Releases: cyphera-labs/cyphera-kernel
Release list
v0.0.666
Release v0.0.666
Builds on v0.0.5. This release brings the kernel to a graphical milestone: it
now boots a full GPU-accelerated, interactive graphical application stack —
rendering, sound, keyboard, and mouse — through the syscall ABI against
unmodified userland, on top of the same memory-safe services layer.
-
GPU-accelerated 3D. The kernel exposes a DRM/KMS display device and a
virtio-gpu 3D render node, bridging an unmodified userland graphics stack to
the host GPU: mode-setting and scanout with page-flip completion events on
the primary node, a render node that negotiates 3D capabilities and maps
host-visible buffers, and the GEM buffer-handle lifecycle. Hardware-
accelerated rendering runs end to end. -
Audio. A virtio-sound playback device plus the ALSA PCM character devices let
unmodified audio software open, configure, and stream to an audible output. -
Input. Virtio-input devices are surfaced as evdev character devices that
report each device's real capabilities, so an unmodified input stack tells a
keyboard from a pointer and reads both — returning promptly rather than
blocking when asked not to. -
Device discovery. A sysfs device topology with writable uevent triggers, a
kernel-uevent netlink broadcast, sender-credential passing over local
sockets, and an inotify watch subsystem together let a standard device
manager enumerate and classify devices the way userland expects. -
Process introspection. The process filesystem now reports what a sleeping
thread is waiting on, so a blocked program is no longer a black box. -
Concurrency correctness. The priority-inheritance mutex handoff was corrected
so a thread granted a contended lock observes itself as the owner before it
resumes, closing an intermittent failure under heavy contention.
The conformance suite — real applications booted under the kernel — continues
to pass in full.
See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.
v0.0.5
Release v0.0.5
Builds on v0.0.4. This release is a security-and-fidelity pass: it tightens
the kernel's most sensitive edges and fills in the system-call behaviors
real-world software relies on — far enough that a standard container runtime
now starts a container end to end and the kernel boots an unmodified
distribution to an interactive shell.
-
Hardened security-sensitive edges. Returning from a signal can no longer be
used to hand a program elevated processor flags, and the two signals that
must never be caught or ignored now always take effect. Memory-management
arithmetic is bounds-checked and overflow-checked even in release builds, a
reference-count lifetime hazard is closed, and a program's privileges are
recomputed correctly when it replaces its own image. Socket address lengths
are clamped to what the caller passed, a shared-memory attach race is closed,
and the priority-inheritance and debugger paths now go through the engine's
own entry points. -
Real in-memory file sealing. A program can seal an anonymous in-memory file
against growth, shrinking, or further writes, and those seals are enforced —
including against a later attempt to regain write access through a mapping. -
Faithful memory remapping. Remapping a mapped file or shared region now moves
and resizes it correctly, including a fixed-address move and a partial
sub-range of a shared segment. -
Real mount semantics. Read-only, no-setuid, no-device, and no-exec are
enforced per mount and can be changed by remounting; remounting a bind mount
applies the new flags to the right mount; and the filesystem-statistics call
reports a mount's flags, so software that checks whether it sits on a
read-only mount reads the truth. Each mount namespace carries its own mount
flags, so a change in one namespace cannot alter another's. -
Correct rename and open semantics. Rename honors its no-replace, exchange,
and directory-cycle rules; renaming across filesystems reports the right
error; overwriting rename — on disk and across directories — is correct and
atomic; opening a non-directory as a directory, or a directory for writing,
fails the way callers expect; and truncate-on-open only truncates regular
files, so redirecting output into a device works. -
Faithful executable identity. A process's own executable stays openable
through the process filesystem even after it re-executes itself from an
open file descriptor with no backing path, while still reporting that path
when asked — the startup pattern security-conscious runtimes use to protect
themselves from tampering. -
Runs real container workloads. With the above in place, a standard container
runtime sets up and runs a container to completion, and the kernel boots an
unmodified distribution through its init system to an interactive shell. The
conformance suite — real applications booted under the kernel — passes in
full.
See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.
v0.0.4
Release v0.0.4
Builds on v0.0.3. New in this release:
-
A sturdier architecture. The bulk of this release is a deep structural pass
that follows through on the sealed-core groundwork from v0.0.3. The scheduler
and process engine — historically a handful of enormous files that the rest of
the kernel reached into freely — is now split into clearly separated layers
with a small, explicit set of entry points between them, and the largest
source files are broken into focused modules. A single result-and-error
vocabulary runs across every subsystem boundary. Build-time checks enforce the
rules: scheduling and process state can only change through the engine's own
entry points, and lower layers can't reach up into higher ones. None of this
changes what programs see — it makes the kernel far easier to reason about and
much harder to break one part without the build catching it, which is what
lets new work land cleanly from here. -
More faithful signals. Real-time signals now queue in order and respect the
per-user limit on pending signals; a signal that interrupts an open-ended wait
no longer wrongly restarts it; a memory fault arrives as a normal, catchable
signal rather than an unconditional kill; and a debugger can reliably inject
signals into a program it controls. Software that depends on precise signal
behavior — shells, job control, language runtimes — behaves the way its
authors expect. -
Per-process CPU timers. Programs can arm timers that fire based on the
processor time they actually consume, not just elapsed wall-clock time. -
Real memory locking. Locking memory now genuinely pins it in RAM and faults it
in immediately, and a program can ask that everything it maps from then on
stays locked too. If the system runs out of memory while servicing a fault, it
now stops just the offending program with a clean termination instead of
putting the whole machine at risk. -
Durable, precise file writes. Flushing a file writes its pending pages through
to storage, and a range flush writes back exactly the bytes requested, so data
lands when a program asks for it. Pipe buffer capacity can be queried and
resized. -
Correct directory-relative open permissions. Opening a file by a path relative
to an open directory now runs the same permission check as opening it by full
path, closing a gap where the relative form could skip the check. -
Truer introspection. Resource-usage accounting reports real minor and major
page-fault counts; the per-process status view reports the real open-file
ceiling; a per-process login identity is tracked and inherited across programs.
