{"id":16836491,"url":"https://github.com/orangecms/muen","last_synced_at":"2026-01-03T22:50:23.296Z","repository":{"id":84739294,"uuid":"90462289","full_name":"orangecms/muen","owner":"orangecms","description":"An x86/64 Separation Kernel for High Assurance","archived":false,"fork":false,"pushed_at":"2017-05-15T14:11:29.000Z","size":11404,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-24T10:24:45.017Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ada","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orangecms.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-06T12:45:16.000Z","updated_at":"2017-05-06T12:47:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"ff7ed680-f90b-441e-830b-049e725c8e22","html_url":"https://github.com/orangecms/muen","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangecms%2Fmuen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangecms%2Fmuen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangecms%2Fmuen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangecms%2Fmuen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orangecms","download_url":"https://codeload.github.com/orangecms/muen/tar.gz/refs/heads/master","host":{"name":"
GitHub","url":"https://github.com","kind":"github","repositories_count":244147343,"owners_count":20405942,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T12:13:37.859Z","updated_at":"2026-01-03T22:50:23.246Z","avatar_url":"https://github.com/orangecms.png","language":"Ada","funding_links":[],"categories":[],"sub_categories":[],"readme":"The Muen Separation Kernel\n==========================\n\nThe Muen Separation Kernel is the world's first Open Source microkernel that\nhas been formally proven to contain no runtime errors at the source code level.\nIt is developed in Switzerland by the Institute for Networked Solutions (INS)\nat the University of Applied Sciences Rapperswil (HSR). Muen was designed\nspecifically to meet the challenging requirements of high-assurance systems on\nthe Intel x86/64 platform. To ensure Muen is suitable for highly critical\nsystems and advanced national security platforms, HSR closely cooperates with\nthe high-security specialist secunet Security Networks AG in Germany.\n\nimage:example.svg[Example Architecture, width=70%]\n\nA Separation Kernel (SK) is a specialized microkernel that provides an\nexecution environment for components that exclusively communicate according to\na given security policy and are otherwise strictly isolated from each other.\nThe covert channel problem, largely ignored by other platforms, is addressed\nexplicitly by these kernels. 
SKs are generally more static and smaller than\ndynamic microkernels, which minimizes the possibility of kernel failure,\nenables the application of formal verification techniques and the mitigation of\ncovert channels.\n\nMuen uses Intel's hardware-assisted virtualization technology VT-x as core\nmechanism to separate components. The kernel executes in VMX root mode, while\nuser components, so called 'subjects', run in VMX non-root mode. Hardware\npassthrough is realized using Intel's VT-d DMA and interrupt remapping\ntechnology. This enables the secure assignment of PCI devices to subjects.\n\nNOTE: Muen is under active development and verification of kernel properties is\n      ongoing.\n\n\nFeatures\n--------\n\nKernel\n~~~~~~\nThe following list outlines the most-prominent features of the Muen kernel:\n\n* Minimal SK for the Intel x86/64 architecture written in SPARK 2014\n* Full availability of source code and documentation\n* Proof of absence of runtime errors\n* Multicore support\n* Nested paging (EPT) and memory typing (PAT)\n* Fixed cyclic scheduling using Intel VMX preemption timer\n* Static assignment of resources according to system policy\n* PCI device passthrough using Intel VT-d (DMAR and IR)\n* Support for Message Signaled Interrupts (MSI)\n* Minimal Zero-Footprint Run-Time (RTS)\n* Event mechanism\n* Shared memory channels for inter-subject communication\n* Support for 64-bit native and 32/64-bit VM subjects\n  - Native 64-bit Ada subjects\n  - Native 64-bit SPARK 2014 subjects\n  - Linux 32/64-bit VMs\n  - Genode x86_64 base-hw system \u003c\u003cgenode\u003e\u003e\n  - Windows 32-bit VMs\n\nMuen supports the hardware-accelerated virtualization of Microsoft Windows\nthrough the use of a fully de-privileged variant of VirtualBox \u003c\u003cvbox\u003e\u003e running\ninside a strongly isolated VM subject on top of Genode's base-hw kernel. 
See\nthe release notes of the Genode OS Framework version 16.08 \u003c\u003cgenode_muen\u003e\u003e for\nmore information about this exciting feature.\n\nComponents\n~~~~~~~~~~\nThe Muen platform includes re-usable components which implement common services:\n\n* Subject Monitor (SM) written in SPARK 2014\n* Subject Loader (SL) written in SPARK 2014\n* Timeserver subject written in SPARK 2014\n* Debugserver subject written in Ada 2012\n* Virtual Terminal (VT) subject written in Ada 2012\n\nFurthermore the \u003c\u003cmuenfs\u003e\u003e and \u003c\u003cmuennet\u003e\u003e Linux kernel modules provide virtual\nfilesystem and network interface drivers based on inter-subject memory\nchannels.\n\nToolchain\n~~~~~~~~~\nThe Muen platform includes a versatile toolchain which facilitates the\nspecification and construction of component-based systems in different\napplication domains.\n\nThe \u003c\u003cmugenhwcfg\u003e\u003e tool for automated hardware description generation\nsimplifies the addition of support for new target machines. 
Scheduling plans\ncan be generated automatically from a scheduling configuration using the\n\u003c\u003cmugenschedcfg\u003e\u003e tool.\n\n\nResources\n---------\n\nDocumentation\n~~~~~~~~~~~~~\nThe following detailed project documentation is available:\n\n* Muen project report:\n  https://muen.codelabs.ch/muen-report.pdf\n\n* Muen project presentation:\n  https://muen.codelabs.ch/muen-slides.pdf\n\n* Muen toolchain document:\n  https://muen.codelabs.ch/muen-toolchain.pdf\n\n* Presentation given at High Integrity Software Conference HIS 2014:\n  http://www.slideshare.net/AdaCore/slides-his-2014secunethsr\n\nMailing list\n~~~~~~~~~~~~\nThe muen-dev@googlegroups.com mailing list is used for project announcements and\ndiscussions regarding the Muen Separation Kernel.\n\n* To subscribe to the list, send a (blank) mail to\n  mailto:muen-dev+\\subscribe@googlegroups.com[].\n  Note: A Google account is *not* required, any email address should work.\n* To post a message to the list write an email to muen-dev@googlegroups.com.\n* The list has a Google Groups web interface:\n  https://groups.google.com/group/muen-dev.\n\n\nDownload\n--------\nThe Muen sources are available through the following git repository:\n\n  $ git clone --recursive https://git.codelabs.ch/git/muen.git\n\nA browsable version of the repository is available here:\n\nhttps://git.codelabs.ch/?p=muen.git\n\nA ZIP archive of the current Muen sources can be downloaded here:\n\nhttps://git.codelabs.ch/?p=muen.git;a=snapshot;h=HEAD;sf=zip\n\nNOTE: The ZIP archive cannot be used to build the example system since it does\n      not contain all sub-projects.\n\n\nBuild\n-----\nThe Muen SK has been developed and successfully tested using the development\nenvironment listed in the following table.\n\n|===================================================================\n| Operating systems      | Debian GNU/Linux 8 (jessie), x86_64 +\n                           Ubuntu 16.04.1 (Xenial Xerus), x86_64\n| Ada compiler    
       | GNAT GPL 2016\n| GCC version            | 4.9.4 20160426 for GNAT GPL 2016\n| SPARK version          | GPL 2016\n| Emulator               | Bochs (\u003e= version 2.6.5)\n| Intel AMT SoL client   | amtterm (\u003e= commit 0ece513...)\n| Intel vPro AMT / WSMan | amtc (github.com/schnoddelbotz/amtc)\n|===================================================================\n\nThe following hardware is used for the development of Muen. There is a good\nchance similar hardware works out of the box if the microarchitecture is Ivy\nBridge or newer.\n\n|===================================================================\n| Intel NUC 5i5MYHE              | Broadwell  | i5-5300U\n| Cirrus7 Nimbus                 | Haswell    | i7-4765T\n| Lenovo ThinkPad T440s          | Haswell    | i7-4600U\n| Lenovo ThinkPad T430s          | Ivy Bridge | i7-3520M\n| Intel NUC DC53427HYE           | Ivy Bridge | i5-3427U\n| Kontron Technology KTQM77/mITX | Ivy Bridge | i7-3610QE\n|===================================================================\n\nThe first step to build Muen is to install the required packages:\n\n  $ sudo apt-get install acpica-tools binutils-dev git-core gnuplot \\\n      grub-pc-bin lcov libc6-dev libiberty-dev libxml2-utils make tidy wget \\\n      xorriso xsltproc zlib1g-dev\n\nThe Ada and SPARK packages currently available in Debian and Ubuntu are too old\nto build Muen. GNAT/SPARK GPL 2016 from AdaCore's \u003c\u003clibre\u003e\u003e site must be\ninstalled instead. 
Extend your `PATH` to make the GPL compiler and tools\nvisible to the Muen build system (assuming that they are installed below\n`/opt`):\n\n  $ export PATH=/opt/gnat/bin:/opt/spark/bin:$PATH\n\nTo build the Muen tools, RTS, kernel and example components change to the Muen\nsource directory and issue the following command:\n\n  $ make\n\nThis will create an image containing the example system which can be booted by\nany Multiboot \u003c\u003cmboot\u003e\u003e compliant bootloader.\n\nOn Ubuntu 16.04.1 you might encounter an error of the form:\n\n  /usr/lib/x86_64-linux-gnu/crti.o: unrecognized relocation (0x2a) in section .init\n\nIf this is the case, rename the linker binary `ld` of GNAT GPL 2016 in order to\nuse the one provided by Ubuntu.\n\n  $ cd /opt/gnat/libexec/gcc/x86_64-pc-linux-gnu/4.9.4\n  $ mv ld ld-archive\n\n\nDeploy\n------\nThe build system provides two ways to instantly deploy and test the created\nsystem image.\n\nEmulation\n~~~~~~~~~\nTo ease kernel development, the Muen project makes use of emulation by\nemploying the Bochs IA-32 emulator \u003c\u003cbochs\u003e\u003e. 
Among many other features, Bochs\nhas support for multiple processors, APIC emulation and VMX extensions.\n\nDownload Bochs from its project site and issue the following commands to build\nand install it with `/usr/local` prefix:\n\n  $ sudo apt-get install g++ libsdl1.2-dev\n  $ tar xfvz bochs-2.6.5.tar.gz\n  $ cd bochs-2.6.5\n  $ ./configure           \\\n      --prefix=/usr/local \\\n      --enable-vmx=2      \\\n      --enable-smp        \\\n      --enable-cdrom      \\\n      --enable-x86-64     \\\n      --enable-avx        \\\n      --with-sdl\n  $ make\n  $ sudo make install\n\nIssue the following command in the Muen project directory to start emulation:\n\n  $ make emulate\n\nThe Bochs emulator output is located at `emulate/bochsout.txt`, the Muen kernel\nserial console output is written to `emulate/serial.out`.\n\nNOTE: As Bochs is missing IOMMU and PCI MMCONF emulation, device passthrough is\n      not supported for this hardware target.\n\nHardware\n~~~~~~~~\nThe top-level Makefile provides two convenient targets to deploy Muen to real\nhardware: `iso` and `deploy`. The first creates a bootable ISO image which can\nbe burned on a CD-ROM or dumped on a USB stick, the second uses network boot to\nshorten round-trips during development.\n\nUSB Stick\n^^^^^^^^^\nTo create a bootable USB stick containing the Muen system, enter the following\ncommands in the top-level directory:\n\n  $ make HARDWARE=platform/lenovo-t440s.xml SYSTEM=xml/demo_system_vtd.xml iso\n\nThen follow the instructions on the screen.\n\nNetwork Boot\n^^^^^^^^^^^^\nFor fast deployment of the Muen system image to real hardware, the iPXE\n\u003c\u003cipxe\u003e\u003e boot firmware installed on a USB stick in conjunction with Intel Active\nManagement Technology (AMT) is used. 
Please refer to the amtterm \u003c\u003camt\u003e\u003e\ndocumentation on how to configure AMT on the target hardware.\n\nTo build and install iPXE with the Muen specific boot script issue the\nfollowing commands:\n\n  $ sudo apt-get install liblzma-dev\n  $ git clone git://git.ipxe.org/ipxe.git\n  $ wget https://muen.codelabs.ch/muen.ipxe\n  $ cd ipxe/src\n  $ make bin/ipxe.usb EMBED=../../muen.ipxe\n  $ sudo dd if=bin/ipxe.usb of=/dev/sdX\n\nThe `/dev/sdX` device is the USB stick (e.g. `/dev/sdc`, without partition\nnumber). *All existing data will be erased*.\n\nNOTE: The `git://` transport is neither authenticated nor encrypted, and iPXE\n      later fetches the system image over plain HTTP. Verify the checked-out\n      iPXE commit against the upstream repository before building a boot\n      medium from it, and keep the 192.168.254.0/24 link a direct, dedicated\n      connection between development machine and target.\n\nWhen booting from the created stick the first NIC (net0) is configured as follows:\n\n  IP Address : 192.168.254.2\n  Netmask    : 255.255.255.0\n  Gateway    : 192.168.254.1\n\nAfter initialization of the network adapter iPXE tries to download and boot the\nsystem image from the following URL:\n\n  http://192.168.254.1:8000/muen.img\n\nThe development machine must be connected to the target hardware via an\ninterface with IP address 192.168.254.1. 
To actually serve the created system\nimage to the bootloader, issue the following command in the top-level Muen\ndirectory:\n\n  $ export AMT_PASSWORD=\u003cyour AMT password\u003e\n  $ make deploy\n\nNOTE: The exported AMT password ends up in the shell history and in the\n      environment of every process started from that shell. Use a dedicated\n      shell for deployment and `unset AMT_PASSWORD` when done.\n\nTo view the output of the Muen kernel debug console use the command:\n\n  $ amtterm 192.168.254.2\n\nIf your hardware differs from the default configuration, additionally specify\nthe `HARDWARE` variable:\n\n  $ make deploy HARDWARE=platform/intel-nuc-dc53427hye.xml\n\nReferences\n----------\n- [[[mboot]]]         Multiboot Specification, https://www.gnu.org/software/grub/manual/multiboot/\n- [[[bochs]]]         Bochs IA-32 Emulator, http://bochs.sourceforge.net/\n- [[[ipxe]]]          iPXE boot firmware, https://ipxe.org/\n- [[[amt]]]           Intel AMT SoL client + tools, https://www.kraxel.org/cgit/amtterm/\n- [[[libre]]]         AdaCore Libre, https://libre.adacore.com/download/\n- [[[genode]]]        Genode OS Framework, https://genode.org/\n- [[[genode_muen]]]   Genode 16.08 release notes, https://genode.org/documentation/release-notes/16.08\n- [[[vbox]]]          VirtualBox, https://www.virtualbox.org\n- [[[muenfs]]]        Muenfs Linux kernel module, https://git.codelabs.ch/?p=muen/linux/muenfs.git\n- [[[muennet]]]       Muennet Linux kernel module, https://git.codelabs.ch/?p=muen/linux/muennet.git\n- [[[mugenhwcfg]]]    Muen hardware config generator, https://git.codelabs.ch/?p=muen/mugenhwcfg.git\n- [[[mugenschedcfg]]] Muen scheduling plan generator, https://git.codelabs.ch/?p=muen/mugenschedcfg.git\n\n\nLicense\n-------\n--------------------------------------------------------------------------------\nCopyright (C) 2013-2017  Reto Buerki \u003creet@codelabs.ch\u003e\nCopyright (C) 2013-2017  Adrian-Ken Rueegsegger \u003cken@codelabs.ch\u003e\n\nThis program is free software: you can redistribute it and/or modify it under\nthe terms of the GNU General Public License as published by the Free Software\nFoundation, either version 3 of the License, or (at your 
option) any later\nversion.\n--------------------------------------------------------------------------------\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forangecms%2Fmuen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forangecms%2Fmuen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forangecms%2Fmuen/lists"}
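The README's Build section names the hardware mechanisms Muen relies on (VT-x, EPT, PAT, VT-d, 64-bit mode) and its Network Boot section ends with a `dd` onto `/dev/sdX` that erases the stick. The following POSIX shell script is an added example written for this page, not Muen project code: it checks a target machine booted into Linux for the CPU and IOMMU features before you build a system policy for it, and it refuses the `dd` unless the device is a whole, removable, unmounted sd-style disk. The function names and the defaults `/proc/cpuinfo`, `/sys/firmware/acpi/tables` and `/sys/block` are this example's assumptions; the VMX preemption timer and VT-d interrupt remapping have no `/proc/cpuinfo` flag and are not checked.

```shell
#!/bin/sh
# Added preflight checks for a Muen target host and the iPXE USB stick.
# Example code written for this page, not part of the Muen project.
# All paths default to the live system but can be overridden, so the
# functions can be exercised against a constructed sysfs/procfs tree.

# /proc/cpuinfo flags the README's core mechanisms map onto:
# vmx = VT-x, ept = nested paging, pat = memory typing, lm = 64-bit mode.
# (The VMX preemption timer has no cpuinfo flag and is not checked.)
MUEN_REQUIRED_FLAGS="vmx ept pat lm"

# check_cpu_flags FLAGS_LINE
# Succeeds if every required flag appears in the space-separated list.
check_cpu_flags() {
    flags=" $1 "
    missing=""
    for f in $MUEN_REQUIRED_FLAGS; do
        case "$flags" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing CPU flags:$missing" >&2
    return 1
}

# check_dmar [ACPI_TABLES_DIR]
# Succeeds if the firmware exposes a DMAR table, i.e. VT-d is present.
# Without it the passthrough policy (demo_system_vtd.xml) cannot work.
check_dmar() {
    tables_dir="${1:-/sys/firmware/acpi/tables}"
    [ -s "$tables_dir/DMAR" ] && return 0
    echo "no ACPI DMAR table in $tables_dir: VT-d unavailable, use a policy without passthrough" >&2
    return 1
}

# muen_host_preflight [CPUINFO_FILE] [ACPI_TABLES_DIR]
# Returns 0 if the host passes both checks, 1 on missing flags, 2 on no DMAR.
muen_host_preflight() {
    cpuinfo="${1:-/proc/cpuinfo}"
    flags_line=$(grep '^flags' "$cpuinfo" | head -n 1 | cut -d: -f2)
    check_cpu_flags "$flags_line" || return 1
    check_dmar "${2:-/sys/firmware/acpi/tables}" || return 2
    return 0
}

# check_usb_target DEVICE [SYS_BLOCK_DIR] [MOUNTS_FILE]
# Guards the README's `dd if=bin/ipxe.usb of=/dev/sdX`: the target must be a
# whole sd-style disk (no partition number), flagged removable, and not mounted.
check_usb_target() {
    dev="$1"
    sysblock="${2:-/sys/block}"
    mounts="${3:-/proc/mounts}"
    name=${dev##*/}
    case "$name" in
        *[0-9]) echo "$dev names a partition; write the image to the whole disk" >&2; return 1 ;;
    esac
    if [ ! -d "$sysblock/$name" ]; then
        echo "$dev is not a whole block device" >&2
        return 1
    fi
    if [ "$(cat "$sysblock/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev is not flagged removable; refusing to overwrite a fixed disk" >&2
        return 1
    fi
    if grep -q "^$dev" "$mounts"; then
        echo "$dev or one of its partitions is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# write_ipxe_stick DEVICE
# Runs the README's dd step only after the target passes check_usb_target.
write_ipxe_stick() {
    check_usb_target "$1" || return 1
    sudo dd if=bin/ipxe.usb of="$1" bs=4M conv=fsync
}
```

Source the file (`. ./muen-preflight.sh`), run `muen_host_preflight` on the target hardware while it is booted into Linux, and call `write_ipxe_stick /dev/sdc` from `ipxe/src` instead of the bare `dd`. Under Bochs the DMAR check fails by design, matching the README's note that the emulator has no IOMMU.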