QuantaVirt Architecture Guide

QV-ARCH-001 Rev 1.0 â€” January 2026

Deep technical reference for the QuantaVirt hypervisor internals. Covers the boot sequence, Intel VMX and AMD SVM execution engines, extended/nested page tables, vCPU scheduling, IOMMU, device emulation, interrupt routing, and the PQC subsystem architecture. Intended for developers extending QuantaVirt and engineers evaluating the platform's security properties.

Architecture Overview #

QuantaVirt is a Type 1 (bare-metal) hypervisor that runs directly on physical hardware without a host operating system. The hypervisor kernel manages CPU virtualization, memory, I/O, and the PQC subsystem. Guest VMs execute in hardware-isolated environments provided by Intel VMX or AMD SVM extensions.

Layer	Component	Responsibility
Ring -1 (VMX Root / SVM Host)	Hypervisor Kernel	VM management, scheduling, memory management, trap handling, device emulation
Ring 0 (VMX Non-Root / SVM Guest)	Guest Kernel	Guest OS kernel execution within hardware-enforced isolation
Ring 3 (VMX Non-Root)	Guest Userspace	Guest applications, completely transparent virtualization
Management Plane	CLI / API / GUI	VM lifecycle, configuration, monitoring, PQC operations
PQC Plane	PQC Subsystem + QUAC 100	Cryptographic operations, key management, QRNG, attestation

Source Tree Layout

quantavirt/
â”œâ”€â”€ boot/                    # Bootloaders (BIOS stage1/stage2, UEFI stub, Multiboot2)
â”œâ”€â”€ hypervisor/
â”‚   â”œâ”€â”€ arch/x86_64/
â”‚   â”‚   â”œâ”€â”€ vmx/             # Intel VMX engine (VMCS, VM-entry/exit, posted interrupts)
â”‚   â”‚   â”œâ”€â”€ svm/             # AMD SVM engine (VMCB, AVIC, decode assists)
â”‚   â”‚   â”œâ”€â”€ ept/             # Intel Extended Page Tables
â”‚   â”‚   â”œâ”€â”€ npt/             # AMD Nested Page Tables
â”‚   â”‚   â”œâ”€â”€ iommu/           # VT-d and AMD-Vi drivers
â”‚   â”‚   â””â”€â”€ nested/          # Nested virtualization (L2 guest support)
â”‚   â”œâ”€â”€ core/
â”‚   â”‚   â”œâ”€â”€ vm/              # VM and vCPU management (vm.h, vcpu.h)
â”‚   â”‚   â”œâ”€â”€ sched/           # Scheduler (credit, credit2, RT)
â”‚   â”‚   â”œâ”€â”€ mm/              # Physical memory manager, hugepages
â”‚   â”‚   â””â”€â”€ irq/             # Interrupt controller emulation (LAPIC, IOAPIC, MSI)
â”‚   â””â”€â”€ devices/
â”‚       â”œâ”€â”€ virtio/          # VirtIO devices (blk, net, gpu, console)
â”‚       â”œâ”€â”€ pci/             # PCI/PCIe bus emulation
â”‚       â”œâ”€â”€ storage/         # AHCI, NVMe, IDE controllers
â”‚       â”œâ”€â”€ net/             # e1000/e1000e emulation
â”‚       â””â”€â”€ usb/             # XHCI USB 3.0 controller
â”œâ”€â”€ pqc/                     # Post-Quantum Cryptography subsystem
â”‚   â”œâ”€â”€ include/pqc/
â”‚   â”‚   â”œâ”€â”€ crypto.h         # Unified PQC API
â”‚   â”‚   â””â”€â”€ quac100.h        # QUAC 100 hardware driver
â”‚   â”œâ”€â”€ src/
â”‚   â”‚   â”œâ”€â”€ mlkem/           # ML-KEM implementations
â”‚   â”‚   â”œâ”€â”€ mldsa/           # ML-DSA implementations
â”‚   â”‚   â”œâ”€â”€ symmetric/       # AES-GCM, ChaCha20-Poly1305
â”‚   â”‚   â””â”€â”€ quac100/         # Hardware driver, DMA engine, key storage
â”‚   â””â”€â”€ security/            # SEV-SNP, TDX, attestation
â”œâ”€â”€ tools/
â”‚   â”œâ”€â”€ quantavirt-cli/      # Rust CLI (Cargo workspace)
â”‚   â”œâ”€â”€ quantavirt-gui/      # Tauri/Svelte GUI
â”‚   â””â”€â”€ quantavirt-api/      # REST/gRPC management daemon
â””â”€â”€ configs/                 # Example VM configurations, JSON schemas

Boot Sequence #

QuantaVirt supports two boot paths: legacy BIOS via a custom two-stage bootloader, and UEFI via an EFI stub application. Both paths converge at the Multiboot2 entry point where the hypervisor kernel initializes.

