theory TEEC_IPC_SEC
imports "../GPTEE_Instantiation" "./TEEC_SEC_Common" "./TEE_SEC_Common"
begin
section "TEEC_OpenSession proof"
subsection "Integrity"
text "integrity ≡ ∀ a d s s'. reachable0 s ∧ ((the (domain s a)) ∖↝ d) ∧ (s, s') ∈ trans a ⟶ (s ∼ d ∼ s')"
lemma TEEC_InitializeContext_integrity:
assumes p1: "a = hyperc (TEEC_INITIALIZECONTEXT tn tctext)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a4: "exec_event a = {(s,s'). s'∈{fst (TEEC_InitializeContext sysconf s tn tctext)}}"
using p1 exec_event_def
by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠REE sysconf")
case True
then have "s=fst (TEEC_InitializeContext sysconf s tn tctext)"using TEEC_InitializeContext_def
by simp
then show ?thesis using vpeq1_def using a3 a4 by auto
next
case False
then have a6: "(the (domain_of_event s a)) = REE sysconf"
using p1 by fastforce
then show ?thesis
proof(cases "d=TEE sysconf")
case True
then have b1: "(s ∼ d ∼ s') =vpeq_TEE s d s'"
by auto
have b2: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
proof(cases "tctext = None")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)"
using TEEC_InitializeContext_def by simp
then show ?thesis
using a3 a4
by auto
next
case False
then show ?thesis
proof(cases "tn≠TEE_name sysconf")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)" using TEEC_InitializeContext_def
by force
then show ?thesis
using a3 a4 by fastforce
next
case False
then have "s' = fst (TEEC_InitializeContext sysconf s tn tctext) "
using a3 a4 by blast
then show ?thesis using TEEC_InitializeContext_def REE_AddContext_def
by simp
qed
qed
have b21: "ta_mgr (TEE_state s) = ta_mgr (TEE_state s')"
proof(cases "tctext = None")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)"
using TEEC_InitializeContext_def by simp
then show ?thesis
using a3 a4
by auto
next
case False
then show ?thesis
proof(cases "tn≠TEE_name sysconf")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)" using TEEC_InitializeContext_def
by force
then show ?thesis
using a3 a4 by fastforce
next
case False
then have "s' = fst (TEEC_InitializeContext sysconf s tn tctext) "
using a3 a4 by blast
then show ?thesis using TEEC_InitializeContext_def REE_AddContext_def
by simp
qed
qed
then have b3: "vpeq_TEE s d s'" using b2 b21 vpeq_TEE_def by fastforce
show ?thesis using b3 b1 by auto
next
case False
then have c1: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using a6 a2 nintf_neq by blast
next
case False
then have b4: "is_TA sysconf d" using is_TA_def c1
by auto
then show ?thesis
proof -
{
have b5: "(s ∼ d ∼ s') =vpeq_TA s d s'" using b4 by simp
have b6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
proof(cases "tctext = None")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)"
using TEEC_InitializeContext_def by simp
then show ?thesis
using a3 a4 by auto
next
case False
then show ?thesis
proof(cases "tn≠TEE_name sysconf")
case True
then have "s = fst (TEEC_InitializeContext sysconf s tn tctext)" using TEEC_InitializeContext_def
by force
then show ?thesis
using a3 a4 by fastforce
next
case False
then have "s' = fst (TEEC_InitializeContext sysconf s tn tctext) "
using a3 a4 by blast
then show ?thesis using TEEC_InitializeContext_def REE_AddContext_def
by simp
qed
qed
then show ?thesis using b5 by auto
}
qed
qed
qed
qed
}
then show ?thesis by blast
qed
lemma TEEC_InitializeContext_integrity_e:
"integrity_e (hyperc (TEEC_INITIALIZECONTEXT tn tctext))"
using TEEC_InitializeContext_integrity integrity_e_def
by fastforce
lemma TEEC_FinalizeContext_integrity:
assumes p1: "a = hyperc (TEEC_FINALIZECONTEXT tctext)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
have a4: "exec_event a = {(s,s'). s'∈{(TEEC_FinalizeContext sysconf s tctext)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have "(s ∼ d ∼ s')"
proof -
{
show ?thesis
proof(cases "current s≠REE sysconf∨exec_prime s ≠[]∨tctext = None")
case True
then have "s=TEEC_FinalizeContext sysconf s tctext" using TEEC_FinalizeContext_def
by presburger
then show ?thesis
by (metis a3 a4 case_prodD mem_Collect_eq singletonD vpeq_reflexive_lemma)
next
case False
have b1:"current s=REE sysconf∧exec_prime s =[]∧tctext ≠ None"
using False by auto
have b2:"s'=TEEC_FinalizeContext sysconf s tctext" using exec_event_def
using a3 a4 by blast
then show ?thesis
proof(cases "d=TEE sysconf")
case True
have b3:"(s ∼ d ∼ s') =vpeq_TEE s d s'" using vpeq1_def True by auto
have b4:"TEE_state s =TEE_state s'"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd s ?ca_fd"
let ?s1 = "foldl updateListForTEECCS s ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"TEE_state s =TEE_state ?s1"
using foldl_induct_rule by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"TEE_state ?s2 =TEE_state ?s1"
using c2 by simp
then show ?thesis using c1 c3 b2
using TEEC_FinalizeContext_def by presburger
}
qed
then show ?thesis using vpeq_TEE_def using b3 by auto
next
case False
then have d0: "d≠TEE sysconf" by simp
show ?thesis
proof(cases "d= REE sysconf")
case True
then show ?thesis using a2 domain_of_event_def
by (metis b1 nintf_neq option.sel)
next
case False
then have d1: "is_TA sysconf d" using is_TA_def d0 by auto
then have d2: "(s ∼ d ∼ s') =vpeq_TA s d s'" using vpeq1_def d1 by simp
have d3:"TEE_state s =TEE_state s'"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd s ?ca_fd"
let ?s1 = "foldl updateListForTEECCS s ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"TEE_state s =TEE_state ?s1"
using foldl_induct_rule by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"TEE_state ?s2 =TEE_state ?s1" using c2 by simp
then show ?thesis using c1 c3 b2
using TEEC_FinalizeContext_def by presburger
}
qed
then show ?thesis using d3 d2 by simp
qed
qed
qed
}
qed
}
then show ?thesis by blast
qed
lemma TEEC_FinalizeContext_integrity_e:
"integrity_e (hyperc (TEEC_FINALIZECONTEXT tctext))"
using TEEC_FinalizeContext_integrity integrity_e_def
by fastforce
lemma TEEC_OpenSession1_integrity:
assumes p1: "a = hyperc (TEEC_OPENSESSION1 ctx1 ses1 uuid cm cd opt mem_t)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEEC_OpenSession1 sysconf s ctx1 ses1 uuid cm cd opt mem_t)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEEC_OpenSession1 sysconf s ctx1 ses1 uuid cm cd opt mem_t)"
using exec_event_def a4 a3 by simp
have "(s ∼ d ∼ s')"
proof(cases "current s≠REE sysconf∨(exec_prime s) ≠[]∨ctx1 = None∨ ses1 = None∨TEEC_pre_process_operation opt≠TEEC_SUCCESS")
case True
then have "s=fst(TEEC_OpenSession1 sysconf s ctx1 ses1 uuid cm cd opt mem_t)"
using TEEC_OpenSession1_def TEEC_pre_process_operation_def by simp
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ REE sysconf ∨ exec_prime s ≠ [] ∨ ctx1 = None
∨ ses1 = None ∨ TEEC_pre_process_operation opt ≠ TEEC_SUCCESS)" by simp
then have b1:"current s=REE sysconf" by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have b2:"(s ∼ d ∼ s') =vpeq_TEE s d s'"
using vpeq1_def True by auto
have b3:"TEE_state s =TEE_state s'"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some uuid,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c1:"s' = s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime s)⦈"
using a6 TEEC_OpenSession1_def b0 by auto
then show ?thesis by simp
}
qed
then show ?thesis using b2 by auto
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using a2 b1 by simp
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then have b7:"(s ∼ d ∼ s') =vpeq_TA s d s'"
using vpeq1_def by auto
have b8:"TEE_state s =TEE_state s'"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some uuid,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c1:"s' = s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime s)⦈"
using a6 TEEC_OpenSession1_def b0 by auto
then show ?thesis by simp
}
qed
then show ?thesis using b8 b7 by auto
qed
qed
qed
}
thus ?thesis by blast
qed
lemma TEEC_OpenSession1_integrity_e:
"integrity_e (hyperc (TEEC_OPENSESSION1 ctx1 ses1 uuid cm cd opt mem_t))"
using TEEC_OpenSession1_integrity integrity_e_def
by (metis non_interference1_def non_interference_def)
lemma TEEC_OpenSession2_integrity:
assumes p1: "a = hyperc (TEEC_OPENSESSION2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?cli = "the (param4 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEEC_OpenSession2 sysconf s)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEEC_OpenSession2 sysconf s)"
using exec_event_def a4 a3 by simp
have "(s ∼ d ∼ s')"
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEEC_OP2")
case True
then have "s=fst(TEEC_OpenSession2 sysconf s)"
using TEEC_OpenSession2_def by auto
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_OP2)" by simp
then have b1:"current s=TEE sysconf" by simp
have b2:"(s ∼ d ∼ ?s0)" by auto
have b3:"(?s0 ∼ d ∼ s')"
proof(cases "d=TEE sysconf")
case True
show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
thus ?thesis using b2
using vpeq_transitive_lemma by blast
qed
}
then show ?thesis by blast
qed
lemma TEEC_OpenSession2_integrity_e:
"integrity_e (hyperc (TEEC_OPENSESSION2))"
using TEEC_OpenSession2_integrity integrity_e_def
by fastforce
lemma TEEC_OpenSession3_integrity:
assumes p1: "a = hyperc (TEEC_OPENSESSION3 sid)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?ses_id = "the (param2 ?p)"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?s1 = "initTAProcess ?s0 ?opt ?uuid ?ses_id"
let ?ta_ses= "(TA_sessions(the((TAs_state s) ?uuid)))"
let ?init1="(TA_instance_init(the((TAs_state s) ?uuid)))"
let ?s2 ="TA_OpenSessionEntryPoint sysconf ?s1 ?opt ?uuid"
let ?param="⦇param1=Some ?uuid,param2=Some ?ses_id,param3=None,param4=None,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=Some TEEC_SUCCESS, param13=None⦈"
let ?s5= "?s2⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP4)#(exec_prime ?s2)⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst (TEEC_OpenSession3 sysconf s sid)}}"
using p1 exec_event_def
by auto
have a41: "s' = fst (TEEC_OpenSession3 sysconf s sid)" using a3 a4 by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6: "?domain ≠d" using a2 nintf_neq by blast
have a7: "?domain = (current s)" using domain_of_event_def
using p1 by auto
have "s∼ d ∼ s'"
proof(cases "?exec = []∨snd (hd ?exec)≠TEEC_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨current s≠?uuid")
case True
then have "s=s'" using TEEC_OpenSession3_def a41
by force
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "?exec ≠[]∧snd (hd ?exec) =TEEC_OP3∧sid=?ses_id∧TEE sysconf≠current s∧REE sysconf≠current s∧current s=?uuid" by auto
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have b2:"(s ∼ d ∼ s') = vpeq_REE s d s'"
using tee_no_ree vpeq1_def by presburger
have b3:"ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s')"
proof -
{
have c1:"REE_state ?s0 =REE_state s"
by simp
have c2:"REE_state ?s0 =REE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_REE ?s1 =vpeq_REE s" using c1 c2 vpeq_REE_def
by presburger
have c4:"REE_state ?s2 = REE_state ?s1" using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE by blast
have c7:"vpeq_REE ?s2 d s" using c1 c2 c3 c4 by simp
have c8:"s'=?s5"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEEC_OpenSession3_def a41 fst_conv)
have c9:"vpeq_REE s' = vpeq_REE s"
using c7 c8 by fastforce
show ?thesis using c9 vpeq_REE_def by metis
} qed
show ?thesis using b3 b2 by simp
next
case False
then have b4:"d≠REE sysconf" by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have b5:"d=TEE sysconf" by simp
then have b6:"(s ∼ d ∼ s') = vpeq_TEE s d s'" by simp
have b7:"{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
proof -
{
have c1:"TEE_state ?s0 =TEE_state s"
by simp
have c2:"TEE_state ?s0 =TEE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_TEE ?s1 =vpeq_TEE s" using c1 c2 vpeq_TEE_def
by presburger
have c4:"vpeq_TEE ?s2 = vpeq_TEE ?s1" using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_TEE by fastforce
have c7:"vpeq_TEE ?s2 d s" using c3 c4 using vpeq_TEE_reflexive by presburger
let ?s'1="addREESession (MgrPostOperation (TA_OpenSessionEntryPoint sysconf
(initTAProcess ?s0 ?opt ?uuid ?ses_id) ?opt ?uuid) ?uuid) ?ses_id ?ctx1"
have c8:"s'=?s5" using TEEC_OpenSession3_def
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEEC_OpenSession3_def a41 b1 fst_conv)
then show ?thesis using c7 c8 by simp
} qed
show ?thesis using b6 b7 by simp
next
case False
then have b8:"is_TA sysconf d" using b4 by auto
then have b9:"(s ∼ d ∼ s') = vpeq_TA s d s'" by simp
show ?thesis
proof(cases "d=?uuid")
case True
then show ?thesis using a2 b1 by force
next
case False
then have b00:"d≠current s" using b1 by simp
have b10:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof -
{
have c1:"TEE_state ?s0 =TEE_state s"
by simp
have c2:"TEE_state ?s0 =TEE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_TA ?s1 =vpeq_TA s" using c1 c2 vpeq_TA_def
by presburger
have c4:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)}"
using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_other_TA b00
using False by blast
have c7:"vpeq_TA ?s2 d s" using c1 c2 c3 c4 by simp
have c8:"s'=?s5"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEEC_OpenSession3_def a41 b1 fst_conv)
have c9:"vpeq_TA s' d s"
using c7 c8 vpeq_TA_def by fastforce
show ?thesis using c9 vpeq_TA_def
by (metis (mono_tags, lifting))
}qed
then show ?thesis using b9 b10 by simp
qed
qed
qed
qed
}
then show ?thesis by blast
qed
lemma TEEC_OpenSession3_integrity_e:
"integrity_e (hyperc (TEEC_OPENSESSION3 sid))"
using TEEC_OpenSession3_integrity integrity_e_def
by fastforce
lemma TEEC_OpenSession4_integrity:
assumes p1: "a = hyperc (TEEC_OPENSESSION4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?tid1 = "the(param1 ?p)"
let ?sesid = "the (param2 ?p)"
let ?cli = "the (param4 ?p)"
let ?res = "the (param12 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEEC_OpenSession4 sysconf s)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEEC_OpenSession4 sysconf s)"
using exec_event_def a4 a3 by simp
have "(s ∼ d ∼ s')"
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEEC_OP4")
case True
then have "s=fst(TEEC_OpenSession4 sysconf s)"
using TEEC_OpenSession4_def by auto
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_OP4)" by simp
then have b1:"current s=TEE sysconf" by simp
have b2:"(s ∼ d ∼ ?s0)" by auto
have b3:"(?s0 ∼ d ∼ s')"
proof(cases "d=TEE sysconf")
case True
show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
thus ?thesis using b2
using vpeq_transitive_lemma by blast
qed
}
then show ?thesis by blast
qed
lemma TEEC_OpenSession4_integrity_e:
"integrity_e (hyperc (TEEC_OPENSESSION4))"
using TEEC_OpenSession4_integrity integrity_e_def
by fastforce
subsection "Confidentiality"
lemma TEEC_InitializeContext_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_INITIALIZECONTEXT tn tctext)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
have "s'∼d∼t'"
proof -
let ?dom = "the (domain_of_event s a)"
let ?new_ree = "REE_state s"
let ?new_tee_ctx_list = "⦇ctx_fd = newContextFd s,reg_mem = False,session_list = []⦈#(tee_ctx_list ?new_ree)"
let ?new_REE_state = "?new_ree⦇tee_ctx_list := ?new_tee_ctx_list⦈"
let ?new_ree_t = "REE_state t"
let ?new_tee_ctx_list_t = "⦇ctx_fd = newContextFd t,reg_mem = False,session_list = []⦈#(tee_ctx_list ?new_ree_t)"
let ?new_REE_state_t = "?new_ree_t⦇tee_ctx_list := ?new_tee_ctx_list_t⦈"
have b1:"s'=fst (TEEC_InitializeContext sysconf s tn tctext)"
using p1 a7 exec_event_def by simp
have b2:"t'=fst (TEEC_InitializeContext sysconf t tn tctext)"
using p1 a8 exec_event_def by simp
show ?thesis
proof(cases "tctext =None ∨ tn≠TEE_name sysconf ∨current s≠REE sysconf ∨(exec_prime s≠[])")
case True
have c0:"current s =current t" using domain_of_event_def a4
using p1 by auto
have c1:"s'=s" using TEEC_InitializeContext_def p1
by (metis True b1 fstI)
have c2:"t'=t" using TEEC_InitializeContext_def p1 a4 c0 a31
by (metis True b2 fstI)
then show ?thesis using c1 c2 a3
by blast
next
case False
then have b3:"the (domain_of_event s a) = REE sysconf"
using domain_of_event_def p1 by force
have c00:"current s =current t" using domain_of_event_def a4 p1 by auto
have b31:"exec_prime t=[]"
using False a31 by auto
have c3:"s'=s⦇REE_state := ?new_REE_state⦈"
using TEEC_InitializeContext_def False REE_AddContext_def b1 by fastforce
have c4:"t'=t⦇REE_state := ?new_REE_state_t⦈"
using TEEC_InitializeContext_def False REE_AddContext_def b2 b31 c00 by auto
show ?thesis
proof(cases "is_TEE sysconf d")
case True
then have d1: "(s'∼d∼t') = (vpeq_TEE s' d t')" by auto
have d2: "tee_memories (TEE_state s') =tee_memories (TEE_state t')"
using True a5 b3 tee_no_ree by force
have d21: "ta_mgr (TEE_state s') =ta_mgr (TEE_state t')"
using True a5 b3 tee_no_ree by force
then show ?thesis using d1 d2 d21
by auto
next
case False
then show ?thesis
proof(cases "is_REE sysconf d")
case True
then have d3:"(s'∼d∼t') = (vpeq_REE s' d t')"
using False by auto
have d4: "ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using TEEC_InitializeContext_def REE_AddContext_def c3 by auto
have d5: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using TEEC_InitializeContext_def REE_AddContext_def c3 by auto
have d6: "ree_total_size(REE_state t) = ree_total_size (REE_state t')"
using TEEC_InitializeContext_def REE_AddContext_def c4 by auto
have d7: "driver_mem(REE_state t) = driver_mem(REE_state t')"
using TEEC_InitializeContext_def REE_AddContext_def c4 by auto
then show ?thesis using d3 d4 d5 d6 d7
using True a3 tee_no_ree by fastforce
next
case False
then have "is_TA sysconf d"
by (metis a5 b3 ins_no_intf_tee is_REE_def is_TA_def)
then show ?thesis using a5 b3
by (metis False ins_no_intf_tee interference1_def is_REE_def tee_no_ree)
qed
qed
qed
qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_InitializeContext_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_INITIALIZECONTEXT tn tctext))"
using TEEC_InitializeContext_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEEC_FinalizeContext_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_FINALIZECONTEXT tctext)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
have "s'∼d∼t'"
proof -
{
have b1:"s'=(TEEC_FinalizeContext sysconf s tctext)"
using exec_event_def p1 a7 by simp
have b2:"t'=(TEEC_FinalizeContext sysconf t tctext)"
using exec_event_def p1 a8 by simp
show ?thesis
proof(cases "tctext =None ∨current s≠REE sysconf ∨(exec_prime s≠[])")
case True
have c0:"current s =current t" using domain_of_event_def a4
using p1 by auto
have c1:"s'=s" using TEEC_FinalizeContext_def p1 b1
using True by presburger
have c2:"t'=t" using TEEC_FinalizeContext_def p1 a4 a31 b2 c0
using True by presburger
then show ?thesis using c1 c2 a3
by blast
next
case False
then have c3:"tctext≠None∧current s=REE sysconf ∧current t=REE sysconf
∧ exec_prime s=[]∧ exec_prime t=[]" using domain_of_event_def a4 a31 by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using c3 a5 interference1_def
by (metis domain_of_event_def ins_no_intf_tee option.sel tee_no_ree)
next
case False
then have c4:"d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then have c5:"(s'∼d∼t') = (vpeq_REE s' d t')" using c4 by auto
then show ?thesis
proof -
{
have d1:"ree_total_size(REE_state s) = ree_total_size (REE_state s')"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd s ?ca_fd"
let ?s1 = "foldl updateListForTEECCS s ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s1)"
using foldl_induct_rule2 by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"ree_total_size(REE_state ?s1) = ree_total_size (REE_state ?s2)"
using c2 by simp
then show ?thesis using c1 c3 b1
using TEEC_FinalizeContext_def by presburger
}
qed
have d2:"driver_mem(REE_state s) = driver_mem(REE_state s')"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd s ?ca_fd"
let ?s1 = "foldl updateListForTEECCS s ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"driver_mem(REE_state s) = driver_mem(REE_state ?s1)"
using foldl_induct_rule3 by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"driver_mem(REE_state ?s1) = driver_mem(REE_state ?s2)"
using c2 by simp
then show ?thesis
using c1 c3 b1 TEEC_FinalizeContext_def by presburger
}
qed
have d3:"ree_total_size(REE_state t) = ree_total_size (REE_state t')"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd t ?ca_fd"
let ?s1 = "foldl updateListForTEECCS t ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"ree_total_size(REE_state t) = ree_total_size (REE_state ?s1)"
using foldl_induct_rule2 by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"ree_total_size(REE_state ?s1) = ree_total_size (REE_state ?s2)"
using c2 by simp
then show ?thesis using c1 c3 b2
using TEEC_FinalizeContext_def by presburger
}
qed
have d4:"driver_mem(REE_state t) = driver_mem(REE_state t')"
proof -
{
let ?ca_fd = "ca_fd (the tctext)"
let ?IDlst = "REE_getDriverSessionByFd t ?ca_fd"
let ?s1 = "foldl updateListForTEECCS t ?IDlst"
let ?s2 = "REE_RemoveContext ?s1 ?ca_fd"
have c1:"driver_mem(REE_state t) = driver_mem(REE_state ?s1)"
using foldl_induct_rule3 by blast
have c2:"?s2 = ?s1⦇REE_state := (REE_state ?s1)⦇
tee_ctx_list := remove1 (getTEEcontextByFd ?s1 ?ca_fd) (tee_ctx_list (REE_state ?s1))
⦈
⦈" using REE_RemoveContext_def by simp
have c3:"driver_mem(REE_state ?s1) = driver_mem(REE_state ?s2)"
using c2 by simp
then show ?thesis
using c1 c3 b2 TEEC_FinalizeContext_def by presburger
}
qed
show ?thesis using d1 d2 d3 d4 c5 vpeq_REE_def True a3 c4 by fastforce
}
qed
next
case False
then have c6:"is_TA sysconf d" using is_TA_def c4 by auto
then show ?thesis using c3 a5 interference1_def domain_of_event_def tee_no_ree by simp
qed
qed
qed
}
qed
}
then show ?thesis using get_exec_prime_def by (smt (verit, best) Pair_inject)
qed
lemma TEEC_FinalizeContext_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_FINALIZECONTEXT tctext))"
using TEEC_FinalizeContext_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEEC_OpenSession1_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_OPENSESSION1 ctx1 ses1 id1 md str opt mem_t)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEEC_OpenSession1 sysconf s ctx1 ses1 id1 md str opt mem_t)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEEC_OpenSession1 sysconf t ctx1 ses1 id1 md str opt mem_t)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s≠REE sysconf∨(exec_prime s) ≠[]∨ctx1 = None∨ ses1 = None∨TEEC_pre_process_operation opt≠TEEC_SUCCESS")
case True
then show ?thesis using TEEC_pre_process_operation_def TEEC_OpenSession1_def
by (metis a3 a31 b1 b2 b3 fstI)
next
case False
have c1:"¬ (current s ≠ REE sysconf ∨ exec_prime s ≠ [] ∨ ctx1 = None ∨ ses1 = None ∨ TEEC_pre_process_operation opt ≠ TEEC_SUCCESS)"
using False by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using a5 interference1_def domain_of_event_def
by (metis c1 ins_no_intf_tee option.sel tee_no_ree)
next
case False
then have c2:"d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis
proof -
{
have d1:"(s'∼d∼t') = (vpeq_REE s' d t')"
using vpeq1_def True using c2 by fastforce
have d2:"ree_total_size(REE_state s) = ree_total_size (REE_state s')"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some id1,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c3:"s' = s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime s)⦈"
using TEEC_OpenSession1_def b1 c1 by auto
then show ?thesis by simp
}
qed
have d3:"driver_mem(REE_state s) = driver_mem (REE_state s')"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some id1,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c3:"s' = s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime s)⦈"
using TEEC_OpenSession1_def b1 c1 by auto
then show ?thesis by simp
}
qed
have d4:"ree_total_size(REE_state t) = ree_total_size (REE_state t')"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some id1,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c3:"t' = t⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime t)⦈"
using TEEC_OpenSession1_def b2 c1 b3 a31 by auto
then show ?thesis by simp
}
qed
have d5:"driver_mem(REE_state t) = driver_mem (REE_state t')"
proof -
{
let ?cli ="DefaultClientID"
let ?param = "⦇param1=Some id1,param2=None,param3=opt,
param4=Some ?cli,param5=ctx1,param6=None,param7=None,param8=None,param9=None
,param10=Some (fst mem_t),param11=Some (snd mem_t),param12=None, param13=None⦈"
have c3:"t' = t⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP2)#(exec_prime t)⦈"
using TEEC_OpenSession1_def b2 c1 b3 a31 by auto
then show ?thesis by simp
}
qed
show ?thesis using d1 d2 d3 d4 d5 vpeq_REE_def
using True a3 c2 by fastforce
}
qed
next
case False
then have "is_TA sysconf d" using c2 by auto
then show ?thesis using a5 interference1_def domain_of_event_def c1
using tee_no_ree by auto
qed
qed
qed
}
qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_OpenSession1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_OPENSESSION1 ctx1 ses1 id1 md str opt mem_t))"
using TEEC_OpenSession1_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEEC_OpenSession2_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_OPENSESSION2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a32:"ta_mgr(TEE_state s) =ta_mgr(TEE_state t) "
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?exec_t = "exec_prime t"
let ?p = "fst (hd (?exec))"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?cli = "the (param4 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?memt0 = "(the (param10 ?p),the (param11 ?p))"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEEC_OpenSession2 sysconf s)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEEC_OpenSession2 sysconf t)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEEC_OP2")
