Asterinas: a new Linux-compatible kernel project
What's a framekernel?
The framekernel concept is explained in the September 2024 paper "Framekernel: A Safe and Efficient Kernel Architecture via Rust-based Intra-kernel Privilege Separation" by Yuke Peng et al. A fuller version of the paper was published in early June.
Traditionally, monolithic kernels lump everything into one kernel-mode address space, whereas microkernels only implement a minimal trusted computing base (TCB) in kernel space and rely on user-mode services for much of the operating system's functionality. This separation implies the use of interprocess communication (IPC) between the microkernel and those services. This IPC often has a performance impact, which is a big part of why microkernels have remained relatively unpopular.
The core of Asterinas's "framekernel" design is the encapsulation of all code that needs Rust's unsafe features inside a library, enabling the rest of the kernel (the services) to be developed using safe abstractions. Those services remain within the kernel's address space, but only have access to the resources that the core library gives to them. This design is meant to improve the safety of the system while retaining the simple and performant shared-memory architecture of monolithic kernels. The Asterinas book on the project's website provides a nice architectural mission statement and overview.
The aptness of the "framekernel" nomenclature can perhaps be debated. The frame part refers to the development framework wrapping the unsafe parts behind a memory-safe API. The concept of the TCB is, of course, not exclusive to microkernel architectures but, because there are strong incentives to strictly scrutinize and, in some contexts, even formally verify the TCB of a system, keeping the TCB as small as possible is a central aspect of microkernel designs.
An update on the project is available on the Asterinas blog in the June 4 post titled "Kernel Memory Safety: Mission Accomplished". The post explains the team's motivations and the need for the industry to address memory-safety problems; it provides some illustrations that explain how the framekernel is different from monolithic kernels and microkernels. It also takes a moment to emphasize that the benefits of Rust don't stop with memory safety; there are improvements to soundness as well. Perhaps most importantly, the post highlights the upcoming Asterinas presentation at the 2025 USENIX Annual Technical Conference.
Related work
In their paper, the authors compare Asterinas to some prior Rust-based operating-system work, exploring the benefits of the language's memory-safety features and explain how Asterinas differs from that previous work. Specifically, the paper contrasts Asterinas with RedLeaf, an operating system written in Rust and presented at the 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20) in 2020. Asterinas uses hardware isolation to permit running user-space programs written in any programming language, aims to be general-purpose, and provides a Linux-compatible ABI, while RedLeaf is a microkernel that is designed not to use the hardware's isolation features, and the project focuses on different things.
Another project of interest is Tock, an embedded system that targets SoCs with limited hardware protection functionality. Like Asterinas, Tock also divides the kernel into a trusted core allowed to use unsafe and untrusted "capsules" that are not. As mentioned, Asterinas does rely on hardware protection and isn't intended for strictly embedded use, which differentiates it from Tock.
It bears mentioning that the Rust for Linux project, which is introducing Rust code into the upstream Linux kernel, has similar goals as Asterinas. It also aims to encapsulate kernel interfaces with safe abstractions in such a way that drivers can be written in Rust without any need for unsafe.
Work toward formal verification
One goal of shrinking the TCB of an operating system is to make it feasible to have it formally verified. In February 2025, the Asterinas blog featured a post detailing plans to do just that. The best known formally verified kernel is seL4, an L4-family microkernel.
Asterinas aims to use the framekernel approach to achieve a system that has
a small, formally verified TCB akin to a lean microkernel, but also a
simple shared-memory architecture with Linux ABI compatibility, all at the
same time. This is a radical departure from any previously formally
verified kernel; the blog post describes those kernels as deliberately
small and limited compared to "full-fledged, UNIX-style OSes
".
The Asterinas project is collaborating with a security-auditing company called CertiK to use Verus to formally verify the kernel. There is an extensive report available from CertiK on how Asterinas was audited and the issues that were found.
Libraries and tools
The Asterinas kernel is only one result of the project. The other two are
OSTD, described as "a Rust
OS framework that facilitates the development of and innovation in OS
kernels written in Rust
", and OSDK, a
Cargo addon to assist with the development, building, and testing of
kernels based on OSTD.
There are four stated goals for OSTD as a separate crate. One is to lower the entry bar for operating-system innovation and to lay the groundwork for newcomers to operating-system development. The second is to enhance memory safety for operating systems written in Rust; other projects can benefit from its encapsulation and abstraction of low-level operations. The third is to promote code reuse across Rust-based operating-system projects. The fourth is to boost productivity by enabling testing of new code in user mode, allowing developers to iterate without having to reboot.
It is worth emphasizing that the kernels that can be written with OSTD do not have to be Linux-compatible or, in any way, Unix-like. The APIs provided are more generic than that; they are memory-safe abstractions for functionality like x86 hardware management, booting, virtual memory, SMP, tasks, users, and timers. Like most Rust crates, OSTD is documented on docs.rs.
