Allow more settings to be overridden when using the standalone C parser
to generate kernel.sigs in the l4v kernel make files.
This makes it easier to use a pre-built standalone C parser, say, from a
Docker image.
Signed-off-by: Matthew Brecknell <matt@kry10.com>

This can be used by l4v proof runs in GitHub CI to save kernel build outputs
for later use by binary verification.
Signed-off-by: Matthew Brecknell <matt@kry10.com>

seL4/seL4#975 slightly changed how the config headers are generated.
They now need a (short) `ninja` build step and they produce fewer spaces
in the header file.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We initially wanted to move ucast_ucast_ppn to Kernel_Config_Lemmas.
This doesn't work, because ppn is only defined in Arch_Structs_A, but
it turns out that ppn_len is exactly the term `ipa_size - pageBits`
that the lemma needs, so instead of moving the lemma up, we make its
proof generic by providing the symbolic form of `ppn_len` instead.
This still unfolds Kernel_Config.config_ARM_PA_SIZE_BITS_40, but it
does so only trivially and directly where ppn_len is defined.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Implementations for machine ops returning a value should have a _val
postfix. This commit brings vcpuHardwareRegVal in line.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The flush_type definition is an exact duplicate, so it makes sense
to directly re-use the Haskell definition in ASpec.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Make it possible to refer to the size of the irq type symbolically.
So far, this is only necessary in an example state for kernel init,
but it's still nicer to avoid magic numbers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The non_kernel_IRQs constant collects IRQs that cannot occur in kernel
mode. For non-hyp platforms this is usually empty, for hyp platforms we
add software-generated virtual interrupts.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

On ARM_HYP we added a fix for a problem discovered during the proof of
the VCPU invariant that the current VCPU always belongs to the current
thread. This commit ports that fix from ARM_HYP to AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- align init_irq_node_ptr to its size (which is larger than in RISCV)
- remove ArmVSpaceUserRegion, because kernel has its own page table
- define global_pt_obj, add to initial heap
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Sync both values with what the C code does. The corresponding comment
in C is wrong and would not produce a safe value for pptrTop (the
comment says 2^48 - 2^30), but the actual definition in C (the
equivalent of 2^40 - 2^30) is safe.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Previously the wrong cap argument was checked against being the vspace
root (cap vs vspace_cap).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
At the point we call set_asid_pool, the pool we are writing is out
of date, because invalidate_asid_entry will have changed it. This
commit adds another read operation after invalidate_asid_entry to
perform a write that is similarly atomic as the corresponding C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

We previously made use of the fact that the table to be unmapped will
be a NormalPT_T. This is still true, but to avoid an unnecessary proof
obligation here, we take the pt_type provided by the cap instead, which
coincides with the pt_type the proof uses.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Check that the type of the page table that is present is the type we
are requested to update. The same assert is already present for ptes_of.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
  (removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
  instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The strict function application operator made sense when performance
mattered because the model was used from a simulator. Now it's just
noise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

GHC 9.0.2 requires a space between ! and the operand to distinguish
the expression from a bang pattern.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

GHC 9.0.2 is more strict in its pattern syntax and rejects @ patterns
that are surrounded by parentheses.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- switch to lts-19.12 (GHC 9.0.2)
- use cabal v2 commands, which build locally by default and don't
  need a separate sandbox
- update SEL4.cabal file to cabal spec version 3
- remove generated `cabal.project.local~*` backup files after configure
  to avoid flooding the directory
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The previous spec was trying to set message registers manually
when instead it should have just returned the list of data words
that forms the reply. This correctly modeled the currently wrong
behaviour in C, which seL4/seL4#243 fixes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

arch_same_region_as must respect the type of the object the cap points
to, so we need to constrain PageTableCap to the same type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