case True
then have z1:"s=fst(TEEC_OpenSession2 sysconf s)"
using TEEC_OpenSession2_def by auto
have z2:"t=fst(TEEC_OpenSession2 sysconf t)"
using TEEC_OpenSession2_def True a31 b3 by auto
show ?thesis
using z1 z2 b1 b2 a3 by argo
next
case False
then have b4:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_OP2)" by simp
then have b5:"current s=TEE sysconf" by simp
have final:"s'∼ d ∼ t'"
proof -
{
let ?r1="newSessionId ?s0"
let ?ses_id = "fst ?r1"
let ?s1="addMgrSession ?s0 ?ses_id"
let ?attr = "findInstanceATTRInMgr ?s1 ?uuid"
let ?load_result = "LoadNewTA sysconf ?s1 ?uuid ?opt ?ses_id ?cli ?ctx1 ?memt0"
let ?r1_t="newSessionId ?t0"
let ?ses_id_t = "fst ?r1_t"
let ?t1="addMgrSession ?t0 ?ses_id_t"
let ?attr_t = "findInstanceATTRInMgr ?t1 ?uuid"
let ?load_result_t = "LoadNewTA sysconf ?t1 ?uuid ?opt ?ses_id_t ?cli ?ctx1 ?memt0"
let ?s2 = "fst ?load_result"
let ?t2 = "fst ?load_result_t"
let ?ls1="fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)"
let ?lt1="fst(addMgrInstance ?t1 sysconf ?uuid ?ses_id_t)"
let ?tid="snd((addMgrInstance ?s1 sysconf ?uuid ?ses_id))"
let ?tid_t="snd((addMgrInstance ?t1 sysconf ?uuid ?ses_id_t))"
let ?memtl = "TEE_pre_process ?memt0 ?tid"
let ?memtlft = "TEE_pre_process ?memt0 ?tid_t"
let ?ls2 = "TA_Memory_Init ?ls1 sysconf bin_mem_size ?tid"
let ?lt2 = "TA_Memory_Init ?lt1 sysconf bin_mem_size ?tid_t"
let ?size1 =bin_mem_size
let ?smid = "(let
new_total = (tee_total_size (TEE_state ?ls1)) -?size1;
new_memList = ⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈#(tee_memories(TEE_state ?ls1));
s1 = ?ls1⦇TEE_state:=(TEE_state ?ls1)
⦇tee_total_size := new_total, tee_memories := new_memList,
ta_mgr:=ta_mgr(TEE_state ?ls1)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?ls1))+1 ⦈⦈⦈ in s1)"
let ?tmid = "(let
new_total = (tee_total_size (TEE_state ?lt1)) -?size1;
new_memList = ⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈#(tee_memories(TEE_state ?lt1));
s1 = ?lt1⦇TEE_state:=(TEE_state ?lt1)
⦇tee_total_size := new_total, tee_memories := new_memList,
ta_mgr:=ta_mgr(TEE_state ?lt1)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?lt1))+1 ⦈⦈⦈ in s1)"
let ?ls3 = "InitMgrSession (fst ?ls2) ?cli ?ses_id ?tid"
let ?lt3 = "InitMgrSession (fst ?lt2) ?cli ?ses_id_t ?tid_t"
let ?ls4 = "?ls3⦇current:=?tid,exec_prime:=(⦇param1=Some ?tid,param2=Some ?ses_id,param3=Some ?opt,param4=None,param5=Some ?ctx1
,param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?memtl),param11=Some(snd ?memtl),param12=None, param13=None⦈,TEEC_OP3)#(exec_prime ?ls3)⦈"
let ?lt4 = "?lt3⦇current:=?tid_t,exec_prime:=(⦇param1=Some ?tid_t,param2=Some ?ses_id_t,param3=Some ?opt,param4=None,param5=Some ?ctx1
,param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?memtlft),param11=Some(snd ?memtlft),param12=None, param13=None⦈,TEEC_OP3)#(exec_prime ?lt3)⦈"
let ?ins_lst =" (mgr_ta_instances (ta_mgr (TEE_state ?s0)))"
let ?ins_lst_t =" (mgr_ta_instances (ta_mgr (TEE_state ?t0)))"
let ?cur_instance =" (SOME a. a∈set ?ins_lst ∧ ta_id a = ?uuid)"
let ?cur_instance_t =" (SOME a. a∈set ?ins_lst_t ∧ ta_id a = ?uuid)"
let ?cnt = "(reference_cnt ?cur_instance)"
let ?b = "busy ?cur_instance"
let ?tid1 = "cur_ta_thread_id ?cur_instance"
let ?tid1_t = "cur_ta_thread_id ?cur_instance_t"
let ?memt1 = "TEE_pre_process ?memt0 ?tid1"
let ?memtft = "TEE_pre_process ?memt0 ?tid1_t"
let ?param = "⦇param1=Some ?tid1,param2=Some ?ses_id,param3=Some ?opt,param4=None,param5=Some ?ctx1,
param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?memt1),param11=Some(snd ?memt1),param12=None, param13=None⦈"
let ?param_t = "⦇param1=Some ?tid1_t,param2=Some ?ses_id_t,param3=Some ?opt,param4=None,param5=Some ?ctx1,
param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?memtft),param11=Some(snd ?memtft),param12=None, param13=None⦈"
let ?s3="plusRefInstance ?s1 ?uuid"
let ?s4="InitMgrSession ?s3 ?cli ?ses_id ?tid1"
let ?s5="setBusyInstance ?s4 ?uuid"
let ?s6="?s5⦇current:=?tid1,exec_prime:=(?param,TEEC_OP3)#(exec_prime ?s5)⦈"
let ?t3="plusRefInstance ?t1 ?uuid"
let ?t4="InitMgrSession ?t3 ?cli ?ses_id_t ?tid1"
let ?t5="setBusyInstance ?t4 ?uuid"
let ?t6="?t5⦇current:=?tid1_t,exec_prime:=(?param,TEEC_OP3)#(exec_prime ?t5)⦈"
have e2:"newMemBlockID3 ?ls1 =newMemBlockID3 ?lt1"
using a32 addMgrSession_not_change_BID addMgrInstance_not_change_BID
using newMemBlockID3_def by fastforce
have e22:"BIDpointer(ta_mgr(TEE_state ?ls1)) = BIDpointer(ta_mgr(TEE_state ?lt1))"
using a32 addMgrSession_not_change_BID addMgrInstance_not_change_BID
using newMemBlockID3_def by fastforce
have e23:"BIDpointer(ta_mgr(TEE_state ?smid)) = BIDpointer(ta_mgr(TEE_state ?ls1)) +1" by auto
have e24:"BIDpointer(ta_mgr(TEE_state ?tmid)) = BIDpointer(ta_mgr(TEE_state ?lt1)) +1" by auto
have e3:"newMemBlockID3 ?smid=newMemBlockID3 ?tmid" using e22 newMemBlockID3_def e23 e24
by presburger
have a9:"ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a32 by auto
have a91:"ta_mgr(TEE_state ?s0) = ta_mgr(TEE_state ?t0)" using a9 by simp
have a10:"?r1=?r1_t" using newSessionId_def a9 by simp
have c11:"ta_mgr(TEE_state ?s1) = ta_mgr(TEE_state ?t1)" using a9 a10 addMgrSession_def by simp
have c12:"tee_memories (TEE_state ?s1) = tee_memories (TEE_state ?s0)"using addMgrSession_def by simp
have c13:"tee_memories (TEE_state ?t1) = tee_memories (TEE_state ?t0)" using addMgrSession_def by auto
have c2:"?attr=?attr_t"
proof -
{
have c21:"(∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid)
=(∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?t1))) ∧ ta_id a = ?uuid) "
using c11 by auto
show ?thesis
proof(cases "∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid")
case True
have z1:"?attr=(Some (attribute (SOME a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid)))"
using findInstanceATTRInMgr_def True
proof -
obtain tt :: TA_INSTANCE_CTX_TYPE where
f1: "the (param1 (fst (hd (exec_prime s)))) = ta_id tt ∧ tt ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (s⦇exec_prime := tl (exec_prime s)⦈) (fst (newSessionId (s⦇exec_prime := tl (exec_prime s)⦈)))))))"
by (metis (no_types) True)
then have "(if ∀t. ¬ (t ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (s⦇exec_prime := tl (exec_prime s)⦈) (fst (newSessionId (s⦇exec_prime := tl (exec_prime s)⦈))))))) ∧ ta_id t = ta_id tt) then None else Some (attribute (SOME t. t ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (s⦇exec_prime := tl (exec_prime s)⦈) (fst (newSessionId (s⦇exec_prime := tl (exec_prime s)⦈))))))) ∧ ta_id t = ta_id tt))) = Some (attribute (SOME t. t ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (s⦇exec_prime := tl (exec_prime s)⦈) (fst (newSessionId (s⦇exec_prime := tl (exec_prime s)⦈))))))) ∧ ta_id t = the (param1 (fst (hd (exec_prime s))))))"
by force
then show ?thesis
using f1 by (simp add: findInstanceATTRInMgr_def)
qed
have z2:"?attr_t=(Some (attribute (SOME a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?t1))) ∧ ta_id a = ?uuid)))"
using findInstanceATTRInMgr_def True a10
proof -
obtain tt :: TA_INSTANCE_CTX_TYPE where
f1: "the (param1 (fst (hd (exec_prime t)))) = ta_id tt ∧ tt ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (t⦇exec_prime := tl (exec_prime t)⦈) (fst (newSessionId (t⦇exec_prime := tl (exec_prime t)⦈)))))))" using a10
using True a31 c11 by force
then have "(if ∀t1. ¬ (t1 ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (t⦇exec_prime := tl (exec_prime t)⦈) (fst (newSessionId (t⦇exec_prime := tl (exec_prime t)⦈))))))) ∧ ta_id t1 = ta_id tt) then None else Some (attribute (SOME t1. t1 ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (t⦇exec_prime := tl (exec_prime t)⦈) (fst (newSessionId (t⦇exec_prime := tl (exec_prime t)⦈))))))) ∧ ta_id t1 = ta_id tt))) = Some (attribute (SOME t1. t1 ∈ set (mgr_ta_instances (ta_mgr (TEE_state (addMgrSession (t⦇exec_prime := tl (exec_prime t)⦈) (fst (newSessionId (t⦇exec_prime := tl (exec_prime t)⦈))))))) ∧ ta_id t1 = the (param1 (fst (hd (exec_prime t))))))"
by force
then show ?thesis
using f1 findInstanceATTRInMgr_def
using c11 z1 by presburger
qed
then show ?thesis using z1 z2 c11 by simp
next
case False
have z1:"?attr = None" using findInstanceATTRInMgr_def False by simp
have z2:"?attr_t=None" using findInstanceATTRInMgr_def False c21 by simp
then show ?thesis using z1 z2 by auto
qed
}
qed
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have d1:"d=TEE sysconf" by simp
have d2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" using d1 by simp
have c0:"vpeq_TEE ?s0 d ?t0" using vpeq_TEE_def a9 a3 d1 by fastforce
have c01:"{x ∈ set (tee_memories (TEE_state ?s0)). block_id x = 0} = {x ∈ set (tee_memories (TEE_state ?t0)). block_id x = 0}" using c0 vpeq_TEE_def by blast
have c14:"{x ∈ set (tee_memories (TEE_state ?s1)). block_id x = 0}
= {x ∈ set (tee_memories (TEE_state ?t1)). block_id x = 0}" using c12 c13 c01 by auto
have d3:"vpeq_TEE ?s1 d ?t1" using vpeq_TEE_def c11 c14 by blast
have c1:"?s1 =?s0⦇TEE_state :=(TEE_state ?s0)⦇ta_mgr:=
(ta_mgr (TEE_state ?s0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?s0)))
⦈⦈⦈" using addMgrSession_def by simp
have c1t:"?t1 =?t0⦇TEE_state :=(TEE_state ?t0)⦇ta_mgr:=
(ta_mgr (TEE_state ?t0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id_t,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?t0)))
⦈⦈⦈" using addMgrSession_def by simp
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_TEE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TEE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z13:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z14:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z15:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)}" using z13 z14
using addMgrInstance_not_change_TEE_mem c14 by presburger
have z16:"vpeq_TEE (fst ?ls2) d (fst ?lt2)" using z15 by simp
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ (block_id x=0)}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TEE ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TEE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TEE (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_TEE (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_TEE (?ls4) d (?s2)" using LoadNewTA_def False z20
State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive
by (smt (verit, best))
have z23:"vpeq_TEE (?lt4) d (?t2)" using LoadNewTA_def False z200
State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive a10
by (smt (verit, best))
have z24:"vpeq_TEE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def b4 ioctrl_def z1
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEEC_OpenSession2_def b1 b4 ioctrl_def z1 z2 z3
by (smt (z3) Eps_cong State.fold_congs(6) old.prod.inject prod.collapse)
have z5:"t'=?t0" using TEEC_OpenSession2_def b2 b4 ioctrl_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_TEE ?s3 d ?s1" using plusRefInstance_not_change_TEE_mem by auto
have z8:"vpeq_TEE ?s4 d ?s3" using InitMgrSession_not_change_TEE_mem by auto
have z9:"vpeq_TEE ?s5 d ?s4" using setBusyInstance_not_change_TEE_mem by auto
have z10:"vpeq_TEE ?s6 d ?s5" using a113 by simp
have z71:"vpeq_TEE ?t3 d ?t1" using plusRefInstance_not_change_TEE_mem by auto
have z81:"vpeq_TEE ?t4 d ?t3" using InitMgrSession_not_change_TEE_mem by auto
have z91:"vpeq_TEE ?t5 d ?t4" using setBusyInstance_not_change_TEE_mem by auto
have z101:"vpeq_TEE ?t6 d ?t5" using a113 by simp
have z11:"vpeq_TEE ?s6 d s" using z7 z8 z9 z10 c12 by auto
have z111:"vpeq_TEE ?t6 d t" using z71 z81 z91 z101 c13 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def b1 b4 fst_conv ioctrl_def z1 z2 z6)
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl_def z1 z2 z6 a10)
have z16:"vpeq_TEE s d t" using a3 d1 vpeq1_def by simp
then show ?thesis using z14 z15 z11 z111 a3 d1 z16 by simp
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_TEE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TEE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z13:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z14:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z15:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)}" using z13 z14
using addMgrInstance_not_change_TEE_mem c14 by presburger
have z16:"vpeq_TEE (fst ?ls2) d (fst ?lt2)" using z15 by simp
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ (block_id x=0)}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TEE ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TEE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TEE (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_TEE (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_TEE (?ls4) d (?s2)" using LoadNewTA_def False z20
by (smt (verit,best) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive)
have z23:"vpeq_TEE (?lt4) d (?t2)" using LoadNewTA_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive)
have z24:"vpeq_TEE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def c2 b4 ioctrl_def z1 z222
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2 z222
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
next
case False
then have d0: "d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then have d1:"d=REE sysconf" by simp
have d2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using d1 vpeq1_def False by auto
have c0:"vpeq_REE ?s0 d ?t0" using vpeq_REE_def d1 a3 False by auto
have c1:"?s1 =?s0⦇TEE_state :=(TEE_state ?s0)⦇ta_mgr:=
(ta_mgr (TEE_state ?s0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?s0)))
⦈⦈⦈" using addMgrSession_def by simp
have c1t:"?t1 =?t0⦇TEE_state :=(TEE_state ?t0)⦇ta_mgr:=
(ta_mgr (TEE_state ?t0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id_t,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?t0)))
⦈⦈⦈" using addMgrSession_def by simp
have d3:"vpeq_REE ?s1 d ?t1" using vpeq_TEE_def c0 c1 c1t by fastforce
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_REE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_REE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_REE addMgrInstance_def a10
by (smt (verit, del_insts) State.select_convs(3) State.surjective State.update_convs(2) State.update_convs(4) fst_conv vpeq_REE_def)
have z14:"REE_state (fst ?ls2)=REE_state ( ?ls1)" using TA_Memory_Init_not_change_REE by simp
have z15:"REE_state (fst ?lt2)=REE_state ( ?lt1)" using TA_Memory_Init_not_change_REE by simp
have z16:"vpeq_REE (fst ?ls2) d (fst ?lt2)" using z14 z15 e1 by auto
have z18:"vpeq_REE ( ?ls3) d ( ?lt3)" using z16 InitMgrSession_not_change_REE by auto
have z19:"vpeq_REE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_REE (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_REE (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_REE (?ls4) d (?s2)" using LoadNewTA_def False z20
State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z23:"vpeq_REE (?lt4) d (?t2)" using LoadNewTA_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z24:"vpeq_REE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def b4 ioctrl_def z1
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEEC_OpenSession2_def b1 b4 ioctrl_def z1 z2 z3
by (smt (z3) Eps_cong State.fold_congs(6) old.prod.inject prod.collapse)
have z5:"t'=?t0" using TEEC_OpenSession2_def b2 b4 ioctrl_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_REE ?s3 d ?s1" using plusRefInstance_not_change_REE by auto
have z8:"vpeq_REE ?s4 d ?s3" using InitMgrSession_not_change_REE by auto
have z9:"vpeq_REE ?s5 d ?s4" using setBusyInstance_not_change_REE by auto
have z10:"vpeq_REE ?s6 d ?s5" using a113 by simp
have z71:"vpeq_REE ?t3 d ?t1" using plusRefInstance_not_change_REE by auto
have z81:"vpeq_REE ?t4 d ?t3" using InitMgrSession_not_change_REE by auto
have z91:"vpeq_REE ?t5 d ?t4" using setBusyInstance_not_change_REE by auto
have z101:"vpeq_REE ?t6 d ?t5" using a113 by simp
have c21:"vpeq_REE ?s1 d s" using addMgrSession_not_change_REE addMgrSession_def a114 by simp
have c31:"vpeq_REE ?t1 d t" using addMgrSession_not_change_REE addMgrSession_def a114 by simp
have z11:"vpeq_REE ?s5 d s" using z7 z8 z9 z10 c21 by auto
have z111:"vpeq_REE ?t5 d t" using z71 z81 z91 z101 c31 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def b1 b4 fst_conv ioctrl_def z1 z2 z6)
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl_def z1 z2 z6 a10)
have z16:"vpeq_REE s d t" using a3 d1 vpeq1_def d0 by simp
then show ?thesis using z14 z15 z11 z111 a3 d1 z16 d0 by simp
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_REE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_REE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_REE addMgrInstance_def a10
by (smt (verit, del_insts) State.select_convs(3) State.surjective State.update_convs(2) State.update_convs(4) fst_conv vpeq_REE_def)
have z14:"REE_state (fst ?ls2)=REE_state ( ?ls1)" using TA_Memory_Init_not_change_REE by simp
have z15:"REE_state (fst ?lt2)=REE_state ( ?lt1)" using TA_Memory_Init_not_change_REE by simp
have z16:"vpeq_REE (fst ?ls2) d (fst ?lt2)" using z14 z15 e1 by auto
have z18:"vpeq_REE ( ?ls3) d ( ?lt3)" using z16 InitMgrSession_not_change_REE InitMgrSession_def by auto
have z19:"vpeq_REE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_REE (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_REE (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_REE (?ls4) d (?s2)" using LoadNewTA_def False z20 Load_TA_Service_def
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z23:"vpeq_REE (?lt4) d (?t2)" using LoadNewTA_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z24:"vpeq_REE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def c2 b4 ioctrl_def z1 z222
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2 z222
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
next
case False
then have d1:"is_TA sysconf d" using d0 is_TA_def by auto
have d2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" using d1 by simp
have c0:"vpeq_TA ?s0 d ?t0" using vpeq_TA_def a9 a3 d1 by fastforce
have c01:"{x ∈ set (tee_memories (TEE_state ?s0)). ownership x = d} = {x ∈ set (tee_memories (TEE_state ?t0)). ownership x = d}" using c0 vpeq_TA_def by blast
have c14:"{x ∈ set (tee_memories (TEE_state ?s1)). ownership x = d}
= {x ∈ set (tee_memories (TEE_state ?t1)). ownership x = d}" using c12 c13 c01 by auto
have d3:"vpeq_TA ?s1 d ?t1" using vpeq_TA_def c11 c14 by blast
have c1:"?s1 =?s0⦇TEE_state :=(TEE_state ?s0)⦇ta_mgr:=
(ta_mgr (TEE_state ?s0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?s0)))
⦈⦈⦈" using addMgrSession_def by simp
have c1t:"?t1 =?t0⦇TEE_state :=(TEE_state ?t0)⦇ta_mgr:=
(ta_mgr (TEE_state ?t0))⦇mgr_ta_sessions:=
⦇session_id=?ses_id_t,session_ctx=DefaultThreadID,client_id=DefaultClientID⦈#(mgr_ta_sessions (ta_mgr (TEE_state ?t0)))
⦈⦈⦈" using addMgrSession_def by simp
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_TA ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TA ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z111:"?tid=newInstancethread ?s1" using addMgrInstance_def
by (metis snd_conv)
have z112:"?tid_t=newInstancethread ?t1" using addMgrInstance_def
by (metis snd_conv)
have z113:"?tid=?tid_t" using z111 z112 newInstancethread_def c11 by simp
have z16:"vpeq_TA (fst ?ls2) d (fst ?lt2)"
proof -
{
show ?thesis
proof(cases "d≠?tid")
case True
have z161:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True by blast
have z162:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True a10 z113 by fastforce
show ?thesis using z161 z162 e1 by simp
next
case False
have z163:"(fst ?ls2)=(let new_total1 = (tee_total_size (TEE_state ?smid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?smid));
s2 =?smid⦇TEE_state:=(TEE_state ?smid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?smid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?smid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z164:"(fst ?lt2)=(let new_total1 = (tee_total_size (TEE_state ?tmid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?tmid));
s2 =?tmid⦇TEE_state:=(TEE_state ?tmid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?tmid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?tmid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z165:"⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈ =
⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈" using z113 e2 by simp
have z166:"⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈=
⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈" using z113 e3 by simp
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
then show ?thesis using z163 z164 z113 e1 False z166 z167 by auto
qed
}qed
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ ownership x = d}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TA ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TA (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TA (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_TA (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_TA (?ls4) d (?s2)" using LoadNewTA_def False z20 Load_TA_Service_def
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z23:"vpeq_TA (?lt4) d (?t2)" using LoadNewTA_def False z200 Load_TA_Service_def
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z24:"vpeq_TA (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def b4 ioctrl_def z1
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEEC_OpenSession2_def b1 b4 ioctrl_def z1 z2 z3
by (smt (z3) Eps_cong State.fold_congs(6) old.prod.inject prod.collapse)
have z5:"t'=?t0" using TEEC_OpenSession2_def b2 b4 ioctrl_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_TA ?s3 d ?s1" using plusRefInstance_not_change_TEE_mem by auto
have z8:"vpeq_TA ?s4 d ?s3" using InitMgrSession_not_change_TEE_mem by auto
have z9:"vpeq_TA ?s5 d ?s4" using setBusyInstance_not_change_TEE_mem by auto
have z10:"vpeq_TA ?s6 d ?s5" using a113 by simp
have z71:"vpeq_TA ?t3 d ?t1" using plusRefInstance_not_change_TEE_mem by auto
have z81:"vpeq_TA ?t4 d ?t3" using InitMgrSession_not_change_TEE_mem by auto
have z91:"vpeq_TA ?t5 d ?t4" using setBusyInstance_not_change_TEE_mem by auto
have z101:"vpeq_TA ?t6 d ?t5" using a113 by simp
have z11:"vpeq_TA ?s5 d s" using z7 z8 z9 z10 c12 by auto
have z111:"vpeq_TA ?t5 d t" using z71 z81 z91 z101 c13 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def b1 b4 fst_conv ioctrl_def z1 z2 z6)
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEEC_OpenSession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl_def z1 z2 z6 a10)
have z16:"vpeq_TA s d t" using a3 d1 vpeq1_def by auto
show ?thesis using z14 z15 z16 z11 z111 d2 by simp
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_TA ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA_def True by auto
have z4:"?t2=?t1" using LoadNewTA_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have z9:"(let attr = getATTRfromBin sysconf ?uuid;
ctid = (newInstancethread ?s1) in
⦇ta_id=?uuid,cur_ta_session_list=[?ses_id],reference_cnt=1,
busy=True,cur_ta_thread_id=ctid,attribute=attr⦈) =
(let attr = getATTRfromBin sysconf ?uuid;
ctid = (newInstancethread ?t1) in
⦇ta_id=?uuid,cur_ta_session_list=[?ses_id_t],reference_cnt=1,
busy=True,cur_ta_thread_id=ctid,attribute=attr⦈)" using a10
using c11 newInstancethread_def by auto
have e1:"vpeq_TA ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z111:"?tid=newInstancethread ?s1" using addMgrInstance_def
by (metis snd_conv)
have z112:"?tid_t=newInstancethread ?t1" using addMgrInstance_def
by (metis snd_conv)
have z113:"?tid=?tid_t" using z111 z112 newInstancethread_def c11 by simp
have z16:"vpeq_TA (fst ?ls2) d (fst ?lt2)"
proof -
{
show ?thesis
proof(cases "d≠?tid")
case True
have z161:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True by blast
have z162:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True a10 z113 by fastforce
show ?thesis using z161 z162 e1 by simp
next
case False
have z163:"(fst ?ls2)=(let new_total1 = (tee_total_size (TEE_state ?smid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?smid));
s2 =?smid⦇TEE_state:=(TEE_state ?smid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?smid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?smid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z164:"(fst ?lt2)=(let new_total1 = (tee_total_size (TEE_state ?tmid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?tmid));
s2 =?tmid⦇TEE_state:=(TEE_state ?tmid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?tmid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?tmid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z165:"⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈ =
⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈" using z113 e2 by simp
have z166:"⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈=
⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈" using z113 e3 by simp
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
then show ?thesis using z163 z164 z113 e1 False z166 z167 by auto
qed
}qed
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ ownership x = d}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TA ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TA (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TA (?ls3) d (?ls4)" using LoadNewTA_def False a113 by simp
have z200:"vpeq_TA (?lt3) d (?lt4)" using LoadNewTA_def False a113 by simp
have z22:"vpeq_TA (?ls4) d (?s2)" using LoadNewTA_def False z20 Load_TA_Service_def
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z23:"vpeq_TA (?lt4) d (?t2)" using LoadNewTA_def False z200 Load_TA_Service_def