Asterinas reports Intel, among others, as a sponsor of the project. Intel's interest is likely related to its Trust Domain Extensions (TDX) feature, which provides hardware modes and features to facilitate isolation of virtual machines, and memory encryption. The Asterinas book has a brief section on TDX, and the OSDK supports it.
The OSTD, or at least the parts that Asterinas ends up using, seems to essentially be the restricted TCB that allows unsafe. For an illustrative example, we could take a look at the network kernel component's source code and see that the buffer code uses DMA, locking, allocation, and virtual-memory code from the OSTD through memory-safe APIs.
Current state
Asterinas was first released under the Mozilla Public License in early 2024; it has undergone rapid development over the past year. GitHub lists 45 individual committers, but the majority of the commits are from a handful of PhD students from the Southern University of Science and Technology, Peking University, and Fudan University, as well as a Chinese company called Ant Group, which is a sponsor of Asterinas.
At the time of writing, Asterinas supports two architectures, x86 and RISC-V. In the January blog post linked above, it was reported that Asterinas supported 180 Linux system calls, but the number has since grown to 206 on x86. As of version 6.7, Linux has 368 system calls in total, so there is some way to go yet.
Overall, Asterinas is in early development. There have been no releases, release announcements, changelogs, or much of anything other than Git tags and a short installation guide in the documentation. The Dependents tab of the OSTD crate on crates.io shows that no unrelated, published crate yet uses OSTD.
It does not seem like Asterinas is able to run any applications yet. Issue #1868 in Asterinas's repository outlines preliminary plans toward a first distribution. The initial focus on a custom initramfs and some rudimentary user-space applications, followed by being able to run Docker. There are initial plans to bootstrap a distribution based on Nix. Notably (but unsurprisingly), this issue mentions that Asterinas doesn't support loading Linux kernel modules, nor does it ever plan to.
Near-future goals
The Roadmap section of the Asterinas book says that the near-term goals are to expand the support for CPU architectures and hardware, as well as to focus on real-world usability in the cloud by providing a host OS for virtual machines. Apparently, the support for Linux virtio devices is already there, so a major hurdle has already been cleared. In particular, the Chinese cloud market, in the form of Aliyun (also known as Alibaba Cloud) is a focus. The primary plans involve creating a container host OS with a tight, formally verified TCB and support for some trusted-computing features in Intel hardware, for the Chinese cloud service.
While both Rust for Linux and Asterinas have similar goals (providing a safer kernel by relying on Rust's memory safety), their scopes and approaches are different. Rust for Linux focuses on safe abstractions strictly for new device drivers to be written in safe Rust, but this leaves the rest of the kernel untouched. Asterinas, on the other hand, aims to build a whole new kernel from the ground up, restricting the unsafe-permitting core to the absolute minimum, which can then be formally verified. Asterinas also focuses on containers and cloud computing, at least for now, while Rust for Linux looks to benefit the whole of the Linux ecosystem.
Despite the stated cloud focus, there is more going on, for example building support for X11 and Xfce. Also, the OSTD could, of course, prove interesting for OS development enthusiasts irrespective of the Asterinas project, but so far it remains unknown and untested by a wider audience.
Asterinas is certainly a refreshingly innovative take on principles for
operating-system development, leaning on the safety and soundness
foundations provided by the Rust language and compiler. So far it is at an
early exploratory stage driven by enthusiastic Chinese researchers and
doesn't see any serious practical use, but it is worth keeping an eye
on. It will be interesting to see the reception it will get from the
Rust for Linux team and the Linux community at large.
| Index entries for this article | |
|---|---|
| GuestArticles | Koistinen, Ronja |
Posted Jun 19, 2025 17:49 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (10 responses)
Very much like Singularity OS from Microsoft, but with the borrow checker for memory safety instead of a garbage collector.
Posted Jun 19, 2025 17:54 UTC (Thu)
by khim (subscriber, #9252)
[Link] (9 responses)
Haven't Singularity OS tried to use in-language safety as security boundary? Java have shown is it's terrible idea and I'm pretty sure Singularity OS would have had the same fate if it ever went beyond “demo” stage. But using that boundary to separate TCB from “non-malicious, but potentially buggy code” is an interesting twist: Rust
Posted Jun 19, 2025 18:06 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (8 responses)
Yep, and it worked well.
> Java have shown is it's terrible idea and I'm pretty sure Singularity OS would have had the same fate if it ever went beyond “demo” stage.
Java's security model was just designed badly. It essentially granted elevated privileges to _code_, kinda like the SUID bit in Unix. With obvious pitfals because the input data can be manipulated, and Java also had way too many ways around its own safeties.
Modern sandboxing instead relies on capability passing. Just look at JavaScript/WASM for an example of a resilient language-level sandboxing.
