that run_tests can do concurrency control for it.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
physBase is now a generated definition on all arches except X64, with
the expectation that this value can change (for static multikernel systems).
All definitions that depend on physBase in C must therefore adapt to
depend on the physBase constant instead of its unfolded value.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
* getHSR confirmed unusued
* setHCR confirmed used on C side for hyp
* addressTranslateS1 was merged into C
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
* explain how canonical_bit concept applies to AArch64
* use powers of 2 for kernelELFBase
* pptrBase unlikely to migrate to 0 in near future
* pptrUserTop_def' is not used on AARCH64, and should not be used as we
try to avoid expanding config_ARM_PA_SIZE_BITS_40 whenever possible
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The `export-kernel-builds.py` script expects to be able to run the
build from an arbitrary temporary directory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add mechanism for adding overlay.dts files to the l4v build for all
architectures apart from X64 (which does not use dts files).
For example, place a file `overlays/ARM/overlay.dts` into the tree and
the build will pick it up as custom overlay file with the correct proof
session dependencies.
If no file is provided, an empty default overlay file is used.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Extract the numeric value PHYS_BASE_RAW from the generated header
gen_headers/plat/machine/devices_gen.h and provide it as the constant
physBase in Kernel_Config.thy.
In C this will later match up with the value returned by physBase().
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Allow more settings to be overridden when using the standalone C parser
to generate kernel.sigs in the l4v kernel make files.
This makes it easier to use a pre-built standalone C parser, say, from a
Docker image.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
This can be used by l4v proof runs in GitHub CI to save kernel build outputs
for later use by binary verification.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
seL4/seL4#975 slightly changed how the config headers are generated.
They now need a (short) `ninja` build step and they produce less spaces
in the header file.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We initially wanted to move ucast_ucast_ppn to Kernel_Config_Lemmas.
This doesn't work, because ppn is only defined in Arch_Structs_A, but
it turns out that ppn_len is exactly the term `ipa_size - pageBits`
that the lemma needs, so instead of moving the lemma up, we make its
proof generic by providing the symbolic form of `ppn_len` instead.
This still unfolds Kernel_Config.config_ARM_PA_SIZE_BITS_40, but it
does so only trivially and directly where ppn_len is defined.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Implementations for machine ops returning a value should have a _val
postfix. This commit brings vcpuHardwareRegVal in line.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The flush_type definition is an exact duplicate, so it makes sense
to directly re-use the Haskell definition in ASpec.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Make it possible to refer to the size of the irq type symbolically.
So far, this is only necessary in an example state for kernel init,
but it's still nicer to avoid magic numbers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The non_kernel_IRQs constant collects IRQs that cannot occur in kernel
mode. For non-hyp platforms this is usually empty, for hyp platforms we
add software-generated virtual interrupts.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On ARM_HYP we added a fix for a problem discovered during the proof of
the VCPU invariant that the current VCPU always belongs to the current
thread. This commit ports that fix from ARM_HYP to AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- align init_irq_node_ptr to its size (which is larger than in RISCV)
- remove ArmVSpaceUserRegion, because kernel has its own page table
- define global_pt_obj, add to initial heap
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Sync both values with what the C code does. The corresponding comment
in C is wrong and would not produce a safe value for pptrTop (the
comment says 2^48 - 2^30), but the actual definition in C (the
equivalent of 2^40 - 2^30) is safe.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Previously the wrong cap argument was checked against being the vspace
root (cap vs vspace_cap).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
At the point we call set_asid_pool, the pool we are writing is out
of date, because invalidate_asid_entry will have changed it. This
commit adds another read operation after invalidate_asid_entry to
perform a write that is similarly atomic as the corresponding C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We previously made use of the fact that the table to be unmapped will
be a NormalPT_T. This is still true, but to avoid an unnecessary proof
obligation here, we take the pt_type provided by the cap instead, which
coincides with the pt_type the proof uses.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Check that the type of the page table that is present is the type we
are requested to update. The same assert is already present for ptes_of.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>