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z24:"vpeq_TA (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEEC_OpenSession2_def c2 b4 ioctrl_def z1 z222
by (smt (z3) State.fold_congs(6))
have c5:"t'=?t2" using b2 TEEC_OpenSession2_def a31 b3 b4 ioctrl_def z1 c2 z222
by (smt (z3) State.fold_congs(6))
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
qed
qed
}
qed
then show ?thesis by blast
qed
}qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_OpenSession2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_OPENSESSION2))"
using TEEC_OpenSession2_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEEC_OpenSession3_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_OPENSESSION3 sid)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?ses_id = "the (param2 ?p)"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?s1 = "initTAProcess ?s0 ?opt ?uuid ?ses_id"
let ?ta_ses= "(TA_sessions(the((TAs_state s) ?uuid)))"
let ?init1="(TA_instance_init(the((TAs_state s) ?uuid)))"
let ?s2 ="TA_OpenSessionEntryPoint sysconf ?s1 ?opt ?uuid"
let ?exec_t = "exec_prime s"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
let ?t1 = "initTAProcess ?t0 ?opt ?uuid ?ses_id"
let ?ta_ses_t= "(TA_sessions(the((TAs_state t) ?uuid)))"
let ?init1_t="(TA_instance_init(the((TAs_state t) ?uuid)))"
let ?t2 ="TA_OpenSessionEntryPoint sysconf ?t1 ?opt ?uuid"
let ?param="⦇param1=Some ?uuid,param2=Some ?ses_id,param3=None,param4=None,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=Some TEEC_SUCCESS, param13=None⦈"
let ?s5= "?s2⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP4)#(exec_prime ?s2)⦈"
let ?t5= "?t2⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_OP4)#(exec_prime ?t2)⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEEC_OpenSession3 sysconf s sid)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEEC_OpenSession3 sysconf t sid)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "?exec = []∨snd (hd ?exec)≠TEEC_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s")
case True
then have c1:"?exec = []∨snd (hd ?exec)≠TEEC_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s" by simp
have c2:"s'=s" using c1 b1 TEEC_OpenSession3_def by auto
have c3:"t'=t" using c1 b2 TEEC_OpenSession3_def a31 b3 by auto
then show ?thesis using a3 c2 c3 by blast
next
case False
then have c4:"¬(?exec = []∨snd (hd ?exec)≠TEEC_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s)" by simp
then have c5:"is_TA sysconf (current s)" using is_TA_def by blast
show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using a5 c5 by auto
next
case False
then have c6:"d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using a5 c5 by auto
next
case False
then have c7:"is_TA sysconf d" using is_TA_def c6 by blast
show ?thesis
proof(cases "d=current s")
case False
then show ?thesis using a5 domain_of_event_def c5 interference1_def by auto
next
case True
then have c71:"d=current s" by simp
then have c72:"d=?uuid" using c4 by simp
have c73:"(s'∼d∼t') = (vpeq_TA s' d t')" using c7 by auto
have c74:"vpeq_TA s d t" using c7 a3 by fastforce
have c8:"{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
proof -
{
have d1:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s0))∧ (ownership x=d)}"
by simp
have d2:"{x. x∈set(tee_memories (TEE_state ?s0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have d3:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}" using d1 d2 vpeq_TA_def
by presburger
have d4:"{x. x∈set(tee_memories (TEE_state ?t0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by simp
have d5:"{x. x∈set(tee_memories (TEE_state ?t0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
proof(cases "(∃a. a∈set(?ta_ses_t)∧a=?ses_id)")
case True
then have "?t1=?t0" using initTAProcess_def a31 b3 by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1_t =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have d6:"{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}" using d4 d5 vpeq_TA_def
by presburger
have d7:"vpeq_TA ?s1 d ?t1" using d3 d6 vpeq_TA_def c74 by simp
have d8:"{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t2))∧ (ownership x=d)}"
using d7 OpenSessionEntryPoint_not_change_mem by auto
have d12:"s'=?s5"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEEC_OpenSession3_def c4 b1 fst_conv)
have d13:"vpeq_TA s' d ?s2"
using d12 vpeq_TA_def by auto
have d17:"t'=?t5"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEEC_OpenSession3_def c4 b3 b2 a31 fst_conv)
have d18:"vpeq_TA t' d ?t2"
using d17 vpeq_TA_def by auto
show ?thesis using d8 d13 d18 by simp
}qed
show ?thesis using c73 c8 by simp
qed
qed
qed
qed
}qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_OpenSession3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_OPENSESSION3 sid))"
using TEEC_OpenSession3_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEEC_OpenSession4_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_OPENSESSION4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?exec_t = "exec_prime t"
let ?p = "fst (hd (?exec))"
let ?sesid = "the (param2 ?p)"
let ?tid1 = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?res = "the (param12 ?p)"
let ?memt0 = "(the (param10 ?p),the (param11 ?p))"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
let ?sa= "MgrPostOperation ?s0 ?tid1"
let ?ta= "MgrPostOperation ?t0 ?tid1"
let ?param="⦇param1=Some ?sesid,param2=Some ?tid1,param3=None,param4=Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=None, param13=None⦈"
let ?s1="?sa⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_CS2)#(exec_prime ?sa)⦈"
let ?t1="?ta⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_CS2)#(exec_prime ?ta)⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEEC_OpenSession4 sysconf s)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEEC_OpenSession4 sysconf t)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEEC_OP4")
case True
then have z1:"s=fst(TEEC_OpenSession4 sysconf s)"
using TEEC_OpenSession4_def by auto
have z2:"t=fst(TEEC_OpenSession4 sysconf t)"
using TEEC_OpenSession4_def True a31 b3 by auto
show ?thesis
using z1 z2 b1 b2 a3 by argo
next
case False
then have b4:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_OP4)" by simp
then have b5:"current s=TEE sysconf" by simp
show ?thesis
proof(cases "?res=TEEC_SUCCESS")
case True
have b7 :"?res=TEEC_SUCCESS" using True by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have c1:"d=TEE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" by simp
have c3:"vpeq_TEE ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TEE ?sa d ?ta" using c3 a3 c1 c31 c32 by auto
have c5:"?sa=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?ta=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c0:"d≠TEE sysconf" by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then have c1:"d=REE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using c0 by simp
have c3:"vpeq_REE ?s0 d ?t0" using a3 c1 c0 by auto
have c31:"REE_state ?sa = REE_state ?s0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c32:"REE_state ?ta = REE_state ?t0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c4:"vpeq_REE ?sa d ?ta" using c3 a3 c1 c0 c31 c32 by auto
have c5:"?sa=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?ta=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c1:"is_TA sysconf d" using is_TA_def c0 by auto
then have c2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" by simp
have c3:"vpeq_TA ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TA ?sa d ?ta" using c3 a3 c1 c31 c32 by auto
have c5:"?sa=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?ta=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
qed
qed
next
case False
have b7:"?res≠TEEC_SUCCESS" using False by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have c1:"d=TEE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" by simp
have c3:"vpeq_TEE ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TEE ?s1 d ?t1" using c3 a3 c1 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c0:"d≠TEE sysconf" by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then have c1:"d=REE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using c0 by simp
have c3:"vpeq_REE ?s0 d ?t0" using a3 c1 c0 by auto
have c31:"REE_state ?sa = REE_state ?s0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c32:"REE_state ?ta = REE_state ?t0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c4:"vpeq_REE ?s1 d ?t1" using c3 a3 c1 c0 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c1:"is_TA sysconf d" using is_TA_def c0 by auto
then have c2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" by simp
have c3:"vpeq_TA ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TA ?s1 d ?t1" using c3 a3 c1 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEEC_OpenSession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEEC_OpenSession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
qed
qed
qed
qed
} qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_OpenSession4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_OPENSESSION4))"
using TEEC_OpenSession4_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
section "TEEC_InvokeCommand proof"
subsection "TEEC_InvokeCommand1"
lemma TEEC_InvokeCommand1_integrity :
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?sesin = "isSessionInREECtxList (tee_ctx_list (REE_state s)) (the ses_id)"
let ?param = "⦇param1=ses_id,param2=Some time_out,param3=None,param4=None,param5=None,
param6=Some cmd_id,param7=Some in_params,param8=Some out_params,param9=None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef),
param12=None, param13=None⦈"
let ?s1 = "s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_IC2)#(exec_prime s)⦈"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef)}}"
using p1 exec_event_def
by auto
have a4_1: "s' = fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ REE sysconf ∨ (exec_prime s) ≠[] ∨ (ses_id = None∨(findSesCliTid s (the ses_id)) = None) ∨ ?sesin = False")
case True
then have "s = s'" using TEEC_InvokeCommand1_def a4_1
by (smt (z3) fstI)
then show ?thesis by auto
next
case False
then have b1: "¬(current s ≠ REE sysconf ∨ (exec_prime s) ≠[] ∨ (ses_id = None∨(findSesCliTid s (the ses_id)) = None) ∨ ?sesin = False)"
by metis
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "vpeq1 s d s' = vpeq_TEE s d s'"
using p1 vpeq1_def by fastforce
have f2: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s1)"
by simp
have f3: "ta_mgr (TEE_state s) =ta_mgr (TEE_state ?s1)"
by auto
have f4: "fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEEC_InvokeCommand1_def b1 prod.exhaust_sel)
have f5: "s' = ?s1"
using a4_1 f4 by blast
have f6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using f2 f4 f5 by blast
have f7: "ta_mgr (TEE_state s) =ta_mgr (TEE_state s')"
using f3 f4 f5 by blast
have f8: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
using f1 by auto
have f9: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}∧
ta_mgr (TEE_state s) =ta_mgr (TEE_state s')"
using f6 f7 by fastforce
then show ?thesis
using f8 vpeq_TEE_def by blast
}
qed
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "ree_total_size(REE_state s) = ree_total_size (REE_state ?s1)"
by simp
have e3: "driver_mem(REE_state s) = driver_mem(REE_state ?s1)"
by simp
have e4: "fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEEC_InvokeCommand1_def b1 prod.exhaust_sel)
have e5: "s' = ?s1" using a4_1 e4
by blast
have e6: "ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using e2 e4 e5 by blast
have e7: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e3 e4 e5 by blast
have e8: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using e1 by auto
have e9: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e6 e7)
then show ?thesis
by (metis e8 vpeq_REE_def)
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False True p2 by blast
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have d2: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s1)"
by simp
have d3: "fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEEC_InvokeCommand1_def b1 prod.exhaust_sel)
have d4: "s' = ?s1" using a4_1 d3 by blast
have d5: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using d2 d4
by blast
have d6: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using d1 by auto
have d7: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using d5 by fastforce
then show ?thesis
using d6 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by blast
}
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_InvokeCommand1_integrity_e:
"integrity_e (hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef))"
using TEEC_InvokeCommand1_integrity integrity_e_def get_exec_prime_def
proof -
have f1: "∀e. integrity_e e = (∀n s sa. (¬ reachable0 s ∨ ¬ non_interference (the (domain_of_event s e)) n ∨ (s, sa) ∉ exec_event e) ∨ s ∼ n ∼ sa)"
using integrity_e_def by blast
have "∀n s sa. ¬ reachable0 s ∨ ¬ the (domain_of_event s (hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef))) ∖↝ n ∨ (s, sa) ∉ exec_event (hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef)) ∨ s ∼ n ∼ sa"
using TEEC_InvokeCommand1_integrity by presburger
then show ?thesis
using f1 non_interference1_def non_interference_def by blast
qed
lemma TEEC_InvokeCommand1_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51:"ta_mgr (TEE_state s) =ta_mgr (TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?sesin = "isSessionInREECtxList (tee_ctx_list (REE_state s)) (the ses_id)"
let ?param = "⦇param1=ses_id,param2=Some time_out,param3=None,param4=None,param5=None,
param6=Some cmd_id,param7=Some in_params,param8=Some out_params,param9=None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef),
param12=None, param13=None⦈"
let ?s1 = "s⦇current:=TEE sysconf,exec_prime:=(?param,TEEC_IC2)#(exec_prime s)⦈"
let ?sesin_t = "isSessionInREECtxList (tee_ctx_list (REE_state t)) (the ses_id)"
let ?param_t = "⦇param1=ses_id,param2=Some time_out,param3=None,param4=None,param5=None,
param6=Some cmd_id,param7=Some in_params,param8=Some out_params,param9=None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef),
param12=None, param13=None⦈"
let ?t1 = "t⦇current:=TEE sysconf,exec_prime:=(?param_t,TEEC_IC2)#(exec_prime t)⦈"
have a10: "s' = fst (TEEC_InvokeCommand1 sysconf s ses_id time_out cmd_id in_params out_params memBlock_memRef)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_InvokeCommand1 sysconf t ses_id time_out cmd_id in_params out_params memBlock_memRef)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have a14: "(findSesCliTid s (the ses_id)) = (findSesCliTid t (the ses_id))" using a51 findSesCliTid_def by simp
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ REE sysconf ∨ (exec_prime s) ≠[]
∨ (ses_id = None∨(findSesCliTid s (the ses_id)) = None)")
case True
have d1:"current t ≠ REE sysconf ∨ (exec_prime t) ≠[]
∨ (ses_id = None∨(findSesCliTid t (the ses_id)) = None)" using a5 a14 True a12 by auto
have b1:"s'=s" using a10 TEEC_InvokeCommand1_def True by simp
have b2:"t'=t" using a11 TEEC_InvokeCommand1_def d1 by simp
then show ?thesis using b1 b2 a3 by blast
next
case False
have d2:"¬(current s ≠ REE sysconf ∨ (exec_prime s) ≠[]
∨ (ses_id = None∨(findSesCliTid s (the ses_id)) = None))" using False by simp
have d3:"¬(current t ≠ REE sysconf ∨ (exec_prime t) ≠[]
∨ (ses_id = None∨(findSesCliTid t (the ses_id)) = None))" using a5 a14 d2 a12 by auto
show ?thesis
proof (cases "?sesin = False")
case True
have b3:"s'=s" using True d2 TEEC_InvokeCommand1_def a10 by simp
show ?thesis
proof (cases "?sesin_t = False")
case True
have b4:"t'=t" using True d2 TEEC_InvokeCommand1_def a11 by simp
show ?thesis using a3 b3 b4 by blast
next
case False
have d4:"¬(?sesin_t = False)" using False by simp
have b5:"t'=?t1" using d3 d4 TEEC_InvokeCommand1_def a11 by auto
show ?thesis
proof (cases "d=TEE sysconf")
case True
then show ?thesis using vpeq_TEE_def b3 b5 a3 by auto
next
case False
have d5:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
then show ?thesis using vpeq_REE_def b3 b5 a3 by auto
next
case False
have d6:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
then show ?thesis using vpeq_TA_def b3 b5 a3 by auto
next
case False
have d7:"¬(is_TA sysconf d)" using False by simp
show ?thesis using vpeq1_def d7 d6 d5 by simp
qed
qed
qed
qed
next
case False
have d8:"¬(?sesin = False)" using False by simp
have b6:"s'=?s1" using d2 d8 TEEC_InvokeCommand1_def a10 by auto
show ?thesis
proof (cases "?sesin_t = False")
case True
have b7:"t'=t" using True TEEC_InvokeCommand1_def a11 by auto
show ?thesis
proof (cases "d=TEE sysconf")
case True
then show ?thesis using vpeq_TEE_def b6 b7 a3 by auto
next
case False
have d9:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
then show ?thesis using vpeq_REE_def b6 b7 a3 by auto
next
case False
have d10:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
then show ?thesis using vpeq_TA_def b6 b7 a3 by auto
next
case False
then show ?thesis using d8 d9 d10 vpeq1_def by auto
qed
qed
qed
next
case False
have d11:"¬(?sesin_t = False)" using False by simp
have b8:"t'=?t1" using d11 d3 TEEC_InvokeCommand1_def a11 by auto
then show ?thesis using b6 a3 by auto
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_InvokeCommand1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_INVOKECOMMAND1 ses_id time_out cmd_id in_params out_params memBlock_memRef))"
using TEEC_InvokeCommand1_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def
by (smt (z3))
subsection "TEEC_InvokeCommand2"
lemma TEEC_InvokeCommand2_integrity:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "tee_invokeTACommand_TEEDomain2 sysconf ?s_rev_event ?ses_id ?time_out ?cmd_id ?in_params ?out_params"
let ?s_state = "fst ?s_invoke"
let ?s_origin = "fst(snd ?s_invoke)"
let ?s_code = "fst(snd (snd ?s_invoke))"
let ?s_params = "(snd (snd (snd ?s_invoke)))"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_InvokeCommand2 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_InvokeCommand2 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC2")
case True
then have "s = s'" using TEEC_InvokeCommand2_def a4_1
by (smt (verit, best) prod.collapse prod.inject)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
have d1: "¬(current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC2)"
using False by auto
have d2: "?s_state = fst (TEEC_InvokeCommand2 sysconf s)"
using TEEC_InvokeCommand2_def a4_1 d1
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d3: "?s_state = s'"
by (simp add: a4_1 d2)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 d1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_state)"
using ree_total_size_tee_invokeTACommand_TEEDomain2 by auto
have e5: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_state)"
by (metis e3 e4)
have e6: "?s_state = s'"
by (simp add: d3)
have e7: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e6 by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_state)"
using driver_mem_tee_invokeTACommand_TEEDomain2 by auto
have e10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_state)"
using e9 by auto
have e11: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e6 e10 by simp
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e11 e7)
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have e3: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state s)"
by simp
have e2: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_state)"
using tee_memories_tee_invokeTACommand_TEEDomain2 by blast
have e4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_state)"
by (metis e2 e3)
have e5: "?s_state = s'"
by (simp add: d3)
have e6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using e4 e5 by simp
have e7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using e1 by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
by (simp add: e6)
then show ?thesis using e8
using e7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_InvokeCommand2_integrity_e:
"integrity_e (hyperc (TEEC_INVOKECOMMAND2))"
using TEEC_InvokeCommand2_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEEC_InvokeCommand2_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "tee_invokeTACommand_TEEDomain2 sysconf ?s_rev_event ?ses_id ?time_out ?cmd_id ?in_params ?out_params"
let ?s_state = "fst ?s_invoke"
let ?s_origin = "fst(snd ?s_invoke)"
let ?s_code = "fst(snd (snd ?s_invoke))"
let ?s_params = "(snd (snd (snd ?s_invoke)))"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?t_invoke = "tee_invokeTACommand_TEEDomain2 sysconf ?t_rev_event ?ses_id_t ?time_out_t ?cmd_id_t ?in_params_t ?out_params_t"
let ?t_state = "fst ?t_invoke"
let ?t_origin = "fst(snd ?t_invoke)"
let ?t_code = "fst(snd (snd ?t_invoke))"
let ?t_params = "(snd (snd (snd ?t_invoke)))"
have a10: "s' = fst (TEEC_InvokeCommand2 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_InvokeCommand2 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC2")
case True
have b1: "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC2"
using True by auto
have b2: "current t ≠ TEE sysconf ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEEC_IC2"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEEC_InvokeCommand2_def a10
by (smt (z3) fstI)
have b4: "t = t'"
using b2 TEEC_InvokeCommand2_def a11
by (smt (z3) fstI)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "¬(current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC2)"
using False by auto
have d2: "?s_state = fst (TEEC_InvokeCommand2 sysconf s)"
using TEEC_InvokeCommand2_def a10 d1
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d3: "?s_state = s'"
by (simp add: a10 d2)
have d4: "¬(current t ≠ TEE sysconf ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEEC_IC2)"
using a12 a5 d1 by auto
have d5: "?t_state = fst (TEEC_InvokeCommand2 sysconf t)"
using TEEC_InvokeCommand2_def a11 d4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d6: "?t_state = t'"
by (simp add: a11 d5)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_state))∧ (block_id x=0)}"
using tee_memories_tee_invokeTACommand_TEEDomain2 by auto
have h8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_state))∧ (block_id x=0)}"
using h6 h7 by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_state))∧ (block_id x=0)}"
using tee_memories_tee_invokeTACommand_TEEDomain2 by auto
have h11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_state))∧ (block_id x=0)}"
using h10 h9 by blast
have h12: "{x. x∈set(tee_memories (TEE_state ?s_state))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: d3)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_state))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d6 by blast
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h8 h11 h12 h13 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_state)"
using ree_total_size_tee_invokeTACommand_TEEDomain2 by meson
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_state)"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_state)"
using ree_total_size_tee_invokeTACommand_TEEDomain2 by auto
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_state)"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_state)"
using driver_mem_tee_invokeTACommand_TEEDomain2 by auto
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g16: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_state)"
using driver_mem_tee_invokeTACommand_TEEDomain2 by auto
have g17: "driver_mem(REE_state s) = driver_mem(REE_state ?s_state)"
using g14 by auto
have g18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_state)"
using g16 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_state)"
by (simp add: d3)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_state)"
by (simp add: d6)
have g21: "driver_mem(REE_state ?s_state) = driver_mem(REE_state ?t_state)"
using g13 g14 g15 g16 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g21 g19 g20 by presburger
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_state)"
by (simp add: d3)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_state)"
by (simp add: d6)
have g25: "ree_total_size(REE_state ?s_state) = ree_total_size(REE_state ?t_state)"
using g10 g11 g5 g9 by presburger
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g23 g24 g25 by presburger
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False True d8 vpeq1_def by presburger
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d8 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f8: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_state))∧ (ownership x=d)}"
using tee_memories_tee_invokeTACommand_TEEDomain2 by force
have f9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_state))∧ (ownership x=d)}"
using tee_memories_tee_invokeTACommand_TEEDomain2 by auto
have f10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_state))∧ (ownership x=d)}"
using f6 f8 by presburger
have f11: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_state))∧ (ownership x=d)}"
using f7 f9 by blast
have f12: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_state))∧ (ownership x=d)}"
by (simp add: d3)
have f13: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_state))∧ (ownership x=d)}"
by (simp add: d6)
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f10 f12 f13 f5 f7 f9 by presburger
then show ?thesis using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_InvokeCommand2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_INVOKECOMMAND2))"
using TEEC_InvokeCommand2_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEEC_InvokeCommand3"
