Loregd

§2.1.1 Command-line interface

loregd <HiveName>=<DatabasePath> [<HiveName>=<DatabasePath> ...]

Each argument declares a hive name and the filesystem path to its SQLite database file. loregd registers all declared hives with LCS at startup.

Examples:

loregd Machine=/var/lib/registry/machine.regdb Users=/var/lib/registry/users.regdb
loregd Machine=/var/lib/registry/machine.regdb Users=/var/lib/registry/users.regdb Roles=/var/lib/registry/roles.regdb

loregd MUST accept one or more hive arguments. Zero arguments is an error (exit immediately with a non-zero status).

Hive names are case-insensitive for routing purposes but loregd preserves the case provided on the command line for registration with LCS.

Database paths MUST be absolute. Relative paths are an error.

§2.1.2 No configuration

loregd has no configuration file, no environment variable configuration, and no registry-based self-configuration. It is the configuration store — it does not need to be configured.

All operational behaviour is determined by:

• The command-line arguments (hive names and database paths)
• The SQLite database contents
• Compiled-in defaults (WAL mode, connection pool sizes, etc.)

§2.1.3 Startup sequence

1. Parse arguments. Extract hive name → database path mappings. Validate: at least one hive, all paths absolute, no duplicate hive names.

2. Open databases. For each hive, open (or create) the SQLite database file at the declared path. Enable WAL mode. Run PRAGMA journal_mode=wal and PRAGMA foreign_keys=ON.

3. Attach volatile stores. For each hive, create a shared in-memory database for volatile key storage using SQLite's shared-cache URI: ATTACH 'file:<hivename>_volatile?mode=memory&cache=shared' AS volatile. This URI MUST be identical across all connections (read and write) for the same hive, ensuring all connections share the same volatile store. Each hive has its own volatile store (distinct URI per hive).

4. Run schema migrations. Ensure the database schema matches the current loregd version. Create tables if the database is new. Migrate if the schema version is older. Refuse to start if the schema version is newer than loregd supports (prevents downgrade corruption).

5. First-boot detection. For each hive, check whether a root key record exists. If not, this is a first boot for this hive: generate a random GUID for the root key, create the root key record with the appropriate default SD (PSD-005 §3.1.4), and persist it.

6. Crash recovery. For each hive, clean up orphaned GUIDs: delete key records that have no corresponding path entries in any layer. Cascade to values and blanket tombstones. SQLite's WAL recovery handles any uncommitted transactions automatically when the database is opened.

7. Compute max sequence. For each hive, query the maximum sequence number across all tables (path_entries, values, blanket_tombstones). Report the global maximum across all hives in the registration handshake.

8. Open /dev/pkm_registry. Requires SeTcbPrivilege in the calling thread's token.

9. Register hives. Issue REG_SRC_REGISTER with all hive names, root GUIDs, the global max sequence number, and flags (no private hives — loregd registers global hives only).

10. Enter request loop. Begin reading RSI requests from /dev/pkm_registry and dispatching to the appropriate hive database.

§2.1.4 Exit behaviour

loregd exits when:

• /dev/pkm_registry is closed by the kernel (LCS shutdown)
• A fatal database error occurs (corruption, disk full)
• peinit sends a termination signal

On exit, loregd closes all database connections. SQLite finalises any open WAL transactions. The volatile stores (in-memory databases) are destroyed — volatile keys are gone. LCS detects the source disconnect and marks all hives as unavailable.

Each hive has its own SQLite database. The schema is identical across all hive databases. loregd creates these tables on first boot and migrates them on schema version changes.

§3.1.1 Schema version tracking

CREATE TABLE schema_version (
    version INTEGER NOT NULL
);

A single row. The current schema version is 1 (the initial release defined by this specification). loregd checks this at startup. If the version is older, loregd runs migrations. If newer, loregd refuses to start (prevents downgrade corruption). On first boot (empty database), loregd creates the schema and inserts version 1.

