
SeL4 is verified on RISC-V - ingve
https://microkerneldude.wordpress.com/2020/06/09/sel4-is-verified-on-risc-v/
======
jakecopp
Just a reminder that the government of Australia has continued to cut CSIRO
funding, the national science agency of Australia that invented/funded SeL4
(amongst WiFi and other things).

[https://www.smh.com.au/national/australia-risks-brain-drain-...](https://www.smh.com.au/national/australia-risks-brain-drain-as-csiro-flounders-20190918-p52sl7.html)

[https://www.csiro.au/en/News/News-releases/2020/seL4-develop...](https://www.csiro.au/en/News/News-releases/2020/seL4-developers-create-open-source-foundation)

~~~
kragen
We hackers can't continue to depend on the life-and-death high-school
popularity contests that are electoral politics to fund the development of a
better future. We need to find ways to fund public-interest hacking, like the
hacking that produced seL4, that don't come from taxes.

~~~
bjz_
I don't think these kinds of long term, far-seeing projects would survive in
the life-and-death contest of startups and the private sector either.

I dunno what the alternative is, other than political activism, pushing
parties to support progressive tax policies, and educating our peers and
family members. It's not only research on the line here.

~~~
kragen
The key is that money is, for most people, a negative need, not a positive
one. The authors of seL4 didn't write it because they expected to get
superrich — but they could have been prevented from doing it by needing a job
to pay the rent. Remember that Bram Cohen wrote BitTorrent while couchsurfing
on friends' couches and living off credit card balance transfers. YC was
founded with the idea that three months of "ramen money" would be enough to
get a lot of ideas off the ground.

I think there are a lot of things we can do:

1. Promote free software, peer-to-peer networking, cryptocurrencies, and
privacy software like Tor. Don't forget, governments burn libraries. Free
hardware like RISC-V will become extremely important once we have matter
compilers.

2. Lobby against patent, copyright, trade secret, noncompete enforceability,
and other legislation that make the contents of employees' minds the property
of their employers and legally impose censorship. We don't need to eliminate
these entirely, but the more we can reduce their scope, the better off we are.
California's pioneering legislation in this area was probably a significant
factor in the 1980s move of the computer world's center of gravity from Boston
to Silicon Valley; China's nonenforcement was probably a significant factor in
its 2000s move from California to China.

3. Remind people that the freedom to tinker is a human-rights issue, a
government transparency and accountability issue, a consumer-protection issue.
We need all the allies we can get.

4. Reduce people's dependency on employers and employment for what they need
to survive, through programs like public libraries, public healthcare,
retirement, public education, universal basic income, churches, widespread
solar panel deployment, squatters' rights and easier adverse possession,
homesteading, soup kitchens, the Rainbow Gathering, ashrams, food banks,
police reform, volunteer mental health counseling, decent public housing like
Britain's 1960s council housing, BeWelcome, Hospitality Club, and open
borders. Our current society already produces so much that scarcity of basic
goods need not imperil anybody's survival. (There are of course cases on the
margin like funding Gilead's development of new drugs, and perhaps
synthesizing some drugs that are especially difficult, but that's no reason
for people to die on the streets of homelessness-induced hypothermia.)

5. Organize programs like GSoC, Patreon, and Kickstarter that can raise funds
to the people working on public goods such as free software. Alex Tabarrok's
"dominant assurance contracts" might provide an incentive structure for this
that improves on Kickstarter's incentive structure.

6. Organize into collectives such as monasteries, Google, or universities —
organizations like these, imperfect though they are, have often been very
effective at protecting their members from the societal pressures of the
"life-and-death contest of startups and the private sector", not to mention
law enforcement, with constructs such as academic freedom, tenure,
"Googliness", and 20% time. Today's Google, like today's universities, is
unfortunately not as strong as it once was — hierarchical command
relationships make them vulnerable to political takeovers. But a university is
fundamentally a faculty senate organized around a library, and Google was at
one time fundamentally a group of hackers organized around a search engine.
Such things can be destroyed, but they can also be created. They can survive
by receiving donations, as some monasteries do; by providing services to
outside entities, as universities often have; or by earning rent from an
endowment, as state land-grant universities and other monasteries do.

The housing issue is particularly bad because, in many places, legally housing
a person costs hundreds of thousands of dollars, more than an average employee
can earn in many years. I wrote a bit in
[https://news.ycombinator.com/item?id=23264786](https://news.ycombinator.com/item?id=23264786)
about the underlying economics of the situation.

~~~
ngcc_hk
“China's nonenforcement was probably a significant factor in its 2000s move
from California to China.” One of the most anti-human and arbitrarily ruled
organisations is the best place to develop software because it is free? Are
you joking?

You need to be free as a person for free software to be meaningful. Imagine
GNU operating in China and running software on campus (eg
[https://www.gnu.org/education/teaching-my-mit-classes-with-o...](https://www.gnu.org/education/teaching-my-mit-classes-with-only-free-libre-software.html)). Imagine ...

------
neilv
I'm really looking forward to (hoping for) fully-open hardware platforms to
build upon, with fully-open toolchains and software stacks atop them, and to
get rid of a lot of crud along the way. RISC-V is one of the inspiring
potential pieces of that.

------
valera_rozuvan
Quote from [1]:

RISC-V has some nice work and support but that software/firmware/optimized OS
ecosystem does not develop itself overnight. And x86 and ARM are still
proprietary ISAs but also have mature software/firmware/OS (optimized)
ecosystems.

Now just because the Power9/Power ISA is opened up does not mean that IBM’s
specific hardware implementation that executes that now open ISA is open, and
ditto for any other MIPS ISA or RISC-V ISA running on others’ custom hardware
implementations. Folks, it’s the underlying hardware implementation that gets
the real work done and an ISA is nothing more than an execution template that
can have any specific custom hardware implementation being more efficient or
less efficient depending on that in-hardware implementation that’s engineered
to execute the ISA.

----------

[1] [https://www.nextplatform.com/2019/08/20/big-blue-open-source...](https://www.nextplatform.com/2019/08/20/big-blue-open-sources-power-chip-instruction-set/)

~~~
fluffything
Why cite another source:

* this article acknowledges that while open-source hardware requires an open-source ISA, this requirement is not sufficient

* this article mentions open-source hardware that implements the open-source RISC-V ISA, and the type of applications and research that this hardware is used for (e.g. eliminating Spectre-like timing attacks). It also mentions how such research is pretty much impossible to publish for non-open-source hardware using non-open-source ISAs.

~~~
dathinab
> this article mentions open-source hardware that implements the open-source
> RISC-V ISA, and the type of applications and research that this hardware is
> used for (e.g. eliminating Spectre-like timing attacks). It also mentions
> how such research is pretty much impossible to publish for non-open-source
> hardware using non-open-source ISAs.

Yes, that's the main point IMHO. It's firstly about making research easier and
decoupled from some companies, allowing you to then push given companies to
adopt research. It also slightly increases the chances for more competition on
the CPU market by making entry easier for new companies. Lastly it's useful
for countries which want to become less dependent on the US.

The idea that somehow an open source ISA will lead to open source hardware
which will replace well established hardware is a bit too optimistic in my
opinion. But it can do a lot of good even without it.

~~~
cestith
Personally, I have no doubt RISC-V will largely replace proprietary ISAs and
chips in some market segments. What I doubt is that your desktop, laptop, and
phone are those segments.

------
ur-whale
> This means that it is proved to be bug-free relative to a specification
> formulated in a mathematical logic

But, but, but ... has the specification been proved to be bug-free?

As in does the specification meet eg a set of security constraints?

~~~
lmm
Perhaps you are a brain in a vat being deceived into thinking that the
specification exists. Perhaps any memories you have of reading the
specification are false and implanted. Perhaps this very comment doesn't
actually exist, you are merely hallucinating the memory of having read it.

Nothing can be known with absolute certainty. But a specification is much
smaller than an implementation and misunderstandings of specifications are
much less common than bugs in code. Don't let perfect be the enemy of good.

~~~
MaxBarraclough
Philosophy of that sort offers little insight into correctness in formal
software development, just as it offers little insight into the study of
mathematics.

In practice, bugs can creep in at various stages of a formal development
process, but they're _much_ less common than with non-formal software
development methodologies, as you say.

See page 46 of this case study (giant PDF warning):
[https://www.adacore.com/uploads/downloads/Tokeneer_Report.pd...](https://www.adacore.com/uploads/downloads/Tokeneer_Report.pdf)

~~~
lmm
> Philosophy of that sort offers little insight into correctness in formal
> software development, just as it offers little insight into the study of
> mathematics.

I disagree. Knowing the limits of what is possible is important, so that we
don't waste our time looking for the impossible.

~~~
exikyut
What if our ability to know/reason about what is possible has a hard limit
lower than the limits of what is truly possible?

~~~
lmm
Such a limit would be worth knowing about. But I see no reason to assume that
limit exists in the absence of evidence, particularly as our tools and
reasoning are improving all the time.

~~~
MaxBarraclough
We can be pretty sure there _is_ a limit. We're physical creatures in a
(roughly) deterministic world, so ultimately we're bound by Rice's theorem
just as computers are.

Can the human brain in principle be simulated by a (deterministic) algorithm?
Seems to me the answer is obviously _yes_ , as we are 'merely' extremely
complex machines whose operation is governed by deterministic physical laws.
If you agree, you are forced to agree that we are bound by Rice's theorem.

Whether it's ever likely to be a practical problem, is another matter.

 _edit:_ We already know there are mathematically interesting numbers so
enormous they cannot be represented in our universe, let alone computed by
humans or our machines. That's not really the kind of practical limit we're
interested in, but it still shows a limit of a sort. TREE(3) for instance.

~~~
lmm
My perspective on results like Rice's theorem is that they tell us that the
Turing machine formalism can express incomprehensible programs. I don't see
that as a convincing argument that there are important or useful programs that
we cannot comprehend; rather I see it as a demonstration the Turing machine
model is broad, and an argument that we should look for stricter models that
still admit all the programs we care about (probably based on some form of
typed lambda calculus).

~~~
MaxBarraclough
> My perspective on results like Rice's theorem is that they tell us that the
> Turing machine formalism can express incomprehensible programs.

I'm afraid I don't know what you're saying here.

> I don't see that as a convincing argument that there are important or useful
> programs that we cannot comprehend

I don't see that there's any way to contest it. The only way to deny that we
are bound by Rice's theorem, is to deny that the human mind is algorithmic.
This presumably requires the denial of determinism, which is fairly absurd.

If you're not following my argument, I'd be happy to rephrase it.

> an argument that we should look for stricter models that still admit all the
> programs we care about (probably based on some form of typed lambda
> calculus).

That offers no escape. We're still bound by Rice's theorem. Perhaps it will
never be a practical issue, but the fact remains.

~~~
lmm
> If you're not following my argument, I'd be happy to rephrase it.

I'm not following what it is that you think Rice's theorem tells us.

Rice's theorem says that nontrivial properties of Turing machine programs are
undecidable, i.e. for a given property, there will be Turing-machine programs
for which we can't tell whether they have that property or not.

That doesn't tell us anything about what is possible for programs, or put any
limits on programs that we _do_ understand. It just says that in the Turing
machine model there must exist programs that we don't understand. Fine. Who
cares?

~~~
MaxBarraclough
Sounds like we're completely agreed.

------
robert_g
seL4: they used Haskell to create a model which was then their specification to
help with the formal verification process [1][2].

[1]
[https://dl.acm.org/doi/pdf/10.1145/1159842.1159850](https://dl.acm.org/doi/pdf/10.1145/1159842.1159850)

[2]
[https://www.sigops.org/s/conferences/sosp/2009/papers/klein-...](https://www.sigops.org/s/conferences/sosp/2009/papers/klein-sosp09.pdf)

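The two points above, that a specification is much smaller than its implementation and that seL4's specification is an executable functional model the C code is proven to refine, can be seen on a toy scale. The following is an added example, not code from seL4 or from this thread: a hypothetical three-right capability model with an abstract set-based specification, a bit-mask implementation, an abstraction function linking the two, and a refinement check. Because the toy state space is finite the check can enumerate every state; seL4's real proof (done in Isabelle/HOL) must replace that enumeration with a proof, since the kernel's state space is not enumerable. The rights, opcodes and the "derive may only diminish authority" rule are simplifications chosen for illustration, not seL4's actual CSpace semantics.

```python
"""Toy refinement check: abstract capability-rights specification versus a
bit-mask implementation, compared exhaustively over a finite state space.
Added illustration only; the model is a hypothetical simplification and is
not seL4's CSpace design."""
from itertools import product

# ---- Abstract specification: the small, readable object a proof is stated against
RIGHTS = ("read", "write", "grant")


def spec_allows(rights: frozenset, op: str) -> bool:
    """A capability authorises an operation iff that right is in its set."""
    return op in rights


def spec_derive_ok(parent: frozenset, child: frozenset) -> bool:
    """Deriving a capability may only diminish authority: child must be a subset."""
    return child <= parent


# ---- Concrete implementation: what actually runs, expressed as bit twiddling
READ, WRITE, GRANT = 1, 2, 4
OPCODE = {"read": READ, "write": WRITE, "grant": GRANT}


def impl_allows(mask: int, op: str) -> bool:
    return (mask & OPCODE[op]) != 0


def impl_derive(parent_mask: int, requested_mask: int) -> int:
    """Mint a child capability; requested bits the parent lacks are dropped."""
    return parent_mask & requested_mask


def buggy_derive(parent_mask: int, requested_mask: int) -> int:
    """Deliberately wrong variant: OR instead of AND lets a child gain rights."""
    return parent_mask | requested_mask


# ---- Abstraction function: maps concrete state to the spec's state
def abstract(mask: int) -> frozenset:
    return frozenset(r for r in RIGHTS if mask & OPCODE[r])


# ---- Refinement checks: every concrete behaviour must be allowed by the spec
def check_allows() -> list:
    """Counterexamples where the implementation disagrees with the spec."""
    return [
        (mask, op)
        for mask, op in product(range(8), RIGHTS)
        if impl_allows(mask, op) != spec_allows(abstract(mask), op)
    ]


def check_derive(derive) -> list:
    """Counterexamples where a derived child holds a right its parent lacks."""
    return [
        (parent, requested)
        for parent, requested in product(range(8), range(8))
        if not spec_derive_ok(abstract(parent), abstract(derive(parent, requested)))
    ]


if __name__ == "__main__":
    print("allows counterexamples:", check_allows())
    print("correct derive counterexamples:", check_derive(impl_derive))
    print("buggy derive counterexamples:", len(check_derive(buggy_derive)))
```

The spec functions are two one-liners over sets, which is the sense in which a specification is "much smaller" and easier to get right than the implementation; the bugs that matter live in the mask arithmetic, and the abstraction function is what lets a checker (or a proof) relate the two. Swapping `impl_derive` for `buggy_derive` makes the check fail on 37 of the 64 parent/request pairs, exactly the pairs where the request asks for a bit the parent does not hold.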
~~~
nix23
Sure...what else ;)

------
corty
Very interesting and useful.

However, does anyone have experience with obtaining RISC-V server hardware on
a commercially useful scale, i.e. more than 1pcs? Back when ARM servers were
all the rage, there were lots of announcements, but almost never products one
could order. Is RISC-V any better in that regard?

~~~
antsoul
From what I got, the future should look like:

- You choose the RISC-V design first.
- From that design, you choose the fab that will produce the design. Each fab has its own price and trustworthiness.

~~~
fluffything
The 3 big fabs that you'd like to use are fully booked until 2023 or so. So
you kind of forgot the "wait 4 years" part.

------
anonymousDan
The linked paper on limitations of mainstream ISAs for Spectre mitigation is
super interesting.

------
cmrdporcupine
I still don't understand why Sel4 wasn't chosen for the microkernel for
Fuchsia, why they chose to use their self-developed Zircon instead.

~~~
catwell
They didn't start from scratch, Zircon is based on lk which they already used
in Android.

~~~
exikyut
Say what now?

 _[Digging]_

[https://github.com/littlekernel/lk/wiki/Introduction](https://github.com/littlekernel/lk/wiki/Introduction):

> _LK is the Android bootloader and is also used in Android Trusted Execution
> Environment - "Trusty TEE" Operating System._

> _Newer Android phones have some chance of LK running all the time alongside
> Linux._

TIL!

------
exabrial
Is there an OS built around seL4?

~~~
im_down_w_otp
Genode.

~~~
dathinab
Though it's not built around seL4 specifically. It supports a wide range of
mostly L4-based microkernels as well as some other kernels like e.g. Linux.

Still, it's a seL4 OS if you want it to be one.

