Commit Graph

1218 Commits

Author SHA1 Message Date
Rafal Kolanski 05c5140150 aarch64 haskell: RegisterSet definitions
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski 11ce90f8cc aarch64 haskell: some RISCV->ARM renames
Previously renamed invocation labels, as well as decodeARMMMUInvocation
and performARMMMUInvocation.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski d85201d2f1 aarch64 haskell: add Arm memory barriers
Copied from ARM_HYP.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski e3f6caee72 aarch64 haskell: add VCPU/HYP infrastructure
Largely adapted from ARM_HYP, modified and checked against C code.
Remaining known issues marked with FIXMEs.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein 98f0338877 aarch64 haskell: global kernel data
Model AARCH64-specific global kernel data, which means:

- adjust vspace region mapping names
- remove global page tables, including accesses (copyGlobalMappings)
- add pointer to empty user page table

This commit does not yet include VCPU and SMMU.

As on 32-bit ARM_HYP, global page tables exist on AARCH64, but are not
accessed by any code after boot, so are not visible in verified code
apart from defining the (constant) kernel window and kernel mappings
during execution. User code without a valid VSpace root is assigned a
pointer to an empty table.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein c3a2f39762 aarch64 haskell: global state component naming
Set the naming convention for global state components to armKS..
This overlaps with ARM and ARM_HYP, but so do the concepts as well
as the C convention.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein aada0b9166 aarch64 haskell: first sketch of C asid_map
This commit adds hardware ASID handling from ARM/ARM_HYP, and tweaks it
to use local ASID pool entries for hardware ASIDs instead of a global
ASID map.

Naming here is unfortunate in multiple dimensions:
 - C calls the entries asid_map (from the global function in Haskell)
 - what is actually mapped is a seL4 ASID to a HW ASID + VSpace root,
   but only via multiple functions, the type is not a map
 - the HW ASIDs are not actual ASIDs, but instead VMIDs in AArch64 EL-2

To be cleaned up when nomenclature is clearer in C.

Validation against C is minimal at the moment; only the types are
validated to correspond with C, and which functions are present, but
not their full behaviour/structure yet.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein 6418bda962 aarch64/riscv/x64: remove findVSpaceForASIDAssert
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proofs about it, but those are unused
as well. This commit removes all of these.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski b7cfc4c323 aarch64 haskell: add simplified FPU
Adds FPU state to UserContext, uses 64 general-purpose registers as seen
on TX2.
Abstracts FPU operations to fpuThreadDelete required for thread
deletion, thereby not including intricacies of lazy FPU switching.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski f0e4fbf112 aarch64 haskell: initialise from RISCV64 files
Use RISCV64 version of Haskell spec as a basis for upcoming work on
spec for AARCH64 architecture.

Only minimal RISCV64 to AARCH64 substitution done to yield a compiling
target, with a big FIXME stuck on top to remind people this got no human
oversight.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski f48b2041f9 aarch64 haskell: add TX2 hardware config
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Rafal Kolanski 745a94910b haskell: add build configuration for AARCH64 on TX2 platform
Setup.hs + SEL4.cabal + Makefile

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein f241510aef isabelle2021-1 cspec: Kernel_State_C simp set
globally (for all arches) removes word simp rules that are too eager
for 64 bit bitfield proofs.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein eb74ae17bf isabelle2021-1: DSpec
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 1bbbe090c9 isabelle2021-1: global hide_lams -> opaque_lifting
The metis replay option hide_lams has been renamed.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 0f633ce387 isabelle2021-1 lib: update Lib session, retire wpx
The benefit of the wpx method is not worth the maintenance effort.
There are still a few instances of wpx left in AInvs, which will have
to be fixed later.

We are keeping the wps method from the same file (WPEx.thy), because
that is used more widely and does not break with Isabelle2021-1

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Matthew Brecknell 96b2dfc1d3 cspec kernel.mk: avoid spurious dependencies
The rule for kernel.sigs previously depended on building standalone C
parsers and tokenizers for all architectures. With this change, we only
build the standalone C parser for the current architecture.

We also explicitly pass a --cpp argument based on the TOOLPREFIX.

Signed-off-by: Matthew Brecknell <matt@kry10.com>
2022-03-23 11:53:28 +11:00
Matthew Brecknell 8c68e549d0 cspec kernel.mk: always use TOOLPREFIX for objdump
Some development environments set an environment variable OBJDUMP by
default. With the previous version of kernel.mk, decompilation used the
objdump indicated by that OBJDUMP variable. This could cause
decompilation to fail if OBJDUMP did not match the TOOLPREFIX used for
compilation.

Since we don't currently have a need to specify a different objdump, we
remove the ability to override via the OBJDUMP environment variable.
With this commit, we always use TOOLPREFIX to locate a suitable objdump.

Signed-off-by: Matthew Brecknell <matt@kry10.com>
2022-03-23 11:53:28 +11:00
Michael McInerney 31134da4c4 arm_hyp aspec+haskell: call vcpu_switch in associate_vcpu_tcb
An invocation to bind a thread to a VCPU will perform associate_vcpu_tcb.
Previously, vcpu_switch was called only on a context switch, and so
it was possible to bind the current thread to a VCPU and then not switch
to that VCPU. This change will allow us to prove that the current active
VCPU is the VCPU of the current thread.

Signed-off-by: Michael McInerney <m.mcinerney@unsw.edu.au>
2022-03-08 21:49:10 +10:30
Rafal Kolanski 23bfc8dadf cspec: Kernel_C: hide numDomains, sync comments
Since `numDomains` exists both in Kernel_Config in C, and we want to
force people to annotate the C version as `Kernel_C.numDomains`, we hide
it right after the C is parsed.

Some of the comments about hiding/reintroducing vmsize constants became
a bit broken/absent around X64, and adding the above made things extra
confusing. Put back the ARM/ARM_HYP comments to clear up what's going
on, and tweaked a little.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-02-22 18:24:02 +11:00
Corey Lewis 6d0c9fb78c arm+arm-hyp machine: match platform constants to C
This change eases any future platform ports by better matching the C
code that it models and by making it so that there is one less constant
that needs modification.

Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
2022-02-09 14:46:21 +11:00
Gerwin Klein 04626b0a88 cspec: enable preprocess test for AArch64
This commit adds compiler prefixes for AArch64 so that the preprocess
test finds the right cross compilers for this architecture.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-02-03 13:41:06 +11:00
Gerwin Klein 24c0c5c390 spec+proof: use generated config constants
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Gerwin Klein 8929a6d729 machine+C: generate Kernel_Config.thy from C
This script takes the gen_config.h file CMake produces for each kernel
configuration, parses it, and emits corresponding Isabelle definitions
into Kernel_Config.thy in spec/machine/$L4V_ARCH/

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Gerwin Klein 3b616f535a cspec: separately generate C config headers
This is in preparation for later turning these config headers into
Isabelle definitions.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Rafal Kolanski ec79dc3330 aspec+design+haskell: extract numDomains into Kernel_Config
Introduce Kernel_Config theory for storage of non-architecture-specific
seL4 configuration variables that are shared by the abstract and design
specs.

Remove `num_domains`, in lieu of `numDomains` that is now defined only
in `Kernel_Config.thy`. The definition is hidden and must be referred to
as Kernel_Config.numDomains_def when avoiding unfolding is not possible.

Include required properties of `numDomains` as lemmas.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Gerwin Klein ce67a725f7 cspec: more compiler options
The new docker containers that upgraded to gcc-10 use a different
version of the gcc Arm toolchain (`arm-linux-gnueabi`).

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-09 11:07:22 +11:00
Gerwin Klein 614e24ee10 riscv machine: use address size consistently
In the rest of the proofs we use machine_word to refer to addresses.
This commit brings the machine definitions in line with that.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-03 17:06:37 +11:00
Ryan Barry 0d4f451011 riscv infoflow + design: add IRQMasks proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Gerwin Klein 091ab54e7b haskell: increase timeout
When there is no Haskell stack cache yet and all dependencies are
compiled from source, 30min CPU time is tight. Bumping it to 45min
should reduce failures.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein c6a9247cb3 trivial: ignore generated file
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Rafal Kolanski 7e3b3cab9a isabelle-2021: arm-hyp/x64/riscv machine+aspec update
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Rafal Kolanski 792403250c aspec: use VERSION.tex for document
Using `VERSION` confused older LaTeX installs.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein 4bf1635b2f cleanup: reduce warnings
This mostly refactors ML code to avoid non-exhaustive matches, restores
the (op infix) syntax that got lost in a previous Isabelle update, and
removes some unused functions/parameters.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Gerwin Klein 0bc533943b isabelle-2021: update CSpec
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Gerwin Klein f2fc2345fe isabelle-2021: update Lib
This includes the removal of the theory Extend_Locale, which was an
(unused) experiment.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Florian Haftmann ea9a25950d isabelle-2021: ad-hoc adjustments to preview
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Gerwin Klein 81b95eb6bf READMEs: fix publication links
PDFs and abstracts have moved to trustworthy.systems/

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-25 11:22:05 +10:00
Gerwin Klein 6fd6d6bd48 arm/arm-hyp: proof updates for Arm cache fix
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-16 16:47:10 +10:00
Ryan Barry a99a2bf739 various: resolve some existing fixmes
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-07-22 10:44:43 +10:00
Rafal Kolanski 2248d34495 abstract x64+riscv: clean up some Word_Lib imports
These are already imported upstream.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-07-16 23:39:39 +10:00
Matthew Brecknell fd01872121 always use `addrFromKPPtr` for kernel addresses
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-06-25 16:31:22 +10:00
Matthew Brecknell 2aadbf9589 trivial: restyle `spec/machine/ARM*/Platform.thy`
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-06-25 16:31:22 +10:00
Ryan Barry 9863065915 aspec+access: Access arch split
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-06-21 20:10:32 +10:00
Gerwin Klein 4da8cfacdc yet another TOOLPREFIX for riscv toolchain (#264)
This one is relevant for MacOs on Apple M1

Signed-off-by: Gerwin Klein <kleing@unsw.edu.au>
2021-04-04 20:41:25 +10:00
Gerwin Klein 8f992b2350 arm_hyp: proof updates for seL4 commit 93ab2543d9d8
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-12-19 21:08:30 +11:00
Gerwin Klein 3cc7a1c6b7 arm-hyp: proof updates for seL4 c381c7e14c
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-12-09 19:46:02 +11:00
Rafal Kolanski a422e817a4 machine+design: update for platform constant changes
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Rafal Kolanski 9ed45e17bd arm+arm-hyp: kernelBase and physMappingOffset renames
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.

kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Rafal Kolanski 6ed9db6e75 haskell: small tweaks for haskell translator
Platform constants were previously not translated. When they were moved
to translated code, some constructor issues came up.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Curtis Millar 6e0bd26c46 arm haskell: Use updated constant names in VSpace
The names for `kernelBase` and `physBase` are renamed to `pptrBase` and
`paddrBase` respectively to be more consistent with the C (and the
previous commit).

Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Curtis Millar 48f1ad30f4 haskell: Consolidate physical-virtual translation
This update reflects a set of changes made to the seL4 kernel some time
ago that consolidates the definitions for physical to virtual
translation.

Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Corey Lewis 7baa19495f spec proof: resolve_address_bits'.simps[simp del]
Remove resolve_address_bits'.simps from the simp set at the definition
site, instead of in the middle of the proofs.

Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
2020-11-09 17:18:41 +11:00
Gerwin Klein a45adef66a all: remove theory import path references
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.

Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-11-02 10:16:17 +10:00
Gerwin Klein b5e7fa4e45 Makefiles: factor out ASpec doc file generation
Make these a separate target so that other sessions that depend on
ASpec can kick off generation of these files (necessary because some
are mentioned in spec/ROOT, and the session structure will fail if they
don't exist).

