- align init_irq_node_ptr to its size (which is larger than in RISCV)
- remove ArmVSpaceUserRegion, because kernel has its own page table
- define global_pt_obj, add to initial heap
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On RISCV64, we had the nice property that pt_walk can only produce
aligned addresses. This alignment is important for further address
computation.
It turns out that the same is true on AARCH64, because the bottom 12
bits of page table addresses are not stored in PTEs. PagePTEs can only
point to normal page tables, so there is no variation in the size of
the alignment.
This commit uses a similar encoding to RISCV64 to achieve this pt_walk
property without using an additional invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The bit width of intermediate physical addresses (IPA) is occasionally
useful in the invariants later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
As Corey points out, the rest of the fields are in perfect order with
Haskell, and keeping all of them fully in sync will save us shuffling
and looking up things later in the proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Minor style update; set up global user page table and example kernel
vspace uses that should satisfy invariants.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pte type is now in sync with Haskell and C.
Note that there is a trade-off in storing the entire paddr (base
address) in the pte. In RISC-V we don't store the bottom bits, so we get
an invariant for free that these are always 0, but we need to do a
bunch of shifting and casting to convert addresses. The shifting there
aligns with the C code.
On AArch64, the address field instead uses field_high, which does the
shifting inside the bitfield generator and makes it invisible to the
rest of the C code. To model that there is no such shifting going on,
we choose to store the entire base address here (as in ARM/ARM_HYP).
This means we will need an invariant that they are all aligned to
pageBits.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
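The two encodings compared in the pt_walk alignment message and in the pte trade-off message above can be made concrete in C. The following is an added example written for this page; it is not seL4 or l4v code. It assumes the architectural layouts only (RISC-V Sv39/Sv48 with the PPN in bits [53:10], AArch64 4 KiB granule with a 48-bit output address in bits [47:12]); the 4-level toy walk, the `pmem` array standing in for physical memory, the sample mapping of `0x12345000` to page `0x7000`, and every function name here are constructed for illustration. The point it shows is that both hardware encodings drop the low 12 address bits, so a decoded address is page-aligned regardless of what was written, whereas a model that keeps the full base address (the AArch64 choice described above) must carry `model_pte_aligned` as an explicit invariant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_BITS 12
#define PAGE_MASK ((1ULL << PAGE_BITS) - 1)

/* RISC-V Sv39/Sv48 PTE: physical page number (paddr >> 12) in bits [53:10],
 * flag bits (V,R,W,X,U,G,A,D,RSW) in [9:0]. The low 12 address bits are
 * never stored, so a decoded address is page-aligned by construction. */
#define RISCV_PPN_SHIFT 10
#define RISCV_PPN_MASK  ((1ULL << 44) - 1)

uint64_t riscv_pte_encode(uint64_t paddr, uint64_t flags)
{
    return (((paddr >> PAGE_BITS) & RISCV_PPN_MASK) << RISCV_PPN_SHIFT)
         | (flags & ((1ULL << RISCV_PPN_SHIFT) - 1));
}

uint64_t riscv_pte_paddr(uint64_t pte)
{
    return ((pte >> RISCV_PPN_SHIFT) & RISCV_PPN_MASK) << PAGE_BITS;
}

/* AArch64 VMSAv8-64 descriptor, 4 KiB granule, 48-bit output address:
 * the address sits in place in bits [47:12]; [11:0] and [63:48] hold
 * attributes. A bitfield "field_high" is exactly this: the address with its
 * low PAGE_BITS bits dropped, so no shift is visible in the C that uses it. */
#define ARM_OA_MASK        0x0000FFFFFFFFF000ULL
#define ARM_DESC_TYPE_MASK 0x3ULL
#define ARM_DESC_TABLE     0x3ULL   /* levels 0..2: next-level table */
#define ARM_DESC_PAGE      0x3ULL   /* level 3: 4 KiB page (same low bits) */

uint64_t arm_pte_encode(uint64_t paddr, uint64_t attrs)
{
    return (paddr & ARM_OA_MASK) | (attrs & ~ARM_OA_MASK);
}

uint64_t arm_pte_paddr(uint64_t pte)
{
    return pte & ARM_OA_MASK;
}

/* Model side: a pte that stores the full base address (instead of the
 * shifted field) needs this alignment invariant stated separately. */
bool model_pte_aligned(uint64_t base_paddr)
{
    return (base_paddr & PAGE_MASK) == 0;
}

/* --- toy page-table walk (assumption: 4 levels, 9 index bits each) --- */
#define PT_LEVELS      4
#define PT_INDEX_BITS  9
#define TOY_PMEM_WORDS (8 * 512)   /* 32 KiB of constructed "physical" memory */
static uint64_t pmem[TOY_PMEM_WORDS];

static uint64_t pt_index(uint64_t vaddr, int level)
{
    int shift = PAGE_BITS + PT_INDEX_BITS * (PT_LEVELS - 1 - level);
    return (vaddr >> shift) & ((1ULL << PT_INDEX_BITS) - 1);
}

/* Walks from root_paddr, recording each table address visited in tables[].
 * Returns the number of tables visited and the final descriptor in *out. */
int pt_walk(uint64_t root_paddr, uint64_t vaddr, uint64_t *tables, uint64_t *out)
{
    uint64_t table = root_paddr;
    int n = 0;
    for (int level = 0; level < PT_LEVELS; level++) {
        tables[n++] = table;
        uint64_t pte = pmem[table / 8 + pt_index(vaddr, level)];
        if (level < PT_LEVELS - 1 && (pte & ARM_DESC_TYPE_MASK) == ARM_DESC_TABLE) {
            table = arm_pte_paddr(pte);   /* aligned: low bits were never stored */
            continue;
        }
        *out = pte;
        break;
    }
    return n;
}

/* Constructed sample: map vaddr 0x12345000 through tables at 0x1000..0x4000
 * to page 0x7000. The level-3 input is deliberately unaligned (0x7345). */
void build_toy_tables(void)
{
    uint64_t va = 0x12345000ULL;
    pmem[0x1000 / 8 + pt_index(va, 0)] = arm_pte_encode(0x2000, ARM_DESC_TABLE);
    pmem[0x2000 / 8 + pt_index(va, 1)] = arm_pte_encode(0x3000, ARM_DESC_TABLE);
    pmem[0x3000 / 8 + pt_index(va, 2)] = arm_pte_encode(0x4000, ARM_DESC_TABLE);
    pmem[0x4000 / 8 + pt_index(va, 3)] = arm_pte_encode(0x7345, ARM_DESC_PAGE);
}

/* True iff every table address the walk produced is page-aligned and the
 * leaf resolves to 0x7000 even though 0x7345 was written. */
bool walk_all_aligned(void)
{
    uint64_t tables[PT_LEVELS], leaf = 0;
    build_toy_tables();
    int n = pt_walk(0x1000, 0x12345000ULL, tables, &leaf);
    for (int i = 0; i < n; i++)
        if (!model_pte_aligned(tables[i]))
            return false;
    return n == PT_LEVELS && arm_pte_paddr(leaf) == 0x7000;
}

int main(void)
{
    printf("riscv decode: 0x%llx\n",
           (unsigned long long)riscv_pte_paddr(riscv_pte_encode(0x80001234ULL, 0xF)));
    printf("arm decode:   0x%llx\n",
           (unsigned long long)arm_pte_paddr(arm_pte_encode(0x80001234ULL, 0x3)));
    printf("walk aligned: %s\n", walk_all_aligned() ? "yes" : "no");
    return 0;
}
```

The RISC-V decoder shifts on the way out, mirroring the casting the message describes in the C code; the AArch64 decoder only masks, which is why the seL4 C side sees no shifting once the bitfield generator hides it. Either way `pt_walk` cannot hand back an unaligned table address, and `model_pte_aligned` is the property a full-address model has to add by hand.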
This includes the type-checking fallout from those two main additions,
but no real further validation yet downstream from Structures.thy.
PageTable objects now have an inner object that contains either a
normal page table or a page table with the potentially different size
for top-level VSpace roots.
In ArchVSpaceAcc, the follow-on effects include making pte operations
figure out what kind of object it is by first checking for the
potentially smaller-sized object, and if that does not exist, trying
the larger-sized object (which has a different base address). When
pspace_distinct and pspace_aligned invariants hold, this should model
the behaviour of Haskell/C precisely.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is mostly verbatim copy/paste from RISCV64 to get started. Needs
update and validation everywhere, but type checks for now.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>