Posted Jun 19, 2025 18:12 UTC (Thu)
by khim (subscriber, #9252)
[Link] (7 responses)
Do you even know of any production use of JavaScript/WASM without non-language sandbox? I think the fact that none (or almost no one) does that spokes volumes about viability of such approach. It's impossible to say whether it “worked well” if it was never tested in an environment where security breach means losses measured in billions, sorry. Java also “worked pretty well” till they deployed it in browsers.
Posted Jun 19, 2025 19:16 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Sure, modern browsers are an example. A JavaScript sandbox escape is easy to elevate because so many sharp objects have to be exposed to the scripting context (e.g. WebGPU).
Docker also has WASM containers now.
> It's impossible to say whether it “worked well” if it was never tested in an environment where security breach means losses measured in billions, sorry.
Java is literally used for the most secure applications: hardware security modules and payment systems.
Posted Jun 19, 2025 19:30 UTC (Thu)
by khim (subscriber, #9252)
[Link] (2 responses)
What do you call “modern browser” here? Lynx? Coz all browsers that I know of put rendered in a OS-supported sandbox, precisely because they don't trust JavaScript. GPU is, usually, handled by separate GPU-talking process. Docker also has WASM containers now. Does it have in-WASM-image security boundary? Last time I looked it was treating the whole WASM blob as an OS process, with one array imitating “untrusted memory” and without any fine-grained security checks similar to BPF or JVM – poor imitation of OS-level sandboxing, not fire-tuned language-level one. Do they run untrust apples in these? Really? Again: saw some of them, none trust Java-language sandbox. The question is not whether Java or WASM or JavaScript are used in sensitive context but whether they trust language-level security management… I'm yet to see serious system that's built that way.
Posted Jun 19, 2025 19:43 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Not with WebGPU. It works in the same address space as JS, and allows things like direct buffer manipulation (see: https://markaicode.com/webgpu-2-chrome-2025-performance/ ). The WebGPU library (Dawn/wgpu) make the underlying platform APIs safe, but if you escape the JS sandbox, you can access it directly.
Browsers obviously try to make exploitation harder with OS-level sandboxes, but once you're out of the JS sandbox, it's game over for serious attackers.
> Does it have in-WASM-image security boundary? Last time I looked it was treating the whole WASM blob as an OS process, with one array imitating “untrusted memory” and without any fine-grained security checks similar to BPF or JVM – poor imitation of OS-level sandboxing, not fire-tuned language-level one.
Well, yes. That's the whole idea behind WASM.
> Do they run untrust apples in these? Really? Again: saw some of them, none trust Java-language sandbox.
They do. JavaCards allow third-party apps, and they use a similar capability-based security model.
Posted Jun 19, 2025 20:15 UTC (Thu)
by khim (subscriber, #9252)
[Link]
Then how is it relevant to the discussion about “in-language safety as security boundary”? Since when? I admit that I haven't worked with cardlets for last ten years but when I did it was exact same “cardlet as whole is it's own world with no security boundaries inside” This may be the one example where you are right and language-based is used as a security boundary… and only because of so much sunk cost that it's impossible to fix that design. All other examples that have brought don't use language-level sandbox as security boundary at all – and even browsers are not trusting it entirely. One half-example where language-level sandbox kinda-sorta-works if you squint just right vs dozens of examples where it's ditched for something simpler and thus more robust doesn't look like “it worked well” to me, sorry.
Posted Jun 19, 2025 21:40 UTC (Thu)
by epa (subscriber, #39769)
[Link]
The properties enforced by languages such as Rust don’t try to let you do that, but while they are less concerned with malicious attacks, they do a better job of preventing bugs in practice and letting you formally verify your system. I think that was the OP’s point.
Posted Jun 19, 2025 21:44 UTC (Thu)
by roc (subscriber, #30627)
[Link] (1 responses)
I think you're right that everyone who cares about security uses a hardware-backed (i.e. process) sandbox to protect the host platform from untrusted JS/WASM. At least I hope they do.
But in lots of cases people are still relying on language/VM-level protection to protect mutually distrusting JS/WASM components from each other. While the state of the art in browsers today is full site isolation so that no process mixes code from mutually distrusting Web sites, Safari/Webkit doesn't do it, and on Android I don't think any browser commits to it.
This is even true for systems designed without legacy constraints. Cloudflare Workers runs mutually distrusting workers in the same process using V8 isolates.
Posted Jun 20, 2025 6:22 UTC (Fri)
by gmatht (guest, #58961)
[Link]
Posted Jun 19, 2025 18:24 UTC (Thu)
by shironeko (subscriber, #159952)
[Link] (34 responses)
Posted Jun 20, 2025 10:30 UTC (Fri)
by paulj (subscriber, #341)
[Link] (33 responses)
Already there are phones from major Chinese manufacturers that are now running non-Linux kernels. China is going to rewrite everything for itself, cause the US has shown you absolutely must not - in strategic terms - depend on any technology the US government can have influence over.
