Figure 11 — Boot Sequence State Machine
Five-phase hardware initialization. Each phase writes specific CRs with defined boot permissions. All loads go through mLoad validation except CR15 (the one hardwired bootstrap GT).
STATE MACHINE: 5-PHASE HARDWARE BOOT SEQUENCE

Phase 0: IDLE
  Awaiting boot signal
  All hardware quiescent
  On boot signal → Phase 1

Phase 1: FAULT_RST (clear all registers, cold restart)
  Actions
    CR0-CR15 → NULL type (10)
    DR0-DR15 → 0x0000000000000000
    Flags → cleared (N=Z=C=V=0)
    LAMBDA flag → 0
    Excl. monitors → released

Phase 2: LOAD_NS (load namespace root, hardwired GT)
  Actions
    CR15 → Namespace GT (GT: — | CR: M)
    ⚠ HARDWIRED (no mLoad)

Phase 3: INIT_THRD (initialize thread + services C-List)
  Actions
    CR8 → Thread GT (GT: — | CR: M)
    CR5 → Services C-List GT (GT: E | CR: M (transient))

Phase 4: LOAD_NUC (load nucleus code + active C-List)
  Actions
    CR14 → Nucleus code GT (GT: X (+R) | CR: —)
    CR6 → Active C-List GT (GT: E | CR: M (transient))
    NIA (PC) → 0x00000000

Phase 5: COMPLETE (begin instruction fetch, machine running)
  Machine State
    Fetch from CR14 at NIA = 0
    Boot code begins execution

any FAULT → restart
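CONTEXT REGISTER STATE AT EACH PHASE

| Register | 1: FAULT_RST | 2: LOAD_NS | 3: INIT_THRD | 4: LOAD_NUC | GT Perms | CR Elevation | Stability |
|----------|--------------|------------|--------------|-------------|----------|--------------|-----------|
| CR15 | NULL | ★ NS GT | — | — | — (none) | M only | Stable |
| CR8 | NULL | — | ★ Thread GT | — | — (none) | M only | Stable |
| CR5 | NULL | — | ★ Svc C-List | — | E only | M (transient) | Stable |
| CR6 | NULL | — | — | ★ Act C-List | E only | M (transient) | Dynamic |
| CR14 | NULL | — | — | ★ Nucleus GT | X (+R) | — | Dynamic |
| CR0-CR4 | NULL | NULL | NULL | NULL | — | — | User-managed |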
VALIDATION PATH: mLoad vs HARDWIRED
CR15 (Namespace): HARDWIRED Bootstrap
Loaded from fixed hardware address — the one exception to mLoad. This is the chicken-and-egg bootstrap.
CR8, CR5, CR6, CR14: All loaded through mLoad validation
Permission → Bounds → MAC → G-bit reset → Thread table shadow update
KEY INSIGHTS
Phase 1 guarantees clean slate (Claim 2a):
Every CR set to NULL type (10). Every DR zeroed. Every flag cleared. No residual state from previous
execution. A FAULT at any point during execution returns the machine to Phase 1 — total restart.
One hardwired GT — the bootstrap chicken-and-egg:
CR15 (Namespace root) cannot be loaded via mLoad because mLoad needs the Namespace to validate MACs.
This single hardwired GT is the only exception. Every subsequent load goes through mLoad validation.
Strict ordering guarantees safety:
Phase 2 must complete before Phase 3 (Thread needs Namespace). Phase 3 before Phase 4 (Nucleus needs
Thread context). Each phase builds on the previous, and any failure at any point faults back to Phase 1.
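The ordering and fault-reset behaviour described above, as a small Python model added here for illustration (not the project's own code or hardware description). The `Machine` class, `BootFault`, and the `validate` callback are assumptions; `validate` stands in for the mLoad check chain, which the figure names but does not specify.

```python
NULL = "NULL"  # CR type 10 in the figure

# Phases 2-4 in figure order: (state, [(register, GT written, loaded via mLoad?)])
PHASES = [
    ("LOAD_NS",   [("CR15", "Namespace GT", False)]),  # hardwired bootstrap GT
    ("INIT_THRD", [("CR8", "Thread GT", True), ("CR5", "Services C-List GT", True)]),
    ("LOAD_NUC",  [("CR14", "Nucleus code GT", True), ("CR6", "Active C-List GT", True)]),
]

class BootFault(Exception):
    """Any fault; the figure sends every fault back to Phase 1."""

class Machine:
    def __init__(self):
        self.fault_rst()

    def fault_rst(self):
        # Phase 1: every CR NULL, every DR zero, every flag cleared.
        self.cr = {f"CR{i}": NULL for i in range(16)}
        self.dr = [0] * 16
        self.flags = {"N": 0, "Z": 0, "C": 0, "V": 0, "LAMBDA": 0}
        self.nia = None
        self.state = "FAULT_RST"

    def mload(self, reg, gt, validate):
        # mLoad validates against the Namespace, so CR15 must already be loaded.
        if self.cr["CR15"] == NULL:
            raise BootFault(f"mLoad of {reg} before namespace root")
        # validate() is a hypothetical stand-in for the figure's chain:
        # Permission -> Bounds -> MAC -> G-bit reset -> thread table shadow update.
        if not validate(reg, gt):
            raise BootFault(f"mLoad validation failed for {reg}")
        self.cr[reg] = gt

    def boot(self, validate=lambda reg, gt: True):
        self.fault_rst()
        try:
            for state, loads in PHASES:
                self.state = state
                for reg, gt, via_mload in loads:
                    if via_mload:
                        self.mload(reg, gt, validate)
                    else:
                        self.cr[reg] = gt  # the single load that bypasses mLoad
            self.nia = 0               # Phase 4 sets NIA (PC) to 0
            self.state = "COMPLETE"    # Phase 5: fetch from CR14 at NIA = 0
        except BootFault:
            self.fault_rst()           # total restart, no residual state
        return self.state
```

A validator that rejects any one register shows the restart property: the machine ends in FAULT_RST with CR15 back at NULL, even though Phase 2 had already loaded it.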
BOOT PERMISSION DOMAIN MAP
Metadata Domain (M only)
  CR15 (Namespace): pure metadata
  CR8 (Thread): pure metadata
Capability Domain (E + M transient)
  CR5 (Services C-List): stable
  CR6 (Active C-List): dynamic
Execution Domain (X)
  CR14 (Active Nucleus): dynamic
  X = execute, optional R for constants
CRs hold capabilities exclusively. DRs hold values exclusively. No mixing — "oil and water."
mLoad is the single gate between domains.
CR0-CR4: remain NULL at boot. Populated by user code via mLoad (CAP.LOAD) during execution.