Emilia/SterlingOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
SterlingOS/docs/SterlingOsDesign.html
fatmeat 5418892fa5 working on sterling lang
2025-05-18 16:37:41 +02:00

164 lines
4.9 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Operating System Design Manifesto</title>
<style>
body {
font-family: monospace;
background-color: #fefefe;
color: #111;
max-width: 960px;
margin: auto;
padding: 2rem;
}
h1, h2, h3 {
border-bottom: 1px solid #ddd;
padding-bottom: 0.2em;
margin-top: 2em;
}
pre {
background: #eee;
padding: 1em;
overflow: auto;
}
code {
background: #eee;
padding: 0.1em 0.3em;
}
ul {
padding-left: 1.5em;
}
</style>
</head>
<body>
<h1>Minimal Capability-Based Operating System</h1>
<h2>Design Principles</h2>
<ul>
<li>No global filesystem, no path resolution</li>
<li>No drivers in kernel, only sandboxed userspace driver processes</li>
<li>No GPU acceleration, all rendering is deterministic software-based</li>
<li>All resources accessed via capability tokens</li>
<li>Processes are strictly sandboxed</li>
<li>Programs operate on memory buffers, not raw file handles</li>
<li>Desktop environment is a sandboxed coordinator, not a privileged process</li>
</ul>
<h2>Authorization Token Model</h2>
<p>Programs delegate access via opaque, kernel-managed tokens.</p>
<pre><code>grant_token(target_pid, resource_id, flags) -&gt; token_id
accept_token(token_id) -&gt; resource_handle
revoke_token(token_id)</code></pre>
<h2>File Editing Flow</h2>
<ol>
<li>DE requests file via storage service</li>
<li>Storage service provides a memory buffer</li>
<li>Editor process receives buffer handle, edits</li>
<li>Changes submitted back to storage via DE</li>
</ol>
<h2>Driver Model</h2>
<ul>
<li>All drivers run as fully unprivileged user processes</li>
<li>No driver registration or kernel mediation required</li>
<li>Drivers communicate with hardware via explicit kernel-exposed capability channels</li>
<li>No dynamic linking or privileged probing allowed</li>
<li>Users can run or replace any driver without OS permission</li>
</ul>
<h2>Graphics System</h2>
<ul>
<li>No GPU support, no shaders</li>
<li>Software renderer processes draw via shared memory</li>
<li>DE composites framebuffers deterministically</li>
</ul>
<h2>Programming Language Requirements</h2>
<ul>
<li>Manual memory management</li>
<li>Low-level data layout control</li>
<li>Inline assembly support</li>
<li>Pattern matching and compile-time macros</li>
<li>No runtime, no global init, no dynamic linking</li>
</ul>
<h2>Execution Model</h2>
<ul>
<li>Programs are spawned with exact buffer and token permissions</li>
<li>No shared global state</li>
<li>All IO is mediated via explicit capability-based services</li>
<li>Everything is inspectable and reproducible</li>
</ul>
<h2>Sandboxing Model</h2>
<p>All processes are isolated via strict memory boundaries and capability-scoped access. No process can access global state, shared memory, or system calls without explicit capability grants.</p>
<h3>Memory Layout</h3>
<pre class="diagram">
+-----------------------+
| Code (RX) |
+-----------------------+
| Data (RW) |
+-----------------------+
| Shared Buffers (RWX?) | ← only if explicitly mapped by kernel
+-----------------------+
| Stack (RW) |
+-----------------------+
</pre>
<h3>Process Launch</h3>
<ul>
<li>Preallocated memory map (no heap growth)</li>
<li>Passed a syscall pointer table, token list, and init buffer</li>
<li>Cannot request global system resources directly</li>
</ul>
<h3>Capability Enforcement</h3>
<p>All access is mediated via capability tokens, handed off securely:</p>
<pre><code>
token_id = request_token(pid, SERVICE_IO, READ_WRITE);
handle = accept_token(token_id);
</code></pre>
<ul>
<li>Token scope, rights, and duration enforced by kernel</li>
<li>No access without explicit grant</li>
<li>All capability use is auditable and revocable</li>
</ul>
<h3>Filesystem Abstraction</h3>
<ul>
<li>No global file system</li>
<li>Programs receive only memory buffers with scoped access</li>
<li>Read/write must go through kernel-mapped tokens</li>
</ul>
<h3>Driver Isolation</h3>
<ul>
<li>Drivers are userland processes only</li>
<li>No direct port I/O or DMA access</li>
<li>Hardware is accessed via kernel-exposed capability channels</li>
</ul>
<h3>IPC</h3>
<ul>
<li>All inter-process communication is routed via the kernel</li>
<li>Uses named ports and token-authenticated message queues</li>
<li>No shared memory by default</li>
</ul>
<h3>Future Additions</h3>
<ul>
<li>Deterministic scheduler</li>
<li>Audit trail of all token activity</li>
<li>Formal capability typing system</li>
</ul>
<h2>Philosophy</h2>
<p>This OS is not a POSIX clone. It is a deterministic, capability-secure, user-controlled computing environment built to reject legacy complexity and embrace verifiable simplicity.</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink