A modern, minimal, secure x86_64 operating system written entirely in Rust — designed specifically for virtual machines. Fast boot, reproducible images, Linux-compatible syscall ABI, and a full Unix utility layer, all built from scratch with no C in the kernel.
- Live status & metrics:
docs/STATUS.md— test counts, CI gates, success-criteria dashboard (updated on every feature merge) - Capability inventory:
docs/CAPABILITIES.md— kernel subsystems, syscalls, /proc files, userland binaries - Per-feature history:
CHANGELOG.md— what shipped, when, with what trade-offs - Design rationale:
Learnings.MD— what was hard, root causes, non-obvious decisions - Roadmap:
ROADMAP.md— tiered follow-up work - Validation:
VALIDATION.md— proof against the 11 success criteria - Wiki: github.com/mohnkhan/MyOS2026/wiki — architecture overviews, getting-started guides, HOWTOs, compatibility matrices
- Boots in under 2 seconds to an
nsh$prompt on BIOS-headless QEMU, with SSH ready in under 5 seconds. - Reproducible images (identical SHA-256 across runs) and verified boot (BLAKE2b → ed25519 attestation chain) by default.
- Written entirely in Rust with ~170 LOC of hand-written assembly. KASAN + FASAN catch memory-safety bugs at the corruption site, not the crash site.
- Linux-compatible syscall ABI on x86_64 — statically-linked musl and glibc ELF binaries run unmodified; 400+ syscalls implemented and differential-tested against Linux.
- OS learning platform — every subsystem fits in your head, written in safe Rust with no hidden C glue.
- Secure ephemeral VMs — sandbox + verified boot + fast teardown via snapshot/rollback.
- CI/CD throwaway environments — sub-2-second boot, 18 MB image, SSH ready in under 1 second.
- Kernel and systems-programming research — modify the kernel, rebuild, boot in under 2 minutes.
# Prerequisites
apt install qemu-system-x86 ovmf sgdisk mtools e2fsprogs qemu-utils nasm python3
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup toolchain install nightly
rustup component add rust-src --toolchain nightly
rustup target add x86_64-unknown-linux-musl
# Build and boot
RELEASE=1 bash build/scripts/assemble-image.sh myos.qcow2
make qemuSave your SSD:
make tmpfs-setupredirectstarget/anddist/(the only large gitignored output trees) into/tmp/MyOS/<hash>/so the write-heavy build cycle hits RAM. Reversible, idempotent, opt-in, no-op on CI. Seedocs/dev-tmpfs.md.
Boot in a graphical window with the kernel framebuffer terminal, and SSH in on port 2222 simultaneously:
make qemu-sdl
ssh -p 2222 -i tests/keys/test_id_ed25519 \
-o StrictHostKeyChecking=no root@127.0.0.1For headless and VirtualBox boot recipes, see docs/CAPABILITIES.md and specs/001-vm-optimized-os/quickstart.md.
nsh$ prompt with mybox applets, pipe chains, and standard utilities — captured via make screenshot.
Real nsh session over SSH — uname, /proc/meminfo, /proc/cpuinfo, ps, a base64 pipe, and the colored prompt. Generated via make demo-gif.
A complete, self-contained OS stack — kernel, drivers, networking, filesystem, security, and a full Unix userland:
+-------------------------------------------------------+
| User Space init | nsh | mybox (432 applets) | mymc |
| cloud-init | dropbear | sandbox |
+-------------------------------------------------------+
| Security Per-process syscall allowlist |
| Real UID/GID + supplementary groups |
| Credential audit ring |
| Verified boot (BLAKE2b → ed25519) |
+-------------------------------------------------------+
| System VFS | Syscall dispatch | Pipes | IPC |
| MLFQ scheduler | Linux ELF compat |
| epoll(7) | poll(2) | WaitQueue<N> |
+-------------------------------------------------------+
| Kernel MM (demand paging + CoW fork) |
| APIC/HPET | smoltcp | DHCP | ext2 |
| procfs (100+ nodes: /net /sys per-PID) |
| KASAN + FASAN + DWARF panic backtraces |
+-------------------------------------------------------+
| Drivers virtio-{blk,net,console,rng,scsi} |
| LSI Logic MPT SCSI | Intel E1000 |
+-------------------------------------------------------+
| Hardware QEMU q35 (primary) | VirtualBox |
+-------------------------------------------------------+
For the full enumeration of subsystems, syscalls, and userland binaries, see docs/CAPABILITIES.md.
A multi-call binary providing 432 Unix applets via symlinks in /bin. Dispatch is purely by argv[0] basename — no runtime overhead per applet. Covers file ops, text processing, filesystem inspection, process control, system info, archives, shell utilities, networking (DNS, HTTP, nc, ping), and strace.
nsh$ /bin/grep -i root /etc/passwd
root:x:0:0:root:/root:/bin/sh
nsh$ /bin/ls -la /bin/ls
lrwxrwxrwx 10 ls -> /bin/mybox
nsh$ mybox --list | wc -l
432Statically-linked musl ELF binaries compiled on Linux run directly on MyOS2026 without modification:
# On a Linux host:
musl-gcc -static -o hello hello.c
# Copy to MyOS2026 and run:
nsh$ /bin/hello
Hello, World!Full System V AMD64 ABI initial stack with correct AT_PHDR (vaddr-not-file-offset) and AT_SECURE on suid exec. All musl startup syscalls supported. Invalid accesses deliver SIGSEGV; stack overflows are caught at the guard. Dynamically-linked glibc binaries are also supported via the bundled ld-linux-x86-64.so.2. See docs/CAPABILITIES.md.
nsh$ sandbox --allow=read,write,exit /usr/bin/exploit-test
BLOCKED (errno=1) ← mount(2) blocked by kernel allowlistThe kernel enforces a deny-by-default syscall filter per process, installed via SYS_SANDBOX_ENTER. Filters survive execve and are independent across processes.
Every RELEASE build embeds a BLAKE2b hash chain:
UEFI → Limine (config hash enrolled) → kernel.elf (BLAKE2b verified)
→ kernel_main ([vboot] ACTIVE pubkey: be5f7844108bcdd1)
Any binary tampering before a single kernel instruction executes causes an immediate boot abort.
Two independent builds from identical source produce byte-identical QCOW2. Achieved via SOURCE_DATE_EPOCH, pinned GPT/FAT UUIDs, and build/scripts/fix-ext2-timestamps.py.
| Principle | Choice |
|---|---|
| Kernel type | Minimal monolithic (Rust, no_std) |
| Bootloader | Limine v8.x (BIOS + UEFI, single config) |
| I/O model | virtio-only (blk / net / console / rng / scsi) |
| Network | smoltcp 0.11 (pure Rust, no_std) |
| Filesystem | ext2 (custom pure-Rust read/write driver) |
| SSH | Dropbear (userspace, cross-compiled for musl) |
| Userland | Rust + statically linked musl |
| Assembly | ~170 LOC total (entry stub, ISR trampoline, context-switch) |
kernel/ Rust kernel (no_std)
userland/ Userspace crates (musl-static): init, nsh, mybox, mymc, ...
bootloader/ Limine config + vendored binaries
build/ Makefile, image assembly scripts, CI helpers
tests/ Boot, SSH, shell, sandbox, syscall, scheduler integration tests
specs/ Per-feature specs (NNN-name/{spec,plan,tasks,quickstart}.md)
docs/ STATUS.md, CAPABILITIES.md, dev-tmpfs.md, syscall-diff.md
For the full layout, see docs/CAPABILITIES.md.
- Per-feature spec-kit workflow — every feature has
specs/NNN-name/{spec,plan,research,tasks}.mdand a quickstart. Implementation follows tests-before-code per the project constitution. - CI gate on every PR — clippy (
-D warnings), unit tests in parallel + sequential modes, boot integration undersmp ∈ {1, 2}, SSH login, sandbox, KASAN, ABI-drift, and docs-gate (per the constituent jobs listed indocs/STATUS.md). - Run the pipeline locally before pushing:
make ci-local # ~15 min; same step order and timeouts as remote CI - In-kernel diagnostics: dmesg ring (
/proc/dmesg), per-PID syscall trace (/proc/<pid>/trace), symbolized panic backtraces with DWARF line numbers,kassert!with PCB context, KASAN + FASAN memory-safety sanitizers.
All changes go through a feature branch and pull request — direct commits to master are prohibited.
- Fork the repository.
- Create a feature branch:
git checkout -b NNN-short-description origin/master. - Read the constitution at
.specify/memory/constitution.mdand the existing specs inspecs/. - Use the spec-kit workflow:
/speckit-specify,/speckit-plan,/speckit-tasks,/speckit-implement. - Run
make ci-localbefore pushing. - Open a PR targeting
master. Every feature PR must updateLearnings.MD,CHANGELOG.md, anddocs/STATUS.md(enforced by thedocs-gateCI step; bypass with[no-docs]in any commit message for docs-only or infra-only PRs).
For project conventions, MANDATORY workflows, and operational guides (in-kernel dmesg + GDB, KASAN, syscall-diff harness, tmpfs build redirection), see CLAUDE.md.
Good first issues:
- POSIX
lstat()that does not follow the final symlink component - Dynamic ELF loader (PT_INTERP support) — enables glibc-linked binaries
- GPG signing pipeline for release artifacts
See the issue tracker for follow-up work tagged good-first-issue and follow-up.
MyOS2026 is the third generation in a personal operating-systems family built by Mohiuddin Khan Inamdar, carrying forward lessons learned across two earlier generations:
- MyRTOS family — bare-metal real-time operating systems in C; established the interrupt model, timer substrate, scheduling fundamentals, and boot-sequencing patterns that this kernel refines in Rust.
- MyOS-Mini family — minimal x86 OS experiments that validated the VFS layer, process model, and memory-management architecture later rewritten here with Rust's ownership model.
Inspirations from the broader OS world:
- BSD (FreeBSD, OpenBSD, NetBSD) — process and credential model, VFS layer design, the philosophy of small auditable subsystems with clear contracts, and the importance of a rigorous manual-page ABI.
- Linux — the x86_64 syscall ABI that MyOS2026 targets for compatibility, ELF loading conventions,
/procfilesystem layout, virtio device model, and theno_stddiscipline shown by the kernel's C99 environment. - Academic kernels (xv6, Minix, L4) — clarity-over-features design discipline; every subsystem in MyOS2026 should be explainable from first principles in a single sitting.
- Rust OS community (Redox, blog_os, Tock) — prior art on applying Rust's ownership model to kernel concurrency,
no_stdecosystem crate choices, and inline-assembly idioms.
Mozilla Public License 2.0