
The SeL4 Foundation: What and Why - ingve
https://microkerneldude.wordpress.com/2020/04/07/the-sel4-foundation-what-and-why/
======
turbinerneiter
I'd be really happy to see seL4 thrive and I like that this blog-post shows
that the people behind it understand what could potentially hold it back - the
infrastructure around it. It needs what GNU and systemd are for Linux. And it
needs an Arduino/Raspberry Pi - a halo platform that I can buy and play around
with.

What I wonder is how this formal verification works. seL4 is written in C and
apparently the formal verification is done in a different language. Is it
possible to have a programming language where the compiler does the formal
verification?

~~~
h91wka
> Is it possible to have a programming language where the compiler does the
> formal verification?

Such a compiler would require solving the halting problem. Most problems related
to the search for formal proofs are undecidable.

~~~
wolfgke
> Such compiler would require solving halting problem.

Wrong: Because of the finite memory instead of an unbounded tape (among other
reasons), computers are strictly less expressive than Turing machines.

~~~
tzs
Does the proof that the halting problem is not solvable actually make use of
the unboundedness of the tape?

~~~
wolfgke
Of course it does (implicitly!).

Otherwise the number of possible states of the Turing machine T that we want
to check whether it halts or not is finite and we just have to "simulate" the
program and see whether it terminates or it reaches again a state that it was
already in.
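
The "simulate until a state repeats" decider described above, as an added example that is not part of the thread or of seL4: a constructed toy register machine with wrapping fixed-width registers, whose finite configuration space makes the halting question decidable by cycle detection.

```python
# Added example (not from the thread): halting decider for a finite-memory
# machine. With k bits of state there are at most 2**k configurations, so a
# run either halts or revisits a configuration and is then provably looping.
WIDTH = 4                     # register width in bits; arithmetic wraps
MASK = (1 << WIDTH) - 1

def step(program, pc, regs):
    """Execute one instruction; return the next (pc, regs), or None on halt."""
    op = program[pc]
    regs = list(regs)
    if op[0] == "halt":
        return None
    if op[0] == "inc":        # ("inc", r): r += 1 mod 2**WIDTH
        regs[op[1]] = (regs[op[1]] + 1) & MASK
        pc += 1
    elif op[0] == "dec":      # ("dec", r): r -= 1 mod 2**WIDTH
        regs[op[1]] = (regs[op[1]] - 1) & MASK
        pc += 1
    elif op[0] == "jnz":      # ("jnz", r, t): jump to t if r != 0
        pc = op[2] if regs[op[1]] != 0 else pc + 1
    elif op[0] == "jmp":      # ("jmp", t): unconditional jump
        pc = op[1]
    else:
        raise ValueError(f"unknown opcode {op[0]!r}")
    return pc, tuple(regs)

def decide_halts(program, nregs=2):
    """Return (halts, steps) for a run from the all-zero state.
    halts is False when a configuration (pc, registers) is seen twice: the
    machine is deterministic, so it must then repeat the same cycle forever.
    This loop always terminates, after at most
    len(program) * 2 ** (WIDTH * nregs) steps.
    """
    state = (0, (0,) * nregs)
    seen = set()
    steps = 0
    while state not in seen:
        seen.add(state)
        nxt = step(program, *state)
        steps += 1
        if nxt is None:
            return True, steps
        state = nxt
    return False, steps

# Constructed programs. COUNTDOWN wraps r0 from 0 to 15 and counts back down
# to 0 (16 iterations), then halts. FOREVER returns to its initial state.
COUNTDOWN = [("dec", 0), ("jnz", 0, 0), ("halt",)]
FOREVER = [("inc", 0), ("dec", 0), ("jmp", 0)]
```

The same visited-set bound is what makes the argument break down for an unbounded tape: there the set of reachable configurations need not be finite, so a repeat is never guaranteed.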

~~~
marcosdumay
How would the "if this program halts then run forever, else halt" algorithm
work on a real computer? I imagine it would fail with stack overflow.

------
microcolonel
That "Verification of the multicore kernel" thing seems like it could use some
bold, underline, and italics. I doubt it is as simple as adding an AArch64
model.

~~~
snvzz
Definitely not simple, but simpler than you might imagine.

Specifically, I'm referring to the fact that the microkernel can't be run from
more than one CPU at once and can't be preempted, which is an important design
decision.

Its execution time is, however, constrained into the WCET, complete with
proof. And that is a very small amount of time, allowing for hard real-time
applications to be built on top of seL4.

~~~
microcolonel
Every time I learn more about seL4, I fall a bit more in love with it. Can't
wait to see what people do in terms of integration over time.

I think it would be super cool to see L4Linux updated again, and on seL4 this
time; maybe start shifting device drivers into tasks behind a low-overhead
abstraction. We're going to have Linux and POSIX applications for a _loooong_
time, but maybe we can make incremental progress toward something a bit less
braindead.

------
segfaultbuserr
Simple question: What are some seL4 "distros" one can install today? Which
types of hardware are supported? And how usable is the userland?

~~~
tptacek
If you're looking for a desktop/end-user operating system (even for a server
of some sort), you're not really looking for L4. You might as well just use
Qubes; the security model will be similar (in that you'll be "using" hosted
Linux, not the underlying OS directly).

L4 gets interesting if you're building another _platform_.

~~~
segfaultbuserr
Well, I think it's an interesting idea in itself to build a full operating
system based on a secure kernel, even if it's server/CLI only, runs in a
virtual machine as a prototype (think GNU Hurd). Isn't it?

~~~
tptacek
If you're going to build a new OS, sure. That's how you should think of L4: as
a toolkit for building new operating systems.

------
exikyut
Looking at all the comments here, one question seems missing yet relevant: why
is CompCert not used?

------
akavel
Hm, as to userland, I wonder why they don't seem to mention GenodeOS in any
way?

~~~
snvzz
Genode is Affero GPL licensed. Very troublesome.

That's probably why.

~~~
akavel
Ohhh, now _that_ is something I totally missed, thanks!

------
jiveturkey
> seL4 is a game-changer

probably overstating the case.

