theory TEE_IPC_SEC
imports "../GPTEE_Instantiation" "./TEE_SEC_Common" "./TEEC_SEC_Common"
begin
section "TEE OpenTASession proof"
subsection "Integrity"
lemma TEE_OpenTASession1_integrity:
assumes p1: "a = hyperc (TEE_OPENTASESSION1)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEE_OpenTASession1 sysconf s)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEE_OpenTASession1 sysconf s)"
using exec_event_def a4 a3 by simp
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?clientId = "param1 ?p"
let ?serverId =" param2 ?p"
let ?ctx = "param5 ?p"
let ?time_out =" param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s1= "s⦇exec_prime:=tl ?exec⦈"
let ?param = "⦇param1=?clientId, param2=?serverId, param3=None,
param4=param4 ?p, param5=?ctx, param6=?time_out, param7=?in_params,
param8=?out_params, param9=None,param10=param10 ?p,param11=param11 ?p,param12=None, param13=None⦈"
let ?s2 =" ?s1⦇current:=TEE sysconf, exec_prime:=(?param, TEE_OP2)#(exec_prime ?s1)⦈"
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ the(?clientId)∨current s=REE sysconf∨current s=TEE sysconf∨(exec_prime s) ≠ []∨snd (hd (exec_prime s)) ≠ TEE_OP1")
case True
then have "s=fst(TEE_OpenTASession1 sysconf s)"
using TEE_OpenTASession1_def by simp
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ the(?clientId)∨current s=REE sysconf∨current s=TEE sysconf∨(exec_prime s) ≠ []∨snd (hd (exec_prime s)) ≠ TEE_OP1)" by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have b2:"(s ∼ d ∼ s') =vpeq_TEE s d s'"
using vpeq1_def True by auto
have b3:"TEE_state s =TEE_state s'"
proof -
{
have c1:"s' = (s⦇exec_prime:=tl ?exec⦈)⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP2)#(exec_prime (s⦇exec_prime:=tl ?exec⦈))⦈"
using a6 TEE_OpenTASession1_def b0 by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
then show ?thesis by simp
}
qed
then show ?thesis using b2 by auto
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then have b5:"(s ∼ d ∼ s') =vpeq_REE s d s'"
using vpeq1_def True using b4 by auto
have b6:"REE_state s =REE_state s'"
proof -
{
have c1:"s' = (s⦇exec_prime:=tl ?exec⦈)⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP2)#(exec_prime (s⦇exec_prime:=tl ?exec⦈))⦈"
using a6 TEE_OpenTASession1_def b0 by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
then show ?thesis by simp
}
qed
then show ?thesis using b6 b5 by auto
next
case False
then have b7:"d≠REE sysconf" by simp
have b8:"is_TA sysconf d" using b4 b7 by auto
then have b9:"(s ∼ d ∼ s') =vpeq_TA s d s'"
using vpeq1_def by auto
have b10:"TEE_state s =TEE_state s'"
proof -
{
have c1:"s' = (s⦇exec_prime:=tl ?exec⦈)⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP2)#(exec_prime (s⦇exec_prime:=tl ?exec⦈))⦈"
using a6 TEE_OpenTASession1_def b0 by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
then show ?thesis by simp
}
qed
then show ?thesis using b10 b9 by auto
qed
qed
qed
}
then show ?thesis by blast
qed
lemma TEE_OpenTASession1_integrity_e:
"integrity_e (hyperc (TEE_OPENTASESSION1))"
using TEE_OpenTASession1_integrity integrity_e_def
by fastforce
lemma TEE_OpenTASession2_integrity:
assumes p1: "a = hyperc (TEE_OPENTASESSION2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?cli = "the (param4 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEE_OpenTASession2 sysconf s)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEE_OpenTASession2 sysconf s)"
using exec_event_def a4 a3 by simp
have "(s ∼ d ∼ s')"
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEE_OP2")
case True
then have "s=fst(TEE_OpenTASession2 sysconf s)"
using TEE_OpenTASession2_def by auto
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEE_OP2)" by simp
then have b1:"current s=TEE sysconf" by simp
have b2:"(s ∼ d ∼ ?s0)" by auto
have b3:"(?s0 ∼ d ∼ s')"
proof(cases "d=TEE sysconf")
case True
show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
thus ?thesis using b2
using vpeq_transitive_lemma by blast
qed
}
then show ?thesis by blast
qed
lemma TEE_OpenTASession2_integrity_e:
"integrity_e (hyperc (TEE_OPENTASESSION2))"
using TEE_OpenTASession2_integrity integrity_e_def
by fastforce
lemma TEE_OpenTASession3_integrity:
assumes p1: "a = hyperc (TEE_OPENTASESSION3 sid)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?ses_id = "the (param2 ?p)"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?s1 = "initTAProcess ?s0 ?opt ?uuid ?ses_id"
let ?ta_ses= "(TA_sessions(the((TAs_state s) ?uuid)))"
let ?init1="(TA_instance_init(the((TAs_state s) ?uuid)))"
let ?s2 ="TA_OpenSessionEntryPoint sysconf ?s1 ?opt ?uuid"
let ?param="⦇param1=Some ?uuid,param2=Some ?ses_id,param3=None,param4=None,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=None, param13=Some TEE_SUCCESS⦈"
let ?s4= "?s2⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP4)#(exec_prime ?s2)⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst (TEE_OpenTASession3 sysconf s sid)}}"
using p1 exec_event_def
by auto
have a41: "s' = fst (TEE_OpenTASession3 sysconf s sid)" using a3 a4 by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6: "?domain ≠d" using a2 nintf_neq by blast
have a7: "?domain = (current s)" using domain_of_event_def
using p1 by auto
have "s∼ d ∼ s'"
proof(cases "?exec = []∨snd (hd ?exec)≠TEE_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨current s≠?uuid")
case True
then have "s=s'" using TEE_OpenTASession3_def a41
by (smt (z3) old.prod.inject prod.collapse)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "?exec ≠[]∧snd (hd ?exec) =TEE_OP3∧sid=?ses_id∧TEE sysconf≠current s∧REE sysconf≠current s∧current s=?uuid" by auto
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have b2:"(s ∼ d ∼ s') = vpeq_REE s d s'"
using tee_no_ree vpeq1_def by presburger
have b3:"ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s')"
proof -
{
have c1:"REE_state ?s0 =REE_state s"
by simp
have c2:"REE_state ?s0 =REE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_REE ?s1 =vpeq_REE s" using c1 c2 vpeq_REE_def
by presburger
have c4:"REE_state ?s2 = REE_state ?s1" using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE by blast
have c7:"vpeq_REE ?s4 d s" using c1 c2 c3 c4 by simp
have c8:"s'=?s4"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEE_OpenTASession3_def a41 fst_conv)
have c9:"vpeq_REE s' = vpeq_REE s"
using c7 c8 by fastforce
show ?thesis using c9 vpeq_REE_def by metis
} qed
show ?thesis using b3 b2 by simp
next
case False
then have b4:"d≠REE sysconf" by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have b5:"d=TEE sysconf" by simp
then have b6:"(s ∼ d ∼ s') = vpeq_TEE s d s'" by simp
have b7:"{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
proof -
{
have c1:"TEE_state ?s0 =TEE_state s"
by simp
have c2:"TEE_state ?s0 =TEE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_TEE ?s1 =vpeq_TEE s" using c1 c2 vpeq_TEE_def
by presburger
have c4:"vpeq_TEE ?s2 = vpeq_TEE ?s1" using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_TEE by fastforce
have c7:"vpeq_TEE ?s2 d s" using c3 c4
using vpeq_TEE_reflexive by presburger
have c8:"s'=?s4"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEE_OpenTASession3_def b1 a41 fst_conv)
have c9:"vpeq_TEE s' = vpeq_TEE s"
using c7 c8 by fastforce
show ?thesis using c9 vpeq_TEE_def
by (metis (mono_tags, lifting))
}qed
then show ?thesis using b6 b7 by simp
next
case False
then have b8:"is_TA sysconf d" using b4 by auto
then have b9:"(s ∼ d ∼ s') = vpeq_TA s d s'" by simp
show ?thesis
proof(cases "d=?uuid")
case True
then show ?thesis using a2 b1 by force
next
case False
then have b00:"d≠current s" using b1 by simp
have b10:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof -
{
have c1:"TEE_state ?s0 =TEE_state s"
by simp
have c2:"TEE_state ?s0 =TEE_state ?s1"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have c3:"vpeq_TA ?s1 =vpeq_TA s" using c1 c2 vpeq_TA_def
by presburger
have c4:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)}"
using TA_OpenSessionEntryPoint_def OpenSessionEntryPoint_not_change_other_TA b00
using False by blast
have c7:"vpeq_TA ?s2 d s" using c1 c2 c3 c4 by simp
have c8:"s'=?s4"
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) TEE_OpenTASession3_def b1 a41 fst_conv)
have c9:"vpeq_TA s' d s"
using c7 c8 vpeq_TA_def by auto
show ?thesis using c9 vpeq_TA_def
by (metis (mono_tags, lifting))
}qed
then show ?thesis using b9 b10 by simp
qed
qed
qed
qed
}
then show ?thesis by blast
qed
lemma TEE_OpenTASession3_integrity_e:
"integrity_e (hyperc (TEE_OPENTASESSION3 sid))"
using TEE_OpenTASession3_integrity integrity_e_def
by fastforce
lemma TEE_OpenTASession4_integrity:
assumes p1: "a = hyperc (TEE_OPENTASESSION4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof -
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "((the (domain_of_event s a)) ∖↝ d)"
assume a3: "(s,s') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?tid1 = "the(param1 ?p)"
let ?sesid = "the (param2 ?p)"
let ?cli = "the (param4 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
have a4: "exec_event a = {(s,s'). s'∈{fst(TEE_OpenTASession4 sysconf s)}}"
using p1 exec_event_def by auto
have a5: "s≠s'⟶((the (domain_of_event s a)) ∖↝ (TEE sysconf))"
by (metis a2 ins_no_intf_tee ins_tee_intf_all non_interference1_def)
have a6:"s'=fst(TEE_OpenTASession4 sysconf s)"
using exec_event_def a4 a3 by simp
have "(s ∼ d ∼ s')"
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEE_OP4")
case True
then have "s=fst(TEE_OpenTASession4 sysconf s)"
using TEE_OpenTASession4_def by auto
then show ?thesis
using a3 a4 by auto
next
case False
then have b0:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEE_OP4)" by simp
then have b1:"current s=TEE sysconf" by simp
have b2:"(s ∼ d ∼ ?s0)" by auto
have b3:"(?s0 ∼ d ∼ s')"
proof(cases "d=TEE sysconf")
case True
show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
thus ?thesis using b2
using vpeq_transitive_lemma by blast
qed
}
then show ?thesis by blast
qed
lemma TEE_OpenTASession4_integrity_e:
"integrity_e (hyperc (TEE_OPENTASESSION4))"
using TEE_OpenTASession4_integrity integrity_e_def
by fastforce
subsection "Confidentiality"
lemma TEE_OpenTASession1_weak_confidentiality:
assumes p1: "a = hyperc (TEE_OPENTASESSION1)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
have "s'∼d∼t'"
proof -
{
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?clientId = "param1 ?p"
let ?serverId =" param2 ?p"
let ?ctx = "param5 ?p"
let ?time_out =" param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s1= "s⦇exec_prime:=tl ?exec⦈"
let ?t1= "t⦇exec_prime:=tl ?exec⦈"
let ?param = "⦇param1=?clientId, param2=?serverId, param3=None,
param4=param4 ?p, param5=?ctx, param6=?time_out, param7=?in_params,
param8=?out_params, param9=None,param10=param10 ?p,param11=param11 ?p,param12=None, param13=None⦈"
let ?s2 =" ?s1⦇current:=TEE sysconf, exec_prime:=(?param, TEE_OP2)#(exec_prime ?s1)⦈"
let ?t2 =" ?t1⦇current:=TEE sysconf, exec_prime:=(?param, TEE_OP2)#(exec_prime ?t1)⦈"
have b1:"s'=fst(TEE_OpenTASession1 sysconf s )"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEE_OpenTASession1 sysconf t )"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s ≠ the(?clientId)∨current s=REE sysconf∨current s=TEE sysconf∨(exec_prime s) ≠ []∨snd (hd (exec_prime s)) ≠ TEE_OP1")
case True
have b11:"s=fst(TEE_OpenTASession1 sysconf s)" using TEE_OpenTASession1_def True b1 by simp
have b12:"t=fst(TEE_OpenTASession1 sysconf t)" using TEE_OpenTASession1_def True b2 a31 b3 by simp
then show ?thesis using TEE_OpenTASession1_def a3 b11 b12 b1 b2 by metis
next
case False
have c1:"¬ (current s ≠ the(?clientId)∨current s=REE sysconf∨current s=TEE sysconf∨(exec_prime s) ≠ []∨snd (hd (exec_prime s)) ≠ TEE_OP1)"
using False by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using a5 interference1_def domain_of_event_def
by (metis c1 ins_no_intf_tee option.sel)
next
case False
then have c2:"d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using a5 interference1_def domain_of_event_def
by (metis c1 ins_no_intf_tee option.sel)
next
case False
then have c22:"is_TA sysconf d" using c2 by auto
then show ?thesis
proof -
{
have d1:"(s'∼d∼t') = (vpeq_TA s' d t')"
using vpeq1_def c22 by fastforce
have d3:"s'=?s2" using b1 c1 TEE_OpenTASession1_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have d4:"?t2 = t⦇current:=TEE sysconf, exec_prime:=(?param, TEE_OP2)#(tl (exec_prime t))⦈"
using TEE_OpenTASession1_def b1 c1 a31 by auto
have d5:"t'=?t2" using b2 c1 d4 a31 b3 TEE_OpenTASession1_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have d6:"TEE_state s' =TEE_state s" using d3 a113 by auto
have d7:"TEE_state t' =TEE_state t" using d5 a113 by auto
then show ?thesis using d6 d7 a3 d1 c22 by fastforce
}
qed
qed
qed
qed
}
qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_OpenTASession1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_OPENTASESSION1))"
using TEE_OpenTASession1_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEE_OpenTASession2_weak_confidentiality:
assumes p1: "a = hyperc (TEE_OPENTASESSION2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a32: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?exec_t = "exec_prime t"
let ?p = "fst (hd (?exec))"
let ?opt = "the(param3 ?p)"
let ?realctid = "the (param2 ?p)"
let ?cli = "the (param4 ?p)"
let ?uuid = "the (id ?cli)"
let ?ctx1 = "the (param5 ?p)"
let ?mem_t0 = "(the (param10 ?p),the (param11 ?p))"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEE_OpenTASession2 sysconf s)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEE_OpenTASession2 sysconf t)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEE_OP2")
case True
then have z1:"s=fst(TEE_OpenTASession2 sysconf s)"
using TEE_OpenTASession2_def by auto
have z2:"t=fst(TEE_OpenTASession2 sysconf t)"
using TEE_OpenTASession2_def True a31 b3 by auto
show ?thesis
using z1 z2 b1 b2 a3 by argo
next
case False
then have b4:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEE_OP2)" by simp
then have b5:"current s=TEE sysconf" by simp
have final:"s'∼ d ∼ t'"
proof -
{
let ?r1="newSessionId ?s0"
let ?ses_id = "fst ?r1"
let ?s1="addMgrSession ?s0 ?ses_id"
let ?attr = "findInstanceATTRInMgr ?s1 ?uuid"
let ?load_result = "LoadNewTA2 sysconf ?s1 ?uuid ?opt ?ses_id ?cli ?ctx1 ?mem_t0"
let ?r1_t="newSessionId ?t0"
let ?ses_id_t = "fst ?r1_t"
let ?t1="addMgrSession ?t0 ?ses_id_t"
let ?attr_t = "findInstanceATTRInMgr ?t1 ?uuid"
let ?load_result_t = "LoadNewTA2 sysconf ?t1 ?uuid ?opt ?ses_id_t ?cli ?ctx1 ?mem_t0"
let ?s2 = "fst ?load_result"
let ?t2 = "fst ?load_result_t"
let ?ls1="fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)"
let ?lt1="fst(addMgrInstance ?t1 sysconf ?uuid ?ses_id_t)"
let ?tid="snd((addMgrInstance ?s1 sysconf ?uuid ?ses_id))"
let ?tid_t="snd((addMgrInstance ?t1 sysconf ?uuid ?ses_id_t))"
let ?mem_tl = "TEE_pre_process ?mem_t0 ?tid"
let ?mem_tlft = "TEE_pre_process ?mem_t0 ?tid_t"
let ?ls2 = "TA_Memory_Init ?ls1 sysconf bin_mem_size ?tid"
let ?lt2 = "TA_Memory_Init ?lt1 sysconf bin_mem_size ?tid_t"
let ?size1 =bin_mem_size
let ?smid = "(let
new_total = (tee_total_size (TEE_state ?ls1)) -?size1;
new_memList = ⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈#(tee_memories(TEE_state ?ls1));
s1 = ?ls1⦇TEE_state:=(TEE_state ?ls1)
⦇tee_total_size := new_total, tee_memories := new_memList,
ta_mgr:=ta_mgr(TEE_state ?ls1)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?ls1))+1 ⦈⦈⦈ in s1)"
let ?tmid = "(let
new_total = (tee_total_size (TEE_state ?lt1)) -?size1;
new_memList = ⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈#(tee_memories(TEE_state ?lt1));
s1 = ?lt1⦇TEE_state:=(TEE_state ?lt1)
⦇tee_total_size := new_total, tee_memories := new_memList,
ta_mgr:=ta_mgr(TEE_state ?lt1)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?lt1))+1 ⦈⦈⦈ in s1)"
let ?ls3 = "InitMgrSession (fst ?ls2) ?cli ?ses_id ?tid"
let ?lt3 = "InitMgrSession (fst ?lt2) ?cli ?ses_id_t ?tid_t"
let ?ls4 = "?ls3⦇current:=?tid,exec_prime:=(⦇param1=Some ?tid,param2=Some ?ses_id,param3=Some ?opt,param4=None,param5=Some ?ctx1
,param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?mem_tl),param11=Some(snd ?mem_tl),param12=None, param13=None⦈,TEE_OP3)#(exec_prime ?ls3)⦈"
let ?lt4 = "?lt3⦇current:=?tid_t,exec_prime:=(⦇param1=Some ?tid_t,param2=Some ?ses_id_t,param3=Some ?opt,param4=None,param5=Some ?ctx1
,param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?mem_tlft),param11=Some(snd ?mem_tlft),param12=None, param13=None⦈,TEE_OP3)#(exec_prime ?lt3)⦈"
let ?ins_lst =" (mgr_ta_instances (ta_mgr (TEE_state ?s0)))"
let ?ins_lst_t =" (mgr_ta_instances (ta_mgr (TEE_state ?t0)))"
let ?cur_instance =" (SOME a. a∈set ?ins_lst ∧ ta_id a = ?uuid)"
let ?cur_instance_t =" (SOME a. a∈set ?ins_lst_t ∧ ta_id a = ?uuid)"
let ?cnt = "(reference_cnt ?cur_instance)"
let ?b = "busy ?cur_instance"
let ?tid1 = "cur_ta_thread_id ?cur_instance"
let ?tid1_t = "cur_ta_thread_id ?cur_instance_t"
let ?mem_ta = "TEE_pre_process ?mem_t0 ?tid1"
let ?mem_tft = "TEE_pre_process ?mem_t0 ?tid1_t"
let ?param = "⦇param1=Some ?tid1,param2=Some ?ses_id,param3=Some ?opt,param4=None,param5=Some ?ctx1,
param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?mem_ta),param11=Some(snd ?mem_ta),param12=None, param13=None⦈"
let ?param_t = "⦇param1=Some ?tid1_t,param2=Some ?ses_id_t,param3=Some ?opt,param4=None,param5=Some ?ctx1,
param6=None,param7=None,param8=None,param9=None
,param10=Some(fst ?mem_tft),param11=Some(snd ?mem_tft),param12=None, param13=None⦈"
let ?s3="plusRefInstance ?s1 ?uuid"
let ?s4="InitMgrSession ?s3 ?cli ?ses_id ?tid1"
let ?s5="setBusyInstance ?s4 ?uuid"
let ?s6="?s5⦇current:=?tid1,exec_prime:=(?param,TEE_OP3)#(exec_prime ?s5)⦈"
let ?t3="plusRefInstance ?t1 ?uuid"
let ?t4="InitMgrSession ?t3 ?cli ?ses_id_t ?tid1"
let ?t5="setBusyInstance ?t4 ?uuid"
let ?t6="?t5⦇current:=?tid1_t,exec_prime:=(?param,TEE_OP3)#(exec_prime ?t5)⦈"
have e2:"newMemBlockID3 ?ls1 =newMemBlockID3 ?lt1"
using a32 addMgrSession_not_change_BID addMgrInstance_not_change_BID
using newMemBlockID3_def by fastforce
have e22:"BIDpointer(ta_mgr(TEE_state ?ls1)) = BIDpointer(ta_mgr(TEE_state ?lt1))"
using a32 addMgrSession_not_change_BID addMgrInstance_not_change_BID
using newMemBlockID3_def by fastforce
have e23:"BIDpointer(ta_mgr(TEE_state ?smid)) = BIDpointer(ta_mgr(TEE_state ?ls1)) +1" by auto
have e24:"BIDpointer(ta_mgr(TEE_state ?tmid)) = BIDpointer(ta_mgr(TEE_state ?lt1)) +1" by auto
have e3:"newMemBlockID3 ?smid=newMemBlockID3 ?tmid" using e22 newMemBlockID3_def e23 e24
by presburger
have a9:"ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a32 by auto
have a91:"ta_mgr(TEE_state ?s0) = ta_mgr(TEE_state ?t0)" using a9 by simp
have a10:"?r1=?r1_t" using newSessionId_def a9 by simp
have c11:"ta_mgr(TEE_state ?s1) = ta_mgr(TEE_state ?t1)" using a91 a10 addMgrSession_def by simp
have c12:"tee_memories (TEE_state ?s1) = tee_memories (TEE_state ?s0)"using addMgrSession_def by simp
have c13:"tee_memories (TEE_state ?t1) = tee_memories (TEE_state ?t0)" using addMgrSession_def by auto
have c2:"?attr=?attr_t"
proof -
{
have c21:"(∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid)
=(∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?t1))) ∧ ta_id a = ?uuid) "
using c11 by auto
show ?thesis
proof(cases "∃a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid")
case True
have z1:"?attr=(Some (attribute (SOME a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?s1))) ∧ ta_id a = ?uuid)))"
using findInstanceATTRInMgr_def True
by (smt (verit, ccfv_SIG) Eps_cong)
have z2:"?attr_t=(Some (attribute (SOME a. a∈set (mgr_ta_instances (ta_mgr (TEE_state ?t1))) ∧ ta_id a = ?uuid)))"
using findInstanceATTRInMgr_def True a10
using c11 z1 by fastforce
then show ?thesis using z1 z2 c11 by simp
next
case False
have z1:"?attr = None" using findInstanceATTRInMgr_def False by simp
have z2:"?attr_t=None" using findInstanceATTRInMgr_def False c21 by simp
then show ?thesis using z1 z2 by auto
qed
}
qed
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have d1:"d=TEE sysconf" by simp
have d2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" using d1 by simp
have c0:"vpeq_TEE ?s0 d ?t0" using vpeq_TEE_def a9 a3 d1 by fastforce
have c01:"{x ∈ set (tee_memories (TEE_state ?s0)). block_id x = 0} = {x ∈ set (tee_memories (TEE_state ?t0)). block_id x = 0}" using c0 vpeq_TEE_def by blast
have c14:"{x ∈ set (tee_memories (TEE_state ?s1)). block_id x = 0}
= {x ∈ set (tee_memories (TEE_state ?t1)). block_id x = 0}" using c12 c13 c01 by auto
have d3:"vpeq_TEE ?s1 d ?t1" using vpeq_TEE_def c11 c14 by blast
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_TEE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TEE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z13:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z14:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z15:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)}" using z13 z14
using addMgrInstance_not_change_TEE_mem c14 by presburger
have z16:"vpeq_TEE (fst ?ls2) d (fst ?lt2)" using z15 by simp
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ (block_id x=0)}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TEE ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TEE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TEE (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_TEE (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_TEE (?ls4) d (?s2)" using LoadNewTA2_def False z20
State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive)
have z23:"vpeq_TEE (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive)
have z24:"vpeq_TEE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def b4 ioctrl2_def z1
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 a10
by (smt (verit, del_insts) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEE_OpenTASession2_def b1 b4 ioctrl2_def z1 z2 z3
by (smt (verit) Eps_cong State.fold_congs(6) fst_conv)
have z5:"t'=?t0" using TEE_OpenTASession2_def b2 b4 ioctrl2_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_TEE ?s3 d ?s1" using plusRefInstance_not_change_TEE_mem by auto
have z8:"vpeq_TEE ?s4 d ?s3" using InitMgrSession_not_change_TEE_mem by auto
have z9:"vpeq_TEE ?s5 d ?s4" using setBusyInstance_not_change_TEE_mem by auto
have z10:"vpeq_TEE ?s6 d ?s5" using a113 by simp
have z71:"vpeq_TEE ?t3 d ?t1" using plusRefInstance_not_change_TEE_mem by auto
have z81:"vpeq_TEE ?t4 d ?t3" using InitMgrSession_not_change_TEE_mem by auto
have z91:"vpeq_TEE ?t5 d ?t4" using setBusyInstance_not_change_TEE_mem by auto
have z101:"vpeq_TEE ?t6 d ?t5" using a113 by simp
have z11:"vpeq_TEE ?s6 d s" using z7 z8 z9 z10 c12 by auto
have z111:"vpeq_TEE ?t6 d t" using z71 z81 z91 z101 c13 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def b1 b4 fst_conv ioctrl2_def z1 z2 z6)
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl2_def z1 z2 z6 a10)
have z16:"vpeq_TEE s d t" using a3 d1 vpeq1_def by simp
then show ?thesis using z14 z15 z11 z111 a3 d1 z16 by auto
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_TEE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TEE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z13:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z14:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ (block_id x=0)}" using TA_Memory_Init_def TA_Memory_Init_not_change_TEE by blast
have z15:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ (block_id x=0)}" using z13 z14
using addMgrInstance_not_change_TEE_mem c14 by presburger
have z16:"vpeq_TEE (fst ?ls2) d (fst ?lt2)" using z15 by simp
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ (block_id x=0)}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TEE ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TEE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TEE (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_TEE (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_TEE (?ls4) d (?s2)" using LoadNewTA2_def False z20
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive)
have z23:"vpeq_TEE (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TEE_symmetric vpeq_TEE_transitive )
have z24:"vpeq_TEE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def c2 b4 ioctrl2_def z1 z222
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 z222
by (smt (verit, del_insts) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
next
case False
then have d0: "d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then have d1:"d=REE sysconf" by simp
have d2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using d1 vpeq1_def False by auto
have c0:"vpeq_REE ?s0 d ?t0" using vpeq_REE_def d1 a3 False by auto
have d3:"vpeq_REE ?s1 d ?t1" using vpeq_TEE_def c0
using addMgrSession_not_change_REE by fastforce
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_REE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_REE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_REE addMgrInstance_def a10
by (smt (verit, del_insts) State.select_convs(3) State.surjective State.update_convs(2) State.update_convs(4) fst_conv vpeq_REE_def)
have z14:"REE_state (fst ?ls2)=REE_state ( ?ls1)" using TA_Memory_Init_not_change_REE by simp
have z15:"REE_state (fst ?lt2)=REE_state ( ?lt1)" using TA_Memory_Init_not_change_REE by simp
have z16:"vpeq_REE (fst ?ls2) d (fst ?lt2)" using z14 z15 e1 by auto
have z18:"vpeq_REE ( ?ls3) d ( ?lt3)" using z16 InitMgrSession_not_change_REE by auto
have z19:"vpeq_REE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_REE (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_REE (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_REE (?ls4) d (?s2)" using LoadNewTA2_def False z20 a31
by (smt (verit, best) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z23:"vpeq_REE (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z24:"vpeq_REE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def b4 ioctrl2_def z1
