Latest commit: Erik Inkinen, 0f2c527a9f, "rootd: drop unstable rustfmt options for stable toolchains", 2026-03-23 10:19:56 +02:00. CI checks (test, security, minimal-versions) all passed.

EriX Root Task (rootd)

rootd is the first user-space policy authority launched by the kernel. It receives the kernel -> root handoff and bootstraps critical early services.


Scope

  • validate kernel bootstrap info and capability inventory
  • parse required boot-config payload and establish deterministic launch DAG
  • transfer least-privilege capabilities to each service
  • track bootstrap readiness and fail deterministically on required-service errors

Out of Scope

  • low-level kernel object implementation
  • implicit authority distribution

Service Bring-up Responsibilities

rootd launches services according to boot-config DAG entries. The current runtime baseline still resolves to:

  • foundation substrate: memd -> vspaced -> pagerd -> procd
  • coordination core: named -> logd -> crashd -> timed
  • hardware mediation core: irqd -> deviced -> probed -> hotplugd
  • console/input stack: seriald -> fbcond -> inputd

After procd is up, subsequent services are spawned through the typed procd service-spawn API (IPC_PHASE0_PROCD_OP_SPAWN_SERVICE), not by direct kernel process creation from rootd.

Driver daemons are owned by deviced; rootd requests driver lifecycle through deviced RPCs. BOOTCFG_LAUNCH_KIND_DEVICED_DRIVER entries are treated as policy nodes (seed/seal intent), not synchronous rootd wait points.


Interfaces

  • input: docs/handoff/kernel-to-root.md
  • output: docs/handoff/root-to-services.md
  • shared wire/layout helpers: lib-handoff

Invariants

  • no service receives undeclared authority
  • required-service startup failures halt bootstrap progression
  • startup IPC and capability transfer are auditable and deterministic
  • framebuffer-mode bootstrap requires both fbcond and console-font module inputs
  • missing/invalid boot-config is fail-closed
  • rootd attempts capability shedding at two checkpoints:
    • after procd readiness: untyped drop sweep and transfer of kernel-object management copies to procd/deviced
    • after deviced readiness: device-control slot drop (SLOT_IRQ_CONTROL)
  • rootd does not emit driver-ready stamps; driver-ready observability is emitted by deviced (ERIX_DEVICED:READY:*).
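The launch-order state machine from Service Bring-up Responsibilities and the invariants listed above (declared authority only, required-service failures halt progression, deviced driver entries as non-blocking policy nodes, post-procd spawns via procd, shedding checkpoints after procd and deviced readiness), worked through as an added Rust example. This is not rootd's own code: it uses std for runnability where rootd is no_std, a `ready` closure in place of the endpoint CALL/REPLY handshake, and constructed node names, capability ids and slot numbers; the boot-config parse and lib-bootstrap/lib-capabi bundle validation are assumed to have already produced the `LaunchNode` records.

```rust
// Added example, not rootd's own code. Node names, capability ids, slot numbers and
// the `ready` oracle are constructed; the real orchestrator is no_std and waits on
// endpoint CALL/REPLY instead of calling a closure.
use std::collections::BTreeSet;
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum LaunchKind { Service, DevicedDriver } // DevicedDriver = BOOTCFG_LAUNCH_KIND_DEVICED_DRIVER
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Spawner { Kernel, Procd, Deviced } // who actually creates the process
#[derive(Debug)]
pub struct LaunchNode {
    pub name: &'static str,
    pub kind: LaunchKind,
    pub required: bool,
    pub deps: &'static [&'static str],
    pub declared_caps: &'static [u32], // authority the boot-config declares for this node
    pub bundle_caps: &'static [u32],   // authority the transfer bundle would actually carry
}
#[derive(Debug, PartialEq, Eq)]
pub enum Status { Ready, ContractInvalid(&'static str), ServiceBootstrapFailed(&'static str) }
#[derive(Debug, PartialEq, Eq)]
pub struct Outcome { pub launched: Vec<(&'static str, Spawner)>, pub dropped_slots: Vec<u32>, pub status: Status }

pub const SLOT_UNTYPED_POOL: u32 = 5; // constructed: shed after procd readiness
pub const SLOT_IRQ_CONTROL: u32 = 7;  // slot named in the README; number constructed

/// Walk the DAG in boot-config order. `ready(name)` stands in for the readiness handshake.
pub fn bootstrap(nodes: &[LaunchNode], ready: impl Fn(&str) -> bool) -> Outcome {
    let (mut done, mut failed) = (BTreeSet::<&str>::new(), BTreeSet::<&str>::new());
    let mut remaining: Vec<&LaunchNode> = nodes.iter().collect();
    let (mut launched, mut dropped_slots) = (Vec::new(), Vec::new());
    while !remaining.is_empty() {
        // Deterministic selection: the first node in config order whose deps are all done.
        let startable = remaining.iter().position(|n| n.deps.iter().all(|d| done.contains(d)));
        let i = match startable {
            Some(i) => i,
            None => {
                // Nothing can start: skip dependents of a failed optional service (halt if
                // such a dependent is required); anything else is a broken contract (cycle).
                let blocked = remaining.iter().position(|n| n.deps.iter().any(|d| failed.contains(d)));
                match blocked {
                    Some(j) if remaining[j].required => {
                        return Outcome { launched, dropped_slots, status: Status::ServiceBootstrapFailed(remaining[j].name) }
                    }
                    Some(j) => { failed.insert(remaining.remove(j).name); continue; }
                    None => return Outcome { launched, dropped_slots, status: Status::ContractInvalid("dependency cycle or unknown dependency") },
                }
            }
        };
        let node = remaining.remove(i);
        // No service receives undeclared authority: the bundle must be a subset of declared caps.
        if node.bundle_caps.iter().any(|c| !node.declared_caps.contains(c)) {
            return Outcome { launched, dropped_slots, status: Status::ContractInvalid(node.name) };
        }
        match node.kind {
            LaunchKind::DevicedDriver => {
                // Seed/seal intent handed to deviced; rootd never blocks on driver readiness.
                launched.push((node.name, Spawner::Deviced));
                done.insert(node.name);
            }
            LaunchKind::Service => {
                // Until procd is ready, processes come from kernel-control IPC; afterwards rootd uses the typed procd spawn API.
                let via = if done.contains("procd") { Spawner::Procd } else { Spawner::Kernel };
                launched.push((node.name, via));
                if !ready(node.name) {
                    if node.required {
                        return Outcome { launched, dropped_slots, status: Status::ServiceBootstrapFailed(node.name) };
                    }
                    failed.insert(node.name);
                    continue;
                }
                done.insert(node.name);
                match node.name { // capability-shedding checkpoints keyed on readiness
                    "procd" => dropped_slots.push(SLOT_UNTYPED_POOL),
                    "deviced" => dropped_slots.push(SLOT_IRQ_CONTROL),
                    _ => {}
                }
            }
        }
    }
    Outcome { launched, dropped_slots, status: Status::Ready }
}

/// Constructed boot-config: a slice of the README's chains plus one driver node.
pub fn sample_config() -> Vec<LaunchNode> {
    fn svc(name: &'static str, required: bool, deps: &'static [&'static str], caps: &'static [u32]) -> LaunchNode {
        LaunchNode { name, kind: LaunchKind::Service, required, deps, declared_caps: caps, bundle_caps: caps }
    }
    vec![
        svc("memd", true, &[], &[1]), svc("vspaced", true, &["memd"], &[2]),
        svc("pagerd", true, &["vspaced"], &[3]), svc("procd", true, &["pagerd"], &[4]),
        svc("irqd", true, &["procd"], &[5]), svc("deviced", true, &["irqd"], &[6]),
        LaunchNode { name: "drv-ps2-kbd", kind: LaunchKind::DevicedDriver, required: false,
                     deps: &["deviced"], declared_caps: &[7], bundle_caps: &[7] },
        svc("inputd", false, &["drv-ps2-kbd"], &[8]),
    ]
}
```

Two design points worth noting. Selection is by position in boot-config order among nodes whose dependencies are satisfied, never by hash-map iteration or timing, so two boots with the same config produce the same launch sequence and the same audit trail. The `launched` list records which authority actually created each process (kernel-control IPC, procd, or deviced), which is what an auditor of "no implicit authority distribution" wants to see after a failed bootstrap: everything before the failing required service and nothing after it.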

Build Status

Implemented M0 baseline:

  • no_std root task binary with x86_64 SysV entry ABI:
    • rdi = kernel_root_handoff_ptr
    • rsi = kernel_root_handoff_size
    • rdx = root_endpoint_slot
  • strict kernel -> root handoff intake validation (lib-handoff parser + descriptor checks)
  • deterministic rootd status model (READY, HANDOFF_INVALID, CONTRACT_INVALID, INTERNAL_ERROR, SERVICE_BOOTSTRAP_FAILED)
  • required boot-config discovery and v1 parse/validate path (ERIXBCFG)
  • config-driven async dependency startup event loop
  • launch dispatch by launch_kind:
    • rootd direct service startup
    • deviced-managed driver startup (START_DRIVER)
  • feature-gated integration reporting path:
    • runtime bootstrap path uses one binary and consumes boot-config validation_profile (none for runtime image builds, phase profile IDs for smoke/integration scenario builds)
    • compatibility smoke aliases: rootd-integration-* map to runtime phase features
    • force-fail controls remain integration-only:
      • rootd-integration-smoke
      • rootd-integration-force-fail
      • rootd-integration-force-service-fail
      • rootd-integration-force-spawn-fail
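The strict handoff intake validation and the fail-closed boot-config discovery listed above, as an added Rust example that is not lib-handoff's or rootd's code. The header and descriptor layout, the HANDOFF_MAGIC value and the descriptor kind numbers are assumptions made for this example; only the ERIXBCFG boot-config magic and the rdi/rsi entry registers come from this README. It uses std (Vec) for runnability where the real parser is no_std, and `sample_handoff` builds a constructed image so the checks can be exercised offline.

```rust
// Added example, not lib-handoff or rootd's own code. The header/descriptor layout,
// HANDOFF_MAGIC and descriptor kinds are constructed for this example; only the
// ERIXBCFG boot-config magic comes from the README. Little-endian, as on x86_64.
const HANDOFF_MAGIC: &[u8; 8] = b"RTHNDOFF"; // constructed
const HANDOFF_VERSION: u16 = 1;              // constructed
const HEADER_LEN: usize = 16;                // magic(8) version(2) desc_count(2) table_off(4)
const DESC_LEN: usize = 12;                  // kind(2) slot(2) offset(4) len(4)
pub const KIND_BOOT_CONFIG: u16 = 1;         // constructed descriptor kind
const BOOTCFG_MAGIC: &[u8; 8] = b"ERIXBCFG"; // boot-config v1 magic named in the README

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub struct Descriptor { pub kind: u16, pub slot: u16, pub offset: u32, pub len: u32 }

/// Each rejection reason is distinct so the HANDOFF_INVALID path stays auditable.
#[derive(Debug, PartialEq, Eq)]
pub enum HandoffError {
    SizeTooSmall, BadMagic, BadVersion, TableOutOfBounds,
    DescriptorOutOfBounds(usize), DescriptorOverlap(usize), BadBootConfigMagic(usize), MissingBootConfig,
}

fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }

/// Validate the handoff buffer (rdi/rsi turned into a slice by the entry shim) and
/// return its descriptors plus the boot-config payload. Any defect is a hard reject.
pub fn parse_handoff(buf: &[u8]) -> Result<(Vec<Descriptor>, &[u8]), HandoffError> {
    if buf.len() < HEADER_LEN { return Err(HandoffError::SizeTooSmall); }
    if &buf[..8] != HANDOFF_MAGIC { return Err(HandoffError::BadMagic); }
    if u16_at(buf, 8) != HANDOFF_VERSION { return Err(HandoffError::BadVersion); }
    let count = u16_at(buf, 10) as usize;
    let table_off = u32_at(buf, 12) as usize;
    // Checked arithmetic: a corrupt count/offset must not wrap into an in-bounds value.
    let table_end = count.checked_mul(DESC_LEN).and_then(|n| n.checked_add(table_off))
        .ok_or(HandoffError::TableOutOfBounds)?;
    if table_off < HEADER_LEN || table_end > buf.len() { return Err(HandoffError::TableOutOfBounds); }

    let mut descs: Vec<Descriptor> = Vec::with_capacity(count);
    let mut bootcfg = None;
    for i in 0..count {
        let o = table_off + i * DESC_LEN;
        let d = Descriptor { kind: u16_at(buf, o), slot: u16_at(buf, o + 2), offset: u32_at(buf, o + 4), len: u32_at(buf, o + 8) };
        let start = d.offset as usize;
        let end = start.checked_add(d.len as usize).ok_or(HandoffError::DescriptorOutOfBounds(i))?;
        // Payloads must lie after the table and inside the buffer...
        if start < table_end || end > buf.len() { return Err(HandoffError::DescriptorOutOfBounds(i)); }
        // ...and must not alias each other, or one region could be rewritten through another.
        if descs.iter().any(|p| start < p.offset as usize + p.len as usize && (p.offset as usize) < end) {
            return Err(HandoffError::DescriptorOverlap(i));
        }
        if d.kind == KIND_BOOT_CONFIG {
            let payload = &buf[start..end];
            if payload.len() < 8 || &payload[..8] != BOOTCFG_MAGIC { return Err(HandoffError::BadBootConfigMagic(i)); }
            bootcfg = Some(payload);
        }
        descs.push(d);
    }
    // Missing boot-config is fail-closed: there is no built-in fallback launch list.
    let bootcfg = bootcfg.ok_or(HandoffError::MissingBootConfig)?;
    Ok((descs, bootcfg))
}

/// Constructed handoff image for exercising the parser: one boot-config descriptor
/// (slot 3) when `with_bootcfg` is set, plus one opaque module descriptor (slot 4).
pub fn sample_handoff(with_bootcfg: bool) -> Vec<u8> {
    let mut entries: Vec<(u16, u16, Vec<u8>)> = Vec::new();
    if with_bootcfg { entries.push((KIND_BOOT_CONFIG, 3, b"ERIXBCFG\x01\x00".to_vec())); }
    entries.push((2, 4, vec![0xAA; 16]));
    let table_off = HEADER_LEN;
    let mut next_payload = table_off + entries.len() * DESC_LEN;
    let mut buf = Vec::new();
    buf.extend_from_slice(HANDOFF_MAGIC);
    buf.extend_from_slice(&HANDOFF_VERSION.to_le_bytes());
    buf.extend_from_slice(&(entries.len() as u16).to_le_bytes());
    buf.extend_from_slice(&(table_off as u32).to_le_bytes());
    let mut payloads = Vec::new();
    for (kind, slot, p) in &entries {
        buf.extend_from_slice(&kind.to_le_bytes());
        buf.extend_from_slice(&slot.to_le_bytes());
        buf.extend_from_slice(&(next_payload as u32).to_le_bytes());
        buf.extend_from_slice(&(p.len() as u32).to_le_bytes());
        payloads.extend_from_slice(p);
        next_payload += p.len();
    }
    buf.extend_from_slice(&payloads);
    buf
}
```

The parser never trusts a length or offset it has not bounds-checked with checked arithmetic, rejects descriptors that alias the header, the table or each other, and treats an absent or mis-tagged boot-config as a reason to stop rather than something to work around; each of those maps to one HANDOFF_INVALID reason so the failing field can be named in the status report.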

Implemented Phase0 orchestration baseline:

  • deterministic required module discovery for memd, vspaced, pagerd, procd, and phase0-probe
  • deterministic service launch-order state machine:
    • intake validated
    • module set discovered
    • per-service (memd -> vspaced -> pagerd -> procd) startup-envelope synthesis/validation
    • probe spawn request contract synthesis/validation
  • role-based startup envelope generation using lib-bootstrap + lib-capabi transfer bundle validation
  • integration stage progress reporting (ROOTD_STAGE:*) via feature-gated rootd-report syscall path

Runtime-oriented bring-up path:

  • service launch requests issued through kernel-control IPC (CREATE_PROCESS, REGISTER_PAGER, MAP_FRAME, START_PROCESS)
  • per-service startup envelope delivery and readiness handshake over endpoint CALL/REPLY
  • probe spawn request via procd plus async probe-completion event wait on the root endpoint before reporting READY

Current runtime-mode policy:

  • runtime builds are bootstrap-only (no synthetic probe/client/stress execution)
  • smoke/integration builds retain synthetic checks for CI verification
  • phase3-framebuffer bootstrap fails closed if console-font is not present
  • phase3-input bootstrap requires drv-i8042, drv-ps2-kbd, drv-ps2-mouse, and inputd