Terminology and Layering

This project uses a few overloaded terms (“BIOS”, “kernel”, “OS”) across the fabricBIOS and grafOS documents. This note standardizes how we use them in this repo.

fabricBIOS (control-plane substrate)

fabricBIOS is a protocol and state-machine contract for:

  • discovery (ANNOUNCE/SOLICIT, relay behavior)
  • trust bootstrap (identity and enrollment workflows)
  • capability tokens
  • leases (create/renew/expire/revoke)
  • lease-bound dataplane bindings (RDMA, NVMe-oF, constrained compatibility bindings)

fabricBIOS is not an operating system kernel. It intentionally does not do: CPU scheduling, paging, process isolation, filesystems, or application policy (see docs/spec/fabricBIOS-design-document.md).

When we say “fabricBIOS runs on bare metal”, we mean there is a small firmware image that implements the fabricBIOS control plane and gates access to local hardware resources; it is still not “the OS”.

grafOS (operating system architecture)

grafOS is an operating system model where system state is a capability-secured resource graph (nodes/ports/edges). It uses fabricBIOS as a substrate to bind remote resources as lease-backed edges.

grafOS has two relevant forms in this repo:

  • grafOS kernel (eventual): the minimal trusted core enforcing isolation, capabilities, accounting, revocation, and eventing (see docs/grafos-design-document.md).
  • grafOS runtime (near-term): a userspace prototype that runs on Linux and exercises the grafOS graph + policy model against simulated or real fabricBIOS nodes. This is the recommended starting point.

Implementation forms (fabricBIOS)

These are deployment shapes for the same fabricBIOS protocol responsibilities:

  • Firmware node: bare-metal image implementing the fabricBIOS endpoint.
  • Sidecar / proxy: a small trusted helper that terminates heavy transports (e.g., TLS) and exposes a minimal authenticated channel to a constrained endpoint (the “PROXIED” profile).
  • Daemon: Linux userspace implementation (fabricbiosd) for development and simulation/harness use.

Common terms

  • Substrate: the lower-layer mechanism (fabricBIOS) that higher layers consume.
  • Capability token: portable, signed authority object used to request/activate a lease.
  • Lease: time-bounded activation of authority; expiry implies teardown.
  • Binding: concrete dataplane material that realizes an edge (QP/rkey, NVMe NQN, dataplane endpoint, etc.).
  • Revocation / fencing: deterministic removal of access and the failure surfaces exposed to consumers when access is removed.
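The relationship between lease, binding, and revocation/fencing defined above can be modeled as a small state machine. This is an added example, not code from this repo. The class name `Lease`, its fields, the state names, and the two exception types are assumptions made for illustration and do not describe the fabricBIOS wire protocol or API.

```python
# Illustrative model only: names, states and error types are assumptions,
# not the fabricBIOS protocol or any API from this repo.
from dataclasses import dataclass, field
from typing import Callable, Optional

class LeaseExpired(Exception):
    """Failure surface: the lease passed its deadline without renewal."""

class LeaseRevoked(Exception):
    """Failure surface: the issuer fenced the consumer before expiry."""

@dataclass
class Lease:
    resource: str                # e.g. a constructed NVMe NQN
    ttl: float                   # seconds of authority per grant or renewal
    clock: Callable[[], float]   # injected clock keeps behaviour deterministic
    state: str = "ACTIVE"
    binding: Optional[dict] = None
    deadline: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.deadline = self.clock() + self.ttl
        # Binding: concrete dataplane material, created together with the lease.
        self.binding = {"target": self.resource}

    def _teardown(self, state: str) -> None:
        # The binding never outlives the lease that realizes it.
        self.state, self.binding = state, None

    def _check(self) -> None:
        if self.state == "ACTIVE" and self.clock() >= self.deadline:
            self._teardown("EXPIRED")          # expiry implies teardown
        if self.state == "EXPIRED":
            raise LeaseExpired(self.resource)
        if self.state == "REVOKED":
            raise LeaseRevoked(self.resource)

    def renew(self) -> None:
        self._check()                          # a dead lease cannot be revived
        self.deadline = self.clock() + self.ttl

    def revoke(self) -> None:
        if self.state == "ACTIVE":
            self._teardown("REVOKED")          # deterministic removal of access

    def use(self) -> dict:
        self._check()                          # every access re-validates the lease
        return self.binding
```

The consumer only reaches the binding through `use()`, so expiry and revocation both remove access on the next call and surface as distinct errors.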

What we should avoid saying (to reduce confusion)

  • “fabricBIOS is the kernel”: it is not.
  • “grafOS is fabricBIOS”: grafOS consumes fabricBIOS; they are different layers.
  • “BIOS” in the PC firmware sense: here “BIOS” is an analogy (“below the OS”), not a claim about UEFI/legacy BIOS compatibility.