Posted Jun 20, 2025 11:33 UTC (Fri)
by georgyo (subscriber, #121727)
[Link] (32 responses)
If you ship a product that modifies the Linux kernel, you must also share that code. While I personally think that is great, I can imagine that companies that want to build a bigger moat would want a proprietary kernel. Then they could have hardware or security features that they don't have to share.
IE, anyone can pretty much make an Android phone, but only Apple has the sources for the iOS kernel. Some might want a similar wall.
Personally, I hope that Linux stays the preferred choice. There is just a ton of value in everyone not reimplementing the wheel over and over again.
Posted Jun 20, 2025 11:46 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (16 responses)
That prevents the Chinese manufacturers from upstreaming their code, forcing them to maintain a fork without even being allowed to tell Linus and Greg what changes make their lives harder, let alone upstreaming general infrastructure improvements that make all devices in their device class easier to drive.
Posted Jun 20, 2025 14:24 UTC (Fri)
by pizza (subscriber, #46)
[Link] (15 responses)
...And how maintaining a fork harder than writing/maintaining their own independent kernel (and userspace)?
Posted Jun 20, 2025 14:34 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (8 responses)
Given that you're not getting any long-term benefit from starting from Linux, however, why not dump the Linux legacy for future products? There's a decent chunk of code in there that you basically don't care about - x86 and x86-64 legacy stuff, SATA drivers etc - and you get a smaller codebase to maintain if you dump it all.
Posted Jun 20, 2025 16:31 UTC (Fri)
by bluca (subscriber, #118303)
[Link] (7 responses)
Come on now, that is not even remotely true. Adding some device drivers for some specific hardware is not nearly the same thing as reimplementing the entire kernel from scheduling, memory, control groups, events, netlink, network, namespaces, mounts, filesystems, and so on and so forth.
ARM vendors have been doing exactly this since forever. They take a kernel version, and they add hundreds of thousands to millions of lines of code of device-specific stuff, freeze it and ship it. New device, new kernel version, rinse and repeat.
Posted Jun 22, 2025 8:23 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (6 responses)
Initially, yes, it'll be cheaper to freeze and ship an ancient kernel, as the ARM vendors do; but the position they're going to find themselves in if the USA cracks down hard is one where they're freezing and shipping the equivalent of 2.6.32 today, with their own code filling in all the features they're missing from 6.14.
Posted Jun 22, 2025 10:13 UTC (Sun)
by bluca (subscriber, #118303)
[Link] (5 responses)
Pretty sure ARM verndors do those kind of things too
> Initially, yes, it'll be cheaper to freeze and ship an ancient kernel, as the ARM vendors do; but the position they're going to find themselves in if the USA cracks down hard is one where they're freezing and shipping the equivalent of 2.6.32 today, with their own code filling in all the features they're missing from 6.14.
Not really though. The "USA" cannot force you to use a specific version of the kernel. The only things they can do is stop sanctioned entities from using services and having two-way partnerships with entities under their jurisdiction. They cannot stop random people from anywhere in the world from using new version of the kernel downloaded from kernel.org.
Posted Jun 22, 2025 12:00 UTC (Sun)
by pizza (subscriber, #46)
[Link]
Smartphone SoC vendors are perhaps the "best" example of this, routinely having 7+ figure LoC differences versus the mainline kernel they forked. And that doesn't count the stuff they ship in the form of binary blobs.
That said, nearly everyone who ships something containing Linux does this. They only differ in degree.
> They cannot stop random people from anywhere in the world from using new version of the kernel downloaded from kernel.org.
Exactly. Why reinvent (and maintain) *everything* instead of only the stuff you actually care about?
Posted Jun 22, 2025 14:55 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (3 responses)
Posted Jun 23, 2025 4:35 UTC (Mon)
by vonbrand (subscriber, #4458)
[Link] (2 responses)
Posted Jun 23, 2025 8:16 UTC (Mon)
by taladar (subscriber, #68407)
[Link] (1 responses)
Posted Jun 23, 2025 9:55 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
I would think the number of people and hosters (if not countries) who actively don't want to interact with any US entities will soon start growing if this nonsense continues much longer ...
Cheers,
Posted Jun 20, 2025 15:01 UTC (Fri)
by paulj (subscriber, #341)
[Link] (5 responses)
If you can no longer interact with a significant chunk of the external expertise for a code-base, because it resides in (or is otherwise subject to) a country that is playing silly geo-political games, then that value is lost. You can't ask for help. You can't submit patches and get them reviewed, thus streamlining their integration with other pending and future work.
You must now rely on your own expertise. Your own internal expertise will much rather develop its own code, that it fully understands, than have to wade through tonnes of other people's code. Especially when there is a language barrier for any available documentation. If they start from scratch, then they can write their own documentation in their own language. As they develop a community around that new project, they will all share a language, making comms much easier, making further development easier, etc.