lemma TEEC_InvokeCommand3_integrity:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND3)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?serverID = "findSesServTid s ?sesID"
let ?server_tid = "the(findSesServTid s ?sesID)"
let ?curServTaState = "(TAs_state s) (the ?serverID)"
let ?curServSessList = "TA_sessions (the ?curServTaState)"
let ?isSessIdInSessList = "isSessIdInTaInsSessList ?curServSessList ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "TA_InvokeCommandEntryPoint sysconf ?s_rev_event ?cmd_id ?server_tid"
let ?s_postOps = "TEE_MgrPostOps ?s_invoke ?server_tid"
let ?post_param_ops = "TEE_post_param_operation ?in_params"
let ?param_error = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_ERROR_BAD_PARAMETERS, param13=None⦈"
let ?s_error_ret = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_error, TEEC_IC4)"
let ?param_success = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_SUCCESS, param13=None⦈"
let ?s_success_ret = "setCurDomainAndEvent ?s_postOps (TEE sysconf) (?param_success, TEEC_IC4)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_InvokeCommand3 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_InvokeCommand3 sysconf s)"
using a3 a4 by blast
have "(s ∼ d ∼ s')"
proof(cases "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3")
case True
have k1: "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3"
using True by auto
have k2: "s' = s" using TEEC_InvokeCommand3_def a4_1 k1
by (smt (z3) fstI)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
have k3: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3)"
using False by auto
then show ?thesis
proof(cases "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None")
case True
have k4: "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None"
using True by auto
then have b1: "s' = ?s_error_ret" using TEEC_InvokeCommand3_def a4_1 k4 k3
by (smt (z3) State.fold_congs(6) a4_1 old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: p5)
have e2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have e3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have e4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_error_ret)"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using b1 e1 by auto
}
qed
next
case False
have p6: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p7: "d = REE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using p6 p7 by auto
have f2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have f3: "ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by auto
have f4: "ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have f5: "driver_mem (REE_state s) = driver_mem (REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have f6: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by blast
then show ?thesis
using b1 f1 f2 f3 f4 f5 by presburger
}
qed
next
case False
have p8: "d ≠ REE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p9: "is_TA sysconf d"
using True by auto
then show ?thesis
proof-
{
have g1: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
by (meson p6 p8 p9 vpeq1_def)
have g2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have g3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have g4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_error_ret)"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using b1 g1 by force
}
qed
next
case False
have p10: "¬(is_TA sysconf d)"
using False by auto
have p11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using p10 p6 p8 by auto
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = True"
using is_TA_def p10 p6 p8 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
then have b2: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3 ∨ ?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using k3 by auto
have b3: "s' = ?s_success_ret"
by (smt (z3) State.unfold_congs(6) TEEC_InvokeCommand3_def a4_1 b2 fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p0: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have h1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: p0)
have h2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have h3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have h4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE
by presburger
have h5: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
proof-
{
have h5_0: "?s_postOps = TEE_MgrPostOps ?s_invoke ?server_tid"
by simp
have h5_1: "TEE_MgrPostOps ?s_invoke ?server_tid = setTaInsBusyByThreadId ?s_invoke ?server_tid False"
by (simp add: TEE_MgrPostOps_def)
have h5_2: "tee_memories (TEE_state ?s_invoke) = tee_memories (TEE_state (setTaInsBusyByThreadId ?s_invoke ?server_tid False))"
using tee_memories_setTaInsBusy
by simp
then show ?thesis
by (simp add: TEE_MgrPostOps_def)
}
qed
have h6: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using TA_InvokeCommandEntryPoint_not_change_TEE b3 h1 h5 by force
}
qed
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have i1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True p2 by auto
have i2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have i3: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have i4: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint
by auto
have i5: "ree_total_size(REE_state ?s_invoke) = ree_total_size(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have i5_1: "ree_total_size(REE_state ?s_postOps) = ree_total_size(REE_state ?s_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have i6: "ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using b3 i3 i4 i5 i5_1
by auto
have i7: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have i8: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have i9: "driver_mem(REE_state ?s_invoke) = driver_mem(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have i9_1: "driver_mem(REE_state ?s_postOps) = driver_mem(REE_state ?s_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have i10: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using b3 i7 i8 i9 i9_1
by auto
then show ?thesis
using i1 i6 i10
by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof(cases "d = current s")
case True
have tmp1: "d = current s"
by (simp add: True)
then show ?thesis
using a2 p5 tmp1 by auto
next
case False
have tmp2: "d ≠ current s"
by (simp add: False)
then show ?thesis
proof-
{
have d0: "current s = ?server_tid"
using b2 by auto
have d1: "?server_tid ≠ d"
using d0 tmp2 by auto
have d2: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
by (meson p5 vpeq1_def)
have d3: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have d4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by simp
have d5: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_not_change_other_TA
using d0 tee_memories_TA_InvokeCommandEntryPoint tmp2 by presburger
have d6: "tee_memories (TEE_state ?s_invoke) = tee_memories (TEE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def tee_memories_setTaInsBusy)
have d7: "tee_memories (TEE_state ?s_postOps) = tee_memories (TEE_state ?s_success_ret)"
by (simp add: tee_memories_setCurDomainAndEvent)
then show ?thesis
using b3 d2 d5 d6 d7 by auto
}
qed
qed
next
case False
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by blast
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_InvokeCommand3_integrity_e:
"integrity_e (hyperc (TEEC_INVOKECOMMAND3))"
using TEEC_InvokeCommand3_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEEC_InvokeCommand3_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND3)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a52: "TAs_state s =TAs_state t "
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?serverID = "findSesServTid s ?sesID"
let ?server_tid = "the(findSesServTid s ?sesID)"
let ?curServTaState = "(TAs_state s) (the ?serverID)"
let ?curServSessList = "TA_sessions (the ?curServTaState)"
let ?isSessIdInSessList = "isSessIdInTaInsSessList ?curServSessList ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "TA_InvokeCommandEntryPoint sysconf ?s_rev_event ?cmd_id ?server_tid"
let ?s_postOps = "TEE_MgrPostOps ?s_invoke ?server_tid"
let ?post_param_ops = "TEE_post_param_operation ?in_params"
let ?param_error = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_ERROR_BAD_PARAMETERS, param13=None⦈"
let ?s_error_ret = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_error, TEEC_IC4)"
let ?param_success = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_SUCCESS, param13=None⦈"
let ?s_success_ret = "setCurDomainAndEvent ?s_postOps (TEE sysconf) (?param_success, TEEC_IC4)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?serverID_t = "findSesServTid t ?sesID_t"
let ?server_tid_t = "the(findSesServTid t ?sesID_t)"
let ?curServTaState_t = "(TAs_state t) (the ?serverID_t)"
let ?curServSessList_t = "TA_sessions (the ?curServTaState_t)"
let ?isSessIdInSessList_t = "isSessIdInTaInsSessList ?curServSessList_t ?sesID_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?t_invoke = "TA_InvokeCommandEntryPoint sysconf ?t_rev_event ?cmd_id_t ?server_tid_t"
let ?t_postOps = "TEE_MgrPostOps ?t_invoke ?server_tid_t"
let ?post_param_ops_t = "TEE_post_param_operation ?in_params_t"
let ?param_error_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_ERROR_BAD_PARAMETERS, param13=None⦈"
let ?t_error_ret = "setCurDomainAndEvent ?t_rev_event (TEE sysconf) (?param_error_t, TEEC_IC4)"
let ?param_success_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=Some TEEC_SUCCESS, param13=None⦈"
let ?t_success_ret = "setCurDomainAndEvent ?t_postOps (TEE sysconf) (?param_success_t, TEEC_IC4)"
have a10: "s' = fst (TEEC_InvokeCommand3 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_InvokeCommand3 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?sesID = ?sesID_t"
by (simp add: a5)
have a15: "?serverID = ?serverID_t"
using mgr_ta_sessions_findSesServTid
by (metis a13 a5)
have a16: "?ses_id = ?ses_id_t"
by (simp add: a5)
have a17: "?cmd_id = ?cmd_id_t"
by (simp add: a5)
have a18: "?isSessIdInSessList = ?isSessIdInSessList_t" using a52 isSessIdInTaInsSessList_def
using a15 a5 by auto
have "(s' ∼ d ∼ t')"
proof(cases "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3")
case True
have k1: "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3"
using True by blast
have k2: "?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEEC_IC3"
using a12 a15 a5 k1 by auto
have k3: "s' = s"
using TEEC_InvokeCommand3_def k1 a10
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
have k4: "t' = t"
using TEEC_InvokeCommand3_def k2 a11
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
using a3 k3 by blast
next
case False
have k5: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3)"
using False by auto
have k6: "¬(?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEEC_IC3)"
using a12 a15 a5 k5 by auto
then show ?thesis
proof(cases "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None")
case True
have b1: "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None"
using True by auto
have b2: "?ses_id_t = None ∨ ?cmd_id_t = None ∨ ?isSessIdInSessList_t ≠ True ∨ ?serverID_t = None"
using a12 a5 b1 a15 a18 by auto
have b3: "s' = ?s_error_ret"
using TEEC_InvokeCommand3_def b1 a10 k5
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
have b4: "t' = ?t_error_ret"
using TEEC_InvokeCommand3_def b2 a11 k6
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d6: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have i1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d6)
have i2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have i3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d6)
have i4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have i5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 i3 i4 by blast
have i6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have i7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_error_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have i8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have i9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_error_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have i10: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using i6 i7 i8 i9 b3 b4 i5 by blast
then show ?thesis
using i1 i2 by blast
}
qed
next
case False
have d8: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j6: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j6_1: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have j7: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j7_1: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have j8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j8_1: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by auto
have j9: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j9_1: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by blast
have j10: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?t_rev_event)"
by (metis a3 j3 j4 j8 j9)
have j11: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
by (metis j5 j6 j7)
have j12: "ree_total_size(REE_state ?s_error_ret) = ree_total_size(REE_state s')"
by (simp add: b3)
have j13: "ree_total_size(REE_state ?t_error_ret) = ree_total_size(REE_state t')"
by (simp add: b4)
have j14: "driver_mem(REE_state ?s_error_ret) = driver_mem(REE_state s')"
by (simp add: b3)
have j15: "driver_mem(REE_state ?t_error_ret) = driver_mem(REE_state t')"
by (simp add: b4)
have j16: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j10 j11 j12 j13 j14 j15
using j6_1 j7_1 j8_1 j9_1 by presburger
then show ?thesis
using j1 by auto
}
qed
next
case False
then have d10: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d8 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False True d8 vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 by auto
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_error_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have k8: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_error_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 k8 k9 by blast
then show ?thesis
using b4 b3 d11 k1 k2 k7 k9 by presburger
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d10 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have e2: "vpeq1 s' d t' = True"
using False d10 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have p1: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEEC_IC3 ∨ ?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using False k5 by auto
have p2: "s' = ?s_success_ret"
by (smt (verit, best) False Pair_inject State.surjective State.update_convs(6) TEEC_InvokeCommand3_def a10 p1 surjective_pairing)
have p3: "¬(?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEEC_IC3 ∨ ?ses_id_t = None ∨ ?cmd_id_t = None ∨ ?isSessIdInSessList_t ≠ True ∨ ?serverID_t = None)"
using a12 a15 a18 a5 p1 by auto
have p4: "t' = ?t_success_ret"
using a11 TEE_InvokeTACommand3_def a12 a15 a5 p3
by (smt (verit, best) False Pair_inject State.surjective State.update_convs(6) TEEC_InvokeCommand3_def a10 p1 surjective_pairing)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have g1: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
using g1 by fastforce
have l2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have l3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: g1)
have l4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have l5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 l3 l4 by blast
have l6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by force
have l7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE by auto
have l8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by fastforce
have l8_1: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have l9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by force
have l10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE by auto
have l11: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by fastforce
have l11_1: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have l12: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
using l6 l7 l8 by blast
have l13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}"
using l10 l11 l9 by presburger
have l14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using l12 l13 l2 l5 p2 p4 l11_1 l8_1 by presburger
then show ?thesis
using l1 l2 by blast
}
qed
next
case False
then have g2: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have g3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using g2 by auto
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True g2 by auto
have m2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True g2 by auto
have m4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by (meson vpeq_REE_def)
have m5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 m3 by auto
have m6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 m3 by auto
have m7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have m8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint by auto
have m9: "ree_total_size(REE_state ?s_invoke) = ree_total_size(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have m10: "ree_total_size(REE_state ?s_postOps) = ree_total_size(REE_state ?s_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have m10_sree: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_success_ret)"
using m8 m9 m10 by auto
have m7_t: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have m8_t: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint by auto
have m9_t: "ree_total_size(REE_state ?t_invoke) = ree_total_size(REE_state ?t_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have m10_t: "ree_total_size(REE_state ?t_postOps) = ree_total_size(REE_state ?t_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have m10_sree: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_success_ret)"
using m8_t m9_t m10_t by auto
have m11: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by blast
have m12: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have m13: "driver_mem(REE_state ?s_invoke) = driver_mem(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have m13_1: "driver_mem(REE_state ?s_postOps) = driver_mem(REE_state ?s_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have m14: "driver_mem(REE_state s) = driver_mem(REE_state ?s_success_ret)"
using m12 m13 m13_1 by auto
have m11_t: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by blast
have m12_t: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have m13_t: "driver_mem(REE_state ?t_invoke) = driver_mem(REE_state ?t_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have m13_t_1: "driver_mem(REE_state ?t_postOps) = driver_mem(REE_state ?t_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have m14_t: "driver_mem(REE_state t) = driver_mem(REE_state ?t_postOps)"
using m12_t m13_t by auto
have m15: "driver_mem(REE_state s') = driver_mem(REE_state ?s_success_ret)"
by (simp add: p2)
have m16: "driver_mem(REE_state t') = driver_mem(REE_state ?t_success_ret)"
by (simp add: p4)
have m17: "driver_mem(REE_state ?s_success_ret) = driver_mem(REE_state ?t_success_ret)"
using m11_t m12_t m13_t m13_t_1 m14 m6 by presburger
have m18: "driver_mem(REE_state s') = driver_mem(REE_state t')"
by (simp add: m15 m16 m17)
have m19: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_success_ret)"
by (simp add: p2)
have m20: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_success_ret)"
by (simp add: p4)
have m21: "ree_total_size(REE_state ?s_success_ret) = ree_total_size(REE_state ?t_success_ret)"
using m10 m10_t m5 m7 m7_t m8 m8_t m9 m9_t by presburger
have m22: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: m18 m19 m20 m21)
then show ?thesis
using m1 by auto
}
qed
next
case False
then have g4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: g2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have g5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)" by simp
then show ?thesis
proof(cases "d ≠ ?server_tid")
case True
have f9_1: "d ≠ ?server_tid" using True by simp
have f9_2: "d ≠ ?server_tid_t" using True
using a15 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson g5 vpeq1_def)
have n2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using g5 by auto
have n4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have n5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 n3 n4 by blast
have n6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have n7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using f9_1 tee_memories_TA_InvokeCommandEntryPoint by auto
then show ?thesis
by auto
}
qed
have n8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by auto
have n8_1: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have n9: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have n10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}"
using f9_2 tee_memories_TA_InvokeCommandEntryPoint by auto
have n11: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by auto
have n11_1: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have n12: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using n10 n11 n9 n11_1 by presburger
then show ?thesis
using n1 n2 n5 n6 n7 n8 n8_1 p2 p4 by blast
}
qed
next
case False
have f10_1: "d = ?server_tid" using False by simp
have f10_2: "d = ?server_tid_t" using False
using a15 by auto
have f11_1: "d = current s"
by (metis False p1)
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 g5 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
by (meson g5 vpeq1_def)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using a3 f12 by blast
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by force
have m9: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have m11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using m7 m8 tee_memories_setCurDomainAndEvent by force
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by force
have m15: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using m13 m14 tee_memories_setCurDomainAndEvent by force
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
by (simp add: p2)
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
by (simp add: p4)
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19
using m11 m17 m5 by presburger
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using g4 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False g4 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_InvokeCommand3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_INVOKECOMMAND3))"
using TEEC_InvokeCommand3_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEEC_InvokeCommand4"
lemma TEEC_InvokeCommand4_integrity:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?teec_ret_code = "param12 ?p"
let ?tee_ret_code = "param13 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?param_call_closeSession = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code, param13=?tee_ret_code⦈"
let ?s_call_closeSession = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_call_closeSession, TEEC_CS2)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_InvokeCommand4 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_InvokeCommand4 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf")
case True
then have "s' = s" using TEEC_InvokeCommand4_def a4_1
by (smt (verit, best) prod.collapse prod.inject)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
have d1: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf)"
using False by auto
then show ?thesis
proof(cases "?teec_ret_code ≠ (Some TEEC_SUCCESS)")
case True
have d1_1: "?teec_ret_code ≠ (Some TEEC_SUCCESS)"
by (simp add: True)
have d2: "?s_call_closeSession = fst (TEEC_InvokeCommand4 sysconf s)"
using TEEC_InvokeCommand4_def a4_1 d1 d1_1
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d4: "s' = ?s_call_closeSession"
by (simp add: a4_1 d2)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 d1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have e5: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_call_closeSession)"
by (metis e3 e4)
have e6: "?s_call_closeSession = s'"
by (simp add: d4)
have e7: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e6 by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by auto
have e10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_call_closeSession)"
using e9 by auto
have e11: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e6 e10 by simp
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e11 e7)
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have e3: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state s)"
by simp
have e2: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_call_closeSession)"
using tee_memories_setCurDomainAndEvent by auto
have e4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_call_closeSession)"
by (metis e2 e3)
have e5: "?s_call_closeSession = s'"
by (simp add: d4)
have e6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using e4 e5 by simp
have e7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using e1 by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
by (simp add: e6)
then show ?thesis using e8
using e7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have p7_1: "?teec_ret_code = (Some TEEC_SUCCESS)"
using False by auto
have p7: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf ∨ (?teec_ret_code ≠ (Some TEEC_SUCCESS)))"
using False d1 by auto
have p8: "s' = ?s_rev_event"
using p7 a4_1 TEEC_InvokeCommand4_def
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 d1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
using e3 e8 p8 by auto