§3.1.2 Keys table

CREATE TABLE keys (
    guid           BLOB NOT NULL PRIMARY KEY,
    name           TEXT NOT NULL,
    name_folded    TEXT NOT NULL,
    parent_guid    BLOB,
    sd             BLOB NOT NULL,
    volatile       INTEGER NOT NULL DEFAULT 0,
    symlink        INTEGER NOT NULL DEFAULT 0,
    last_write_time INTEGER NOT NULL
);

• guid: 16-byte GUID assigned by LCS. Primary key.
• name: Case-preserving key name component.
• name_folded: Unicode Simple Case Folded form of name. Used for case-insensitive lookups.
• parent_guid: GUID of the parent key. NULL for hive root.
• sd: Security Descriptor in PSD-004 binary format.
• volatile: 1 if volatile, 0 if persistent. Volatile keys are stored in the attached in-memory database, not this table. This column exists only for persistent keys and is always 0 in the on-disk database. See §3.1.6.
• symlink: 1 if this key is a symbolic link, 0 otherwise.
• last_write_time: Unix nanoseconds.

§3.1.3 Path entries table

CREATE TABLE path_entries (
    parent_guid    BLOB NOT NULL,
    child_name     TEXT NOT NULL,
    child_name_folded TEXT NOT NULL,
    layer          TEXT NOT NULL,
    target_type    INTEGER NOT NULL,
    target_guid    BLOB,
    sequence       INTEGER NOT NULL,
    PRIMARY KEY (parent_guid, child_name_folded, layer)
);

CREATE INDEX idx_path_entries_target
    ON path_entries (target_guid)
    WHERE target_type = 0;

• parent_guid: GUID of the parent key.
• child_name: Case-preserving child name.
• child_name_folded: Folded form for case-insensitive primary key.
• layer: Layer name (case-sensitive, binary comparison).
• target_type: 0 = GUID (key exists in this layer), 1 = HIDDEN (tombstone masking lower layers).
• target_guid: The key GUID if target_type=0. NULL if HIDDEN.
• sequence: Monotonic sequence number assigned by LCS.

The index on target_guid (for non-HIDDEN entries) enables efficient orphan detection: keys whose GUID does not appear in any path entry.

§3.1.4 Values table

CREATE TABLE values (
    key_guid       BLOB NOT NULL,
    name           TEXT NOT NULL,
    name_folded    TEXT NOT NULL,
    layer          TEXT NOT NULL,
    type           INTEGER NOT NULL,
    data           BLOB,
    sequence       INTEGER NOT NULL,
    PRIMARY KEY (key_guid, name_folded, layer)
);

• key_guid: GUID of the key this value belongs to.
• name: Case-preserving value name. Empty string for the default value.
• name_folded: Folded form. Empty string for the default value.
• layer: Layer name.
• type: Registry value type (REG_SZ=1, REG_DWORD=4, etc.). REG_TOMBSTONE (0xFFFF) for tombstones.
• data: Value payload. NULL for tombstones.
• sequence: Monotonic sequence number.

§3.1.5 Blanket tombstones table

CREATE TABLE blanket_tombstones (
    key_guid       BLOB NOT NULL,
    layer          TEXT NOT NULL,
    sequence       INTEGER NOT NULL,
    PRIMARY KEY (key_guid, layer)
);

• key_guid: GUID of the key this blanket tombstone belongs to.
• layer: Layer name.
• sequence: Monotonic sequence number.

§3.1.6 Volatile key schema

Volatile keys are stored in the ATTACHed shared in-memory database (volatile). The volatile store uses SQLite's shared-cache URI (file:<hivename>_volatile?mode=memory&cache=shared) so all connections (read and write) for the same hive share the same volatile data. The volatile database has identical table structures:

-- In the 'volatile' attached database:
CREATE TABLE volatile.keys          (...same columns as main.keys...);
CREATE TABLE volatile.path_entries  (...same columns as main.path_entries...);
CREATE TABLE volatile.values        (...same columns as main.values...);
CREATE TABLE volatile.blanket_tombstones (...same columns...);

CREATE INDEX volatile.idx_path_entries_target
    ON path_entries (target_guid)
    WHERE target_type = 0;

When processing RSI operations, loregd checks the volatile flag on the target key to determine which database to query/write:

• volatile=1 → query/write volatile.* tables
• volatile=0 → query/write main.* tables

For RSI_LOOKUP and RSI_ENUM_CHILDREN, loregd MUST query both the main and volatile tables and merge the results, since a parent key may be persistent while a child is volatile (or vice versa, though a non-volatile child under a volatile parent is forbidden by PSD-005 §2.1).

