Previously renamed invocation labels, as well as decodeARMMMUInvocation
and performARMMMUInvocation.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Largely adapted from ARM_HYP, modified and checked against C code.
Remaining known issues marked with FIXMEs.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Model AARCH64-specific global kernel data, which means:
- adjust vspace region mapping names
- remove global page tables, including accesses (copyGlobalMappings)
- add pointer to empty user page table
This commit does not yet include VCPU and SMMU.
As on 32-bit ARM_HYP, global page tables exist on AARCH64, but are not
accessed by any code after boot, so are not visible in verified code
apart from defining the (constant) kernel window and kernel mappings
during execution. User code without a valid VSpace root is assigned a
pointer to an empty table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Set the naming convention for global state components to armKS..
This overlaps with ARM and ARM_HYP, but so do the concepts as well
as the C convention.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit adds hardware ASID handling from ARM/ARM_HYP, and tweaks it
to use local ASID pool entries for hardware ASIDs instead of a global
ASID map.
Naming here is unfortunate in multiple dimensions:
- C calls the entries asid_map (from the global function in Haskell)
- what is actually mapped is a seL4 ASID to a HW ASID + VSpace root,
but only via multiple functions, the type is not a map
- the HW ASIDS are not actual ASIDs, but instead VMIDs in AArch64 EL-2
To be cleaned up when nomenclature is clearer in C.
Validation against C is minimal at the moment; only the types are
validated to correspond with C, and which functions are present, but
not their full behaviour/structure yet.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proof about it, but those are unused
as well. This commit removes all of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Adds FPU state to UserContext, uses 64 general-purpose registers as seen
on TX2.
Abstracts FPU operations to fpuThreadDelete required for thread
deletion, thereby not including intricacies of lazy FPU switching.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Use RISCV64 version of Haskell spec as a basis for upcoming work on
spec for AARCH64 architecture.
Only minimal RISCV64 to AARCH64 substitution done to yield a compiling
target, with a big FIXME stuck on top to remind people this got no human
oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
globally (for all arches) removes word simp rules that are too eager
for 64 bit bitfield proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The benefit of the wpx method is not worth the maintenance effort.
There are still a few instances of wpx left in AInvs, which will have
to be fixed later.
We are keeping the wps method from the same file (WPEx.thy), because
that is used more widely and does not break with Isabelle2021-1
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The rule for kernel.sigs previously depended on building standalone C
parsers and tokenizers for all architectures. With this change, we only
build the standalone C parser for the current architecture.
We also explicitly pass a --cpp argument based on the TOOLPREFIX.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
Some development environments set an environment variable OBJDUMP by
default. With the previous version of kernel.mk, decompilation used the
objdump indicated by that OBJDUMP variable. This could cause
decompilation to fail if OBJDUMP did not match the TOOLPREFIX used for
compilation.
Since we don't currently have a need to specify a different objdump, we
remove the ability to override via the OBJDUMP environment variable.
With this commit, we always use TOOLPREFIX to locate a suitable objdump.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
An invocation to bind a thread to a VCPU will perform associate_vcpu_tcb.
Previously, vcpu_switch was called only on a context switch, and so
it was possible to bind the current thread to a VCPU and then not switch
to that VCPU. This change will allow us to prove that the current active
VCPU is the VCPU of the current thread.
Signed-off-by: Michael McInerney <m.mcinerney@unsw.edu.au>
Since `numDomains` exists both in Kernel_Config in C, and we want to
force people to annotate the C version as `Kernel_C.numDomains`, we hide
it right after the C is parsed.
Some of the comments about hiding/reintroducing vmsize constants became
a bit broken/absent around X64, and adding the above made things extra
confusing. Put back the ARM/ARM_HYP comments to clear up what's going
on, and tweaked a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This change eases any future platform ports by better matching the C
code that it models and by making it so that there is one less constant
that needs modification.
Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
This commit adds compiler prefixes for AArch64 so that the preprocess
test finds the right cross compilers for this architecture.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This script takes the gen_config.h file CMake produces for each kernel
configuration, parses it, and emits corresponding Isabelle definitions
into Kernel_Config.thy in spec/machine/$L4V_ARCH/
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce Kernel_Config theory for storage of non-architecture-specific
seL4 configuration variables that are shared by the abstract and design
specs.
Remove `num_domains`, in lieu of `numDomains` that is now defined only
in `Kernel_Config.thy`. The definition is hidden and must be referred to
as Kernel_Config.numDomains_def when avoiding unfolding is not possible.
