This is mostly verbatim copy/paste from RISCV64 to get started. Needs
update and validation everywhere, but type checks for now.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Allows building ExecSpec, but is almost certainly wrong due to not
taking top-level pages into account.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Enables generation of boolean config keys. C for these often
equates absence with `false`, but Isabelle won't be able to deal with
the absence of the config name, so we need to manually indicate which ones
we want. For now, we generate `false` for absence for all boolean keys
that have a custom Isabelle name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Use RISCV64 design spec skeletons to start work on AARCH64 ExecSpec.
Only minimal RISCV64 to AARCH64 substitution done, with big FIXMEs
stuck on top to remind people this got no human oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

This is firmly a bash script and not intended to be portable to other
shells, so no point checking portability.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Haskell translator import statements in skeleton files can get very
long, and keeping them as one line is rather inconvenient. This change
allows a backslash (`\`) at end-of-line to indicate line continuation.
Note: the `\` acts like in shells, i.e. it must be exactly at EOL.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Note: left FIXMEs in InvocationLabels where we currently diverge from C,
and the missing SMMU invocations at this time.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Directly switches to global empty VSpace instead of doing the cap
checks in setVMRoot which we know will fail.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This adds armContextSwitch and setGlobalUserVSpace, the latter a
shorthand for setting the empty VSpace, to be re-used in
switchToIdleThread.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Validate decodeARMASIDPoolInvocation. Main change to RISCV64 is that
VTableRoot caps can now be distinguished and checked for.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Validated against C. We seem to be doing some unnecessary calculations
in ARM_HYP there, which are left out here (Haskell now is closer to C).
As follow-on, validated and tweaked decodeARMVSpaceRootInvocation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

No plans to resurrect Haskell simulation any more, so the comments are
mostly going to be confusing to people who come at this fresh.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The C code has an unnecessary name indirection via isValidNativeRoot
here, which I replicated to make more obvious what maps to what.
Eventually this should disappear.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This is a bit speculative since the C is not there yet, but I think
it's a good candidate, especially turning the VMPageSize parameters into Int,
because that will save the C from converting it back and forth.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Uses lookupFrame which still needs to be filled in. We already have
a form of that in the formalisation, and can maybe reuse some of that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This adds first AArch64-specific flushing. More to come when we add
the explicit flush API.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This refactors getASIDPoolEntry to extract code that is shared between
lookup and update, and should make conversion to reader monad later
easier.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

We are on an Arm board, where <= maxIRQ implies != irqInvalid, so use
original ARM version.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

This adjusts ptBitsLeft and ptIndex to properly take into account
the potentially different-sized top-level table. This is all that is
needed for the rest of the lookup code to be correct.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This is a sketch of what I think the API will look like after C code
changes. In particular, this adds a VSpaceRoot API object type
that stands for a top-level page table. The name may change, but a
different API object type for the different page size will probably
stay.
Different top-level table size only applies in some configurations. The
spec attempts to model both cases by making ptBits and
ptTranslationBits dependent on whether it is a top-level table or not.
The rest follows from that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

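The two commit messages above (adjusting ptBitsLeft and ptIndex for the top-level table, and making ptBits/ptTranslationBits depend on whether a table is top-level) describe one calculation. The following is an added worked example in Python; it is not the seL4 Haskell spec's code, and the configurations it uses (4 KiB pages, 9 translation bits per ordinary level, and a 3-level walk whose top-level table resolves 10 bits) are assumptions chosen for illustration, not seL4's actual constants.

```python
# Added illustration (not seL4's Haskell spec): how ptBitsLeft and ptIndex must
# take a differently sized top-level table into account. All constants and
# configurations below are assumptions for illustration only.
from dataclasses import dataclass

PAGE_BITS = 12            # assumed 4 KiB pages
PT_TRANSLATION_BITS = 9   # assumed 512 entries per non-top-level table


@dataclass(frozen=True)
class VSpaceConfig:
    levels: int           # number of page-table levels in a walk
    top_level_bits: int   # translation bits resolved by the top-level table

    @property
    def max_pt_level(self):
        # Level 0 is the table closest to the page; the top level has the highest number.
        return self.levels - 1


def pt_translation_bits(cfg, level):
    """Index width of a table at `level`; only the top level may differ."""
    return cfg.top_level_bits if level == cfg.max_pt_level else PT_TRANSLATION_BITS


def pt_bits_left(cfg, level):
    """Address bits below the index field of a table at `level`.

    Computed bottom-up, so only the levels *below* `level` contribute.  The
    top-level width still matters for the mask in pt_index and for the total
    address-space size in vspace_bits."""
    return PAGE_BITS + sum(pt_translation_bits(cfg, lvl) for lvl in range(level))


def pt_index(cfg, level, vaddr):
    """Index into the table at `level` for a virtual address.

    Masking with the level-specific width is the point: a top-level table
    with 10 translation bits has 1024 slots, and a 9-bit mask would silently
    drop the highest bit of the index."""
    mask = (1 << pt_translation_bits(cfg, level)) - 1
    return (vaddr >> pt_bits_left(cfg, level)) & mask


def walk_indices(cfg, vaddr):
    """Indices visited on a lookup, top level first."""
    return [pt_index(cfg, lvl, vaddr) for lvl in range(cfg.max_pt_level, -1, -1)]


def vspace_bits(cfg):
    """Number of address bits covered by one top-level table."""
    return pt_bits_left(cfg, cfg.max_pt_level) + cfg.top_level_bits


# Assumed configurations: a 4-level walk with an ordinary-sized top-level
# table, and a 3-level walk whose top-level table resolves 10 bits (1024 entries).
FOUR_LEVEL = VSpaceConfig(levels=4, top_level_bits=9)
LARGE_TOP = VSpaceConfig(levels=3, top_level_bits=10)

if __name__ == "__main__":
    for cfg in (FOUR_LEVEL, LARGE_TOP):
        highest = (1 << vspace_bits(cfg)) - 1
        print(cfg, "covers", vspace_bits(cfg), "address bits;",
              "indices of the highest vaddr:", walk_indices(cfg, highest))
```

Running the block prints the per-level indices for the highest address in each configuration; the 3-level configuration reaches index 1023 at the top level, which is exactly the case a single fixed table width would get wrong.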
Validated constants defined in Structures/AARCH64.lhs
PT caps now include a flag whether they are for a top-level table or
not. This could later be generalised to a level, but that's likely not
necessary for AArch64.
Amazingly, only the creation of new PT caps was affected by this
change. That creation will need user-level input which size of table to
create (to be added later).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Previously renamed invocation labels, as well as decodeARMMMUInvocation
and performARMMMUInvocation.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Largely adapted from ARM_HYP, modified and checked against C code.
Remaining known issues marked with FIXMEs.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

The repo token allows the action to work on a private repo, and
the S3 cache bucket name allows it to charge a different org.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Model AARCH64-specific global kernel data, which means:
- adjust vspace region mapping names
- remove global page tables, including accesses (copyGlobalMappings)
- add pointer to empty user page table
This commit does not yet include VCPU and SMMU.
As on 32-bit ARM_HYP, global page tables exist on AARCH64, but are not
accessed by any code after boot, so are not visible in verified code
apart from defining the (constant) kernel window and kernel mappings
during execution. User code without a valid VSpace root is assigned a
pointer to an empty table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Set the naming convention for global state components to armKS..
This overlaps with ARM and ARM_HYP, but so do the concepts as well
as the C convention.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>