The way we handle vcpuBits on AARCH64 is different to ARM_HYP.
This seems the most logical place to put vcpuBits_def to aid automation.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Add VCPU/hyp lemmas from ARM_HYP, fix and update failing lemmas. Leave
1 sorry on pspace_canonical, which might not be needed for AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add VCPU/hyp material from ARM_HYP, fix up broken lemmas.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Don't store the bottom 12 bits of the base address for page table PTEs,
because we know they are zero. This gives us implicit alignment to
pageBits in the page table walker.
The C code stores only 36 significant bits, whereas this commit still
uses a full 64-bit machine word for the ppn in Haskell. To be adjusted
in a future change.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Quite a few issues remain, notably validity of ASID maps and
relationship to ASID table are missing from valid_arch_state'
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The workflow_dispatch trigger adds a button in the GitHub UI that lets
one trigger the workflow manually. Useful for testing the workflows.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This also moves several lemmas required for obj_range'_disjoint
to Invariants_H
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
These rules allow the simplifier to solve almost all existing goals that
involve the C constants true and false, without unfolding their
definitions.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
word_less_bit_eq turns `<` into a bitwise expression on abstract word
length to make it easier to reason about the relationship of < and bit
operations (boolean, but also shift etc).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The Eisbach method command doesn't seem to allow providing a doc
string. Instead at least place a comment right next to the definition
so that people can find that when they discover the method name with
print_methods.
Update doc string of word_bitwise to clarify where it is useful.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Adds generic (ring_bit_operations) relationships between boolean and
arithmetic operations. These automatically hold for word and int.
In particular:
x + y = (x OR y) + (x AND y)
x + y = (x XOR y) + 2 * (x AND y)
x XOR y = (x OR y) - (x AND y)
Similar laws for OR, AND, and -.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
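Added illustration (not code from the commit or the l4v repository): the identities above, together with the standard subtraction forms that the message only alludes to, checked both on fixed-width words (truncated to `bits`) and on unbounded Python ints, which model the two ring_bit_operations instances mentioned.

```python
import itertools
import random


def laws(x, y, bits=None):
    """Evaluate each boolean/arithmetic identity on x, y.

    bits=None models 'int' (Python ints already use two's-complement
    semantics for &, |, ^ and ~); bits=n models an n-bit 'word' by
    truncating every side modulo 2^n so wraparound is accounted for.
    Returns a dict of law name -> bool.
    """
    t = (lambda v: v & ((1 << bits) - 1)) if bits is not None else (lambda v: v)
    return {
        # the three laws quoted in the commit message
        "add_or_and":  t(x + y) == t((x | y) + (x & y)),
        "add_xor_and": t(x + y) == t((x ^ y) + 2 * (x & y)),
        "xor_or_and":  t(x ^ y) == t((x | y) - (x & y)),
        # "similar laws" for OR, AND and - (standard identities, added here)
        "or_add_and":  t(x | y) == t((x + y) - (x & y)),
        "and_add_or":  t(x & y) == t((x + y) - (x | y)),
        "sub_xor_and": t(x - y) == t((x ^ y) - 2 * (~x & y)),
        "sub_and_and": t(x - y) == t((x & ~y) - (~x & y)),
    }


def check_all(bits=4, samples=200, seed=0):
    """Exhaustive check on bits-wide words, random check on big ints."""
    for x, y in itertools.product(range(1 << bits), repeat=2):
        if not all(laws(x, y, bits).values()):
            return False
    rng = random.Random(seed)  # constructed sample inputs
    for _ in range(samples):
        x, y = rng.randrange(-2**70, 2**70), rng.randrange(-2**70, 2**70)
        if not all(laws(x, y).values()):
            return False
    return True


if __name__ == "__main__":
    print("all laws hold:", check_all())
```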
Provide sgn (sign, mapping to -1, 0, 1) and abs (absolute value)
functions for 'a word by instantiating the relevant type classes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The condition `pptrBase < kernelELFBase` is not required on AArch64 in
hyp mode and was left over from the initial RISC-V setup.
Since this check does fail for some platforms (where physBase = 0 and
consequently pptrBase = kernelELFBase) we remove it here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Extracted from verification-manifest README which now only points to
the instructions in this repo.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- Provide one flattened set of instructions to install all
dependencies, google repo, manifest checkout, and Isabelle
installation. At the end of it, link to the description on how to run
the proofs.
- Remove jEdit section from main README, since it's duplicated in
`setup.md`.
- update Google repo link to a page that contains installation
instructions
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Avoid mixing `isabelle`, `make`, and `run_tests` invocations.
Standardise on `run_tests` and mention `L4V_ARCH` each time to
indicate that you can and should set `L4V_ARCH`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- Distinguish between virtual and physical address for the shared page
in the example state.
- Reuse lemmas from ArchKernelInit to solve address translation proofs.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Move physBase into Arch_Kernel_Config_Lemmas, and move basic lemmas
about kernel constants that do not directly unfold physBase into
ArchInvariants_AI.
Because Arch_Kernel_Config_Lemmas does not have all names available
yet, some of the lemmas are folded and shadowed later in
ArchInvariants_AI.
Also refactor translate_address_kernel_elf_window to have two helper
lemmas that can be used in infoflow.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- adjust the example init state such that it does not constrain the
value of physBase and kernelELFBase too much. We assume 4M physical
memory and 4k of kernel ELF memory. We need 4M for the infoflow
example, because it requires a 2M RISCVLargePage plus additional
kernel objects.
- make the PagePTE for kernelELFBase point to kernelELFPAddrBase so
that the mapping stays consistent when physBase changes.
- introduce shorthand constants for the index in the page table that
is responsible for kernelELFBase, and for the number of bits left
to translate from the top-level page table (= size of the pages in
that table).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out pptrTop from the definition in kernelELFBase and define it
as a constant as on other platforms. Shadows the equivalent definition
in Haskell.
Also remove incorrect comment -- the term was not PADDR_TOP, but
PPTR_TOP in C.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>