Page cover

Kernel Architecture

The NØNOS kernel is a minimal, security-focused x86_64 kernel.

Overview

Property
Value

Language

Rust (no_std)

Target

x86_64 bare metal

Size

~221KB

LoC

~115,000

Module Structure

nonos-kernel/src/
├── arch/x86_64/       # Architecture-specific code
├── boot/              # Early initialization
├── memory/            # Memory management
├── process/           # Scheduler, tasks
├── capabilities/      # Capability tokens
├── drivers/           # Hardware drivers
├── fs/                # Filesystem layer
├── network/           # Network stack
├── crypto/            # Cryptographic primitives
├── zk_engine/         # ZK proof verification
├── ui/                # Desktop, windows
├── interrupts/        # IRQ handling
├── vault/             # Secure key storage
└── lib.rs             # Kernel entry point

Entry Point

The kernel starts at kernel_main:

  1. Initialize VGA output

  2. Set up panic handler

  3. Initialize GDT and IDT

  4. Initialize drivers

  5. Run self-tests

  6. Enter scheduler loop

Memory Management

Physical Allocator

  • Bitmap-based frame allocator

  • 4KB page granularity

  • Tracks free/used frames

Virtual Memory

  • 4-level paging (PML4)

  • Higher-half kernel mapping

  • W^X enforcement (no RWX pages)

  • Guard pages for stack overflow

Heap

  • #[global_allocator] implementation

  • Linked-list allocator

  • Grows on demand

Process Model

Tasks

  • Lightweight execution units

  • Cooperative scheduling (async/await)

  • Per-task stacks (64KB default)

Scheduler

  • Priority-based scheduling

  • Async executor model

  • Preemptive multitasking

Capability System

Unforgeable tokens for access control:

Operations require presenting a valid capability.

Driver Model

Driver
Purpose

pci.rs

PCI bus enumeration

ahci.rs

SATA storage

nvme.rs

NVMe storage

xhci.rs

USB 3.0

gpu.rs

Graphics output

keyboard.rs

PS/2 & USB keyboard

mouse.rs

PS/2 & USB mouse

Filesystem

VFS Layer

Abstract filesystem interface:

  • open(), read(), write(), close()

  • Mount points

  • Path resolution

Implementations

FS
Description

RamFS

In-memory filesystem

CryptoFS

Encrypted storage

Network Stack

Layer
Implementation

L3

IPv4, IPv6

L4

TCP, UDP

Transport

TCP

TLS

Post-quantum TLS

Cryptographic Modules

Located in crypto/:

Module
Algorithm

ed25519.rs

Ed25519 signatures

blake3.rs

BLAKE3 hashing

sha512.rs

SHA-512 (for Ed25519)

aes.rs

AES-256-GCM

chacha.rs

ChaCha20-Poly1305

kyber.rs

ML-KEM key exchange

dilithium.rs

ML-DSA signatures

User Interface

Component
Purpose

Desktop

Window management

Terminal

Shell interface

Window

Application containers

Interrupt Handling

  • APIC-based interrupt routing

  • IDT with 256 entries

  • Handlers for: timer, keyboard, mouse, PCI, exceptions

Safety

No-std Environment

  • No standard library

  • Custom panic handler

  • Manual memory management

Unsafe Code

  • Audited unsafe blocks for hardware access

  • Minimal unsafe in crypto (secure memory zeroing only)

PreviousBoot ProcessNextMemory Management

Last updated

Was this helpful?