The example valid state is changed to correctly use both the virtual
and physical address of the shared page, instead of just the virtual
address.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
While having a single Kernel_Config_Lemmas was fine for constraining the
number of domains, it does not work for constraining architecture-specific
configuration options/values.
Add an (empty for now) Arch_Kernel_Config_Lemmas theory to every architecture
that imports the generic Kernel_Config_Lemmas. Change all imports of
Kernel_Config_Lemmas to import Arch_Kernel_Config_Lemmas instead.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Make the C kernel config extraction visible as a separate test session
in run_tests so that run_tests can do concurrency control for it.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
physBase is now a generated definition on all arches except X64, with
the expectation that this value can change (for static multikernel systems).
All definitions that depend on physBase in C must therefore adapt to
depend on the physBase constant instead of its unfolded value.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
A previous commit added a new job which depended on a job that didn't
exist. We rename the `all` job to `proofs` for consistency with other
workflows.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
This rule allows us to prove correspondence in the case
where the result of a function call is assigned to a
global variable.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Terms of the form "(if P then None else Some _) = None" and all their
combinations can be simplified automatically. For the "Some" variants
we provide a safer form, e.g.:
((if P then Some x else None) = Some x) = P
because
((if P then Some x else None) = Some y) = (P /\ x = y)
adds an equation to the goal that the simplifier will pick up. That is
often wanted, but sometimes leads to non-termination.
Even the safer form can lead to non-termination if P is an equation, so
none of these are [simp] by default.
- `if_option_eq` is the safer set
- `if_option` is the less safe set that simplifies more
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
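The two rule shapes described in this commit message, restated as a small self-contained Isabelle/HOL theory. This is an added illustration, not code from l4v: the lemma names and proofs here are my own, and the real `if_option_eq` / `if_option` collections in l4v may state the rules differently. It shows the safe and less-safe `Some` forms side by side, the `None` form, why the injected equation `x = y` is useful, and a case where the safe form already suffices when `P` is itself an equation.

```isabelle
theory If_Option_Example
  imports Main
begin

(* Constructed example, not part of l4v. Local restatements of the two
   forms quoted in the commit message; names are my own. *)

(* Safer form: the Some-argument already coincides on both sides, so
   rewriting injects no new equation into the goal. *)
lemma if_Some_eq_safe:
  "((if P then Some x else None) = Some x) = P"
  by (cases P) auto

(* Less safe form: rewriting produces the conjunct x = y, which the
   simplifier will then use to rewrite the rest of the goal. *)
lemma if_Some_eq:
  "((if P then Some x else None) = Some y) = (P \<and> x = y)"
  by (cases P) auto

(* The None variant is harmless either way. *)
lemma if_Some_None:
  "((if P then Some x else None) = None) = (\<not> P)"
  by (cases P) auto

(* The injected equation is what makes the less safe form attractive:
   after if_Some_eq the premise becomes P \<and> x = y, and simp uses
   x = y to close g x = g y. *)
lemma injected_equation_helps:
  "(if P then Some x else None) = Some y \<Longrightarrow> g x = g y"
  by (auto simp: if_Some_eq)

(* When P is itself an equation, the safe form already does the job and
   does not add a second equation for simp to orient. *)
lemma safe_form_suffices:
  "((if a = b then Some a else None) = Some a) = (a = b)"
  by (simp add: if_Some_eq_safe)

end
```

Neither lemma is declared `[simp]` here, mirroring the commit: add them to a call with `simp add:` (or `simp add: if_option_eq` / `if_option` in l4v, assuming those are the collection names) only in the goal where they are wanted.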
* getHSR confirmed unused
* setHCR confirmed used on C side for hyp
* addressTranslateS1 was merged into C
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
* explain how canonical_bit concept applies to AArch64
* use powers of 2 for kernelELFBase
* pptrBase unlikely to migrate to 0 in near future
* pptrUserTop_def' is not used on AARCH64, and should not be used as we
try to avoid expanding config_ARM_PA_SIZE_BITS_40 whenever possible
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Draw connection between conjugate wp in the literature and our
exs_valid definition.
Add exs_valid_alt lemma, which is one of the main rules that is
different between wp and conjugate wp (or vs and).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The `export-kernel-builds.py` script expects to be able to run the
build from an arbitrary temporary directory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add mechanism for adding overlay.dts files to the l4v build for all
architectures apart from X64 (which does not use dts files).
For example, place a file `overlays/ARM/overlay.dts` into the tree and
the build will pick it up as custom overlay file with the correct proof
session dependencies.
If no file is provided, an empty default overlay file is used.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
In order to parametrise the kernel's physical address in verification,
physBase becomes a function in C.
This updates the functional correctness proofs so that they work again.
Proper abstraction of physBase in the proof is forthcoming.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Extract the numeric value PHYS_BASE_RAW from the generated header
gen_headers/plat/machine/devices_gen.h and provide it as the constant
physBase in Kernel_Config.thy.
In C this will later match up with the value returned by physBase().
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Allow more settings to be overridden when using the standalone C parser
to generate kernel.sigs in the l4v kernel make files.
This makes it easier to use a pre-built standalone C parser, say, from a
Docker image.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
The decompilation process (part of binary verification) is more tightly
coupled to the graph-refine repository than l4v, so it makes more sense
to perform decompilation in graph-refine. (It was temporarily performed
here in l4v because the graph-refine branches needed some stabilisation
work.)
This also modifies proof workflows:
- All proof workflows now upload kernel build artifacts. These can be
used as inputs to binary verification.
- Proof workflows other than the one for pull requests (proof.yml)
automatically trigger a decompilation workflow. We can still manually
initiate a decompilation workflow using the uploaded artifacts, but
doing so automatically would consume too many parallel runners.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
This can be used by l4v proof runs in GitHub CI to save kernel build outputs
for later use by binary verification.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
seL4/seL4#975 slightly changed how the config headers are generated.
They now need a (short) `ninja` build step and they produce fewer spaces
in the header file.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We have so far not been mentioning L4V_ARCH in the instructions and
haven't pointed out which sessions need generated input.
Add this information to the instructions.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Need to check out the ci-actions repo first (where the nl-unescape.sh
script is located).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>