Figure 15 — Five-Phase Boot Sequence

Hardware initialization state machine. The machine starts in IDLE, resets all capability registers to NULL (failsafe), loads the namespace, initializes threads, loads the nucleus abstractions, and transitions to COMPLETE. Any failure at any phase routes to FAULT. No software runs until the hardware has established a safe, fully-validated initial state.

Hardware Boot State Machine
Each phase must complete successfully before the next begins. Any failure routes to FAULT.

IDLE: Power-on / Reset, state = 0x00
  → [RST]
Phase 1: FAULT_RST. All CRs ← NULL GT. CR0-CR15 zeroed, flags cleared, PC = 0. Failsafe: the machine starts with zero authority.
  → [CRs zeroed]
Phase 2: LOAD_NS. Load the namespace from ROM/Flash: read the namespace image → verify its integrity hash. Populate the namespace table (entries, seals, version counters). Set CR15 ← namespace root GT (global version = V1).
  → [CR15 set]
Phase 3: INIT_THRD. Initialize the thread infrastructure: create the boot thread control block, set CR8 ← thread identity GT (boot thread), initialize the stack pointer and allocate the initial call frame.
  → [CR8 set]
Phase 4: LOAD_NUC. Load the nucleus abstractions: load the Boot abstraction into CR0 (entry point); load the core abstractions (Threads, CapabilityManager, GC); verify all GTs via mLoad (version, seal, permissions).
  → [verified]
Phase 5: COMPLETE. CALL CR0 (Boot abstraction). The first instruction executes with full GT protection.

FAULT (any phase fails): hash mismatch, seal verify fail, version mismatch, permission denied, namespace corrupt, thread alloc fail. The machine halts; there is no recovery path. A single FAULT handler covers all boot failures.

Register State at Each Phase

Register   FAULT_RST   LOAD_NS   INIT_THRD   LOAD_NUC    COMPLETE
CR0-CR7    NULL        NULL      NULL        CR0=Boot    CR0=Boot
CR8        NULL        NULL      Thread ID   Thread ID   Thread ID
CR15       NULL        NS Root   NS Root     NS Root     NS Root
Flags      0x0000      0x0000    0x0000      0x0000      0x0000
PC         0x0000      0x0000    0x0000      0x0000      Boot entry

Why Hardware Boot Matters
Phase 1 (FAULT_RST) guarantees zero ambient authority: every register starts NULL. No software executes until Phase 5. The machine is safe before it is useful. Compare conventional boot: BIOS/UEFI runs with full ring-0 privilege from the first instruction.
IDLE (power-on)
Phase 1: FAULT_RST (zero authority)
Phase 2: LOAD_NS (namespace)
Phase 3: INIT_THRD (threads)
Phase 4: LOAD_NUC (nucleus)
Phase 5: COMPLETE (first CALL)
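The following C program is an added illustration, not code from the page or from the architecture it describes: it models the five-phase sequence as a state machine over sixteen capability registers, so the two properties the figure stresses can be checked directly (every register is NULL until the phase that sets it, and a failed check in any phase routes to a single FAULT with no recovery). The namespace image layout, the FNV-1a integrity hash, the seal constant, the nucleus entry record, the thread slot count and the register addresses are all constructed assumptions.

```c
/* Added example (not the page's own code): a software model of the
 * five-phase boot state machine in Figure 15. The namespace image layout,
 * the FNV-1a integrity hash, the seal constant and the nucleus table are
 * constructed assumptions so that the model runs stand-alone. */
#include <stdint.h>
#include <string.h>

enum phase { IDLE, FAULT_RST, LOAD_NS, INIT_THRD, LOAD_NUC, COMPLETE, FAULT };

/* A capability register; tag == 0 means NULL (no authority). */
struct cap { uint8_t tag; uint32_t base; uint32_t version; uint32_t seal; uint8_t perms; };
enum { CR_COUNT = 16, CR_BOOT = 0, CR_THREAD = 8, CR_NS_ROOT = 15 };

/* Constructed namespace image: payload followed by its expected hash, seal and version. */
struct ns_image { uint8_t payload[8]; uint32_t hash; uint32_t seal; uint32_t version; };

/* Constructed nucleus abstraction entry, checked the way the figure says mLoad does. */
struct nucleus_entry { uint32_t entry; uint32_t version; uint32_t seal; uint8_t perms; };
enum { PERM_EXEC = 0x1 };

struct machine {
    enum phase st;
    struct cap cr[CR_COUNT];
    uint16_t flags;
    uint32_t pc;
    uint32_t global_version;
    int threads_in_use, thread_slots;
    const char *fault_reason;
};

#define EXPECTED_SEAL 0x5EA1u /* constructed seal the loader checks against */

/* FNV-1a stands in for the integrity hash (assumption). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Single FAULT handler: record the reason and halt; no recovery path. */
static void fault(struct machine *m, const char *why) { m->st = FAULT; m->fault_reason = why; }

/* Phase 1: all CRs <- NULL, flags cleared, PC = 0. Zero authority. */
static void phase_fault_rst(struct machine *m) {
    memset(m->cr, 0, sizeof m->cr); m->flags = 0; m->pc = 0; m->st = FAULT_RST;
}

/* Phase 2: verify the namespace image, then CR15 <- namespace root. */
static void phase_load_ns(struct machine *m, const struct ns_image *img) {
    if (fnv1a(img->payload, sizeof img->payload) != img->hash) { fault(m, "hash mismatch"); return; }
    if (img->seal != EXPECTED_SEAL)                           { fault(m, "seal verify fail"); return; }
    if (img->version != 1)                                    { fault(m, "version mismatch"); return; }
    m->global_version = img->version;
    m->cr[CR_NS_ROOT] = (struct cap){ 1, 0x1000, img->version, img->seal, 0 };
    m->st = LOAD_NS;
}

/* Phase 3: allocate the boot thread control block, CR8 <- thread identity. */
static void phase_init_thrd(struct machine *m) {
    if (m->threads_in_use >= m->thread_slots) { fault(m, "thread alloc fail"); return; }
    m->threads_in_use++;
    m->cr[CR_THREAD] = (struct cap){ 1, 0x2000, m->global_version, EXPECTED_SEAL, 0 };
    m->st = INIT_THRD;
}

/* Phase 4: mLoad-style check (version, seal, permissions), then CR0 <- Boot. */
static void phase_load_nuc(struct machine *m, const struct nucleus_entry *boot) {
    if (boot->version != m->global_version) { fault(m, "version mismatch"); return; }
    if (boot->seal != EXPECTED_SEAL)        { fault(m, "seal verify fail"); return; }
    if (!(boot->perms & PERM_EXEC))         { fault(m, "permission denied"); return; }
    m->cr[CR_BOOT] = (struct cap){ 1, boot->entry, boot->version, boot->seal, boot->perms };
    m->st = LOAD_NUC;
}

/* Phase 5: CALL CR0; the first instruction runs only through a valid capability. */
static void phase_complete(struct machine *m) {
    if (!m->cr[CR_BOOT].tag) { fault(m, "permission denied"); return; }
    m->pc = m->cr[CR_BOOT].base; m->st = COMPLETE;
}

/* Drive the sequence; a fault in any phase stops the chain at FAULT. */
static enum phase boot(struct machine *m, const struct ns_image *img, const struct nucleus_entry *nuc) {
    memset(m, 0, sizeof *m); m->st = IDLE; m->thread_slots = 4;
    phase_fault_rst(m);
    if (m->st == FAULT_RST) phase_load_ns(m, img);
    if (m->st == LOAD_NS)   phase_init_thrd(m);
    if (m->st == INIT_THRD) phase_load_nuc(m, nuc);
    if (m->st == LOAD_NUC)  phase_complete(m);
    return m->st;
}

/* Number of non-NULL capability registers: the authority held at this point. */
static int live_caps(const struct machine *m) {
    int n = 0;
    for (int i = 0; i < CR_COUNT; i++) n += m->cr[i].tag != 0;
    return n;
}

/* Build a valid constructed image; callers may corrupt it to exercise FAULT. */
static struct ns_image make_image(void) {
    struct ns_image img = { {1, 2, 3, 4, 5, 6, 7, 8}, 0, EXPECTED_SEAL, 1 };
    img.hash = fnv1a(img.payload, sizeof img.payload);
    return img;
}
```

Run `boot()` once with a valid image and an executable Boot entry and it reaches COMPLETE with exactly three live capabilities (CR15, CR8, CR0) and PC at the Boot entry; flip one payload byte and the hash check faults in Phase 2 while every register is still NULL, which is the point of resetting the registers before loading anything rather than after.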