Figure 3 — B-bit Capability Propagation Control

The B (Bind) bit controls whether a Golden Token can be saved into a c-list. B defaults to 0 on all new capabilities. CALL auto-clears B on preserved CRs passed to the callee ("use it, don't keep it"). Only an explicit TPERM with B modifier sets B=1, enabling delegation. mSave enforces B=1 before committing any write.

1. B=0 Default on New Capabilities

Namespace Entry: word1 bit 31 = 0. Every new GT starts B = 0 (not bindable).

This means a freshly LOADed capability cannot be SAVEd into any c-list. The holder can USE the GT (read, execute, call) but cannot propagate it to another domain.

2. CALL Auto-Clears B on Preserved CRs

Caller Context: CR0 [B=1], CR1 [B=1], CR2 [B=0], CR3 [B=1]
CALL (B auto-cleared)
Callee Receives: CR0 [B=0], CR1 [B=0], CR2 [B=0], CR3 [B=0]

"Use it, don't keep it": Callee can read, execute, call with any GT but cannot SAVE any of them to a c-list.

Hardware default: CALL clears B on all preserved context registers (CR0-CR4 in RV32, CR0-CR7 in CTMM). No exceptions.

3. TPERM Sets B=1 for Explicit Bind Permission

Before TPERM: CR0 [B=0]
TPERM CR0, EB
After TPERM: CR0 [B=1]

Explicit delegation grant: Caller consciously permits callee to SAVE this GT.
RV32: CAP.TPERM x0, CRn (rd=0 sets B-bit)

TPERM is the only instruction that can set B=1. This is the conscious, auditable act of granting bind permission.

4. mSave Checks B=1 Before Committing Write

Source GT: CR0 [B=1]
SAVE, mSave Pipeline: Version → Seal → Bounds → B=1? ✓ → F-bit → Commit
B-bit check is stage 4 of 8 in mSave.
✓ Committed to C-List. Saved copy gets B=0 (default).

5. FAULT on Attempted Save with B=0

Source GT: CR0 [B=0]
SAVE, mSave Pipeline: Version → Seal → Bounds → B=0? ✗
Pipeline halts at stage 4: B-bit check fails.
FAULT: BIND violation. No recovery. No fallback.

Security Invariant: No capability can be propagated without an explicit, auditable TPERM B grant by the delegating domain.

B-bit is the hardware-enforced "consent to delegate" mechanism. It prevents confused deputy and ambient authority attacks.
Legend: Default state / CALL behavior; TPERM grant / success path; mSave pipeline / B-bit check; B=0 / FAULT
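The five panels can be traced with a small software model, added here as an illustration and not taken from the original design or its hardware. It assumes a GT reduced to word1 with B at bit 31 (panel 1), four CRs as drawn in panel 2, and only the B-bit stage of mSave; the names gt_t, gt_load, tperm_bind, call_pass, msave and FAULT_BIND are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define B_BIT  (1u << 31)  /* panel 1: word1 bit 31 holds B */
#define NUM_CR 4           /* assumption: four CRs, as drawn in panel 2 */

typedef struct { uint32_t word1; } gt_t;  /* simplified GT: only word1 is modelled */
typedef enum { SAVE_OK = 0, FAULT_BIND = 1 } save_result_t;

/* LOAD: a new capability always starts with B=0. */
gt_t gt_load(uint32_t word1) { gt_t g = { word1 & ~B_BIT }; return g; }

/* TPERM with the B modifier: the only operation that sets B=1. */
void tperm_bind(gt_t *cr) { cr->word1 |= B_BIT; }

/* CALL: the callee receives every preserved CR with B cleared. */
void call_pass(const gt_t caller[NUM_CR], gt_t callee[NUM_CR]) {
    for (int i = 0; i < NUM_CR; i++) {
        callee[i].word1 = caller[i].word1 & ~B_BIT;
    }
}

/* mSave, B-bit stage only (Version, Seal, Bounds assumed to have passed). */
save_result_t msave(const gt_t *src, gt_t *clist_slot) {
    if (!(src->word1 & B_BIT)) return FAULT_BIND;  /* halt: nothing is written */
    clist_slot->word1 = src->word1 & ~B_BIT;       /* saved copy gets B=0 */
    return SAVE_OK;
}

/* Walk panels 1-5; returns 0 when every step behaves as the figure states. */
int demo(void) {
    gt_t slot = { 0 }, caller[NUM_CR], callee[NUM_CR];
    for (int i = 0; i < NUM_CR; i++) caller[i] = gt_load(0x100u + (uint32_t)i);
    if (msave(&caller[0], &slot) != FAULT_BIND) return 1;  /* panels 1 and 5 */
    tperm_bind(&caller[0]);                                /* panel 3 */
    call_pass(caller, callee);                             /* panel 2 */
    if (msave(&callee[0], &slot) != FAULT_BIND) return 2;  /* callee holds B=0 */
    if (msave(&caller[0], &slot) != SAVE_OK) return 3;     /* panel 4 */
    if (slot.word1 & B_BIT) return 4;                      /* stored copy is B=0 */
    return 0;
}

int main(void) {
    printf("demo result: %d\n", demo());
    return 0;
}
```

Because the stored copy comes back with B=0, whoever later loads it from the c-list needs a fresh TPERM grant before it can be saved again.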