Boot and trust establishment
Boot is the sequence that takes a freshly-started kernel from "no userspace" to "fully-running system with real identities and policies". The kernel sets up bootstrap tokens before any userspace exists; prelude runs the initramfs and mounts the real root; peinit takes over as PID 1; authd starts and assumes responsibility for real identity creation. This page is the map for the sequence.
Concept: Before any userspace process exists, the kernel directly constructs two tokens — SYSTEM and Anonymous — that bootstrap the identity model. SYSTEM is authority-maximal and runs init; Anonymous is identity-minimal and backs Anonymous-level impersonation. This page covers what each carries, how they're constructed without going through kacs_create_token, and why they persist for the kernel's lifetime.
Concept: Between the kernel finishing its own initialisation and peinit taking over on the real root, Peios runs a small in-memory userspace stage — the initramfs — with prelude as its PID 1. prelude prepares the environment, runs the hooks that mount the real root, and hands the machine off. This page covers what the initramfs stage is for, the prelude component, the /system/boot/prelude/ directory the initramfs is built from, how it is kept current, and the handoff to the real root.
Concept: A boot hook is a shell script the initramfs runs before the real root is mounted. Hooks do every deployment-specific part of early boot — loading drivers, unlocking encryption, assembling volumes, mounting the real root. Each hook declares the capabilities it provides and requires, and the build resolves a safe running order from those declarations. This page covers where hooks live, the metadata format, the capability vocabulary, how ordering and failures behave, and how to write one.
Concept: peinit is the init system of the real root, signed at TCB trust level and running with the SYSTEM token. It takes over once the initramfs has mounted the real root and is responsible for the rest of userspace boot: applying mount policies, launching services, and transitioning to a steady-state system. This page covers what peinit does, why it has to be PID 1, and the service-launching pattern that's its primary job.
Concept: When authd starts, the system transitions from SYSTEM-everywhere to real identities. authd takes over token minting, populates the kernel's CAAP cache, and becomes the answer to "what is this principal allowed to be". This page covers authd's startup work and the handoff from kernel-direct identity to authd-managed identity.
Concept: The boot chain relies on a handful of kernel-level invariants — the LSM stack must include PKM and exclude MAC LSMs, certain build-config flags must be set, and the kernel must verify these at initialisation. This page covers the invariants the boot chain depends on and the failure modes if any are missing.