For RSI_CREATE_KEY, loregd stores the key in the volatile database if the volatile flag is set in the request, otherwise in the main database.

§3.1.7 Case folding

The name_folded and child_name_folded columns store the Unicode Simple Case Folded form (CaseFolding.txt, status S and C entries, Unicode 16.0 per PSD-005 §2.3) of the corresponding name. loregd computes the folded form at write time and uses the folded column in all WHERE clauses and primary key lookups.

This avoids the need for a custom SQLite collation function. Queries use exact binary comparison on the folded column:

-- Lookup by name (case-insensitive):
SELECT * FROM path_entries
WHERE parent_guid = ? AND child_name_folded = ?

The canonical (case-preserving) name is stored separately and returned in RSI responses. Callers see the original case; storage comparisons use the folded form.

loregd uses SQLite's WAL (Write-Ahead Logging) mode for each hive database. WAL mode enables concurrent reads with serialised writes.

§4.1.1 Connection pool

For each hive database, loregd maintains:

• One write connection. All mutating RSI operations (RSI_CREATE_KEY, RSI_CREATE_ENTRY, RSI_SET_VALUE, RSI_DELETE_ENTRY, RSI_HIDE_ENTRY, RSI_DELETE_VALUE_ENTRY, RSI_WRITE_KEY, RSI_DROP_KEY, RSI_SET_BLANKET_TOMBSTONE, RSI_DELETE_LAYER, RSI_FLUSH) are dispatched to this connection. SQLite's single-writer model serialises all writes at the database level.

• Multiple read connections. Read-only RSI operations (RSI_LOOKUP, RSI_READ_KEY, RSI_QUERY_VALUES, RSI_ENUM_CHILDREN) are dispatched to a pool of read connections. WAL mode allows concurrent readers that do not block writers and are not blocked by writers. Each reader sees a consistent snapshot from the point at which its transaction began.

The number of read connections is a compiled-in default. A reasonable starting point is the number of available CPU cores, capped at a maximum (e.g., 16). This is not configurable via the registry (loregd has no self-configuration).

Volatile store concurrency. The volatile store uses SQLite shared-cache mode, not WAL mode (in-memory databases do not support WAL). Shared-cache uses table-level locking: concurrent reads are allowed, but a write to a volatile table blocks readers of that table and vice versa. This is coarser than WAL's MVCC snapshot isolation. In practice, volatile key contention is low (volatile keys are typically transient runtime state, not hot-path configuration), so the difference is negligible.

§4.1.2 Request dispatch

RSI requests arrive multiplexed on the /dev/pkm_registry fd. Each request carries a request_id and (for requests within a transaction) a txn_id in the header.

loregd dispatches requests as follows:

1. Identify the target hive. The request's key GUID or parent GUID determines the hive. loregd maintains an in-memory GUID→hive cache, seeded at startup with each hive's root GUID. On RSI_CREATE_KEY, loregd adds the new GUID to the cache. On RSI_DROP_KEY, loregd removes it. For a GUID not in the cache (e.g., after restart with existing data), loregd queries each hive database (SELECT 1 FROM keys WHERE guid = ? LIMIT 1) and caches the result. For RSI_LOOKUP and RSI_ENUM_CHILDREN, the parent_guid identifies the hive. For all other operations, the key GUID identifies it.

2. Classify as read or write. Read operations go to the read pool. Write operations go to the write connection.

3. Transaction routing. RSI_BEGIN_TRANSACTION does not require hive identification — loregd records the txn_id and returns RSI_OK. For subsequent operations with a non-zero txn_id:

   • For the first mutating operation: identify the target hive from the operation's GUID, acquire the write connection for that hive, and begin a SQLite transaction (BEGIN IMMEDIATE). Associate the txn_id with this hive's write connection. If SQLITE_BUSY, return RSI_TXN_BUSY.
   • For subsequent operations: verify the txn_id is associated with the same hive. LCS enforces hive-scoping at the kernel level, so loregd should never receive a cross-hive operation within a transaction.
   • For read operations within a transaction: use the write connection (to get read-your-own-writes isolation).