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 a10
by (smt (z3) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 using d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEE_OpenTASession2_def b1 b4 ioctrl2_def z1 z2 z3 b3 x11
Eps_cong State.fold_congs(6) old.prod.inject prod.collapse
by (smt (verit, ccfv_SIG))
have z5:"t'=?t0" using TEE_OpenTASession2_def b2 b4 ioctrl2_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_REE ?s3 d ?s1" using plusRefInstance_not_change_REE by auto
have z8:"vpeq_REE ?s4 d ?s3" using InitMgrSession_not_change_REE by auto
have z9:"vpeq_REE ?s5 d ?s4" using setBusyInstance_not_change_REE by auto
have z10:"vpeq_REE ?s6 d ?s5" using a113 by simp
have z71:"vpeq_REE ?t3 d ?t1" using plusRefInstance_not_change_REE by auto
have z81:"vpeq_REE ?t4 d ?t3" using InitMgrSession_not_change_REE by auto
have z91:"vpeq_REE ?t5 d ?t4" using setBusyInstance_not_change_REE by auto
have z101:"vpeq_REE ?t6 d ?t5" using a113 by simp
have c21:"vpeq_REE ?s1 d s" using addMgrSession_not_change_REE addMgrSession_def a114 by simp
have c31:"vpeq_REE ?t1 d t" using addMgrSession_not_change_REE addMgrSession_def a114 by simp
have z11:"vpeq_REE ?s5 d s" using z7 z8 z9 z10 c21 by auto
have z111:"vpeq_REE ?t5 d t" using z71 z81 z91 z101 c31 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def b1 b4 fst_conv ioctrl2_def z1 z2 z6 )
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl2_def z1 z2 z6 a10)
have z16:"vpeq_REE s d t" using a3 d1 vpeq1_def d0 by simp
then show ?thesis using z14 z15 z11 z111 a3 d1 z16 d0 by auto
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_REE ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_REE ?ls1 d ?lt1" using d3 addMgrInstance_not_change_REE addMgrInstance_def a10
by (smt (verit, del_insts) State.select_convs(3) State.surjective State.update_convs(2) State.update_convs(4) fst_conv vpeq_REE_def)
have z14:"REE_state (fst ?ls2)=REE_state ( ?ls1)" using TA_Memory_Init_not_change_REE by simp
have z15:"REE_state (fst ?lt2)=REE_state ( ?lt1)" using TA_Memory_Init_not_change_REE by simp
have z16:"vpeq_REE (fst ?ls2) d (fst ?lt2)" using z14 z15 e1 by auto
have z18:"vpeq_REE ( ?ls3) d ( ?lt3)" using z16 InitMgrSession_not_change_REE InitMgrSession_def by auto
have z19:"vpeq_REE (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_REE (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_REE (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_REE (?ls4) d (?s2)" using LoadNewTA2_def False z20 a31
by (smt (verit, best) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z23:"vpeq_REE (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_REE_reflexive)
have z24:"vpeq_REE (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def c2 b4 ioctrl2_def z1 z222
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 z222
by (smt (verit, del_insts) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
next
case False
then have d1:"is_TA sysconf d" using d0 is_TA_def by auto
have d2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" using d1 by simp
have c0:"vpeq_TA ?s0 d ?t0" using vpeq_TA_def a9 a3 d1 by fastforce
have c01:"{x ∈ set (tee_memories (TEE_state ?s0)). ownership x = d} = {x ∈ set (tee_memories (TEE_state ?t0)). ownership x = d}" using c0 vpeq_TA_def by blast
have c14:"{x ∈ set (tee_memories (TEE_state ?s1)). ownership x = d}
= {x ∈ set (tee_memories (TEE_state ?t1)). ownership x = d}" using c12 c13 c01 by auto
have d3:"vpeq_TA ?s1 d ?t1" using vpeq_TA_def c11 c14 by blast
show ?thesis
proof(cases "?attr=None")
case True
then have z1:"?attr=None" by simp
have c3:"vpeq_TA ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have e1:"vpeq_TA ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z111:"?tid=newInstancethread ?s1" using addMgrInstance_def
by (metis snd_conv)
have z112:"?tid_t=newInstancethread ?t1" using addMgrInstance_def
by (metis snd_conv)
have z113:"?tid=?tid_t" using z111 z112 newInstancethread_def c11 by simp
have z16:"vpeq_TA (fst ?ls2) d (fst ?lt2)"
proof -
{
show ?thesis
proof(cases "d≠?tid")
case True
have z161:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True by blast
have z162:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True a10 z113 by fastforce
show ?thesis using z161 z162 e1 by simp
next
case False
have z163:"(fst ?ls2)=(let new_total1 = (tee_total_size (TEE_state ?smid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?smid));
s2 =?smid⦇TEE_state:=(TEE_state ?smid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?smid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?smid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z164:"(fst ?lt2)=(let new_total1 = (tee_total_size (TEE_state ?tmid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?tmid));
s2 =?tmid⦇TEE_state:=(TEE_state ?tmid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?tmid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?tmid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z165:"⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈ =
⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈" using z113 e2 by simp
have z166:"⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈=
⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈" using z113 e3 by simp
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
then show ?thesis using z163 z164 z113 e1 False z166 z167 by auto
qed
}qed
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ ownership x = d}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TA ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TA (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TA (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_TA (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_TA (?ls4) d (?s2)" using LoadNewTA2_def False z20 a31
by (smt (verit, best) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z23:"vpeq_TA (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z24:"vpeq_TA (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def b4 ioctrl2_def z1
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 a10
by (smt (z3) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 using d2 by blast
next
case False
then have z1:"?attr≠None" by simp
have x11:"?attr_t≠None" using z1 c2 by simp
show ?thesis
proof(cases "singleInstance (the ?attr) = True")
case True
then have z2:"singleInstance (the ?attr) = True" by simp
have z21:"singleInstance (the ?attr_t) = True" using z2 c2 by simp
then show ?thesis
proof(cases "(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True")
case True
then have z3:"(multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True" by simp
have z31:"(multiSession (the ?attr_t) = False ∧ ?cnt ≠ 0)∨?b = True" using z3 c2 by simp
have z4:"s'=?s0" using TEE_OpenTASession2_def b1 b4 ioctrl2_def z1 z2 z3 x11
by (smt (verit) Eps_cong State.fold_congs(6) fst_conv)
have z5:"t'=?t0" using TEE_OpenTASession2_def b2 b4 ioctrl2_def x11 z21 z31 a31 b3 a91
by (smt (z3) Eps_cong State.fold_congs(6) prod.collapse prod.inject)
show ?thesis using z4 z5 c0 d2 by simp
next
case False
then have z6:"¬((multiSession (the ?attr) = False ∧ ?cnt ≠ 0)∨?b = True)" by simp
have z7:"vpeq_TA ?s3 d ?s1" using plusRefInstance_not_change_TEE_mem by auto
have z8:"vpeq_TA ?s4 d ?s3" using InitMgrSession_not_change_TEE_mem by auto
have z9:"vpeq_TA ?s5 d ?s4" using setBusyInstance_not_change_TEE_mem by auto
have z10:"vpeq_TA ?s6 d ?s5" using a113 by simp
have z71:"vpeq_TA ?t3 d ?t1" using plusRefInstance_not_change_TEE_mem by auto
have z81:"vpeq_TA ?t4 d ?t3" using InitMgrSession_not_change_TEE_mem by auto
have z91:"vpeq_TA ?t5 d ?t4" using setBusyInstance_not_change_TEE_mem by auto
have z101:"vpeq_TA ?t6 d ?t5" using a113 by simp
have z11:"vpeq_TA ?s5 d s" using z7 z8 z9 z10 c12 by auto
have z111:"vpeq_TA ?t5 d t" using z71 z81 z91 z101 c13 by auto
have z14:" s'= ?s6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def b1 b4 fst_conv ioctrl2_def z1 z2 z6 )
have z15:"t'=?t6"
by (smt (verit) State.unfold_congs(1) Eps_cong State.unfold_congs(6) TEE_OpenTASession2_def a31 a91 b2 b3 b4 c2 fst_conv ioctrl2_def z1 z2 z6 a10)
have z16:"vpeq_TA s d t" using a3 d1 vpeq1_def by auto
show ?thesis using z14 z15 z16 z11 z111 d2 by auto
qed
next
case False
then have z222:"singleInstance (the ?attr) ≠ True" by simp
have c3:"vpeq_TA ?s2 d ?t2"
proof -
{
let ?load="(Load_TA_Service sysconf (Some ?uuid))"
show ?thesis
proof(cases "fst(?load)≠TEEC_SUCCESS")
case True
have z3:"?s2=?s1" using LoadNewTA2_def True by auto
have z4:"?t2=?t1" using LoadNewTA2_def True by auto
then show ?thesis using z3 z4 d3 by simp
next
case False
have z9:"(let attr = getATTRfromBin sysconf ?uuid;
ctid = (newInstancethread ?s1) in
⦇ta_id=?uuid,cur_ta_session_list=[?ses_id],reference_cnt=1,
busy=True,cur_ta_thread_id=ctid,attribute=attr⦈) =
(let attr = getATTRfromBin sysconf ?uuid;
ctid = (newInstancethread ?t1) in
⦇ta_id=?uuid,cur_ta_session_list=[?ses_id_t],reference_cnt=1,
busy=True,cur_ta_thread_id=ctid,attribute=attr⦈)" using a10
using c11 newInstancethread_def by auto
have e1:"vpeq_TA ?ls1 d ?lt1" using d3 addMgrInstance_not_change_TEE_mem by auto
have z111:"?tid=newInstancethread ?s1" using addMgrInstance_def
by (metis snd_conv)
have z112:"?tid_t=newInstancethread ?t1" using addMgrInstance_def
by (metis snd_conv)
have z113:"?tid=?tid_t" using z111 z112 newInstancethread_def c11 by simp
have z16:"vpeq_TA (fst ?ls2) d (fst ?lt2)"
proof -
{
show ?thesis
proof(cases "d≠?tid")
case True
have z161:"{x. x∈set(tee_memories (TEE_state (fst ?ls2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?ls1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True by blast
have z162:"{x. x∈set(tee_memories (TEE_state (fst ?lt2)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt1)))∧ ownership x = d}"
using TA_Memory_Init_not_change_otherTA TA_Memory_Init_def True a10 z113 by fastforce
show ?thesis using z161 z162 e1 by simp
next
case False
have z163:"(fst ?ls2)=(let new_total1 = (tee_total_size (TEE_state ?smid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?smid));
s2 =?smid⦇TEE_state:=(TEE_state ?smid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?smid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?smid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z164:"(fst ?lt2)=(let new_total1 = (tee_total_size (TEE_state ?tmid)) -?size1;
new_memList1 = ⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈#(tee_memories(TEE_state ?tmid));
s2 =?tmid⦇TEE_state:=(TEE_state ?tmid)
⦇tee_total_size := new_total1, tee_memories := new_memList1,
ta_mgr:=ta_mgr(TEE_state ?tmid)⦇BIDpointer:=BIDpointer(ta_mgr (TEE_state ?tmid))+1 ⦈⦈⦈ in
s2)" using TA_Memory_Init_def by (metis fst_conv)
have z165:"⦇block_id = newMemBlockID3 ?ls1,size=?size1,ownership = ?tid,
access_right =(λx. None)(?tid:=Some READWRITE) ,is_SecureMem=True,related= None⦈ =
⦇block_id = newMemBlockID3 ?lt1,size=?size1,ownership = ?tid_t,
access_right =(λx. None)(?tid_t:=Some READWRITE) ,is_SecureMem=True,related= None⦈" using z113 e2 by simp
have z166:"⦇block_id = newMemBlockID3 ?smid,size=?size1,ownership = ?tid,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈=
⦇block_id = newMemBlockID3 ?tmid,size=?size1,ownership = ?tid_t,
access_right = (λx. None)((TEE sysconf):=Some READ) ,is_SecureMem=True,related =None⦈" using z113 e3 by simp
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
have z167:"vpeq_TA ?smid d ?tmid" using e1 False z165 by auto
then show ?thesis using z163 z164 z113 e1 False z166 z167 by auto
qed
}qed
have z17:"{x. x∈set(tee_memories (TEE_state (?ls3)))∧ ownership x = d} =
{x. x∈set(tee_memories (TEE_state ( ?lt3)))∧ ownership x = d}" using InitMgrSession_not_change_TEE_mem z16 by simp
have z18:"vpeq_TA ( ?ls3) d ( ?lt3)" using z17 by simp
have z19:"vpeq_TA (?ls4) d (?lt4)" using a113 z18 by simp
have z21:"?ls3= (InitMgrSession (fst (TA_Memory_Init (fst(addMgrInstance ?s1 sysconf ?uuid ?ses_id)) sysconf bin_mem_size ?tid)) ?cli ?ses_id ?tid) " by blast
have z20:"vpeq_TA (?ls3) d (?ls4)" using LoadNewTA2_def False a113 by simp
have z200:"vpeq_TA (?lt3) d (?lt4)" using LoadNewTA2_def False a113 by simp
have z22:"vpeq_TA (?ls4) d (?s2)" using LoadNewTA2_def False z20 a31
by (smt (verit, best) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z23:"vpeq_TA (?lt4) d (?t2)" using LoadNewTA2_def False z200
by (smt (z3) State.fold_congs(1) State.fold_congs(6) fst_conv vpeq_TA_reflexive)
have z24:"vpeq_TA (?s2) d (?t2)" using z22 z23 z19 by simp
then show ?thesis using LoadNewTA2_def z24 by blast
qed
}qed
have c4:"s'=?s2" using b1 TEE_OpenTASession2_def c2 b4 ioctrl2_def z1 z222
by (smt (verit, ccfv_SIG) State.fold_congs(6) fstI)
have c5:"t'=?t2" using b2 TEE_OpenTASession2_def a31 b3 b4 ioctrl2_def z1 c2 z222
by (smt (verit, del_insts) State.fold_congs(6) fst_conv)
show ?thesis using c3 c4 c5 using d2 by blast
qed
qed
qed
qed
}
qed
then show ?thesis by blast
qed
}qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_OpenTASession2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_OPENTASESSION2))"
using TEE_OpenTASession2_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEE_OpenTASession3_weak_confidentiality:
assumes p1: "a = hyperc (TEE_OPENTASESSION3 sid)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?p = "fst (hd (?exec))"
let ?ses_id = "the (param2 ?p)"
let ?opt = "the(param3 ?p)"
let ?uuid = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?s1 = "initTAProcess ?s0 ?opt ?uuid ?ses_id"
let ?ta_ses= "(TA_sessions(the((TAs_state s) ?uuid)))"
let ?init1="(TA_instance_init(the((TAs_state s) ?uuid)))"
let ?s2 ="TA_OpenSessionEntryPoint sysconf ?s1 ?opt ?uuid"
let ?exec_t = "exec_prime s"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
let ?t1 = "initTAProcess ?t0 ?opt ?uuid ?ses_id"
let ?ta_ses_t= "(TA_sessions(the((TAs_state t) ?uuid)))"
let ?init1_t="(TA_instance_init(the((TAs_state t) ?uuid)))"
let ?t2 ="TA_OpenSessionEntryPoint sysconf ?t1 ?opt ?uuid"
let ?param="⦇param1=Some ?uuid,param2=Some ?ses_id,param3=None,param4=None,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=None,param13=Some TEE_SUCCESS⦈"
let ?s4= "?s2⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP4)#(exec_prime ?s2)⦈"
let ?t4= "?t2⦇current:=TEE sysconf,exec_prime:=(?param,TEE_OP4)#(exec_prime ?t2)⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEE_OpenTASession3 sysconf s sid)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEE_OpenTASession3 sysconf t sid)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "?exec = []∨snd (hd ?exec)≠TEE_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s")
case True
then have c1:"?exec = []∨snd (hd ?exec)≠TEE_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s" by simp
have c2:"s'=s" using c1 b1 TEE_OpenTASession3_def by auto
have c3:"t'=t" using c1 b2 TEE_OpenTASession3_def a31 b3 by auto
then show ?thesis using a3 c2 c3 by blast
next
case False
then have c4:"¬(?exec = []∨snd (hd ?exec)≠TEE_OP3∨sid≠?ses_id∨TEE sysconf=current s∨REE sysconf=current s∨?uuid≠current s)" by simp
then have c5:"is_TA sysconf (current s)" using is_TA_def by blast
show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using a5 c5 by auto
next
case False
then have c6:"d≠TEE sysconf" by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using a5 c5 by auto
next
case False
then have c7:"is_TA sysconf d" using is_TA_def c6 by blast
show ?thesis
proof(cases "d=current s")
case False
then show ?thesis using a5 domain_of_event_def c5 interference1_def by auto
next
case True
then have c71:"d=current s" by simp
then have c72:"d=?uuid" using c4 by simp
have c73:"(s'∼d∼t') = (vpeq_TA s' d t')" using c7 by auto
have c74:"vpeq_TA s d t" using c7 a3 by fastforce
have c8:"{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
proof -
{
have d1:"{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s0))∧ (ownership x=d)}"
by simp
have d2:"{x. x∈set(tee_memories (TEE_state ?s0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
proof(cases "(∃a. a∈set(?ta_ses)∧a=?ses_id)")
case True
then have "?s1=?s0" using initTAProcess_def by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1 =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have d3:"{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}" using d1 d2 vpeq_TA_def
by presburger
have d4:"{x. x∈set(tee_memories (TEE_state ?t0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by simp
have d5:"{x. x∈set(tee_memories (TEE_state ?t0))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
proof(cases "(∃a. a∈set(?ta_ses_t)∧a=?ses_id)")
case True
then have "?t1=?t0" using initTAProcess_def a31 b3 by simp
then show ?thesis
by simp
next
case False
then show ?thesis
proof(cases "?init1_t =False")
case True
then show ?thesis using initTAProcess_def addTASession_def TA_CreateEntryPoint_def
by auto
next
case False
then show ?thesis using initTAProcess_def addTASession_def
by simp
qed
qed
have d6:"{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}" using d4 d5 vpeq_TA_def
by presburger
have d7:"vpeq_TA ?s1 d ?t1" using d3 d6 vpeq_TA_def c74 by simp
have d8:"{x. x∈set(tee_memories (TEE_state ?s2))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t2))∧ (ownership x=d)}"
using OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def
using d7 by force
have d12:"s'=?s4"
using TEE_OpenTASession3_def b1 c4
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) c4 b1 fst_conv)
have d17:"t'=?t4"
using TEE_OpenTASession3_def b2 c4 a31 b3
by (smt (verit) False State.fold_congs(6) State.unfold_congs(1) c4 b1 fst_conv)
show ?thesis using d8 d12 d17 by simp
}qed
show ?thesis using c73 c8 by simp
qed
qed
qed
qed
}qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_OpenTASession3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_OPENTASESSION3 sid))"
using TEE_OpenTASession3_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
lemma TEE_OpenTASession4_weak_confidentiality:
assumes p1: "a = hyperc (TEE_OPENTASESSION4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s=get_exec_prime t)∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof -
{
fix s t d s' t'
assume a1:"reachable0 s"
assume a2:"reachable0 t"
assume a3:"s∼d∼t"
assume a31:"exec_prime s=exec_prime t"
assume a4:"(domain_of_event s a) = (domain_of_event t a)"
assume a5:"(the (domain_of_event s a)) ↝ d"
assume a6:"s ∼ (the (domain_of_event s a)) ∼ t"
assume a7:"(s, s') ∈ exec_event a"
assume a8:"(t, t') ∈ exec_event a"
let ?domain = "the (domain_of_event s a)"
let ?exec = "exec_prime s"
let ?exec_t = "exec_prime t"
let ?p = "fst (hd (?exec))"
let ?sesid = "the (param2 ?p)"
let ?tid1 = "the (param1 ?p)"
let ?ctx1 = "the (param5 ?p)"
let ?ctid = "the (param6 ?p)"
let ?res = "the(param13 ?p)"
let ?memt0 = "(the (param10 ?p),the (param11 ?p))"
let ?s0 = "s⦇exec_prime:=tl ?exec⦈"
let ?t0 = "t⦇exec_prime:=tl ?exec_t⦈"
let ?sa= "MgrPostOperation ?s0 ?tid1"
let ?ta= "MgrPostOperation ?t0 ?tid1"
let ?sb ="addSesToInstance ?sa ?ctid ?sesid"
let ?tb ="addSesToInstance ?ta ?ctid ?sesid"
let ?param="⦇param1=Some ?sesid,param2=Some ?tid1,param3=None,param4=Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5=None,param6=None,param7=None,param8=None,param9=None,param10=None,param11=None,param12=None,param13=None⦈"
let ?s1="?sa⦇current:=TEE sysconf,exec_prime:=(?param,TEE_CS2)#(exec_prime ?sa)⦈"
let ?t1="?ta⦇current:=TEE sysconf,exec_prime:=(?param,TEE_CS2)#(exec_prime ?ta)⦈"
have "s'∼d∼t'"
proof -
{
have b1:"s'=fst(TEE_OpenTASession4 sysconf s)"
using exec_event_def p1 a7 by simp
have b2:"t'=fst(TEE_OpenTASession4 sysconf t)"
using exec_event_def p1 a8 by simp
have b3:"current s=current t"
using domain_of_event_def a4 by simp
show ?thesis
proof(cases "current s≠TEE sysconf∨(exec_prime s) =[]∨snd (hd (exec_prime s)) ≠TEE_OP4")
case True
then have z1:"s=fst(TEE_OpenTASession4 sysconf s)"
using TEE_OpenTASession4_def by auto
have z2:"t=fst(TEE_OpenTASession4 sysconf t)"
using TEE_OpenTASession4_def True a31 b3 by auto
show ?thesis
using z1 z2 b1 b2 a3 by argo
next
case False
then have b4:"¬ (current s ≠ TEE sysconf ∨ exec_prime s = [] ∨ snd (hd (exec_prime s)) ≠ TEE_OP4)" by simp
then have b5:"current s=TEE sysconf" by simp
show ?thesis
proof(cases "?res=TEE_SUCCESS")
case True
have b7 :"?res=TEE_SUCCESS" using True by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have c1:"d=TEE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" by simp
have c3:"vpeq_TEE ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TEE ?sa d ?ta" using c3 a3 c1 c31 c32 by auto
have c41:"vpeq_TEE ?sb d ?tb"
using c4 addSesToInstance_not_change_TEE_mem vpeq_TEE_def by fastforce
have c5:"?sb=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?tb=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c41 c5 c6 by blast
next
case False
then have c0:"d≠TEE sysconf" by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then have c1:"d=REE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using c0 by simp
have c3:"vpeq_REE ?s0 d ?t0" using a3 c1 c0 by auto
have c31:"REE_state ?sa = REE_state ?s0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c32:"REE_state ?ta = REE_state ?t0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c4:"vpeq_REE ?sa d ?ta" using c3 a3 c1 c0 c31 c32 by auto
have c41:"vpeq_REE ?sb d ?tb"
using c4 addSesToInstance_not_change_REE vpeq_TEE_def by fastforce
have c5:"?sb=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?tb=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c41 c5 c6 by blast
next
case False
then have c1:"is_TA sysconf d" using is_TA_def c0 by auto
then have c2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" by simp
have c3:"vpeq_TA ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TA ?sa d ?ta" using c3 a3 c1 c31 c32 by auto
have c41:"vpeq_TA ?sb d ?tb"
using c4 addSesToInstance_not_change_TEE_mem vpeq_TEE_def by fastforce
have c5:"?sb=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?tb=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c41 c5 c6 by blast
qed
qed
next
case False
have b7:"?res≠TEE_SUCCESS" using False by simp
show ?thesis
proof(cases "d=TEE sysconf")
case True
then have c1:"d=TEE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_TEE s' d t')" by simp
have c3:"vpeq_TEE ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TEE ?s1 d ?t1" using c3 a3 c1 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c0:"d≠TEE sysconf" by simp
show ?thesis
proof(cases "d=REE sysconf")
case True
then have c1:"d=REE sysconf" by simp
then have c2:"(s'∼ d ∼ t') =(vpeq_REE s' d t')" using c0 by simp
have c3:"vpeq_REE ?s0 d ?t0" using a3 c1 c0 by auto
have c31:"REE_state ?sa = REE_state ?s0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c32:"REE_state ?ta = REE_state ?t0" using MgrPostOperation_def MgrPostOperation_not_change_REE by blast
have c4:"vpeq_REE ?s1 d ?t1" using c3 a3 c1 c0 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
next
case False
then have c1:"is_TA sysconf d" using is_TA_def c0 by auto
then have c2:"(s'∼ d ∼ t') =(vpeq_TA s' d t')" by simp
have c3:"vpeq_TA ?s0 d ?t0" using a3 c1 by auto
have c31:"tee_memories(TEE_state ?sa )=tee_memories( TEE_state ?s0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c32:"tee_memories(TEE_state ?ta )=tee_memories( TEE_state ?t0)"
using MgrPostOperation_def MgrPostOperation_not_change_TEE_mem by blast
have c4:"vpeq_TA ?s1 d ?t1" using c3 a3 c1 c31 c32 by auto
have c5:"?s1=s'" using b1 b4 b7 TEE_OpenTASession4_def
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
have c6:"?t1=t'" using b2 b4 b7 TEE_OpenTASession4_def b3 a31
by (smt (verit) Pair_inject State.fold_congs(1) State.fold_congs(6) prod.exhaust_sel)
show ?thesis using c2 c4 c5 c6 by blast
qed
qed
qed
qed
} qed
}
then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_OpenTASession4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_OPENTASESSION4))"
using TEE_OpenTASession4_weak_confidentiality weak_confidentiality_e_def get_exec_prime_def
by (smt (verit) Pair_inject)
section "TEE_InvokeTACommand proof"
subsection "TEE_InvokeTACommand1"
lemma TEE_InvokeTACommand1_integrity :
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?clientTid = "findSesCliTid s ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef), param12=None, param13=None⦈"
let ?s1 = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_IC2)#(exec_prime ?s_rev_event)⦈"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef)}}"
using p1 exec_event_def
by auto
have a4_1: "s' = fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef)"
using a3 a4 by auto
have a4_2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC1")
case True
then have "s = s'" using TEE_InvokeTACommand1_def a4_1
by (smt (z3) fstI)
then show ?thesis
by auto
next
case False
then have b1: "current s = the(?clientTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_IC1 ∧ ?pre_param_ops = TEE_SUCCESS"
using a4_2 by blast
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "vpeq1 s d s' = vpeq_TEE s d s'"
using p1 vpeq1_def by fastforce
have f2: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s1)"
by simp
have f3: "ta_mgr (TEE_state s) =ta_mgr (TEE_state ?s1)"
by auto
have f4: "fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEE_InvokeTACommand1_def b1 prod.exhaust_sel)
have f5: "s' = ?s1"
using a4_1 f4 by blast
have f6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using f2 f4 f5 by blast
have f7: "ta_mgr (TEE_state s) =ta_mgr (TEE_state s')"
using f3 f4 f5 by blast
have f8: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
using f1 by auto
have f9: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}∧
ta_mgr (TEE_state s) =ta_mgr (TEE_state s')"
using f6 f7 by fastforce
then show ?thesis
using f8 vpeq_TEE_def by blast
}
qed
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "ree_total_size(REE_state s) = ree_total_size (REE_state ?s1)"
by simp
have e3: "driver_mem(REE_state s) = driver_mem(REE_state ?s1)"