BIOS Boot Path

Stage	File	Mode	Purpose
Stage 1	`boot/bios/stage1.asm`	Real Mode (16-bit)	MBR bootstrap â€” loads Stage 2 from disk, sets up A20 gate
Stage 2	`boot/bios/stage2.asm`	Protected â†’ Long Mode	E820 memory map, GDT setup, transition to 64-bit, load kernel
Kernel Entry	`hypervisor/entry.asm`	Long Mode (64-bit)	Parse Multiboot2 info, initialize BSP, call `kmain()`

UEFI Boot Path

Stage	File	Mode	Purpose
UEFI App	`boot/uefi/main.c`	Long Mode (64-bit)	EFI application â€” get memory map, GOP framebuffer, exit boot services
Kernel Entry	`hypervisor/entry.asm`	Long Mode (64-bit)	Same entry point as BIOS path, Multiboot2 info structure

Kernel Initialization Sequence

Order	Subsystem	Function	Description
1	Console	`console_init()`	Early serial + VGA console for boot messages
2	Memory	`mm_init()`	Physical page allocator from E820/UEFI memory map, hugepage pool
3	CPU Detection	`cpu_detect()`	CPUID enumeration, VMX/SVM capability check, feature detection
4	Interrupts	`idt_init()`	IDT setup, exception handlers, LAPIC initialization
5	IOMMU	`iommu_init()`	VT-d/AMD-Vi discovery from ACPI DMAR/IVRS tables
6	PCI	`pci_enumerate()`	PCIe bus scan, BAR assignment, QUAC 100 detection
7	VMX/SVM	`vmx_init()` / `svm_init()`	Enable virtualization extensions, allocate per-CPU VMXON regions / host save areas
8	PQC	`pqc_init()`	Initialize PQC subsystem, detect QUAC 100, setup command rings
9	Scheduler	`sched_init()`	Initialize vCPU scheduler (Credit2 default)
10	API	`api_init()`	Start management API listener (Unix socket or TCP)

Intel VMX Execution Engine #

The VMX engine manages VM execution on Intel processors using Virtual Machine Control Structures (VMCS). Each vCPU has a dedicated 4 KB VMCS region that controls VM-entry and VM-exit behavior, guest/host state, and execution controls.

VMCS Layout

VMCS Region	Key Fields	Purpose
Guest State Area	CR0, CR3, CR4, RSP, RIP, RFLAGS, segment registers, GDTR, IDTR, MSRs	Complete guest CPU state loaded on VM-entry, saved on VM-exit
Host State Area	CR0, CR3, CR4, RSP, RIP, segment selectors, GDTR, IDTR, MSRs	Hypervisor CPU state loaded on VM-exit
VM-Execution Controls	Pin-based, Processor-based (Primary + Secondary), VM-entry, VM-exit	Control which operations cause VM-exits
VM-Exit Information	Exit reason, exit qualification, guest-linear/physical address, interruption info	Describes why a VM-exit occurred
EPTP	EPT pointer (PML4 base), memory type, page-walk length	Root of extended page table hierarchy
VPID	Virtual Processor Identifier (16-bit)	TLB tagging to avoid flushes on VM transitions

VM-Execution Control Bits

Control	Bit	QuantaVirt Default	Effect
External-interrupt exiting	Pin[0]	Set	External interrupts cause VM-exit (routed to hypervisor)
NMI exiting	Pin[3]	Set	NMIs handled by hypervisor
Virtual NMIs	Pin[5]	Set	NMI window tracking via virtual-NMI blocking
Posted interrupts	Pin[7]	Set (if available)	Inject interrupts without VM-exit via posted interrupt descriptor
HLT exiting	Proc[7]	Set	Guest HLT traps to scheduler (yields vCPU time)
RDTSC exiting	Proc[12]	Clear	Guest RDTSC executes natively (TSC offsetting used instead)
CR3-load exiting	Proc[15]	Clear (EPT)	Not needed with EPT â€” guest manages own CR3 freely
Use MSR bitmaps	Proc[28]	Set	Selective MSR exit control via 4 KB bitmaps
Enable EPT	Proc2[1]	Set	Extended Page Tables for guest-physical â†’ host-physical translation
Enable VPID	Proc2[5]	Set	TLB tagging avoids full flush on VM-entry/exit
Unrestricted guest	Proc2[7]	Set	Guest can run in real mode and unpaged protected mode
APIC register virt.	Proc2[8]	Set (if available)	LAPIC register accesses handled without VM-exit
Virtual-interrupt delivery	Proc2[9]	Set (if available)	Interrupt injection without VM-exit

