db70e3ea75
Making vs_index_len a symbolic value instead of a plain number means we have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need to consider both cases, which forces us to stay generic). This also makes sure the type vs_index_len is always distinct from pt_index_len (even if the sizes are the same), which was only guaranteed in one of the two configurations before.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Directories:
- AARCH64
- ARM
- ARM_HYP
- RISCV64
- X64
- document

Files:
- CSpaceAcc_A.thy
- CSpace_A.thy
- CapRights_A.thy
- Decode_A.thy
- Deterministic_A.thy
- ExceptionTypes_A.thy
- Exceptions_A.thy
- Glossary_Doc.thy
- Interrupt_A.thy
- Intro_Doc.thy
- InvocationLabels_A.thy
- Invocations_A.thy
- IpcCancel_A.thy
- Ipc_A.thy
- KHeap_A.thy
- KernelInit_A.thy
- MiscMachine_A.thy
- README.md
- Retype_A.thy
- Schedule_A.thy
- Structures_A.thy
- Syscall_A.thy
- TcbAcc_A.thy
- Tcb_A.thy
- VMRights_A.thy
README.md
The Abstract Specification of seL4
l4v/spec/abstract/
This directory contains the main Isabelle sources of the seL4 abstract specification. The specification draws in additional interface files from design and machine.

The specification is written in monadic style. See l4v/lib/Monad_WP/NonDetMonad for the definition of this monad.
Top-Level Theory
The top-level theory file that draws the whole specification together is Syscall_A; the top-level function in that theory is call_kernel.

This top-level function defines in-kernel behaviour. Later in the proof, in particular in invariant-abstract, this function is further wrapped in an automaton that describes system behaviour.
Entry Points
Two useful entry points for browsing the abstract specification are the theories Structures_A and ARM_Structs_A. They define the state space of the kernel model, including what capabilities and kernel objects are.

The theories Invocations_A and ArchInvocation_A define datatypes for the capability invocations/operations the kernel understands.
Most theories are named after the subsystem of the kernel they specify.
Building
The corresponding Isabelle session is ASpec. It is set up to build a human-readable PDF document. Glossary_Doc contains definitions of common seL4 terms.

To build, run in directory l4v/spec:

make ASpec
Remarks
- Note that this specification is actually an extensible family of specifications, with predefined extension points. These points can either be left generic, as for most of the abstract invariant proofs, or they can be instantiated to more precise behaviour, such as in the theory Deterministic_A, which is used for the information flow proofs.
- The theory Init_A does not define real kernel initialisation. Instead it is a dummy initial state for the kernel to demonstrate non-emptiness of abstract kernel invariants.
- KernelInit_A is a paused project and not currently included in the rest of the specification.