# Kernel Architecture

***

### Overview

| Property | Value              |
| -------- | ------------------ |
| Language | Rust (no\_std)     |
| Target   | x86\_64 bare metal |
| Size     | \~221KB            |
| LoC      | \~115,000          |

***

### Module Structure

```
nonos-kernel/src/
├── arch/x86_64/       # Architecture-specific code
├── boot/              # Early initialization
├── memory/            # Memory management
├── process/           # Scheduler, tasks
├── capabilities/      # Capability tokens
├── drivers/           # Hardware drivers
├── fs/                # Filesystem layer
├── network/           # Network stack
├── crypto/            # Cryptographic primitives
├── zk_engine/         # ZK proof verification
├── ui/                # Desktop, windows
├── interrupts/        # IRQ handling
├── vault/             # Secure key storage
└── lib.rs             # Kernel entry point
```

***

### Entry Point

The kernel starts at `kernel_main`:

1. Initialize VGA output
2. Set up panic handler
3. Initialize GDT and IDT
4. Initialize drivers
5. Run self-tests
6. Enter scheduler loop

***

### Memory Management

#### Physical Allocator

* Bitmap-based frame allocator
* 4KB page granularity
* Tracks free/used frames

#### Virtual Memory

* 4-level paging (PML4)
* Higher-half kernel mapping
* W^X enforcement (no RWX pages)
* Guard pages for stack overflow

#### Heap

* `#[global_allocator]` implementation
* Linked-list allocator
* Grows on demand

***

### Process Model

#### Tasks

* Lightweight execution units
* Cooperative scheduling (async/await)
* Per-task stacks (64KB default)

#### Scheduler

* Priority-based scheduling
* Async executor model
* Preemptive multitasking

***

### Capability System

Unforgeable tokens for access control:

```
┌──────────────────────────┐
│     Capability Token     │
├──────────────────────────┤
│  Object Reference        │
│  Permissions Bitmap      │
│  Cryptographic Tag       │
└──────────────────────────┘
```

Operations require presenting a valid capability.
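
A minimal sketch of how a token with these three fields can be minted and checked, added here as an illustration and not taken from nonos-kernel. The `Issuer`, `Capability` and `Denied` names, the 64-bit tag and the use of std's SipHash-2-4 as a stand-in MAC are all assumptions, and the code uses `std` so it runs on a host rather than in the `no_std` kernel.

```rust
// Added example (not nonos-kernel code): all names and the MAC choice are assumptions.
use std::hash::Hasher;

pub const READ: u32 = 1 << 0;
pub const WRITE: u32 = 1 << 1;

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Capability {
    pub object: u64, // object reference
    pub perms: u32,  // permissions bitmap
    pub tag: u64,    // cryptographic tag over (object, perms)
}

#[derive(Debug, PartialEq)]
pub enum Denied { BadTag, MissingPermission }

/// Kernel-side issuer and verifier; the MAC key never leaves it.
pub struct Issuer { k0: u64, k1: u64 }

impl Issuer {
    pub fn new(k0: u64, k1: u64) -> Self { Issuer { k0, k1 } }

    // Stand-in MAC: std's SipHash-2-4 keyed with the issuer secret.
    #[allow(deprecated)]
    fn mac(&self, object: u64, perms: u32) -> u64 {
        let mut h = std::hash::SipHasher::new_with_keys(self.k0, self.k1);
        h.write(&object.to_le_bytes());
        h.write(&perms.to_le_bytes());
        h.finish()
    }

    pub fn mint(&self, object: u64, perms: u32) -> Capability {
        Capability { object, perms, tag: self.mac(object, perms) }
    }

    /// Verify the tag first, then require every bit in `need`.
    pub fn check(&self, cap: &Capability, need: u32) -> Result<(), Denied> {
        if self.mac(cap.object, cap.perms) != cap.tag { return Err(Denied::BadTag); }
        if cap.perms & need != need { return Err(Denied::MissingPermission); }
        Ok(())
    }
}

fn main() {
    let kernel = Issuer::new(0x0123_4567_89ab_cdef, 0xfedc_ba98_7654_3210); // constructed key
    let cap = kernel.mint(42, READ);
    let forged = Capability { perms: READ | WRITE, ..cap }; // rights widened, old tag kept
    println!("{:?} {:?}", kernel.check(&cap, READ), kernel.check(&forged, WRITE));
}
```

Because the tag covers both the object reference and the permissions bitmap, a holder who edits either field without the issuer key fails the tag check before permissions are even consulted.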

***

### Driver Model

| Driver        | Purpose             |
| ------------- | ------------------- |
| `pci.rs`      | PCI bus enumeration |
| `ahci.rs`     | SATA storage        |
| `nvme.rs`     | NVMe storage        |
| `xhci.rs`     | USB 3.0             |
| `gpu.rs`      | Graphics output     |
| `keyboard.rs` | PS/2 & USB keyboard |
| `mouse.rs`    | PS/2 & USB mouse    |

***

### Filesystem

#### VFS Layer

Abstract filesystem interface:

* `open()`, `read()`, `write()`, `close()`
* Mount points
* Path resolution

#### Implementations

| FS       | Description          |
| -------- | -------------------- |
| RamFS    | In-memory filesystem |
| CryptoFS | Encrypted storage    |

***

### Network Stack

| Layer     | Implementation   |
| --------- | ---------------- |
| L3        | IPv4, IPv6       |
| L4        | TCP, UDP         |
| Transport | TCP              |
| TLS       | Post-quantum TLS |

***

### Cryptographic Modules

Located in `crypto/`:

| Module         | Algorithm             |
| -------------- | --------------------- |
| `ed25519.rs`   | Ed25519 signatures    |
| `blake3.rs`    | BLAKE3 hashing        |
| `sha512.rs`    | SHA-512 (for Ed25519) |
| `aes.rs`       | AES-256-GCM           |
| `chacha.rs`    | ChaCha20-Poly1305     |
| `kyber.rs`     | ML-KEM key exchange   |
| `dilithium.rs` | ML-DSA signatures     |

***

### User Interface

| Component | Purpose                |
| --------- | ---------------------- |
| Desktop   | Window management      |
| Terminal  | Shell interface        |
| Window    | Application containers |

***

### Interrupt Handling

* APIC-based interrupt routing
* IDT with 256 entries
* Handlers for: timer, keyboard, mouse, PCI, exceptions

***

### Safety

#### No-std Environment

* No standard library
* Custom panic handler
* Manual memory management

#### Unsafe Code

* Audited unsafe blocks for hardware access
* Minimal unsafe in crypto (secure memory zeroing only)
