The condition `pptrBase < kernelELFBase` is not required on AArch64 in
hyp mode and was left over from the initial RISC-V setup.
Since this check does fail for some platforms (where physBase = 0 and
consequently pptrBase = kernelELFBase) we remove it here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Move physBase into Arch_Kernel_Config_Lemmas, and move basic lemmas
about kernel constants that do not directly unfold physBase into
ArchInvariants_AI.
Because Arch_Kernel_Config_Lemmas does not have all names available
yet, some of the lemmas are folded and shadowed later in
ArchInvariants_AI.
Also refactor translate_address_kernel_elf_window to have two helper
lemmas that can be used in infoflow.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out pptrTop from the definition in kernelELFBase and define it
as a constant as on other platforms. Shadows the equivalent definition
in Haskell.
Also remove incorrect comment -- the term was not PADDR_TOP, but
PPTR_TOP in C.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove the only unfolding of Kernel_Config.physBase_def in
ArchKernelInit by removing an unused lemma. Move the remaining
unfolding in ArchAInvariants to Kernel_Config_Lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
While having a single Kernel_Config_Lemmas was fine for constraining the
number of domains, it does not work for constraining architecture-specific
configuration options/values.
Add an (empty for now) Arch_Kernel_Config_Lemmas theory to every architecture
that imports the generic Kernel_Config_Lemmas. Change all imports of
Kernel_Config_Lemmas to import Arch_Kernel_Config_Lemmas instead.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
physBase is now a generated definition on all arches except X64, with
the expectation that this value can change (for static multikernel systems).
All definitions that depend on physBase in C must therefore adapt to
depend on the physBase constant instead of its unfolded value.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
* explain how canonical_bit concept applies to AArch64
* use powers of 2 for kernelELFBase
* pptrBase unlikely to migrate to 0 in near future
* pptrUserTop_def' is not used on AARCH64, and should not be used as we
try to avoid expanding config_ARM_PA_SIZE_BITS_40 whenever possible
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Implementations for machine ops returning a value should have a _val
postfix. This commit brings vcpuHardwareRegVal in line.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Make it possible to refer to the size of the irq type symbolically.
So far, this is only necessary in an example state for kernel init,
but it's still nicer to avoid magic numbers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The non_kernel_IRQs constant collects IRQs that cannot occur in kernel
mode. For non-hyp platforms this is usually empty, for hyp platforms we
add software-generated virtual interrupts.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Sync both values with what the C code does. The corresponding comment
in C is wrong and would not produce a safe value for pptrTop (the
comment says 2^48 - 2^30), but the actual definition in C (the
equivalent of 2^40 - 2^30) is safe.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On AArch64 pptrUserTop is not page aligned, which also suits us fine for
reusing the value later in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes new vspace decode and page flush invocations, as well
as machine constants that are used in those paths.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use RISCV64 design spec skeletons to start work on AARCH64 ExecSpec.
Only minimal RISCV64 to AARCH64 substitution done, with big FIXMEs
stuck on top to remind people this got no human oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The benefit of the wpx method is not worth the maintenance effort.
There are still a few instances of wpx left in AInvs, which will have
to be fixed later.
We are keeping the wps method from the same file (WPEx.thy), because
that is used more widely and does not break with Isabelle2021-1
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This change eases any future platform ports by better matching the C
code that it models and by making it so that there is one less constant
that needs modification.
Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce Kernel_Config theory for storage of non-architecture-specific
seL4 configuration variables that are shared by the abstract and design
specs.
Remove `num_domains`, in lieu of `numDomains` that is now defined only
in `Kernel_Config.thy`. The definition is hidden and must be referred to
as Kernel_Config.numDomains_def when avoiding unfolding is not possible.
Include required properties of `numDomains` as lemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In the rest of the proofs we use machine_word to refer to addresses.
This commit brings the machine definitions in line with that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The RISCV implementation of invokeIRQHandler calls plic_complete_claim
instead of maskInterrupt. plicCompleteClaim is added as a machine op
and invokeIRQHandler has been arch split for the ACKIrq case.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
- Increase IRQ word size from 3 to 6 to match IRQ_CNODE_SLOT_BITS in
sel4 config.
- Bump maxIRQ up to 54.
- Fix broken inequality proof by changing constant that depended on IRQ
word size.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.
In arch_check_irq, an error is thrown if IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user however
is a RangeError from 1 to maxIRQ.
Corey Lewis
Gerwin Klein
Rafal Kolanski
Corey Lewis
Gerwin Klein
Matthew Brecknell
Rafal Kolanski
Victor Phan