
For many purposes it is important to know what goes on behind the scenes. In assessing the quality of secrecy and integrity that Gnosis provides, it is at least necessary to know the morphology and magnitude of the code that one is trusting.

The (_kernel) is, by definition, the part of Gnosis that runs with the CPU in privileged mode. The kernel is just that code that runs with real addresses and is never swapped. Obviously, the entire kernel must be entirely trusted. Large parts {perhaps all} of the kernel might be put in micro-code without impacting any program written in compliance with this manual. Indeed the conception of the external specifications of the Gnosis kernel was that the function belonged at the same level as the hardware. Sections (p1,external) and (p2,primary) constitute the external specifications of the kernel.

A collection of programs called (_supplementary systems) comprises the remainder of Gnosis. These systems supplement Gnosis to provide the functions normally expected in an operating system. The supplementary systems are not user replaceable; although the user may make synthetic versions of the systems, the original versions will continue their function. Section (p2,supp) defines the functions of the supplementary systems.

Unlike the kernel, the supplementary systems have compartmentalized authority and capabilities. For example, the printer driver could print the wrong data; it could not, however, affect any application that did not use the printer.

Some supplementary systems are not avoidable; the space bank is the only program that can create new nodes and pages. The space bank has special authority with which it can recycle pages and nodes. This special authority is described in (p2,sever). Other programs do not have this authority but may have the authority to call the space bank. Other programs have special authority to create domains. Domains are actually created out of nodes but this fact is of no logical consequence to programs that cannot create them.
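
As an added illustration (not part of the Gnosis manual or of Gnosis itself), the following Python model treats compartmentalized authority as a graph of which programs hold capabilities to which supplementary systems, then computes what each application must trust and which applications a faulty component can affect. The application names, the graph edges, and the rule that trust follows capabilities transitively are constructed assumptions.

```python
# Added illustration: a constructed capability graph, not Gnosis code.
KERNEL = "kernel"

# Constructed sample: the supplementary systems each program holds a
# capability to call. The *_app names are hypothetical.
USES = {
    "payroll_app": {"printer_driver", "space_bank"},
    "editor_app": {"space_bank"},
    "calc_app": set(),                 # calls no supplementary system
    "printer_driver": {"space_bank"},  # assumption: driver obtains pages
    "space_bank": set(),
}
APPLICATIONS = {"payroll_app", "editor_app", "calc_app"}


def trusted_base(program, uses=USES):
    """Return everything `program` must trust: the kernel, plus every
    supplementary system reachable through capabilities it holds."""
    seen, stack = set(), list(uses[program])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(uses[dep])
    return seen | {KERNEL}  # the kernel is trusted by every program


def affected_by(component, uses=USES, apps=APPLICATIONS):
    """Return the applications a faulty `component` could affect."""
    return {app for app in apps if component in trusted_base(app, uses)}


if __name__ == "__main__":
    for app in sorted(APPLICATIONS):
        print(app, "trusts", sorted(trusted_base(app)))
    for part in (KERNEL, "space_bank", "printer_driver"):
        print("fault in", part, "reaches", sorted(affected_by(part)))
```

In this model a fault in the printer driver reaches only the application that prints, while a fault in the kernel reaches every application.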

Section (p2,impsupp) describes the supplementary systems that are implicitly called by the kernel on behalf of the user. Other supplementary systems are only called explicitly by the user.

Some capabilities which might seem basic to Gnosis have not been mentioned. These include access to terminals, {Tymnet,} card equipment, tapes and printers. Certainly Gnosis supports these in some manner. In each case some raw capability will be recognized by Gnosis for accessing these facilities. Customer programs will never have these capabilities except perhaps for mag tape capabilities. There may be a capability to handle arbitrarily formatted disk packs that don't belong to the Gnosis information structure.

Some such capabilities will be limited to a few System programs; others must be limited to one program at a time. These raw capabilities will be designed with the following criteria, more or less in order of priority: {1} Gnosis must be safe against misuse of them; {2} they must provide for efficient use of the resource involved; {3} they must provide for general use of the facility involved, e.g., even parity 7 track tape; {4} they must not cost too much code in Gnosis; {5} they must be easy to program by the holder of the capability.