There are many reasons, they could be good or bad. Regardless of how we might weigh those reasons up, China views it as worthwhile to develop replacements for Linux. And they have multiple efforts in progress. At least one of which is close to full-commercial-release.
Posted Jun 20, 2025 16:04 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (4 responses)
And America seems to think everyone SHOULD share its "view on life". I make no bones that I place "Freedom of Speech" THIRD on a "Pick any two" list, so I certainly don't share America's view of what freedom is. I've seen it commented here that the majority of Chinese are on the whole very happy with their lot. Certainly they don't share "the American Dream". And one only has to look at the current geo-political situation to realise there is a lot of grass-roots (not politically manufactured) anti-Americanism in the Middle East.
The Rest of the World should be developing replacements for American products. And if only Europe could get its act together AS EUROPE, and not a bunch of squabbling fiefdoms, America could easily find itself kow-towing to *our* economic might ...
As pretty much every empire since before the Romans has proved, economic power leads to military power, and the Chinese appear to have taken that lesson to heart. So should we.
(At least the Russians don't seem to have learnt it - not very well, at any rate. Selling raw materials isn't enough ...)
Cheers,
Posted Jun 20, 2025 16:26 UTC (Fri)
by khim (subscriber, #9252)
[Link] (3 responses)
Europe is dead, there are no need to even talk about it. It's Zombie that's still moving, but couldn't survive. Russians learned it better than everyone else. In the coming years the military might would be the deciding factor. And Russia prepared that before anyone else. China is still not ready, and Europe is only just talking about what needs to be done. While time have almost run out. I wonder where have you got that fantasy. Economic power and military power are, of course, interdependent, but if you have economic power and don't have military to protect you, then you are just food. US would rob Europe till it would collapse, then Russia would rip whatever it wants from the rotting carcass. UK would probably be able to grab some small parts of it, too, Portugal and Spain can survive if the Pope calls the people of Latin America to their protection, but the majority of European population have no future… in Europe, at least.
Posted Jun 20, 2025 16:35 UTC (Fri)
by corbet (editor, #1)
[Link] (2 responses)
Posted Jun 20, 2025 16:59 UTC (Fri)
by khim (subscriber, #9252)
[Link] (1 responses)
We don't know that if you don't tell us, actually. Lots of development in Linux and FOSS (that's on-topic for LWN, right?) is driven by that separation of the world into isolated clusters already – and it would be even more serious in the coming years. How would we know if LWN staff have decided to accept that and stopped ignoring it if we wouldn't discuss it? That's fair: you want us to stop and wait few more years till you would accept the fact that even if you decide to ignore political games, it does not mean that political games will agree to ignore you… got it. Let's see where would it go after a year or two? Because it is more difficult for people living closer to the chasm to ignore it, maybe… Or because there are more-and-more development driven by this “offtopic” in areas that LWN is supposed to cover, maybe… But let's discuss that year or two later… there would be more evidence why these things are very much on-topic for LWN by then.
Posted Jun 20, 2025 18:00 UTC (Fri)
by daroc (editor, #160859)
[Link]
Right above the comment box is a bullet point saying "Is the comment on-topic for the article and LWN?"
The article in question here is about Asterinas. Were the first few comments on whether independent OS projects will become more common in the face of current politics on topic? Yes, just. But by the time the discussion got to the international balance of power and history of empire — without any reference to OS development — it stopped being on topic.
I do think it's genuinely important to discuss these things, especially with people who don't share your views. But not every discussion has to happen here, specifically. There are lots of places to discuss these things on the internet, and if we don't all make some amount of effort to sort things by topicality, it gets much harder for people to find the discussions in which they are interested in participating.
Posted Jun 20, 2025 12:16 UTC (Fri)
by paulj (subscriber, #341)
[Link] (2 responses)
Have you not kept abreast of the news here on LWN, where the "Linux Foundation" has a policy on removing/excluding people from Linux development if the US state orders, a policy which all the top US based kernels - particularly Linus - agree with?
https://lwn.net/Articles/1007272/
Have you not kept abreast of the news more widely in the tech industry, where the US threatens European companies with punitive measures if they do not follow its orders to stop selling their products to Chinese tech companies - indeed, they're not even allowed to give support for the equipment they already sold? (And needless to say, US tech companies are following those orders too - NVidia no longer allowed to sell higher-end "GPUs" to China).
> Personally, I hope that Linux stays the preferred choice. There is just a ton of value in everyone not reimplementing the wheel over and over again.
Too late. Chinese tech industry is already hard at work replacing Linux, as far as its own needs are concerned. It is a major strategic objective. There already are phones from the biggest makers coming to market, running their own Chinese developed kernel. This trend will continue. This story is due to that.
Posted Jun 20, 2025 15:04 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (1 responses)
And Europe will be doing the same, if they have any sense. The American "Industrial / Defense" alliance was probably in large part behind their current political dominance in the world, they have the ability to make everything they need for themselves. Europe needs a "Europe first" policy for all defence production, which will probably have massive economic benefits. Which is also why America won't be happy if we do ...