This is only relevant in a fresh check-out when you've never built
ASpec, but in test environments this can happen if only specific
sessions are tested.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-28 14:06:36 +10:00
Gerwin Klein a253f7d1eb cspec: additional session directories
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 33e6400f8a aspec: include doc build in ASpec again
Isabelle2020 doesn't allow sharing session directories between the document
session and non-document session. Instead of duplicating things, this commit
pulls the document build back into the ASpec session, but changes the build
such that the git revision is read directly from LaTeX, removing the
superfluous re-build for every git revision change (even when no relevant spec
file changed).

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 3076f7ffcf spec: ROOT file structure
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein e7fb36b7e2 ROOT files: file reorg for new ROOT requirements
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Miki Tanaka caf09bd3db aspec+ainvs: remove interrupt/irq from p_monad
- preemption in C is not associated to an irq
- updating aspec to reflect this so that we can have irq-independent
  preemptions (needed in MCS)

- proof fix for the above: remove intr

Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
2020-10-25 13:15:00 +11:00
Gerwin Klein cb7d3250df haskell: deal with existing "~/.stack"
Bring happiness to both bamboo and github: create ~/.stack, but don't
fail if it's there.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-09-10 16:18:12 +08:00
Gerwin Klein 894bf95473 haskell: force create ~/.stack
stack refuses to create it when ~/ is owned by a different user,
such as on github CI

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-09-10 16:09:38 +08:00
Matthew Brecknell b77f83c57b riscv: rename sbadaddr -> stval
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-26 15:24:06 +10:00
Matthew Brecknell d5170f121c regression: explain why `CKernel` depends on `design-spec`
The reason `CKernel` depends on `design-spec` is quite obscure, so we
add a comment to relevant `Makefile`s to help us avoid wasting time
trying to remove the dependency.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-10 13:45:35 +10:00
Matthew Brecknell 16f87e04fe regression: use python3 for mk_umm_types
I previously updated the `#!` in `mk_umm_types.py` to use `python3`, but
forgot to remove the explicit `python` call from `kernel.mk`.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-10 13:45:35 +10:00
Gerwin Klein 5ee37bd11e refine: replace DomainTime_R by assertion
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-07-02 11:30:56 +08:00
Rafal Kolanski c160f4053d riscv machine: add alternative definition for pptrUserTop
(presents numeral directly without further unfolding)

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 472e65e7ee riscv haskell: FIXMEs now resolved
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 6fd03279df riscv aspec: spec is in sync with C, the returned error is correct
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein f1e8cbab28 design: import new arch function
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 35e7b9676f haskell: arch split maskIrqSignal
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 9de5bb27e4 aspec: factor out arch_mask_irq_signal
On RISC-V we do not call mask_irq.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein fe566628da haskell+design: factor out arch specific IRQ handling
RISC-V has a different machine op invocation for acknowledging IRQs.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Victor Phan 461a798412 aspec: arch split on invokeIRQHandler
The RISCV implementation of invokeIRQHandler calls plic_complete_claim
instead of maskInterrupt. plicCompleteClaim is added as a machine op
and invokeIRQHandler has been arch split for the ACKIrq case.

Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Rafal Kolanski 06d6620340 riscv haskell: update vmRightsToBits
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 100f8ed949 riscv haskell+design: new assertion in lookupPTFromLevel
The corresponding C code (correctly) expects never to be called for a
top-level table.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:10 +08:00
Gerwin Klein 6b78e37cec riscv design+haskell: move pt_at assertions to the recursive call
The proof needs to know that there is a page table at the entry
point in the induction for lookupPTSlot. Moving the assertion just
before the recursive call establishes this directly.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein 9bd06da4d7 riscv aspec+haskell: make mapped PTE invalid for insufficient rights
The RISC-V ISA spec does not allow PagePTEs with 000 for rwx rights,
because 000 is used to identify PageTablePTEs. Instead we write
InvalidPTEs, which has the same effect for the user.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein 1dccd9ceaf riscv aspec: update arch API type decoding to new order
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein 7b9249fe2a riscv design: port new asserts into design spec
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein fca56f750b riscv haskell: additional assertions for CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein 6be8b794ec riscv haskell: sync order with C enum
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Gerwin Klein 70ee5750f6 riscv haskell+refine: add assertion to setVMRoot
The assertion is provable from the abstract invariants, and used in
CRefine to conclude that the test whether the vspace root cap is mapped
can be left out.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Rafal Kolanski 3a71e0d6ad riscv haskell: update exceptionMessage to conform to C
Now contains only FaultIP and SP.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Rafal Kolanski 6fc6aeb20c riscv cspec/crefine: update ctcb_size_bits to 9
One bit smaller than X64. Removes FIXME.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Rafal Kolanski 84fd22524b design/haskell spec: arch split for tcbBlockSizeBits
`tcbBlockSizeBits` was previously defined to be `wordSizeCase 9 11`
universally, but this claim does not hold anymore since it takes the
value 10 on RISCV64. Therefore an arch split for `tcbBlockSizeBits` and
affected definitions is made. The constant and its definition need to
be requalified so that proofs in Refine can access it through the
constant objBits_defs.

Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Rafal Kolanski cc367d61b2 riscv aspec+ainvs: update tcb bits to 10
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:09 +08:00
Rafal Kolanski c4f6572aff arm+arm-hyp: move TPIDRURO from vcpu to tcb context
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
change in C.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-05-15 13:14:24 +10:00
Gerwin Klein 96d0470629 haskell: remove check-newlines test
This was used to make sure the LaTeX document from literate Haskell builds.
Since this document is retired, we don't need the check any more.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-05-14 13:36:11 +08:00
Edward Pierzchalski 7c6b2af816 refine: comments for pspace_storable
We keep on forgetting what the parameters to loadObject and storeObject
mean, and why we have pspace_storable in the first place. Hopefully
these comments mean having to re-remember fewer things.

Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
2020-05-13 11:54:15 +08:00
Gerwin Klein 71e7f87614 haskell/refine/crefine: rename isBlocked to isStopped
sync with corresponding change in C

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-05-06 15:49:02 +10:00
Matthew Brecknell 1c4c9a8153 c-kernel: remove Makefile dependency on seL4/.git
This allows some git operations (e.g. fetch) without requiring a
c-kernel rebuild.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-04-23 23:37:59 +10:00
Gerwin Klein 092b1207f7 run astyle on all C files in the repository
Leaves parse tests and generated files unchanged, and provides a style
filter for these.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-04-19 13:50:17 +08:00
Matthew Brecknell d8364c952d c-kernel: avoid unnecessary rebuilds due to `__pycache__` directories
Previously, we would rebuild the kernel if any file in the `seL4`
repository changed since previous `cmake` setup. Since the kernel build
after the `cmake` setup generates `__pycache__` directories in the
`seL4` tree, this would cause some unnecessary rebuilds.

This commit explicitly excludes `__pycache__` directories from the set
of files considered to be dependencies of the kernel build.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-04-17 10:27:30 +10:00
Matthew Brecknell 78f1808264 design: remove redundant `design-spec` test
This effectively reverts commit 2fec23d646, which was a previous attempt
at fixing a race condition in the design spec generation, which turned
out to be ineffective. Since the `design-spec` test had the same effect
as the `haskell-translator` test on which it depended, it was redundant,
and can be removed.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-04-01 14:31:36 +11:00
Matthew Brecknell 00330af209 design: more precise Makefile dependencies
Previously the Makefile rule for generating the design spec depended on
all Haskell source files in `spec/haskell`. This unintentionally
included files generated by the Haskell kernel build in
`spec/haskell/dist`. This meant that for `run_tests` builds in which the
Haskell kernel test completes *after* the initial generation of the
design spec, subsequent Makefile jobs which depend on the design spec
could cause re-runs of the design spec. Furthermore, if `run_tests` runs
several such jobs concurrently, race conditions in concurrent runs of
the design spec could cause errors.

Since the design spec does not make use of the generated Haskell source
in `spec/haskell/dist`, this commit restricts the design spec
dependencies to Haskell source files in `spec/haskell/src`.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-04-01 14:31:36 +11:00
Matthew Brecknell cf48906b26 regression: force use of python3
Python 2 has passed its sunset date, and many distributions are
withdrawing support for Python 2.

PEP 394 recommends distributions always install versioned interpreter
commands (e.g. `python3`), but does not make a recommendation about
whether or not an unversioned command (`python`) should exist, or what
version it should run.

It therefore seems advisable to explicitly run scripts using the
`python3` command, for scripts that are compatible with Python 3.

Here, we do this for Python scripts used by `run_tests`. For this to
work, some scripts have been updated in ways that will break Python 2
compatibility. But for some other scripts which were already compatible
with both Python 2 and 3, we have not yet removed Python 2
compatibility. There are also miscellaneous scripts that are not used by
`run_tests`, and these have not yet been updated to Python 3.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-04-01 14:31:36 +11:00
Victor Phan 190d3b402a riscv spec/ainvs: update IRQs to target hifive platform
- Increase IRQ word size from 3 to 6 to match IRQ_CNODE_SLOT_BITS in
  sel4 config.
- Bump maxIRQ up to 54.
- Fix broken inequality proof by changing constant that depended on IRQ
  word size.
2020-03-27 15:50:46 +11:00
Gerwin Klein 75acf19dcd style: pep8 style for python files 2020-03-25 22:42:27 +11:00
Gerwin Klein c68915b92b license: provide documentation under CC-BY-SA-4.0
Data61 provides all docs under CC-BY-SA-4.0.
2020-03-16 14:19:15 +08:00
Gerwin Klein 86a941e7e7 spdx: review missing copyright & license info
Some files were missing machine-readable copyright info, others were tagged
incorrectly.
2020-03-16 14:19:15 +08:00
Gerwin Klein a5c7c91192 haskell: review copyright in src/SEL4/Kernel/Hypervisor/ 2020-03-13 14:38:47 +08:00
Gerwin Klein a424d55e3e licenses: convert license tags to SPDX 2020-03-13 14:38:24 +08:00
Gerwin Klein 8d12d8e4be licenses: tag .md and document file 2020-03-02 18:52:15 +08:00
Matthew Brecknell 65074bc35d c-kernel: add Makefile targets useful for binary verification
- Add Makefile targets for building ELF binaries and various dumps that
  are used in binary verification.

- Add support for extra CMake command-line arguments. For binary
  verification, this is used to set the optimisation level for the ELF
  targets.

- Add support for the Debian RISC-V toolchain packages, without breaking
  existing users with a manually built RISC-V toolchain.

- Move reusable parts of the C kernel Makefile out to a separate include
  file, with support for configuring the build directory. For binary
  verification, this is used to allow multiple builds at different
  optimisation levels.
2020-02-26 16:22:40 +11:00
Rafal Kolanski f9ea44ef89 arm-hyp: update spec+proofs for multi-VM support
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
  only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
  which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
  should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
  interrupt code, which uses VCPU code
2020-02-19 10:52:07 +11:00
Zoltan Kocsis 788b4bd180 refactored irq_t structure (VER-1159) 2020-02-05 17:58:45 +11:00
Gerwin Klein f50985b448 abstract: use new invocation label enum 2020-02-03 12:56:19 +08:00
Gerwin Klein 700dab41aa design: generate new GenInvocationLabels type 2020-02-03 12:56:19 +08:00
Gerwin Klein 3a6ce53def haskell: remove invocationLabel triplication
We listed the invocation labels 3 times -- this commit removes the duplication
and instead derives the enum from the order the constructors are listed in.
2020-02-03 12:56:19 +08:00
Edward Pierzchalski 68606b7c23 spec: refactor test dependencies.
Since test sets are recursive, we can clean up shared dependencies.
2020-01-22 15:13:53 +11:00
Edward Pierzchalski 2fec23d646 spec: factor out common `design-spec` task.
`ASpec`, `ExecSpec`, and `DSpec` were identical tests which built the
`design-spec` make target. This means that when `./run_tests` runs tests
concurrently, multiple instances of the `design-spec` make target were
also run concurrently.

