Each CAmkES assembly gets an extra field `policy_extra` to specify
extra policy edges. These are added to the default policy graph from
`policy_of`.
This feature is intended to support endpoint merging in the
`global-endpoint` CAmkES template, which could add communication
edges that were not present in the ADL.
The new field `group_labels` specifies a mapping from ADL component
names to integrity policy labels. This will be used to support the
`group` keyword in CAmkES that allows components to share an address
space. See Jira VER-1109.
When extracting files for C parser and AutoCorres standalone releases,
we don't want Isabelle to fail a build when files referred to in
`@{file}` antiquotations no longer exist. Using `@{path}` avoids this
problem.
The CAmkES toolchain allows some interfaces to be declared optional.
We add such a flag to the ADL datatype and remove the requirement for
such interfaces to be connected.
This allows connectors to also grant access rights between the
from-ends themselves (and similarly the to-ends).
It was previously thought that production CAmkES systems would not
need these rights. However, some connectors (e.g. VirtQueue) don't
follow the standard ADL semantics and we need these rights to
express their behaviour. Limitations of the Access model also cause
`policy_wellformed` systems to have more rights than necessary; see
Jira VER-1108.
Adds an 'L4V_FEATURES' variable which can be used to select different
CMake configurations for seL4. This makes it easier to build and test
alternative configurations (like MCS).
Move `mlton-compiler` to the end of the apt-get list so it's easier for
a user to leave it off.
Point the user to the mlton website when installing on Debian Buster,
since there's no maintained mlton package for that distribution.
seL4 and L4V are migrating to python 3 given the upcoming end of python
2's support. Until we've rooted out all the old scripts, we recommend
installing both systems.
Contrary to its name, this is not a lock file, contains versions used
to build things, and does not go away. I have been informed this is the
industry standard.
Proofs for valid_vspace_objs and valid_vs_lookup are rather repetitive
and could use extraction of a common principle involving vs_lookup_table
over an updated state.
There is room to extract a property of vs_lookup_table on an updated
state, but for now the manipulation is done inline.
We needed an extra restriction that we do not introduce a loop by adding
a PTE to an empty table that would point to itself.
This spec bug was inspired by slightly differently but similarly wrong C code
(SELFOUR-2091). Current change brings it into sync with the (correct, we think)
C. Proof update included.
Gerwin Klein
Japheth Lim
Edward Pierzchalski
Rafal Kolanski