# NØNOS Operating System

***

### What is NØNOS?

**NØNOS** is a zero-trust, quantum-resistant operating system built from the ground up in Rust. Unlike traditional operating systems that rely on software trust boundaries, NØNOS implements **cryptographic verification at every layer** from the moment your hardware powers on to every instruction that executes.

{% embed url="<https://www.youtube.com/watch?v=3Ry_MZIF1X0>" %}

#### The Problem with Traditional Operating Systems

| Traditional OS                    | NØNOS                                           |
| --------------------------------- | ----------------------------------------------- |
| Trust the bootloader blindly      | Cryptographically verify bootloader             |
| Kernel loads without verification | Ed25519 signature verification before execution |
| Software-based access control     | Hardware-enforced capability tokens             |
| Vulnerable to quantum attacks     | Post-quantum cryptography (ML-KEM, ML-DSA)      |
| Large kernel (\~5MB+ compressed)  | Minimal kernel (\~221KB stripped)               |
| Opaque execution                  | Zero-knowledge attestation                      |

***

#### Core Philosophy

NØNOS is built on three foundational principles:

1. **Zero Trust:** No component trusts another without cryptographic proof. The bootloader verifies the kernel. The kernel verifies modules. Every boundary requires authentication.
2. **Minimal Attack Surface:** The kernel is \~221KB stripped. Less code means fewer vulnerabilities. Every line is auditable.
3. **Quantum Readiness:** Classical cryptography will be broken by quantum computers. NØNOS implements NIST-standardized post-quantum algorithms today.

***

### Architecture Overview

```
┌─────────────────────────────────────────────────────────────────┐
│                     USER APPLICATIONS                           │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │   Desktop    │  │   Terminal   │  │   Network Services     │ │
│  └──────────────┘  └──────────────┘  └────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                      CAPABILITY LAYER                           │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │ Token Verify │  │  Permission  │  │   Resource Binding     │ │
│  └──────────────┘  └──────────────┘  └────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                    NONOS KERNEL (~221KB)                        │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │   Scheduler  │  │    Memory    │  │   Crypto Primitives    │ │
│  │              │  │  Management  │  │  Ed25519 | BLAKE3      │ │
│  │              │  │              │  │  ML-KEM | AES-GCM      │ │
│  └──────────────┘  └──────────────┘  └────────────────────────┘ │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │   Drivers    │  │  Filesystem  │  │     ZK Engine          │ │
│  │  PCI | GPU   │  │  VFS | Crypt │  │  Groth16 | Halo2       │ │
│  └──────────────┘  └──────────────┘  └────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                  UEFI BOOTLOADER (~300KB)                       │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │  Ed25519     │  │   BLAKE3     │  │    Groth16 ZK          │ │
│  │  Signature   │  │   Hashing    │  │    Verification        │ │
│  │  Verify      │  │              │  │    (Optional)          │ │
│  └──────────────┘  └──────────────┘  └────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                     UEFI FIRMWARE                               │
│           Hardware Root of Trust (Secure Boot)                  │
└─────────────────────────────────────────────────────────────────┘
```

***

### Key Features

#### Cryptographic Boot Chain

Every boot is verified:

1. **UEFI Secure Boot** verifies the NØNOS bootloader
2. **Bootloader** computes BLAKE3 hash of kernel
3. **Ed25519 signature** verified against embedded public keys
4. **Optional ZK proof** for privacy-preserving attestation
5. **Only then** does the kernel execute

***

#### Post-Quantum Cryptography

NØNOS implements the NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) standards, alongside classical primitives:

| Algorithm   | Purpose            | Security Level                    |
| ----------- | ------------------ | --------------------------------- |
| ML-KEM-768  | Key encapsulation  | NIST Level 3 (AES-192 equivalent) |
| ML-DSA-65   | Digital signatures | NIST Level 3                      |
| Ed25519     | Fast signatures    | 128-bit classical                 |
| BLAKE3      | Hashing            | 256-bit                           |
| AES-256-GCM | Encryption         | 256-bit                           |

#### Capability-Based Security

Access control through unforgeable tokens:

```
┌────────────────────────────────┐
│      Capability Token          │
├────────────────────────────────┤
│  Resource ID    │ unique ref   │
│  Permissions    │ READ|WRITE   │
│  Expiry         │ optional TTL │
│  Crypto Tag     │ HMAC proof   │
└────────────────────────────────┘
```

No token = no access. Tokens cannot be forged or escalated.
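
A minimal model of the token check described above, as an added example (not NØNOS code). The field widths, the permission bit values, and the use of HMAC-SHA256 are assumptions, since the page names only the four fields.

```python
import hashlib
import hmac
import struct

# Assumed layout, not the NØNOS wire format: u64 resource id, u32 permission
# bits, u64 expiry (Unix seconds, 0 = no expiry), then a 32-byte HMAC tag.
READ, WRITE = 0x1, 0x2
FMT = ">QIQ"
BODY_LEN = struct.calcsize(FMT)
TAG_LEN = 32

def mint(key: bytes, resource_id: int, perms: int, now: int, ttl=None) -> bytes:
    """Issue a token; only the holder of `key` (the kernel) can do this."""
    expiry = 0 if ttl is None else now + ttl
    body = struct.pack(FMT, resource_id, perms, expiry)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check(key: bytes, token: bytes, resource_id: int, wanted: int, now: int) -> bool:
    """Allow access only for an authentic, unexpired token that is bound to
    this resource and carries every requested permission bit."""
    if len(token) != BODY_LEN + TAG_LEN:
        return False
    body, tag = token[:BODY_LEN], token[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Authenticate before trusting any field; compare in constant time.
    if not hmac.compare_digest(tag, expected):
        return False
    rid, perms, expiry = struct.unpack(FMT, body)
    if rid != resource_id:
        return False
    if expiry != 0 and now >= expiry:
        return False
    return wanted != 0 and (perms & wanted) == wanted

def tamper_perms(token: bytes, extra: int) -> bytes:
    """Model a holder editing the permission field while reusing the old tag."""
    rid, perms, expiry = struct.unpack(FMT, token[:BODY_LEN])
    return struct.pack(FMT, rid, perms | extra, expiry) + token[BODY_LEN:]

if __name__ == "__main__":
    KEY = bytes(range(32))  # constructed sample key; a real key is random and kernel-private
    T0 = 1_700_000_000      # constructed timestamp
    tok = mint(KEY, resource_id=42, perms=READ, now=T0, ttl=60)
    print("read, in window  :", check(KEY, tok, 42, READ, T0 + 10))
    print("write, not held  :", check(KEY, tok, 42, WRITE, T0 + 10))
    print("edited perms     :", check(KEY, tamper_perms(tok, WRITE), 42, WRITE, T0 + 10))
    print("after expiry     :", check(KEY, tok, 42, READ, T0 + 60))
```

In this model the "cannot be forged or escalated" property rests entirely on the secrecy of the MAC key: any component that can read the key can mint arbitrary tokens.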

***

#### Zero-Knowledge Proofs

Prove statements without revealing secrets:

* **Boot attestation:** Prove kernel is valid without revealing internals
* **Anonymous auth:** Prove membership without revealing identity
* **Privacy credentials:** Verify attributes without exposing data

***

### Technical Specifications

| Component        | Specification                         |
| ---------------- | ------------------------------------- |
| **Architecture** | x86\_64 (ARM64 planned)               |
| **Language**     | Rust (no\_std, zero unsafe in crypto) |
| **Bootloader**   | \~300KB (UEFI)                        |
| **Kernel**       | \~221KB (stripped)                    |
| **ISO Image**    | \~65MB                                |

***

### Quick Start

```bash
# Clone both repositories
git clone https://github.com/NON-OS/nonos-kernel.git
git clone https://github.com/NON-OS/nonos-boot.git

# Note: possibly a monorepo soon at https://github.com/NON-OS/nonos-kernel

# Build kernel
cd nonos-kernel
make

# Run in QEMU
make run
```

See Quick Start Guide for detailed instructions.

***

### Development Status

NØNOS is under **active development**. Current implementation status:

| Component         | Status                | Notes                                    |
| ----------------- | --------------------- | ---------------------------------------- |
| UEFI Bootloader   | Complete              | Ed25519 verification, BLAKE3 hashing     |
| Kernel Core       | Complete              | Scheduler, memory management, interrupts |
| Cryptography      | Complete (Test phase) | Ed25519, BLAKE3, AES-GCM, ML-KEM         |
| Capability System | Complete              | Token generation and verification        |
| ZK Engine         | Partially completed   | Groth16 verification                     |
| Desktop/UI        | Complete              | Basic window management                  |
| Network Stack     | In Progress           | IPv4, IPv6, TCP (smoltcp)                |
| Filesystem        | In Progress           | VFS, encrypted storage                   |
| ARM64 Support     | Planned               | —                                        |

***

### Official Links

| Resource       | Link                                                         |
| -------------- | ------------------------------------------------------------ |
| **Whitepaper** | [nonos.systems/whitepaper](https://nonos.systems/whitepaper) |
| **Website**    | [nonos.systems](https://nonos.systems)                       |
| **GitHub**     | [github.com/NON-OS](https://github.com/NON-OS)               |

***

### License

NØNOS is released under **AGPL-3.0**.

***

### Documentation Sections

| Section             | Description                       | Link                                                                                                                                                           |
| ------------------- | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Getting Started** | Build and run NØNOS in 5 minutes  | [https://docs.nonos.systems/~/revisions/4Rs9Gk1Qn6FOI1OjRtBd/getting-started-os](https://docs.nonos.systems/~/revisions/4Rs9Gk1Qn6FOI1OjRtBd/getting-started-os) |
| **Architecture**    | Deep dive into system design      |                                                                                                                                                                |
| **Cryptography**    | Signing, encryption, post-quantum |                                                                                                                                                                |
| **Zero-Knowledge**  | ZK circuits and verification      |                                                                                                                                                                |
| **Building**        | Complete build documentation      | [https://docs.nonos.systems/~/revisions/4Rs9Gk1Qn6FOI1OjRtBd/building-nonos-os](https://docs.nonos.systems/~/revisions/4Rs9Gk1Qn6FOI1OjRtBd/building-nonos-os)   |
| **Contributing**    | Join the development              |                                                                                                                                                                |