We address the issue by making a new "test" called `design-spec` which
builds the `design-spec` make target, and making `{A,Exec,D}Spec`
dependees on `design-spec`.
2020-01-22 15:13:53 +11:00
Victor Phan ff6c0d8a0a Move vcpu_switch into Arch_switchToThread and update proofs
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
2020-01-20 16:53:32 +11:00
Edward Pierzchalski fb9f5d972d asmrefine riscv: allow assembly 2019-12-18 12:04:48 +11:00
Victor Phan b9c285400d remove diminished (VER-1158)
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
2019-11-16 01:03:36 +11:00
Gerwin Klein 55aeefdb64 x64: avoid automatic unfolding of handle_vm_fault
(fun -> definition)
2019-11-15 12:04:50 +11:00
Gerwin Klein b820b13d06 riscv: avoid automatic unfolding of handle_vm_fault
(fun -> definition)
2019-11-15 12:04:50 +11:00
Victor Phan 1db6ae7cf0 riscv: add kdev_base/kdevBase to handle RISCVVSpaceDeviceWindow and update proofs
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
  addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
  across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
2019-11-13 16:27:30 +11:00
Victor Phan 79513ae604 riscv: update to HiFive platform from Spike
- Increase maxIRQ to 53
- Change keywords to build HiFive instead of Spike
2019-11-13 16:26:55 +11:00
Victor Phan c7fb4dcf2b riscv aspec/ainvs: redefine kernel_elf_base to point to be kernelELFBase 2019-11-13 16:08:52 +11:00
Victor Phan 6f94fff163 riscv aspec/ainvs: rename kernel_base to kernel_elf_base 2019-11-13 16:08:42 +11:00
Victor Phan 8bf03d45a0 riscv haskell/design: add and implement IRQ invocations
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform, may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
2019-11-12 18:28:40 +11:00
Victor Phan 55408a48af riscv aspec: implement IRQ check, decode and invoke control functions
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.

In arch_check_irq, an error is thrown if IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user however
is a RangeError from 1 to maxIRQ.
2019-11-12 18:28:40 +11:00
Victor Phan 39d314137e riscv haskell: add support to thread id registers 2019-11-12 18:28:40 +11:00
Victor Phan 79da089c2e riscv aspec: update for moving IPC buffer register to thread-local storage 2019-11-12 18:28:40 +11:00
Victor Phan d4f302ae7f riscv haskell: rename kernelBase to kernelELFBase and fix its value 2019-11-12 18:28:40 +11:00
Victor Phan 453233faad riscv aspec: rename kernelBase to kernelELFBase and update address space layout comment 2019-11-12 18:28:40 +11:00
Victor Phan e4d83b313a riscv refine: update for PageMap replacing PageRemap (SELFOUR-161) 2019-11-12 18:28:40 +11:00
Gerwin Klein a5e27933a5 riscv: cleanup; resolve remaining FIXMEs 2019-11-12 18:28:40 +11:00
Gerwin Klein 090894c990 riscv aspec+ainvs: define a consistent initial page table
Simpler than the real kernel layout, but will show that invariants are
consistent.
2019-11-12 18:28:39 +11:00
Gerwin Klein 9d81f85c38 riscv: force vptr alignment in PTMap decode
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.