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have e7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using e1 by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using p8 by force
then show ?thesis using e8
using e7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_InvokeCommand4_integrity_e:
"integrity_e (hyperc (TEEC_INVOKECOMMAND4))"
using TEEC_InvokeCommand4_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEEC_InvokeCommand4_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_INVOKECOMMAND4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?teec_ret_code = "param12 ?p"
let ?tee_ret_code = "param13 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?param_call_closeSession = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code, param13=?tee_ret_code⦈"
let ?s_call_closeSession = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_call_closeSession, TEEC_CS2)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?teec_ret_code_t = "param12 ?p_t"
let ?tee_ret_code_t = "param13 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?param_call_closeSession_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code_t, param13=?tee_ret_code_t⦈"
let ?t_call_closeSession = "setCurDomainAndEvent ?t_rev_event (TEE sysconf) (?param_call_closeSession_t, TEEC_CS2)"
have a10: "s' = fst (TEEC_InvokeCommand4 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_InvokeCommand4 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have "(s' ∼ d ∼ t')"
proof(cases "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf")
case True
have b1: "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf"
using True by auto
have b2: "(exec_prime t) =[] ∨ snd (hd (exec_prime t)) ≠ TEEC_IC4 ∨ current t ≠ TEE sysconf"
by (metis a12 a5 b1)
have b3: "s = s'"
using b1 TEEC_InvokeCommand4_def a10
by (smt (z3) fstI)
have b4: "t = t'"
using b2 TEEC_InvokeCommand4_def a11
by (smt (z3) fstI)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEEC_IC4 ∨ current s ≠ TEE sysconf)"
using False by auto
have d2: "¬((exec_prime t) =[] ∨ snd (hd (exec_prime t)) ≠ TEEC_IC4 ∨ current t ≠ TEE sysconf)"
using a12 a5 d1 by auto
then show ?thesis
proof(cases "?teec_ret_code ≠ (Some TEEC_SUCCESS)")
case True
have p3: "?teec_ret_code ≠ (Some TEEC_SUCCESS)"
by (simp add: True)
have p4: "?teec_ret_code_t ≠ (Some TEEC_SUCCESS)"
using a5 p3 by auto
have p5: "?s_call_closeSession = fst (TEEC_InvokeCommand4 sysconf s)"
using TEEC_InvokeCommand4_def a10 d1 p3
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p6: "?s_call_closeSession = s'"
by (simp add: a10 p5)
have p7: "?t_call_closeSession = fst (TEEC_InvokeCommand4 sysconf t)"
using TEEC_InvokeCommand4_def a10 d2 p4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p8: "?t_call_closeSession = t'"
by (simp add: a11 p7)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have h8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}"
using h6 h7 by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have h11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}"
using h10 h9 by blast
have h12: "{x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: p6)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: p8)
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h8 h11 h12 h13 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_call_closeSession)"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_call_closeSession)"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by blast
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g16: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by auto
have g17: "driver_mem(REE_state s) = driver_mem(REE_state ?s_call_closeSession)"
using g14 by auto
have g18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_call_closeSession)"
using g16 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_call_closeSession)"
by (simp add: p6)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_call_closeSession)"
by (simp add: p8)
have g21: "driver_mem(REE_state ?s_call_closeSession) = driver_mem(REE_state ?t_call_closeSession)"
using g13 g14 g15 g16 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g21 g19 g20 by presburger
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_call_closeSession)"
by (simp add: p6)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_call_closeSession)"
by (simp add: p8)
have g25: "ree_total_size(REE_state ?s_call_closeSession) = ree_total_size(REE_state ?t_call_closeSession)"
using g10 g11 g5 g9 by presburger
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g23 g24 g25 by presburger
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False True d8 vpeq1_def by presburger
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d8 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f8: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have f9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have f10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
using f6 f8 by presburger
have f11: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
using f7 f9 by blast
have f12: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
by (simp add: p6)
have f13: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
by (simp add: p8)
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f10 f12 f13 f5 f7 f9 by presburger
then show ?thesis using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have p3: "?teec_ret_code = (Some TEEC_SUCCESS)"
using False by auto
have p4: "?teec_ret_code_t = (Some TEEC_SUCCESS)"
using a5 p3 by auto
have p5: "?s_rev_event = fst (TEEC_InvokeCommand4 sysconf s)"
using TEEC_InvokeCommand4_def a10 d1 p3
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p6: "?s_rev_event = s'"
by (simp add: a10 p5)
have p7: "?t_rev_event = fst (TEEC_InvokeCommand4 sysconf t)"
using TEEC_InvokeCommand4_def a10 d2 p4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p8: "?t_rev_event = t'"
by (simp add: a11 p7)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h12: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: p6)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: p8)
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h12 h13 h5 h6 h9 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_rev_event)"
by (simp add: p6)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_rev_event)"
by (simp add: p8)
have g21: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?t_rev_event)"
by (metis g13 g15 g6)
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g21 g19 g20 by presburger
have g25: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
using g10 g5 g7 by linarith
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g25 p6 p8 by auto
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False True d8 vpeq1_def by presburger
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d8 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f12: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by (simp add: p6)
have f13: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by (simp add: p8)
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f12 f13 f5 f6 f7 by blast
then show ?thesis using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_InvokeCommand4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_INVOKECOMMAND4))"
using TEEC_InvokeCommand4_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
section "TEEC_CloseSession proof"
subsection "TEEC_CloseSession1"
lemma TEEC_CloseSession1_integrity:
assumes p1: "a = hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?clientTid = "findSesCliTid s (the ses_id)"
let ?sesin = "isSessionInREECtxList (tee_ctx_list (REE_state s)) (the ses_id)"
let ?s_rev_event = "s⦇exec_prime := tl (exec_prime s)⦈"
let ?s1 = "removeSessionInContext ?s_rev_event fd (the ses_id)"
let ?pre_param_ops = "TEE_pre_param_operation (Some in_params)"
let ?taIns = "getTAInsCtx ?s1 (the ?clientTid)"
let ?taId_cli = "ta_id ?taIns"
let ?ca = "DefaultClientID"
let ?nextFuncStepParam = "⦇param1 = ses_id, param2 = None, param3 = None, param4 = Some ?ca,
param5 = None, param6 =None, param7 =Some in_params, param8 =Some out_params,
param9 = None,param10=None, param11=None, param12=None, param13=None⦈"
let ?s2 = "?s1⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS2)#(exec_prime ?s1)⦈"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_CloseSession1 sysconf s fd ses_id in_params out_params)}}"
using p1 exec_event_def
by auto
have a4_1: "s' = fst (TEEC_CloseSession1 sysconf s fd ses_id in_params out_params)"
using a3 a4 by auto
have a4_2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have "(s ∼ d ∼ s')"
proof(cases "(ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1)")
case True
have b1: "(ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1)"
using True by blast
have b3: "s = s'"
using b1 TEEC_CloseSession1_def a4_1
by (smt (z3) fstI)
then show ?thesis by auto
next
case False
have d1: "¬((ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1))"
using False by auto
have d2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
then show ?thesis
proof(cases "?sesin = False")
case True
have d1_1: "?sesin = False"
using True by auto
have d6: "s' = ?s_rev_event"
using a4_1 d1 d1_1 d2 TEEC_CloseSession1_def
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have b2: "d = TEE sysconf"
by simp
then show ?thesis
proof-
{
have f1: "vpeq1 s d s' = (vpeq_TEE s d s')"
by (simp add: b2)
have f2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have f3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
then show ?thesis
using d6 f2 f1 by presburger
}
qed
next
case False
then have b3: "d ≠ TEE sysconf"
by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have b4: "d = REE sysconf"
by simp
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
by (metis b3 b4 vpeq1_def)
have e2: "vpeq_REE s d s' = (ree_total_size (REE_state s) = ree_total_size (REE_state s')
∧ driver_mem (REE_state s) = driver_mem (REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by auto
have e6: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
then show ?thesis
by (metis d6 e1 e2 e3)
}
qed
next
case False
then have b5: "d ≠ REE sysconf ∧ d ≠ TEE sysconf"
by (simp add: b3)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have b6: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ (is_TA sysconf d)"
by auto
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = (vpeq_TA s d s')"
using False True b3 vpeq1_def by presburger
have d2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
then show ?thesis
using d1 d2 d6 by force
}
qed
next
case False
then have b7: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ ¬(is_TA sysconf d)"
using b5 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False b5 is_TA_def by blast
then show ?thesis
by blast
}
qed
qed
qed
qed
next
case False
have d3: "¬((ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1) ∧ (?sesin = False))"
using d1 by auto
have d4: "¬((ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1) ∧ (?sesin = False) ∧ ?pre_param_ops ≠ TEE_SUCCESS)"
using d1 by blast
have d6: "s' = ?s2"
using a4_1 d1 d2 d3 d4 TEEC_CloseSession1_def
by (smt (verit, best) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have b2: "d = TEE sysconf"
by simp
then show ?thesis
proof-
{
have f1: "vpeq1 s d s' = (vpeq_TEE s d s')"
by (simp add: b2)
have f2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have f3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have f4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s1)"
using removeSessionInContext_def
by (metis (no_types, lifting) State.select_convs(4) State.surjective State.update_convs(3))
have f5: "tee_memories (TEE_state ?s1) = tee_memories (TEE_state ?s2)"
by force
have f6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s2)"
using f3 f4 f5
by presburger
then show ?thesis
using d6 f2 f1 by presburger
}
qed
next
case False
then have b3: "d ≠ TEE sysconf"
by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have b4: "d = REE sysconf"
by simp
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
by (metis b3 b4 vpeq1_def)
have e2: "vpeq_REE s d s' = (ree_total_size (REE_state s) = ree_total_size (REE_state s')
∧ driver_mem (REE_state s) = driver_mem (REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by auto
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using ree_total_size_removeSessionInContext by auto
have e5: "s' = ?s2"
by (simp add: d6)
have e5_1: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e4 by auto
have e6: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have e7: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s2)"
by (simp add: driver_mem_removeSessionInContext)
have e8: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e5 e6 e7
by fastforce
then show ?thesis
using e5 e8 e1 e2 e5_1 by blast
}
qed
next
case False
then have b5: "d ≠ REE sysconf ∧ d ≠ TEE sysconf"
by (simp add: b3)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have b6: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ (is_TA sysconf d)"
by auto
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = (vpeq_TA s d s')"
using False True b3 vpeq1_def by presburger
have d2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s2)"
using tee_memories_removeSessionInContext by auto
have d5: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using d1 by auto
have d6: "s' = ?s2"
by (simp add: d6)
have d7: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using d3 d4 d5 d6
by presburger
then show ?thesis
using d2 d5 by presburger
}
qed
next
case False
then have b7: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ ¬(is_TA sysconf d)"
using b5 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False b5 is_TA_def by blast
then show ?thesis
by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_CloseSession1_integrity_e:
"integrity_e (hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params))"
using TEEC_CloseSession1_integrity integrity_e_def
using get_exec_prime_def
proof -
have "∀e. integrity_e e = (∀n s sa. (¬ reachable0 s ∨ ¬ non_interference (the (domain_of_event s e)) n ∨ (s, sa) ∉ exec_event e) ∨ s ∼ n ∼ sa)"
using integrity_e_def by blast
then obtain ss :: "Event ⇒ State" and nn :: "Event ⇒ nat" and ssa :: "Event ⇒ State" where
f1: "∀e. (¬ integrity_e e ∨ (∀n s sa. (¬ reachable0 s ∨ ¬ non_interference (the (domain_of_event s e)) n ∨ (s, sa) ∉ exec_event e) ∨ s ∼ n ∼ sa)) ∧ (integrity_e e ∨ (reachable0 (ss e) ∧ non_interference (the (domain_of_event (ss e) e)) (nn e) ∧ (ss e, ssa e) ∈ exec_event e) ∧ ¬ ss e ∼ nn e ∼ ssa e)"
by (metis (no_types))
have "∀n s sa. ¬ reachable0 s ∨ ¬ the (domain_of_event s (hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params))) ∖↝ n ∨ (s, sa) ∉ exec_event (hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params)) ∨ s ∼ n ∼ sa"
by (meson TEEC_CloseSession1_integrity)
then show ?thesis
using f1 non_interference1_def non_interference_def by blast
qed
lemma TEEC_CloseSession1_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?clientTid = "findSesCliTid s (the ses_id)"
let ?sesin = "isSessionInREECtxList (tee_ctx_list (REE_state s)) (the ses_id)"
let ?s_rev_event = "s⦇exec_prime := tl (exec_prime s)⦈"
let ?s1 = "removeSessionInContext ?s_rev_event fd (the ses_id)"
let ?pre_param_ops = "TEE_pre_param_operation (Some in_params)"
let ?taIns = "getTAInsCtx ?s1 (the ?clientTid)"
let ?taId_cli = "ta_id ?taIns"
let ?ca = "DefaultClientID"
let ?nextFuncStepParam = "⦇param1 = ses_id, param2 = None, param3 = None, param4 = Some ?ca,
param5 = None, param6 =None, param7 =Some in_params, param8 =Some out_params,
param9 = None, param10=None, param11=None, param12=None, param13=None⦈"
let ?s2 = "?s1⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS2)#(exec_prime ?s1)⦈"
let ?clientTid_t = "findSesCliTid t (the ses_id)"
let ?sesin_t = "isSessionInREECtxList (tee_ctx_list (REE_state t)) (the ses_id)"
let ?t_rev_event = "t⦇exec_prime := tl (exec_prime t)⦈"
let ?t1 = "removeSessionInContext ?t_rev_event fd (the ses_id)"
let ?pre_param_ops_t = "TEE_pre_param_operation (Some in_params)"
let ?taIns_t = "getTAInsCtx ?t1 (the ?clientTid_t)"
let ?taId_cli_t = "ta_id ?taIns_t"
let ?ca_t = "DefaultClientID"
let ?nextFuncStepParam_t = "⦇param1 = ses_id, param2 = None, param3 = None, param4 = Some ?ca_t,
param5 = None, param6 =None, param7 =Some in_params, param8 =Some out_params,
param9 = None, param10=None, param11=None, param12=None, param13=None⦈"
let ?t2 = "?t1⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEEC_CS2)#(exec_prime ?t1)⦈"
have a10: "s' = fst (TEEC_CloseSession1 sysconf s fd ses_id in_params out_params)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_CloseSession1 sysconf t fd ses_id in_params out_params)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a15: "?clientTid = ?clientTid_t"
using a13 mgr_ta_sessions_findSesCliTid
by blast
have "(s' ∼ d ∼ t')"
proof(cases "(ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1)")
case True
have b1: "(ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1)"
using True by blast
have b2: "(ses_id = None ∨ current t ≠ REE sysconf)
∨ ((exec_prime t) ≠ [] ∧ (snd (hd (exec_prime t))) ≠ TEEC_CS1)"
using a12 a5 b1 a15
by force
have b3: "s = s'"
using b1 TEEC_CloseSession1_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEEC_CloseSession1_def a11 findSesServTid_def
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "¬((ses_id = None ∨ current s ≠ REE sysconf)
∨ ((exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s))) ≠ TEEC_CS1))"
using False by auto
have d2:"¬((ses_id = None ∨ current t ≠ REE sysconf)
∨ ((exec_prime t) ≠ [] ∧ (snd (hd (exec_prime t))) ≠ TEEC_CS1))" using d1 a12 a5 by simp
show ?thesis
proof (cases "?sesin = False")
case True
have b5:"s'=?s_rev_event" using True d1 TEEC_CloseSession1_def a10 by force
show ?thesis
proof (cases "?sesin_t = False")
case True
have b6:"t'=?t_rev_event" using True d2 TEEC_CloseSession1_def a11 by force
show ?thesis using b5 b6 a3 by auto
next
case False
have d3:"¬(?sesin_t = False)" using False by simp
show ?thesis
proof (cases "?pre_param_ops_t ≠ TEE_SUCCESS")
case True
have b7:"t'=?t1" using True d3 d2 TEEC_CloseSession1_def a11 by force
show ?thesis
proof (cases "d=TEE sysconf")
case True
show ?thesis using True b5 b7 a3 vpeq_TEE_def removeSessionInContext_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) filter_related tee_memories_exec_prime_tl tee_memories_removeSessionInContext vpeq1_def)
next
case False
have d4:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b57:"ree_total_size(REE_state s') = ree_total_size (REE_state t')"
using a3 True d4 b5 b7 removeSessionInContext_def vpeq_REE_def vpeq1_def
by (smt (verit) State.unfold_congs(6) ree_total_size_exec_prime_tl ree_total_size_removeSessionInContext)
have b57_1:"driver_mem(REE_state s') = driver_mem(REE_state t')"
using a3 True d4 b5 b7 removeSessionInContext_def vpeq_REE_def vpeq1_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) driver_mem_exec_prime_tl driver_mem_removeSessionInContext)
show ?thesis using b57 b57_1 by simp
}qed
then show ?thesis using True vpeq1_def d4 by simp
next
case False
have d5:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b57_2:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using True vpeq1_def vpeq_TA_def b5 d4 d5
by auto
have b57_3:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using b7 True vpeq1_def vpeq_TA_def
by simp
have b57_4:"{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using b7 True vpeq1_def vpeq_TA_def removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b57_5:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using b57_3 b57_4
by blast
show ?thesis using b57_2 b57_5 a3 b5 b7 vpeq1_def vpeq_TA_def True
by auto
}qed
then show ?thesis using True vpeq1_def d5 d4 by metis
next
case False
then show ?thesis using vpeq1_def d4 d5
by simp
qed
qed
qed
next
case False
have d6:"¬(?pre_param_ops_t ≠ TEE_SUCCESS)" using False by simp
have b8:"t'=?t2" using d6 d3 d2 TEEC_CloseSession1_def a11
by (smt (verit, best) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
show ?thesis
proof (cases "d=TEE sysconf")
case True
show ?thesis using True b5 b8 a3 vpeq_TEE_def removeSessionInContext_def vpeq1_def
by (metis a6 d1 domain_of_event_def ins_no_intf_tee option.collapse option.distinct(1) option.inject tee_no_ree)
next
case False
have d7:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b58:"ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using b5
by auto
have b58_1:"driver_mem(REE_state s) = driver_mem(REE_state s')"
using b5
by simp
have b58_2:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t_rev_event)"
by simp
have b58_3:"ree_total_size(REE_state ?t_rev_event) = ree_total_size (REE_state ?t1)"
using removeSessionInContext_def ree_total_size_removeSessionInContext
by presburger
have b58_4:"ree_total_size(REE_state ?t1) = ree_total_size (REE_state ?t2)" by simp
have b58_8:"ree_total_size(REE_state t) = ree_total_size (REE_state t')" using b8 b58_2 b58_3 b58_4 by argo
have b58_5:"driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)" by simp
have b58_6:"driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b58_7:"driver_mem(REE_state ?t1) = driver_mem(REE_state ?t2)" by simp
have b58_9:"driver_mem(REE_state t) = driver_mem(REE_state t')" using b8 b58_5 b58_6 b58_7 by argo
show ?thesis using vpeq_REE_def b58 b58_1 b58_8 b58_9 a3 True d7
by auto
}qed
then show ?thesis using True vpeq1_def d7 by auto
next
case False
have d8:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b58_10:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using True vpeq1_def vpeq_TA_def b5 d7 d8
by auto
have b58_11:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using b8 True vpeq1_def vpeq_TA_def
by simp
have b58_12:"{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
using b8 True vpeq1_def vpeq_TA_def removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b58_13:"{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t2))∧ (ownership x=d)}" by simp
have b58_14:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using b58_11 b58_12 b58_13 vpeq_TA_def True d7 d8 a6 d1 domain_of_event_def interference1_def is_TEE_def
by (metis option.collapse option.distinct(1) option.inject tee_no_ree)
show ?thesis using b58_10 b58_14 a3 b5 b8 vpeq1_def vpeq_TA_def True
by auto
}qed
then show ?thesis using a3 vpeq1_def True
by auto
next
case False
show ?thesis using vpeq1_def d7 d8 False
by simp
qed
qed
qed
qed
qed
next
case False
have d9:"¬(?sesin = False)" using False by simp
show ?thesis
proof (cases "?pre_param_ops ≠ TEE_SUCCESS")
case True
have d10:"?pre_param_ops_t ≠ TEE_SUCCESS" using True by blast
have b9:"s'=?s1" using True d9 d1 TEEC_CloseSession1_def
by (simp add: TEE_pre_param_operation_def)
show ?thesis
proof (cases "?sesin_t = False")
case True
have b10:"t'=?t_rev_event" using True d2 TEEC_CloseSession1_def TEE_pre_param_operation_def d10 by presburger
show ?thesis
proof (cases "d=TEE sysconf")
case True
then show ?thesis
using True b9 b10 a3 vpeq_TEE_def removeSessionInContext_def vpeq1_def filter_related tee_memories_exec_prime_tl tee_memories_removeSessionInContext
by (smt (verit, ccfv_SIG) State.unfold_congs(6) )
next
case False
have d11:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b910:"ree_total_size(REE_state t) = ree_total_size (REE_state t')" using b10 by auto
have b910_1:"driver_mem(REE_state t) = driver_mem(REE_state t')" using b10 by simp
have b910_2:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)" by simp
have b910_3:"ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b910_4:"driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)" by simp
have b910_5:"driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
show ?thesis using b910 b910_1 b910_2 b910_3 b910_4 b910_5 vpeq_REE_def True a3 b9 d11 by simp
}qed
then show ?thesis using True vpeq1_def d11
by simp
next
case False
have d12:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b910_6:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using True vpeq1_def vpeq_TA_def b10 d11 d12
by auto
have b910_7:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}" by simp
have b910_8:"{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
show ?thesis using b910_6 b910_7 b910_8 vpeq_TA_def True d11 d12 a3 vpeq1_def b9 b10 by auto
}qed
then show ?thesis using True vpeq1_def d12 by simp
next
case False
then show ?thesis using vpeq1_def d11 d12 False by simp
qed
qed
qed
next
case False
have d13:"¬(?sesin_t = False)" using False by simp
have b11:"t'=?t1" using d13 d2 d10 TEEC_CloseSession1_def
by (simp add: TEE_pre_param_operation_def)
show ?thesis
proof (cases "d=TEE sysconf")
case True
show ?thesis using True b9 b11 a3 vpeq_TEE_def removeSessionInContext_def vpeq1_def filter_related tee_memories_exec_prime_tl tee_memories_removeSessionInContext
by (smt (verit, ccfv_SIG) State.unfold_congs(6))
next
case False
have d14:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b911:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)" by simp
have b911_1:"ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b911_2:"driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)" by simp
have b911_3:"driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b911_4:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s1)" using b911 b911_1 by simp
have b911_5:"driver_mem(REE_state s) = driver_mem(REE_state ?s1)" using b911_2 b911_3 by simp
have b911_6:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t_rev_event)" by simp