4. Execute and respond. Process the operation against the appropriate database, construct the RSI response, and write it to /dev/pkm_registry.

§4.1.3 Write serialisation

SQLite WAL mode serialises writers at the database level. If two RSI write requests arrive concurrently for the same hive:

• If no transaction is active, each write auto-commits independently. The second write blocks briefly while SQLite acquires the write lock, then proceeds. No RSI_TXN_BUSY.

• If an explicit transaction holds the write connection, non- transactional writes wait for the transaction to commit or abort. If the wait exceeds SQLite's busy timeout, loregd returns RSI_TXN_BUSY.

loregd configures SQLite's busy timeout to a compiled-in default of 25000 milliseconds (25 seconds), shorter than LCS's default RequestTimeoutMs (30 seconds). This ensures loregd responds with RSI_TXN_BUSY before LCS times out the caller.

§4.1.4 Cross-hive transactions

Transactions are hive-scoped. LCS enforces this at the kernel level — if a transaction bound to Machine\ receives an operation targeting Users, LCS returns EXDEV to the caller before the request reaches loregd. loregd never receives cross-hive operations within a transaction and does not need to handle this case.

This section describes how loregd handles each RSI operation. For wire format details, see PSD-005 §11.3.

§5.1.1 Transaction-aware request routing

Every RSI request carries a txn_id in the header. When txn_id is non-zero and the transaction is bound to a hive (a prior mutating operation established the binding), loregd routes the request to that hive's write connection — even for read operations. This provides read-your-own-writes isolation: reads within a transaction see the transaction's uncommitted writes.

When txn_id is non-zero but the transaction is not yet bound (no prior mutating operation), reads use the normal read connection pool. There are no uncommitted writes to see.

When txn_id is zero, the request is dispatched normally: reads to the read pool, writes to the write connection.

§5.1.2 RSI_LOOKUP

Query: select all path entries for (parent_guid, child_name_folded) across all layers, from both main and volatile databases.

SELECT child_name, layer, target_type, target_guid, sequence
FROM main.path_entries
WHERE parent_guid = ? AND child_name_folded = ?
UNION ALL
SELECT child_name, layer, target_type, target_guid, sequence
FROM volatile.path_entries
WHERE parent_guid = ? AND child_name_folded = ?

For each unique target_guid (excluding HIDDEN entries), also fetch the key metadata:

SELECT guid, sd, volatile, symlink, last_write_time
FROM main.keys WHERE guid IN (?)
UNION ALL
SELECT guid, sd, volatile, symlink, last_write_time
FROM volatile.keys WHERE guid IN (?)

Return all entries and metadata in the RSI response. loregd MUST NOT filter or resolve layers.

§5.1.3 RSI_CREATE_ENTRY

Insert a path entry:

INSERT INTO <main|volatile>.path_entries
    (parent_guid, child_name, child_name_folded, layer,
     target_type, target_guid, sequence)
VALUES (?, ?, fold(?), ?, 0, ?, ?)

The target database (main or volatile) is determined by looking up the target_guid in both databases to find the key's volatile flag. If the key is volatile, the path entry goes in the volatile database. If persistent, it goes in main.

Return RSI_ALREADY_EXISTS if the (parent_guid, child_name_folded, layer) primary key already exists.

§5.1.4 RSI_HIDE_ENTRY

Insert a HIDDEN path entry:

INSERT OR REPLACE INTO <main|volatile>.path_entries
    (parent_guid, child_name, child_name_folded, layer,
     target_type, target_guid, sequence)
VALUES (?, ?, fold(?), ?, 1, NULL, ?)

HIDDEN entries go in the main database unless the parent key is volatile (in which case the entire subtree is volatile).

