Struct Kernel 

pub struct Kernel { /* private fields */ }

High-level kernel interface wrapping the verified state machine.

All state transitions go through State and Step, which have machine-checked correspondence to the Lean specification.

§Examples

use lion_core::{Kernel, SecurityLevel};

let mut kernel = Kernel::new();
kernel.register_plugin(1, SecurityLevel::Public, 4096).unwrap();
assert_eq!(kernel.plugin_count(), 1);
assert_eq!(kernel.plugin_level(1), Some(SecurityLevel::Public));

Implementations§

impl Kernel

pub fn new() -> Self

Create a new kernel with empty state.

pub fn state(&self) -> &State

Get a reference to the underlying verified state.

pub fn time(&self) -> u64

Get the current logical time.

pub fn tick(&mut self) -> Result<(), Error>

Advance the logical clock by one tick.

§Errors

Returns Error if the u64 time counter is already at u64::MAX and cannot be advanced without overflowing.

pub fn execute(&mut self, step: &Step) -> Result<(), Error>

Execute a step against the current state.

The step is validated and executed atomically. On success, the internal state is updated. On failure, the state is unchanged.

§Errors

Returns Error::Step if the step’s preconditions are not met or execution fails.

pub fn execute_mut(&mut self, step: &Step) -> Result<(), Error>

Execute a step by mutating state in place (production path).

Same validation as execute, but without cloning the full state. On failure, some of the step's mutations may already have been applied, so callers must treat a failed execute_mut as non-recoverable: stop issuing steps to this kernel (or discard it) rather than retrying against a possibly inconsistent state. The pure path reaches the same end result by simply discarding the failed clone.

§Errors

Returns Error::Step if the step’s preconditions are not met or execution fails.
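The difference between the two paths is easiest to see with a step that fails after its first write has already landed. The block below is an added example, not code from lion_core: it uses local toy types named State, Step and Kernel that are unrelated to the crate's (with hypothetical fields a and b), and it adds a hypothetical poisoned flag to show one way a kernel can enforce the "treat failure as non-recoverable" rule for the in-place path.

```rust
/// Toy state with two fields so a step can fail after its first write landed.
/// (Hypothetical type for this example, not lion_core::State.)
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct State { pub a: u64, pub b: u64 }

#[derive(Debug, PartialEq, Eq)]
pub enum Error { Step(&'static str), Poisoned }

/// Hypothetical step: add to both counters, checking for overflow as it goes.
pub struct Step { pub add_a: u64, pub add_b: u64 }

impl Step {
    /// Apply in place. If the second write fails, `s.a` has already changed.
    pub fn apply(&self, s: &mut State) -> Result<(), Error> {
        s.a = s.a.checked_add(self.add_a).ok_or(Error::Step("a would overflow"))?;
        s.b = s.b.checked_add(self.add_b).ok_or(Error::Step("b would overflow"))?;
        Ok(())
    }
}

pub struct Kernel { state: State, poisoned: bool }

impl Kernel {
    pub fn new() -> Self { Kernel { state: State { a: 0, b: 0 }, poisoned: false } }
    pub fn state(&self) -> &State { &self.state }

    /// Pure path: run the step on a clone and commit only on success,
    /// so a failure leaves `self.state` exactly as it was.
    pub fn execute(&mut self, step: &Step) -> Result<(), Error> {
        if self.poisoned { return Err(Error::Poisoned); }
        let mut next = self.state.clone();
        step.apply(&mut next)?; // on Err the clone is dropped right here
        self.state = next;
        Ok(())
    }

    /// Production path: mutate in place, no clone. A failure may leave a
    /// half-applied step, so this example poisons the kernel and refuses
    /// further steps instead of letting callers retry on inconsistent state.
    pub fn execute_mut(&mut self, step: &Step) -> Result<(), Error> {
        if self.poisoned { return Err(Error::Poisoned); }
        let result = step.apply(&mut self.state);
        if result.is_err() { self.poisoned = true; }
        result
    }
}

/// Run the same failing step through both paths and return what each leaves
/// behind, plus the result of trying to continue on the poisoned kernel.
pub fn demo() -> (State, State, Result<(), Error>) {
    let seed = Step { add_a: 0, add_b: 1 };
    let bad = Step { add_a: 1, add_b: u64::MAX }; // second write overflows once b == 1

    let mut pure = Kernel::new();
    pure.execute(&seed).unwrap();
    assert_eq!(pure.execute(&bad), Err(Error::Step("b would overflow")));

    let mut prod = Kernel::new();
    prod.execute_mut(&seed).unwrap();
    assert_eq!(prod.execute_mut(&bad), Err(Error::Step("b would overflow")));
    let later = prod.execute_mut(&seed);

    (pure.state().clone(), prod.state().clone(), later)
}

fn main() {
    let (pure, prod, later) = demo();
    println!("pure path after failure: {pure:?}");      // unchanged: a = 0, b = 1
    println!("in-place path after failure: {prod:?}");  // partial:   a = 1, b = 1
    println!("next step on poisoned kernel: {later:?}");
}
```

The pure path pays for a full clone on every step but never exposes a half-applied transition; the in-place path is cheaper and, on the success path, observably identical. The poison flag is one defensive choice for the failure path; the documented contract only requires that callers not continue after a failed execute_mut.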

pub fn register_plugin(
    &mut self,
    id: PluginId,
    level: SecurityLevel,
    mem_size: Size,
) -> Result<(), Error>

Register a new plugin with the given security level and memory size.

§Errors

Returns an error if a plugin with the same ID already exists.

pub fn plugin_level(&self, id: PluginId) -> Option<SecurityLevel>

Get the security level of a plugin.

pub fn get_cap(&self, cap_id: CapId) -> Option<&Capability>

Get a capability by ID.

pub fn cap_is_valid(&self, cap_id: CapId) -> bool

Check if a capability is valid (not revoked).

pub fn plugin_holds(&self, pid: PluginId, cap_id: CapId) -> bool

Check if a plugin holds a specific capability.

pub fn delegate_cap(
    &mut self,
    parent_id: CapId,
    target: PluginId,
    requested_rights: Rights,
) -> Result<CapId, Error>

Delegate a capability to a target plugin.

The kernel mints the child capability internally:

  • Validates that the parent exists and has not been revoked
  • Allocates a fresh capability ID
  • Intersects the requested rights with the parent's rights, so a child can never hold a right its parent lacks
  • Computes the HMAC seal with the current key
  • Inserts the child and grants it to the target plugin

§Arguments

  • parent_id - The parent capability to derive from
  • target - The plugin to receive the delegated capability
  • requested_rights - The rights requested (intersected with the parent's rights)

§Errors

  • Error::Capability(CapabilityError::Revoked) if the parent capability is revoked
  • Error::Capability(CapabilityError::EmptyRights) if the rights intersection is empty
  • Error::Kernel(KernelError::CapNotFound) if the parent capability does not exist
  • Error::Kernel(KernelError::CapIdExhausted) if the capability ID space is exhausted
  • Error::Kernel(KernelError::CapIdCollision) if the freshly allocated ID already exists (an internal invariant violation; should not happen)

pub fn insert_cap_raw(
    &mut self,
    cap: Capability,
    target: PluginId,
) -> Result<(), Error>

Insert a pre-formed capability (kernel-internal / test use only).

This bypasses kernel minting entirely: no fresh ID is allocated, the rights are not intersected with any parent, and no seal is computed, so the caller is responsible for the capability being well-formed. Use delegate_cap() for the safe delegation path.

§Errors

Returns Error::Kernel(KernelError::CapIdCollision) if a capability with the same ID already exists.

pub fn revoke_cap(&mut self, cap_id: CapId) -> Result<(), Error>

Revoke a capability transitively.

The capability and every capability derived from it (its children, their children, and so on) are marked invalid. Revocation walks the children index breadth-first, so the cost is O(k) in the number k of descendant capabilities rather than proportional to the whole capability table.

§Errors

Returns Error::Kernel(KernelError::CapNotFound) if the capability does not exist.

pub fn alloc(&mut self, owner: PluginId, size: Size) -> u64

Allocate a memory resource of the given size owned by owner, returning its address. The address is the handle that capabilities target and that is later passed to free.

pub fn free(&mut self, addr: u64) -> Result<(), Error>

Free a memory resource.

§Errors

Returns an error if the address is not live, or if any valid capability still targets it (temporal safety: freeing would leave a dangling capability, so revoke those capabilities first).
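A self-contained model of the three operations above, delegate_cap, revoke_cap and free, as an added example rather than lion_core's own code. The CapTable, the Rights bitmask, the CapError enum and the addr field are hypothetical stand-ins for the crate's State, Rights and error types, and the HMAC sealing step is left out because it needs a key. It shows the rights intersection attenuating a child, the children-index breadth-first walk invalidating a whole derivation subtree, and free refusing an address that live capabilities still target.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

type CapId = u64;
type PluginId = u64;

/// Rights as a small bitmask; attenuation on delegation is bitwise AND.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Rights(u8);
impl Rights {
    pub const READ: Rights = Rights(0b001);
    pub const WRITE: Rights = Rights(0b010);
    pub const EXEC: Rights = Rights(0b100);
    pub fn union(self, o: Rights) -> Rights { Rights(self.0 | o.0) }
    pub fn intersect(self, o: Rights) -> Rights { Rights(self.0 & o.0) }
    pub fn is_empty(self) -> bool { self.0 == 0 }
}

/// Variant names mirror the errors the page lists; the enum itself is local to this example.
#[derive(Debug, PartialEq, Eq)]
pub enum CapError { CapNotFound, Revoked, EmptyRights, CapIdExhausted, AddrInUse, AddrNotLive }
#[derive(Clone, Debug)]
pub struct Capability { pub parent: Option<CapId>, pub addr: u64, pub rights: Rights, pub valid: bool }

/// Stand-in for the kernel's capability state (hypothetical, not lion_core's State).
#[derive(Default)]
pub struct CapTable {
    caps: BTreeMap<CapId, Capability>,
    children: BTreeMap<CapId, Vec<CapId>>,        // parent -> direct children ("children index")
    holders: BTreeMap<PluginId, BTreeSet<CapId>>,  // plugin -> capabilities it holds
    live: BTreeSet<u64>,                           // allocated and not yet freed
    next_id: CapId,
}

impl CapTable {
    /// Mark `addr` live and mint a root capability over it for `owner`.
    pub fn alloc(&mut self, owner: PluginId, addr: u64, rights: Rights) -> Result<CapId, CapError> {
        self.live.insert(addr);
        let id = self.fresh_id()?;
        self.caps.insert(id, Capability { parent: None, addr, rights, valid: true });
        self.holders.entry(owner).or_default().insert(id);
        Ok(id)
    }

    fn fresh_id(&mut self) -> Result<CapId, CapError> {
        let id = self.next_id;
        self.next_id = id.checked_add(1).ok_or(CapError::CapIdExhausted)?;
        Ok(id)
    }

    /// Delegation as listed on the page: validate parent, fresh ID, intersect rights, index the child, grant it. (HMAC seal omitted.)
    pub fn delegate(&mut self, parent_id: CapId, target: PluginId, requested: Rights) -> Result<CapId, CapError> {
        let parent = self.caps.get(&parent_id).ok_or(CapError::CapNotFound)?;
        if !parent.valid { return Err(CapError::Revoked); }
        let rights = parent.rights.intersect(requested); // child can never exceed its parent
        if rights.is_empty() { return Err(CapError::EmptyRights); }
        let addr = parent.addr;
        let id = self.fresh_id()?;
        self.caps.insert(id, Capability { parent: Some(parent_id), addr, rights, valid: true });
        self.children.entry(parent_id).or_default().push(id);
        self.holders.entry(target).or_default().insert(id);
        Ok(id)
    }

    /// Transitive revocation: BFS over the children index; returns how many caps were newly invalidated.
    pub fn revoke(&mut self, cap_id: CapId) -> Result<usize, CapError> {
        if !self.caps.contains_key(&cap_id) { return Err(CapError::CapNotFound); }
        let mut queue = VecDeque::from([cap_id]);
        let mut newly = 0;
        while let Some(id) = queue.pop_front() {
            let cap = self.caps.get_mut(&id).expect("children index only names existing caps");
            if cap.valid { cap.valid = false; newly += 1; }
            if let Some(kids) = self.children.get(&id) { queue.extend(kids.iter().copied()); }
        }
        Ok(newly)
    }

    /// Temporal safety: refuse to free while any valid capability still targets `addr`.
    pub fn free(&mut self, addr: u64) -> Result<(), CapError> {
        if !self.live.contains(&addr) { return Err(CapError::AddrNotLive); }
        if self.caps.values().any(|c| c.valid && c.addr == addr) { return Err(CapError::AddrInUse); }
        self.live.remove(&addr);
        Ok(())
    }

    pub fn is_valid(&self, id: CapId) -> bool { self.caps.get(&id).map_or(false, |c| c.valid) }
    pub fn rights_of(&self, id: CapId) -> Option<Rights> { self.caps.get(&id).map(|c| c.rights) }
    pub fn plugin_holds(&self, pid: PluginId, id: CapId) -> bool {
        self.holders.get(&pid).map_or(false, |s| s.contains(&id))
    }
}

fn main() {
    let mut t = CapTable::default();
    let root = t.alloc(1, 0x1000, Rights::READ.union(Rights::WRITE)).unwrap();
    let child = t.delegate(root, 2, Rights::READ.union(Rights::EXEC)).unwrap(); // EXEC is dropped
    println!("free while caps are live: {:?}", t.free(0x1000));
    println!("revoke child: {:?}; root still valid: {}", t.revoke(child), t.is_valid(root));
}
```

Two points worth noticing when running it: a child revoked through its parent stays revoked even if the parent is never touched again, and free only succeeds once the root capability over the address has been revoked as well. The free check here scans the whole table; a kernel would keep a per-address index so that the temporal-safety check costs the same as the O(k) revocation path.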

pub fn plugin_count(&self) -> usize

Get the number of registered plugins.

pub fn actor_count(&self) -> usize

Get the number of actors.

pub fn resource_count(&self) -> usize

Get the number of resources.

pub fn workflow_count(&self) -> usize

Get the number of workflows.

Trait Implementations§

impl Clone for Kernel

fn clone(&self) -> Kernel

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Kernel

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for Kernel

fn default() -> Self

Returns the “default value” for a type.
