Skip to content

Releases: cyphera-labs/cyphera-kernel

v0.0.666

Choose a tag to compare

@lgutschow lgutschow released this 27 Jun 20:37

Release v0.0.666

Builds on v0.0.5. This release brings the kernel to a graphical milestone: it
now boots a full GPU-accelerated, interactive graphical application stack —
rendering, sound, keyboard, and mouse — through the syscall ABI against
unmodified userland, on top of the same memory-safe services layer.

  • GPU-accelerated 3D. The kernel exposes a DRM/KMS display device and a
    virtio-gpu 3D render node, bridging an unmodified userland graphics stack to
    the host GPU: mode-setting and scanout with page-flip completion events on
    the primary node, a render node that negotiates 3D capabilities and maps
    host-visible buffers, and the GEM buffer-handle lifecycle. Hardware-
    accelerated rendering runs end to end.

  • Audio. A virtio-sound playback device plus the ALSA PCM character devices let
    unmodified audio software open, configure, and stream to an audible output.

  • Input. Virtio-input devices are surfaced as evdev character devices that
    report each device's real capabilities, so an unmodified input stack tells a
    keyboard from a pointer and reads both — returning promptly rather than
    blocking when asked not to.

  • Device discovery. A sysfs device topology with writable uevent triggers, a
    kernel-uevent netlink broadcast, sender-credential passing over local
    sockets, and an inotify watch subsystem together let a standard device
    manager enumerate and classify devices the way userland expects.

  • Process introspection. The process filesystem now reports what a sleeping
    thread is waiting on, so a blocked program is no longer a black box.

  • Concurrency correctness. The priority-inheritance mutex handoff was corrected
    so a thread granted a contended lock observes itself as the owner before it
    resumes, closing an intermittent failure under heavy contention.

The conformance suite — real applications booted under the kernel — continues
to pass in full.

See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.

v0.0.5

Choose a tag to compare

@lgutschow lgutschow released this 24 Jun 03:57

Release v0.0.5

Builds on v0.0.4. This release is a security-and-fidelity pass: it tightens
the kernel's most sensitive edges and fills in the system-call behaviors
real-world software relies on — far enough that a standard container runtime
now starts a container end to end and the kernel boots an unmodified
distribution to an interactive shell.

  • Hardened security-sensitive edges. Returning from a signal can no longer be
    used to hand a program elevated processor flags, and the two signals that
    must never be caught or ignored now always take effect. Memory-management
    arithmetic is bounds-checked and overflow-checked even in release builds, a
    reference-count lifetime hazard is closed, and a program's privileges are
    recomputed correctly when it replaces its own image. Socket address lengths
    are clamped to what the caller passed, a shared-memory attach race is closed,
    and the priority-inheritance and debugger paths now go through the engine's
    own entry points.

  • Real in-memory file sealing. A program can seal an anonymous in-memory file
    against growth, shrinking, or further writes, and those seals are enforced —
    including against a later attempt to regain write access through a mapping.

  • Faithful memory remapping. Remapping a mapped file or shared region now moves
    and resizes it correctly, including a fixed-address move and a partial
    sub-range of a shared segment.

  • Real mount semantics. Read-only, no-setuid, no-device, and no-exec are
    enforced per mount and can be changed by remounting; remounting a bind mount
    applies the new flags to the right mount; and the filesystem-statistics call
    reports a mount's flags, so software that checks whether it sits on a
    read-only mount reads the truth. Each mount namespace carries its own mount
    flags, so a change in one namespace cannot alter another's.

  • Correct rename and open semantics. Rename honors its no-replace, exchange,
    and directory-cycle rules; renaming across filesystems reports the right
    error; overwriting rename — on disk and across directories — is correct and
    atomic; opening a non-directory as a directory, or a directory for writing,
    fails the way callers expect; and truncate-on-open only truncates regular
    files, so redirecting output into a device works.

  • Faithful executable identity. A process's own executable stays openable
    through the process filesystem even after it re-executes itself from an
    open file descriptor with no backing path, while still reporting that path
    when asked — the startup pattern security-conscious runtimes use to protect
    themselves from tampering.

  • Runs real container workloads. With the above in place, a standard container
    runtime sets up and runs a container to completion, and the kernel boots an
    unmodified distribution through its init system to an interactive shell. The
    conformance suite — real applications booted under the kernel — passes in
    full.

See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.

v0.0.4

Choose a tag to compare

@lgutschow lgutschow released this 22 Jun 05:37

Release v0.0.4

Builds on v0.0.3. New in this release:

  • A sturdier architecture. The bulk of this release is a deep structural pass
    that follows through on the sealed-core groundwork from v0.0.3. The scheduler
    and process engine — historically a handful of enormous files that the rest of
    the kernel reached into freely — is now split into clearly separated layers
    with a small, explicit set of entry points between them, and the largest
    source files are broken into focused modules. A single result-and-error
    vocabulary runs across every subsystem boundary. Build-time checks enforce the
    rules: scheduling and process state can only change through the engine's own
    entry points, and lower layers can't reach up into higher ones. None of this
    changes what programs see — it makes the kernel far easier to reason about and
    much harder to break one part without the build catching it, which is what
    lets new work land cleanly from here.

  • More faithful signals. Real-time signals now queue in order and respect the
    per-user limit on pending signals; a signal that interrupts an open-ended wait
    no longer wrongly restarts it; a memory fault arrives as a normal, catchable
    signal rather than an unconditional kill; and a debugger can reliably inject
    signals into a program it controls. Software that depends on precise signal
    behavior — shells, job control, language runtimes — behaves the way its
    authors expect.

  • Per-process CPU timers. Programs can arm timers that fire based on the
    processor time they actually consume, not just elapsed wall-clock time.

