tool: enforce the protected procedure priorities

As per the Microkit manual, > A protected call is only possible if the callee has strictly higher > priority than the caller. Due to the change to specify `pp="true"` in the SDF in the previous commit, we can now verify that the priority invariant holds true, instead of it being possible to create a system with this behaviour. Signed-off-by: julia <[email protected]>
seL4 · Sep 5, 2024 · 73e8f47 · 73e8f47
1 parent 2edb5c3
commit 73e8f47
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/tool/microkit/src/sdf.rs b/tool/microkit/src/sdf.rs
@@ -1198,6 +1198,18 @@ pub fn parse(filename: &str, xml: &str, config: &Config) -> Result<SystemDescrip
             ));
         }
 
+        let pd_a = &pds[ch.end_a.pd];
+        let pd_b = &pds[ch.end_b.pd];
+        if !(!ch.end_a.can_ppcall_other || (pd_a.priority < pd_b.priority)) {
+            // a can ppcall =>   priority(a) < priority(b)
+            return Err(format!("Error: PPCs must be to protection domains of strictly higher priorities; you did from pd {} (priority: {}) to pd {} (priority: {})",
+            pd_a.name, pd_a.priority, pd_b.name, pd_b.priority));
+        } else if !(!ch.end_b.can_ppcall_other || (pd_b.priority < pd_a.priority)) {
+            // b can ppcall =>   priority(b) < priority(a)
+            return Err(format!("Error: PPCs must be to protection domains of strictly higher priorities; you did from pd {} (priority: {}) to pd {} (priority: {})",
+            pd_b.name, pd_b.priority, pd_a.name, pd_a.priority));
+        }
+
         ch_ids[ch.end_a.pd].push(ch.end_a.id);
         ch_ids[ch.end_b.pd].push(ch.end_b.id);
     }

diff --git a/tool/microkit/tests/sdf/ch_ppcall_priority.xml b/tool/microkit/tests/sdf/ch_ppcall_priority.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright 2024, UNSW.
+
+ SPDX-License-Identifier: BSD-2-Clause
+-->
+<system>
+    <protection_domain name="test1" priority="2">
+        <program_image path="test" />
+    </protection_domain>
+    <protection_domain name="test2" priority="1">
+        <program_image path="test" />
+    </protection_domain>
+
+    <channel>
+        <end pd="test1" id="0" pp="true" />
+        <end pd="test2" id="0" />
+    </channel>
+</system>
diff --git a/tool/microkit/tests/test.rs b/tool/microkit/tests/test.rs
@@ -368,6 +368,14 @@ mod channel {
             "Error: cannot ppc bidirectionally on element 'channel': ",
         )
     }
+
+    #[test]
+    fn test_ppcall_priority() {
+        check_error(
+            "ch_ppcall_priority.xml",
+            "Error: PPCs must be to protection domains of strictly higher priorities; you did from pd test1 (priority: 2) to pd test2 (priority: 1)",
+        )
+    }
 }
 
 #[cfg(test)]