by simp
have e4: "fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEE_InvokeTACommand1_def b1 prod.exhaust_sel)
have e5: "s' = ?s1"
by (simp add: a4_1 e4)
have e6: "ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using e2 e4 e5 by blast
have e7: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e3 e4 e5 by blast
have e8: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using e1 by auto
have e9: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e6 e7)
then show ?thesis
by (metis e8 vpeq_REE_def)
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False True p2 by blast
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have d2: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s1)"
by simp
have d3: "fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef) = ?s1"
by (smt (verit, best) Pair_inject State.fold_congs(6) State.unfold_congs(1) TEE_InvokeTACommand1_def b1 prod.exhaust_sel)
have d4: "s' = ?s1"
by (simp add: a4_1 d3)
have d5: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using d2 d4
by blast
have d6: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using d1 by auto
have d7: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using d5 by fastforce
then show ?thesis
using d6 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by blast
}
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEE_InvokeTACommand1_integrity_e:
"integrity_e (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))"
using TEE_InvokeTACommand1_integrity integrity_e_def get_exec_prime_def
proof -
have "∀e. integrity_e e = (∀n s sa. (¬ reachable0 s ∨ ¬ non_interference (the (domain_of_event s e)) n ∨ (s, sa) ∉ exec_event e) ∨ s ∼ n ∼ sa)"
using integrity_e_def by blast
then obtain ss :: "Event ⇒ State" and nn :: "Event ⇒ nat" and ssa :: "Event ⇒ State" where
f1: "∀e. (¬ integrity_e e ∨ (∀n s sa. (¬ reachable0 s ∨ ¬ non_interference (the (domain_of_event s e)) n ∨ (s, sa) ∉ exec_event e) ∨ s ∼ n ∼ sa)) ∧ (integrity_e e ∨ (reachable0 (ss e) ∧ non_interference (the (domain_of_event (ss e) e)) (nn e) ∧ (ss e, ssa e) ∈ exec_event e) ∧ ¬ ss e ∼ nn e ∼ ssa e)"
by metis
have "the (domain_of_event (ss (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))) (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))) ∖↝ nn (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef)) ∨ the (domain_of_event (ss (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))) (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))) ↝ nn (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))"
by (metis non_interference1_def)
then show ?thesis
using f1 by (meson TEE_InvokeTACommand1_integrity non_interference_def)
qed
lemma TEE_InvokeTACommand1_weak_confidentiality:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?clientTid = "findSesCliTid s ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef), param12=None, param13=None⦈"
let ?s1 = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_IC2)#(exec_prime ?s_rev_event)⦈"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?clientTid_t = "findSesCliTid t ?sesID_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?nextFuncStepParam_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = None,
param5 = None, param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10=Some (fst memBlock_memRef), param11=Some (snd memBlock_memRef), param12=None, param13=None⦈"
let ?t1 = "?t_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEE_IC2)#(exec_prime ?t_rev_event)⦈"
have a10: "s' = fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_InvokeTACommand1 sysconf t memBlock_memRef)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?clientTid = ?clientTid_t" using findSesCliTid_def a13
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC1")
case True
have b1: "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC1"
using True by auto
have b2: "s = s'"
using b1 TEE_InvokeTACommand1_def a10 findSesCliTid_def
by (smt (z3) fstI)
have b4: "current t ≠ the(?clientTid_t) ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC1"
using a12 a5 b1 a14 by auto
have b5: "t = t'"
using b4 TEE_InvokeTACommand1_def a11 findSesCliTid_def
by (smt (z3) a5 prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using b2 b5 a3 by blast
then show ?thesis by auto
}
qed
next
case False
have d2: "¬(current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC1)"
using False by auto
have d3: "?s1 = fst (TEE_InvokeTACommand1 sysconf s memBlock_memRef)"
using TEE_InvokeTACommand1_def a10 d2
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d4: "?s1 = s'"
using a10 d3 by blast
have d5: "current t = the(?clientTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_IC1"
using False a12 a14 a5 by auto
have d7: "?t1 = fst (TEE_InvokeTACommand1 sysconf t memBlock_memRef)"
using TEE_InvokeTACommand1_def a11
by (smt (z3) State.unfold_congs(1) State.unfold_congs(6) d5 fst_conv)
have d8: "?t1 = t'"
using a11 d7 by blast
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d9: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d9)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
using d9 by fastforce
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h7: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h8: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}"
by simp
have h9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}"
by simp
have h10: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}"
by auto
have h11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}"
by auto
have h12: "{x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
using d4 by auto
have h13: "{x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d8 by blast
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h10 h11 h12 h13
by presburger
then show ?thesis
using h1 by auto
}
qed
next
case False
then have d10: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d11: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d10 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d10 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d10 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s1)"
by fastforce
have g9: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have g10: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t1)"
by simp
have g11: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s1)"
using g7 g8 by linarith
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t1)"
using g10 g9 by linarith
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
by fastforce
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g16: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t1)"
by fastforce
have g17: "driver_mem(REE_state s) = driver_mem(REE_state ?s1)"
using g13 g14 by presburger
have g18: "driver_mem(REE_state t) = driver_mem(REE_state ?t1)"
by fastforce
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s1)"
using d4 by auto
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t1)"
using d8 by blast
have g21: "driver_mem(REE_state ?s1) = driver_mem(REE_state ?t1)"
using g13 g14 g15 g16 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g21 g19 g20 by presburger
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s1)"
using d4 by fastforce
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t1)"
using d8 by auto
have g25: "ree_total_size(REE_state ?s1) = ree_total_size(REE_state ?t1)"
using g10 g11 g5 g9 by presburger
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g23 g24 g25 by presburger
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis
using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d10)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d10 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d10 vpeq1_def)
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d10 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
using tee_memories_exec_prime_tl by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using tee_memories_exec_prime_tl by auto
have f8: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
by simp
have f9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
by simp
have f10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
by auto
have f11: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
by auto
have f12: "{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
using d4 by auto
have f13: "{x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using d8 by blast
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f5 f10 f11 f12 f13
by presburger
then show ?thesis
using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_InvokeTACommand1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_INVOKETACOMMAND1 memBlock_memRef))"
using TEE_InvokeTACommand1_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def
by (smt (verit))
subsection "TEE_InvokeTACommand2"
lemma TEE_InvokeTACommand2_integrity:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_tee_invokeCmd = "tee_invokeTACommand_TEEDomain sysconf ?s_rev_event ?ses_id ?time_out ?cmd_id ?in_params ?out_params"
let ?s_ret = "fst ?s_tee_invokeCmd"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_InvokeTACommand2 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_InvokeTACommand2 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC2")
case True
then have "s = s'" using TEE_InvokeTACommand2_def a4_1
by (smt (verit, best) prod.collapse prod.inject)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_IC2"
by auto
then have b2: "s' = fst (tee_invokeTACommand_TEEDomain sysconf ?s_rev_event ?ses_id ?time_out ?cmd_id ?in_params ?out_params)"
using a3 a4 a4_1 b1 TEE_InvokeTACommand2_def
proof -
{
have "⋀s sa. (if current s ≠ TEE sa then (s, TEE_ORIGIN_TEE, TEE_ERROR_BAD_PARAMETERS, param8 (fst (hd (exec_prime s)))) else if exec_prime s = [] then (s, TEE_ORIGIN_TEE, TEE_ERROR_BAD_PARAMETERS, param8 (fst (hd (exec_prime s)))) else if snd (hd (exec_prime s)) ≠ TEE_IC2 then (s, TEE_ORIGIN_TEE, TEE_ERROR_BAD_PARAMETERS, param8 (fst (hd (exec_prime s)))) else tee_invokeTACommand_TEEDomain sa (s⦇exec_prime := tl (exec_prime s)⦈) (param1 (fst (hd (exec_prime s)))) (param2 (fst (hd (exec_prime s)))) (param6 (fst (hd (exec_prime s)))) (param7 (fst (hd (exec_prime s)))) (param8 (fst (hd (exec_prime s))))) = TEE_InvokeTACommand2 sa s"
by (smt (z3) TEE_InvokeTACommand2_def prod.collapse)
then show ?thesis
using a4_1 b1 by presburger
}
qed
then have b3: "?s_ret = s'"
by simp
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 b1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_ret)"
using ree_total_size_tee_invokeTACommand_TEEDomain by auto
have e5: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_ret)"
by (metis e3 e4)
have e6: "?s_ret = s'"
by (simp add: b3)
have e7: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e6 by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_ret)"
using driver_mem_tee_invokeTACommand_TEEDomain by auto
have e10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_ret)"
using e9 by auto
have e11: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e6 e10 by simp
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e11 e7)
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have d3: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state s)"
by simp
have d2: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_ret)"
using tee_invokeCmd_teeDomain
by auto
have d4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_ret)"
by (metis d2 d3)
have d5: "?s_ret = s'"
by (simp add: b2)
have d6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using d4 d5
by simp
have d7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using d1 by auto
have d8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
by (simp add: d6)
then show ?thesis using d8
using d7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEE_InvokeTACommand2_integrity_e:
"integrity_e (hyperc (TEE_INVOKETACOMMAND2))"
using TEE_InvokeTACommand2_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_InvokeTACommand2_weak_confidentiality:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_tee_invokeCmd = "tee_invokeTACommand_TEEDomain sysconf ?s_rev_event ?ses_id ?time_out ?cmd_id ?in_params ?out_params"
let ?s_ret = "fst ?s_tee_invokeCmd"
let ?s_ret_origin = "fst(snd ?s_tee_invokeCmd)"
let ?s_ret_code = "fst(snd (snd ?s_tee_invokeCmd))"
let ?s_params = "snd(snd(snd ?s_tee_invokeCmd))"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?t_tee_invokeCmd = "tee_invokeTACommand_TEEDomain sysconf ?t_rev_event ?ses_id_t ?time_out_t ?cmd_id_t ?in_params_t ?out_params_t"
let ?t_ret = "fst ?t_tee_invokeCmd"
let ?t_ret_origin = "fst(snd ?t_tee_invokeCmd)"
let ?t_ret_code = "fst(snd (snd ?t_tee_invokeCmd))"
let ?t_params = "snd(snd(snd ?t_tee_invokeCmd))"
have a10: "s' = fst (TEE_InvokeTACommand2 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_InvokeTACommand2 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC2")
case True
have b1: "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_IC2"
using True by blast
have b2: "current t ≠ TEE sysconf ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEE_IC2"
by (metis a12 a5 b1)
have b3: "s = s'"
using b1 TEE_InvokeTACommand2_def a10 findSesCliTid_def
by (smt (z3) fstI)
have b4: "t = t'"
using b2 TEE_InvokeTACommand2_def a11 findSesCliTid_def
by (smt (z3) fstI)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis
by auto
}
qed
next
case False
have d1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_IC2"
using False by blast
have d2: "?s_ret = fst (TEE_InvokeTACommand2 sysconf s)"
using TEE_InvokeTACommand2_def a10 d1
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d3: "?s_ret = s'"
by (simp add: a10 d2)
have d4: "current t = TEE sysconf ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_IC2"
using False a12 a5 by force
have d5: "?t_ret = fst (TEE_InvokeTACommand2 sysconf t)"
using TEE_InvokeTACommand2_def a11 d4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d6: "?t_ret = t'"
by (simp add: a11 d5)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_ret))∧ (block_id x=0)}"
using tee_invokeCmd_teeDomain by force
have h8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_ret))∧ (block_id x=0)}"
using h6 h7 by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_ret))∧ (block_id x=0)}"
using tee_invokeCmd_teeDomain by force
have h11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_ret))∧ (block_id x=0)}"
using h10 h9 by blast
have h12: "{x. x∈set(tee_memories (TEE_state ?s_ret))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: d3)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_ret))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d6 by blast
have h13: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h8 h11 h12 h13 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_ret)"
using ree_total_size_tee_invokeTACommand_TEEDomain by auto
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_ret)"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_ret)"
using ree_total_size_tee_invokeTACommand_TEEDomain by auto
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_ret)"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_ret)"
using driver_mem_tee_invokeTACommand_TEEDomain by auto
have g15: "driver_mem(REE_state s) = driver_mem(REE_state ?s_ret)"
using g14 by auto
have g16: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have g17: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_ret)"
using driver_mem_tee_invokeTACommand_TEEDomain by auto
have g18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_ret)"
using g17 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_ret)"
by (simp add: d3)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_ret)"
by (simp add: d6)
have g21: "driver_mem(REE_state ?s_ret) = driver_mem(REE_state ?t_ret)"
using g15 g18 g6 by auto
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g19 g20 g21 by simp
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_ret)"
by (simp add: d3)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_ret)"
by (simp add: d6)
have g25: "ree_total_size(REE_state ?s_ret) = ree_total_size(REE_state ?t_ret)"
using g10 g11 g5 g7 g8 by presburger
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g23 g24 g25 by presburger
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis
using g1 by auto
}
qed
next
case False
then have d10: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d10 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d8 vpeq1_def)
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d8 is_TA_def vpeq1_def by presburger
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 by auto
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_ret))∧ (ownership x=d)}"
using tee_invokeCmd_teeDomain by force
have f8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_ret))∧ (ownership x=d)}"
using f7 by auto
have f9: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_ret))∧ (ownership x=d)}"
using tee_invokeCmd_teeDomain by auto
have f11: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_ret))∧ (ownership x=d)}"
using f10 f9 by blast
have f12: "{x. x∈set(tee_memories (TEE_state ?s_ret))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_ret))∧ (ownership x=d)}"
using f11 f5 f8 by blast
then show ?thesis
using d3 d6 f1 f2 by blast
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d10 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have e2: "vpeq1 s' d t' = True"
using False d10 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_InvokeTACommand2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_INVOKETACOMMAND2))"
using TEE_InvokeTACommand2_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEE_InvokeTACommand3"
lemma TEE_InvokeTACommand3_integrity:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND3)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?serverID = "findSesServTid s ?sesID"
let ?server_tid = "the(findSesServTid s ?sesID)"
let ?curServTaState = "(TAs_state s) (the ?serverID)"
let ?curServSessList = "TA_sessions (the ?curServTaState)"
let ?isSessIdInSessList = "isSessIdInTaInsSessList ?curServSessList ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "TA_InvokeCommandEntryPoint sysconf ?s_rev_event ?cmd_id ?server_tid"
let ?s_postOps = "TEE_MgrPostOps ?s_invoke ?server_tid"
let ?post_param_ops = "TEE_post_param_operation ?in_params"
let ?param_error = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_ERROR_BAD_PARAMETERS⦈"
let ?s_error_ret = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_error, TEE_IC4)"
let ?param_success = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_SUCCESS⦈"
let ?s_success_ret = "setCurDomainAndEvent ?s_postOps (TEE sysconf) (?param_success, TEE_IC4)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_InvokeTACommand3 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_InvokeTACommand3 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3")
case True
have m1: "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3"
using True by blast
have k1: "s' = s"
using TEE_InvokeTACommand3_def a4_1 m1
by (smt (verit, best) prod.collapse prod.inject)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
have m2: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3)"
using False by blast
then show ?thesis
proof(cases "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None")
case True
have m3: "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None"
using True by auto
then have b1: "s' = ?s_error_ret" using TEE_InvokeTACommand3_def a4_1 m2 m3
by (smt (z3) State.fold_congs(6) a4_1 old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: p5)
have e2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have e3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have e4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_error_ret)"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using b1 e1 by auto
}
qed
next
case False
have p6: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p7: "d = REE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using p6 p7 by auto
have f2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have f3: "ree_total_size(REE_state s) = ree_total_size (REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by auto
have f4: "ree_total_size(REE_state ?s_rev_event) = ree_total_size (REE_state ?s_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have f5: "driver_mem (REE_state s) = driver_mem (REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have f6: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by blast
then show ?thesis
using b1 f1 f2 f3 f4 f5 by presburger
}
qed
next
case False
have p8: "d ≠ REE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p9: "is_TA sysconf d"
using True by auto
then show ?thesis
proof-
{
have g1: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
by (meson p6 p8 p9 vpeq1_def)
have g2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have g3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have g4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_error_ret)"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using b1 g1 by force
}
qed
next
case False
have p10: "¬(is_TA sysconf d)"
using False by auto
have p11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using p10 p6 p8 by auto
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = True"
using is_TA_def p10 p6 p8 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have m4: "¬(?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using False by auto
then have b2: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3 ∨ ?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using m2 by blast
have b3: "s' = ?s_success_ret"
by (smt (z3) State.unfold_congs(6) TEE_InvokeTACommand3_def a4_1 b2 fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have p0: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have h1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: p0)
have h2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have h3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
using tee_memories_exec_prime_tl
by auto
have h4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE
by presburger
have h5: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
proof-
{
have h5_0: "?s_postOps = TEE_MgrPostOps ?s_invoke ?server_tid"
by simp
have h5_1: "TEE_MgrPostOps ?s_invoke ?server_tid = setTaInsBusyByThreadId ?s_invoke ?server_tid False"
by (simp add: TEE_MgrPostOps_def)
have h5_2: "tee_memories (TEE_state ?s_invoke) = tee_memories (TEE_state (setTaInsBusyByThreadId ?s_invoke ?server_tid False))"
using tee_memories_setTaInsBusy
by simp
then show ?thesis
by (simp add: TEE_MgrPostOps_def)
}
qed
have h6: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
then show ?thesis
using TA_InvokeCommandEntryPoint_not_change_TEE b3 h1 h5 by force
}
qed
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have i1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True p2 by auto
have i2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have i3: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have i4: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint
by auto
have i5: "ree_total_size(REE_state ?s_invoke) = ree_total_size(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have i5_1: "ree_total_size(REE_state ?s_postOps) = ree_total_size(REE_state ?s_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have i6: "ree_total_size(REE_state s) = ree_total_size (REE_state s')"
using b3 i3 i4 i5 i5_1
by auto
have i7: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have i8: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have i9: "driver_mem(REE_state ?s_invoke) = driver_mem(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have i9_1: "driver_mem(REE_state ?s_postOps) = driver_mem(REE_state ?s_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have i10: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using b3 i7 i8 i9 i9_1
by auto
then show ?thesis
using i1 i6 i10
by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof(cases "d = current s")
case True
have tmp1: "d = current s"
by (simp add: True)
then show ?thesis
using a2 p5 tmp1 by auto
next
case False
have tmp2: "d ≠ current s"
by (simp add: False)
then show ?thesis
proof-
{
have d0: "current s = ?server_tid"
using b2 by auto
have d1: "?server_tid ≠ d"
using d0 tmp2 by auto
have d2: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
by (meson p5 vpeq1_def)
have d3: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have d4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by simp
have d5: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_not_change_other_TA
using d0 tee_memories_TA_InvokeCommandEntryPoint tmp2 by presburger
have d6: "tee_memories (TEE_state ?s_invoke) = tee_memories (TEE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def tee_memories_setTaInsBusy)
have d7: "tee_memories (TEE_state ?s_postOps) = tee_memories (TEE_state ?s_success_ret)"
by (simp add: tee_memories_setCurDomainAndEvent)
then show ?thesis
using b3 d2 d5 d6 d7 by auto
}
qed
qed
next
case False
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by blast
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEE_InvokeTACommand3_integrity_e:
"integrity_e (hyperc (TEE_INVOKETACOMMAND3))"
using TEE_InvokeTACommand3_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_InvokeTACommand3_weak_confidentiality:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND3)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a52: "TAs_state s =TAs_state t"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?serverID = "findSesServTid s ?sesID"
let ?server_tid = "the(findSesServTid s ?sesID)"
let ?curServTaState = "(TAs_state s) (the ?serverID)"
let ?curServSessList = "TA_sessions (the ?curServTaState)"
let ?isSessIdInSessList = "isSessIdInTaInsSessList ?curServSessList ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?s_invoke = "TA_InvokeCommandEntryPoint sysconf ?s_rev_event ?cmd_id ?server_tid"
