Skip to content

NONOS 0.8.9-alpha

Pre-release
Pre-release

Choose a tag to compare

View all tags
@eKisNonos eKisNonos released this 10 Jun 11:49
· 160 commits to main since this release
v0.8.9-alpha
add7fc8

NONOS 0.8.9-alpha

First public alpha of the NONOS microkernel. This is an alpha pre-beta
release: a 30-day window for the community to clone, boot, verify and
build against a frozen image before the beta line opens. It is feature
complete enough to run a real desktop and to be verified end to end; it
is not yet hardened for production deployment of your own data.

What this is

A privacy-first microkernel where nothing runs unless it can prove
itself. The boot chain verifies the kernel, and the kernel re-verifies
every capsule's zero-knowledge proof at every spawn. The whole network
stack (IP, TCP, DNS, the Nym mixnet client) runs as sandboxed capsules,
not kernel code.

This image is the exact system make nonos-mk-run boots:
microkernel-desktop-gui, 59 ZK-attested capsules, verified against the
five-contributor ceremony verifying key 6cd2015037ea6181,
59 verified / 0 failed.

How to run it

NONOS needs a UEFI host with a virtio-gpu. The supported and tested
path is QEMU. VirtualBox is not supported in this release (the
kernel stalls on VirtualBox's ACPI, and the desktop needs virtio-gpu,
which VirtualBox does not emulate).

Easiest, with the bundled script:

chmod +x run-nonos.sh
./run-nonos.sh nonos-0.8.9-alpha.iso

It finds your OVMF firmware, picks KVM (Linux) or HVF (macOS)
acceleration, and boots the ISO with virtio-gpu. Manual invocation:

qemu-system-x86_64 -m 2G -machine q35 -smp 2 \
  -cdrom nonos-0.8.9-alpha.iso \
  -drive if=pflash,format=raw,readonly=on,file=/path/to/edk2-x86_64-code.fd \
  -drive if=pflash,format=raw,file=/path/to/edk2-x86_64-vars.fd \
  -device virtio-vga,xres=1024,yres=768 -device qemu-xhci -device virtio-rng-pci

At the firmware terminal press F10 to boot; the verified-boot splash
runs the full attestation chain and hands off to the desktop.

Artifacts

File What
nonos-0.8.9-alpha.iso bootable UEFI ISO (QEMU)
nonos-0.8.9-alpha-esp.img raw FAT32 EFI System Partition image (QEMU drive, or dd to a USB stick for real UEFI x86_64 hardware)
run-nonos.sh portable QEMU launcher
nonos-kernel-0.8.9-alpha.x86_64.elf the signed kernel image
nonos-bootloader-0.8.9-alpha.efi the UEFI bootloader
ATTESTATION.json build provenance + every hash + ceremony fingerprint
SHA256SUMS, BLAKE3SUMS checksums for all of the above
attestation-receipt.txt the per-capsule live verification receipt

Verify before you boot

sha256sum -c SHA256SUMS
b3sum -c BLAKE3SUMS

Then re-prove every shipped capsule against the public verifying key,
from a fresh clone, with no signing keys and nothing rebuilt:

git clone --recursive https://github.com/NON-OS/nonos-micro-kernel.git
cd nonos-micro-kernel && git checkout v0.8.9-alpha
make nonos-mk-verify-attestation

Build provenance (kernel, trust keystore and CI commits) is pinned in
ATTESTATION.json.

Build on it

QUICKSTART.md walks the path from an empty folder to your own signed,
attested capsule on the desktop. CONTRIBUTING-ZK.md covers earning NOX
for verifiable security work.

Known scope of this alpha

  • QEMU is the supported hypervisor. VirtualBox and VMware are not yet
    supported; the GPU and ACPI bring-up for them is a roadmap item.
  • Anti-rollback wants a TPM for a persistent floor; without one the
    measured-boot floor is per-session.
  • This is a verification and developer-preview image, not a daily-driver
    install. Treat the 30-day window as exactly that.

License

GNU AGPL-3.0.

Assets 12
Loading