On RISCV64, we had the nice property that pt_walk can only produce
aligned addresses. This alignment is important for further address
computation.
It turns out that the same is true on AARCH64, because the bottom 12
bits of page table addresses are not stored in PTEs. PagePTEs can only
point to normal page tables, so there is no variation in the size of
the alignment.
This commit uses a similar encoding to RISCV64 to achieve this pt_walk
property without using an additional invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This target was used in the regression test setup before this repo
switched to `run_tests` and has been unused for some time.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This means Isabelle will automatically insert `level_type` when it
finds a term of type `vm_level` but expects one of type `pt_type`.
This only works when the context is unambiguous, but it does make quite
a few terms shorter.
This is input-only, `level_type` will still show up in output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Same principle as for ASpec, set up in a way that PT_Type can be shared
between the specs. Fewer occurrences in Haskell, because it does not have
explicit page table objects, only PTEs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Replaces bool with a dedicated type for page table types. This should
generalise nicely to more different levels and removes the slightly
confusing occurrence of bool.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This replaces 'a word for indices with machine_word. Since we can't use
a specific word length for a generic table index (because different
tables can have different index types), we don't win much by using 'a
word, but we do lose something: we must instantiate 'a when we use the
term, which means we need to decide at that point which type of table
we are talking about. This forces early case distinctions in proofs.
Using machine_word allows us to delay committing to a particular table
type and instead write a generic condition on the width of the index.
We are using machine_word instead of nat or a different specific word
length, because the index into the table is a slice of either an
obj_ref (in ptes_of) or a vref (when we do page table walks), both of
which are compatible with machine_word.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Instead of modeling uniform PTE access between levels from Haskell and
C, it comes out cleaner in the abstract spec to keep PTE access
separate per level. This means that get/storePTE take an is_vspace
argument, which in turn is propagated up, so a few more functions now
have a level/is_vspace argument.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Making vs_index_len a symbolic value instead of a plain number means we
have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need
to consider both cases, which forces us to stay generic).
This also makes sure the type vs_index_len is always distinct from
pt_index_len (even if the sizes are the same), which was only
guaranteed in one of the two configurations before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The bit width of intermediate physical addresses (IPA) is occasionally
useful in the invariants later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Make the function usable not only in the code+specs, but also in the
invariants by adding a case for asid_pool_level (= max_pt_level + 1).
At this level, we also need to translate the bits of the top-level
table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This makes sure we're accessing the right kind of object for the level
we are interested in. Relying on alignment is OK when the invariants
are in scope, but this check is more immediate and avoids us needing
pspace_aligned and pspace_distinct in all lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Give more time for downloading and compiling dependencies for runs
where these are not cached.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes sure we're catching all dependencies that are declared for
`design-spec` in the top-level Makefile. In particular, we want
`c-config` to run at least once before either `ASpec` or `ExecSpec` run
it, to make sure these two are not racing on config generation in
`-j 2`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

We had put a lot of VCPU content into ArchVSpace and ArchVSpaceAcc even
though VCPUs aren't really very related to VSpace. These functions now
live in a separate file VCPUAcc in analogy to VSpaceAcc and TcbAcc.
Some of these functions could also move into VCPU_A instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

As Corey points out, the rest of the fields are in perfect order with
Haskell, and keeping all of them fully in sync will save us shuffling
and looking up things later in the proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- tune comment
- make vs_index_len the generic interface for vs_index_len_def
- provide relationship to ptTranslationBits
The two latter points will help to keep invariant proofs generic over
the size of the top-level table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Config files should be re-generated when generator content changes,
because that generally changes the content of the output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

On AArch64 pptrUserTop is not page aligned, which also suits us fine for
reusing the value later in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

These files have been reviewed, but the FIXMEs stuck around.
Update copyright on files we modified, and leave as is for only
copy+sed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The C code PR still uses the old naming scheme (hw_asid), but even if
it stays that way so it can share code with paths that use a "generic"
hw_asid name, it is better for the specs to use the correct name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

These are ArchCSpace_A, ArchIpcCancel_A, ArchRetype_A, ArchTcb_A.
Already in good shape, just some style copyright headers, etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Minor style update; set up global user page table and example kernel
vspace uses that should satisfy invariants.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Also sync handle_reserved_irq phrasing with Haskell and C (sequential
comparison instead of cascaded. Comes out to the same, but no need to
prove that here).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This includes new vspace decode and page flush invocations, as well
as machine constants that are used in those paths.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The actual order for the ObjectType enum is defined in design. This one
has to correspond to the C enum. Mirroring it here in Haskell for
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The page table size cannot be "vspace" here, because the invocation
is only for lower-level tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

VCPU and style still need to be updated, but the virtual memory
operations in this file are validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This only updates the rest of the spec to type check, it does not
yet use the vmid information stored in the new type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The pte type is now in sync with Haskell and C.
Note that there is a trade-off in storing the entire paddr (base
address) in the pte. In RISC-V we don't store the bottom bits, so we get
an invariant for free that these are always 0, but we need to do a
bunch of shifting and casting to convert addresses. The shifting there
aligns with the C code.
On AArch64, the address field instead uses field_high, which does the
shifting inside the bitfield generator and makes it invisible to the
rest of the C code. To model that there is no such shifting going on,
we choose to store the entire base address here (as in ARM/ARM_HYP).
This means we will need an invariant that they are all aligned to
pageBits.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Use a more principled way to define ptes_of/get_pte by defining
level_pte_of parametric in the level and setting ptes_of to the union
of all levels. This works because objects must be distinct.
For store_pte a simple union doesn't work, but we can still first
extract the level, and then use the level to update the object for that
level.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>