Let's hope Keir and crew have the guts to stand up and say "if we're spending so much more on defence, we need to spend it at home ..."
Cheers,
Posted Jun 20, 2025 16:35 UTC (Fri)
by khim (subscriber, #9252)
[Link]
Do you really believe they would be allowed to spend it in Europe? Why would US allow that and how can Europe oppose them if they have no military to protect their interests? For that matter, why do you think stuff that Europe would pay for would even ever reach the European soil? It would be a prudent decision for US to force Europe to pay for new shiny military toys and then use them in fight with China. P.S. And UK is not Europe. It's closer to the Tabaqui who plans to feed on remnants of Europe after Shere Khan would take its fill… it may even get some small pieces… not sure how big, though.
Posted Jun 20, 2025 19:26 UTC (Fri)
by intelfx (subscriber, #130118)
[Link] (1 responses)
For instance, like this: https://lwn.net/Articles/995186/
Posted Jun 20, 2025 19:30 UTC (Fri)
by pizza (subscriber, #46)
[Link]
What does this mean in a world where most folks paid to work on Linux (to say nothing of actual *users*) are *not* based in the US?
Posted Jun 21, 2025 15:09 UTC (Sat)
by krakensden (subscriber, #72039)
[Link] (9 responses)
Posted Jun 21, 2025 15:46 UTC (Sat)
by pizza (subscriber, #46)
[Link]
No, the LF closed off the "Linux" they maintain (at kernel.org) from contributions from folks employed by sanctioned Russian organizations.
Nothing prevents those organizations from maintaining their own fork. Or collaborating with the numerous long-lived forks maintained outside US jurisdiction.
Posted Jun 22, 2025 15:58 UTC (Sun)
by ceplm (subscriber, #41334)
[Link] (7 responses)
2. What’s much more important, it has absolutely no repercussions for using and developing Linux in Russia. Whatever I think about Russia and their current insane crimes in Ukraine, it didn’t make a zilch change for efforts like Astra Linux. They didn’t flop just because two Russian programmers were banned from contributing to the kernel.org kernel.
Posted Jun 23, 2025 12:50 UTC (Mon)
by paulj (subscriber, #341)
[Link] (6 responses)
The consequence of this is that at least one major Chinese phone company has spent a number of years developing a new phone OS. From the kernel through to the user-space. And that software stack is already shipping in beta form for phones, and will be a full commercial release soon. And the default software on their phones at some point not far off.
Other Chinese companies will go the same way. Yes there is still plenty of general Free Software in there, but they're rewriting the bits they find strategically important to rewrite (kernel, the main UI and its libraries).
I'm not writing anything political in this, just stating facts - things that have happened. Pointing out a direction of travel with regards to software technology in a major economy, which happens to be largely due to foreign policy of another major power. Draw your own conclusions.
Posted Jun 24, 2025 14:59 UTC (Tue)
by rjones (subscriber, #159862)
[Link] (5 responses)
The real motive probably has less to do with a fear of the USA Federal government being idiots and much more to do with consolidating controls over the lives of Chinese citizens. Phones running government controlled applications are increasingly a requirement for any sort of physical movement and economic interactions in China. Totalizing control of the phone platforms themselves is just the next logical step.
Posted Jun 24, 2025 15:02 UTC (Tue)
by dskoll (subscriber, #1630)
[Link] (3 responses)
In China, the state has you under constant surveillance. In the West, corporations have you under constant surveillance.
Neither the CCP nor our corporate overlords are answerable to citizens.
Posted Jun 24, 2025 15:05 UTC (Tue)
by daroc (editor, #160859)
[Link]
Posted Jun 24, 2025 15:18 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (1 responses)
Who is happier - your average Chinese, or your average American? (I'll throw in your average European, too.)
Last I knew, the average American was well below the average European (although the gap is narrowing, the Americans are dragging us down). I don't know about the Chinese, but I doubt they're in third place ...
Cheers,
Posted Jul 3, 2025 2:08 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
You're thinking of the Declaration of Independence. The closest the Constitution gets are the amendments that state that government cannot deprive a person of life, liberty, or property (5th and 14th).
Posted Jun 24, 2025 17:02 UTC (Tue)
by paulj (subscriber, #341)
[Link]
> Phones running government controlled applications are increasingly a requirement for any sort of physical movement and economic interactions in China
This is possibly as true in the West as in China. Indeed, in China I can run Alipay and WeChat on my rooted, deGoogled, LineageOS phone (so they can be run completely sandboxed) and pay for stuff no problem. Whereas, in the West generally banking and other FinTech/EMI apps simply do not work on rooted phones. I have to keep a 2nd phone with the blessed manufacturer firmware, if I want to use financial apps. In China my exposure is just those 2 apps - I lack control over them, but I have control over the OS (in principle); whereas in the west my exposure additionally is to 1 or more entities who make the OS firmware.