See also SELFOUR-2162
2019-11-12 18:28:39 +11:00
Gerwin Klein 4a49681bf5 riscv haskell: look up ASID of PT cap, not vspace cap.
It is the user-provided cap that needs to be checked for correct ASID and
vspace.
2019-11-12 18:28:39 +11:00
Gerwin Klein 7ce1c0fb21 riscv haskell: force vptr alignment in decodeRISCVPageTableInvocationMap
see also JIRA SELFOUR-2162
2019-11-12 18:28:39 +11:00
Gerwin Klein b5c47d552e riscv aspec+ainvs: perform_pg_inv_unmap: update cap in memory
The argument cap is the same as the one in memory, but it's less work to not
prove that.
2019-11-12 18:28:39 +11:00
Gerwin Klein a26c57a825 riscv haskell: needs to unmap, not ignore in finalise 2019-11-12 18:28:39 +11:00
Gerwin Klein 750746296f riscv aspec: unmap_page may be called with unmapped ASID
This means we can't use gets_the, which asserts, but need find_vspace_for_asid,
which can throw.
2019-11-12 18:28:39 +11:00
Gerwin Klein d4f3d7122c riscv aspec: fix addr conversions in set_vm_root
global_pt needs addrFromKPPtr, because it is an address that lives in the
kernel image, other pt's need addrFromPPtr because they are standard
kernel-virtual addresses.
2019-11-12 18:28:39 +11:00
Gerwin Klein 11bcbc1675 riscv refine: fix ppn handling in checkMappingPPtr 2019-11-12 18:28:39 +11:00
Gerwin Klein 09dbc34a0c riscv haskell/design: fix lookupPTSlotFromLevel and lookupPTFromLevel 2019-11-12 18:28:39 +11:00
Gerwin Klein c46a641f7f riscv haskell: globalPT is at maxPTLevel 2019-11-12 18:28:39 +11:00
Gerwin Klein c77b2126e0 riscv aspec: initialise SSTATUS register correctly 2019-11-12 18:28:39 +11:00
Gerwin Klein 5a7c2ef850 riscv aspec: correct comment for kernel_base; adjust idle_thread_ptr 2019-11-12 18:28:39 +11:00
Gerwin Klein 960636f744 riscv aspec: pick aligned addresses for pptr_base in initial example state. 2019-11-12 18:28:39 +11:00
Gerwin Klein 8ab9888cf4 riscv aspec: set irq type to lowest word length that fits maxIRQ
The irq type determines the size of the IRQ CNode in the abstract spec, which
(in C) is the smallest power of two that fits maxIRQ.
2019-11-12 18:28:39 +11:00
Gerwin Klein c764565b51 riscv haskell: fail ArchInv.IRQControlInvocation
Use fail instead of error so we don't have to prove unreachability for all
properties.
2019-11-12 18:28:39 +11:00
Gerwin Klein 688f8b193d riscv design: make machine op definition available
setVSpaceRoot was being shadowed, because setVMRoot was wrongly excluded instead.
2019-11-12 18:28:39 +11:00
Gerwin Klein bb4245d23d riscv haskell: define rest of arch kernel state
Included vspace_uses for refinement proof, and added multiple global PTs.
2019-11-12 18:28:39 +11:00
Gerwin Klein 6dd45e2d5f riscv aspec: sync max_untyped_size with Haskell/C 2019-11-12 18:28:39 +11:00
Gerwin Klein 067d1bdcab riscv haskell: object numbers for LargePage and HugePage 2019-11-12 18:28:39 +11:00
Gerwin Klein d72e6b5263 riscv haskell: sync RISCVPageTableUnmap with C and spec
now in sync with seL4 change set f612028b180633dc4e404aaceee656da953f877d
2019-11-12 18:28:38 +11:00
Gerwin Klein ab43338feb riscv haskell: bring lookupPTFromLevel up to date with C and spec 2019-11-12 18:28:38 +11:00
Gerwin Klein 6b30142018 riscv haskell: maxUntypedSize depends on addressable memory
(not on word size)
2019-11-12 18:28:38 +11:00
Gerwin Klein 8e39bbbda9 riscv aspec: provide a constant for ppn word width 2019-11-12 18:28:38 +11:00
Gerwin Klein 430a345aeb riscv aspec: avoid type variable warning and freeindex increase 2019-11-12 18:28:38 +11:00
Victor Phan c143029f25 capdl: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:27:28 +11:00
Victor Phan 5d22c1d329 riscv haskell: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:27:04 +11:00
Victor Phan f284a0cb0e x64 haskell: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:27:01 +11:00
Victor Phan 18a12fc4a0 arm/arm-hyp haskell: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:27:01 +11:00
Victor Phan 0ae9614d30 riscv aspec: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:26:41 +11:00
Victor Phan 2f04dc3694 x64 aspec: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:26:33 +11:00
Victor Phan 12a7c2d441 arm-hyp aspec: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:26:33 +11:00
Victor Phan c64e054c3f arm aspec: update PageMap to replace PageRemap (SELFOUR-161) 2019-10-10 11:26:33 +11:00
Victor Phan 90c0bd618f aspec doc: update for PageMap replacing Remap (SELFOUR-161) 2019-10-10 11:26:33 +11:00
MiladKetabi d934d25269 proof update for SELFOUR-1187: seL4 setPriority should attempt a direct schedule
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
2019-10-06 18:31:19 +11:00
Edward Pierzchalski 31d5c1c70e cspec: Add feature selection variable.
Adds an 'L4V_FEATURES' variable which can be used to select different
CMake configurations for seL4. This makes it easier to build and test
alternative configurations (like MCS).
2019-08-12 16:22:41 +10:00
Gerwin Klein a1dca67543 riscv aspec/ainvs: resolve FIXMEs, reduce warnings
Mostly moved lemmas and definitions to more suitable locations.
Removed unused lemmas and commented-out code.
Resolved simple Isabelle warnings.
2019-07-31 16:56:26 +10:00
Gerwin Klein f8dc660baf riscv aspec/ainvs: move init_vspace_uses and canonical_user to spec
Needed to define an initial state that satisfies invariants.
2019-07-31 16:55:32 +10:00
Gerwin Klein 519b672d08 riscv aspec bugfix: need to check vaddr alignment for PT-map 2019-07-31 16:55:32 +10:00
Gerwin Klein 0feb5c1a1e riscv aspec: add check for top-level PT in PT unmap decode
See also SELFOUR-2158
2019-07-31 16:55:32 +10:00
Gerwin Klein af6e0765c5 riscv aspec+ainvs: spec bugfix for arch_finalise_cap; finish ArchFinalise 2019-07-31 16:55:32 +10:00
Gerwin Klein 82df777dd7 riscv aspec: fix spec bug in pt_lookup_from_level
This spec bug was inspired by slightly differently but similarly wrong C code
(SELFOUR-2091). Current change brings it into sync with the (correct, we think)
C. Proof update included.
2019-07-31 16:55:32 +10:00
Gerwin Klein 116009c1d7 riscv aspec: constrain asid type to asid_len
We previously had asids at machine word representation, but it turns out that
constraining them to actual asid_len is almost no overhead and saves us proving
invariants about asid sizes.
2019-07-31 16:55:32 +10:00
Gerwin Klein d140b5d9bc aspec: workaround for VER-1099
(locale_abbrev does not always contract when part of the abbreviation chain is outside the locale)
2019-07-31 16:55:32 +10:00
Gerwin Klein ed87ba03a9 riscv aspec: vtable roots must be page table caps 2019-07-31 16:55:32 +10:00
Rafal Kolanski 89aafed912 riscv aspec+ainvs+haskell: update kernelBase, paddrLoad to match C
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7

This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
2019-07-31 16:55:32 +10:00
Rafal Kolanski 8cd2f3de79 riscv aspec: change pte to store ppn instead of address
On other architectures, the address is a PTE stored using field_high and
thus retrieved as an aligned address. On RISCV we have a frame number
(referred to as PPN in some places) that is the address shifted down by
pt_bits.

This changes over the pte to use a ppn with a different number of bits,
and provides addr_from_ppn and addr_from_pte accessors, the latter being
an abbreviation.

