
Sovereign Init

Status: Complete

Sovereign Init is the Nexus boot sequence — a deterministic two-stage process that brings the system from power-on to a fully operational state.

Two-Stage Boot

Stage 1: Hardware Initialization (Zig HAL)

  1. nexus-boot (bootloader) loads the kernel image and jumps to the entry point
  2. The Zig HAL initializes hardware in a fixed order:
    • MMU / page tables
    • UART (serial console)
    • GIC / PLIC (interrupt controller)
    • Timer
    • VirtIO devices (block, net, console)
  3. The SysTable is written at its fixed physical address
  4. Control is transferred to the Nim kernel entry point

Stage 2: Kernel Bring-Up (Nim Logic)

  1. The scheduler is initialized with four spectrum queues
  2. Core fibers are spawned in fixed order:
    • ION fiber — manages ION Ring allocation and mapping
    • Compositor fiber — display composition (only when the display profile is enabled)
    • NetSwitch fiber — network L2 demux + DHCP
    • NexShell fiber — user-facing shell
    • Subject fibers — NPL/NPK payloads from the boot manifest
  3. KDL service definitions are parsed from the BKDL manifest
  4. Each service is spawned as a fiber with its declared pledge mask and capability set
  5. The system is operational

Boot Manifest (BKDL)

The boot manifest is embedded in the kernel ELF as a .nexus.manifest section. It uses the binary-packed KDL (BKDL) format:

  • Magic: 0x4E585553 (the ASCII bytes "NXUS")
  • Format: a ustar TAR archive containing the KDL service definitions
  • Content: declares which NPLs to load, their pledge masks, capability grants, and ION Ring assignments

This means the boot configuration is baked into the kernel image. There are no external config files to parse and no filesystem access is needed during early boot. Because the manifest ships inside the kernel ELF, it is covered by whatever verification the kernel image itself receives (see ProvChain Boot Logging) rather than being loaded from a separately mutable file.
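The container described above, built and parsed end to end, as an added example written for this page rather than Nexus's own code. The page fixes only the magic, the ustar TAR container and the KDL content; the file names, the restricted KDL subset accepted here (one `service` node per line with `pledge` and `caps` string properties), the per-entry size limit and the on-disk byte order of the magic are assumptions. The parser rejects anything a hostile manifest could otherwise smuggle in: a wrong magic, TAR members that are not regular files, absolute or `..` paths, and oversized entries.

```python
# Added example for this page: build and parse a BKDL boot manifest, i.e. the
# 4-byte magic followed by a ustar TAR of KDL service definitions. This is not
# Nexus's own code; everything beyond the magic, the TAR container and the
# KDL content (file names, the restricted KDL subset, the "pledge"/"caps"
# property names, the size limit) is an assumption made here.
import io
import re
import tarfile

MAGIC = b"NXUS"  # 0x4E585345 is the page's value; stored here as its ASCII bytes (byte order assumed)
MAX_ENTRY_BYTES = 64 * 1024  # assumed sanity limit per service definition

# Constructed sample service definitions (restricted KDL subset: one
# `service` node per line with string arguments and string properties).
SAMPLE_SERVICES = {
    "netswitch.kdl": '// L2 demux + DHCP\nservice "netswitch" pledge="net ion" caps="ion.ring.2"\n',
    "nexshell.kdl": 'service "nexshell" pledge="stdio ion" caps="ion.ring.3 tty"\n',
}

_NODE = re.compile(r'^service\s+"([^"]+)"((?:\s+\w+="[^"]*")*)\s*$')
_PROP = re.compile(r'(\w+)="([^"]*)"')


def pack_manifest(services: dict[str, str]) -> bytes:
    """Magic + uncompressed ustar archive, one regular file per definition."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, text in services.items():
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + buf.getvalue()


def parse_service(line: str) -> dict:
    """Parse one `service "name" pledge="..." caps="..."` node."""
    m = _NODE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported KDL line: {line!r}")
    props = dict(_PROP.findall(m.group(2)))
    return {
        "name": m.group(1),
        "pledge": props.get("pledge", "").split(),  # pledge mask as words
        "caps": props.get("caps", "").split(),      # capability grants
    }


def parse_manifest(blob: bytes) -> list[dict]:
    """Validate the container, then return the service definitions in TAR order.

    Raises ValueError on a bad magic or on any TAR member that is not a plain,
    relative, bounded .kdl file, so a manifest cannot smuggle links, device
    nodes or path-traversal names past the loader.
    """
    if blob[:4] != MAGIC:
        raise ValueError("bad BKDL magic")
    services = []
    with tarfile.open(fileobj=io.BytesIO(blob[4:]), mode="r:") as tar:
        for member in tar:
            parts = member.name.split("/")
            if not member.isfile():
                raise ValueError(f"{member.name}: not a regular file")
            if member.name.startswith("/") or ".." in parts or "" in parts:
                raise ValueError(f"{member.name}: unsafe path")
            if not member.name.endswith(".kdl"):
                raise ValueError(f"{member.name}: not a KDL file")
            if member.size > MAX_ENTRY_BYTES:
                raise ValueError(f"{member.name}: entry too large")
            text = tar.extractfile(member).read().decode("utf-8")
            for line in text.splitlines():
                if line.strip() and not line.lstrip().startswith("//"):
                    services.append(parse_service(line))
    return services


if __name__ == "__main__":
    for svc in parse_manifest(pack_manifest(SAMPLE_SERVICES)):
        print(svc)
```

The output of `pack_manifest` is the blob that would go into the `.nexus.manifest` section; one standard way to place such a blob into an ELF after linking is `objcopy --add-section .nexus.manifest=manifest.bkdl kernel.elf`, though how nexus-boot actually embeds it is not stated on this page.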

Boot Timing

  Phase                      Target    Notes
  Bootloader → HAL entry     <400 ms   nexus-boot is <300 LOC
  HAL initialization         <50 ms    Hardware init is sequential and deterministic
  Kernel bring-up            <100 ms   All fibers are spawned cooperatively
  First NPL operational      <600 ms   Total time from power-on to operational state

Boot Extension Block (BEB)

The BEB is an updatable microcode region that extends Rumpk without modifying its frozen core. This is critical for:

  • In-orbit updates: Satellite firmware can receive BEB patches via uplink
  • Radiation recovery: BEB contains ECC scrubbing routines and watchdog logic
  • Dual-bank flash: Two BEB slots allow atomic updates with rollback

The BEB is verified against ProvChain before execution, whichever flash bank it is selected from; an unsigned or tampered BEB is rejected, so a rollback can only land on a BEB that passes the same check.

ProvChain Boot Logging

Every boot is logged to the ProvChain ledger:

  1. Boot event: timestamp, hardware fingerprint, SysTable checksum
  2. HAL verification: the BLAKE3 hash of the HAL image is checked against the signed manifest
  3. Kernel verification: the BLAKE3 hash of the Nim kernel image is checked the same way
  4. NPL loads: each NPL load is logged with its Variant-CID and pledge mask
  5. Boot complete: the final entry records total boot time and fiber count

nexus verify compares a running system against the ProvChain record of its boot to detect tampering.
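A boot ledger in the shape the list above describes, together with the two checks a verifier like nexus verify needs to make (the chain has not been edited after the fact, and the measured HAL and kernel match the signed manifest), as an added example written for this page and not Nexus's own code. BLAKE3 is not in Python's standard library, so hashlib.blake2b stands in for it here; the entry field names, the chaining rule (each entry carries the hash of its predecessor and is sealed with its own hash over a canonical encoding), the sample images and the Variant-CID strings are all constructed assumptions. The signed manifest is taken as already signature-checked; that step is outside this example.

```python
# Added example for this page: a hash-chained boot ledger with the five entry
# kinds listed above, plus the kind of check `nexus verify` would run against
# it. This is not Nexus's own code. BLAKE3 is not in Python's standard
# library, so hashlib.blake2b stands in for it; the entry field names, the
# chaining rule and the sample images are assumptions made here.
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry (32-byte digest, hex)


def digest(data: bytes) -> str:
    """Stand-in for BLAKE3: 32-byte blake2b, hex-encoded."""
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic encoding so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(ledger: list, entry: dict) -> None:
    """Chain `entry` to the previous one and seal it with its own hash."""
    body = {"prev": ledger[-1]["hash"] if ledger else GENESIS, **entry}
    ledger.append({**body, "hash": digest(canonical(body))})


def record_boot(hal_image, kernel_image, npls, boot_ms, fiber_count,
                hw_fingerprint, systable):
    """Write the boot sequence to a fresh ledger in the order the page lists."""
    ledger = []
    append(ledger, {"event": "boot", "timestamp": 1_700_000_000,
                    "hw_fingerprint": hw_fingerprint,
                    "systable_checksum": digest(systable)})
    append(ledger, {"event": "hal_verify", "blake3": digest(hal_image)})
    append(ledger, {"event": "kernel_verify", "blake3": digest(kernel_image)})
    for variant_cid, pledge in npls:
        append(ledger, {"event": "npl_load", "variant_cid": variant_cid,
                        "pledge": pledge})
    append(ledger, {"event": "boot_complete", "boot_ms": boot_ms,
                    "fibers": fiber_count})
    return ledger


def verify(ledger, signed_manifest):
    """Return a list of problems (empty means the record is intact).

    Two independent checks: (1) every entry hashes correctly and points at its
    predecessor, so the log cannot be edited after the fact; (2) the HAL and
    kernel measurements equal those in the signed manifest, so the images that
    booted are the ones that were signed.
    """
    problems = []
    prev = GENESIS
    for i, e in enumerate(ledger):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev:
            problems.append(f"entry {i}: broken chain link")
        if digest(canonical(body)) != e.get("hash"):
            problems.append(f"entry {i}: hash mismatch (entry edited)")
        prev = e.get("hash")
    measured = {e["event"]: e for e in ledger}
    for image in ("hal", "kernel"):
        entry = measured.get(f"{image}_verify")
        if entry is None or entry["blake3"] != signed_manifest[image]:
            problems.append(f"{image} image does not match signed manifest")
    if not ledger or ledger[-1]["event"] != "boot_complete":
        problems.append("no boot_complete entry: boot did not finish")
    return problems


# Constructed sample images and a manifest assumed to have already passed its
# signature check.
HAL_IMAGE = b"zig-hal-image-bytes"
KERNEL_IMAGE = b"nim-kernel-image-bytes"
SIGNED_MANIFEST = {"hal": digest(HAL_IMAGE), "kernel": digest(KERNEL_IMAGE)}


def good_boot():
    """A clean boot record: HAL, kernel, one NPL, 540 ms, five fibers."""
    return record_boot(HAL_IMAGE, KERNEL_IMAGE,
                       npls=[("cid-sample-1", "stdio net")], boot_ms=540,
                       fiber_count=5, hw_fingerprint="hw-sample",
                       systable=b"systable-bytes")


if __name__ == "__main__":
    ledger = good_boot()
    print("clean boot:", verify(ledger, SIGNED_MANIFEST))
    ledger[3]["pledge"] = "stdio net ion"  # widen an NPL's pledge after the fact
    print("edited ledger:", verify(ledger, SIGNED_MANIFEST))
```

The edit in the `__main__` block leaves the ledger's chain links intact (it changes a field, not the stored hashes), which is exactly why the verifier recomputes each entry's own hash rather than only checking that the `prev` pointers line up; a verifier that skipped the per-entry recomputation would accept the widened pledge.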

Released under the CC0 License.