have b911_7:"ree_total_size(REE_state ?t_rev_event) = ree_total_size (REE_state ?t1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b911_8:"driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)" by simp
have b911_9:"driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b911_10:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t1)" using b911_6 b911_7 by simp
have b911_11:"driver_mem(REE_state t) = driver_mem(REE_state ?t1)" using b911_8 b911_9 by simp
show ?thesis using vpeq_REE_def b911_4 b911_5 b911_10 b911_11 True a3 b9 b11 d14 by auto
}qed
then show ?thesis using True vpeq1_def b9 b11 d14 by auto
next
case False
have d15:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b911_12:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}" by simp
have b911_13:"{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b911_14:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}" by simp
have b911_15:"{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
show ?thesis using b911_12 b911_13 b911_14 b911_15 vpeq_TA_def True d14 d15 a3 vpeq1_def b9 b11 by auto
}qed
then show ?thesis using True vpeq1_def by simp
next
case False
then show ?thesis using vpeq1_def False d14 d15 by auto
qed
qed
qed
qed
next
case False
have d16:"¬(?pre_param_ops ≠ TEE_SUCCESS)" using False by simp
have d17:"¬(?pre_param_ops_t ≠ TEE_SUCCESS)" using d16 by blast
have b12:"s'=?s2" using d16 d1 d9 TEEC_CloseSession1_def a10
by (smt (verit, best) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
show ?thesis
proof (cases "¬(?sesin_t = False)")
case True
have b13:"t'=?t2" using d2 True TEEC_CloseSession1_def a11 d17
by (smt (verit, best) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
show ?thesis
proof (cases "d=TEE sysconf")
case True
show ?thesis using True b12 b13 a3 vpeq_TEE_def removeSessionInContext_def vpeq1_def filter_related tee_memories_exec_prime_tl tee_memories_removeSessionInContext
by (metis a6 d1 domain_of_event_def ins_no_intf_tee option.sel tee_no_ree)
next
case False
have d18:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b1213:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)" by simp
have b1213_1:"ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b1213_2:"ree_total_size(REE_state ?s1) = ree_total_size (REE_state ?s2)" by simp
have b1213_3:"driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)" by simp
have b1213_3:"driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b1213_4:"driver_mem(REE_state ?s1) = driver_mem(REE_state ?s2)" by simp
have b1213_5:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s2)" using b1213 b1213_1 b1213_2 by metis
have b1213_6:"driver_mem(REE_state s) = driver_mem(REE_state ?s2)" using b1213_3 by auto
have b1213_7:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t_rev_event)" by simp
have b1213_8:"ree_total_size(REE_state ?t_rev_event) = ree_total_size (REE_state ?t1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b1213_9:"ree_total_size(REE_state ?t1) = ree_total_size (REE_state ?t2)" by simp
have b1213_10:"driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)" by simp
have b1213_11:"driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b1213_12:"driver_mem(REE_state ?t1) = driver_mem(REE_state ?t2)" by simp
have b1213_13:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t2)" using b1213_11 b1213_7 b1213_8 b1213_9 by presburger
have b1213_14:"driver_mem(REE_state t) = driver_mem(REE_state ?t1)" using b1213_11 by simp
show ?thesis using b1213_13 b1213_14 b1213_5 b1213_6 vpeq_REE_def True a3 b12 b13 d18 by auto
}qed
then show ?thesis using vpeq1_def True d18 by auto
next
case False
have d19:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b1213_15:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}" by simp
have b1213_16:"{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b1213_17:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)}" by simp
have b1213_18:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}" by simp
have b1213_19:"{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b1213_20:"{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t2))∧ (ownership x=d)}" by simp
show ?thesis using b1213_15 b1213_16 b1213_17 b1213_18 b1213_19 b1213_20 vpeq_TA_def True a3 b12 b13 d18 d19
by (metis a6 d1 domain_of_event_def ins_no_intf_tee interference1_def option.collapse option.distinct(1) option.inject tee_no_ree)
}qed
then show ?thesis using True vpeq1_def by simp
next
case False
show ?thesis using False vpeq1_def d18 d19 by simp
qed
qed
qed
next
case False
have d20:"?sesin_t = False" using False by simp
have b14:"t'=?t_rev_event" using d20 d2 TEEC_CloseSession1_def a11 by auto
show ?thesis
proof (cases "d=TEE sysconf")
case True
show ?thesis using True b12 b14 a3 vpeq_TEE_def removeSessionInContext_def vpeq1_def filter_related tee_memories_exec_prime_tl tee_memories_removeSessionInContext
by (metis a6 d1 domain_of_event_def ins_no_intf_tee option.sel tee_no_ree)
next
case False
have d21:"¬(d=TEE sysconf)" using False by simp
show ?thesis
proof (cases "d=REE sysconf")
case True
have "vpeq_REE s' d t'"
proof -
{
have b1213:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)" by simp
have b1213_1:"ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using removeSessionInContext_def
by (metis ree_total_size_removeSessionInContext)
have b1213_2:"ree_total_size(REE_state ?s1) = ree_total_size (REE_state ?s2)" by simp
have b1213_3:"driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)" by simp
have b1213_3:"driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using removeSessionInContext_def driver_mem_removeSessionInContext
by presburger
have b1213_4:"driver_mem(REE_state ?s1) = driver_mem(REE_state ?s2)" by simp
have b1213_5:"ree_total_size(REE_state s) = ree_total_size (REE_state ?s2)" using b1213 b1213_1 b1213_2 by metis
have b1213_6:"driver_mem(REE_state s) = driver_mem(REE_state ?s2)" using b1213_3 by auto
have b1213_7:"ree_total_size(REE_state t) = ree_total_size (REE_state ?t_rev_event)" by simp
have b1213_10:"driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)" by simp
show ?thesis using b1213_5 b1213_6 b1213_7 b1213_10 vpeq_REE_def True d21 a3 b12 b14 by auto
}qed
then show ?thesis using vpeq1_def True a3 d21 by simp
next
case False
have d22:"¬(d=REE sysconf)" using False by simp
show ?thesis
proof (cases "is_TA sysconf d")
case True
have "vpeq_TA s' d t'"
proof -
{
have b1213_15:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}" by simp
have b1213_16:"{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
using removeSessionInContext_def tee_memories_removeSessionInContext
by presburger
have b1213_17:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)}" by simp
have b1213_18:"{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}" by simp
show ?thesis using b1213_15 b1213_16 b1213_17 b1213_18 vpeq_TA_def True a3 b12 b14 d21 d22
by (metis a6 d1 domain_of_event_def ins_no_intf_tee interference1_def option.collapse option.distinct(1) option.inject tee_no_ree)
}qed
then show ?thesis using vpeq1_def True a3 d21 d22
by (metis a6 d1 domain_of_event_def interference1_def is_TEE_def option.sel tee_no_ree)
next
case False
then show ?thesis using False vpeq1_def d21 d22
by simp
qed
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_CloseSession1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_CLOSESESSION1 fd ses_id in_params out_params))"
using TEEC_CloseSession1_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def
by (smt (verit, ccfv_threshold) get_exec_prime_def)
subsection "CloseSession2"
subsection "integrity"
lemma TEEC_CloseSession2_integrity:
assumes p1: "a = hyperc (TEEC_CLOSESESSION2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?client_type = "param4 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?isSesIdinMgrSesIdList = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?s_rev_event))) (the ?ses_id)"
let ?s_ret = "tee_ta_close_session_teeDomain2_pre sysconf ?s_rev_event ?ses_id ?client_type ?in_params ?out_params"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_CloseSession2 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_CloseSession2 sysconf s)"
using a3 a4 by auto
have a4_2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2")
case True
then have "s = s'"
using TEEC_CloseSession2_def a4_1
by (smt (verit, ccfv_SIG) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2 ∧ ?pre_param_ops = TEE_SUCCESS"
using a4_2 by auto
then have b4: "current s = TEE sysconf"
by simp
then have b5: "(the (domain_of_event s a)) = current s"
by (metis domain_of_event_def option.sel)
then have b6: "(the (domain_of_event s a)) ↝ d"
using b4 ins_tee_intf_all by presburger
then show ?thesis
proof(cases "?isSesIdinMgrSesIdList = False")
case True
then have b2: "?isSesIdinMgrSesIdList = False"
by auto
then have b3: "s' = ?s_rev_event"
using a3 a4 b1 b2 a4_1 TEEC_CloseSession2_def a2 b6 non_interference1_def by blast
then show ?thesis
using b6 a2
by auto
next
case False
then show ?thesis
using b6 a2 by auto
qed
qed
} then show ?thesis by blast
qed
lemma TEEC_CloseSession2_integrity_e :
"integrity_e (hyperc (TEEC_CLOSESESSION2))"
using TEEC_CloseSession2_integrity integrity_e_def
by fastforce
subsection "Confidentiality"
lemma TEEC_CloseSession2_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_CLOSESESSION2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?client_type = "param4 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?client_tid = "findSesCliTid ?s_rev_event ?sesID"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?taIns = "getTAInsCtx ?s_rev_event (the ?client_tid)"
let ?taId_cli = "ta_id ?taIns"
let ?mgrTaInsCtxs = "mgr_ta_instances (ta_mgr (TEE_state ?s_rev_event))"
let ?clientTaIns = "getTAInsCtx ?s_rev_event (the ?client_tid)"
let ?client_id = "ta_id ?clientTaIns"
let ?clientType = "getClientType TRUSTED_APP ?client_id"
let ?isSesIdinMgrSesIdList = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?s_rev_event))) (the ?ses_id)"
let ?s_ret = "tee_ta_close_session_teeDomain2_pre sysconf ?s_rev_event ?ses_id ?client_type ?in_params ?out_params"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?client_type_t = "param4 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?client_tid_t = "findSesCliTid ?t_rev_event ?sesID_t"
let ?pre_param_ops_t = "TEE_pre_param_operation ?in_params_t"
let ?taIns_t = "getTAInsCtx ?t_rev_event (the ?client_tid_t)"
let ?taId_cli_t = "ta_id ?taIns_t"
let ?mgrTaInsCtxs_t = "mgr_ta_instances (ta_mgr (TEE_state ?t_rev_event))"
let ?clientTaIns_t = "getTAInsCtx ?t_rev_event (the ?client_tid_t)"
let ?client_id_t = "ta_id ?clientTaIns_t"
let ?clientType_t = "getClientType TRUSTED_APP ?client_id_t"
let ?isSesIdinMgrSesIdList_t = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?t_rev_event))) (the ?ses_id_t)"
let ?t_ret = "tee_ta_close_session_teeDomain2_pre sysconf ?t_rev_event ?ses_id_t ?client_type_t ?in_params_t ?out_params_t"
have a10: "s' = fst (TEEC_CloseSession2 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_CloseSession2 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?sesID = ?sesID_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2")
case True
have b1: "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2"
using True by auto
have b2: "current t ≠ TEE sysconf ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEEC_CS2"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEEC_CloseSession2_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEEC_CloseSession2_def a11 findSesServTid_def
by (smt (z3) fst_conv)
then show ?thesis
using a3 b3 by blast
next
case False
have d1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2"
using False by auto
have d2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d3: "?pre_param_ops_t = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d4: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2 ∧ ?pre_param_ops = TEE_SUCCESS"
using False d2 by auto
have d5: "current t = TEE sysconf ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS2 ∧ ?pre_param_ops_t = TEE_SUCCESS"
using False a12 a5 d3 by auto
have d8: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have d9: "?isSesIdinMgrSesIdList = ?isSesIdinMgrSesIdList_t"
using isSesIdinMgrSesList_cur_ta_session_list a13 d8
by (simp add: a5)
then show ?thesis
proof(cases "?isSesIdinMgrSesIdList = False")
case True
have d6: "?isSesIdinMgrSesIdList = False"
using True by auto
have d10: "?isSesIdinMgrSesIdList_t = False"
using d6 d9 by auto
have d11: "s' = ?s_rev_event"
using a10 d2 d4 d6 TEEC_CloseSession2_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
have d12: "t' = ?t_rev_event"
using a11 d3 d5 d10 TEEC_CloseSession2_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d13)
have e2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have e3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d13)
have e4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have e5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 e3 e4 by blast
have e6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by fastforce
have e7: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have e8: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d11 d12 e5 e6 e7 by blast
then show ?thesis
using e1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j9: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
using j5 j7 j8 by linarith
have j10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j11: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j12: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?s_rev_event)"
using j10 j11 j6 by presburger
have j13: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state t')"
by (simp add: d12)
have j14: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state s')"
by (simp add: d11)
have j15: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state t')"
by (simp add: d12)
have j16: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state s')"
by (simp add: d11)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16
by auto
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d14 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d14 is_TA_def vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 k4 by blast
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 by blast
then show ?thesis
using d11 d12 k1 k2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
by (metis d16)
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False d16 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have f1: "?isSesIdinMgrSesIdList = True"
using False by auto
have f2: "?isSesIdinMgrSesIdList_t = True"
using False d9 by auto
have f3: "s' = fst ?s_ret"
using d4 f1 TEEC_CloseSession2_def a10
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
have f4: "t' = fst ?t_ret"
using d5 f2 TEEC_CloseSession2_def a11
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have f5: "d = TEE sysconf" by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: f5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: f5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (block_id x=0)}"
using tee_memories_tee_ta_close_session_teeDomain2
by simp
have m8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have m9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (block_id x=0)}"
using tee_memories_tee_ta_close_session_teeDomain2
by simp
have m10: "{x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: f3)
have m11: "{x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: f4)
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 m6 m7 m8 m9 by presburger
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using f6 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state (fst ?s_ret))"
using ree_total_size_tee_ta_close_session_teeDomain2
by simp
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state (fst ?s_ret))"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state (fst ?t_ret))"
using ree_total_size_tee_ta_close_session_teeDomain2
by simp
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state (fst ?t_ret))"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state (fst ?s_ret))"
using driver_mem_tee_ta_close_session_teeDomain2
by simp
have g15: "driver_mem(REE_state s) = driver_mem(REE_state (fst ?s_ret))"
using g14 by auto
have g16: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have g17: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state (fst ?t_ret))"
using driver_mem_tee_ta_close_session_teeDomain2
by simp
have g18: "driver_mem(REE_state t) = driver_mem(REE_state (fst ?t_ret))"
using g17 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state (fst ?s_ret))"
by (simp add: f3)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state (fst ?t_ret))"
using f4 by fastforce
have g21: "driver_mem(REE_state (fst ?s_ret)) = driver_mem(REE_state (fst ?t_ret))"
using g13 g14 g16 g17 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
by (simp add: g19 g20 g21)
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state (fst ?s_ret))"
by (simp add: f3)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state (fst ?t_ret))"
by (simp add: f4)
have g25: "ree_total_size(REE_state (fst ?s_ret)) = ree_total_size(REE_state (fst ?t_ret))"
using g10 g11 g5 g7 g8 by linarith
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
by (simp add: g23 g24 g25)
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
using g22 g26 by blast
then show ?thesis
using g1 g2 by blast
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True f6 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True f6 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (ownership x=d)}"
using tee_memories_tee_ta_close_session_teeDomain2
by simp
have h8: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (ownership x=d)}"
using tee_memories_tee_ta_close_session_teeDomain2
by simp
have h10: "{x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (ownership x=d)}"
using h5 h6 h7 h8 h9 by blast
then show ?thesis
using f3 f4 h1 by fastforce
}
qed
next
case False
then have f10: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have i1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have i2: "vpeq1 s' d t' = True"
using f10 False by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_CloseSession2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_CLOSESESSION2))"
using TEEC_CloseSession2_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by fastforce
subsection "CloseSession3"
lemma TEEC_CloseSession3_integrity:
assumes p1: "a = hyperc (TEEC_CLOSESESSION3)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "param2 ?p"
let ?clientType = "param4 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?isSesIdInTaStateSesList = "isSessIdInTaStateSessList s ?ses_id ?servTid"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?servTid, param3 = None, param4 = ?clientType,
param5 = None, param6 =None, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10=None, param11=None, param12=None, param13=None⦈"
let ?s_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?s_rev_event (the ?servTid)"
let ?s_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?s_taCloseSessionEntry (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?taState = "(TAs_state s) (the ?servTid)"
let ?taSesListInTaState = "(TA_sessions (the ?taState))"
let ?ta_attr = "TA_attribute (the ?taState)"
let ?isSingleInstance = "singleInstance ?ta_attr"
let ?isKeepAlive = "keepAlive ?ta_attr"
let ?s_sesIdNotInTaStateSesList = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_rev_event)⦈"
let ?s_taDestroyEntryPoint = "TA_DestroyEntryPoint ?s_removeSess_inTaState"
let ?s_deleteTaStateBackTEE = "?s_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_taDestroyEntryPoint)⦈"
let ?s_notDeleteTaStateBackTEE = "?s_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_removeSess_inTaState)⦈"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_CloseSession3 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_CloseSession3 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS3")
case True
then have "s = s'" using TEEC_CloseSession3_def a4_1
by (smt (z3) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3"
by auto
then show ?thesis
proof(cases "?isSesIdInTaStateSesList = False")
case True
have c1 : "current s = (the ?servTid) ∧ (exec_prime s) ≠ []
∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList = False"
using False True by auto
have c2 : "s' = ?s_sesIdNotInTaStateSesList"
using TEEC_CloseSession3_def a4_1 c1
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: c3)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d5: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_sesIdNotInTaStateSesList)"
by auto
then show ?thesis
using c2 d1 d2 by presburger
}
qed
next
case False
have c4: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have c5: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True c4 by auto
then show ?thesis
proof-
{
have f1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True c4 by auto
have f2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have f5: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_sesIdNotInTaStateSesList)"
by simp
have f8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_sesIdNotInTaStateSesList)"
by simp
then show ?thesis
using c2 f1 f2 f5 f8 by presburger
}
qed
next
case False
have c6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False c4)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have b7: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True c4 by blast
then show ?thesis
proof(cases "d = current s")
case True
have tmp1: "d = current s"
by (simp add: True)
then show ?thesis
by (metis a2 domain_of_event_def nintf_neq option.sel)
next
case False
have tmp2: "d ≠ current s"
by (simp add: False)
then show ?thesis
proof-
{
have g1: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using b7 by auto
have g2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have g3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_sesIdNotInTaStateSesList)"
by simp
then show ?thesis
using c2 g1 g2 g3 by presburger
}
qed
qed
next
case False
have b8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False c6 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False c6 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have b9: "?isSesIdInTaStateSesList ≠ False"
using False by auto
have b10: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False"
using b1 b9 by auto
then show ?thesis
proof(cases "¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []")
case True
have b11: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []"
using True b1 b9 by auto
have b12: "s' = ?s_deleteTaStateBackTEE"
using TEEC_CloseSession3_def a4_1 b11
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: b13)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE TA_CloseSessionEntryPoint_def
by (metis d3)
have d5: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using tee_memories_removeAllSessIdInTaStateSessList by simp
have d6: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have d7: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
by simp
have d8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
using d3 d4 d5 d6 d7 by presburger
then show ?thesis
using b12 d1 d2 by blast
}
qed
next
case False
then have b14: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have b15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using b14 True by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True b14 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have e5: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have e6: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have e7: "ree_total_size (REE_state ?s_taDestroyEntryPoint) = ree_total_size (REE_state ?s_deleteTaStateBackTEE)"
by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have e10: "driver_mem (REE_state ?s_taCloseSessionEntry) = driver_mem (REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have e11: "driver_mem (REE_state ?s_removeSess_inTaState) = driver_mem (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have e12: "driver_mem (REE_state ?s_taDestroyEntryPoint) = driver_mem (REE_state ?s_deleteTaStateBackTEE)"
by simp
have e13: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e14: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
using e1 e2 e3 e4 e5 e6 e7 e8 e9 e10 e11 e12 e13 b12
by presburger
then show ?thesis using e14
using e13 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False b14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False b14 by blast
then show ?thesis
proof(cases "d = (the ?servTid)")
case True
then show ?thesis using a2 b10 by force
next
case False
then have d14: "d ≠ current s"
by (simp add: b1)
then have d15: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using d13 by auto
have t1: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof-
{
have u1: "TEE_state s = TEE_state ?s_rev_event" by simp
have u2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA d14
using False CloseSessionEntryPoint_not_change_other_TA_aux b10 get_exec_prime_def mem_Collect_eq u1
by (metis (mono_tags, lifting))
have u3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have u4: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have u5: "tee_memories(TEE_state ?s_taDestroyEntryPoint)=tee_memories( TEE_state ?s_deleteTaStateBackTEE)"
by simp
have u6: "vpeq_TA s' d s"
using u1 u2 u3 u4 u5 b12 vpeq_TA_def
by presburger
then show ?thesis
by auto
}
qed
then show ?thesis using t1
using d15 vpeq_TA_def by blast
qed
next
case False
then show ?thesis
using is_TA_def p4 by blast
qed
qed
qed
next
case False