VM-Entry / VM-Exit Flow

/* Simplified VMX lifecycle â€” see hypervisor/arch/x86_64/vmx/ for full implementation */

// 1. VM-Entry: transition from hypervisor to guest
vmcs_load(vcpu->vmcs);                     // VMPTRLD â€” activate this vCPU's VMCS
vmcs_write(GUEST_RSP, vcpu->regs.rsp);     // Load guest registers into VMCS
vmcs_write(GUEST_RIP, vcpu->regs.rip);
vmlaunch() / vmresume();                    // Enter VMX non-root mode
// ... guest executes natively on hardware ...

// 2. VM-Exit: hardware transitions back to hypervisor
uint32_t exit_reason = vmcs_read(VM_EXIT_REASON);
uint64_t exit_qual   = vmcs_read(EXIT_QUALIFICATION);

switch (exit_reason) {
    case EXIT_REASON_EPT_VIOLATION:     handle_ept_violation(exit_qual); break;
    case EXIT_REASON_IO_INSTRUCTION:    handle_pio(exit_qual);          break;
    case EXIT_REASON_MSR_READ:          handle_rdmsr(vcpu);             break;
    case EXIT_REASON_MSR_WRITE:         handle_wrmsr(vcpu);             break;
    case EXIT_REASON_CPUID:             handle_cpuid(vcpu);             break;
    case EXIT_REASON_HLT:              sched_yield(vcpu);               break;
    case EXIT_REASON_EXTERNAL_INT:      handle_interrupt();              break;
    case EXIT_REASON_VMCALL:            handle_hypercall(vcpu);          break;
    // ... ~70 exit reasons total ...
}

// 3. Re-enter guest (loop back to VM-Entry)

AMD SVM Execution Engine #

The SVM engine manages VM execution on AMD processors using Virtual Machine Control Blocks (VMCB). The VMCB is a 4 KB page-aligned structure containing the control area (offsets 0x000â€“0x3FF) and the state save area (offsets 0x400â€“0xFFF).

VMCB Structure

Area	Offset Range	Key Fields	Purpose
Control Area	0x000 â€“ 0x3FF	Intercept vectors, IOPM/MSRPM base, ASID, TLB control, event injection, N_CR3, AVIC	Configures which guest operations trap to hypervisor
State Save Area	0x400 â€“ 0xFFF	ESâ€“GS selectors/bases/limits, GDTR, IDTR, CR0â€“CR4, RSP, RIP, RFLAGS, DR6/7, all MSRs	Complete guest state saved/restored on VMRUN/VMEXIT

SVM Intercept Controls

Intercept	Offset	QuantaVirt Default	Effect
CR0 write	0x000[0]	Set (selective)	Trap guest CR0 writes for mode change tracking
IOIO	0x004[0]	Set + IO Bitmap	Port I/O intercepted selectively via IO Permission Map
MSR	0x004[1]	Set + MSR Bitmap	Selective MSR interception via MSR Permission Map
HLT	0x004[8]	Set	Guest HLT yields to scheduler
CPUID	0x004[10]	Set	CPUID interception for feature masking
VMRUN	0x004[16]	Set	Required â€” trap nested VMRUN for nested virt support
VMMCALL	0x004[17]	Set	Hypercall interface for PV guests
NPT fault	â€”	Automatic	Nested page fault generates #VMEXIT with nested fault info

AVIC (Advanced Virtual Interrupt Controller)

On AMD EPYC 7002+ (Rome) and later, QuantaVirt enables AVIC for interrupt virtualization. AVIC provides hardware-accelerated virtual LAPIC access and interrupt injection, reducing VM-exit frequency for interrupt-heavy workloads. The AVIC backing page is a 4 KB page containing the virtual APIC state, mapped into the VMCB control area at offset 0x070.

Memory Virtualization #

QuantaVirt uses hardware-assisted two-dimensional paging â€” Intel EPT and AMD NPT â€” to translate guest-physical addresses (GPA) to host-physical addresses (HPA) without shadow page tables. This provides isolation between VMs and between VMs and the hypervisor.