§5.1.5 RSI_DELETE_ENTRY

Delete a specific path entry:

DELETE FROM main.path_entries
WHERE parent_guid = ? AND child_name_folded = ? AND layer = ?;
DELETE FROM volatile.path_entries
WHERE parent_guid = ? AND child_name_folded = ? AND layer = ?;

Execute against both databases. Idempotent — deleting a non-existent entry is not an error.

§5.1.6 RSI_ENUM_CHILDREN

Query all children under a parent, across all layers, from both databases:

SELECT child_name, child_name_folded, layer, target_type,
       target_guid, sequence
FROM main.path_entries WHERE parent_guid = ?
UNION ALL
SELECT child_name, child_name_folded, layer, target_type,
       target_guid, sequence
FROM volatile.path_entries WHERE parent_guid = ?

Collect unique target_guids and fetch metadata (same as RSI_LOOKUP). Return the full result set.

§5.1.7 RSI_CREATE_KEY

Insert a new key record:

INSERT INTO <main|volatile>.keys
    (guid, name, name_folded, parent_guid, sd, volatile, symlink,
     last_write_time)
VALUES (?, ?, fold(?), ?, ?, ?, ?, ?)

The last_write_time field is not provided in the RSI request. loregd sets it to the current wall-clock time (Unix nanoseconds) at key creation.

Target database: volatile database if the volatile flag is set, main database otherwise.

Return RSI_ALREADY_EXISTS if the GUID already exists.

§5.1.8 RSI_READ_KEY

Fetch a key record by GUID:

SELECT name, parent_guid, sd, volatile, symlink, last_write_time
FROM main.keys WHERE guid = ?
UNION ALL
SELECT name, parent_guid, sd, volatile, symlink, last_write_time
FROM volatile.keys WHERE guid = ?

Return the first match. Return RSI_NOT_FOUND if the GUID does not exist in either database.

§5.1.9 RSI_WRITE_KEY

Update mutable fields on a key:

loregd builds a single UPDATE statement from the field_mask, setting only the fields whose bits are present:

-- Combined update (example with both bits set):
UPDATE <main|volatile>.keys
SET sd = ?, last_write_time = ?
WHERE guid = ?

If no explicit transaction is active, this single statement is auto-committed atomically. If an explicit transaction is active, it runs within that transaction.

Determine which database by querying both for the GUID. Return RSI_INVALID if the field_mask has any bits set at positions other than 0 (SD) and 1 (last_write_time). Valid masks are 0x00, 0x01, 0x02, and 0x03. Any other value indicates an attempt to modify immutable fields.

§5.1.10 RSI_DROP_KEY

Purge all data for a GUID across both databases:

DELETE FROM main.keys WHERE guid = ?;
DELETE FROM main.path_entries WHERE target_guid = ?;
DELETE FROM main.values WHERE key_guid = ?;
DELETE FROM main.blanket_tombstones WHERE key_guid = ?;
DELETE FROM volatile.keys WHERE guid = ?;
DELETE FROM volatile.path_entries WHERE target_guid = ?;
DELETE FROM volatile.values WHERE key_guid = ?;
DELETE FROM volatile.blanket_tombstones WHERE key_guid = ?;

Idempotent — dropping a non-existent GUID is RSI_OK.

§5.1.11 RSI_QUERY_VALUES

Fetch all layer entries for a specific value (or all values if query_all flag set):

-- Single value:
SELECT name, layer, type, data, sequence
FROM main.values
WHERE key_guid = ? AND name_folded = ?
UNION ALL
SELECT name, layer, type, data, sequence
FROM volatile.values
WHERE key_guid = ? AND name_folded = ?

-- Query all (query_all flag set):
SELECT name, layer, type, data, sequence
FROM main.values WHERE key_guid = ?
UNION ALL
SELECT name, layer, type, data, sequence
FROM volatile.values WHERE key_guid = ?

Also return blanket tombstone state:

SELECT layer, sequence
FROM main.blanket_tombstones WHERE key_guid = ?
UNION ALL
SELECT layer, sequence
FROM volatile.blanket_tombstones WHERE key_guid = ?

