The current formulation allows an interface of an instance to be
mentioned multiple times in the from side of the same connection.
Signed-off-by: Ben Fiedler <git@bfiedler.ch>
Each CAmkES assembly gets an extra field `policy_extra` to specify
extra policy edges. These are added to the default policy graph from
`policy_of`.
This feature is intended to support endpoint merging in the
`global-endpoint` CAmkES template, which could add communication
edges that were not present in the ADL.
The new field `group_labels` specifies a mapping from ADL component
names to integrity policy labels. This will be used to support the
`group` keyword in CAmkES that allows components to share an address
space. See Jira VER-1109.
The CAmkES toolchain allows some interfaces to be declared optional.
We add such a flag to the ADL datatype and remove the requirement for
such interfaces to be connected.
This allows connectors to also grant access rights between the
from-ends themselves (and similarly the to-ends).
It was previously thought that production CAmkES systems would not
need these rights. However, some connectors (e.g. VirtQueue) don't
follow the standard ADL semantics and we need these rights to
express their behaviour. Limitations of the Access model also cause
`policy_wellformed` systems to have more rights than necessary; see
Jira VER-1108.
The VirtQueueDev connector in global-components currently uses empty
procedures as a hack, and allowing empty procedures seems to be
harmless to the rest of the ADL semantics.
The classic ADL formal model has a fixed palette of connectors, with
the interface type and seL4 integrity model also being fixed for each
connector type. This is unable to model new CAmkES connectors.
We change the ADL model to allow more combinations of connector
semantics, including arbitrary sets of Access rights between the
policy labels that a connector touches.
See Jira VER-1110 for more context.
Instead of hardcoding basic C types, this passes most of them along as
uninterpreted strings. This allows typedefs such as time_t or ssize_t
to be used, without requiring the formal model to recognise them.
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
This brings the architectural model in line with the current implementation by
making the following adjustments:
- Remove "trait" terminology and replace with "procedure." This was already
done in the datatypes, but had not been updated in the accompanying text.
- Remove both fixed size and NULL-terminated arrays and replace with the more
recent arbitrary sized arrays. Neither of the former are supported, but can
now be emulated if necessary.
- Remove references to `RPCEvent` and `DirectCall` connectors. `RPCEvent` no
longer exists and `DirectCall`, while still present, introduces complexities
that are not adequately explained in the context of this document.
- Remove legacy comments.
- Various typo fixes.
The only major change is that "embed" is now a constant in HOL, removing
it from the set of valid names for free variables.
Have renamed uses of "embed" to "embed_data"; a better name could
probably be chosen by someone more familiar with the code.
Ben Fiedler
Gerwin Klein
Japheth Lim
Michael McInerney
Matthew Brecknell
Alejandro Gomez-Londono
Matthew Brecknell
Miki Tanaka
Matthew Fernandez
David Greenaway
Gerwin Klein