EPT / NPT Page Table Structure

Level	Intel Name	AMD Name	Bits Indexed	Page Size
4 (PML4)	EPT PML4	NPT PML4	GPA[47:39]	â€”
3 (PDPT)	EPT PDPT	NPT PDP	GPA[38:30]	1 GB (huge page)
2 (PD)	EPT PD	NPT PD	GPA[29:21]	2 MB (large page)
1 (PT)	EPT PT	NPT PT	GPA[20:12]	4 KB (standard)

EPT Entry Format (64-bit)

Bits	Field	Description
0	Read	Allow read access to this page
1	Write	Allow write access to this page
2	Execute	Allow instruction fetch from this page
5:3	Memory Type	0=UC, 1=WC, 4=WT, 5=WP, 6=WB
6	Ignore PAT	Ignore guest PAT for memory type selection
7	Large Page	1 = this entry maps a large page (2 MB at PD level, 1 GB at PDPT)
8	Accessed	Hardware sets on access (if enabled)
9	Dirty	Hardware sets on write (if enabled)
10	Execute (user)	Allow execute for user-mode pages (mode-based execute)
N:12	Physical Address	HPA of next-level table or mapped physical page (4 KB aligned)
63	Suppress #VE	Suppress virtualization exceptions for this page

Memory Management APIs

/* From hypervisor/core/vm/vm.h */

/* Add a memory region to a VM (backed by host physical pages) */
int vm_add_memory_region(struct vm *vm,
                         uint64_t gpa_base,    /* Guest physical address start */
                         uint64_t size,         /* Region size in bytes */
                         uint32_t flags);       /* VM_MEM_READ | VM_MEM_WRITE | VM_MEM_EXEC */

/* Translate guest-physical to host-virtual address */
void *vm_gpa_to_hva(struct vm *vm, uint64_t gpa);

/* Read/write guest memory from hypervisor context */
int vm_read_memory(struct vm *vm, uint64_t gpa, void *buf, size_t len);
int vm_write_memory(struct vm *vm, uint64_t gpa, const void *buf, size_t len);

vCPU Scheduler #

QuantaVirt includes three vCPU scheduling algorithms. The scheduler maps virtual CPUs to physical CPUs, handles preemption, and manages NUMA-aware placement. The default scheduler is Credit2.

Scheduler	Type	Best For	Key Properties
Credit	Proportional fair-share	Server consolidation, mixed workloads	Weight-based CPU allocation, soft affinity, automatic load balancing across pCPUs
Credit2	Proportional fair-share (v2)	General purpose (default)	Improved fairness, runqueue-per-pCPU, NUMA-aware migration, better latency characteristics
RT	Real-time priority	Latency-critical workloads	Fixed-priority scheduling, budget enforcement, dedicated pCPU reservation

Scheduler Configuration

# Set scheduler at boot via kernel parameter
sched=credit2

# Per-VM scheduler weight (higher = more CPU time)
quantavirt vm set ubuntu-server --cpu-weight 256    # Default: 256, range: 1â€“65535

# Per-VM CPU cap (maximum % of one pCPU)
quantavirt vm set ubuntu-server --cpu-cap 0         # 0 = no cap, 100 = one full pCPU

# CPU pinning (bind vCPUs to specific pCPUs)
quantavirt vm set ubuntu-server --cpu-pin 0:2,1:3   # vCPU0â†’pCPU2, vCPU1â†’pCPU3

# NUMA node affinity
quantavirt vm set ubuntu-server --numa-node 0       # Prefer NUMA node 0

IOMMU Subsystem #

The IOMMU subsystem provides DMA remapping for device isolation and PCI passthrough. QuantaVirt discovers IOMMU hardware via ACPI tables: DMAR (DMA Remapping) for Intel VT-d and IVRS (I/O Virtualization Reporting Structure) for AMD-Vi.

Feature	Intel VT-d	AMD-Vi
DMA Remapping	âœ… Per-device page tables	âœ… Per-device page tables
Interrupt Remapping	âœ… Interrupt Remapping Table	âœ… Interrupt Virtualization Table
ATS (Address Translation Services)	âœ… PCIe ATS support	âœ… PRI + PPR support
Pass-through Granularity	Per-function	Per-function
Discovery	ACPI DMAR table	ACPI IVRS table

Device Model #

QuantaVirt's device model provides emulated and paravirtualized hardware to guest VMs. Devices connect to the guest via an emulated PCI Express topology with MMIO and PIO BAR access trapped through EPT/NPT violations and I/O exit handling.

