A clean-slate Rust operating system built around capabilities, objects, and native services.
Not Unix in new clothes. Not Windows rewritten. A fresh standalone OS path, built carefully from the first boot.
Aesynx is a Rust no_std operating-system project with a clean-slate goal: a
standalone OS that does not begin by copying Unix, Linux, or Windows. Its native
model is built around explicit capabilities, per-core ownership, service queues,
driver isolation, an immutable object graph, structured userspace, and AI-ready
telemetry from day one.
The long-term goal is a different kind of general-purpose system, not a compatibility skin over old assumptions. Paths, processes, packages, drivers, snapshots, and automation should be native Aesynx concepts first. Unix or Linux compatibility can exist later as an isolated service, but it must not define the kernel, userspace, or security model.
Aesynx is also explicitly not planned as one huge OS binary: components should remain separately identified, signed, versioned, updateable, and rollback-capable.
The first major milestone is a serious x86_64 QEMU release with a coherent security model, clear non-claims, and release gates that block tagging until checks and pentest evidence are complete. The project is early, but the direction is intentionally standalone.
Aesynx is licensed under the European Union Public Licence 1.2.
v0.15.0 is the current page-table-mapper implementation candidate. It builds a release-profile freestanding x86_64-unknown-none kernel ELF, packages it into a Limine ISO, records build and boot tool versions in the image manifest, boots it in QEMU, normalizes Limine handoff metadata into Aesynx BootInfo, verifies kernel-owned serial markers, installs basic x86_64 descriptor and interrupt tables, remaps and masks the legacy PIC, detects whether the local APIC is present, publishes checked IRQ vector allocation, handles a returning breakpoint exception, and can run opt-in deliberate panic and page-fault smoke tests with redacted CR2 presence/page-offset, CR3 low-bit, RFLAGS, interrupt-state, and decoded page-fault diagnostics.

Normal boot now emits a checked physical memory report with total, usable, reserved, kernel, bootloader, framebuffer, ACPI, bad, and frame-count accounting before [TEST] memory-map=ok. It then initializes a bounded early bitmap frame allocator from a usable boot-map window and verifies one-frame allocation/free, contiguous allocation/free, debug state, and double-free detection before [TEST] frame-allocator=ok. It then exercises a bounded x86_64-shaped page-table mapper model with map, contiguous range map/protect/unmap, typed and checked root-table identity, audit-backed permission lookup, contiguous range lookup, audit-backed permission change, audit-backed unmapped/mapped range checks, read-only mapping visit, checked status accounting, checked byte-range translation, fail-closed single-address translation, virtual range permission verification, page-presence checks, mapped-range checks, kernel-only policy checks, kernel high-half user-access guard checks, user low-half kernel-privilege guard checks, kernel/user non-empty address-space candidate preflights, audit-backed kernel-range policy checks, user-range policy checks, write-protected range checks, non-executable range checks, executable range checks, normal-memory range checks, no-executable address-space policy checks, no-writable address-space policy checks, no-device address-space policy checks, no-global address-space policy checks, no-physical-alias policy checks, redacted mapping summaries, redacted page-table debug output, fail-closed leaf decoding for lookup/protect/unmap, consistency audit, empty-table reclamation, and explicit TLB flush targets before [TEST] page-table=ok. Single-address translation returns typed errors for unmapped, invalid, or corrupt mapper state.

The opt-in timer smoke path installs a checked IRQ0 handler, programs the legacy PIT for QEMU, observes three controlled timer ticks, converts ticks into monotonic nanosecond values, wakes a bounded sleep request for a delayed log event, acknowledges each interrupt, and then disables the smoke IRQ.
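The bitmap frame allocator behaviour described above (one-frame and contiguous allocate/free, checked debug state, double-free detection, and atomic failure) can be modelled in safe Rust without any allocation or unsafe code. The block below is an added example, not code from the aesynx-mm crate; the type names, the `FRAMES` window size, and the window base address are constructed for illustration. It uses `std` only for the `println!` calls in `main`; the allocator itself would compile unchanged under `no_std`.

```rust
// Added example, not code from the Aesynx aesynx-mm crate: a bounded bitmap
// frame allocator in safe Rust modelled on the behaviour the release notes
// describe. Type and constant names are this example's own; FRAMES is a
// constructed window size.

const FRAME_SIZE: u64 = 4096;
const FRAMES: usize = 64; // constructed: a small usable boot-map window
const WORDS: usize = (FRAMES + 63) / 64;

/// Physical frame number (physical address / FRAME_SIZE).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Frame(pub u64);

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FrameError {
    OutOfFrames,  // no run of free frames long enough
    OutOfRange,   // frame number outside the allocator's window
    DoubleFree,   // freeing a frame that is not marked allocated
    InvalidCount, // zero-length or oversized request
}

pub struct FrameAllocator {
    base: u64,          // first frame number of the usable window
    used: [u64; WORDS], // bit set => frame allocated
    allocated: usize,   // checked accounting exposed as debug state
}

impl FrameAllocator {
    /// `base_addr` is the frame-aligned start of the usable boot-map window.
    pub const fn new(base_addr: u64) -> Self {
        Self { base: base_addr / FRAME_SIZE, used: [0; WORDS], allocated: 0 }
    }

    fn is_used(&self, idx: usize) -> bool {
        self.used[idx / 64] & (1u64 << (idx % 64)) != 0
    }

    fn set_used(&mut self, idx: usize, used: bool) {
        let bit = 1u64 << (idx % 64);
        if used {
            self.used[idx / 64] |= bit;
        } else {
            self.used[idx / 64] &= !bit;
        }
    }

    /// Translate a frame number into a bitmap index, rejecting frames outside the window.
    fn index_of(&self, frame: Frame) -> Result<usize, FrameError> {
        match frame.0.checked_sub(self.base) {
            Some(idx) if (idx as usize) < FRAMES => Ok(idx as usize),
            _ => Err(FrameError::OutOfRange),
        }
    }

    pub fn allocate(&mut self) -> Result<Frame, FrameError> {
        self.allocate_contiguous(1)
    }

    /// Find `count` adjacent free frames. Bits are set only once the whole run
    /// has been found, so a failed request leaves the bitmap untouched.
    pub fn allocate_contiguous(&mut self, count: usize) -> Result<Frame, FrameError> {
        if count == 0 || count > FRAMES {
            return Err(FrameError::InvalidCount);
        }
        let mut run = 0;
        for idx in 0..FRAMES {
            run = if self.is_used(idx) { 0 } else { run + 1 };
            if run == count {
                let start = idx + 1 - count;
                for i in start..=idx {
                    self.set_used(i, true);
                }
                self.allocated += count;
                return Ok(Frame(self.base + start as u64));
            }
        }
        Err(FrameError::OutOfFrames)
    }

    pub fn free(&mut self, frame: Frame) -> Result<(), FrameError> {
        self.free_contiguous(frame, 1)
    }

    /// Validate the whole range before clearing any bit, so a bad range frees nothing.
    pub fn free_contiguous(&mut self, first: Frame, count: usize) -> Result<(), FrameError> {
        let start = self.index_of(first)?;
        if count == 0 || start + count > FRAMES {
            return Err(FrameError::InvalidCount);
        }
        if (start..start + count).any(|i| !self.is_used(i)) {
            return Err(FrameError::DoubleFree);
        }
        for i in start..start + count {
            self.set_used(i, false);
        }
        self.allocated -= count;
        Ok(())
    }

    /// Debug state: (allocated, free) frame counts.
    pub fn debug_state(&self) -> (usize, usize) {
        (self.allocated, FRAMES - self.allocated)
    }
}

fn main() {
    let mut alloc = FrameAllocator::new(0x10_0000); // constructed window base
    let frame = alloc.allocate().expect("one frame");
    println!("frame {:#x}, state {:?}", frame.0 * FRAME_SIZE, alloc.debug_state());
    alloc.free(frame).expect("first free succeeds");
    println!("second free -> {:?}", alloc.free(frame));
}
```

The two properties worth copying into any early allocator are visible in the code: a contiguous request touches the bitmap only after the full run is found, and a free validates every frame in the range before clearing anything, so neither a failed allocation nor a rejected free leaves the accounting half-updated.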

| Area | Status | Notes |
|---|---|---|
| Rust workspace | Active | Modular crate layout with no root src/ implementation pile. |
| Toolchain | Active | Stable Rust 1.96.0, edition 2024, resolver 3, and x86_64-unknown-none for the first boot ELF. |
| Kernel crate policy | Active | Crates under crates/ must be no_std, deny unsafe by default, and avoid external dependencies without exceptions. |
| Capability model | Model active | Private non-copy authority values, permission validation, audited derive/grant paths, generation/epoch validation, and revoke authority checks. |
| Memory model | Model active | Page flags make writable+executable and user-global mappings unrepresentable; long-term memory should become object-native, purpose-tagged, capability-scoped, and snapshot-aware. |
| OS world model | Planned | Kernel-stamped facts should feed a native world service so Aesynx can explain boot, memory, packages, drivers, capabilities, snapshots, and policy decisions without putting a database in ring 0. |
| IPC model | Model active | Kernel-stamped message headers, caller requests, and bounded inline payloads. |
| Bytecode model | Model active | Fuel limit and capability-typed permission checks. |
| Logging model | Model active | Bounded single-record log messages. |
| Build path | Active | x86_64 target metadata, linker script, Cargo config validation, stable freestanding kernel ELF build, and an optional nightly custom-target probe. |
| QEMU first boot | Active | cargo xtask image creates a release-profile Limine ISO and cargo xtask qemu verifies [TEST] irq=ok, [TEST] exception=ok, [TEST] memory-map=ok, [TEST] frame-allocator=ok, [TEST] page-table=ok, [TEST] bootinfo=ok, and [TEST] boot=ok from Rust _start. |
| BootInfo normalization | Tagged | Limine memory map, executable address, HHDM, RSDP, and framebuffer metadata normalize into dependency-free aesynx-boot structures. |
| Early diagnostics | Tagged | Boot phase tracking and cargo xtask qemu --panic-smoke verify readable panic output with [TEST] panic=ok. |
| GDT and TSS | Tagged | Early x86_64 boot installs an Aesynx-owned GDT, TSS, and double-fault IST stack, verified with [TEST] gdt=ok. |
| IDT and exceptions | Tagged | Early x86_64 boot installs an IDT, handles breakpoint, page-fault, and double-fault vectors, and verifies [TEST] exception=ok. |
| Fault decoding | Tagged | v0.9.0; page-fault smoke prints redacted CR2 presence/page offset, CR3 low bits, public RFLAGS, interrupt state, and decoded error bits. |
| Interrupt controller baseline | Tagged | v0.10.0; remaps/masks legacy PIC IRQs, detects local APIC presence, defines checked IRQ vectors, and exposes an EOI path. |
| Timer ticks | Tagged | v0.11.0; opt-in QEMU timer smoke programs PIT IRQ0, records a tick counter, and verifies timer tick 1..3 plus [TEST] timer=ok. |
| Monotonic time and sleeps | Tagged | v0.12.0; converts timer ticks into monotonic instants, schedules a bounded sleep request, and verifies timer delayed-log, [TEST] sleep=ok, and [TEST] timer=ok. |
| Physical memory map | Tagged | v0.13.0; rejects invalid/overlapping regions and reports checked total/usable/reserved bytes, frame counts, and kernel/bootloader reserved accounting with [TEST] memory-map=ok. |
| Bitmap frame allocator | Tagged | v0.14.0; safe aesynx-mm bitmap allocator model plus QEMU smoke for bounded early alloc/free, contiguous allocation, debug states, double-free detection, and atomic failure behavior with [TEST] frame-allocator=ok. |
| Page table mapper | Active candidate | v0.15.0; safe bounded aesynx-mm page-table mapper model with x86_64-shaped tables, mapper-issued typed root-table identity, checked root-table identity, checked status accounting, non-empty kernel and user address-space candidate preflights, audit-backed map/unmap/protect, fail-closed translation, checked contiguous byte-range translation, audit-backed permission lookup, contiguous range map/protect/unmap plus lookup, upfront range validation, bounded range walks, audit-backed unmapped range checks, audit-backed mapped-range checks, page-presence checks, kernel-only policy checks, kernel high-half user-access guard checks, user low-half kernel-privilege guard checks, no-user-space policy checks, no-executable policy checks, no-writable policy checks, no-device policy checks, no-global policy checks, no-physical-alias policy checks, audit-backed kernel-range policy checks, audit-backed user-range policy checks, write-protected range checks, non-executable range checks, executable range checks, normal-memory range checks, local range checks, high-half kernel-space checks, low-half user-space checks, read-only mapping visit, redacted mapping summaries, redacted page-table debug output, virtual range permission verification, fail-closed leaf decoding, permission lookup/change, consistency audit, empty-table reclamation, explicit TLB flush targets, conservative TLB flush merging, and QEMU smoke with [TEST] page-table=ok. |
| Native snapshots | Planned | Content-addressed object roots make snapshots and rollback object-layer primitives rather than path-first filesystem features. |
| Native package manager | Planned | Content-addressed package objects, declarative generations, explicit tracks, SBOM/provenance, and capability manifests. |
| Future bootloader | Planned | Limine is current; a future Rust UEFI bootloader should be a minimal security gateway for signed/measured Aesynx boot capsules. |
| Post-quantum readiness | Planned | Crypto-agile boot, package, update, and identity metadata with room for hybrid classical plus post-quantum validation. |
| Supply-chain checks | Active | cargo deny, cargo audit, SBOM generation, Dependabot, SHA-pinned GitHub Actions, and CodeQL default Rust workflow. |
| Release gate | Active | Tags require local checks, SBOM, CodeQL on GitHub, and a passing pentest report for the exact commit. |
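The memory-model row above says that page flags make writable+executable and user-global mappings unrepresentable, and the page-table mapper row lists fail-closed leaf decoding and range policy checks. The block below is an added example of that design, not code from the aesynx-mm crate: the `Access` and `Scope` enums simply have no variant for the forbidden combinations, so encoding can never produce them, and decoding raw entries that carry them returns a typed error instead of a guessed permission. Type names and the policy helper are this example's own; the bit positions are the architectural x86_64 page-table entry bits.

```rust
// Added example, not code from the Aesynx aesynx-mm crate: page flags modelled
// so that writable+executable and user+global mappings have no representation,
// a fail-closed decoder for raw x86_64 leaf entries, and a range-level policy
// check. Type names are this example's own; bit positions are architectural.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Access {
    ReadOnly,
    ReadWrite,
    ReadExecute, // deliberately no ReadWriteExecute variant
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Scope {
    Kernel { global: bool },
    User, // no `global` field here, so user+global cannot be written down
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PageFlags {
    pub access: Access,
    pub scope: Scope,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DecodeError {
    NotPresent,
    WritableExecutable, // raw W=1 with NX=0
    UserGlobal,         // raw U/S=1 with G=1
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RangeError {
    Decode { index: usize, error: DecodeError },
    PolicyViolation { index: usize },
}

const PRESENT: u64 = 1 << 0;
const WRITABLE: u64 = 1 << 1;
const USER: u64 = 1 << 2;
const GLOBAL: u64 = 1 << 8;
const NO_EXECUTE: u64 = 1 << 63;
const ADDR_MASK: u64 = 0x000f_ffff_ffff_f000; // 52-bit physical, 4 KiB aligned

impl PageFlags {
    /// Encode a leaf entry; every reachable output is W^X-clean by construction.
    pub fn encode(self, phys: u64) -> u64 {
        let mut bits = PRESENT | (phys & ADDR_MASK);
        bits |= match self.access {
            Access::ReadOnly => NO_EXECUTE,
            Access::ReadWrite => WRITABLE | NO_EXECUTE,
            Access::ReadExecute => 0,
        };
        bits |= match self.scope {
            Scope::Kernel { global: true } => GLOBAL,
            Scope::Kernel { global: false } => 0,
            Scope::User => USER,
        };
        bits
    }

    /// Fail-closed decoding: raw bits with no representation become a typed
    /// error instead of being coerced into some nearby permission.
    pub fn decode(bits: u64) -> Result<PageFlags, DecodeError> {
        if bits & PRESENT == 0 {
            return Err(DecodeError::NotPresent);
        }
        let writable = bits & WRITABLE != 0;
        let executable = bits & NO_EXECUTE == 0;
        let user = bits & USER != 0;
        let global = bits & GLOBAL != 0;
        let access = match (writable, executable) {
            (true, true) => return Err(DecodeError::WritableExecutable),
            (true, false) => Access::ReadWrite,
            (false, true) => Access::ReadExecute,
            (false, false) => Access::ReadOnly,
        };
        let scope = match (user, global) {
            (true, true) => return Err(DecodeError::UserGlobal),
            (true, false) => Scope::User,
            (false, g) => Scope::Kernel { global: g },
        };
        Ok(PageFlags { access, scope })
    }
}

pub fn physical_of(bits: u64) -> u64 {
    bits & ADDR_MASK
}

/// Walk a contiguous run of leaf entries and require `policy` for every page;
/// a decode failure is reported before any policy result (fail closed).
pub fn verify_range(entries: &[u64], policy: impl Fn(PageFlags) -> bool) -> Result<(), RangeError> {
    for (index, &raw) in entries.iter().enumerate() {
        let flags = PageFlags::decode(raw).map_err(|error| RangeError::Decode { index, error })?;
        if !policy(flags) {
            return Err(RangeError::PolicyViolation { index });
        }
    }
    Ok(())
}

/// Example policy for a data-only user range: no user page is executable.
pub fn user_non_executable(flags: PageFlags) -> bool {
    !(flags.scope == Scope::User && flags.access == Access::ReadExecute)
}

fn main() {
    let rw = PageFlags { access: Access::ReadWrite, scope: Scope::User };
    println!("user rw @0x5000 -> {:#018x}", rw.encode(0x5000));
    println!("raw W without NX -> {:?}", PageFlags::decode(PRESENT | WRITABLE | 0x6000));
}
```

The decoder is the part that matters for corrupt or bootloader-provided tables: a leaf that is writable without NX, or user-accessible and global, is rejected as a whole rather than partially honoured, which is what lets the range walker report the offending index instead of silently passing a policy check over bits it could not classify.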

| Area | Status | Target |
|---|---|---|
| Kernel mapping policy | Planned | v0.16.0; apply real kernel text/rodata/data/stack/direct-map permission policy. |
| Real arch mechanisms | Planned | Core identity, timestamp, production page tables, and CPU setup. |
| Capability services | Planned | Concrete revocation epoch store, audit backend, object registry, and authenticated call paths. |
| Native userspace | Planned | aesh, structured pipelines, WASM components, and capability-scoped command execution. |
| OS world service | Planned | Signed/versioned facts, branchable worlds, policy-aware queries, context packs, and AI-safe explanations over deterministic OS evidence. |
| Package manager | Planned | aepkg/aepkgd roadmap for search, install, update, rollback, repair, and future store UI. |
| Post-quantum readiness | Planned | Crypto-agile signature envelopes and trust policy before signed boot capsules, package registries, or update metadata. |
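The capability model row in the status table (private non-copy authority values, permission validation, audited derive/grant paths, generation/epoch validation, revoke authority checks) and the planned capability services above (a concrete revocation epoch store and audit backend) describe one mechanism: a capability is only valid while its recorded generation matches the object's current one, so revocation is a single counter increment. The block below is an added example of that mechanism, not Aesynx's own capability code; the type names, right bits, object bound, and audit-ring size are this example's own.

```rust
// Added example, not Aesynx's capability code: a small capability model with
// private non-copy authority values, permission-subset validation on derive,
// generation (epoch) validation, revoke-by-generation, and a bounded audit
// ring. Names and right bits are this example's own.

pub const READ: u8 = 1 << 0;
pub const WRITE: u8 = 1 << 1;
pub const GRANT: u8 = 1 << 2; // may derive capabilities for this object
pub const REVOKE: u8 = 1 << 3; // may bump the object's generation

const OBJECTS: usize = 8; // constructed bound on kernel objects
const AUDIT_SLOTS: usize = 16; // constructed bound on the audit ring

/// Authority value: private fields and no Copy/Clone, so authority only moves.
#[derive(Debug)]
pub struct Capability {
    object: usize,
    rights: u8,
    generation: u32,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CapError {
    NoSuchObject,
    Stale,            // generation no longer matches: revoked
    MissingRight(u8), // the required rights that were absent
    Amplification,    // derive asked for rights the parent lacks
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuditEvent {
    Derived { object: usize, rights: u8 },
    Revoked { object: usize, generation: u32 },
    Denied { object: usize, error: CapError },
}

pub struct CapTable {
    generation: [u32; OBJECTS],
    audit: [Option<AuditEvent>; AUDIT_SLOTS],
    audit_total: usize, // events ever recorded; the ring keeps the last AUDIT_SLOTS
}

impl CapTable {
    pub const fn new() -> Self {
        Self { generation: [0; OBJECTS], audit: [None; AUDIT_SLOTS], audit_total: 0 }
    }

    fn record(&mut self, event: AuditEvent) {
        self.audit[self.audit_total % AUDIT_SLOTS] = Some(event);
        self.audit_total += 1;
    }

    /// Root capability minted when an object is created (kernel-only path).
    pub fn mint_root(&mut self, object: usize) -> Result<Capability, CapError> {
        if object >= OBJECTS {
            return Err(CapError::NoSuchObject);
        }
        Ok(Capability { object, rights: READ | WRITE | GRANT | REVOKE, generation: self.generation[object] })
    }

    /// Validate epoch and required rights; every denial is audited.
    pub fn check(&mut self, cap: &Capability, required: u8) -> Result<(), CapError> {
        let result = if cap.object >= OBJECTS {
            Err(CapError::NoSuchObject)
        } else if cap.generation != self.generation[cap.object] {
            Err(CapError::Stale)
        } else if cap.rights & required != required {
            Err(CapError::MissingRight(required & !cap.rights))
        } else {
            Ok(())
        };
        if let Err(error) = result {
            self.record(AuditEvent::Denied { object: cap.object, error });
        }
        result
    }

    /// Derive a child with a subset of the parent's rights (needs GRANT, no amplification).
    pub fn derive(&mut self, parent: &Capability, rights: u8) -> Result<Capability, CapError> {
        self.check(parent, GRANT)?;
        if rights & !parent.rights != 0 {
            self.record(AuditEvent::Denied { object: parent.object, error: CapError::Amplification });
            return Err(CapError::Amplification);
        }
        self.record(AuditEvent::Derived { object: parent.object, rights });
        Ok(Capability { object: parent.object, rights, generation: parent.generation })
    }

    /// Revoke by bumping the generation: every outstanding capability for the
    /// object, including the one used to revoke, becomes Stale.
    pub fn revoke(&mut self, authority: &Capability) -> Result<u32, CapError> {
        self.check(authority, REVOKE)?;
        self.generation[authority.object] += 1;
        let generation = self.generation[authority.object];
        self.record(AuditEvent::Revoked { object: authority.object, generation });
        Ok(generation)
    }

    pub fn audit_total(&self) -> usize {
        self.audit_total
    }

    pub fn last_event(&self) -> Option<AuditEvent> {
        if self.audit_total == 0 { None } else { self.audit[(self.audit_total - 1) % AUDIT_SLOTS] }
    }
}

impl Capability {
    pub fn rights(&self) -> u8 {
        self.rights
    }
}

fn main() {
    let mut table = CapTable::new();
    let root = table.mint_root(1).expect("object 1 exists");
    let reader = table.derive(&root, READ).expect("READ is a subset of root");
    println!("reader can write? {:?}", table.check(&reader, WRITE));
    let generation = table.revoke(&root).expect("root holds REVOKE");
    println!("after revoke to generation {generation}: {:?}", table.check(&reader, READ));
}
```

Two design points carry over to a real epoch store: the generation lives in the table, never in the capability, so a stale value cannot be refreshed by its holder; and `derive` checks the parent's epoch before the subset test, so a revoked parent cannot mint fresh children even with a subset of rights.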
Run the full repository gate:

```sh
scripts/checks.sh
```

Generate the source SBOM:

```sh
scripts/generate-sbom.sh
```

Validate the current kernel build path:

```sh
cargo xtask build-kernel
```

Create and smoke-test the v0.15 Limine QEMU image:

```sh
cargo xtask image
cargo xtask qemu
```

Run the full v0.15 QEMU smoke suite:

```sh
cargo xtask qemu-suite
```

Run the deliberate panic diagnostics smoke:

```sh
cargo xtask qemu --panic-smoke
```

Run the deliberate exception smoke:

```sh
cargo xtask qemu --exception-smoke
```

Run the controlled timer smoke:

```sh
cargo xtask qemu --timer-smoke
```

These commands require Limine 12.3.2 or newer, xorriso, and qemu-system-x86_64. The generated manifest records the exact Rust, Limine, xorriso, and QEMU version banners.

Try the documented custom-target experiment when a nightly toolchain is available:

```sh
cargo xtask build-kernel --custom-target-probe
```

After a pentest report is completed for a tag:

```sh
cargo xtask release-ready v0.15.0
```

Aesynx treats boot, memory, capabilities, IPC, driver authority, userspace ABI, WASM execution, telemetry, AI policy, build tooling, GitHub workflows, and dependency metadata as high-risk. The project prefers internal kernel primitives, narrow unsafe boundaries, no ambient authority, explicit capabilities, and small modules that can be reviewed and tested.
Every release tag is blocked until the exact commit being tagged has a passing
pentest report in security/pentest/<tag>.md.
- Implementation Plan
- Userspace Vision
- Memory Model Roadmap
- OS World Roadmap
- Package Manager Roadmap
- Driver Roadmap
- Release Plan
- Architecture Decisions
- Build Skeleton
- QEMU Image Skeleton
- First Serial Boot
- BootInfo Normalization
- Early Diagnostics
- v0.7.0 Release Candidate Notes
- v0.8.0 Release Candidate Notes
- v0.9.0 Release Candidate Notes
- v0.10.0 Release Candidate Notes
- v0.11.0 Release Candidate Notes
- v0.12.0 Release Candidate Notes
- v0.13.0 Release Candidate Notes
- v0.14.0 Release Candidate Notes
- v0.15.0 Release Candidate Notes
- Bootloader Roadmap
- Storage Roadmap
- Hosted Execution Roadmap
- Post-Quantum Readiness
- Security Policy
- Threat Model
- Security Controls
- Supply-Chain Security
- Kernel Engineering Policy
- Unsafe Policy
- Modularity Policy
- Licensing Notes
- License
- Initial Idea
