System Overview

NØNOS is a zero-trust operating system with cryptographic verification at every layer.


Design Principles

  1. Zero Trust | No component trusts another without cryptographic proof

  2. Minimal Attack Surface | Small codebase, minimal dependencies

  3. Post-Quantum Ready | Quantum-resistant algorithms throughout

  4. Capability-Based Security | Fine-grained, unforgeable access tokens

  5. Verifiable Execution | ZK proofs for privacy-preserving attestation


Architecture Layers

┌─────────────────────────────────────────────┐
│              Applications                   │
├─────────────────────────────────────────────┤
│           Desktop / Terminal                │
├─────────────────────────────────────────────┤
│    Capability System │ Encrypted FS         │
├─────────────────────────────────────────────┤
│   Memory Mgmt │ Scheduler │ Drivers         │
├─────────────────────────────────────────────┤
│            Kernel Core (x86_64)             │
├─────────────────────────────────────────────┤
│           UEFI Bootloader                   │
├─────────────────────────────────────────────┤
│            UEFI Firmware                    │
└─────────────────────────────────────────────┘

Components

UEFI Bootloader (~300KB)

  • Ed25519 signature verification

  • BLAKE3 hashing

  • Hardware detection

  • Memory map preparation

  • Optional ZK proof verification

Kernel (~221KB)

  • Bare-metal x86_64

  • Capability-based security

  • Encrypted filesystem

  • Network stack (IPv4/IPv6, TCP)

  • Desktop environment


Memory Layout

Region | Address | Purpose
Kernel Load | 0x100000 | Physical load address
Kernel Text | Higher-half | Executable code
Kernel Heap | Dynamic | Memory allocation
Stack | 64KB | Per-task stacks


Security Model

Chain of Trust

Cryptographic Primitives

Use Case | Algorithm
Signatures | Ed25519
Hashing | BLAKE3, SHA-512
Encryption | AES-256-GCM, ChaCha20-Poly1305
Key Exchange | ML-KEM-768 (post-quantum)
ZK Proofs | Groth16 (BLS12-381)


Kernel Subsystems

Subsystem | Purpose
arch/x86_64 | CPU, GDT, IDT, paging
memory | Heap, physical allocator
process | Scheduler, tasks
capabilities | Access control tokens
drivers | PCI, GPU, storage
fs | VFS, encrypted storage
network | IPv4, IPv6, TCP
crypto | All cryptographic operations
zk_engine | Zero-knowledge verification
ui | Desktop, windows, terminal

Binary Sizes

Component | Size
Bootloader | ~300KB
Kernel | ~221KB
Total | ~521KB

