Mainly repercusion of changes occuring for Access:
- Fix subjectReads and subjectAffects with new authorities
- SILC label is forbidden to contain any transferable cap
- Lots of lemma that required is_subject on their parameter now only
require aag_can_read when possible
- Major cleanup of the integrity ==> subjectAffects proofs for kheap,
CDT and user memory.
This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
* tcb_context rephrasing to (tcb_context o tcb_arch) and respectively
for set operations
* unfolding of reserved_irq for trivially solving most lemmas
* Changes to the inductive definition of integrity_obj to account for
tcb_arch and tcb_context new location
* Changes to the tcb examples in ExampleSystem to include tcb_arch
* Rephrasing of domain_sep_inv to accommodate the ReservedIRQ case
* Mostly rephrasing of tcb_context to (some form of) (tcb_context o tcb_arch)
* Trivial unfolding of handle_reserved_irq for hoare rules
* Examples in Example_Valid_State.thy were updated
* Nothing remarkable, mostly rephrasing of tcb_context and ReservedIRQ
handling
* Fun fact, some proofs are now shorter
tags: [VER-623][SELFOUR-413]
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
Victor Phan
Japheth Lim
Thibaut Perami
Gerwin Klein
Corey Lewis
Thomas Sewell
Michael Sproul
Miki Tanaka
Alejandro Gomez-Londono
Gerwin Klein
Matthew Brecknell
Joel Beeren
Thomas Sewell
Xin,Gao
Matthew Brecknell
Sophie Taylor
Daniel Matichuk
Ramana Kumar