Rust no_std research OS with explicit capabilities, native userspace, and security gates from day one.
Modular by design. Capability-first. Built toward a serious QEMU release.
Aesynx is a Rust no_std operating-system research project built around
explicit capabilities, per-core ownership, service queues, driver isolation, an
immutable object graph, native userspace, and AI-ready telemetry from day one.
It is explicitly not planned as one huge OS binary: components should remain
separately identified, signed, versioned, updateable, and rollback-capable.
The first major goal is not a desktop OS and not a Unix clone. The first major goal is a serious x86_64 QEMU research release with a coherent security model, clear non-claims, and release gates that block tagging until checks and pentest evidence are complete.
Aesynx is licensed under the European Union Public Licence 1.2.
v0.9.0 is the current register and fault decoding release. It builds a
release-profile freestanding x86_64-unknown-none kernel ELF, packages it into
a Limine ISO, records build and boot tool versions in the image manifest, boots
it in QEMU, normalizes Limine handoff metadata into Aesynx BootInfo, verifies
kernel-owned serial markers, installs basic x86_64 descriptor and interrupt
tables, handles a returning breakpoint exception, and can run opt-in deliberate
panic and page-fault smoke tests with redacted CR2 presence/page-offset, CR3
low-bit, RFLAGS, interrupt-state, and decoded page-fault diagnostics.
| Area | Status | Notes |
|---|---|---|
| Rust workspace | Active | Modular crate layout with no root src/ implementation pile. |
| Toolchain | Active | Stable Rust 1.96.0, edition 2024, resolver 3, and x86_64-unknown-none for the first boot ELF. |
| Kernel crate policy | Active | Crates under crates/ must be no_std, deny unsafe by default, and avoid external dependencies without exceptions. |
| Capability model | Model active | Private non-copy authority values, permission validation, audited derive/grant paths, generation/epoch validation, and revoke authority checks. |
| Memory model | Model active | Page flags make writable+executable and user-global mappings unrepresentable. |
| IPC model | Model active | Kernel-stamped message headers, caller requests, and bounded inline payloads. |
| Bytecode model | Model active | Fuel limit and capability-typed permission checks. |
| Logging model | Model active | Bounded single-record log messages. |
| Build path | Active | x86_64 target metadata, linker script, Cargo config validation, stable freestanding kernel ELF build, and an optional nightly custom-target probe. |
| QEMU first boot | Active | cargo xtask image creates a release-profile Limine ISO and cargo xtask qemu verifies [TEST] exception=ok, [TEST] bootinfo=ok, and [TEST] boot=ok from Rust _start. |
| BootInfo normalization | Tagged | Limine memory map, executable address, HHDM, RSDP, and framebuffer metadata normalize into dependency-free aesynx-boot structures. |
| Early diagnostics | Tagged | Boot phase tracking and cargo xtask qemu --panic-smoke verify readable panic output with [TEST] panic=ok. |
| GDT and TSS | Tagged | Early x86_64 boot installs an Aesynx-owned GDT, TSS, and double-fault IST stack, verified with [TEST] gdt=ok. |
| IDT and exceptions | Tagged | Early x86_64 boot installs an IDT, handles breakpoint, page-fault, and double-fault vectors, and verifies [TEST] exception=ok. |
| Fault decoding | Tagged | v0.9.0; page-fault smoke prints redacted CR2 presence/page offset, CR3 low bits, public RFLAGS, interrupt state, and decoded error bits. |
| Native snapshots | Planned | Content-addressed object roots make snapshots and rollback object-layer primitives rather than path-first filesystem features. |
| Native package manager | Planned | Content-addressed package objects, declarative generations, explicit tracks, SBOM/provenance, and capability manifests. |
| Future bootloader | Planned | Limine is current; a future Rust UEFI bootloader should be a minimal security gateway for signed/measured Aesynx boot capsules. |
| Post-quantum readiness | Planned | Crypto-agile boot, package, update, and identity metadata with room for hybrid classical plus post-quantum validation. |
| Supply-chain checks | Active | cargo deny, cargo audit, SBOM generation, Dependabot, SHA-pinned GitHub Actions, and CodeQL default Rust workflow. |
| Release gate | Active | Tags require local checks, SBOM, CodeQL on GitHub, and a passing pentest report for the exact commit. |
| Area | Status | Target |
|---|---|---|
| Register and fault decoding | Tagged | v0.9.0; expand exception frame diagnostics, decode page-fault error bits, and gate redacted CR2/CR3/RFLAGS output in QEMU. |
| Real arch mechanisms | Planned | Interrupt control, core identity, timestamp, page tables, and CPU setup. |
| Capability services | Planned | Concrete revocation epoch store, audit backend, object registry, and authenticated call paths. |
| Native userspace | Planned | aesh, structured pipelines, WASM components, and capability-scoped command execution. |
| Package manager | Planned | aepkg/aepkgd roadmap for search, install, update, rollback, repair, and future store UI. |
| Post-quantum readiness | Planned | Crypto-agile signature envelopes and trust policy before signed boot capsules, package registries, or update metadata. |
Run the full repository gate:
scripts/checks.shGenerate the source SBOM:
scripts/generate-sbom.shValidate the current kernel build path:
cargo xtask build-kernelCreate and smoke-test the v0.9 Limine QEMU image:
cargo xtask image
cargo xtask qemuRun the deliberate panic diagnostics smoke:
cargo xtask qemu --panic-smokeRun the deliberate exception smoke:
cargo xtask qemu --exception-smokeThese commands require Limine 12.3.2 or newer, xorriso, and
qemu-system-x86_64. The generated manifest records the exact Rust, Limine,
xorriso, and QEMU version banners.
Try the documented custom-target experiment when a nightly toolchain is available:
cargo xtask build-kernel --custom-target-probeAfter a pentest report is completed for a tag:
cargo xtask release-ready v0.9.0Aesynx treats boot, memory, capabilities, IPC, driver authority, userspace ABI, WASM execution, telemetry, AI policy, build tooling, GitHub workflows, and dependency metadata as high-risk. The project prefers internal kernel primitives, narrow unsafe boundaries, no ambient authority, explicit capabilities, and small modules that can be reviewed and tested.
Every release tag is blocked until the exact commit being tagged has a passing
pentest report in security/pentest/<tag>.md.
- Implementation Plan
- Userspace Vision
- Package Manager Roadmap
- Release Plan
- Architecture Decisions
- Build Skeleton
- QEMU Image Skeleton
- First Serial Boot
- BootInfo Normalization
- Early Diagnostics
- v0.7.0 Release Candidate Notes
- v0.9.0 Release Candidate Notes
- v0.8.0 Release Candidate Notes
- Bootloader Roadmap
- Storage Roadmap
- Hosted Execution Roadmap
- Post-Quantum Readiness
- Security Policy
- Threat Model
- Security Controls
- Supply-Chain Security
- Kernel Engineering Policy
- Unsafe Policy
- Modularity Policy
- Licensing Notes
- License
- Initial Idea
