Emilia/website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
website/sleepeesoftware.fr/html/SterlingOsDesign.html
fatmeat 87bb15eecf my brain is leaking
2025-06-06 16:42:49 +02:00

159 lines
5.5 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="../assets/IosevkaSS15-Regular.ttf" rel="stylesheet">
<link rel="stylesheet" href="../css/sterling.css">
<link rel="stylesheet" href="../css/global.css">
<script src="../js/sterling.js"></script>
<title>Sterling OS Design Document</title>
</head>
<body>
<div style="width:100%">
<header>
<h1>Sterling OS Design Document</h1>
<input type="text" id="searchInput" placeholder="Search..." oninput="filterContent()">
<div class="controls">
<!--<button onclick="toggleTheme()">Toggle Theme</button>-->
<button onclick="window.print()">Export to PDF</button>
<button onclick="downloadOfflineVersion()">Download Offline</button>
</div>
</header>
<main id="doc-content">
<h1>Minimal Capability-Based Operating System</h1>
<h2>Design Principles</h2>
<ul>
<li>No global filesystem, no path resolution</li>
<li>No drivers in kernel, only sandboxed userspace driver processes</li>
<li>No GPU acceleration, all rendering is deterministic software-based</li>
<li>All resources accessed via capability tokens</li>
<li>Processes are strictly sandboxed</li>
<li>Programs operate on memory buffers, not raw file handles</li>
<li>Desktop environment is a sandboxed coordinator, not a privileged process</li>
</ul>
<h2>Authorization Token Model</h2>
<p>Programs delegate access via opaque, kernel-managed tokens.</p>
<pre><code>grant_token(target_pid, resource_id, flags) -&gt; token_id
accept_token(token_id) -&gt; resource_handle
revoke_token(token_id)</code></pre>
<h2>File Editing Flow</h2>
<ol>
<li>DE requests file via storage service</li>
<li>Storage service provides a memory buffer</li>
<li>Editor process receives buffer handle, edits</li>
<li>Changes submitted back to storage via DE</li>
</ol>
<h2>Driver Model</h2>
<ul>
<li>All drivers run as fully unprivileged user processes</li>
<li>No driver registration or kernel mediation required</li>
<li>Drivers communicate with hardware via explicit kernel-exposed capability channels</li>
<li>No dynamic linking or privileged probing allowed</li>
<li>Users can run or replace any driver without OS permission</li>
</ul>
<h2>Graphics System</h2>
<ul>
<li>No GPU support, no shaders</li>
<li>Software renderer processes draw via shared memory</li>
<li>DE composites framebuffers deterministically</li>
</ul>
<h2>Programming Language Requirements</h2>
<ul>
<li>Manual memory management</li>
<li>Low-level data layout control</li>
<li>Inline assembly support</li>
<li>Pattern matching and compile-time macros</li>
<li>No runtime, no global init, no dynamic linking</li>
</ul>
<h2>Execution Model</h2>
<ul>
<li>Programs are spawned with exact buffer and token permissions</li>
<li>No shared global state</li>
<li>All IO is mediated via explicit capability-based services</li>
<li>Everything is inspectable and reproducible</li>
</ul>
<h2>Sandboxing Model</h2>
<p>All processes are isolated via strict memory boundaries and capability-scoped access. No process can access global state, shared memory, or system calls without explicit capability grants.</p>
<h3>Memory Layout</h3>
<pre class="diagram">
+-----------------------+
| Code (RX) |
+-----------------------+
| Data (RW) |
+-----------------------+
| Shared Buffers (RWX?) | ← only if explicitly mapped by kernel
+-----------------------+
| Stack (RW) |
+-----------------------+
</pre>
<h3>Process Launch</h3>
<ul>
<li>Preallocated memory map (no heap growth)</li>
<li>Passed a syscall pointer table, token list, and init buffer</li>
<li>Cannot request global system resources directly</li>
</ul>
<h3>Capability Enforcement</h3>
<p>All access is mediated via capability tokens, handed off securely:</p>
<pre><code>
token_id = request_token(pid, SERVICE_IO, READ_WRITE);
handle = accept_token(token_id);
</code></pre>
<ul>
<li>Token scope, rights, and duration enforced by kernel</li>
<li>No access without explicit grant</li>
<li>All capability use is auditable and revocable</li>
</ul>
<h3>Filesystem Abstraction</h3>
<ul>
<li>No global file system</li>
<li>Programs receive only memory buffers with scoped access</li>
<li>Read/write must go through kernel-mapped tokens</li>
</ul>
<h3>Driver Isolation</h3>
<ul>
<li>Drivers are userland processes only</li>
<li>No direct port I/O or DMA access</li>
<li>Hardware is accessed via kernel-exposed capability channels</li>
</ul>
<h3>IPC</h3>
<ul>
<li>All inter-process communication is routed via the kernel</li>
<li>Uses named ports and token-authenticated message queues</li>
<li>No shared memory by default</li>
</ul>
<h3>Future Additions</h3>
<ul>
<li>Deterministic scheduler</li>
<li>Audit trail of all token activity</li>
<li>Formal capability typing system</li>
</ul>
<h2>Philosophy</h2>
<p>This OS is not a POSIX clone. It is a deterministic, capability-secure, user-controlled computing environment built to reject legacy complexity and embrace verifiable simplicity.</p>
</main>
<footer>
<p style="text-align: center;">Copyright @ 2025 <a href="mailto:dev@sleepeesoftware.fr">Sleepee Software</a><br>Verbatim copying and redistribution of this entire page are permitted provided this notice is preserved.<br>
Verbatim copying and redistribution of any of the photos in the photos subdirectory is permitted under the <a href="https://opensource.org/license/mit">MIT License</a></p>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink