June 2021 - Devel - lists.sel4.systems

Proving there exists a valid execution of a function
by Ben Fiedler 11 Jun '21

11 Jun '21

Hi seL4 devs, I'm not sure whether this list is the right spot to ask about AutoCorres issues, but I gather you have some experience with that :-) I'm currently working on proving that some CAmkES component behaves well wrt some higher- level specification. I want to prove this by simulation: Each step of my concrete CAmkES code corresponds to a step of some abstract machine. I've proven the behavioural lemmas as Hoare-triples using the validNF framework, and now want to lift the AutoCorres-generated executions to my higher-level representation. I'm having issues with this however. Concretely, I want to be able to extract some resulting state after e.g. execution function f. For example: I have the following triple: {| P |} f {| Q |}! Now given a state s such that P s is satisfied, I want to obtain some resulting state s' such that Q' _ s' holds. This is easy enough, as Isabelle has Hilbert's choice operator: fun get_next_state where "get_next_state f s = SOME s'. s' : (snd ` fst (f s))" Here is my problem: The choice operator only works when selecting from a non-empty set. I have a feeling that since I've shown that {P} f {Q} is a non-failing and valid hoare-triple this should somehow follow, but it doesn't. There is an easy counter-example: {| top |} select {} {| toptop |} This is a valid triple, however there are no valid executions for `select {}`. I have a feeling that this is the only counterexample though, since all other potential sources of empty executions are covered (namely nonterminating while loops, as they must always terminate in the validNF framework). If `select A` included a guard that A is non-empty, then I believe one could show that vaildNF P f Q implies exs_valid P f Q, although I'm not sure on this. I've looked into the exs_valid framework, which proves exactly what I want. However, I have two issues with this: 1. I have already proven all the invariants I wanted in the validNF framework, and repeating these proofs seems redundant to me. 2. The exs_valid framework has very little utilities provided for use with the wp tool, which makes working with it more tedious than the validNF framework. Another avenue I've looked at is using termination proofs from the SIMPL code: The AutoCorres ac_corres lemmas derived for my functions guarantee termination of the concrete SIMPL code if the abstract version does not fail, which I have proven. Since, as far as I understand it, the SIMPL layer has no problematic `select`-equivalent, termination should be sufficient to guarantee that a following state actually exists, and somehow lifting that guarantee to the AutoCorres layer. I haven't had success with this though. Any help/pointers is appreciated. Thanks a lot in advance! Cheers, Ben

1 1

Increase Initrd Max Size Beyond DTB Address Limitation
by Olof Holmberg 10 Jun '21

10 Jun '21

Hi, I was wondering if there is a way to increase the RAM size of the Initrd in the qemu-arm-virt VM to more than the initially allowed which seems to be around 250MB. These are my current settings for the VM RAM: #define VM_RAM_OFFSET 0x00000000 #define VM_INITRD_MAX_SIZE 0x9000000 // 150 MB #define VM_RAM_BASE 0x40000000 #define VM_RAM_SIZE 0x20000000 #define VM_DTB_ADDR 0x4F000000 // VM0_RAM_BASE + 0xF000000 #define VM_INITRD_ADDR 0x46000000 // VM0_DTB_ADDR - VM_INITRD_MAX_SIZE And what I would want is something like this: #define VM_RAM_OFFSET 0x00000000 #define VM_INITRD_MAX_SIZE 0x20000000 // 500 MB #define VM_RAM_BASE 0x40000000 #define VM_RAM_SIZE 0x30000000 #define VM_DTB_ADDR 0x6F000000 // VM0_RAM_BASE + 0xF000000 #define VM_INITRD_ADDR 0x4F000000 // VM0_DTB_ADDR - VM_INITRD_MAX_SIZE VM_DTB_ADDR should probably be 0x4F000000. If I interpreted it correctly it means that the VM_INITRD_ADDR will be below the VM_RAM_BASE_ADDR and therefore outside of the allocated memory for the VM. But I assume that the comments regarding the address of the DTB that it is not possible to have a larger size of Initrd than the difference between VM_DTB_ADDR and the VM_RAM_BASE allows for. I have tested with some different configurations and it either results in the boot hanging after touching the pages for the VM or results in a page error during the touching of pages. It however seems to work with having the VM_INITRD_MAX_SIZE larger than what could fit between the base and Initrd address but I assume that it would result in an error should the actual loaded initramfs require the whole allocated space. What would be the correct way to achieve this if it is even possible? I assume that it might not even be possible if the addresses that has to be allocated for the larger Initrd is already used and allocated for other things. Best regards, Olof

1 0

Running vm_multi on TK1 and TX2
by Mike Clark 10 Jun '21

10 Jun '21

The camkes-vm-examples readme mentions that the Nvidia TX2 should support multiple VMs but it is untested. If you try to build the vm_multi app for TX2 you just get an error that the platform is unsupported. Has anyone tried vm_multi on TX2? Do you have a working devices.camkes that you can share? On the TK1 board, the readme says multiple VMs is unsupported, but in the Notes it says that Multi-VM is untested. Could multi-vm work for TK1? Mike

1 0

Bug when compling in release mode
by Ben Fiedler 09 Jun '21

09 Jun '21

Hello everyone, I've recently found an interesting bug that only occurs when compiling in release mode. Use of the ZF_LOG library (for normal log output) leads to syscalls being made when the capdl-loader runs. These are invoked via musllibc's __stdio_write, which relies on __sysinfo being set correctly for syscalls to work. When compiling with RELEASE=OFF this works fine, however when compiling with RELEASE=ON, __sysinfo is not set (yet?), and subsequently leads to an illegal prefetch exception when __stdio_write tries to invoke a syscall. Setting __sysinfo to sel4_vsyscall using gdb during runtime fixes this. I don't really know the correct place to fix this in the code, but I hope that you can provide some hints on where to fix this bug. Thanks a lot for your help! Cheers, Ben

2 2

Pull request of S91lighttpd
by Hugo V.C. 08 Jun '21

08 Jun '21

Hi, I'm trying to make a pull request as I want to make a very simple (yet useful) change to S91lighttpd file. I wonder where I can find this file in Git as I can find it locally in my build directory: build/overlay/etc/init.d/S91lighttpd but can not find it anywhere else in Git. I assume it is part of some prebuilt file system (overlay?) but still I can't find where this file system is in Git. Any help will be appreciated. Hugo

2 2

Status of the seL4 RISC-V platform Rocketchip
by Axel Heider 07 Jun '21

07 Jun '21

Hi, I'm wondering about the state of the seL4 RISC-V platform "Rocketchip", is anybody actively using this? At the seL4 hardware status page https://docs.sel4.systems/Hardware/rocketchip.html there is not much, and the repo https://github.com/ucb-bar/fpga-zynq has been abandoned. It points to https://github.com/sifive/freedom which has also been abandoned recently. So I wonder, is this platform effectively dead and should be removed? Axel

1 0

watch dog timer and stability mechanisms in sel4 and camkes
by MOHAMAD REZA SHAFIEI 05 Jun '21

05 Jun '21

Hi there. i'm working on my master project and try to implement a system which act as a storage system (a simple sample). so i write my components and its work correctly but some times (rarely) my threads crashes and I couldn't find problem. So i decide to use a service like watch dog timer for garanti all of threads work and when one thread failed and crashed, this mechanism detect it and start another thread or reset the system. My project is on sle4 and camkes framework, a simple solution can implement by some thread controlling (implement WDT in user mode). But I want to know is there in camkes or sel4 any mechanism for this need? a mechanism for garanti stability and system availability? can any body help me? Is there anybody which confront with this need? -- This email was Anti Virus checked by Security Gateway.

1 0

libsel4utils: load_segment memory leak bug
by wzt wzt 05 Jun '21

05 Jun '21

hello: i found a bug memory leak bug in libsel4utils/src/elf.c static int load_segment(vspace_t *loadee_vspace, vspace_t *loader_vspace, vka_t *loadee_vka, vka_t *loader_vka, const char *src, size_t file_size, int num_regions, sel4utils_elf_region_t regions[num_regions], int region_index) { seL4_CPtr loader_slot; cspacepath_t loader_frame_cap; error = vka_cspace_alloc(loader_vka, &loader_slot); [1] while (pos < segment_size && error == seL4_NoError) { reservation_t reservation; if (loadee_vaddr < region.reservation_vstart) { if ((region_index - 1) < 0) { ZF_LOGE("Invalid regions: bad elf file."); return 1; [2] } } if [2] happned, it not free the prev alloc memory, and then it's memory will be leaked. i think the correct way is invoke vka_cspace_free() before return.

3 2

Mapping VM Kernel Memory
by Michael Neises 05 Jun '21

05 Jun '21

Hello everyone, I have a question about some code I'm using from the seL4 repositories. I have a follow-up question about whether a certain memory mapping strategy is feasible. I'm looking at this kernel module: https://github.com/seL4/camkes-vm-linux/blob/master/camkes-linux-artifacts/… and at this user-space app: https://github.com/seL4/camkes-vm-linux/blob/master/camkes-linux-artifacts/… In short, there is shared memory between a camkes component and the vm-linux. I can tell that the shared memory region is given by accessing /dev/uio0. However, it's not clear to me what exactly this memory region is. As I simulate the kernel, I find this: [ 0.000000] Virtual kernel memory layout: [ 0.000000] modules : 0xffff000000000000 - 0xffff000008000000 ( 128 MB) [ 0.000000] vmalloc : 0xffff000008000000 - 0xffff7dffbfff0000 (129022 GB) [ 0.000000] .text : 0xffff000008080000 - 0xffff0000087d0000 ( 7488 KB) [ 0.000000] .rodata : 0xffff0000087d0000 - 0xffff000008a50000 ( 2560 KB) [ 0.000000] .init : 0xffff000008a50000 - 0xffff000008e00000 ( 3776 KB) [ 0.000000] .data : 0xffff000008e00000 - 0xffff000008f31200 ( 1221 KB) [ 0.000000] .bss : 0xffff000008f31200 - 0xffff000008fb9034 ( 544 KB) [ 0.000000] fixed : 0xffff7dfffe7fb000 - 0xffff7dfffec00000 ( 4116 KB) [ 0.000000] PCI I/O : 0xffff7dfffee00000 - 0xffff7dffffe00000 ( 16 MB) [ 0.000000] vmemmap : 0xffff7e0000000000 - 0xffff800000000000 ( 2048 GB maximum) [ 0.000000] 0xffff7e0000000000 - 0xffff7e0000200040 ( 2 MB actual) [ 0.000000] memory : 0xffff800000000000 - 0xffff800008001000 ( 128 MB) My belief is that /dev/uio0 points to the section here labeled "memory." Is that right? My goal is to perform memory introspection on vm-linux kernel modules. To that end, I think I want to look at the section labeled "modules." Is that possible? Best, Michael Neises

1 0

QEMU simulation: Passing drive to CAmkES ARM VM
by Olof Holmberg 04 Jun '21

04 Jun '21

Hi, I am currently booting a initramfs as the VM so that I later would be able to switch root to a filesystem disk that allows for larger storage and has other software installed that I want inside the VM. I have started the simulate script with a few variants of the following line (Passing the virtio device was a guess since the virtio-net device is supported for networking for the VM. I have also tried to pass only the drive part but it has the same result.): sudo ./simulate --extra-qemu-args="-device virtio-blk-pci,drive=drive0 -drive file=filesystem/testimage,format=raw,if=none,id=drive0" However there are no devices appearing in /dev/ that seem to be the drive passed to qemu such as sdaX or vdaX. There is no output from running "fdisk -l" either. So therefore I wonder if this kind of passthrough is supported by seL4? I have tried to find documentation that relates passing a disk to the VM in seL4 but have not found anything yet. This was done for the qemu-arm-virt platform if that has some significance regarding platform support. Best regards, Olof

2 2