Issues:
- "ppn" and "frame" show up in C, which should we use
- conversion functions take paddr, but are named with "addr": change
  naming to use paddr?
- we sanity check the number of bits in a ppn is word_bits - pt_bits,
  but in C that number subtracts another 8 bits, not clear why
2019-07-31 16:55:31 +10:00
Rafal Kolanski 341d12d2fb riscv aspec: adjust asid high and low bits to match C
1 bit moves from high bits to low bits
2019-07-31 16:55:31 +10:00
Rafal Kolanski 31da393e14 riscv haskell: adjust asid high and low bits to match C
1 bit moves from high bits to low bits
2019-07-31 16:55:31 +10:00
Gerwin Klein bda33be6b9 riscv aspec: sync with C fix for SELFOUR-1955
aspec now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
Gerwin Klein decbdd9c17 riscv haskell: sync VMFaults with C fix for SELFOUR-1955
RISCV faults reduced to actual VM faults, rest become anonymous user-level
faults. handleVMFault adjusted to perform complete case distinction and to not
change the state.

Now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
Gerwin Klein 23866cbae9 riscv platform: sync seL4_UserTop with C
now in sync with master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
Gerwin Klein b7bf3a9e22 riscv haskell: sync register set definition with C
Now in sync with seL4 master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
Rafal Kolanski f2a6566192 riscv: add Kernel_C.thy to base CKernel image on 2019-07-31 16:55:31 +10:00
Gerwin Klein 61bd76708f riscv aspec: temporarily work around SELFOUR-1955 2019-07-31 16:55:31 +10:00
Rafal Kolanski 3e8f89f249 riscv aspec: make aobjs_of projection available in generic spec 2019-07-31 16:55:31 +10:00
Gerwin Klein c0b7d2fc83 riscv aspec: make decode case distinctions complete 2019-07-31 16:55:31 +10:00
Gerwin Klein a37d867e66 riscv aspec: abbreviations for asid_table & pt table base + index
(moved from riscv ainvs)
2019-07-31 16:55:31 +10:00
Rafal Kolanski d91c83f3a6 riscv aspec+ainvs: rename lookup_pt_* to pt_lookup_* to resemble vs_lookup_*
More consistent naming, easier to remember.
2019-07-31 16:55:31 +10:00
Gerwin Klein ac9ff925ce riscv platform: removed unused region in address space diagram
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 14:13:56 +10:00
Gerwin Klein 367922b8fa riscv aspec: factor out pure page table walking
In particular, separate out a function that returns page table pointers instead
of a function that returns slots in page tables. Phrase the latter in terms of
the former. This makes many properties about walks much more compositional.
2019-07-31 14:13:56 +10:00
Gerwin Klein 629b131dcd riscv aspec: use OptionReader instead of Option monad 2019-07-31 14:13:56 +10:00
Gerwin Klein d54fc7860e riscv aspec: use locale_abbrev 2019-07-31 14:13:56 +10:00
Gerwin Klein 28e1298eea riscv spec: refactored for invariants; force alignment for PTEs
Also:
 - renamed pt_slot_index and pte_at_index to *_offset
 - store pte_addr instead of pte_ppn
2019-07-31 14:13:56 +10:00
Gerwin Klein f152d32512 riscv aspec: refactor ptes_of
(to make it obvious it depends on pts_of only)
2019-07-31 14:13:56 +10:00
Gerwin Klein 7561116d08 riscv aspec: factor out conversion of page number to kernel virtual 2019-07-31 14:13:56 +10:00
Gerwin Klein 0b8af8800c riscv aspec: fail not too early in lookup_pt_slot_from_level 2019-07-31 14:13:56 +10:00
Gerwin Klein e2e68953ae riscv aspec: refactor to allow multiple levels of global PTs 2019-07-31 14:13:56 +10:00
Gerwin Klein b44925d0b0 riscv aspec: add riscv_kernel_vspace to support invariant formulation 2019-07-31 14:13:56 +10:00
Gerwin Klein 5f2e6c15db riscv design: avoid double declaration of riscvvspace_region_use 2019-07-31 14:13:56 +10:00
Gerwin Klein c1373f3eac riscv haskell: add kernel ELF region identifier
(used in proofs only)
2019-07-31 14:13:56 +10:00
Amirreza Zarrabi bc7c4efc5a abstract: updates for moving IPC buffer register to thread-local storage for SELFOUR-1524 2019-06-28 11:32:31 +10:00
Amirreza Zarrabi 0116126a3c design: add support to thread id registers 2019-06-28 11:20:22 +10:00
Matthew Brecknell 2e556d4a33 reduce UserLevelFault code to 28 bits
This makes room for a 4-bit seL4_FaultType field.
2019-06-18 12:04:45 +10:00
Gerwin Klein c34840d09b global: isabelle update_cartouches 2019-06-14 11:41:21 +10:00
Gerwin Klein 6af81b535c x64 aspec: more comments now rendered in LaTeX 2019-06-14 11:41:20 +10:00
Gerwin Klein 159a9fc27e arm-hyp aspec: more comments now rendered in LaTeX 2019-06-14 11:41:20 +10:00
Japheth Lim dfb7ed8fc9 design: correct haskell-translator build dependencies 2019-06-13 16:22:33 +10:00
Michael McInerney 356e91c9fa access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019 2019-06-13 16:22:33 +10:00
Gerwin Klein 664fc34aaa cspec: eliminate Local_Theory.reset
(removed in Isabelle2019)
2019-06-13 16:22:33 +10:00
Gerwin Klein ea5e502d25 cspec: update to using cartouches 2019-06-13 16:22:33 +10:00
Michael McInerney 26fdedad4d ainvs, spec: changes to remove errors for Isabelle 2019 update 2019-06-13 16:22:33 +10:00
Michael McInerney 4463e9750e SELFOUR-1198: update proofs for correct restart PC
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.