Further, in the West those bank and Fintech apps, and the OS vendor obviously all co-operate with *numerous* states, both for judicially approved requests and sometimes for extra-judicial requests. For some apps (not banking per se, but other BigTech apps say) at least 1 of those jurisdictions that data or meta-data is shared with has an extremely poor human rights record (down to having international rulings of severe human rights abuses against them, at the ICJ).
You may have different views on which regimes are "good" and "bad" than I do, or what another person in another situation has - and that discussion is off-topic for LWN ;) - however, from a purely technical POV, when it comes to control over the software I can use in my phone (and control over the software I do not trust, i.e. sandboxing tech) to date I feel I have *more* control in China than in the West from a tech perspective.
(Disclaimer: I have only been a tourist to China).
Posted Jun 19, 2025 21:58 UTC (Thu)
by roc (subscriber, #30627)
[Link] (5 responses)
For a better measure you need to run some kernel test suites.
Building a Linux-compatible kernel is pretty much an infinite amount of work. You can "target a subset" but users will always want more. Microsoft tried that path and gave up pretty quickly. I guess gVisor has been modestly successful. It would be interesting for the various "Linux compatible" projects to try to converge on the API subset they support.
I suppose if AGI is going to provide us with a huge number of cheap developers in the near future, projects like this will start to make more sense.
Posted Jun 20, 2025 9:00 UTC (Fri)
by kris.shannon (subscriber, #45828)
[Link]
Another reasonable successful example is the LX Zones in SmartOS I do have to agree with "users will always want more" though.
Posted Jun 20, 2025 11:12 UTC (Fri)
by Karellen (subscriber, #67644)
[Link] (3 responses)
And a lot of "Linux" software isn't that closely tied to Linux, and will happily run on *BSD or other POSIXish OSs. If they can reimplement 99% of the most commonly used syscalls/features behind a Linux-compatible ABI, they'll probably have a lot software which will actually run on the system.
Posted Jun 21, 2025 4:06 UTC (Sat)
by roc (subscriber, #30627)
[Link] (2 responses)
Posted Jun 21, 2025 10:15 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (1 responses)
True, the kernel code base is pretty solid, but there's sharp edges everywhere. The fewer "here be dragons" signs there are, the beter.
Cheers,
Posted Jun 21, 2025 20:34 UTC (Sat)
by roc (subscriber, #30627)
[Link]
Posted Jun 20, 2025 6:52 UTC (Fri)
by nim-nim (subscriber, #34454)
[Link] (3 responses)
Posted Jun 20, 2025 9:33 UTC (Fri)
by xav (guest, #18536)
[Link]
Posted Jun 20, 2025 13:35 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (1 responses)
Personally, I think MPL is actually a very good fit for Rust's crate system - the licence is modular in the same way crates are modular. It's not aggressively copyleft, but it stops you from taking other peoples' code private.
Cheers,
Posted Jul 2, 2025 1:20 UTC (Wed)
by cornelio (guest, #117499)
[Link]
Posted Jun 20, 2025 9:32 UTC (Fri)
by acer (subscriber, #156526)
[Link] (2 responses)
Posted Jun 20, 2025 10:14 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
There's about 10 crates or so in that set that I'd be unsure about, providing things like coloured log output to serial consoles.
The things I would like to see in terms of trust are:
Posted Jun 20, 2025 17:35 UTC (Fri)
by thoughtpolice (subscriber, #87455)
[Link]
For some reason they don't seem to use workspace-level dependencies, instead splitting specific deps between Cargo.toml files, so it's harder to see what the general "surface area" is.
Posted Jun 20, 2025 19:06 UTC (Fri)
by netbsduser (guest, #171655)
[Link]
> Enforced modularity. Extensions are written in Modula3 [Nelson 91], a modular programming language for which the compiler enforces interface boundaries between modules. Extensions, which execute in the kernel’s virtual address space, cannot access memory or execute privileged instructions unless they have been given explicit access through an interface. Modularity enforced by the compiler enables modules to be isolated from one another with low cost
Posted Jun 20, 2025 20:25 UTC (Fri)
by Nikratio (subscriber, #71966)
[Link] (3 responses)
Why “but", rather than a full stop and new sentence? This sounds like PhD students don't actually count as real committed....
Posted Jun 20, 2025 20:33 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
After all, who cares about the PhD students?
Posted Jun 21, 2025 6:35 UTC (Sat)
by ronja (subscriber, #164061)
[Link]
Posted Jun 22, 2025 8:22 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
Posted Jun 21, 2025 22:11 UTC (Sat)
by lmb (subscriber, #39048)
[Link] (1 responses)
Posted Jul 3, 2025 10:34 UTC (Thu)
by massimiliano (subscriber, #3048)
[Link]
Or maybe not, or just the opposite?
A framekernel provides separated environments, like a microkernel, but, unlike a microkernel, it does not require address space separation among them.