Include required properties of `numDomains` as lemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The new docker containers that upgraded to gcc-10 use a different
version of the gcc Arm toolchain (`arm-linux-gnueabi`).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
In the rest of the proofs we use machine_word to refer to addresses.
This commit brings the machine definitions in line with that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
When there is no Haskell stack cache yet and all dependencies are
compiled from source, 30min CPU time is tight. Bumping it to 45min
should reduce failures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This mostly refactors ML code to avoid non-exhaustive matches, restore
the (op infix) syntax that got lost in a previous Isabelle update, and
removes some unused functions/parameters.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Platform constants were previously not translated. When they were moved
to translated code, some constructor issues came up.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
The names for `kernelBase` and `physBase` are renamed to `pptrBase` and
`paddrBase` respectively to be more consistent with the C (and the
previous commit).
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
This update reflects a set of changes made to the seL4 kernel some time
ago that consolidates the definitions for physical to virtual
translation.
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
Remove resolve_address_bits'.simps from the simp set at the definition
site, instead of in the middle of the proofs.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Make these a separate target so that other sessions that depend on
ASpec can kick off generation of these files (necessary because some
are mentioned in spec/ROOT, and the session structure will fail if they
don't exist).
This is only relevant in a fresh check-out when you've never built
ASpec, but in test environments this can happen if only specific
sessions are tested.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 doesn't allow sharing session directories between the document
session and non-document session. Instead of duplicating things, this commit
pulls the document build back into the ASpec session, but changes the build
such that the git revision is read directly from LaTeX, removing the
superfluous re-build for every git revision change (even when no relevant spec
file changed).
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare it own set of directories that
may not overlap with other session's directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
- preemption in C is not associated to an irq
- updating aspec to reflect this so that we can have irq-independent
preemptions (needed in MCS)
- proof fix for the above: remove intr
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
The reason `CKernel` depends on `design-spec` is quite obscure, so we
add a comment to relevant `Makefile`s to help us avoid wasting time
trying to remove the dependency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
I previously updated the `#!` in `mk_umm_types.py` to use `python3`, but
forgot to remove the explicit `python` call from `kernel.mk`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISCV implementation of invokeIRQHandler calls plic_complete_claim
instead of maskInterrupt. plicCompleteClaim is added as a machine op
and invokeIRQHandler has been arch split for the ACKIrq case.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
The proof needs to know that there is a page table at the entry
point in the induction for lookupPTSlot. Moving the assertion just
before the recursive call establishes this directly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The RISC-V ISA spec does not allow PagePTEs with 000 for rwx rights,
because 000 is used to identify PageTablePTEs. Instead we write
InvalidPTEs, which has the same effect for the user.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The assertion is provable from the abstract invariants, and used in
CRefine to conclude that the test wether the vspace root cap is mapped
can be left out.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
`tcbBlockSizeBits` was previously defined to be `wordSizeCase 9 11`
universally, but this claim does not hold anymore since it takes the
value 10 on RISCV64. Therefore an arch split for `tcbBlockSizeBits` and
affected definitions are made. The constant and its definition needs to
be requalified so that proofs in Refine can access it through the
constant objBits_defs.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was used to make sure the LaTeX document from literate Haskell builds.
Since this document is retired, we don't need the check any more.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We keep on forgetting what the parameters to loadObject and storeObject
mean, and why we have pspace_storable in the first place. Hopefully
these comments mean having to re-remember fewer things.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
This allows some git operations (e.g. fetch) without requiring a
c-kernel rebuild.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Previously, we would rebuild the kernel if any file in the `seL4`
repository changed since previous `cmake` setup. Since the kernel build
after the `cmake` setup generates `__pycache__` directories in the
`seL4` tree, this would cause some unnecessary rebuilds.
This commit explicitly excludes `__pycache__` directories from the set
of files considered to be dependencies of the kernel build.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This effectively reverts commit 2fec23d646, which was a previous attempt
at fixing a race condition in the design spec generation, which turned
out to be ineffective. Since the `design-spec` test had the same effect
as the `haskell-translator` test on which it depended, it was redundant,
and can be removed.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Previously the Makefile rule for generating the design spec depended on
all Haskell source files in `spec/haskell`. This unintentionally
included files generated by the Haskell kernel build in
`spec/haskell/dist`. This meant that for `run_tests` builds in which the
Haskell kernel test completes *after* the initial generation of the
design spec, subsequent Makefile jobs which depend on the design spec
could cause re-runs of the design spec. Furthermore, if `run_tests` runs
several such jobs concurrently, race conditions in concurrent runs of
the design spec could cause errors.