The processor listing shows one entry per online core, and the load average
excludes idle sleepers, so standard monitoring tools read the values they
expect. -
Networking refinements. Non-blocking is honored per individual send and
receive rather than only as a socket-wide mode, local socket pairs preserve
message boundaries for datagram and packet types, and loopback delivery was
corrected. -
Better device and process fidelity. Terminal window size can be set and read
back so full-screen terminal programs lay themselves out correctly; the disk
now appears in the system's device tree so enumeration tools find it; creating
a device node routes it to the right driver; and a child carries its parent's
resource limits across a fork or clone.
See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.
v0.0.3
Release v0.0.3
Builds on v0.0.2. New in this release:
-
More usable RAM. Earlier releases topped out near a single gigabyte; that
limit is gone, and the kernel now runs with many gigabytes of memory. Larger
workloads that couldn't fit before have room now. -
On-screen graphics. Programs can draw to the VM's own window, not just the
text console — the kernel sets the display mode, hands out a framebuffer, and
flips it. Rendering is done in software, including continuously animated
output, not only static frames. -
Faster, lighter process creation. Starting a child process no longer copies
the parent's memory up front. The two share their pages until one of them
writes, so a fork is near-instant and uses a fraction of the memory it used
to — even for large programs. Shells, servers, and build tools that fork
constantly run leaner and quicker, and forking stays correct under heavy
multi-core load. -
Real process isolation. Sandboxes and containers can take their own private
views of the system — separate process tables, a separate network stack, and
separate mount and inter-process-communication namespaces — with the tools to
create, join, and inspect them. A program in one namespace cannot see or
disturb another's processes, and what each program sees through the system's
introspection interfaces is scoped to its own view. -
Per-program CPU pinning. A program can ask to run only on specific processor
cores, and the scheduler honors it — useful for latency- or cache-sensitive
work. -
Much broader networking. Datagram sockets, a working connect, and
scatter/gather message send and receive run more clients and simple servers.
Local sockets — streamed, datagram, and abstract — let programs on the same
machine talk the way stock software expects, including passing open files from
one process to another. IPv6 works alongside IPv4, programs can query the
machine's network configuration, and basic reachability testing works. -
Built-in randomness. Programs that need random data — for cryptographic keys,
secure connections, or program hardening — now get a fast, always-available
source built into the kernel, rather than depending on the host to supply one.
It draws from the processor's own randomness and from system timing, never
stalls waiting for a source, and keeps working even when no hardware random
device is present. The generator moves forward after every request, so earlier
output can't be reconstructed from its current state, and it refreshes itself
over time; a power-on self-check verifies it before any program relies on it. -
More of the system-call surface. Vectored reads and writes, the full set of
readiness-wait calls, directory-relative file paths, and an in-memory
filesystem backed by real memory pages for large files. The result: more
stock programs run unmodified. -
A hardened core. The kernel's internal process and scheduling state is now
sealed behind enforced interfaces rather than shared freely across the code,
so a mistake in one part can no longer quietly corrupt another part's
bookkeeping — the boundary is checked when the kernel is built. This is
groundwork: it makes the system easier to reason about and harder to break as
it grows. -
More accurate introspection. The reported boot time, a stable per-boot
identifier, and a live view of mounted filesystems now reflect reality rather
than placeholders, so monitoring and diagnostic tools read correct values. -
Steadier multi-core workloads. A rare crash when one processor cleaned up a
program that another was still tearing down is fixed, and exit bookkeeping was
reworked so a parent always finds its finished child the moment it is told
about it. Connection teardown and non-blocking input/output were tightened so
database and cache servers that hold many connections run to completion instead
of stalling. Process storms — forking, killing, and waiting on many short-lived
programs at once — run clean.
See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.
v0.0.2
Release v0.0.2
Builds on v0.0.1. New in this release:
- Graphical framebuffer console: text rendering and keyboard input, so an
interactive shell runs in the VM's graphical window, not only over the
serial line. - ext4 mount hardening: mounts are privilege-gated and reject unsupported
or malformed filesystem images.
See README.md for what runs today, and docs/ for the architecture,
verification recipe, and clean-room policy.