let ?s_postOps = "TEE_MgrPostOps ?s_invoke ?server_tid"
let ?post_param_ops = "TEE_post_param_operation ?in_params"
let ?param_error = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_ERROR_BAD_PARAMETERS⦈"
let ?s_error_ret = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_error, TEE_IC4)"
let ?param_success = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_SUCCESS⦈"
let ?s_success_ret = "setCurDomainAndEvent ?s_postOps (TEE sysconf) (?param_success, TEE_IC4)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?serverID_t = "findSesServTid t ?sesID_t"
let ?server_tid_t = "the(findSesServTid t ?sesID_t)"
let ?curServTaState_t = "(TAs_state t) (the ?serverID_t)"
let ?curServSessList_t = "TA_sessions (the ?curServTaState_t)"
let ?isSessIdInSessList_t = "isSessIdInTaInsSessList ?curServSessList_t ?sesID_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?t_invoke = "TA_InvokeCommandEntryPoint sysconf ?t_rev_event ?cmd_id_t ?server_tid_t"
let ?t_postOps = "TEE_MgrPostOps ?t_invoke ?server_tid_t"
let ?post_param_ops_t = "TEE_post_param_operation ?in_params_t"
let ?param_error_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_ERROR_BAD_PARAMETERS⦈"
let ?t_error_ret = "setCurDomainAndEvent ?t_rev_event (TEE sysconf) (?param_error_t, TEE_IC4)"
let ?param_success_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = None, param5 = None,
param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=None, param13=Some TEE_SUCCESS⦈"
let ?t_success_ret = "setCurDomainAndEvent ?t_postOps (TEE sysconf) (?param_success_t, TEE_IC4)"
have a10: "s' = fst (TEE_InvokeTACommand3 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_InvokeTACommand3 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?sesID = ?sesID_t"
by (simp add: a5)
have a15: "?serverID = ?serverID_t"
using mgr_ta_sessions_findSesServTid
by (metis a13 a5)
have a16: "?ses_id = ?ses_id_t"
by (simp add: a5)
have a17: "?cmd_id = ?cmd_id_t"
by (simp add: a5)
have a18: "?isSessIdInSessList = ?isSessIdInSessList_t" using a52 isSessIdInTaInsSessList_def
using a15 a5 by auto
have "(s' ∼ d ∼ t')"
proof(cases "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3")
case True
have m1: "?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3"
using True by auto
have m2: "?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEE_IC3"
using a12 a5 m1 a15 a18 by auto
have k1: "s' = s"
using TEE_InvokeTACommand3_def a10 m1
by (smt (verit, best) prod.collapse prod.inject)
have k2: "t' = t"
using TEE_InvokeTACommand3_def a11 m2
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
using a3 k1 by blast
next
case False
have m3: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3)"
using False by auto
have m4: "¬(?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEE_IC3)"
by (metis a12 a15 a5 m3)
then show ?thesis
proof(cases "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None")
case True
have m5: "?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None"
using True by auto
have m6: "?ses_id_t = None ∨ ?cmd_id_t = None ∨ ?isSessIdInSessList_t ≠ True ∨ ?serverID_t = None"
using a15 a18 a5 m5 by auto
have b3: "s' = ?s_error_ret"
using TEE_InvokeTACommand3_def m3 m5 a10
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
have b4: "t' = ?t_error_ret"
using TEE_InvokeTACommand3_def m4 m6 a11
by (smt (z3) State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d6: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have i1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d6)
have i2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have i3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d6)
have i4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have i5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 i3 i4 by blast
have i6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have i7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_error_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have i8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have i9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_error_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have i10: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using i6 i7 i8 i9 b3 b4 i5 by blast
then show ?thesis
using i1 i2 by blast
}
qed
next
case False
have d8: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j6: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j6_1: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have j7: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j7_1: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_error_ret)"
using ree_total_size_setCurDomainAndEvent by auto
have j8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j8_1: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by auto
have j9: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j9_1: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_error_ret)"
using driver_mem_tee_setCurDomainAndEvent by blast
have j10: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?t_rev_event)"
by (metis a3 j3 j4 j8 j9)
have j11: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
by (metis j5 j6 j7)
have j12: "ree_total_size(REE_state ?s_error_ret) = ree_total_size(REE_state s')"
by (simp add: b3)
have j13: "ree_total_size(REE_state ?t_error_ret) = ree_total_size(REE_state t')"
by (simp add: b4)
have j14: "driver_mem(REE_state ?s_error_ret) = driver_mem(REE_state s')"
by (simp add: b3)
have j15: "driver_mem(REE_state ?t_error_ret) = driver_mem(REE_state t')"
by (simp add: b4)
have j16: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j10 j11 j12 j13 j14 j15
using j6_1 j7_1 j8_1 j9_1 by presburger
then show ?thesis
using j1 by auto
}
qed
next
case False
then have d10: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d8 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False True d8 vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 by auto
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_error_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have k8: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_error_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 k8 k9 by blast
then show ?thesis
using b4 b3 d11 k1 k2 k7 k9 by presburger
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d10 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have e2: "vpeq1 s' d t' = True"
using False d10 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have m7: "¬(?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using False by blast
have m8: "¬(?ses_id_t = None ∨ ?cmd_id_t = None ∨ ?isSessIdInSessList_t ≠ True ∨ ?serverID_t = None)"
using a15 a5 a52 m7 by auto
have p1: "¬(?exec = [] ∨ ?ses_id = None ∨ ?serverID = None ∨ current s = TEE sysconf ∨ current s = REE sysconf ∨ current s ≠ ?server_tid ∨ snd (hd (exec_prime s)) ≠ TEE_IC3 ∨ ?ses_id = None ∨ ?cmd_id = None ∨ ?isSessIdInSessList ≠ True ∨ ?serverID = None)"
using m3 m7 by auto
have p2: "s' = ?s_success_ret"
by (smt (verit, best) False Pair_inject State.surjective State.update_convs(6) TEE_InvokeTACommand3_def a10 p1 surjective_pairing)
have p3: "¬(?exec_t = [] ∨ ?ses_id_t = None ∨ ?serverID_t = None ∨ current t = TEE sysconf ∨ current t = REE sysconf ∨ current t ≠ ?server_tid_t ∨ snd (hd (exec_prime t)) ≠ TEE_IC3 ∨ ?ses_id_t = None ∨ ?cmd_id_t = None ∨ ?isSessIdInSessList_t ≠ True ∨ ?serverID_t = None)"
using a12 a15 a18 a5 p1 by auto
have p4: "t' = ?t_success_ret"
using a11 TEE_InvokeTACommand3_def a12 a15 a5 p3
by (smt (verit, best) False Pair_inject State.surjective State.update_convs(6) TEEC_InvokeCommand3_def a10 p1 surjective_pairing)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have g1: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
using g1 by fastforce
have l2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have l3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: g1)
have l4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have l5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 l3 l4 by blast
have l6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by force
have l7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE by auto
have l8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by fastforce
have l8_1: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have l9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by force
have l10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (block_id x=0)}"
using TA_InvokeCommandEntryPoint_not_change_TEE by auto
have l11: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by fastforce
have l11_1: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have l12: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (block_id x=0)}"
using l6 l7 l8 by blast
have l13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (block_id x=0)}"
using l10 l11 l9 by presburger
have l14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using l12 l13 l2 l5 p2 p4 l11_1 l8_1 by presburger
then show ?thesis
using l1 l2 by blast
}
qed
next
case False
then have g2: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have g3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using g2 by auto
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True g2 by auto
have m2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True g2 by auto
have m4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by (meson vpeq_REE_def)
have m5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 m3 by auto
have m6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 m3 by auto
have m7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have m8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint by auto
have m9: "ree_total_size(REE_state ?s_invoke) = ree_total_size(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have m10: "ree_total_size(REE_state ?s_postOps) = ree_total_size(REE_state ?s_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have m10_sree: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_success_ret)"
using m8 m9 m10 by auto
have m7_t: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have m8_t: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_invoke)"
using ree_total_size_TA_InvokeCommandEntryPoint by auto
have m9_t: "ree_total_size(REE_state ?t_invoke) = ree_total_size(REE_state ?t_postOps)"
by (simp add: TEE_MgrPostOps_def ree_total_size_setTaInsBusy)
have m10_t: "ree_total_size(REE_state ?t_postOps) = ree_total_size(REE_state ?t_success_ret)"
by (simp add: ree_total_size_setCurDomainAndEvent)
have m10_sree: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_success_ret)"
using m8_t m9_t m10_t by auto
have m11: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by blast
have m12: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have m13: "driver_mem(REE_state ?s_invoke) = driver_mem(REE_state ?s_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have m13_1: "driver_mem(REE_state ?s_postOps) = driver_mem(REE_state ?s_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have m14: "driver_mem(REE_state s) = driver_mem(REE_state ?s_success_ret)"
using m12 m13 m13_1 by auto
have m11_t: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by blast
have m12_t: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_invoke)"
using driver_mem_TA_InvokeCommandEntryPoint by auto
have m13_t: "driver_mem(REE_state ?t_invoke) = driver_mem(REE_state ?t_postOps)"
by (simp add: TEE_MgrPostOps_def driver_mem_tee_setTaInsBusy)
have m13_t_1: "driver_mem(REE_state ?t_postOps) = driver_mem(REE_state ?t_success_ret)"
by (simp add: driver_mem_tee_setCurDomainAndEvent)
have m14_t: "driver_mem(REE_state t) = driver_mem(REE_state ?t_postOps)"
using m12_t m13_t by auto
have m15: "driver_mem(REE_state s') = driver_mem(REE_state ?s_success_ret)"
by (simp add: p2)
have m16: "driver_mem(REE_state t') = driver_mem(REE_state ?t_success_ret)"
by (simp add: p4)
have m17: "driver_mem(REE_state ?s_success_ret) = driver_mem(REE_state ?t_success_ret)"
using m11_t m12_t m13_t m13_t_1 m14 m6 by presburger
have m18: "driver_mem(REE_state s') = driver_mem(REE_state t')"
by (simp add: m15 m16 m17)
have m19: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_success_ret)"
by (simp add: p2)
have m20: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_success_ret)"
by (simp add: p4)
have m21: "ree_total_size(REE_state ?s_success_ret) = ree_total_size(REE_state ?t_success_ret)"
using m10 m10_t m5 m7 m7_t m8 m8_t m9 m9_t by presburger
have m22: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: m18 m19 m20 m21)
then show ?thesis
using m1 by auto
}
qed
next
case False
then have g4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: g2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have g5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)" by simp
then show ?thesis
proof(cases "d ≠ ?server_tid")
case True
have f9_1: "d ≠ ?server_tid" using True by simp
have f9_2: "d ≠ ?server_tid_t" using True
using a15 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson g5 vpeq1_def)
have n2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using g5 by auto
have n4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have n5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 n3 n4 by blast
have n6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have n7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using f9_1 tee_memories_TA_InvokeCommandEntryPoint by auto
then show ?thesis
by auto
}
qed
have n8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by auto
have n8_1: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have n9: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have n10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}"
using f9_2 tee_memories_TA_InvokeCommandEntryPoint by auto
have n11: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by auto
have n11_1: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have n12: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using n10 n11 n9 n11_1 by presburger
then show ?thesis
using n1 n2 n5 n6 n7 n8 n8_1 p2 p4 by blast
}
qed
next
case False
have f10_1: "d = ?server_tid" using False by simp
have f10_2: "d = ?server_tid_t" using False
using a15 by auto
have f11_1: "d = current s"
by (metis False p1)
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 g5 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
by (meson g5 vpeq1_def)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using a3 f12 by blast
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by force
have m9: "{x. x∈set(tee_memories (TEE_state ?s_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have m11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
using m7 m8 tee_memories_setCurDomainAndEvent by force
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}"
using TA_InvokeCommandEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_invoke))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}"
using TEE_MgrPostOps_def tee_memories_setTaInsBusy by force
have m15: "{x. x∈set(tee_memories (TEE_state ?t_postOps))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
using m13 m14 tee_memories_setCurDomainAndEvent by force
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_success_ret))∧ (ownership x=d)}"
by (simp add: p2)
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_success_ret))∧ (ownership x=d)}"
by (simp add: p4)
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19
using m11 m17 m5 by presburger
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using g4 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False g4 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_InvokeTACommand3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_INVOKETACOMMAND3))"
using TEE_InvokeTACommand3_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEE_InvokeTACommand4"
lemma TEE_InvokeTACommand4_integrity:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?teec_ret_code = "param12 ?p"
let ?tee_ret_code = "param13 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?param_call_closeSession = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code, param13=?tee_ret_code⦈"
let ?s_call_closeSession = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_call_closeSession, TEE_CS2)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_InvokeTACommand4 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_InvokeTACommand4 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf")
case True
then have "s' = s" using TEE_InvokeTACommand4_def a4_1
by (smt (verit, best) prod.collapse prod.inject)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
have d1: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf)"
using False by auto
then show ?thesis
proof(cases "?tee_ret_code ≠ (Some TEE_SUCCESS)")
case True
have d1_1: "?tee_ret_code ≠ (Some TEE_SUCCESS)"
by (simp add: True)
have d2: "?s_call_closeSession = fst (TEE_InvokeTACommand4 sysconf s)"
using TEE_InvokeTACommand4_def a4_1 d1 d1_1
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have d4: "s' = ?s_call_closeSession"
by (simp add: a4_1 d2)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 d1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have e5: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_call_closeSession)"
by (metis e3 e4)
have e6: "?s_call_closeSession = s'"
by (simp add: d4)
have e7: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e6 by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by auto
have e10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_call_closeSession)"
using e9 by auto
have e11: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e6 e10 by simp
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e11 e7)
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have e3: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state s)"
by simp
have e2: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_call_closeSession)"
using tee_memories_setCurDomainAndEvent by auto
have e4: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_call_closeSession)"
by (metis e2 e3)
have e5: "?s_call_closeSession = s'"
by (simp add: d4)
have e6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using e4 e5 by simp
have e7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using e1 by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
by (simp add: e6)
then show ?thesis using e8
using e7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have p7_1: "?tee_ret_code = (Some TEE_SUCCESS)"
using False by auto
have p7: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf ∨ (?tee_ret_code ≠ (Some TEE_SUCCESS)))"
using False d1 by auto
have p8: "s' = ?s_rev_event"
using p7 a4_1 TEE_InvokeTACommand4_def
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have tmp1: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
using a2 tmp1 d1 by auto
next
case False
have p2: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p3: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p2 by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True p2 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e6: "?s_rev_event = s'"
by (simp add: p8)
have e7: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e3 e6
by auto
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e11: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e6 e8 by auto
have e12: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e13: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
by (simp add: e11 e7)
then show ?thesis
using e12 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p2)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have p5: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True p2 by blast
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_TA s d s'"
using False True p2 vpeq1_def by presburger
have e3: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state s)"
by simp
have e5: "?s_rev_event = s'"
by (simp add: p8)
have e6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using e3 e5 by (simp add: e3)
have e7: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using e1 by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
by (simp add: e6)
then show ?thesis using e8
using e7 vpeq_TA_def by blast
}
qed
next
case False
have p6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False p4 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False is_TA_def p4 by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEE_InvokeTACommand4_integrity_e:
"integrity_e (hyperc (TEE_INVOKETACOMMAND4))"
using TEE_InvokeTACommand4_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_InvokeTACommand4_weak_confidentiality:
assumes p1: "a = hyperc (TEE_INVOKETACOMMAND4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?time_out = "param2 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?teec_ret_code = "param12 ?p"
let ?tee_ret_code = "param13 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?param_call_closeSession = "⦇param1 = ?ses_id, param2 = ?time_out, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code, param13=?tee_ret_code⦈"
let ?s_call_closeSession = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?param_call_closeSession, TEE_CS2)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?time_out_t = "param2 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?teec_ret_code_t = "param12 ?p_t"
let ?tee_ret_code_t = "param13 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?param_call_closeSession_t = "⦇param1 = ?ses_id_t, param2 = ?time_out_t, param3 = None, param4 = Some ⦇login=DTC_IDENTITY,id=Some 0⦈,
param5 = None, param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=?teec_ret_code_t, param13=?tee_ret_code_t⦈"
let ?t_call_closeSession = "setCurDomainAndEvent ?t_rev_event (TEE sysconf) (?param_call_closeSession_t, TEE_CS2)"
have a10: "s' = fst (TEE_InvokeTACommand4 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_InvokeTACommand4 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t" using domain_of_event_def a4
by (metis option.sel)
have "(s' ∼ d ∼ t')"
proof(cases "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf")
case True
have b1: "(exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf"
using True by auto
have b2: "(exec_prime t) =[] ∨ snd (hd (exec_prime t)) ≠ TEE_IC4 ∨ current t ≠ TEE sysconf"
by (metis a12 a5 b1)
have b3: "s = s'"
using b1 TEE_InvokeTACommand4_def a10
by (smt (z3) fstI)
have b4: "t = t'"
using b2 TEE_InvokeTACommand4_def a11
by (smt (z3) fstI)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "¬((exec_prime s) =[] ∨ snd (hd (exec_prime s)) ≠ TEE_IC4 ∨ current s ≠ TEE sysconf)"
using False by auto
have d2: "¬((exec_prime t) =[] ∨ snd (hd (exec_prime t)) ≠ TEE_IC4 ∨ current t ≠ TEE sysconf)"
using a12 a5 d1 by auto
then show ?thesis
proof(cases "?tee_ret_code ≠ (Some TEE_SUCCESS)")
case True
have p3: "?tee_ret_code ≠ (Some TEE_SUCCESS)"
by (simp add: True)
have p4: "?tee_ret_code_t ≠ (Some TEE_SUCCESS)"
using a5 p3 by auto
have p5: "?s_call_closeSession = fst (TEE_InvokeTACommand4 sysconf s)"
using TEE_InvokeTACommand4_def a10 d1 p3
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p6: "?s_call_closeSession = s'"
by (simp add: a10 p5)
have p7: "?t_call_closeSession = fst (TEE_InvokeTACommand4 sysconf t)"
using TEE_InvokeTACommand4_def a10 d2 p4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p8: "?t_call_closeSession = t'"
by (simp add: a11 p7)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have h8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}"
using h6 h7 by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have h11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}"
using h10 h9 by blast
have h12: "{x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: p6)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: p8)
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h8 h11 h12 h13 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_call_closeSession)"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_call_closeSession)"
using ree_total_size_setCurDomainAndEvent by auto
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_call_closeSession)"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by blast
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g16: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_call_closeSession)"
using driver_mem_tee_setCurDomainAndEvent by auto
have g17: "driver_mem(REE_state s) = driver_mem(REE_state ?s_call_closeSession)"
using g14 by auto
have g18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_call_closeSession)"
using g16 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_call_closeSession)"
by (simp add: p6)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_call_closeSession)"
by (simp add: p8)
have g21: "driver_mem(REE_state ?s_call_closeSession) = driver_mem(REE_state ?t_call_closeSession)"
using g13 g14 g15 g16 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using g21 g19 g20 by presburger
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_call_closeSession)"
by (simp add: p6)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_call_closeSession)"
by (simp add: p8)
have g25: "ree_total_size(REE_state ?s_call_closeSession) = ree_total_size(REE_state ?t_call_closeSession)"
using g10 g11 g5 g9 by presburger
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using g23 g24 g25 by presburger
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: g22 g26)
then show ?thesis using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False True d8 vpeq1_def by presburger
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d8 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f8: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have f9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by auto