  • Real memory locking. Locking memory now genuinely pins it in RAM and faults it
    in immediately, and a program can ask that everything it maps from then on
    stays locked too. If the system runs out of memory while servicing a fault, it
    now stops just the offending program with a clean termination instead of
    putting the whole machine at risk.

  • Durable, precise file writes. Flushing a file writes its pending pages through
    to storage, and a range flush writes back exactly the bytes requested, so data
    lands when a program asks for it. Pipe buffer capacity can be queried and
    resized.

  • Correct directory-relative open permissions. Opening a file by a path relative
    to an open directory now runs the same permission check as opening it by full
    path, closing a gap where the relative form could skip the check.

  • Truer introspection. Resource-usage accounting reports real minor and major
    page-fault counts; the per-process status view reports the real open-file
    ceiling; a per-process login identity is tracked and inherited across programs.
    The processor listing shows one entry per online core, and the load average
    excludes idle sleepers, so standard monitoring tools read the values they
    expect.

  • Networking refinements. Non-blocking is honored per individual send and
    receive rather than only as a socket-wide mode, local socket pairs preserve
    message boundaries for datagram and packet types, and loopback delivery was
    corrected.

  • Better device and process fidelity. Terminal window size can be set and read
    back so full-screen terminal programs lay themselves out correctly; the disk
    now appears in the system's device tree so enumeration tools find it; creating
    a device node routes it to the right driver; and a child carries its parent's
    resource limits across a fork or clone.

See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.

v0.0.3

Choose a tag to compare

@lgutschow lgutschow released this 21 Jun 02:21

Release v0.0.3

Builds on v0.0.2. New in this release:

  • More usable RAM. Earlier releases topped out near a single gigabyte; that
    limit is gone, and the kernel now runs with many gigabytes of memory. Larger
    workloads that couldn't fit before have room now.

  • On-screen graphics. Programs can draw to the VM's own window, not just the
    text console — the kernel sets the display mode, hands out a framebuffer, and
    flips it. Rendering is done in software, including continuously animated
    output, not only static frames.

  • Faster, lighter process creation. Starting a child process no longer copies
    the parent's memory up front. The two share their pages until one of them
    writes, so a fork is near-instant and uses a fraction of the memory it used
    to — even for large programs. Shells, servers, and build tools that fork
    constantly run leaner and quicker, and forking stays correct under heavy
    multi-core load.

  • Real process isolation. Sandboxes and containers can take their own private
    views of the system — separate process tables, a separate network stack, and
    separate mount and inter-process-communication namespaces — with the tools to
    create, join, and inspect them. A program in one namespace cannot see or
    disturb another's processes, and what each program sees through the system's
    introspection interfaces is scoped to its own view.

  • Per-program CPU pinning. A program can ask to run only on specific processor
    cores, and the scheduler honors it — useful for latency- or cache-sensitive
    work.

  • Much broader networking. Datagram sockets, a working connect, and
    scatter/gather message send and receive run more clients and simple servers.
    Local sockets — streamed, datagram, and abstract — let programs on the same
    machine talk the way stock software expects, including passing open files from
    one process to another. IPv6 works alongside IPv4, programs can query the
    machine's network configuration, and basic reachability testing works.

  • Built-in randomness. Programs that need random data — for cryptographic keys,
    secure connections, or program hardening — now get a fast, always-available
    source built into the kernel, rather than depending on the host to supply one.
    It draws from the processor's own randomness and from system timing, never
    stalls waiting for a source, and keeps working even when no hardware random
    device is present. The generator moves forward after every request, so earlier
    output can't be reconstructed from its current state, and it refreshes itself
    over time; a power-on self-check verifies it before any program relies on it.

  • More of the system-call surface. Vectored reads and writes, the full set of
    readiness-wait calls, directory-relative file paths, and an in-memory
    filesystem backed by real memory pages for large files. The result: more
    stock programs run unmodified.

  • A hardened core. The kernel's internal process and scheduling state is now
    sealed behind enforced interfaces rather than shared freely across the code,
    so a mistake in one part can no longer quietly corrupt another part's
    bookkeeping — the boundary is checked when the kernel is built. This is
    groundwork: it makes the system easier to reason about and harder to break as
    it grows.

  • More accurate introspection. The reported boot time, a stable per-boot
    identifier, and a live view of mounted filesystems now reflect reality rather
    than placeholders, so monitoring and diagnostic tools read correct values.

  • Steadier multi-core workloads. A rare crash when one processor cleaned up a
    program that another was still tearing down is fixed, and exit bookkeeping was
    reworked so a parent always finds its finished child the moment it is told
    about it. Connection teardown and non-blocking input/output were tightened so
    database and cache servers that hold many connections run to completion instead
    of stalling. Process storms — forking, killing, and waiting on many short-lived
    programs at once — run clean.

See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.

v0.0.2

Choose a tag to compare

@lgutschow lgutschow released this 07 Jun 22:43

Release v0.0.2

Builds on v0.0.1. New in this release:

  • Graphical framebuffer console: text rendering and keyboard input, so an
    interactive shell runs in the VM's graphical window, not only over the
    serial line.
  • ext4 mount hardening: mounts are privilege-gated and reject unsupported
    or malformed filesystem images.

See README.md for what runs today, and docs/ for the architecture,
verification recipe, and clean-room policy.

v0.0.1

Choose a tag to compare

@lgutschow lgutschow released this 07 Jun 21:43

Cyphera Kernel v0.0.1

An independent, memory-safe Rust kernel that implements the Linux syscall ABI,
for virtual machines.

See README.md to run it, and docs/ for how it works and how to verify a build.