CHERIoT-Ibex—the first CHERI-enhanced RISC-V microcontroller supporting compressed capability formats—lacks end-to-end formal assurance of behavioral equivalence between its RTL implementation and the Sail-defined ISA specification, particularly concerning memory interaction. Method: We introduce a microarchitecture-agnostic observational correctness abstraction and develop a custom Sail-to-SystemVerilog translation framework that integrates interactive theorem proving with model checking. Contribution/Results: This enables the first full-stack formal verification of a CHERI processor supporting compressed capabilities, establishing behavioral equivalence between RTL and ISA semantics for all initial states. Crucially, we prove not only functional correctness but also liveness-preserving equivalence at the RTL level—a first for CHERI hardware. Our verification provides the strongest known functional and liveness guarantees for any CHERI implementation to date.

The CHERI architecture equips conventional RISC ISAs with significant architectural extensions that provide a hardware-enforced mechanism for memory protection and software compartmentalisation. Architectural capabilities replace conventional integer pointers with memory addresses bound to permissions constraining their use. We present the first comprehensive formal verification of a capability extended RISC-V processor with internally 'compressed' capabilities - a concise encoding of capabilities with some resemblance to floating point number representations. The reference model for RTL correctness is a minor variant of the full and definitive ISA description written in the Sail ISA specification language. This is made accessible to formal verification tools by a prototype flow for translation of Sail into SystemVerilog. Our verification demonstrates a methodology for establishing that the processor always produces a stream of interactions with memory that is identical to that specified in Sail, when started in the same initial state. We additionally establish liveness. This abstract, microarchitecture-independent observational correctness property provides a comprehensive and clear assurance of functional correctness for the CHERIoT-Ibex processor's observable interactions with memory.