have f10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
using f6 f8 by presburger
have f11: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
using f7 f9 by blast
have f12: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_call_closeSession))∧ (ownership x=d)}"
by (simp add: p6)
have f13: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_call_closeSession))∧ (ownership x=d)}"
by (simp add: p8)
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f10 f12 f13 f5 f7 f9 by presburger
then show ?thesis using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have p3: "?tee_ret_code = (Some TEE_SUCCESS)"
by (meson False)
have p4: "?tee_ret_code_t = (Some TEE_SUCCESS)"
using a5 p3 by auto
have p5: "?s_rev_event = fst (TEE_InvokeTACommand4 sysconf s)"
using TEE_InvokeTACommand4_def a10 d1 p3
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p6: "?s_rev_event = s'"
by (simp add: a10 p5)
have p7: "?t_rev_event = fst (TEE_InvokeTACommand4 sysconf t)"
using TEE_InvokeTACommand4_def a10 d2 p4
by (smt (z3) False State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have p8: "?t_rev_event = t'"
by (simp add: a11 p7)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have d7: "d = TEE sysconf" by simp
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d7)
have h2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d7)
have h4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 h3 by auto
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
using tee_memories_exec_prime_tl by auto
have h12: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: p6)
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: p8)
have h14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using h5 h6 h9 p6 p8 by blast
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d8: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have d9: "d ≠ TEE sysconf ∧ d = REE sysconf"
using d8 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d8 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by fastforce
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d8 by auto
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g15: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state ?s_rev_event)"
by (simp add: p6)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state ?t_rev_event)"
by (simp add: p8)
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_rev_event)"
by (simp add: p6)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_rev_event)"
by (simp add: p8)
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
using g19 g20 g23 g24 g7 g10 g13 g15
using g5 g6 by presburger
then show ?thesis using g1 by auto
}
qed
next
case False
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d8)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False d8 by blast
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False True d8 vpeq1_def by presburger
have f2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True d8 vpeq1_def)
have f4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have f12: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by (simp add: p6)
have f13: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by (simp add: p8)
have f14: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using f12 f13 f5 f7 f6 by blast
then show ?thesis using f1 by auto
}
qed
next
case False
then have d14: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d12 by auto
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
using vpeq1_def by simp
have e2: "vpeq1 s' d t' = True"
using d14 by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_InvokeTACommand4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_INVOKETACOMMAND4))"
using TEE_InvokeTACommand4_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
section "TEE_CloseTASession proof"
subsection "TEE_CloseTASession1"
lemma TEE_CloseTASession1_integrity:
assumes p1: "a = hyperc (TEE_CLOSETASESSION1)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?clientTid = "findSesCliTid s ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?taIns = "getTAInsCtx s (the ?clientTid)"
let ?taId_cli = "ta_id ?taIns"
let ?clientTa = "⦇login = TRUSTED_APP, id = Some ?taId_cli⦈"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = None, param3 = None, param4 = Some ?clientTa,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=None⦈"
let ?s1 = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?nextFuncStepParam, TEE_CS2)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_CloseTASession1 sysconf s)}}"
using p1 exec_event_def
by auto
have a4_1: "s' = fst (TEE_CloseTASession1 sysconf s)"
using a3 a4 by auto
have a4_2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS1")
case True
then have "s = s'" using TEE_CloseTASession1_def a4_1
by (smt (z3) fstI)
then show ?thesis
by auto
next
case False
then have b1: "current s = the(?clientTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS1 ∧ ?pre_param_ops = TEE_SUCCESS"
using a4_2 by blast
then have pre1: "s' = ?s1"
by (smt (verit, ccfv_SIG) State.unfold_congs(6) TEE_CloseTASession1_def a4_1 fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
then have b2: "d = TEE sysconf"
by simp
then show ?thesis
proof-
{
have f1: "vpeq1 s d s' = (vpeq_TEE s d s')"
by (simp add: b2)
have f2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)})"
by simp
have f3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have f4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s1)"
using tee_memories_setCurDomainAndEvent by auto
have f5: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using pre1 f4 by auto
then show ?thesis
using f1 by force
}
qed
next
case False
then have b3: "d ≠ TEE sysconf"
by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have b4: "d = REE sysconf"
by simp
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
by (metis b3 b4 vpeq1_def)
have e2: "vpeq_REE s d s' = (ree_total_size (REE_state s) = ree_total_size (REE_state s')
∧ driver_mem (REE_state s) = driver_mem (REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by auto
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s1)"
using ree_total_size_setCurDomainAndEvent by auto
have e5: "s' = ?s1"
by (simp add: pre1)
have e5: "ree_total_size (REE_state s) = ree_total_size (REE_state s')"
using e5 e4 by auto
have e6: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have e7: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using driver_mem_tee_setCurDomainAndEvent by auto
have e8: "driver_mem(REE_state s) = driver_mem(REE_state s')"
using e5 e6 e7 pre1 by auto
then show ?thesis
using e5 e8 e1 e2 by blast
}
qed
next
case False
then have b5: "d ≠ REE sysconf ∧ d ≠ TEE sysconf"
by (simp add: b3)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have b6: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ (is_TA sysconf d)"
by auto
then show ?thesis
proof-
{
have d1: "vpeq1 s d s' = (vpeq_TA s d s')"
using False True b3 vpeq1_def by presburger
have d2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s1)"
using tee_memories_setCurDomainAndEvent by blast
have d5: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using d1 by auto
have d6: "tee_memories (TEE_state s) = tee_memories (TEE_state s')"
using d3 d4 pre1 by fastforce
then show ?thesis
using d2 d5 by presburger
}
qed
next
case False
then have b7: "d ≠ REE sysconf ∧ d ≠ TEE sysconf ∧ ¬(is_TA sysconf d)"
using b5 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False b5 is_TA_def by blast
then show ?thesis
by blast
}
qed
qed
qed
qed
qed
} then show ?thesis by blast
qed
lemma TEE_CloseTASession1_integrity_e:
"integrity_e (hyperc (TEE_CLOSETASESSION1))"
using TEE_CloseTASession1_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_CloseTASession1_weak_confidentiality:
assumes p1: "a = hyperc (TEE_CLOSETASESSION1)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?clientTid = "findSesCliTid s ?sesID"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?taIns = "getTAInsCtx s (the ?clientTid)"
let ?taId_cli = "ta_id ?taIns"
let ?clientTa = "⦇login = TRUSTED_APP, id = Some ?taId_cli⦈"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = None, param3 = None, param4 = Some ?clientTa,
param5 = None, param6 = ?cmd_id, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10 = None, param11 = None, param12=None, param13=None⦈"
let ?s1 = "setCurDomainAndEvent ?s_rev_event (TEE sysconf) (?nextFuncStepParam, TEE_CS2)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?clientTid_t = "findSesCliTid t ?sesID_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?pre_param_ops_t = "TEE_pre_param_operation ?in_params_t"
let ?taIns_t = "getTAInsCtx t (the ?clientTid_t)"
let ?taId_cli_t = "ta_id ?taIns_t"
let ?clientTa_t = "⦇login = TRUSTED_APP, id = Some ?taId_cli_t⦈"
let ?nextFuncStepParam_t = "⦇param1 = ?ses_id_t, param2 = None, param3 = None, param4 = Some ?clientTa_t,
param5 = None, param6 = ?cmd_id_t, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10 = None, param11 = None, param12=None, param13=None⦈"
let ?t1 = "setCurDomainAndEvent ?t_rev_event (TEE sysconf) (?nextFuncStepParam_t, TEE_CS2)"
have a10: "s' = fst (TEE_CloseTASession1 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_CloseTASession1 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?sesID = ?sesID_t"
by (simp add: a5)
have a15: "?clientTid = ?clientTid_t"
using a13 a14 mgr_ta_sessions_findSesCliTid
by blast
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS1")
case True
have b1: "current s ≠ the(?clientTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS1"
using True by blast
have b2: "current t ≠ the(?clientTid_t) ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEE_CS1 "
using a12 a15 a5 b1 by auto
have b3: "s = s'"
using b1 TEE_CloseTASession1_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEE_CloseTASession1_def a11 findSesServTid_def
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "current s = the(?clientTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS1"
using False by auto
have d2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d3: "?pre_param_ops_t = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d4: "current s = the(?clientTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS1 ∧ ?pre_param_ops = TEE_SUCCESS"
using False d2 by auto
have d5: "current t = the(?clientTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS1 ∧ ?pre_param_ops_t = TEE_SUCCESS"
using a12 a15 a5 d4 by auto
have d6: "s' = ?s1"
using a10 d2 d4 TEE_CloseTASession1_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) TEE_CloseTASession1_def fst_conv)
have d7: "t' = ?t1"
using a11 d3 d5 TEE_CloseTASession1_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) TEE_CloseTASession1_def fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d8: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d8)
have e2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have e3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d8)
have e4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have e5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 e3 e4 by blast
have e6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by fastforce
have e7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have e8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}"
using e6 e7 by auto
have e9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have e10: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}"
using tee_memories_setCurDomainAndEvent by auto
have e11: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}"
using e9 e10 by auto
have e12: " {x. x∈set(tee_memories (TEE_state ?s1))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
using d6 by auto
have e13: "{x. x∈set(tee_memories (TEE_state ?t1))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d7 by auto
have e14: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using e12 e13 e5 e11 e8
by blast
then show ?thesis
using e1 e2 by blast
}
qed
next
case False
have d9: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d10: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d9 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
by (metis True d9 vpeq1_def)
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d9 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s1)"
using ree_total_size_setCurDomainAndEvent by auto
have j9: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j10: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t1)"
using ree_total_size_setCurDomainAndEvent by auto
have j11: "ree_total_size(REE_state ?t1) = ree_total_size(REE_state ?s1)"
using j10 j5 j7 j8 j9 by presburger
have j12: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j13: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s1)"
using driver_mem_tee_setCurDomainAndEvent by auto
have j14: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j15: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t1)"
using driver_mem_tee_setCurDomainAndEvent by auto
have j16: "driver_mem(REE_state ?t1) = driver_mem(REE_state ?s1)"
using j12 j13 j14 j15 j6 by presburger
have j17: "ree_total_size(REE_state ?t1) = ree_total_size(REE_state t')"
by (simp add: d7)
have j18: "ree_total_size(REE_state ?s1) = ree_total_size(REE_state s')"
by (simp add: d6)
have j19: "driver_mem(REE_state ?t1) = driver_mem(REE_state t')"
by (simp add: d7)
have j20: "driver_mem(REE_state ?s1) = driver_mem(REE_state s')"
by (simp add: d6)
have j21: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j11 j17 j18 j16 j19 j20
by auto
then show ?thesis using j21 j1
by auto
}
qed
next
case False
then have d11: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d9)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d12: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
by (metis False d9)
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using False d9 is_TA_def vpeq1_def by presburger
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d9 is_TA_def vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 k4 by blast
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have k8: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
using tee_memories_setCurDomainAndEvent by fastforce
have k10: "{x. x∈set(tee_memories (TEE_state ?s1))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t1))∧ (ownership x=d)}"
using k5 k6 k7 k8 k9 by blast
then show ?thesis
using d6 d7 k1 by fastforce
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d11 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False d11 is_TA_def by blast
then show ?thesis by blast
}
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_CloseTASession1_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_CLOSETASESSION1))"
using TEE_CloseTASession1_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEE_CloseTASession2"
lemma TEE_CloseTASession2_integrity:
assumes p1: "a = hyperc (TEE_CLOSETASESSION2)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?client_type = "param4 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?isSesIdinMgrSesIdList = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?s_rev_event))) (the ?ses_id)"
let ?s_ret = "tee_ta_close_session_teeDomain_pre sysconf ?s_rev_event ?ses_id ?client_type ?in_params ?out_params"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_CloseTASession2 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_CloseTASession2 sysconf s)"
using a3 a4 by auto
have a4_2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2")
case True
then have "s = s'"
using TEE_CloseTASession2_def a4_1
by (smt (verit, ccfv_SIG) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2 ∧ ?pre_param_ops = TEE_SUCCESS"
using a4_2 by auto
then have b4: "current s = TEE sysconf"
by simp
then have b5: "(the (domain_of_event s a)) = current s"
by (metis domain_of_event_def option.sel)
then have b6: "(the (domain_of_event s a)) ↝ d"
using b4 ins_tee_intf_all by presburger
then show ?thesis
proof(cases "?isSesIdinMgrSesIdList = False")
case True
then have b2: "?isSesIdinMgrSesIdList = False"
by auto
then have b3: "s' = ?s_rev_event"
using a3 a4 b1 b2 a4_1 TEE_CloseTASession2_def a2 b6 non_interference1_def by blast
then show ?thesis
using b6 a2
by auto
next
case False
then show ?thesis
using b6 a2 by auto
qed
qed
} then show ?thesis by blast
qed
lemma TEE_CloseTASession2_integrity_e:
"integrity_e (hyperc (TEE_CLOSETASESSION2))"
using TEE_CloseTASession2_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_CloseTASession2_weak_confidentiality:
assumes p1: "a = hyperc (TEE_CLOSETASESSION2)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?client_type = "param4 ?p"
let ?cmd_id = "param6 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?sesID = "the ?ses_id"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?client_tid = "findSesCliTid ?s_rev_event ?sesID"
let ?pre_param_ops = "TEE_pre_param_operation ?in_params"
let ?taIns = "getTAInsCtx ?s_rev_event (the ?client_tid)"
let ?taId_cli = "ta_id ?taIns"
let ?mgrTaInsCtxs = "mgr_ta_instances (ta_mgr (TEE_state ?s_rev_event))"
let ?clientTaIns = "getTAInsCtx ?s_rev_event (the ?client_tid)"
let ?client_id = "ta_id ?clientTaIns"
let ?clientType = "getClientType TRUSTED_APP ?client_id"
let ?isSesIdinMgrSesIdList = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?s_rev_event))) (the ?ses_id)"
let ?s_ret = "tee_ta_close_session_teeDomain_pre sysconf ?s_rev_event ?ses_id ?client_type ?in_params ?out_params"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?client_type_t = "param4 ?p_t"
let ?cmd_id_t = "param6 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?sesID_t = "the ?ses_id_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?client_tid_t = "findSesCliTid ?t_rev_event ?sesID_t"
let ?pre_param_ops_t = "TEE_pre_param_operation ?in_params_t"
let ?taIns_t = "getTAInsCtx ?t_rev_event (the ?client_tid_t)"
let ?taId_cli_t = "ta_id ?taIns_t"
let ?mgrTaInsCtxs_t = "mgr_ta_instances (ta_mgr (TEE_state ?t_rev_event))"
let ?clientTaIns_t = "getTAInsCtx ?t_rev_event (the ?client_tid_t)"
let ?client_id_t = "ta_id ?clientTaIns_t"
let ?clientType_t = "getClientType TRUSTED_APP ?client_id_t"
let ?isSesIdinMgrSesIdList_t = "isSesIdinMgrSesList (mgr_ta_sessions (ta_mgr (TEE_state ?t_rev_event))) (the ?ses_id_t)"
let ?t_ret = "tee_ta_close_session_teeDomain_pre sysconf ?t_rev_event ?ses_id_t ?client_type_t ?in_params_t ?out_params_t"
have a10: "s' = fst (TEE_CloseTASession2 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_CloseTASession2 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a14: "?sesID = ?sesID_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2")
case True
have b1: "current s ≠ TEE sysconf ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEEC_CS2"
using True by auto
have b2: "current t ≠ TEE sysconf ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEEC_CS2"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEE_CloseTASession2_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEE_CloseTASession2_def a11 findSesServTid_def
by (smt (z3) fst_conv)
then show ?thesis
using a3 b3 by blast
next
case False
have d1: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2"
using False by auto
have d2: "?pre_param_ops = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d3: "?pre_param_ops_t = TEE_SUCCESS"
by (simp add: TEE_pre_param_operation_def)
have d4: "current s = TEE sysconf ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEEC_CS2 ∧ ?pre_param_ops = TEE_SUCCESS"
using False d2 by auto
have d5: "current t = TEE sysconf ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEEC_CS2 ∧ ?pre_param_ops_t = TEE_SUCCESS"
using False a12 a5 d3 by auto
have d8: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have d9: "?isSesIdinMgrSesIdList = ?isSesIdinMgrSesIdList_t"
using isSesIdinMgrSesList_cur_ta_session_list a13 d8
by (simp add: a5)
then show ?thesis
proof(cases "?isSesIdinMgrSesIdList = False")
case True
have d6: "?isSesIdinMgrSesIdList = False"
using True by auto
have d10: "?isSesIdinMgrSesIdList_t = False"
using d6 d9 by auto
have d11: "s' = ?s_rev_event"
using a10 d2 d4 d6 TEE_CloseTASession2_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
have d12: "t' = ?t_rev_event"
using a11 d3 d5 d10 TEE_CloseTASession2_def
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d13)
have e2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have e3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d13)
have e4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have e5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 e3 e4 by blast
have e6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by fastforce
have e7: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have e8: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using d11 d12 e5 e6 e7 by blast
then show ?thesis
using e1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j9: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
using j5 j7 j8 by linarith
have j10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j11: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j12: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?s_rev_event)"
using j10 j11 j6 by presburger
have j13: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state t')"
by (simp add: d12)
have j14: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state s')"
by (simp add: d11)
have j15: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state t')"
by (simp add: d12)
have j16: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state s')"
by (simp add: d11)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16
by auto
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d14 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d14 is_TA_def vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 k4 by blast
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 by blast
then show ?thesis
using d11 d12 k1 k2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
by (metis d16)
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False d16 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have f1: "?isSesIdinMgrSesIdList = True"
using False by auto
have f2: "?isSesIdinMgrSesIdList_t = True"
using False d9 by auto
have f3: "s' = fst ?s_ret"
using d4 f1 TEE_CloseTASession2_def a10
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
have f4: "t' = fst ?t_ret"
using d5 f2 TEE_CloseTASession2_def a11
by (smt (verit, ccfv_SIG) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have f5: "d = TEE sysconf" by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: f5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: f5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (block_id x=0)}"
using tee_memories_tee_ta_close_session_teeDomain
by simp
have m8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have m9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (block_id x=0)}"
using tee_memories_tee_ta_close_session_teeDomain
by simp
have m10: "{x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: f3)
have m11: "{x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: f4)
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 m6 m7 m8 m9 by presburger
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using f6 by auto
then show ?thesis
proof-
{
have g1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have g2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have g3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have g4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have g5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 g3 by auto
have g6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 g3 by auto
have g7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have g8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state (fst ?s_ret))"
using ree_total_size_tee_ta_close_session_teeDomain
by simp
have g9: "ree_total_size(REE_state s) = ree_total_size(REE_state (fst ?s_ret))"
using g8 by auto
have g10: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have g11: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state (fst ?t_ret))"
using ree_total_size_tee_ta_close_session_teeDomain
by simp
have g12: "ree_total_size(REE_state t) = ree_total_size(REE_state (fst ?t_ret))"
using g11 by auto
have g13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have g14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state (fst ?s_ret))"
using driver_mem_tee_ta_close_session_teeDomain
by simp
have g15: "driver_mem(REE_state s) = driver_mem(REE_state (fst ?s_ret))"
using g14 by auto
have g16: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have g17: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state (fst ?t_ret))"
using driver_mem_tee_ta_close_session_teeDomain
by simp
have g18: "driver_mem(REE_state t) = driver_mem(REE_state (fst ?t_ret))"
using g17 by auto
have g19: "driver_mem(REE_state s') = driver_mem(REE_state (fst ?s_ret))"
by (simp add: f3)
have g20: "driver_mem(REE_state t') = driver_mem(REE_state (fst ?t_ret))"
using f4 by fastforce
have g21: "driver_mem(REE_state (fst ?s_ret)) = driver_mem(REE_state (fst ?t_ret))"
using g13 g14 g16 g17 g6 by presburger
have g22: "driver_mem(REE_state s') = driver_mem(REE_state t')"
by (simp add: g19 g20 g21)
have g23: "ree_total_size(REE_state s') = ree_total_size(REE_state (fst ?s_ret))"
by (simp add: f3)
have g24: "ree_total_size(REE_state t') = ree_total_size(REE_state (fst ?t_ret))"
by (simp add: f4)
have g25: "ree_total_size(REE_state (fst ?s_ret)) = ree_total_size(REE_state (fst ?t_ret))"
using g10 g11 g5 g7 g8 by linarith
have g26: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
by (simp add: g23 g24 g25)
have g27: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
using g22 g26 by blast
then show ?thesis
using g1 g2 by blast
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True f6 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson False True f6 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (ownership x=d)}"