This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
2019-06-13 11:43:50 +10:00
Victor Phan 1c35127dcc x64 aspec: trivial - removed filename prefix in set_asid_pool definition 2019-04-18 14:32:08 +10:00
Victor Phan 27a46bbe94 aspec: move type checking assert to set_object
Move type checking assert from kernel object set functions to
set_object. This improves proofs by generic reasoning of set_object
instead of kernel object specific lemmas.
2019-04-18 14:32:08 +10:00
Matthew Brecknell 8a13759deb haskell: update to GHC 8.6.4 and Cabal 2.4
Cabal 2.4 deprecates the default behaviours of previous versions, and
issues warnings whenever the usual cabal-install commands are used. This
is in preparation for future versions of Cabal where the usual commands
will have entirely new default behaviours. More work would be required
to update our SEL4.cabal configuration to these new behaviours. For now,
we avoid the warnings given by Cabal 2.4 by using the `v1-` versions of
cabal-install commands, which should continue to have the old behaviours
until they are removed from Cabal.
2019-04-02 18:14:37 +11:00
Japheth Lim 22f2a1c08c CSpec: update KernelInc_C imports to match seL4 build system changes
This fixes import breakage due to seL4 commit f85774e36f.
2019-03-21 19:54:16 +11:00
Luke Mondy 89372de534 Update to new toolchain 2019-03-18 16:35:18 +11:00
Michael Sproul c44fd87594 capdl: remove redundant definition `opt_object`
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
2019-02-28 14:34:01 +11:00
Callum Bannister 4c79675879 sysinit: implement support for shared frames
Co-authored-by: Michael Sproul <michael.sproul@data61.csiro.au>
2019-02-19 14:47:00 +11:00
Gerwin Klein 04f1254cb8 arm/arm-hyp abstract: remove outdated comment about globals_frame 2019-01-14 13:37:52 +11:00
Japheth Lim 10b5bab0f4 aspec: avoid manual proof for rec_del definition 2018-12-18 14:50:54 +11:00
Japheth Lim 3758df05df dspec, drefine: fix for GrantReply (SELFOUR-6)
Nothing too exciting here, just duplicating the new GrantReply logic
from ASpec and repairing the proofs.
2018-12-10 20:01:38 +11:00
Thibaut Perami ddf222700f haskell: Update for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
Thibaut Perami c955ff4917 aspec + arm ainvs: Update mask_rights to mask master reply caps 2018-12-10 20:01:37 +11:00
Thibaut Perami 1b0b188679 aspec: Fix send_fault_ipc to call send_ipc with is_call at true 2018-12-10 20:01:37 +11:00
Thibaut Perami 10145250c2 aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
Michael Sproul cac9472e44 sys-init: eliminate non-constructive UNIV 2018-11-26 16:05:37 +11:00
Gerwin Klein 558aa5ca05 riscv platform: address space layout diagram; fixed pAddr_base 2018-11-06 14:14:26 +11:00
Gerwin Klein 021f3eedb5 riscv aspec: refactor RISC-V spec to use OptionMonad 2018-10-26 09:24:27 +11:00
Gerwin Klein c53f7850d7 Base ASpec + machine on OptionMonad_ND; fix proof fallout 2018-10-25 12:54:02 +11:00
Gerwin Klein 7a48f4c8c7 aspec: add function for mapping arch objects from objects 2018-10-25 12:54:02 +11:00
Gerwin Klein 516952bd9d aspec: clean up comments + warnings 2018-10-25 12:54:02 +11:00
Gerwin Klein 15bfcdd98b reduce DRefine dependencies from Refine to AInvs
This needs (and includes) some deduplication and moving of lemmas formerly in
refine.
2018-10-22 13:21:11 +11:00
Mitchell Buckley 331a0ee1c2 Minor adjustments to the patch for selfour-1491.
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
2018-09-21 10:09:49 +10:00
Mitchell Buckley 8173a37c2d Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM. 2018-09-19 16:18:09 +10:00
Gerwin Klein 733f749e7e cspec: normalise imports + use proper session name for Kernel_C
Substitute.thy already includes Kernel_C, no need to import twice.
Not using the session name in the imports was leading to a second import
of the C code, instead of using the CKernel image/session.
2018-09-10 08:34:32 +10:00
Gerwin Klein 64ea909c4d haskell: increase timeout for Haskell compilation
(GHC setup now seems to take longer)
2018-09-08 11:36:22 +10:00
Gerwin Klein 1597395f03 riscv aspec: style + docs 2018-09-07 08:13:13 +10:00
Gerwin Klein 6301a9703f riscv aspec: implement abstract spec for RISCV64 2018-09-07 08:13:13 +10:00
Gerwin Klein 395a1eede5 riscv machine: update copyright headers for RISCV64 work 2018-09-07 08:13:13 +10:00
Gerwin Klein 7986766e95 riscv haskell: consistent name for Frame invocations 2018-09-07 08:13:13 +10:00
Gerwin Klein 340232aeb5 riscv haskell: refactor checkFreeSlot; fix test in PageRemap decoding 2018-09-07 08:13:13 +10:00
Gerwin Klein 85a589e1a8 riscv haskell: add type annotations 2018-09-07 08:13:13 +10:00
Gerwin Klein ec6e969cbf riscv design: use pre-defined machine ops 2018-09-07 08:13:13 +10:00
Gerwin Klein 01307aeeb0 riscv machine: define setVSpaceRoot, update read_sbadaddr 2018-09-07 08:13:13 +10:00
Gerwin Klein 4791ae78e2 riscv design: make vmFaultTypeFSR available to ASpec 2018-09-07 08:13:13 +10:00
Ilya Yanok 378717bee0 haskell: hide count{Leading,Trailing}Zeros from Data.Bits 2018-09-04 14:59:45 +10:00
Ilya Yanok d63c9d0343 haskell: enable FlexibleContexts extension in some files
Since version 7.10, GHC complains if the inferred type requires FlexibleContexts.
Alternatively we could just add monomorphic type signatures.
2018-09-04 14:59:45 +10:00
Ilya Yanok 333f01608e haskell: switch from deprecated ErrorT to ExceptT
and remove Error instances that are not needed anymore.
2018-09-04 14:59:45 +10:00
Ilya Yanok 34e437f918 haskell: hide Prelude.Word in generated hsboot files 2018-09-04 14:59:44 +10:00