VirtIO Architecture

VirtIO devices follow the VirtIO 1.1 specification using the modern MMIO transport. Each VirtIO device consists of a device-specific configuration space, one or more virtqueues (split or packed), and a notification mechanism. The guest driver and hypervisor device backend communicate through shared memory rings (virtqueues) with doorbell notifications.

Device	VirtIO ID	Queues	Backend	Max Throughput
VirtIO-blk	2	Multi-queue (1 per vCPU)	AIO on raw/qcow2/encrypted	~1M IOPS (raw, multi-queue)
VirtIO-net	1	Multi-queue (RX+TX per vCPU)	vhost-user / vhost-net / userspace	~40 Gbps (vhost-user)
VirtIO-GPU	16	controlq, cursorq, 3D queues	Virgl (3D) / Software (2D)	60 fps @ 1080p (Virgl)
VirtIO-console	3	RX+TX per port	PTY / stdio / socket	~100 MB/s

Interrupt Routing #

QuantaVirt emulates the x86 interrupt architecture: dual 8259A PIC (legacy), IOAPIC, and per-vCPU LAPIC. Modern guests use MSI/MSI-X for device interrupts, which bypass the IOAPIC entirely and are delivered directly to the target vCPU's LAPIC.

Mechanism	Source	Path	Performance
Legacy IRQ (PIC)	Emulated legacy devices	Device â†’ PIC â†’ LAPIC â†’ Guest IDT	Lowest (VM-exit per interrupt)
IOAPIC	Emulated PCI devices	Device â†’ IOAPIC â†’ LAPIC â†’ Guest IDT	Medium (VM-exit per interrupt)
MSI/MSI-X	VirtIO / PCIe devices	Device â†’ write to LAPIC MMIO â†’ Guest IDT	High (may avoid VM-exit with APICv/AVIC)
Posted Interrupts (Intel)	External / IPI	Posted Interrupt Descriptor â†’ Guest IDT	Highest (no VM-exit)
AVIC (AMD)	External / IPI	AVIC backing page â†’ Guest IDT	Highest (no VM-exit)

PQC Subsystem Architecture #

The PQC subsystem is integrated at the hypervisor kernel level, providing cryptographic services to all other subsystems: migration, storage, attestation, and secure boot. The subsystem abstracts over two backends: software (portable, always available) and QUAC 100 hardware (high-performance, requires PCIe card).

PQC API (crypto.h)

/* Backend selection */
typedef enum {
    CRYPTO_BACKEND_SOFTWARE = 0,   /* Validated software implementation */
    CRYPTO_BACKEND_QUAC100  = 1,   /* QUAC 100 hardware acceleration */
    CRYPTO_BACKEND_AUTO     = 2    /* Auto-detect: QUAC 100 if present, else software */
} crypto_backend_t;

/* ML-KEM Key Encapsulation */
int mlkem512_keygen(uint8_t *pk, uint8_t *sk);      /* pk=800B, sk=1632B */
int mlkem512_encaps(const uint8_t *pk, uint8_t *ct, uint8_t *ss);  /* ct=768B, ss=32B */
int mlkem512_decaps(const uint8_t *sk, const uint8_t *ct, uint8_t *ss);

int mlkem768_keygen(uint8_t *pk, uint8_t *sk);      /* pk=1184B, sk=2400B */
int mlkem768_encaps(const uint8_t *pk, uint8_t *ct, uint8_t *ss);  /* ct=1088B, ss=32B */
int mlkem768_decaps(const uint8_t *sk, const uint8_t *ct, uint8_t *ss);

int mlkem1024_keygen(uint8_t *pk, uint8_t *sk);     /* pk=1568B, sk=3168B */
int mlkem1024_encaps(const uint8_t *pk, uint8_t *ct, uint8_t *ss); /* ct=1568B, ss=32B */
int mlkem1024_decaps(const uint8_t *sk, const uint8_t *ct, uint8_t *ss);