Since the design spec does not make use of the generated Haskell source
in `spec/haskell/dist`, this commit restricts the design spec
dependencies to Haskell source files in `spec/haskell/src`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Python 2 has passed its sunset date, and many distributions are
withdrawing support for Python 2.
PEP 394 recommends distributions always install versioned interpreter
commands (e.g. `python3`), but does not make a recommendation about
whether or not an unversioned command (`python`) should exist, or what
version it should run.
It therefore seems advisable to explicitly run scripts using the
`python3` command, for scripts that are compatible with Python 3.
Here, we do this for Python scripts used by `run_tests`. For this to
work, some scripts have been updated in ways that will break Python 2
compatibility. But for some other scripts which were already compatible
with both Python 2 and 3, we have not yet removed Python 2
compatibility. There are also miscellaneous scripts that are not used by
`run_tests`, and these have not yet been updated to Python 3.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
- Increase IRQ word size from 3 to 6 to match IRQ_CNODE_SLOT_BITS in
sel4 config.
- Bump maxIRQ up to 54.
- Fix broken inequality proof by changing constant that depended on IRQ
word size.
- Add Makefile targets for building ELF binaries and various dumps that
are used in binary verification.
- Add support for extra CMake command-line arguments. For binary
verification, this is used to set the optimisation level for the ELF
targets.
- Add support for the Debian RISC-V toolchain packages, without breaking
existing users with a manually built RISC-V toolchain.
- Move reusable parts of the C kernel Makefile out to a separate include
file, with support for configuring the build directory. For binary
verification, this is used to allow multiple builds at different
optimisation levels.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
We listed the invocation labels 3 times -- this commit removes the duplication
and instead derives the enum from the order the constructors are listed in.
`ASpec`, `ExecSpec`, and `DSpec` were identical tests which built the
`design-spec` make target. This means that when `./run_tests` runs tests
concurrently, multiple instances of the `design-spec` make target were
also run concurrently.
We address the issue by making a new "test" called `design-spec` which
builds the `design-spec` make target, and making `{A,Exec,D}Spec`
dependees on `design-spec`.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform, may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.
In arch_check_irq, an error is thrown if IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user however
is a RangeError from 1 to maxIRQ.
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
global_pt needs addrFromKPPtr, because it is an address that lives in the
kernel image, other pt's need addrFromPPtr because they are standard
kernel-virtual addresses.
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
Adds an 'L4V_FEATURES' variable which can be used to select different
CMake configurations for seL4. This makes it easier to build and test
alternative configurations (like MCS).
This spec bug was inspired by slightly differently but similarly wrong C code
(SELFOUR-2091). Current change brings it into sync with the (correct, we think)
C. Proof update included.
We previously had asids at machine word representation, but it turns out that
constraining them to actual asid_len is almost no overhead and saves us proving
invariants about asid sizes.
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7
This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
On other architectures, the address is a PTE stored using field_high and
thus retrieved as an aligned address. On RISCV we have a frame number
(referred to as PPN in some places) that is the address shifted down by
pt_bits.
This changes over the pte to use a ppn with a different number of bits,
and provides addr_from_ppn and addr_from_pte accessors, the latter being
an abbreviation.
Issues:
- "ppn" and "frame" show up in C, which should we use
- conversion functions take paddr, but are named with "addr": change
naming to use paddr?
- we sanity check the number of bits in a ppn is word_bits - pt_bits,
but in C that number subtracts another 8 bits, not clear why
RISCV faults reduced to actual VM faults, rest become anonymous user-level
faults. handleVMFault adjusted to perform complete case distinction and to not
change the state.
Now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
In particular, separate out a function that returns page table pointers instead
of a function that returns slots in page tables. Phrase the latter in terms of
the former. This makes many properties about walks much more compositional.
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
Move type checking assert from kernel object set functions to
set_object. This improves proofs by generic reasoning of set_object
instead of kernel object specific lemmas.
Cabal 2.4 deprecates the default behaviours of previous versions, and
issues warnings whenever the usual cabal-install commands are used. This
is in preparation for future versions of Cabal where the usual commands
will have entirely new default behaviours. More work would be required
to update our SEL4.cabal configuration to these new behaviours. For now,
we avoid the warnings given by Cabal 2.4 by using the `v1-` versions of
cabal-install commands, which should continue to have the old behaviours
until they are removed from Cabal.
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
Substitute.thy already includes Kernel_C, no need to import twice.
Not using the session name in the imports was leading to a second import
of the C code, instead of using the CKernel image/session.