Each CAmkES assembly gets an extra field `policy_extra` to specify
extra policy edges. These are added to the default policy graph from
`policy_of`.
This feature is intended to support endpoint merging in the
`global-endpoint` CAmkES template, which could add communication
edges that were not present in the ADL.
The new field `group_labels` specifies a mapping from ADL component
names to integrity policy labels. This will be used to support the
`group` keyword in CAmkES that allows components to share an address
space. See Jira VER-1109.
This allows connectors to also grant access rights between the
from-ends themselves (and similarly the to-ends).
It was previously thought that production CAmkES systems would not
need these rights. However, some connectors (e.g. VirtQueue) don't
follow the standard ADL semantics and we need these rights to
express their behaviour. Limitations of the Access model also cause
`policy_wellformed` systems to have more rights than necessary; see
Jira VER-1108.
This theory was a project to specify the behaviour of the CAmkES
toolchain as an Isabelle function. However, this copy of the theory
is incomplete, the toolchain has moved on, and the ADL model is also
undergoing changes, so there is no longer much value in maintaining
this file.
The classic ADL formal model has a fixed palette of connectors, with
the interface type and seL4 integrity model also being fixed for each
connector type. This is unable to model new CAmkES connectors.
We change the ADL model to allow more combinations of connector
semantics, including arbitrary sets of Access rights between the
policy labels that a connector touches.
See Jira VER-1110 for more context.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945
Moves some unnecessary stuff out of the locale and now specifies the label type
as `string` rather than a locale parameter. The purpose of the latter is to
allow us to talk about concrete labels rather than continually falling back on
the user's projection, but it's not clear yet whether this is a big win.
These were phrased as slots containing NULL caps, but the translation of CapDL
specifications into Isabelle actually just restricts the domain of the
underlying capability map. This is much cleaner and we now have exact
equivalence.
This connection actually uses read/write caps on both sides because it is
implemented using Send and Wait. It may be worthwhile modelling seL4RPCCall
(which is implemented using Call and ReplyWait) as well. This would be a
trivial extension.
CAmkES deliberately skips over CSlot 0 when allocating caps to allow typos and
misallocations to be more easily detected. This commit captures this logic in
the generator function.
Previously, the CapDL-generating function assumed a CNode size of 12 bits for
each component instance, though this was known to be inaccurate. In the
implementation of CAmkES, the code generator calculates the minimum required
size of each CNode on the fly. This commit updates the formalised generator to
perform the same calculation. The calculation is currently written in terms of
the `LEAST` binder, which as it turns out is sometimes awkward to reason about.
It may be worthwhile rephrasing this in future.
The CapDL translation tools produce threads with an undefined intent, rather
than no intent. This commit modifies the CAmkES generation to do the same to
ease the correspondence proof.
Presumably this is only the case for when there are no assigned interrupts in
the system. These theories will need some tweaking to support systems with
interrupts.
Current example systems do not involve hardware interrupts, but each interrupt
in such a system is represented in CapDL as an empty single-slot CNode. We need
to note their existence or the final correspondence proof becomes tricky. This
commit adds support for (assumed empty) IRQ CNodes and pushes this through the
existing proofs. The generated label mapping will need some associated updates
following this.
This is a relatively straightforward property, but shows that CAmkES systems
fall into a constrained class of seL4 systems that it is easier to reason
about. In particular a lack of caps to more dynamic objects like untypeds
guarantees a tighter seL4 worst case execution time and an absence of many
possible dynamic behaviours.
We prove this property across all CapDL specifications produced by the high-
level generator, rather than on a concrete specification. In this way, we can
do the proof manually once and for all.
The low-level specification roughly maps to the code generator and template
instantiation phases of CAmkES. At this point no address space objects exist
(excepting slight infidelity with respect to page directories). The address
space objects are introduced in the "extra" objects that we append, which map
roughly to the ELF derivation and CapDL filters.
Separating the two collections of objects gives us some nice preserved
properties that can be shown over generation from an abstract input. In
particular, we can phrase some provable properties that are resilient against
things like changes in compiler optimisation levels and allocation strategies.
These theories construct a locale with holes that are filled in by generated
code. Interpreting the locale manually is quite tedious and error prone, but we
entirely automate this process during code generation. For the details of this,
see the CAmkES 'architecture-semantics' and 'label-mapping' back ends.