using tee_memories_tee_ta_close_session_teeDomain
by simp
have h8: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (ownership x=d)}"
using tee_memories_tee_ta_close_session_teeDomain
by simp
have h10: "{x. x∈set(tee_memories (TEE_state (fst ?s_ret)))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state (fst ?t_ret)))∧ (ownership x=d)}"
using h5 h6 h7 h8 h9 by blast
then show ?thesis
using f3 f4 h1 by fastforce
}
qed
next
case False
then have f10: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have i1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have i2: "vpeq1 s' d t' = True"
using f10 False by auto
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_CloseTASession2_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_CLOSETASESSION2))"
using TEE_CloseTASession2_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEE_CloseTASession3"
lemma TEE_CloseTASession3_integrity:
assumes p1: "a = hyperc (TEE_CLOSETASESSION3)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "param2 ?p"
let ?clientType = "param4 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?isSesIdInTaStateSesList = "isSessIdInTaStateSessList s ?ses_id ?servTid"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?servTid, param3 = None, param4 = ?clientType,
param5 = None, param6 =None, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10=None, param11=None, param12=None, param13=None⦈"
let ?s_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?s_rev_event (the ?servTid)"
let ?s_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?s_taCloseSessionEntry (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?taState = "(TAs_state s) (the ?servTid)"
let ?taSesListInTaState = "(TA_sessions (the ?taState))"
let ?ta_attr = "TA_attribute (the ?taState)"
let ?isSingleInstance = "singleInstance ?ta_attr"
let ?isKeepAlive = "keepAlive ?ta_attr"
let ?s_sesIdNotInTaStateSesList = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_rev_event)⦈"
let ?s_taDestroyEntryPoint = "TA_DestroyEntryPoint ?s_removeSess_inTaState"
let ?s_deleteTaStateBackTEE = "?s_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_taDestroyEntryPoint)⦈"
let ?s_notDeleteTaStateBackTEE = "?s_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_removeSess_inTaState)⦈"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_CloseTASession3 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_CloseTASession3 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS3")
case True
then have "s = s'" using TEE_CloseTASession3_def a4_1
by (smt (z3) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3"
by auto
then show ?thesis
proof(cases "?isSesIdInTaStateSesList = False")
case True
have c1 : "current s = (the ?servTid) ∧ (exec_prime s) ≠ []
∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList = False"
using False True by auto
have c2 : "s' = ?s_sesIdNotInTaStateSesList"
using TEE_CloseTASession3_def a4_1 c1
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: c3)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d5: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_sesIdNotInTaStateSesList)"
by auto
then show ?thesis
using c2 d1 d2 by presburger
}
qed
next
case False
have c4: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have c5: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True c4 by auto
then show ?thesis
proof-
{
have f1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True c4 by auto
have f2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have f5: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_sesIdNotInTaStateSesList)"
by simp
have f8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_sesIdNotInTaStateSesList)"
by simp
then show ?thesis
using c2 f1 f2 f5 f8 by presburger
}
qed
next
case False
have c6: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False c4)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
have b7: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ is_TA sysconf d"
using False True c4 by blast
then show ?thesis
proof(cases "d = current s")
case True
have tmp1: "d = current s"
by (simp add: True)
then show ?thesis
by (metis a2 domain_of_event_def nintf_neq option.sel)
next
case False
have tmp2: "d ≠ current s"
by (simp add: False)
then show ?thesis
proof-
{
have g1: "(s ∼ d ∼ s') = (vpeq_TA s d s')"
using b7 by auto
have g2: "(vpeq_TA s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)})"
by simp
have g3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_sesIdNotInTaStateSesList)"
by simp
then show ?thesis
using c2 g1 g2 g3 by presburger
}
qed
qed
next
case False
have b8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using False c6 by auto
then show ?thesis
proof-
{
have c1: "vpeq1 s d s' = True"
using False c6 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have b9: "?isSesIdInTaStateSesList ≠ False"
using False by auto
have b10: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False"
using b1 b9 by auto
then show ?thesis
proof(cases "¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []")
case True
have b11: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []"
using True b1 b9 by auto
have b12: "s' = ?s_deleteTaStateBackTEE"
using TEE_CloseTASession3_def a4_1 b11
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: b13)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE TA_CloseSessionEntryPoint_def
by (metis d3)
have d5: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using tee_memories_removeAllSessIdInTaStateSessList by simp
have d6: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have d7: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
by simp
have d8: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
using d3 d4 d5 d6 d7 by presburger
then show ?thesis
using b12 d1 d2 by blast
}
qed
next
case False
then have b14: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have b15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using b14 True by auto
then show ?thesis
proof-
{
have e1: "vpeq1 s d s' = vpeq_REE s d s'"
using True b14 by auto
have e2: "vpeq_REE s d s' = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have e3: "ree_total_size (REE_state s) = ree_total_size (REE_state ?s_rev_event)"
by simp
have e4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have e5: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have e6: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have e7: "ree_total_size (REE_state ?s_taDestroyEntryPoint) = ree_total_size (REE_state ?s_deleteTaStateBackTEE)"
by simp
have e8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have e9: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have e10: "driver_mem (REE_state ?s_taCloseSessionEntry) = driver_mem (REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have e11: "driver_mem (REE_state ?s_removeSess_inTaState) = driver_mem (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have e12: "driver_mem (REE_state ?s_taDestroyEntryPoint) = driver_mem (REE_state ?s_deleteTaStateBackTEE)"
by simp
have e13: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using e1 by auto
have e14: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
using e1 e2 e3 e4 e5 e6 e7 e8 e9 e10 e11 e12 e13 b12
by presburger
then show ?thesis using e14
using e13 by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False b14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False b14 by blast
then show ?thesis
proof(cases "d = (the ?servTid)")
case True
then show ?thesis using a2 b10 by force
next
case False
then have d14: "d ≠ current s"
by (simp add: b1)
then have d15: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using d13 by auto
have t1: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof-
{
have u1: "TEE_state s = TEE_state ?s_rev_event" by simp
have u2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA d14
using False CloseSessionEntryPoint_not_change_other_TA_aux b10 get_exec_prime_def mem_Collect_eq u1
by (metis (mono_tags, lifting))
have u3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have u4: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have u5: "tee_memories(TEE_state ?s_taDestroyEntryPoint)=tee_memories( TEE_state ?s_deleteTaStateBackTEE)"
by simp
have u6: "vpeq_TA s' d s"
using u1 u2 u3 u4 u5 b12 vpeq_TA_def
by presburger
then show ?thesis
by auto
}
qed
then show ?thesis using t1
using d15 vpeq_TA_def by blast
qed
next
case False
then show ?thesis
using is_TA_def p4 by blast
qed
qed
qed
next
case False
have d16: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ((?isSingleInstance = True ∧ ?isKeepAlive = True) ∨ ?taSesListInTaState ≠ [])"
using False b1 b9 by auto
have d17: "s' = ?s_notDeleteTaStateBackTEE"
using d16 TEE_CloseTASession3_def a4_1
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d18: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have e1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: d18)
have e2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have e3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have e4: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE TA_CloseSessionEntryPoint_def
by (metis e3)
have e5: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using tee_memories_removeAllSessIdInTaStateSessList by simp
have e6: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by force
then show ?thesis
using d17 e1 e3 e4 e5 vpeq_TEE_def by presburger
}
qed
next
case False
then have p4: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have p5: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True p4 by auto
then show ?thesis
proof-
{
have q1: "(s ∼ d ∼ s') = (vpeq_REE s d s')"
using True p4 by auto
have q2: "(vpeq_REE s d s') = (ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s'))"
by simp
have q3: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have q4: "ree_total_size (REE_state ?s_rev_event) = ree_total_size (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have q5: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have q6: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_notDeleteTaStateBackTEE)"
by simp
have q8: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by simp
have q9: "driver_mem (REE_state ?s_rev_event) = driver_mem (REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have q10: "driver_mem (REE_state ?s_taCloseSessionEntry) = driver_mem (REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have q11: "driver_mem (REE_state ?s_removeSess_inTaState) = driver_mem (REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have q13: "(s ∼ d ∼ s') = vpeq_REE s d s'"
using q1 by auto
have q14: "ree_total_size(REE_state s) = ree_total_size (REE_state s')
∧ driver_mem(REE_state s) = driver_mem(REE_state s')"
using q1 q2 q3 q4 q5 q6 q8 q9 q10 q11 d17
by presburger
then show ?thesis using q14 q13
by auto
}
qed
next
case False
have p4: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: False p4)
then show ?thesis
proof(cases "d = (the ?servTid)")
case True
then show ?thesis using a2 b10 by force
next
case False
then have p14: "d ≠ current s"
by (simp add: b1)
then have p15: "(s ∼ d ∼ s') = vpeq_TA s d s'"
using is_TA_def p4 vpeq1_def by presburger
have t2: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA p14
using False CloseSessionEntryPoint_not_change_other_TA_aux b10 get_exec_prime_def mem_Collect_eq v1
by (metis (mono_tags, lifting))
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have u6: "vpeq_TA s' d s"
using v1 v2 v3 v5 d17 vpeq_TA_def
by presburger
then show ?thesis by auto
}
qed
then show ?thesis using t2
using p15 vpeq_TA_def by blast
qed
qed
qed
qed
qed
qed
} then show ?thesis
by blast
qed
lemma TEE_CloseTASession3_integrity_e:
"integrity_e (hyperc (TEE_CLOSETASESSION3))"
using TEE_CloseTASession3_integrity integrity_e_def
using get_exec_prime_def by auto
lemma TEE_CloseTASession3_weak_confidentiality:
assumes p1: "a = hyperc (TEE_CLOSETASESSION3)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a52: "TAs_state s =TAs_state t "
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "param2 ?p"
let ?clientType = "param4 ?p"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?isSesIdInTaStateSesList = "isSessIdInTaStateSessList s ?ses_id ?servTid"
let ?nextFuncStepParam = "⦇param1 = ?ses_id, param2 = ?servTid, param3 = None, param4 = ?clientType,
param5 = None, param6 =None, param7 = ?in_params, param8 = ?out_params, param9 = None,
param10=None, param11=None, param12=None, param13=None⦈"
let ?s_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?s_rev_event (the ?servTid)"
let ?s_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?s_taCloseSessionEntry (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?taState = "(TAs_state s) (the ?servTid)"
let ?taSesListInTaState = "(TA_sessions (the ?taState))"
let ?ta_attr = "TA_attribute (the ?taState)"
let ?isSingleInstance = "singleInstance ?ta_attr"
let ?isKeepAlive = "keepAlive ?ta_attr"
let ?s_sesIdNotInTaStateSesList = "?s_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_rev_event)⦈"
let ?s_taDestroyEntryPoint = "TA_DestroyEntryPoint ?s_removeSess_inTaState"
let ?s_deleteTaStateBackTEE = "?s_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_taDestroyEntryPoint)⦈"
let ?s_notDeleteTaStateBackTEE = "?s_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam, TEE_CS4)#(exec_prime ?s_removeSess_inTaState)⦈"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?servTid_t = "param2 ?p_t"
let ?clientType_t = "param4 ?p_t"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?isSesIdInTaStateSesList_t = "isSessIdInTaStateSessList t ?ses_id_t ?servTid_t"
let ?nextFuncStepParam_t = "⦇param1 = ?ses_id_t, param2 = ?servTid_t, param3 = None, param4 = ?clientType_t,
param5 = None, param6 =None, param7 = ?in_params_t, param8 = ?out_params_t, param9 = None,
param10=None, param11=None, param12=None, param13=None⦈"
let ?t_taCloseSessionEntry = "TA_CloseSessionEntryPoint ?t_rev_event (the ?servTid_t)"
let ?t_removeSess_inTaState = "removeAllSessIdInTaStateSessList ?t_taCloseSessionEntry (the ?ses_id_t) (the ?in_params_t) (the ?out_params_t)"
let ?taState_t = "(TAs_state t) (the ?servTid_t)"
let ?taSesListInTaState_t = "(TA_sessions (the ?taState_t))"
let ?ta_attr_t = "TA_attribute (the ?taState_t)"
let ?isSingleInstance_t = "singleInstance ?ta_attr_t"
let ?isKeepAlive_t = "keepAlive ?ta_attr_t"
let ?t_sesIdNotInTaStateSesList = "?t_rev_event⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEE_CS4)#(exec_prime ?t_rev_event)⦈"
let ?t_taDestroyEntryPoint = "TA_DestroyEntryPoint ?t_removeSess_inTaState"
let ?t_deleteTaStateBackTEE = "?t_taDestroyEntryPoint⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEE_CS4)#(exec_prime ?t_taDestroyEntryPoint)⦈"
let ?t_notDeleteTaStateBackTEE = "?t_removeSess_inTaState⦇current := TEE sysconf, exec_prime := (?nextFuncStepParam_t, TEE_CS4)#(exec_prime ?t_removeSess_inTaState)⦈"
have a10: "s' = fst (TEE_CloseTASession3 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_CloseTASession3 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a14: "(TAs_state s) = (TAs_state t)" using a52 by auto
have a15: "?servTid = ?servTid_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS3")
case True
have b1: "current s ≠ (the ?servTid) ∨ (exec_prime s) = [] ∨ snd (hd (exec_prime s)) ≠ TEE_CS3"
using True by auto
have b2: "current t ≠ (the ?servTid_t) ∨ (exec_prime t) = [] ∨ snd (hd (exec_prime t)) ≠ TEE_CS3"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEE_CloseTASession3_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEE_CloseTASession3_def a11
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d1: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3"
using False by auto
have d2: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS3"
using False a12 a5 by auto
have e2: "?isSesIdInTaStateSesList = ?isSesIdInTaStateSesList_t"
using isSessIdInTaStateSessList_def a14 a5
by (metis (no_types, lifting))
then show ?thesis
proof(cases "?isSesIdInTaStateSesList = False")
case True
have e1: "?isSesIdInTaStateSesList = False"
by (simp add: True)
have e3: "current s = (the ?servTid) ∧ (exec_prime s) ≠ []
∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList = False"
using False e1 by auto
have e4: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ []
∧ snd (hd (exec_prime t)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList_t = False"
using d2 e2 e3 by auto
have e5: "s' = ?s_sesIdNotInTaStateSesList"
using TEE_CloseTASession3_def a10 e3
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
have e6: "t' = ?t_sesIdNotInTaStateSesList"
using TEE_CloseTASession3_def a11 e4
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have d3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have f1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: d3)
have f2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have f3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: d3)
have f4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have f5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 f3 f4 by blast
have f6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by fastforce
have f7: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by fastforce
have e8: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using e5 e6 f5 f6 f7
using setCurDomainAndEvent_def tee_memories_setCurDomainAndEvent by presburger
then show ?thesis
using e8
using f1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j9: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?t_rev_event)"
using j5 j7 j8 by linarith
have j10: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j11: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j12: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?s_rev_event)"
using j10 j11 j6 by presburger
have j13: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state t')"
by (simp add: e6)
have j14: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state s')"
by (simp add: e5)
have j15: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state t')"
by (simp add: e6)
have j16: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state s')"
by (simp add: e5)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16
by auto
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have k1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson False True d14 vpeq1_def)
have k2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have k3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using False d14 is_TA_def vpeq1_def by presburger
have k4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have k5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using a3 k3 k4 by blast
have k6: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}"
by auto
have k7: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
by auto
have k10: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}"
using k5 k6 k7 by blast
then show ?thesis
using e5 e6 k1 k2
by auto
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
by (metis d16)
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
using False d16 is_TA_def by blast
then show ?thesis
by auto
}
qed
qed
qed
qed
next
case False
have g1: "?isSesIdInTaStateSesList = True"
using False by auto
have g2: "?isSesIdInTaStateSesList_t = True"
using False e2 by auto
have g3: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False"
using d1 g1 by auto
have g4: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False"
using d2 g2 by auto
then show ?thesis
proof(cases "¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []")
case True
have g5: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = []"
using True g3 by auto
have g6: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False
∧ ¬(?isSingleInstance_t = True ∧ ?isKeepAlive_t = True) ∧ ?taSesListInTaState_t = []"
using True g4
using a14 a5 by auto
have g7: "s' = ?s_deleteTaStateBackTEE"
using TEE_CloseTASession3_def a10 g5
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
have g8: "t' = ?t_deleteTaStateBackTEE"
using TEE_CloseTASession3_def a11 g6
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: b13)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: b13)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m9: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m10: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (block_id x=0)}"
by (simp add: TA_DestroyEntryPoint_def)
have m11: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m12: "{x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
by (simp add: g7)
have m11: "{x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
by (simp add: g8)
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 m6 m7 m8 m9 g6
by (metis isSesIdinSesIdList.simps(1) isSessIdInTaStateSessList_def)
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
then have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using f6 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have n2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have n4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have n5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 n3 by auto
have n6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 n3 by auto
have n7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size (REE_state ?s_taDestroyEntryPoint) = ree_total_size (REE_state ?s_deleteTaStateBackTEE)"
by simp
have n12: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?t_taCloseSessionEntry) = ree_total_size (REE_state ?t_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?t_removeSess_inTaState) = ree_total_size (REE_state ?t_taDestroyEntryPoint)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size (REE_state ?t_taDestroyEntryPoint) = ree_total_size (REE_state ?t_deleteTaStateBackTEE)"
by simp
have n12: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_deleteTaStateBackTEE)"
using g6 by (metis isSesIdinSesIdList.simps(1) isSessIdInTaStateSessList_def)
have n321: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
using g6 isSessIdInTaStateSessList_def by force
have n13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have n14: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_taCloseSessionEntry)"
using g6 isSessIdInTaStateSessList_def by force
have n15: "driver_mem(REE_state ?s_taCloseSessionEntry) = driver_mem(REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n16: "driver_mem(REE_state ?s_removeSess_inTaState) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n17: "driver_mem(REE_state s) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using n14 n15 n16 by auto
have n18: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have n19: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_taCloseSessionEntry)"
using g6 isSessIdInTaStateSessList_def by force
have n20: "driver_mem(REE_state ?t_taCloseSessionEntry) = driver_mem(REE_state ?t_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n21: "driver_mem(REE_state ?t_removeSess_inTaState) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n22: "driver_mem(REE_state t) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n18 n19 n20 n21 by presburger
have n23: "driver_mem(REE_state s') = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using g7 by auto
have n24: "driver_mem(REE_state t') = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: g8)
have n25: "driver_mem(REE_state ?s_deleteTaStateBackTEE) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n17 n18 n19 n20 n21 n6 by presburger
have n26: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using n23 n24 n25 by force
have n27: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: g7)
have n28: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: g8)
have n29: "ree_total_size(REE_state ?s_deleteTaStateBackTEE) = ree_total_size(REE_state ?t_deleteTaStateBackTEE)"
using n12 n321 n5 by presburger
have n30: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using n27 n28 n29 by linarith
have n31: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: n26 n30)
then show ?thesis
using n1 by auto
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
have f9_1: "current s = (the ?servTid)"
by (simp add: d1)
then show ?thesis
proof(cases "d ≠ (the ?servTid)")
case True
have f9_1: "d ≠ (the ?servTid)" using True by simp
have f9_2: "d ≠ (the ?servTid_t)" using True
using a5 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f9 vpeq1_def by presburger
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_1
using False CloseSessionEntryPoint_not_change_other_TA_aux g5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h10: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
using h6 h7 h8 h9 h10
by presburger
have h12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state t = TEE_state ?t_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_2
using False CloseSessionEntryPoint_not_change_other_TA_aux g5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?t_taCloseSessionEntry)=tee_memories( TEE_state ?t_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?t_removeSess_inTaState)=tee_memories( TEE_state ?t_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h16: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using h12 h13 h14 h15 h16
by presburger
have h18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have h19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using g8 h14 h15 h16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using h18 h19
by (metis h17 h5 h6 h7)
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
have f10_1: "d = (the ?servTid)" using False by simp
have f10_2: "d = (the ?servTid_t)" using False
using a5 by auto
have f11_1: "d = current s"
using False d1 by auto
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 f9 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