Actually, once compiled to machine code, a framekernel looks exactly like a monolithic kernel!
If anything, this shows that framekernels try to have the best of both worlds:
Posted Jul 7, 2025 14:46 UTC (Mon)
by dcz (subscriber, #128371)
[Link]
Tock also relies on hardware protections outside the kernel. In fact, this statement about Asterinas applies to Tock as well:
> uses hardware isolation to permit running user-space programs written in any programming language
The shape of the hardware protections is different: Tock OS userspace programs share a address space, but access by each program is limited only to their own piece of that address space (and I don't remember if any of the kernel in a read-only way).
Source: I tried to build a piece of hardware based on Tock OS, attracted by the promise of arbitrary, loadable userspace programs. This failed for several reasons, one of them being that LLVM cannot generate position-independent code on ARM. Because the microcontrollers Tock is aiming don't have a memory-mapping unit, the uploaded program must support being placed at an arbitrary address, or else it may conflict with something else that needs the same address.
Singularity OS v2
Singularity OS v2
usafe is entirely unsuitable against malicious actor (there are numerous soundness bugs in a compiler), but with non-malicious yet not entirely trusted actor… this may even actually work.Singularity OS v2
> Just look at JavaScript/WASM for an example of a resilient language-level sandboxing.
Singularity OS v2
Singularity OS v2
> Sure, modern browsers are an example.
Singularity OS v2
Singularity OS v2
> Well, yes. That's the whole idea behind WASM.
Singularity OS v2
Singularity OS v2
Singularity OS v2
WASM security proofs.
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
As an example, the US could require that versions of the Linux kernel in the USA (which includes Linus Torvalds' and Greg K-H's work) do not contain drivers for hardware produced by sanctioned entities, and that entities in the USA (Linus and Greg again) do not communicate with sanctioned entities.
US sanctioning Linux
US sanctioning Linux
It's about the same difficulty level, since their code will diverge from the upstream version in significant ways.
US sanctioning Linux
US sanctioning Linux
It's not going to be "just adding drivers" in the medium term; they're going to want to change the core scheduler to work well with their specific variations on small and big cores. They're going to want to change MM to account for their specific ways of sharing memory with accelerators. They'll have their own network offloads that they want to change the kernel to support.
US sanctioning Linux
US sanctioning Linux
US sanctioning Linux
kernel.org is itself a US-run service; given enough sanctions, why spend your engineering effort jumping through hoops to get round sanctions for a kernel you then can't ask for help with, when you can spend it on a kernel that has local expertise available?
US sanctioning Linux
US sanctioning Linux
US sanctioning Linux
US sanctioning Linux
Wol
US sanctioning Linux
US sanctioning Linux
Wol
> And if only Europe could get its act together AS EUROPE, and not a bunch of squabbling fiefdoms, America could easily find itself kow-towing to *our* economic might ...
US sanctioning Linux
Seriously, you all know that this is far off-topic for LWN. Why do we have to keep asking you to stop it? Can everybody pushing this subthread please put an end to it now?
Stop this here
> Seriously, you all know that this is far off-topic for LWN.
Stop this here
Stop this here
OS development getting more popular again?
OS development getting more popular again?
Wol
> Let's hope Keir and crew have the guts to stand up and say "if we're spending so much more on defence, we need to spend it at home ..."
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
OS development getting more popular again?
Wol
OS development getting more popular again?
OS development getting more popular again?
Counting system calls is not a good compatibility metric
Counting system calls is not a good compatibility metric
Counting system calls is not a good compatibility metric
Counting system calls is not a good compatibility metric
Counting system calls is not a good compatibility metric
Wol
Counting system calls is not a good compatibility metric
Licencing
Licencing
Licencing
Wol
Yep, VMware proved beyond doubts that the GPL is not enforceable so they just went clear and adopted a modern license that works for everyone. Good choice!
Licencing
What about project depencencies ?
https://github.com/asterinas/asterinas/blob/main/Cargo.lock
Looking over that list, probably yes. There's a chunk of crates in there that are part of the Asterinas project, it's just that they're building as isolated dependencies instead of a big ball of spaghetti. Then there's a lot of single-purpose crates, which the OS needs (e.g. a printk implementation, some cryptographic primitives, CPU feature flag parsing), and can either share with others, or reimplement itself (with the additional risk of bugs that other people would see).
What about project depencencies ?
What about project depencencies ?
SPIN
Committer count
Committer count
Committer count
One point about PhD students is that they tend to complete their PhD relatively quickly, and then move on; if we're lucky, they get paid to continue their PhD project, while if we're unlucky, they disappear into a part of industry that doesn't want them to ever contribute to open source again.
Committer count
Somewhat tongue-in-cheek, but …
Somewhat tongue-in-cheek, but …
but they do so using a technology (language-enforced separated environments, provided by Rust) that was not there when the original dispute occurred.
Tock OS