From Rocq to Metal: A Pipeline for Formally Verified Microcontroller Firmware
This work provides a practical pipeline for formally verified firmware on resource-constrained microcontrollers, addressing safety concerns in AI-generated code.
The authors built Encore!, a bare-metal CPS VM that runs Rocq-extracted Scheme on microcontrollers, enabling formally verified firmware. They structured firmware as a pure state-transition function, making the core fully provable in Rocq while keeping the unverified host layer constant.
Enforcing invariants in safety-critical systems is increasingly urgent as AI-generated code becomes widespread. Unfortunately, the runtimes required to support high-level specification languages are too large for most embedded targets. In this article, we show how formally verified firmware is achievable today. We built Encore!, a bare-metal Continuation Passing Style (CPS) virtual machine (VM) that runs Rocq-extracted Scheme on microcontrollers. We also show how to structure firmware as a pure state-transition function, making its core fully provable in Rocq while keeping the unverified host layer constant regardless of firmware complexity. Large Language Model (LLM)-assisted tactic synthesis fits naturally into this workflow: formal theorem statements replace manual code review, allowing AI-generated firmware to prove itself.