using f9 vpeq1_def by presburger
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have m10: "{x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_deleteTaStateBackTEE))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have m16: "{x. x∈set(tee_memories (TEE_state ?t_taDestroyEntryPoint))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_deleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using m13 by auto
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using g6 isSessIdInTaStateSessList_def by force
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using g8 m14 m15 m16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19
by (metis m17 m5 m6 m7)
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have l2: "vpeq1 s' d t' = True"
using False f8 is_TA_def by blast
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have u5: "current s = (the ?servTid) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList ≠ False
∧ ¬(¬(?isSingleInstance = True ∧ ?isKeepAlive = True) ∧ ?taSesListInTaState = [])"
using False g3 by blast
have u6: "current t = (the ?servTid_t) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS3 ∧ ?isSesIdInTaStateSesList_t ≠ False
∧ ¬(¬(?isSingleInstance_t = True ∧ ?isKeepAlive_t = True) ∧ ?taSesListInTaState_t = [])"
using False a14 a5 g4 by auto
have u7: "s' = ?s_notDeleteTaStateBackTEE"
using TEE_CloseTASession3_def a10 u5
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
have u8: "t' = ?t_notDeleteTaStateBackTEE"
using TEE_CloseTASession3_def a11 u6
by (smt (verit) State.fold_congs(1) State.fold_congs(6) fst_eqD)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have b13: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: b13)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: b13)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m8: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}"
using CloseSessionEntryPoint_not_change_TEE_aux tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}"
by fastforce
have m10: "{x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}"
using m5 m6 m7 m8 m9 u7 by presburger
have m11: "{x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using u8 by blast
have m11: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m5 m10 m11 by presburger
then show ?thesis
using m1 by auto
}
qed
next
case False
then have f6: "d ≠ TEE sysconf" by simp
then show ?thesis
proof(cases "d = REE sysconf")
case True
have f7: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True f6 by auto
then show ?thesis
proof-
{
have n1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True f6 by auto
have n2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have n3: "(s ∼ d ∼ t) = vpeq_REE s d t"
by (metis True tee_no_ree vpeq1_def)
have n4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have n5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 n3 by auto
have n6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 n3 by auto
have n7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n9: "ree_total_size (REE_state ?s_taCloseSessionEntry) = ree_total_size (REE_state ?s_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n10: "ree_total_size (REE_state ?s_removeSess_inTaState) = ree_total_size (REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n11: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
using ree_total_size_exec_prime_tl by blast
have n12: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_taCloseSessionEntry)"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n13: "ree_total_size (REE_state ?t_taCloseSessionEntry) = ree_total_size (REE_state ?t_removeSess_inTaState)"
by (simp add: ree_total_size_removeAllSessIdInTaStateSessList)
have n14: "ree_total_size (REE_state ?t_removeSess_inTaState) = ree_total_size (REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n15: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_notDeleteTaStateBackTEE)"
using u5 n7 n8 n9 n10
by presburger
have n16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
using n11 n12 n13 n14
by linarith
have n13: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
using driver_mem_exec_prime_tl by auto
have n14: "REE_state ?s_rev_event = REE_state ?s_taCloseSessionEntry"
using TA_CloseSessionEntryPoint_def
using OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n15: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_taCloseSessionEntry)"
using u5 n14 by simp
have n16: "driver_mem(REE_state ?s_taCloseSessionEntry) = driver_mem(REE_state ?s_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n17: "driver_mem(REE_state ?s_removeSess_inTaState) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n18: "driver_mem(REE_state s) = driver_mem(REE_state ?s_deleteTaStateBackTEE)"
using n13 n14 n15 n16 n17 by auto
have n19: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
using driver_mem_exec_prime_tl by auto
have n20: "REE_state ?t_rev_event = REE_state ?t_taCloseSessionEntry"
using TA_CloseSessionEntryPoint_def
using OpenSessionEntryPoint_not_change_REE TA_OpenSessionEntryPoint_def by auto
have n21: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_taCloseSessionEntry)"
using u6 n20 by simp
have n22: "driver_mem(REE_state ?t_taCloseSessionEntry) = driver_mem(REE_state ?t_removeSess_inTaState)"
by (simp add: driver_mem_removeAllSessIdInTaStateSessList)
have n23: "driver_mem(REE_state ?t_removeSess_inTaState) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
by (simp add: TA_DestroyEntryPoint_def)
have n24: "driver_mem(REE_state t) = driver_mem(REE_state ?t_deleteTaStateBackTEE)"
using n19 n20 n20 n21 n22 n23 by auto
have n25: "driver_mem(REE_state s') = driver_mem(REE_state ?s_notDeleteTaStateBackTEE)"
using u7 by auto
have n26: "driver_mem(REE_state t') = driver_mem(REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: u8)
have n27: "driver_mem(REE_state ?s_notDeleteTaStateBackTEE) = driver_mem(REE_state ?t_notDeleteTaStateBackTEE)"
using TA_DestroyEntryPoint_def driver_mem_removeAllSessIdInTaStateSessList n18 n20 n6 by auto
have n28: "driver_mem(REE_state s') = driver_mem(REE_state t')"
using n25 n26 n27 by force
have n29: "ree_total_size(REE_state s') = ree_total_size(REE_state ?s_notDeleteTaStateBackTEE)"
by (simp add: u7)
have n30: "ree_total_size(REE_state t') = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
by (simp add: u8)
have n31: "ree_total_size(REE_state ?s_notDeleteTaStateBackTEE) = ree_total_size(REE_state ?t_notDeleteTaStateBackTEE)"
using n14 n20 n5 ree_total_size_removeAllSessIdInTaStateSessList by auto
have n32: "ree_total_size(REE_state s') = ree_total_size(REE_state t')"
using n29 n30 n31 by linarith
have n31: "(driver_mem(REE_state s') = driver_mem(REE_state t'))
∧ (ree_total_size(REE_state s') = ree_total_size(REE_state t'))"
by (simp add: n28 n32)
then show ?thesis
using n1 by auto
}
qed
next
case False
then have f8: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: f6)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have f9: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using False f6 by blast
have f9_1: "current s = (the ?servTid)"
by (simp add: d1)
then show ?thesis
proof(cases "d ≠ (the ?servTid)")
case True
have f9_1: "d ≠ (the ?servTid)" using True by simp
have f9_2: "d ≠ (the ?servTid_t)" using True
using a5 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f9 vpeq1_def by presburger
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state s = TEE_state ?s_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_1
using False CloseSessionEntryPoint_not_change_other_TA_aux u5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?s_taCloseSessionEntry)=tee_memories( TEE_state ?s_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?s_removeSess_inTaState)=tee_memories( TEE_state ?s_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taDestroyEntryPoint))∧ (ownership x=d)}"
by (simp add: TA_DestroyEntryPoint_def)
have h10: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h11: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using h6 h7 h8 h9 h10
by presburger
have h12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
proof-
{
have v1: "TEE_state t = TEE_state ?t_rev_event" by simp
have v2: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)} =
{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def CloseSessionEntryPoint_not_change_other_TA f9_2
using False CloseSessionEntryPoint_not_change_other_TA_aux u5 get_exec_prime_def mem_Collect_eq v1
by blast
have v3: "tee_memories(TEE_state ?t_taCloseSessionEntry)=tee_memories( TEE_state ?t_removeSess_inTaState)"
by (simp add: tee_memories_removeAllSessIdInTaStateSessList)
have v5: "tee_memories(TEE_state ?t_removeSess_inTaState)=tee_memories( TEE_state ?t_notDeleteTaStateBackTEE)"
by simp
have v6: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using v2 by auto
then show ?thesis by auto
}
qed
have h14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have h16: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using h12 h13 h14 h15
by presburger
have h18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u5 isSessIdInTaStateSessList_def
by (simp add: u7)
have h19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using u8 h14 h15 h16 by presburger
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using h18 h19
using h11 h16 h5 by presburger
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
have f10_1: "d = (the ?servTid)" using False by simp
have f10_2: "d = (the ?servTid_t)" using False
using a5 by auto
have f11_1: "d = current s"
using False d1 by auto
have f11_2: "d = current t"
by (simp add: a12 f11_1)
have f12: "vpeq_TA s d t"
by (meson a3 f9 vpeq1_def)
have f13: "(s'∼d∼t') = (vpeq_TA s' d t')"
using f9 vpeq1_def by presburger
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
using f13 by auto
have m2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TA s d t"
by (meson f9 vpeq1_def)
have m4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
using f12 m4 by blast
have m6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m8: "{x. x∈set(tee_memories (TEE_state ?s_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
by simp
have m10: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u6 isSessIdInTaStateSessList_def
using m6 m7 m8 m9 by presburger
have m12: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have m13: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}"
using TA_CloseSessionEntryPoint_def OpenSessionEntryPoint_not_change_mem TA_OpenSessionEntryPoint_def by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_taCloseSessionEntry))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaStateSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inTaState))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using m13 m5 m7 tee_memories_removeAllSessIdInTaStateSessList by auto
have m17: "{x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using m10 m5 by presburger
have m18: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u6 isSessIdInTaStateSessList_def
using u7 by fastforce
have m19: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_notDeleteTaStateBackTEE))∧ (ownership x=d)}"
using u8 m14 m15 by fastforce
have h20: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using m18 m19 a113 m10 m12 m13 m5
by (metis tee_memories_removeAllSessIdInTaStateSessList)
then show ?thesis
using m1 m2 by blast
}
qed
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using f8 by auto
then show ?thesis
proof-
{
have l1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have l2: "vpeq1 s' d t' = True"
using False f8 is_TA_def by blast
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
qed
} then show ?thesis
using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_CloseTASession3_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_CLOSETASESSION3))"
using TEE_CloseTASession3_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
subsection "TEE_CloseTASession4"
lemma TEE_CloseTASession4_integrity:
assumes p1: "a = hyperc (TEE_CLOSETASESSION4)"
shows "∀ d s s'. reachable0 s ∧ ((the (domain_of_event s a)) ∖↝ d) ∧ (s, s') ∈ exec_event a ⟶ (s ∼ d ∼ s')"
proof-
{
fix s s' d
assume a1: "reachable0 s"
assume a2: "(the (domain_of_event s a)) ∖↝ d"
assume a3: "(s, s') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "(param2 ?p)"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?client_tid = "the(findSesCliTid s (the ?ses_id))"
let ?mgrSes = "the(findMgrSessionFromList s (the ?ses_id))"
let ?clientType = "client_id ?mgrSes"
let ?loginType = "login ?clientType"
let ?mgrTaInsList = "mgr_ta_instances (ta_mgr (TEE_state s))"
let ?curMgrTaIns = "findTaInsInMgrByTid ?mgrTaInsList (the ?servTid)"
let ?curMgrTaIns_attr = "attribute (the ?curMgrTaIns)"
let ?isSingleInstance = "singleInstance ?curMgrTaIns_attr"
let ?isKeepAlive = "keepAlive ?curMgrTaIns_attr"
let ?curMgrTaIns_refCnt = "reference_cnt (the ?curMgrTaIns) - 1"
let ?s_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?s_rev_event (the ?ses_id)"
let ?s_removeSess_inMgrClientTaInsSesList = "removeAllSessIdInTaInsSessList ?s_removeSess_inMgrTaSes ?client_tid (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?s_setNotBusy = "setTaInsBusyByThreadId ?s_removeSess_inMgrClientTaInsSesList (the ?servTid) False"
let ?s_subRef = "fst(subtractMgrInsRef ?s_setNotBusy (the ?servTid))"
let ?curTa_curTaSessionList = "cur_ta_session_list (the ?curMgrTaIns)"
let ?s_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?s_subRef (the ?servTid))"
let ?s_closeCurTaInsSessList = "addCloseSessionEvent sysconf ?s_removeTaInTaIns (the ?in_params) (the ?out_params) ?curTa_curTaSessionList"
let ?s_teeState_deleteCurTa = "deleteTaStateByThreadId ?s_closeCurTaInsSessList (the ?servTid)"
let ?s_removeTaMemInTee = "removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
have a4: "exec_event a = {(s, s'). s'∈{fst (TEE_CloseTASession4 sysconf s)}}"
using p1 exec_event_def by auto
have a4_1: "s' = fst (TEE_CloseTASession4 sysconf s)"
using a3 a4 by auto
have "(s ∼ d ∼ s')"
proof(cases "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEE_CS4)")
case True
then have "s = s'" using TEE_CloseTASession4_def a4_1
by (smt (z3) fst_conv)
then show ?thesis
using vpeq_reflexive_lemma by blast
next
case False
then have b1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEE_CS4)"
by auto
then show ?thesis
proof(cases "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)")
case True
have c1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEE_CS4)
∧ ?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)"
using False True by blast
have c2 : "s' = ?s_removeTaMemInTee"
using TEE_CloseTASession4_def a4_1 c1
by (smt (verit, best) State.unfold_congs(1) State.unfold_congs(6) fst_conv)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c3: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have d1: "(s ∼ d ∼ s') = (vpeq_TEE s d s')"
by (simp add: c3)
have d2: "(vpeq_TEE s d s') = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)} =
{x. x∈set(tee_memories (TEE_state s')) ∧ (block_id x=0)})"
by simp
have d3: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have d4: "tee_memories (TEE_state ?s_rev_event) = tee_memories (TEE_state ?s_removeSess_inMgrTaSes)"
by (metis a225 removeAllSessionInMgrSesList_def)
have d4_0: "tee_memories (TEE_state ?s_removeSess_inMgrTaSes) = tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList)"
by (simp add: tee_memories_removeAllSessIdInTaInsSessList)
have d5: "tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList) = tee_memories (TEE_state ?s_setNotBusy)"
using tee_memories_setTaInsBusy by blast
have d6: "tee_memories (TEE_state ?s_setNotBusy) = tee_memories (TEE_state ?s_subRef)"
using subtractMgrInsRef_def tee_memories_subtractMgrInsRef
by blast
have d7: "tee_memories (TEE_state ?s_subRef) = tee_memories (TEE_state ?s_removeTaInTaIns)"
by (simp add: tee_memories_removeTaInsInMgrInsList)
have d8: "tee_memories (TEE_state ?s_removeTaInTaIns) = tee_memories (TEE_state ?s_closeCurTaInsSessList)"
using tee_memories_addCloseSessionEvent
by simp
have d9: "tee_memories (TEE_state ?s_closeCurTaInsSessList) = tee_memories (TEE_state ?s_teeState_deleteCurTa)"
using deleteTaStateByThreadId_def tee_memories_deleteTaStateByThreadId
by simp
then show ?thesis using True a2 interference1_def b1 by simp
}
qed
next
case False
have b4:"d ≠ TEE sysconf" using False by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
next
case False
have d1: "¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using False by auto
have d2: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ (snd (hd (exec_prime s)) = TEE_CS4)
∧ ¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using b1 d1 by blast
then show ?thesis
proof(cases "d=TEE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by simp
next
case False
have b4:"d≠TEE sysconf" using False by simp
then show ?thesis
proof(cases "d=REE sysconf")
case True
then show ?thesis using True a2 interference1_def b1 by auto
next
case False
then have b5:"d≠REE sysconf" by simp
have b6:"is_TA sysconf d" using b4 b5 by auto
then show ?thesis using b6 a2 interference1_def b1 by simp
qed
qed
qed
qed
} then show ?thesis
by blast
qed
lemma TEE_CloseTASession4_integrity_e:
"integrity_e (hyperc (TEE_CLOSETASESSION4))"
using TEE_CloseTASession4_integrity integrity_e_def
using get_exec_prime_def by auto
lemma removeAllBlockbyTid: "∀x::MemBlock. (x∈set(removeAllMemBlockInMemBlockList tid memlist)⟶ownership x ≠ tid)"
apply(induct memlist)
apply simp
apply simp
apply auto
done
lemma prop1: "∀x::MemBlock. (ownership x=tid⟶x∉set(removeAllMemBlockInMemBlockList tid memlist))" using removeAllBlockbyTid
by blast
lemma prop2: "set(removeAllMemBlockInMemBlockList tid memlist) = set(filter (λx. ownership x ≠ tid) memlist)"
apply(induct memlist)
apply simp
apply simp
done
lemma prop3: "∀x. x∈set(memlist)∧ownership x ≠ tid ⟶ x∈set(removeAllMemBlockInMemBlockList tid memlist)"
proof (cases "memlist = []")
case True
then show ?thesis
by simp
next
case False
then show ?thesis using prop2
by simp
qed
lemma prop4: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) =
tee_memories (TEE_state (s⦇TEE_state:=(TEE_state s)⦇tee_total_size := ((tee_total_size (TEE_state s)) + (calMemBlockInMemBlockList d (tee_memories (TEE_state s)))),tee_memories:=(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s)))⦈⦈))"
using removeTaMemInTeeDomain_def
by metis
lemma prop5: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) =
tee_memories (TEE_state (s⦇TEE_state:=(TEE_state s)⦇tee_memories:=(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s)))⦈⦈))"
using prop4
by simp
lemma prop6: "tee_memories (TEE_state (removeTaMemInTeeDomain s d)) = removeAllMemBlockInMemBlockList d (tee_memories (TEE_state s))"
using prop5
by simp
axiomatization where prop7: "∀x::MemBlock. block_id x = 0 ⟶ ownership x = 1"
lemma prop8: "∀x::MemBlock. ownership x ≠ 1 ⟶ block_id x ≠ 0"
using prop7
by auto
lemma TEE_CloseTASession4_weak_confidentiality:
assumes p1: "a = hyperc (TEE_CLOSETASESSION4)"
shows "∀ d s t.
reachable0 s ∧
reachable0 t ∧
(s ∼ d ∼ t) ∧
((domain_of_event s a) = (domain_of_event t a)) ∧
(get_exec_prime s = get_exec_prime t) ∧
((the (domain_of_event s a)) ↝ d) ∧
(s ∼ (the (domain_of_event s a)) ∼ t) ⟶
(∀ s' t'. (s, s') ∈ exec_event a ∧ (t, t') ∈ exec_event a ⟶ (s' ∼ d ∼ t'))"
proof-
{
fix s t d s' t'
assume a1: "reachable0 s"
assume a2: "reachable0 t"
assume a3: "(s ∼ d ∼ t)"
assume a4: "(domain_of_event s a) = (domain_of_event t a)"
assume a5: "exec_prime s = exec_prime t"
assume a51: "ta_mgr(TEE_state s) =ta_mgr(TEE_state t)"
assume a6: "(the (domain_of_event s a)) ↝ d"
assume a7: "(s ∼ (the (domain_of_event s a)) ∼ t)"
assume a8: "(s, s') ∈ exec_event a"
assume a9: "(t, t') ∈ exec_event a"
let ?exec = "(exec_prime s)"
let ?p = "fst (hd ?exec)"
let ?ses_id = "param1 ?p"
let ?servTid = "(param2 ?p)"
let ?in_params = "param7 ?p"
let ?out_params = "param8 ?p"
let ?s_rev_event = "s⦇exec_prime := tl ?exec⦈"
let ?client_tid = "the(findSesCliTid s (the ?ses_id))"
let ?mgrSes = "the(findMgrSessionFromList s (the ?ses_id))"
let ?clientType = "client_id ?mgrSes"
let ?loginType = "login ?clientType"
let ?mgrTaInsList = "mgr_ta_instances (ta_mgr (TEE_state s))"
let ?curMgrTaIns = "findTaInsInMgrByTid ?mgrTaInsList (the ?servTid)"
let ?curMgrTaIns_attr = "attribute (the ?curMgrTaIns)"
let ?isSingleInstance = "singleInstance ?curMgrTaIns_attr"
let ?isKeepAlive = "keepAlive ?curMgrTaIns_attr"
let ?curMgrTaIns_refCnt = "reference_cnt (the ?curMgrTaIns) - 1"
let ?s_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?s_rev_event (the ?ses_id)"
let ?s_removeSess_inMgrClientTaInsSesList = "removeAllSessIdInTaInsSessList ?s_removeSess_inMgrTaSes ?client_tid (the ?ses_id) (the ?in_params) (the ?out_params)"
let ?s_setNotBusy = "setTaInsBusyByThreadId ?s_removeSess_inMgrClientTaInsSesList (the ?servTid) False"
let ?s_subRef = "fst(subtractMgrInsRef ?s_setNotBusy (the ?servTid))"
let ?curTa_curTaSessionList = "cur_ta_session_list (the ?curMgrTaIns)"
let ?s_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?s_subRef (the ?servTid))"
let ?s_closeCurTaInsSessList = "addCloseSessionEvent sysconf ?s_removeTaInTaIns (the ?in_params) (the ?out_params) ?curTa_curTaSessionList"
let ?s_teeState_deleteCurTa = "deleteTaStateByThreadId ?s_closeCurTaInsSessList (the ?servTid)"
let ?s_removeTaMemInTee = "removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
let ?exec_t = "(exec_prime t)"
let ?p_t = "fst (hd ?exec_t)"
let ?ses_id_t = "param1 ?p_t"
let ?servTid_t = "(param2 ?p_t)"
let ?in_params_t = "param7 ?p_t"
let ?out_params_t = "param8 ?p_t"
let ?t_rev_event = "t⦇exec_prime := tl ?exec_t⦈"
let ?client_tid_t = "the(findSesCliTid t (the ?ses_id_t))"
let ?mgrSes_t = "the(findMgrSessionFromList t (the ?ses_id_t))"
let ?clientType_t = "client_id ?mgrSes_t"
let ?loginType_t = "login ?clientType_t"
let ?mgrTaInsList_t = "mgr_ta_instances (ta_mgr (TEE_state t))"
let ?curMgrTaIns_t = "findTaInsInMgrByTid ?mgrTaInsList_t (the ?servTid_t)"
let ?curMgrTaIns_attr_t = "attribute (the ?curMgrTaIns_t)"
let ?isSingleInstance_t = "singleInstance ?curMgrTaIns_attr_t"
let ?isKeepAlive_t = "keepAlive ?curMgrTaIns_attr_t"
let ?curMgrTaIns_refCnt_t = "reference_cnt (the ?curMgrTaIns_t) - 1"
let ?t_removeSess_inMgrTaSes = "removeAllSessionInMgrSesList ?t_rev_event (the ?ses_id_t)"
let ?t_removeSess_inMgrClientTaInsSesList = "removeAllSessIdInTaInsSessList ?t_removeSess_inMgrTaSes ?client_tid_t (the ?ses_id_t) (the ?in_params_t) (the ?out_params_t)"
let ?t_setNotBusy = "setTaInsBusyByThreadId ?t_removeSess_inMgrClientTaInsSesList (the ?servTid_t) False"
let ?t_subRef = "fst(subtractMgrInsRef ?t_setNotBusy (the ?servTid_t))"
let ?curTa_curTaSessionList_t = "cur_ta_session_list (the ?curMgrTaIns_t)"
let ?t_removeTaInTaIns = "fst (removeTaInsInMgrInsList ?t_subRef (the ?servTid_t))"
let ?t_closeCurTaInsSessList = "addCloseSessionEvent sysconf ?t_removeTaInTaIns (the ?in_params_t) (the ?out_params_t) ?curTa_curTaSessionList_t"
let ?t_teeState_deleteCurTa = "deleteTaStateByThreadId ?t_closeCurTaInsSessList (the ?servTid_t)"
let ?t_removeTaMemInTee = "removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid_t)"
have a10: "s' = fst (TEE_CloseTASession4 sysconf s)"
using p1 a8 exec_event_def by auto
have a11: "t' = fst (TEE_CloseTASession4 sysconf t)"
using p1 a9 exec_event_def by auto
have a12: "current s = current t"
using domain_of_event_def a4 by (metis option.sel)
have a13: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)" using a3 vpeq1_def a51 by auto
have a15: "?servTid = ?servTid_t"
by (simp add: a5)
have "(s' ∼ d ∼ t')"
proof(cases "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEE_CS4)")
case True
have b1: "current s ≠ (TEE sysconf) ∨ (exec_prime s) = [] ∨ (snd (hd (exec_prime s)) ≠ TEE_CS4)"
using True by auto
have b2: "current t ≠ (TEE sysconf) ∨ (exec_prime t) = [] ∨ (snd (hd (exec_prime t)) ≠ TEE_CS4)"
using a12 a5 b1 by auto
have b3: "s = s'"
using b1 TEE_CloseTASession4_def a10
by (smt (z3) prod.collapse prod.inject)
have b4: "t = t'"
using b2 TEE_CloseTASession4_def a11
by (smt (z3) prod.collapse prod.inject)
then show ?thesis
proof-
{
have c1: "(s' ∼ d ∼ t')"
using a3 b3 b4 by blast
then show ?thesis by auto
}
qed
next
case False
have d0: "current s = TEE sysconf"
using False by auto
have d1: "current s = (TEE sysconf) ∧ (exec_prime s) ≠ [] ∧ snd (hd (exec_prime s)) = TEE_CS4"
using False by auto
have d2: "current t = (TEE sysconf) ∧ (exec_prime t) ≠ [] ∧ snd (hd (exec_prime t)) = TEE_CS4"
using False a12 a5 by auto
have d3: "?servTid = ?servTid_t"
by (simp add: a5)
have d4: "ta_mgr(TEE_state s) = ta_mgr(TEE_state t)"
by (simp add: a13)
have d5: "ta_mgr(TEE_state ?s_rev_event) = ta_mgr(TEE_state ?t_rev_event)"
by (simp add: d4)
have d6: "?mgrTaInsList = ?mgrTaInsList_t"
by (simp add: d4)
have d7: "?curMgrTaIns = ?curMgrTaIns_t"
using d6 d3 by simp
have d8: "?curMgrTaIns_attr = ?curMgrTaIns_attr_t"
by (simp add: a5 d4)
have d9: "?isSingleInstance = ?isSingleInstance_t"
by (simp add: a5 d4)
have d10: "?isKeepAlive = ?isKeepAlive_t"
by (simp add: a5 d4)
have d11: "reference_cnt (the ?curMgrTaIns) = reference_cnt (the ?curMgrTaIns_t)"
by (simp add: a5 d4)
have d12: "?curMgrTaIns_refCnt = ?curMgrTaIns_refCnt_t"
by (simp add: a5 d4)
have d13: "findMgrSessionFromList s (the ?ses_id) = findMgrSessionFromList t (the ?ses_id_t)"
proof-
{
let ?mgr = "(ta_mgr(TEE_state s))"
let ?lst = "mgr_ta_sessions (ta_mgr (TEE_state s))"
let ?index = "(SOME x. (the ?ses_id) = session_id (?lst!x))"
let ?mgr_session = "?lst!?index"
let ?mgr_t = "(ta_mgr(TEE_state t))"
let ?lst_t = "mgr_ta_sessions (ta_mgr (TEE_state t))"
let ?index_t = "(SOME x. (the ?ses_id_t) = session_id (?lst_t!x))"
let ?mgr_session_t = "?lst_t!?index_t"
have d13_0: "?mgr = ?mgr_t"
by (simp add: d4)
have d13_1: "?lst = ?lst_t"