have d16: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ((?isSingleInstance = True ∧ ?isKeepAlive = True) ∨ ?taSesListInTaState ≠ [])"
using False b1 b9 by auto
have d17: "s' = ?s_notDeleteTaStateBackTEE"
using d16 TEEC_CloseSession3_def a4_1
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d18: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: d18)
have e2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have e3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have e4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE TA_CloseSessionEntryPoint_def
by (metis e3)
have e5: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using tee_memories_removeAllSessIdInTaStateSessList by simp
have e6: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by force
then show ?thesis
using d17 e1 e3 e4 e5 vpeq_TEE_def by presburger
}
qed
next
case False
then have p4: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p5: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p4 by auto
then show ?thesis
proof-
{
have q1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True p4 by auto
have q2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have q3: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have q4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have q5: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have q6: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_notDeleteTaStateBackTEE)"
by simp
have q8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have q9: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have q10: "driver_mem (REE_state ?s_taCloseSessionEntry) = driver_mem (REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have q11: "driver_mem (REE_state ?s_removeSess_inTaState) = driver_mem (REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have q13: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using q1 by auto
have q14: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
using q1 q2 q3 q4 q5 q6 q8 q9 q10 q11 d17
by presburger
then show ?thesis using q14 q13
by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p4)
then show ?thesis
proof(cases "d = (the ?servTid)")
case True
then show ?thesis using a2 b10 by force
next
case False
then have p14: "d ≠ current s"
by (simp add: b1)
then have p15: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using is_TA_def p4 vpeq1_def by presburger
have t2: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA p14
using False CloseSessionEntryPoint_not_change_other_TA_aux b10 get_exec_prime_def mem_Collect_eq v1
by (metis (mono_tags, lifting))
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have u6: "vpeq_TA s' d s"
using v1 v2 v3 v5 d17 vpeq_TA_def
by presburger
then show ?thesis by auto
}
qed
then show ?thesis using t2
using p15 vpeq_TA_def by blast
qed
qed
qed
qed
qed
qed
} then show ?thesis
by blast
qed
lemma TEEC_CloseSession3_integrity_e:
"integrity_e (hyperc (TEEC_CLOSESESSION3))"
using TEEC_CloseSession3_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEEC_CloseSession3_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_CLOSESESSION3)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a52: "TAs_state s =TAs_state t "
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "param2 ?p"
let ?clientType = "param4 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?isSesIdInTaStateSesList = "isSessIdInTaStateSessList s ?ses_id ?servTid"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?servTid, param3 = None, param4 = ?clientType,
param5 = None, param6 = None, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12 = None, param13 = None⦈"
let ?s_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?s_rev_event (the ?servTid)"
let ?s_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?s_taCloseSessionEntry (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?taState = "(TAs_state s) (the ?servTid)"
let ?taSesListInTaState = "(TA_sessions (the ?taState))"
let ?ta_attr = "TA_attribute (the ?taState)"
let ?isSingleInstance = "singleInstance ?ta_attr"
let ?isKeepAlive = "keepAlive ?ta_attr"
let ?s_sesIdNotInTaStateSesList = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_rev_event)⦈"
let ?s_taDestroyEntryPoint = "TA_DestroyEntryPoint ?s_removeSess_inTaState"
let ?s_deleteTaStateBackTEE = "?s_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_taDestroyEntryPoint)⦈"
let ?s_notDeleteTaStateBackTEE = "?s_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEEC_CS4)#(exec_prime ?s_removeSess_inTaState)⦈"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?servTid_t = "param2 ?p_t"
let ?clientType_t = "param4 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?isSesIdInTaStateSesList_t = "isSessIdInTaStateSessList t ?ses_id_t ?servTid_t"
let ?nextFuncStepParam_t = "⦇param1 = ?ses_id_t, param2 = ?servTid_t, param3 = None,
param4 = ?clientType_t, param5 = None, param6 =None, param7 = ?in_params_t,
param8 = ?out_params_t, param9 = None, param10=None, param11=None,
param12 = None, param13 = None⦈"
let ?t_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?t_rev_event (the ?servTid_t)"
let ?t_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?t_taCloseSessionEntry (the ?ses_id_t) (the ?in_params_t) (the ?out_params_t)"
let ?taState_t = "(TAs_state t) (the ?servTid_t)"
let ?taSesListInTaState_t = "(TA_sessions (the ?taState_t))"
let ?ta_attr_t = "TA_attribute (the ?taState_t)"
let ?isSingleInstance_t = "singleInstance ?ta_attr_t"
let ?isKeepAlive_t = "keepAlive ?ta_attr_t"
let ?t_sesIdNotInTaStateSesList = "?t_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEEC_CS4)#(exec_prime ?t_rev_event)⦈"
let ?t_taDestroyEntryPoint = "TA_DestroyEntryPoint ?t_removeSess_inTaState"
let ?t_deleteTaStateBackTEE = "?t_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEEC_CS4)#(exec_prime ?t_taDestroyEntryPoint)⦈"
let ?t_notDeleteTaStateBackTEE = "?t_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEEC_CS4)#(exec_prime ?t_removeSess_inTaState)⦈"
have a10: "s' = fst (TEEC_CloseSession3 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_CloseSession3 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a14: "(TAs_state s) = (TAs_state t)" using a52 by auto
have a15: "?servTid = ?servTid_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS3")
case True
have b1: "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS3"
using True by auto
have b2: "current t ≠ (the ?servTid_t) ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEEC_CS3"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEEC_CloseSession3_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEEC_CloseSession3_def a11
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3"
using False by auto
have d2: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS3"
using False a12 a5 by auto
have e2: "?isSesIdInTaStateSesList = ?isSesIdInTaStateSesList_t"
using isSessIdInTaStateSessList_def a14 a5
by (metis (no_types, lifting))
then show ?thesis
proof(cases "?isSesIdInTaStateSesList = False")
case True
have e1: "?isSesIdInTaStateSesList = False"
by (simp add: True)
have e3: "current s = (the ?servTid) ∧ (exec_prime s) ≠ []
∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList = False"
using False e1 by auto
have e4: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ []
∧ snd (hd (exec_prime t)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList_t = False"
using d2 e2 e3 by auto
have e5: "s' = ?s_sesIdNotInTaStateSesList"
using TEEC_CloseSession3_def a10 e3
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have e6: "t' = ?t_sesIdNotInTaStateSesList"
using TEEC_CloseSession3_def a11 e4
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d3)
have f2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d3)
have f4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by fastforce
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have e8: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using e5 e6 f5 f6 f7
using setCurDomainAndEvent_def tee_memories_setCurDomainAndEvent by presburger
then show ?thesis
using e8
using f1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j9: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
using j5 j7 j8 by linarith
have j10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j11: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j12: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?s_rev_event)"
using j10 j11 j6 by presburger
have j13: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state t')"
by (simp add: e6)
have j14: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state s')"
by (simp add: e5)
have j15: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state t')"
by (simp add: e6)
have j16: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state s')"
by (simp add: e5)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16
by auto
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d14 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d14 is_TA_def vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 k4 by blast
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 by blast
then show ?thesis
using e5 e6 k1 k2
by auto
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
by (metis d16)
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False d16 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have g1: "?isSesIdInTaStateSesList = True"
using False by auto
have g2: "?isSesIdInTaStateSesList_t = True"
using False e2 by auto
have g3: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False"
using d1 g1 by auto
have g4: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False"
using d2 g2 by auto
then show ?thesis
proof(cases "¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []")
case True
have g5: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []"
using True g3 by auto
have g6: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False
∧ ¬(?isSingleInstance_t = True ∧ ?isKeepAlive_t = True) ∧ ?taSesListInTaState_t = []"
using True g4
using a14 a5 by auto
have g7: "s' = ?s_deleteTaStateBackTEE"
using TEEC_CloseSession3_def a10 g5
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
have g8: "t' = ?t_deleteTaStateBackTEE"
using TEEC_CloseSession3_def a11 g6
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: b13)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: b13)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m10: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have m11: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m12: "{x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: g7)
have m11: "{x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: g8)
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 m6 m7 m8 m9 g6
by (metis isSesIdinSesIdList.simps(1) isSessIdInTaStateSessList_def)
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using f6 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have n2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have n4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have n5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 n3 by auto
have n6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 n3 by auto
have n7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size (REE_state ?s_taDestroyEntryPoint) = ree_total_size (REE_state ?s_deleteTaStateBackTEE)"
by simp
have n12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?t_taCloseSessionEntry) = ree_total_size (REE_state ?t_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?t_removeSess_inTaState) = ree_total_size (REE_state ?t_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size (REE_state ?t_taDestroyEntryPoint) = ree_total_size (REE_state ?t_deleteTaStateBackTEE)"
by simp
have n12: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_deleteTaStateBackTEE)"
using g6 by (metis isSesIdinSesIdList.simps(1) isSessIdInTaStateSessList_def)
have n321: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
using g6 isSessIdInTaStateSessList_def by force
have n13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have n14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_taCloseSessionEntry)"
using g6 isSessIdInTaStateSessList_def by force
have n15: "driver_mem(REE_state ?s_taCloseSessionEntry) = driver_mem(REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n16: "driver_mem(REE_state ?s_removeSess_inTaState) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n17: "driver_mem(REE_state s) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using n14 n15 n16 by auto
have n18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have n19: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_taCloseSessionEntry)"
using g6 isSessIdInTaStateSessList_def by force
have n20: "driver_mem(REE_state ?t_taCloseSessionEntry) = driver_mem(REE_state ?t_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n21: "driver_mem(REE_state ?t_removeSess_inTaState) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n22: "driver_mem(REE_state t) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n18 n19 n20 n21 by presburger
have n23: "driver_mem(REE_state s') = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using g7 by auto
have n24: "driver_mem(REE_state t') = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: g8)
have n25: "driver_mem(REE_state ?s_deleteTaStateBackTEE) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n17 n18 n19 n20 n21 n6 by presburger
have n26: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using n23 n24 n25 by force
have n27: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: g7)
have n28: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: g8)
have n29: "ree_total_size(REE_state ?s_deleteTaStateBackTEE) = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
using n12 n321 n5 by presburger
have n30: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using n27 n28 n29 by linarith
have n31: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: n26 n30)
then show ?thesis
using n1 by auto
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
have f9_1: "current s = (the ?servTid)"
by (simp add: d1)
then show ?thesis
proof(cases "d ≠ (the ?servTid)")
case True
have f9_1: "d ≠ (the ?servTid)" using True by simp
have f9_2: "d ≠ (the ?servTid_t)" using True
using a5 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f9 vpeq1_def by presburger
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_1
using False CloseSessionEntryPoint_not_change_other_TA_aux g5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h10: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
using h6 h7 h8 h9 h10
by presburger
have h12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state t = TEE_state ?t_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_2
using False CloseSessionEntryPoint_not_change_other_TA_aux g5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?t_taCloseSessionEntry)=tee_memories( TEE_state ?t_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?t_removeSess_inTaState)=tee_memories( TEE_state ?t_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h16: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using h12 h13 h14 h15 h16
by presburger
have h18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have h19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using g8 h14 h15 h16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using h18 h19
by (metis h17 h5 h6 h7)
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
have f10_1: "d = (the ?servTid)" using False by simp
have f10_2: "d = (the ?servTid_t)" using False
using a5 by auto
have f11_1: "d = current s"
using False d1 by auto
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 f9 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
using f9 vpeq1_def by presburger
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have m10: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have m16: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using m13 by auto
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using g8 m14 m15 m16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19
by (metis m17 m5 m6 m7)
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have l2: "vpeq1 s' d t' = True"
using False f8 is_TA_def by blast
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have u5: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = [])"
using False g3 by blast
have u6: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False
∧ ¬(¬(?isSingleInstance_t = True ∧ ?isKeepAlive_t = True) ∧ ?taSesListInTaState_t = [])"
using False a14 a5 g4 by auto
have u7: "s' = ?s_notDeleteTaStateBackTEE"
using TEEC_CloseSession3_def a10 u5
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
have u8: "t' = ?t_notDeleteTaStateBackTEE"
using TEEC_CloseSession3_def a11 u6
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: b13)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: b13)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m10: "{x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
using m5 m6 m7 m8 m9 u7 by presburger
have m11: "{x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using u8 by blast
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 by presburger
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True f6 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have n2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have n4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have n5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 n3 by auto
have n6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 n3 by auto
have n7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n12: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n13: "ree_total_size (REE_state ?t_taCloseSessionEntry) = ree_total_size (REE_state ?t_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n14: "ree_total_size (REE_state ?t_removeSess_inTaState) = ree_total_size (REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n15: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_notDeleteTaStateBackTEE)"
using u5 n7 n8 n9 n10
by presburger
have n16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
using n11 n12 n13 n14
by linarith
have n13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have n14: "REE_state ?s_rev_event = REE_state ?s_taCloseSessionEntry"
using TA_CloseSessionEntryPoint_def
using OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n15: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_taCloseSessionEntry)"
using u5 n14 by simp
have n16: "driver_mem(REE_state ?s_taCloseSessionEntry) = driver_mem(REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n17: "driver_mem(REE_state ?s_removeSess_inTaState) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n18: "driver_mem(REE_state s) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using n13 n14 n15 n16 n17 by auto
have n19: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have n20: "REE_state ?t_rev_event = REE_state ?t_taCloseSessionEntry"
using TA_CloseSessionEntryPoint_def
using OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n21: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_taCloseSessionEntry)"
using u6 n20 by simp
have n22: "driver_mem(REE_state ?t_taCloseSessionEntry) = driver_mem(REE_state ?t_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n23: "driver_mem(REE_state ?t_removeSess_inTaState) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n24: "driver_mem(REE_state t) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n19 n20 n20 n21 n22 n23 by auto
have n25: "driver_mem(REE_state s') = driver_mem(REE_state ?s_notDeleteTaStateBackTEE)"
using u7 by auto
have n26: "driver_mem(REE_state t') = driver_mem(REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: u8)
have n27: "driver_mem(REE_state ?s_notDeleteTaStateBackTEE) = driver_mem(REE_state ?t_notDeleteTaStateBackTEE)"
using TA_DestroyEntryPoint_def driver_mem_removeAllSessIdInTaStateSessList n18 n20 n6 by auto
have n28: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using n25 n26 n27 by force
have n29: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: u7)
have n30: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: u8)
have n31: "ree_total_size(REE_state ?s_notDeleteTaStateBackTEE) = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
using n14 n20 n5 ree_total_size_removeAllSessIdInTaStateSessList by auto
have n32: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using n29 n30 n31 by linarith
have n31: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: n28 n32)
then show ?thesis
using n1 by auto
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
have f9_1: "current s = (the ?servTid)"
by (simp add: d1)
then show ?thesis
proof(cases "d ≠ (the ?servTid)")
case True
have f9_1: "d ≠ (the ?servTid)" using True by simp
have f9_2: "d ≠ (the ?servTid_t)" using True
using a5 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f9 vpeq1_def by presburger
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_1
using False CloseSessionEntryPoint_not_change_other_TA_aux u5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h10: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using h6 h7 h8 h9 h10
by presburger
have h12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state t = TEE_state ?t_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_2
using False CloseSessionEntryPoint_not_change_other_TA_aux u5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?t_taCloseSessionEntry)=tee_memories( TEE_state ?t_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?t_removeSess_inTaState)=tee_memories( TEE_state ?t_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h16: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using h12 h13 h14 h15
by presburger
have h18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u5 isSessIdInTaStateSessList_def
by (simp add: u7)
have h19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using u8 h14 h15 h16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using h18 h19
using h11 h16 h5 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
have f10_1: "d = (the ?servTid)" using False by simp
have f10_2: "d = (the ?servTid_t)" using False
using a5 by auto
have f11_1: "d = current s"
using False d1 by auto
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 f9 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
using f9 vpeq1_def by presburger
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u6 isSessIdInTaStateSessList_def
using m6 m7 m8 m9 by presburger
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using m13 m5 m7 tee_memories_removeAllSessIdInTaStateSessList by auto
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using m10 m5 by presburger
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u6 isSessIdInTaStateSessList_def
using u7 by fastforce
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u8 m14 m15 by fastforce
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19 a113 m10 m12 m13 m5
by (metis tee_memories_removeAllSessIdInTaStateSessList)
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have l2: "vpeq1 s' d t' = True"
using False f8 is_TA_def by blast
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
qed
} then show ?thesis
using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_CloseSession3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_CLOSESESSION3))"
using TEEC_CloseSession3_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "CloseSession4"
lemma TEEC_CloseSession4_integrity:
assumes p1: "a = hyperc (TEEC_CLOSESESSION4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "(param2 ?p)"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?mgrSes = "the(findMgrSessionFromList s (the ?ses_id))"
let ?clientType = "client_id ?mgrSes"
let ?loginType = "login ?clientType"
let ?mgrTaInsList = "mgr_ta_instances (ta_mgr (TEE_state s))"
let ?curMgrTaIns = "findTaInsInMgrByTid ?mgrTaInsList (the ?servTid)"
let ?curMgrTaIns_attr = "attribute (the ?curMgrTaIns)"
let ?isSingleInstance = "singleInstance ?curMgrTaIns_attr"
let ?isKeepAlive = "keepAlive ?curMgrTaIns_attr"
let ?curMgrTaIns_refCnt = "reference_cnt (the ?curMgrTaIns) - 1"
let ?s_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?s_rev_event (the ?ses_id)"
let ?s_setNotBusy = "setTaInsBusyByThreadId ?s_removeSess_inMgrTaSes (the ?servTid) False"
let ?s_subRef = "fst(subtractMgrInsRef ?s_setNotBusy (the ?servTid))"
let ?curTa_curTaSessionList = "cur_ta_session_list (the ?curMgrTaIns)"
let ?s_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?s_subRef (the ?servTid))"
let ?s_closeCurTaInsSessList = "addCloseSessionEvent2 sysconf ?s_removeTaInTaIns (the ?in_params) (the ?out_params) ?curTa_curTaSessionList"
let ?s_teeState_deleteCurTa = "deleteTaStateByThreadId ?s_closeCurTaInsSessList (the ?servTid)"
let ?s_removeTaMemInTee = "removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEEC_CloseSession4 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEEC_CloseSession4 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEEC_CS4)")
case True
then have "s = s'" using TEEC_CloseSession4_def a4_1
by (smt (z3) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEEC_CS4)"
by auto
then show ?thesis
proof(cases "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)")
case True
have c1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEEC_CS4)
∧ ?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)"
using False True by blast
have c2 : "s' = ?s_removeTaMemInTee"
using TEEC_CloseSession4_def a4_1 c1