§5.1.12 RSI_SET_VALUE

Insert or replace a value entry:

INSERT OR REPLACE INTO <main|volatile>.values
    (key_guid, name, name_folded, layer, type, data, sequence)
VALUES (?, ?, fold(?), ?, ?, ?, ?)

Conditional write (expected_sequence non-zero): Before writing, atomically check the current entry:

-- Within a single transaction:
SELECT sequence FROM <main|volatile>.values
WHERE key_guid = ? AND name_folded = ? AND layer = ?

If the row does not exist or the sequence does not match expected_sequence, return RSI_CAS_FAILED without writing. SQLite's transaction isolation guarantees atomicity within the write connection.

Target database: determined by the key's volatile flag (look up the GUID in both databases). If the key GUID does not exist in either database, return RSI_NOT_FOUND.

§5.1.13 RSI_DELETE_VALUE_ENTRY

Delete a specific value entry:

DELETE FROM main.values
WHERE key_guid = ? AND name_folded = ? AND layer = ?;
DELETE FROM volatile.values
WHERE key_guid = ? AND name_folded = ? AND layer = ?;

Idempotent.

§5.1.14 RSI_SET_BLANKET_TOMBSTONE

Set or remove a blanket tombstone:

-- Set:
INSERT OR REPLACE INTO <main|volatile>.blanket_tombstones
    (key_guid, layer, sequence)
VALUES (?, ?, ?)

-- Remove:
DELETE FROM <main|volatile>.blanket_tombstones
WHERE key_guid = ? AND layer = ?

Target database: determined by the key's volatile flag.

§5.1.15 RSI_DELETE_LAYER

Remove all entries for a layer across all tables in both databases:

BEGIN;

-- Capture orphaned GUIDs before deletion (both databases)
SELECT DISTINCT target_guid FROM (
    SELECT target_guid FROM main.path_entries
    WHERE layer = ? AND target_type = 0
    UNION ALL
    SELECT target_guid FROM volatile.path_entries
    WHERE layer = ? AND target_type = 0
) AS deleted_entries
WHERE target_guid NOT IN (
    SELECT target_guid FROM main.path_entries
    WHERE layer != ? AND target_type = 0
    UNION
    SELECT target_guid FROM volatile.path_entries
    WHERE layer != ? AND target_type = 0
);

DELETE FROM main.path_entries WHERE layer = ?;
DELETE FROM main.values WHERE layer = ?;
DELETE FROM main.blanket_tombstones WHERE layer = ?;
DELETE FROM volatile.path_entries WHERE layer = ?;
DELETE FROM volatile.values WHERE layer = ?;
DELETE FROM volatile.blanket_tombstones WHERE layer = ?;

COMMIT;

Return the set of orphaned GUIDs in the response.

§5.1.16 RSI_BEGIN_TRANSACTION

Record the txn_id as a pending transaction. No SQLite transaction is opened at this point — hive binding and BEGIN IMMEDIATE are deferred until the first mutating operation arrives with this txn_id (see §4.1). Return RSI_OK immediately.

The actual SQLite transaction lifecycle:

• First mutating op with this txn_id: loregd identifies the target hive from the operation's GUID, opens BEGIN IMMEDIATE on that hive's write connection, and associates the txn_id with the hive. If SQLITE_BUSY, return RSI_TXN_BUSY.
• RSI_COMMIT_TRANSACTION: COMMIT on the associated connection.
• RSI_ABORT_TRANSACTION: ROLLBACK on the associated connection.

§5.1.17 RSI_COMMIT_TRANSACTION

Commit the SQLite transaction:

COMMIT;

Return RSI_OK on success. If COMMIT fails (I/O error), return RSI_STORAGE_ERROR. The transaction remains open for retry or abort.

§5.1.18 RSI_ABORT_TRANSACTION

Roll back the SQLite transaction:

ROLLBACK;

Disassociate the txn_id from the write connection. Always succeeds.

§5.1.19 RSI_FLUSH

The request carries a hive name. loregd maps the hive name to the corresponding database connection and forces a WAL checkpoint:

PRAGMA wal_checkpoint(TRUNCATE);

Returns when the checkpoint completes and all data is durable. If the hive name does not match any hive registered by this loregd instance, return RSI_INVALID.