Skip to content

Latest commit

 

History

History

abstract

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
AARCH64
AARCH64
 
 
ARM
ARM
 
 
ARM_HYP
ARM_HYP
 
 
RISCV64
RISCV64
 
 
X64
X64
 
 
document
document
 
 
CSpaceAcc_A.thy
CSpaceAcc_A.thy
 
 
CSpace_A.thy
CSpace_A.thy
 
 
CapRights_A.thy
CapRights_A.thy
 
 
Decode_A.thy
Decode_A.thy
 
 
Deterministic_A.thy
Deterministic_A.thy
 
 
ExceptionTypes_A.thy
ExceptionTypes_A.thy
 
 
Exceptions_A.thy
Exceptions_A.thy
 
 
Glossary_Doc.thy
Glossary_Doc.thy
 
 
Interrupt_A.thy
Interrupt_A.thy
 
 
Intro_Doc.thy
Intro_Doc.thy
 
 
InvocationLabels_A.thy
InvocationLabels_A.thy
 
 
Invocations_A.thy
Invocations_A.thy
 
 
IpcCancel_A.thy
IpcCancel_A.thy
 
 
Ipc_A.thy
Ipc_A.thy
 
 
KHeap_A.thy
KHeap_A.thy
 
 
KernelInit_A.thy
KernelInit_A.thy
 
 
MiscMachine_A.thy
MiscMachine_A.thy
 
 
README.md
README.md
 
 
Retype_A.thy
Retype_A.thy
 
 
Schedule_A.thy
Schedule_A.thy
 
 
Structures_A.thy
Structures_A.thy
 
 
Syscall_A.thy
Syscall_A.thy
 
 
TcbAcc_A.thy
TcbAcc_A.thy
 
 
Tcb_A.thy
Tcb_A.thy
 
 
VMRights_A.thy
VMRights_A.thy
 
 

README.md

The Abstract Specification of seL4

l4v/spec/abstract/

This directory contains the main Isabelle sources of the seL4 abstract specification. The specification draws in additional interface files from design and machine.

The specification is written in monadic style. See l4v/lib/Monads/NonDetMonad for the definition of this monad.

Top-Level Theory

The top-level theory file that draws the whole specification together is Syscall_A, the top-level function in that theory is call_kernel.

This top-level function defines in-kernel behaviour. Later in the proof, in particular in invariant-abstract, this function is further wrapped in an automaton that describes system behaviour.

Entry Points

Two useful entry points for browsing the abstract specification are the theories Structures_A and ARM_Structs_A. They define the state space of the kernel model, including what capabilities and kernel objects are.

The theories Invocations_A and ArchInvocation_A define datatypes for the capability invocations/operations the kernel understands.

Most theories are named after the subsystem of the kernel they specify.

Building

The corresponding Isabelle session is ASpec. It is set up to build a human-readable PDF document. Glossary_Doc contains definitions of common seL4 terms.

To build, run in directory l4v/:

L4V_ARCH=ARM ./run_test ASpec

Remarks

  • Note that this specification is actually an extensible family of specifications, with predefined extension points. These points can either be left generic, as for most of the abstract invariant proofs, or they can be instantiated to more precise behaviour, such as in the theory Deterministic_A, which is used for the information flow proofs.

  • The theory Init_A does not define real kernel initialisation. Instead it is a dummy initial state for the kernel to demonstrate non-emptiness of abstract kernel invariants.

  • KernelInit_A is a paused project and not currently included in the rest of the specification.