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: c3)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_removeSess_inMgrTaSes)"
by (metis a225 removeAllSessionInMgrSesList_def)
have d5: "tee_memories (TEE_state ?s_removeSess_inMgrTaSes) = tee_memories (TEE_state ?s_setNotBusy)"
using tee_memories_setTaInsBusy by blast
have d6: "tee_memories (TEE_state ?s_setNotBusy) = tee_memories (TEE_state ?s_subRef)"
using subtractMgrInsRef_def tee_memories_subtractMgrInsRef
by blast
have d7: "tee_memories (TEE_state ?s_subRef) = tee_memories (TEE_state ?s_removeTaInTaIns)"
by (simp add: tee_memories_removeTaInsInMgrInsList)
have d8: "tee_memories (TEE_state ?s_removeTaInTaIns) = tee_memories (TEE_state ?s_closeCurTaInsSessList)"
using tee_memories_addCloseSessionEvent2
by simp
have d9: "tee_memories (TEE_state ?s_closeCurTaInsSessList) = tee_memories (TEE_state ?s_teeState_deleteCurTa)"
using deleteTaStateByThreadId_def tee_memories_deleteTaStateByThreadId
by simp
then show ?thesis using True a2 interference1_def b1 by simp
}
qed
next
case False
have b4:"d ≠ TEE sysconf" using False by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
next
case False
have d1: "¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using False by auto
have d2: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEEC_CS4)
∧ ¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using b1 d1 by blast
then show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
qed
qed
} then show ?thesis
by blast
qed
lemma TEEC_CloseSession4_integrity_e:
"integrity_e (hyperc (TEEC_CLOSESESSION4))"
using TEEC_CloseSession4_integrity integrity_e_def
using get_exec_prime_def by auto
lemma removeAllBlockbyTid: "∀x::MemBlock. (x∈set(removeAllMemBlockInMemBlockList tid memlist)⟶ownership x ≠ tid)"
apply(induct memlist)
apply simp
apply simp
apply auto
done
lemma prop1: "∀x::MemBlock. (ownership x=tid⟶x∉set(removeAllMemBlockInMemBlockList tid memlist))" using removeAllBlockbyTid
by blast
lemma prop2: "set(removeAllMemBlockInMemBlockList tid memlist) = set(filter (λx. ownership x ≠ tid) memlist)"
apply(induct memlist)
apply simp
apply simp
done
lemma prop3: "∀x. x∈set(memlist)∧ownership x ≠ tid ⟶ x∈set(removeAllMemBlockInMemBlockList tid memlist)"
proof (cases "memlist = []")
case True
then show ?thesis
by simp
next
case False
then show ?thesis using prop2
by simp
qed
lemma prop4: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) =
tee_memories (TEE_state (s⦇TEE_state:=(TEE_state s)⦇tee_total_size := ((tee_total_size (TEE_state s)) + (calMemBlockInMemBlockList d (tee_memories (TEE_state s)))),tee_memories:=(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s)))⦈⦈))"
using removeTaMemInTeeDomain_def
by metis
lemma prop5: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) =
tee_memories (TEE_state (s⦇TEE_state:=(TEE_state s)⦇tee_memories:=(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s)))⦈⦈))"
using prop4
by simp
lemma prop6: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) = removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s))"
using prop5
by simp
axiomatization where prop7: "∀x::MemBlock. block_id x = 0 ⟶ ownership x = 1"
lemma prop8: "∀x::MemBlock. ownership x ≠ 1 ⟶ block_id x ≠ 0"
using prop7
by auto
lemma TEEC_CloseSession4_weak_confidentiality:
assumes p1: "a = hyperc (TEEC_CLOSESESSION4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "(param2 ?p)"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?mgrSes = "the(findMgrSessionFromList s (the ?ses_id))"
let ?clientType = "client_id ?mgrSes"
let ?loginType = "login ?clientType"
let ?mgrTaInsList = "mgr_ta_instances (ta_mgr (TEE_state s))"
let ?curMgrTaIns = "findTaInsInMgrByTid ?mgrTaInsList (the ?servTid)"
let ?curMgrTaIns_attr = "attribute (the ?curMgrTaIns)"
let ?isSingleInstance = "singleInstance ?curMgrTaIns_attr"
let ?isKeepAlive = "keepAlive ?curMgrTaIns_attr"
let ?curMgrTaIns_refCnt = "reference_cnt (the ?curMgrTaIns) - 1"
let ?s_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?s_rev_event (the ?ses_id)"
let ?s_setNotBusy = "setTaInsBusyByThreadId ?s_removeSess_inMgrTaSes (the ?servTid) False"
let ?s_subRef = "fst(subtractMgrInsRef ?s_setNotBusy (the ?servTid))"
let ?curTa_curTaSessionList = "cur_ta_session_list (the ?curMgrTaIns)"
let ?s_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?s_subRef (the ?servTid))"
let ?s_closeCurTaInsSessList = "addCloseSessionEvent2 sysconf ?s_removeTaInTaIns (the ?in_params) (the ?out_params) ?curTa_curTaSessionList"
let ?s_teeState_deleteCurTa = "deleteTaStateByThreadId ?s_closeCurTaInsSessList (the ?servTid)"
let ?s_removeTaMemInTee = "removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?servTid_t = "(param2 ?p_t)"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?mgrSes_t = "the(findMgrSessionFromList t (the ?ses_id_t))"
let ?clientType_t = "client_id ?mgrSes_t"
let ?loginType_t = "login ?clientType_t"
let ?mgrTaInsList_t = "mgr_ta_instances (ta_mgr (TEE_state t))"
let ?curMgrTaIns_t = "findTaInsInMgrByTid ?mgrTaInsList_t (the ?servTid_t)"
let ?curMgrTaIns_attr_t = "attribute (the ?curMgrTaIns_t)"
let ?isSingleInstance_t = "singleInstance ?curMgrTaIns_attr_t"
let ?isKeepAlive_t = "keepAlive ?curMgrTaIns_attr_t"
let ?curMgrTaIns_refCnt_t = "reference_cnt (the ?curMgrTaIns_t) - 1"
let ?t_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?t_rev_event (the ?ses_id_t)"
let ?t_setNotBusy = "setTaInsBusyByThreadId ?t_removeSess_inMgrTaSes (the ?servTid_t) False"
let ?t_subRef = "fst(subtractMgrInsRef ?t_setNotBusy (the ?servTid_t))"
let ?curTa_curTaSessionList_t = "cur_ta_session_list (the ?curMgrTaIns_t)"
let ?t_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?t_subRef (the ?servTid_t))"
let ?t_closeCurTaInsSessList = "addCloseSessionEvent2 sysconf ?t_removeTaInTaIns (the ?in_params_t) (the ?out_params_t) ?curTa_curTaSessionList_t"
let ?t_teeState_deleteCurTa = "deleteTaStateByThreadId ?t_closeCurTaInsSessList (the ?servTid_t)"
let ?t_removeTaMemInTee = "removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid_t)"
have a10: "s' = fst (TEEC_CloseSession4 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEEC_CloseSession4 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a15: "?servTid = ?servTid_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEEC_CS4)")
case True
have b1: "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEEC_CS4)"
using True by auto
have b2: "current t ≠ (TEE sysconf) ∨ (exec_prime t) = [] ∨ (snd (hd (exec_prime t)) ≠ TEEC_CS4)"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEEC_CloseSession4_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEEC_CloseSession4_def a11
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d0: "current s = TEE sysconf"
using False by auto
have d1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS4"
using False by auto
have d2: "current t = (TEE sysconf) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS4"
using False a12 a5 by auto
have d3: "?servTid = ?servTid_t"
by (simp add: a5)
have d4: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)"
by (simp add: a13)
have d5: "ta_mgr(TEE_state ?s_rev_event) = ta_mgr(TEE_state ?t_rev_event)"
by (simp add: d4)
have d6: "?mgrTaInsList = ?mgrTaInsList_t"
by (simp add: d4)
have d7: "?curMgrTaIns = ?curMgrTaIns_t"
using d6 d3 by simp
have d8: "?curMgrTaIns_attr = ?curMgrTaIns_attr_t"
by (simp add: a5 d4)
have d9: "?isSingleInstance = ?isSingleInstance_t"
by (simp add: a5 d4)
have d10: "?isKeepAlive = ?isKeepAlive_t"
by (simp add: a5 d4)
have d11: "reference_cnt (the ?curMgrTaIns) = reference_cnt (the ?curMgrTaIns_t)"
by (simp add: a5 d4)
have d12: "?curMgrTaIns_refCnt = ?curMgrTaIns_refCnt_t"
by (simp add: a5 d4)
have d13: "findMgrSessionFromList s (the ?ses_id) = findMgrSessionFromList t (the ?ses_id_t)"
proof-
{
let ?mgr = "(ta_mgr(TEE_state s))"
let ?lst = "mgr_ta_sessions (ta_mgr (TEE_state s))"
let ?index = "(SOME x. (the ?ses_id) = session_id (?lst!x))"
let ?mgr_session = "?lst!?index"
let ?mgr_t = "(ta_mgr(TEE_state t))"
let ?lst_t = "mgr_ta_sessions (ta_mgr (TEE_state t))"
let ?index_t = "(SOME x. (the ?ses_id_t) = session_id (?lst_t!x))"
let ?mgr_session_t = "?lst_t!?index_t"
have d13_0: "?mgr = ?mgr_t"
by (simp add: d4)
have d13_1: "?lst = ?lst_t"
by (simp add: d4)
have d13_2: "?index = ?index_t"
by (simp add: a5 d4)
have d13_3: "?mgr_session = ?mgr_session_t"
by (simp add: a5 d4)
then show ?thesis
by (metis findMgrSessionFromList_def)
}
qed
have d14: "?mgrSes = ?mgrSes_t"
using d13 by simp
have d15: "?loginType = ?loginType_t"
by (simp add: d13)
then show ?thesis
proof(cases "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)")
case True
have c1: "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)"
using True by auto
have c2: "?curMgrTaIns_refCnt_t = 0 ∧ (¬(?isKeepAlive_t = True ∧ ?isSingleInstance_t = True) | ?loginType_t = DTC_IDENTITY)"
using a5 c1 d13 d4 by force
have c3: "s' = ?s_removeTaMemInTee"
using TEEC_CloseSession4_def a10 c1 d1
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
have c4: "t' = ?t_removeTaMemInTee"
using TEEC_CloseSession4_def a11 c2 d2
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: c5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: c5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m10: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (block_id x=0)}"
using tee_memories_removeTaInsInMgrInsList by force
have m11: "{x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (block_id x=0)}"
using tee_memories_addCloseSessionEvent2 by auto
have m12: "{x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}"
using tee_memories_deleteTaStateByThreadId by auto
have m13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m17: "{x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (block_id x=0)}"
using tee_memories_removeTaInsInMgrInsList by force
have m18: "{x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (block_id x=0)}"
using tee_memories_addCloseSessionEvent2 by auto
have m19: "{x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}"
using tee_memories_deleteTaStateByThreadId by auto
have m20: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}"
using m14 m5 m7 tee_memories_addCloseSessionEvent2 tee_memories_deleteTaStateByThreadId tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef by force
have m21: "{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}"
proof -{
have m211: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
by simp
have m212: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid)"
using a5
by simp
show ?thesis
proof (cases "(the ?servTid) = 1")
case True
have m216:"∀x::MemBlock. (ownership x=1⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1 True
by simp
have m217:"tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using m211 removeTaMemInTeeDomain_def prop6
by simp
have m218:"{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}= {}"
using prop7 m217 m216
by auto
have m219:"∀x::MemBlock. (ownership x=1⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1 True
by simp
have m220:"tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using m212 removeTaMemInTeeDomain_def prop6
by simp
have m211:"{x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}= {}"
using prop7 m219 m220
by auto
show ?thesis using m218 m220 m211
by blast
next
case False
have m213: "(the ?servTid) ≠ 1" using False
by blast
have m2131: "∀x::MemBlock. (ownership x=(the ?servTid)⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1
by blast
have m2132: "tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using m211 removeTaMemInTeeDomain_def prop6
by simp
have m21321: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))⟶ownership x = (the ?servTid)"
using m2132 prop3
by auto
have m21322: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))⟶block_id x ≠ 0"
using m213 m21321 prop8
by simp
have m2134: "∀x::MemBlock. (ownership x=(the ?servTid)⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1
by simp
have m21341: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))⟶ownership x = (the ?servTid)"
using m2134 prop3 a5 prop6
by auto
have m21342: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))⟶block_id x ≠ 0"
using m213 m21341 prop8
by simp
have m2135: "tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using m212 m211 removeTaMemInTeeDomain_def prop6
by simp
have m214: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}" using m21322 m2132 prop2
by auto
have m215: "{x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}" using m21342 m2135 prop2
by auto
then show ?thesis using m214 m215 m20
by simp
qed
}
qed
have m22: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m21 by (simp add: c3 c4)
then show ?thesis using m22
using m1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j9: "ree_total_size(REE_state ?s_removeSess_inMgrTaSes) = ree_total_size(REE_state ?s_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j10: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?s_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j11: "ree_total_size(REE_state ?s_subRef) = ree_total_size(REE_state ?s_removeTaInTaIns)"
by (simp add: ree_total_size_removeTaInsInMgrInsList)
have j12: "ree_total_size(REE_state ?s_removeTaInTaIns) = ree_total_size(REE_state ?s_closeCurTaInsSessList)"
using ree_total_size_addCloseSessionEvent2 by simp
have j13: "ree_total_size(REE_state ?s_closeCurTaInsSessList) = ree_total_size(REE_state ?s_teeState_deleteCurTa)"
using ree_total_size_deleteTaStateByThreadId by simp
have j14: "ree_total_size(REE_state ?s_teeState_deleteCurTa) = ree_total_size(REE_state ?s_removeTaMemInTee)"
by (simp add: ree_total_size_removeTaMemInTeeDomain)
have j15: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state ?s_removeTaMemInTee)"
by linarith
have j16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j17: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j18: "ree_total_size(REE_state ?t_removeSess_inMgrTaSes) = ree_total_size(REE_state ?t_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j19: "ree_total_size(REE_state ?t_setNotBusy) = ree_total_size(REE_state ?t_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j20: "ree_total_size(REE_state ?t_subRef) = ree_total_size(REE_state ?t_removeTaInTaIns)"
by (simp add: ree_total_size_removeTaInsInMgrInsList)
have j21: "ree_total_size(REE_state ?t_removeTaInTaIns) = ree_total_size(REE_state ?t_closeCurTaInsSessList)"
using ree_total_size_addCloseSessionEvent2 by simp
have j22: "ree_total_size(REE_state ?t_closeCurTaInsSessList) = ree_total_size(REE_state ?t_teeState_deleteCurTa)"
using ree_total_size_deleteTaStateByThreadId by simp
have j23: "ree_total_size(REE_state ?t_teeState_deleteCurTa) = ree_total_size(REE_state ?t_removeTaMemInTee)"
by (simp add: ree_total_size_removeTaMemInTeeDomain)
have j24: "ree_total_size(REE_state ?t_removeTaMemInTee) = ree_total_size(REE_state ?t_removeTaMemInTee)"
by linarith
have j25: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state ?t_removeTaMemInTee)"
using j10 j11 j12 j13 j14 j16 j17 j18 j19 j20 j21 j22 j23 j5 j7 j8 j9 by presburger
have j26: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j27: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j28: "driver_mem(REE_state ?s_removeSess_inMgrTaSes) = driver_mem(REE_state ?s_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j29: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?s_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j30: "driver_mem(REE_state ?s_subRef) = driver_mem(REE_state ?s_removeTaInTaIns)"
by (simp add: driver_mem_removeTaInsInMgrInsList)
have j31: "driver_mem(REE_state ?s_removeTaInTaIns) = driver_mem(REE_state ?s_closeCurTaInsSessList)"
using driver_mem_addCloseSessionEvent2 by simp
have j32: "driver_mem(REE_state ?s_closeCurTaInsSessList) = driver_mem(REE_state ?s_teeState_deleteCurTa)"
using driver_mem_deleteTaStateByThreadId by simp
have j33: "driver_mem(REE_state ?s_teeState_deleteCurTa) = driver_mem(REE_state ?s_removeTaMemInTee)"
by (simp add: driver_mem_removeTaMemInTeeDomain)
have j34: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state ?s_removeTaMemInTee)"
by simp
have j35: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j36: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j37: "driver_mem(REE_state ?t_removeSess_inMgrTaSes) = driver_mem(REE_state ?t_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j38: "driver_mem(REE_state ?t_setNotBusy) = driver_mem(REE_state ?t_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j39: "driver_mem(REE_state ?t_subRef) = driver_mem(REE_state ?t_removeTaInTaIns)"
by (simp add: driver_mem_removeTaInsInMgrInsList)
have j40: "driver_mem(REE_state ?t_removeTaInTaIns) = driver_mem(REE_state ?t_closeCurTaInsSessList)"
using driver_mem_addCloseSessionEvent2 by simp
have j41: "driver_mem(REE_state ?t_closeCurTaInsSessList) = driver_mem(REE_state ?t_teeState_deleteCurTa)"
using driver_mem_deleteTaStateByThreadId by simp
have j42: "driver_mem(REE_state ?t_teeState_deleteCurTa) = driver_mem(REE_state ?t_removeTaMemInTee)"
by (simp add: driver_mem_removeTaMemInTeeDomain)
have j44: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state ?t_removeTaMemInTee)"
using j26 j27 j28 j29 j30 j31 j32 j33 j35 j36 j37 j38 j39 j40 j41 j42 j6 by presburger
have j13: "driver_mem(REE_state ?t_removeTaMemInTee) = driver_mem(REE_state t')"
by (simp add: c4)
have j14: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state s')"
by (simp add: c3)
have j15: "ree_total_size(REE_state ?t_removeTaMemInTee) = ree_total_size(REE_state t')"
by (simp add: c4)
have j16: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state s')"
by (simp add: c3)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16 j25 j44
by presburger
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson d17 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using d17 by auto
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (ownership x=d)}"
using tee_memories_removeTaInsInMgrInsList by fastforce
have h11: "{x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (ownership x=d)}"
using tee_memories_addCloseSessionEvent2 by auto
have h12: "{x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}"
using tee_memories_deleteTaStateByThreadId by auto
have h13: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h17: "{x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (ownership x=d)}"
using tee_memories_removeTaInsInMgrInsList by fastforce
have h18: "{x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (ownership x=d)}"
using tee_memories_addCloseSessionEvent2 by auto
have h19: "{x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}"
using tee_memories_deleteTaStateByThreadId by auto
have h20: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}"
using h14 h5 h7 tee_memories_addCloseSessionEvent2 tee_memories_deleteTaStateByThreadId tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef by force
have h21: "{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
proof (cases "d = (the ?servTid)")
case True
have h215: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa d"
using True
by simp
have h2151: "∀x::MemBlock. (ownership x=d⟶x∉set(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1
by blast
have h2152: "tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using h215 removeTaMemInTeeDomain_def prop6
by simp
have h217: "∀x::MemBlock. (ownership x=d⟶x∉set(tee_memories (TEE_state ?s_removeTaMemInTee)))"
using h2151 h2152
by simp
have h219: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa d"
using True a5
by simp
have h2191: "∀x::MemBlock. (ownership x=d⟶x∉set(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1
by blast
have h2192: "tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using h219 removeTaMemInTeeDomain_def prop6
by auto
have h218: "∀x. ownership x=d⟶x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))"
using h2191 h2192
by simp
show ?thesis
using h217 h218
by blast
next
case False
have h216: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
by simp
have h2111: "tee_memories (TEE_state ?s_removeTaMemInTee) = removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))"
using removeTaMemInTeeDomain_def h216 prop6
by blast
have h2112: "∀x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ownership x ≠ (the ?servTid) ⟶ x∈set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using h2111 prop3
by simp
have h211: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}"
using False removeTaMemInTeeDomain_def h216 prop2 h2111 h2112
by auto
have h212: "{x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
proof -{
have h2120: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid)"
using a5
by auto
have h2121: "tee_memories (TEE_state ?t_removeTaMemInTee) = removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))"
using removeTaMemInTeeDomain_def h2120 prop6
by simp
have h2122: "∀x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ownership x ≠ (the ?servTid) ⟶ x∈set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using h2120 prop6
by simp
show ?thesis
using h2120 h2121 h2122 removeTaMemInTeeDomain_def False prop2
by auto
}
qed
show ?thesis
using False h20 h211 h212
by simp
qed
have h22: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}"
using c3 by fastforce
have h23: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
using c4 by blast
have h24: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
by (simp add: h21 h22 h23)
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d16 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
by (meson d13 vpeq1_def)
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have e1: "¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using False by blast
have e2: "¬(?curMgrTaIns_refCnt_t = 0 ∧ (¬(?isKeepAlive_t = True ∧ ?isSingleInstance_t = True) | ?loginType_t = DTC_IDENTITY))"
using a5 d13 d4 e1 by presburger
have e3: "s' = ?s_subRef"
using TEEC_CloseSession4_def a10 e1 d1
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
have e4: "t' = ?t_subRef"
using TEEC_CloseSession4_def a11 e2 d2
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: c5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: c5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m20: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using m14 m5 m7 tee_memories_addCloseSessionEvent2 tee_memories_deleteTaStateByThreadId tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef by force
have m22: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m20
by (simp add: e3 e4)
then show ?thesis using m22
using m1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j9: "ree_total_size(REE_state ?s_removeSess_inMgrTaSes) = ree_total_size(REE_state ?s_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j10: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?s_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j17: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j18: "ree_total_size(REE_state ?t_removeSess_inMgrTaSes) = ree_total_size(REE_state ?t_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j19: "ree_total_size(REE_state ?t_setNotBusy) = ree_total_size(REE_state ?t_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j25: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?t_setNotBusy)"
using j16 j17 j18 j5 j7 j8 j9 by presburger
have j26: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j27: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j28: "driver_mem(REE_state ?s_removeSess_inMgrTaSes) = driver_mem(REE_state ?s_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j29: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?s_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j35: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j36: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j37: "driver_mem(REE_state ?t_removeSess_inMgrTaSes) = driver_mem(REE_state ?t_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j44: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?t_setNotBusy)"
using driver_mem_tee_setTaInsBusy j26 j27 j35 j36 j6 by presburger
have j13: "driver_mem(REE_state ?t_subRef) = driver_mem(REE_state t')"
using driver_mem_subtractMgrInsRef e4 j44 by auto
have j14: "driver_mem(REE_state ?s_subRef) = driver_mem(REE_state s')"
using e3 by fastforce
have j15: "ree_total_size(REE_state ?t_subRef) = ree_total_size(REE_state t')"
by (simp add: e4)
have j16: "ree_total_size(REE_state ?s_subRef) = ree_total_size(REE_state s')"
by (simp add: e3)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using driver_mem_subtractMgrInsRef j10 j13 j14 j15 j16 j19 j25 j26 j27 j28 j35 j36 j37 j6 by presburger
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson d17 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using d17 by auto
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h13: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h22: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
by (simp add: e3)
have h23: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
by (simp add: e4)
have h24: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using a3 h14 h15 h16 h22 h23 h3 h7 h8 h9 by force
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d16 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
by (meson d13 vpeq1_def)
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis
using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEEC_CloseSession4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEEC_CLOSESESSION4))"
using TEEC_CloseSession4_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
end