by (simp add: d4)
have d13_2: "?index = ?index_t"
by (simp add: a5 d4)
have d13_3: "?mgr_session = ?mgr_session_t"
by (simp add: a5 d4)
then show ?thesis
by (metis findMgrSessionFromList_def)
}
qed
have d14: "?mgrSes = ?mgrSes_t"
using d13 by simp
have d15: "?loginType = ?loginType_t"
by (simp add: d13)
then show ?thesis
proof(cases "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)")
case True
have c1: "?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY)"
using True by auto
have c2: "?curMgrTaIns_refCnt_t = 0 ∧ (¬(?isKeepAlive_t = True ∧ ?isSingleInstance_t = True) | ?loginType_t = DTC_IDENTITY)"
using a5 c1 d13 d4 by force
have c3: "s' = ?s_removeTaMemInTee"
using TEE_CloseTASession4_def a10 c1 d1
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
have c4: "t' = ?t_removeTaMemInTee"
using TEE_CloseTASession4_def a11 c2 d2
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: c5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: c5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m7_0: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}"
using removeAllSessIdInTaInsSessList_def
using tee_memories_removeAllSessIdInTaInsSessList by presburger
have m8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m10: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (block_id x=0)}"
using tee_memories_removeTaInsInMgrInsList by force
have m11: "{x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (block_id x=0)}"
using tee_memories_addCloseSessionEvent by auto
have m12: "{x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}"
using tee_memories_deleteTaStateByThreadId by auto
have m13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m14_0: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}"
using m14 m5 m7 tee_memories_removeAllSessIdInTaInsSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m17: "{x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (block_id x=0)}"
using tee_memories_removeTaInsInMgrInsList by force
have m18: "{x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (block_id x=0)}"
using tee_memories_addCloseSessionEvent by auto
have m19: "{x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}"
using tee_memories_deleteTaStateByThreadId by auto
have m20: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}"
using m14 m14_0 m5 m7 m7_0 tee_memories_addCloseSessionEvent tee_memories_deleteTaStateByThreadId
tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef
by force
have m21: "{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}"
proof -{
have m211: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
by simp
have m212: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid)"
using a5
by simp
show ?thesis
proof (cases "(the ?servTid) = 1")
case True
have m216:"∀x::MemBlock. (ownership x=1⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1 True
by simp
have m217:"tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using m211 removeTaMemInTeeDomain_def prop6
by simp
have m218:"{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}= {}"
using prop7 m217 m216
by auto
have m219:"∀x::MemBlock. (ownership x=1⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1 True
by simp
have m220:"tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using m212 removeTaMemInTeeDomain_def prop6
by simp
have m211:"{x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}= {}"
using prop7 m219 m220
by auto
show ?thesis using m218 m220 m211
by blast
next
case False
have m213: "(the ?servTid) ≠ 1" using False
by blast
have m2131: "∀x::MemBlock. (ownership x=(the ?servTid)⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1
by blast
have m2132: "tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using m211 removeTaMemInTeeDomain_def prop6
by simp
have m21321: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))⟶ownership x = (the ?servTid)"
using m2132 prop3
by auto
have m21322: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))⟶block_id x ≠ 0"
using m213 m21321 prop8
by simp
have m2134: "∀x::MemBlock. (ownership x=(the ?servTid)⟶x∉set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1
by simp
have m21341: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))⟶ownership x = (the ?servTid)"
using m2134 prop3 a5 prop6
by auto
have m21342: "∀x::MemBlock. x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))⟶block_id x ≠ 0"
using m213 m21341 prop8
by simp
have m2135: "tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using m212 m211 removeTaMemInTeeDomain_def prop6
by simp
have m214: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (block_id x=0)}" using m21322 m2132 prop2
by auto
have m215: "{x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (block_id x=0)}" using m21342 m2135 prop2
by auto
then show ?thesis using m214 m215 m20
by simp
qed
}
qed
have m22: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m21 by (simp add: c3 c4)
then show ?thesis using m22
using m1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j8_1: "ree_total_size(REE_state ?s_removeSess_inMgrTaSes) = ree_total_size(REE_state ?s_removeSess_inMgrClientTaInsSesList)"
using removeAllSessIdInTaInsSessList_def ree_total_size_removeAllSessIdInTaInsSessList
by blast
have j9: "ree_total_size(REE_state ?s_removeSess_inMgrClientTaInsSesList) = ree_total_size(REE_state ?s_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j10: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?s_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j11: "ree_total_size(REE_state ?s_subRef) = ree_total_size(REE_state ?s_removeTaInTaIns)"
by (simp add: ree_total_size_removeTaInsInMgrInsList)
have j12: "ree_total_size(REE_state ?s_removeTaInTaIns) = ree_total_size(REE_state ?s_closeCurTaInsSessList)"
using ree_total_size_addCloseSessionEvent by simp
have j13: "ree_total_size(REE_state ?s_closeCurTaInsSessList) = ree_total_size(REE_state ?s_teeState_deleteCurTa)"
using ree_total_size_deleteTaStateByThreadId by simp
have j14: "ree_total_size(REE_state ?s_teeState_deleteCurTa) = ree_total_size(REE_state ?s_removeTaMemInTee)"
by (simp add: ree_total_size_removeTaMemInTeeDomain)
have j15: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state ?s_removeTaMemInTee)"
by linarith
have j16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j17: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j17_1: "ree_total_size(REE_state ?t_removeSess_inMgrTaSes) = ree_total_size(REE_state ?t_removeSess_inMgrClientTaInsSesList)"
using removeAllSessionInMgrSesList_def
using ree_total_size_removeAllSessIdInTaInsSessList by blast
have j18: "ree_total_size(REE_state ?t_removeSess_inMgrClientTaInsSesList) = ree_total_size(REE_state ?t_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j19: "ree_total_size(REE_state ?t_setNotBusy) = ree_total_size(REE_state ?t_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j20: "ree_total_size(REE_state ?t_subRef) = ree_total_size(REE_state ?t_removeTaInTaIns)"
by (simp add: ree_total_size_removeTaInsInMgrInsList)
have j21: "ree_total_size(REE_state ?t_removeTaInTaIns) = ree_total_size(REE_state ?t_closeCurTaInsSessList)"
using ree_total_size_addCloseSessionEvent by simp
have j22: "ree_total_size(REE_state ?t_closeCurTaInsSessList) = ree_total_size(REE_state ?t_teeState_deleteCurTa)"
using ree_total_size_deleteTaStateByThreadId by simp
have j23: "ree_total_size(REE_state ?t_teeState_deleteCurTa) = ree_total_size(REE_state ?t_removeTaMemInTee)"
by (simp add: ree_total_size_removeTaMemInTeeDomain)
have j24: "ree_total_size(REE_state ?t_removeTaMemInTee) = ree_total_size(REE_state ?t_removeTaMemInTee)"
by linarith
have j25: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state ?t_removeTaMemInTee)"
using j10 j11 j12 j13 j14 j16 j17 j17_1 j18 j19 j20 j21 j22 j23 j5 j7 j8 j8_1 j9
by presburger
have j26: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j27: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j27_1: "driver_mem(REE_state ?s_removeSess_inMgrTaSes) = driver_mem(REE_state ?s_removeSess_inMgrClientTaInsSesList)"
using driver_mem_removeAllSessIdInTaInsSessList
by blast
have j28: "driver_mem(REE_state ?s_removeSess_inMgrClientTaInsSesList) = driver_mem(REE_state ?s_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j29: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?s_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j30: "driver_mem(REE_state ?s_subRef) = driver_mem(REE_state ?s_removeTaInTaIns)"
by (simp add: driver_mem_removeTaInsInMgrInsList)
have j31: "driver_mem(REE_state ?s_removeTaInTaIns) = driver_mem(REE_state ?s_closeCurTaInsSessList)"
using driver_mem_addCloseSessionEvent by simp
have j32: "driver_mem(REE_state ?s_closeCurTaInsSessList) = driver_mem(REE_state ?s_teeState_deleteCurTa)"
using driver_mem_deleteTaStateByThreadId by simp
have j33: "driver_mem(REE_state ?s_teeState_deleteCurTa) = driver_mem(REE_state ?s_removeTaMemInTee)"
by (simp add: driver_mem_removeTaMemInTeeDomain)
have j34: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state ?s_removeTaMemInTee)"
by simp
have j35: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j36: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j36_0: "driver_mem(REE_state ?t_removeSess_inMgrTaSes) = driver_mem(REE_state ?t_removeSess_inMgrClientTaInsSesList)"
by (simp add: driver_mem_removeAllSessIdInTaInsSessList)
have j37: "driver_mem(REE_state ?t_removeSess_inMgrClientTaInsSesList) = driver_mem(REE_state ?t_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j38: "driver_mem(REE_state ?t_setNotBusy) = driver_mem(REE_state ?t_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j39: "driver_mem(REE_state ?t_subRef) = driver_mem(REE_state ?t_removeTaInTaIns)"
by (simp add: driver_mem_removeTaInsInMgrInsList)
have j40: "driver_mem(REE_state ?t_removeTaInTaIns) = driver_mem(REE_state ?t_closeCurTaInsSessList)"
using driver_mem_addCloseSessionEvent by simp
have j41: "driver_mem(REE_state ?t_closeCurTaInsSessList) = driver_mem(REE_state ?t_teeState_deleteCurTa)"
using driver_mem_deleteTaStateByThreadId by simp
have j42: "driver_mem(REE_state ?t_teeState_deleteCurTa) = driver_mem(REE_state ?t_removeTaMemInTee)"
by (simp add: driver_mem_removeTaMemInTeeDomain)
have j44: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state ?t_removeTaMemInTee)"
using j26 j27 j27_1 j28 j29 j30 j31 j32 j33 j35 j36 j36_0 j37 j38 j39 j40 j41 j42 j6
by presburger
have j13: "driver_mem(REE_state ?t_removeTaMemInTee) = driver_mem(REE_state t')"
by (simp add: c4)
have j14: "driver_mem(REE_state ?s_removeTaMemInTee) = driver_mem(REE_state s')"
by (simp add: c3)
have j15: "ree_total_size(REE_state ?t_removeTaMemInTee) = ree_total_size(REE_state t')"
by (simp add: c4)
have j16: "ree_total_size(REE_state ?s_removeTaMemInTee) = ree_total_size(REE_state s')"
by (simp add: c3)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using j9 j12 j13 j14 j15 j16 j25 j44
by presburger
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson d17 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using d17 by auto
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h7_0: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}"
using removeAllSessIdInTaInsSessList_def
using tee_memories_removeAllSessIdInTaInsSessList by presburger
have h8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h10: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (ownership x=d)}"
using tee_memories_removeTaInsInMgrInsList by fastforce
have h11: "{x. x∈set(tee_memories (TEE_state ?s_removeTaInTaIns))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (ownership x=d)}"
using tee_memories_addCloseSessionEvent by auto
have h12: "{x. x∈set(tee_memories (TEE_state ?s_closeCurTaInsSessList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}"
using tee_memories_deleteTaStateByThreadId by auto
have h13: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h14_0: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def
using tee_memories_removeAllSessIdInTaInsSessList by force
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h17: "{x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (ownership x=d)}"
using tee_memories_removeTaInsInMgrInsList by fastforce
have h18: "{x. x∈set(tee_memories (TEE_state ?t_removeTaInTaIns))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (ownership x=d)}"
using tee_memories_addCloseSessionEvent by auto
have h19: "{x. x∈set(tee_memories (TEE_state ?t_closeCurTaInsSessList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}"
using tee_memories_deleteTaStateByThreadId by auto
have h20: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}"
using h14 h14_0 h5 h7 h7_0 tee_memories_deleteTaStateByThreadId tee_memories_addCloseSessionEvent
tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef
by force
have h21: "{x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
proof (cases "d = (the ?servTid)")
case True
have h215: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa d"
using True
by simp
have h2151: "∀x::MemBlock. (ownership x=d⟶x∉set(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?s_teeState_deleteCurTa))))"
using prop1
by blast
have h2152: "tee_memories (TEE_state ?s_removeTaMemInTee) = (removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using h215 removeTaMemInTeeDomain_def prop6
by simp
have h217: "∀x::MemBlock. (ownership x=d⟶x∉set(tee_memories (TEE_state ?s_removeTaMemInTee)))"
using h2151 h2152
by simp
have h219: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa d"
using True a5
by simp
have h2191: "∀x::MemBlock. (ownership x=d⟶x∉set(removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?t_teeState_deleteCurTa))))"
using prop1
by blast
have h2192: "tee_memories (TEE_state ?t_removeTaMemInTee) = (removeAllMemBlockInMemBlockList d (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using h219 removeTaMemInTeeDomain_def prop6
by auto
have h218: "∀x. ownership x=d⟶x∉set(tee_memories (TEE_state ?t_removeTaMemInTee))"
using h2191 h2192
by simp
show ?thesis
using h217 h218
by blast
next
case False
have h216: "?s_removeTaMemInTee = removeTaMemInTeeDomain ?s_teeState_deleteCurTa (the ?servTid)"
by simp
have h2111: "tee_memories (TEE_state ?s_removeTaMemInTee) = removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa))"
using removeTaMemInTeeDomain_def h216 prop6
by blast
have h2112: "∀x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ownership x ≠ (the ?servTid) ⟶ x∈set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?s_teeState_deleteCurTa)))"
using h2111 prop3
by simp
have h211: "{x. x∈set(tee_memories (TEE_state ?s_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}"
using False removeTaMemInTeeDomain_def h216 prop2 h2111 h2112
by auto
have h212: "{x. x∈set(tee_memories (TEE_state ?t_teeState_deleteCurTa))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
proof -{
have h2120: "?t_removeTaMemInTee = removeTaMemInTeeDomain ?t_teeState_deleteCurTa (the ?servTid)"
using a5
by auto
have h2121: "tee_memories (TEE_state ?t_removeTaMemInTee) = removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa))"
using removeTaMemInTeeDomain_def h2120 prop6
by simp
have h2122: "∀x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ownership x ≠ (the ?servTid) ⟶ x∈set(removeAllMemBlockInMemBlockList (the ?servTid) (tee_memories (TEE_state ?t_teeState_deleteCurTa)))"
using h2120 prop6
by simp
show ?thesis
using h2120 h2121 h2122 removeTaMemInTeeDomain_def False prop2
by auto
}
qed
show ?thesis
using False h20 h211 h212
by simp
qed
have h22: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeTaMemInTee))∧ (ownership x=d)}"
using c3 by fastforce
have h23: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeTaMemInTee))∧ (ownership x=d)}"
using c4 by blast
have h24: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
by (simp add: h21 h22 h23)
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d16 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
by (meson d13 vpeq1_def)
then show ?thesis by blast
}
qed
qed
qed
qed
next
case False
have e1: "¬(?curMgrTaIns_refCnt = 0 ∧ (¬(?isKeepAlive = True ∧ ?isSingleInstance = True) | ?loginType = DTC_IDENTITY))"
using False by blast
have e2: "¬(?curMgrTaIns_refCnt_t = 0 ∧ (¬(?isKeepAlive_t = True ∧ ?isSingleInstance_t = True) | ?loginType_t = DTC_IDENTITY))"
using a5 d13 d4 e1 by presburger
have e3: "s' = ?s_subRef"
using TEE_CloseTASession4_def a10 e1 d1
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
have e4: "t' = ?t_subRef"
using TEE_CloseTASession4_def a11 e2 d2
by (smt (z3) False State.fold_congs(6) old.prod.inject prod.collapse)
then show ?thesis
proof(cases "d = TEE sysconf")
case True
have c5: "d = TEE sysconf"
by (simp add: True)
then show ?thesis
proof-
{
have m1: "(s' ∼ d ∼ t') = vpeq_TEE s' d t'"
by (simp add: c5)
have m2: "vpeq_TEE s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)})"
by simp
have m3: "(s ∼ d ∼ t) = vpeq_TEE s d t"
by (simp add: c5)
have m4: "vpeq_TEE s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)})"
by simp
have m5: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}"
using a3 m3 by auto
have m6: "{x. x∈set(tee_memories (TEE_state s))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}"
by auto
have m7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m7_0: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def
using tee_memories_removeAllSessIdInTaInsSessList by presburger
have m8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m13: "{x. x∈set(tee_memories (TEE_state t))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}"
by auto
have m14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def by auto
have m14_0: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}"
using removeAllSessionInMgrSesList_def
using tee_memories_removeAllSessIdInTaInsSessList by auto
have m15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}"
using tee_memories_setTaInsBusy by auto
have m16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using tee_memories_subtractMgrInsRef by auto
have m20: "{x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (block_id x=0)}"
using m14 m5 m7 m14_0 m7_0 tee_memories_addCloseSessionEvent2 tee_memories_deleteTaStateByThreadId
tee_memories_removeTaInsInMgrInsList tee_memories_setTaInsBusy tee_memories_subtractMgrInsRef by force
have m22: "{x. x∈set(tee_memories (TEE_state s'))∧ (block_id x=0)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (block_id x=0)}"
using m20
by (simp add: e3 e4)
then show ?thesis using m22
using m1 by auto
}
qed
next
case False
have d14: "d ≠ TEE sysconf"
by (simp add: False)
then show ?thesis
proof(cases "d = REE sysconf")
case True
have d15: "d ≠ TEE sysconf ∧ d = REE sysconf"
using True d14 by auto
then show ?thesis
proof-
{
have j1: "(s' ∼ d ∼ t') = vpeq_REE s' d t'"
using True d14 by auto
have j2: "vpeq_REE s' d t' = (ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
by simp
have j3: "(s ∼ d ∼ t) = vpeq_REE s d t"
using True d14 by fastforce
have j4: "vpeq_REE s d t = (ree_total_size(REE_state s) = ree_total_size (REE_state t)
∧ driver_mem(REE_state s) = driver_mem(REE_state t))"
by simp
have j5: "ree_total_size(REE_state s) = ree_total_size (REE_state t)"
using a3 j3 by auto
have j6: "driver_mem(REE_state s) = driver_mem(REE_state t)"
using a3 j3 by auto
have j7: "ree_total_size(REE_state s) = ree_total_size(REE_state ?s_rev_event)"
by auto
have j8: "ree_total_size(REE_state ?s_rev_event) = ree_total_size(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j8_0: "ree_total_size(REE_state ?s_removeSess_inMgrTaSes) = ree_total_size(REE_state ?s_removeSess_inMgrClientTaInsSesList)"
by (simp add: ree_total_size_removeAllSessIdInTaInsSessList)
have j9: "ree_total_size(REE_state ?s_removeSess_inMgrClientTaInsSesList) = ree_total_size(REE_state ?s_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j10: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?s_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j16: "ree_total_size(REE_state t) = ree_total_size(REE_state ?t_rev_event)"
by auto
have j17: "ree_total_size(REE_state ?t_rev_event) = ree_total_size(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j17_0: "ree_total_size(REE_state ?t_removeSess_inMgrTaSes) = ree_total_size(REE_state ?t_removeSess_inMgrClientTaInsSesList)"
by (simp add: ree_total_size_removeAllSessIdInTaInsSessList)
have j18: "ree_total_size(REE_state ?t_removeSess_inMgrClientTaInsSesList) = ree_total_size(REE_state ?t_setNotBusy)"
by (simp add: ree_total_size_setTaInsBusy)
have j19: "ree_total_size(REE_state ?t_setNotBusy) = ree_total_size(REE_state ?t_subRef)"
by (simp add: ree_total_size_subtractMgrInsRef)
have j25: "ree_total_size(REE_state ?s_setNotBusy) = ree_total_size(REE_state ?t_setNotBusy)"
using j16 j17 j17_0 j18 j5 j7 j8 j8_0 j9 by presburger
have j26: "driver_mem(REE_state s) = driver_mem(REE_state ?s_rev_event)"
by auto
have j27: "driver_mem(REE_state ?s_rev_event) = driver_mem(REE_state ?s_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j27_0: "driver_mem(REE_state ?s_removeSess_inMgrTaSes) = driver_mem(REE_state ?s_removeSess_inMgrClientTaInsSesList)"
using driver_mem_removeAllSessIdInTaInsSessList by auto
have j28: "driver_mem(REE_state ?s_removeSess_inMgrClientTaInsSesList) = driver_mem(REE_state ?s_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j29: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?s_subRef)"
by (simp add: driver_mem_subtractMgrInsRef)
have j35: "driver_mem(REE_state t) = driver_mem(REE_state ?t_rev_event)"
by auto
have j36: "driver_mem(REE_state ?t_rev_event) = driver_mem(REE_state ?t_removeSess_inMgrTaSes)"
using removeAllSessionInMgrSesList_def by auto
have j36_0: "driver_mem(REE_state ?t_removeSess_inMgrTaSes) = driver_mem(REE_state ?t_removeSess_inMgrClientTaInsSesList)"
by (simp add: driver_mem_removeAllSessIdInTaInsSessList)
have j37: "driver_mem(REE_state ?t_removeSess_inMgrClientTaInsSesList) = driver_mem(REE_state ?t_setNotBusy)"
by (simp add: driver_mem_setTaInsBusy)
have j44: "driver_mem(REE_state ?s_setNotBusy) = driver_mem(REE_state ?t_setNotBusy)"
using driver_mem_tee_setTaInsBusy j26 j27 j27_0 j35 j36 j36_0 j6 by presburger
have j13: "driver_mem(REE_state ?t_subRef) = driver_mem(REE_state t')"
using driver_mem_subtractMgrInsRef e4 j44 by auto
have j14: "driver_mem(REE_state ?s_subRef) = driver_mem(REE_state s')"
using e3 by fastforce
have j15: "ree_total_size(REE_state ?t_subRef) = ree_total_size(REE_state t')"
by (simp add: e4)
have j16: "ree_total_size(REE_state ?s_subRef) = ree_total_size(REE_state s')"
by (simp add: e3)
have j17: "(ree_total_size(REE_state s') = ree_total_size (REE_state t')
∧ driver_mem(REE_state s') = driver_mem(REE_state t'))"
using driver_mem_subtractMgrInsRef j10 j13 j14 j15 j16 j19 j25 j26 j27 j28 j35 j36 j37 j6 j27_0 j36_0
by presburger
then show ?thesis using j17 j1 by auto
}
qed
next
case False
then have d16: "d ≠ TEE sysconf ∧ d ≠ REE sysconf"
by (simp add: d14)
then show ?thesis
proof(cases "is_TA sysconf d")
case True
then have d17: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ (is_TA sysconf d)"
using d16 by blast
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq_TA s' d t'"
by (meson d17 vpeq1_def)
have h2: "vpeq_TA s' d t' = ({x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)})"
by simp
have h3: "(s ∼ d ∼ t) = vpeq_TA s d t"
using d17 by auto
have h4: "vpeq_TA s d t = ({x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)})"
by simp
have h5: "{x. x∈set(tee_memories (TEE_state s))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t))∧ (ownership x=d)}"
by (metis a3 h3 h4)
have h6: "tee_memories (TEE_state s) = tee_memories (TEE_state ?s_rev_event)"
by auto
have h7: "{x. x∈set(tee_memories (TEE_state ?s_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h7_0: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaInsSessList by auto
have h8: "{x. x∈set(tee_memories (TEE_state ?s_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h9: "{x. x∈set(tee_memories (TEE_state ?s_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h13: "tee_memories (TEE_state t) = tee_memories (TEE_state ?t_rev_event)"
by auto
have h14: "{x. x∈set(tee_memories (TEE_state ?t_rev_event))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}"
using removeAllSessionInMgrSesList_def by auto
have h14_0: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrTaSes))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}"
using tee_memories_removeAllSessIdInTaInsSessList by fastforce
have h15: "{x. x∈set(tee_memories (TEE_state ?t_removeSess_inMgrClientTaInsSesList))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}"
using tee_memories_setTaInsBusy by auto
have h16: "{x. x∈set(tee_memories (TEE_state ?t_setNotBusy))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
using tee_memories_subtractMgrInsRef by auto
have h22: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?s_subRef))∧ (ownership x=d)}"
by (simp add: e3)
have h23: "{x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state ?t_subRef))∧ (ownership x=d)}"
by (simp add: e4)
have h24: "{x. x∈set(tee_memories (TEE_state s'))∧ (ownership x=d)}
= {x. x∈set(tee_memories (TEE_state t'))∧ (ownership x=d)}"
using a3 h14 h15 h16 h22 h23 h3 h7 h8 h9 h7_0 h14_0 by force
then show ?thesis
using h1 h2 by blast
}
qed
next
case False
then have d13: "d ≠ TEE sysconf ∧ d ≠ REE sysconf ∧ ¬(is_TA sysconf d)"
using d16 by auto
then show ?thesis
proof-
{
have h1: "(s' ∼ d ∼ t') = vpeq1 s' d t'"
by simp
have h2: "vpeq1 s' d t' = True"
by (meson d13 vpeq1_def)
then show ?thesis by blast
}
qed
qed
qed
qed
qed
qed
} then show ?thesis
using get_exec_prime_def
by (smt (verit, best) Pair_inject)
qed
lemma TEE_CloseTASession4_weak_confidentiality_e:
"weak_confidentiality_e (hyperc (TEE_CLOSETASESSION4))"
using TEE_CloseTASession4_weak_confidentiality weak_confidentiality_e_def
using get_exec_prime_def by auto
end