/* ML-DSA Digital Signatures */
int mldsa44_keygen(uint8_t *pk, uint8_t *sk);       /* pk=1312B, sk=2560B */
int mldsa44_sign(const uint8_t *sk, const uint8_t *msg, size_t mlen, uint8_t *sig); /* sig=2420B */
int mldsa44_verify(const uint8_t *pk, const uint8_t *msg, size_t mlen, const uint8_t *sig);

int mldsa65_keygen(uint8_t *pk, uint8_t *sk);       /* pk=1952B, sk=4032B */
int mldsa65_sign(const uint8_t *sk, const uint8_t *msg, size_t mlen, uint8_t *sig); /* sig=3293B */
int mldsa65_verify(const uint8_t *pk, const uint8_t *msg, size_t mlen, const uint8_t *sig);

int mldsa87_keygen(uint8_t *pk, uint8_t *sk);       /* pk=2592B, sk=4896B */
int mldsa87_sign(const uint8_t *sk, const uint8_t *msg, size_t mlen, uint8_t *sig); /* sig=4595B */
int mldsa87_verify(const uint8_t *pk, const uint8_t *msg, size_t mlen, const uint8_t *sig);

/* Symmetric / Hash / KDF */
int crypto_aead_encrypt(int alg, const uint8_t *key, ...);  /* AES-256-GCM or ChaCha20-Poly1305 */
int crypto_aead_decrypt(int alg, const uint8_t *key, ...);
int crypto_sha3_256(const uint8_t *in, size_t inlen, uint8_t *out);
int crypto_sha3_512(const uint8_t *in, size_t inlen, uint8_t *out);
int crypto_hkdf(const uint8_t *ikm, size_t ikmlen, ...);
int crypto_random_bytes(uint8_t *buf, size_t len);  /* QRNG if available */

For QUAC 100 hardware details including the register map, command/response ring protocol, and DMA engine, see PQC & Security â€” QUAC 100 Register Map.

Confidential Computing #

QuantaVirt supports hardware-based confidential computing to protect VM memory from the hypervisor itself. This provides defense-in-depth where even a compromised hypervisor cannot read guest secrets.

Technology	Vendor	Protection	Minimum CPU	QuantaVirt Status
SEV (Secure Encrypted Virtualization)	AMD	AES-128 memory encryption per VM	EPYC 7001 (Naples)	âœ… GA
SEV-ES (Encrypted State)	AMD	SEV + encrypted register state on VM-exit	EPYC 7002 (Rome)	âœ… GA
SEV-SNP (Secure Nested Paging)	AMD	SEV-ES + integrity protection, attestation	EPYC 7003 (Milan)	âš ï¸ Beta
TDX (Trust Domain Extensions)	Intel	Encrypted memory + attestation for Trust Domains	Xeon 4th Gen (Sapphire Rapids)	âš ï¸ Beta

Error Codes #

Hypervisor Error Codes

Code	Name	Description
0	`QV_SUCCESS`	Operation completed successfully
-1	`QV_ERR_NOMEM`	Insufficient memory for allocation
-2	`QV_ERR_INVAL`	Invalid argument or parameter
-3	`QV_ERR_NODEV`	Device not found or not available
-4	`QV_ERR_BUSY`	Resource is busy or locked
-5	`QV_ERR_PERM`	Permission denied
-6	`QV_ERR_EXIST`	Resource already exists
-7	`QV_ERR_NOENT`	Resource not found (VM, device, etc.)
-8	`QV_ERR_IO`	I/O error during device or storage operation
-9	`QV_ERR_VMENTRY`	VM-entry failed (check VMCS/VMCB consistency)
-10	`QV_ERR_VMEXIT`	Unhandled VM-exit reason

PQC Error Codes

Code	Name	Description
0	`PQC_SUCCESS`	Cryptographic operation completed successfully
-100	`PQC_ERR_INVALID_KEY`	Invalid key material (wrong size, corrupt)
-101	`PQC_ERR_VERIFY_FAIL`	Signature verification failed
-102	`PQC_ERR_DECAPS_FAIL`	KEM decapsulation failed
-103	`PQC_ERR_AEAD_FAIL`	AEAD decryption/authentication failed
-104	`PQC_ERR_RNG_FAIL`	Random number generation failed (QRNG health check)
-105	`PQC_ERR_NO_BACKEND`	No PQC backend available
-200	`QUAC100_ERR_TIMEOUT`	QUAC 100 command timed out
-201	`QUAC100_ERR_RING_FULL`	Command ring full â€” too many pending operations
-202	`QUAC100_ERR_DMA`	DMA transfer error
-203	`QUAC100_ERR_KEY_SLOT`	Key slot operation failed (full, locked, not found)
-204	`QUAC100_ERR_FW`	Firmware error on QUAC 100

Was this page helpful? Send feedback to docs@dyber.org