A from-scratch, security-focused 32-bit (i386) operating system kernel, written in C and x86 assembly. Boots via Multiboot2/GRUB, runs in QEMU, and demonstrates a full vertical slice of OS concepts — protected mode, PAE paging with NX/W^X, preemptive multitasking, ring-3 user processes, a TCP/IP stack on a real NIC driver, from-scratch cryptography, and ECDSA-signed-ELF secure boot enforced by default.
Successor to douglasmun/TinyOS — substantially expanded in scope, security, and reliability.
TinyOS Enhanced is a single-developer hobby and learning OS. It is single-core, 32-bit, console-only, and intended to run under QEMU. It is not hardened for, or intended for, production or internet-facing use.
- ✅ Safe for: OS/kernel learning, security-mechanism study, lab/VM experimentation, coursework.
- ❌ Not for: production deployment, untrusted networks, storing sensitive data.
The cryptography is implemented from scratch for educational purposes and has not had external cryptographic review.
- Boot → shell → login — Multiboot2 boot, first-boot root password setup, PBKDF2-HMAC-SHA256 (100k iterations) password hashing.
- Ring-3 user processes — from-scratch ELF32 loader,
int 0x80syscall interface;exec /hello.elfloads a signed binary, runs it in user mode, services its syscalls, and reaps it on exit. - Signed-ELF secure boot — every user binary is verified against a pinned ECDSA P-256 key; unsigned/tampered binaries are rejected (fail-closed) by default.
- Memory protection — PAE paging, NX / W^X enforcement, ASLR, kernel-stack guard pages.
- Networking — TCP/IP stack with DHCP, DNS, ICMP over a real Intel e1000 NIC driver, plus a firewall and intrusion-detection (IDS) layer.
- Filesystems — a VFS layer with FAT32 (
C:) and RAMFS (D:) drives;ls, file read/write, directories. - Security monitoring — a behavioral EDR subsystem (memory/network/crypto/FIM signals).
- From-scratch crypto — AES, SHA-256/512, HMAC, PBKDF2, ECDSA P-256, ECDHE, HKDF, ChaCha20 CSPRNG seeded from hardware RNG (RDRAND/RDSEED) + multi-source entropy.
~50K lines of kernel C across ~80 translation units, plus x86 assembly. Builds clean under -Werror with an aggressive warning set.
You can boot TinyOS Enhanced right in your browser — it runs on the v86 x86-to-WebAssembly emulator, so the whole PC is emulated in the tab and nothing leaves your machine:
Press Start, click the console, and set a root password; then try help, ls D:, and exec /hello.elf. Crypto (PBKDF2 100k, bit-serial ECDSA) is slow under the emulator's JIT, so first boot and the first exec take a little while — a speed cost, not a fault. Limitations: no hard disk (drive C: unavailable; D: RAMFS works) and no networking. Source for the page is in web/.
A prebuilt, bootable demo ISO is published on the Releases page so you can try TinyOS Enhanced without setting up a cross-toolchain. Just QEMU.
Verify the download (recommended). The ISO is signed with minisign. Grab tinyos.iso and tinyos.iso.minisig from the release, then:
minisign -Vm tinyos.iso -P RWSjOIBH4PaSwMQGL52OOQP7tyEu2p3Z83If58oyBxuatlkOnuBo2qOFThe release-signing public key is published here in the README (and in the release notes) so you can obtain it independently of the asset:
RWSjOIBH4PaSwMQGL52OOQP7tyEu2p3Z83If58oyBxuatlkOnuBo2qOF
A plain SHA-256 is also given in the release notes for a quick integrity check. Either way, this is an educational OS — only run it in a throwaway VM.
Recommended — with a virtual NIC (DHCP completes immediately):
qemu-system-i386 -cpu Broadwell,+rdrand,+rdseed -cdrom tinyos.iso -m 256M \
-netdev user,id=net0 -device e1000,netdev=net0The kernel runs DHCP at boot. With the e1000 NIC attached (above), it gets a lease right away via QEMU's user-mode network (an address in the 10.0.2.x NAT range) and drops to the shell promptly — this gives full outbound networking (try curl http://example.com). Getting an address on your real home-router subnet (192.168.0.x) needs bridged networking, which on macOS only works over wired Ethernet, not Wi-Fi — see the User Guide.
Minimal — no network:
qemu-system-i386 -cpu Broadwell,+rdrand,+rdseed -cdrom tinyos.iso -m 256MWithout a NIC, the boot pauses for ~30 seconds on
[NET] DHCP: Waiting for IP address...before timing out and continuing to the shell — that wait is expected, not a hang. Use the recommended command to skip it.
On first boot it asks you to set a root password, then drops to a shell. Try ls, ls C:, ls D:, and exec /hello.elf. For a walkthrough of boot, login, the shell commands, and networking, see the User Guide.
About the demo ISO — please read:
- It is an educational demo image, not a production system (see the status note above). Run it in a VM/QEMU only.
- It contains the kernel plus signed sample user binaries (
hello.elf,shell) and the public ECDSA verification key — no private keys. ELF signature enforcement is on by default.- It is provided for convenience; for anything beyond trying it out, build from source below so you can read exactly what you're running.
Toolchain: an i686-elf cross-compiler (i686-elf-gcc), nasm, xorriso, and qemu-system-i386.
# Build the kernel (warning-clean under -Werror)
make -j8 kernel.elf
# Build a bootable ISO
cp kernel.elf iso/boot/kernel.elf
i686-elf-grub-mkrescue -o dist/tinyos.iso iso # needs xorriso
# Run headless (serial -> log file)
qemu-system-i386 -cpu Broadwell,+rdrand,+rdseed \
-cdrom dist/tinyos.iso -boot d -m 256M \
-netdev user,id=net0 -device e1000,netdev=net0 \
-serial file:serial.log -display none
# Or use the smoke-test harness (GUI, captures serial + verdict)
./verify-exec.shOn first boot you set a root password, then log in. Try ls, ls C:, ls D:, and exec /hello.elf.
Signature enforcement: the build enforces ELF signatures by default (fail-closed). The bundled
hello/shellbinaries are signed with the pinned key, so a normal build boots and runs them. For fast local dev that accepts running unsigned binaries, build with-DELF_PERMISSIVE_SIGNATURES(warn-and-load) — an explicitly named opt-out, never the default.
src/ kernel C + assembly (memory, scheduler, syscalls, net, fs, crypto, EDR, shell)
userspace/ signed user programs (hello.elf, shell)
tools/ build helpers (ELF signing, embedded-array generation)
doc/ design notes, security audits, and the OS comparison/grade
iso/ GRUB boot config
Deeper documentation lives in doc/ — start with doc/USER_GUIDE.md (boot, login, shell, networking) and doc/FIREWALL_AND_IDS_CONFIG.md (configuring the firewall and IDS), then doc/OS_COMPARISON_AND_GRADE.md (where this kernel sits vs. xv6 / ToaruOS / SerenityOS and real-world tiny OSes) and doc/MULTI_AGENT_SECURITY_AUDIT_2026.md (the security audit history).
- Fail-closed signed-ELF secure boot with key pinning — uncommon even among larger hobby OSes.
- Survived an aggressive whole-kernel security review (memory safety, integer/locking/privilege-boundary, page-table correctness) with the findings fixed and adversarially re-audited.
- Clean
-Werrorbuild with header-dependency tracking; a reproducible runtime smoke-test harness (verify-exec.sh).
- Single-core, 32-bit, console-only; targets QEMU (256 MB).
- No long-soak / multi-day stability testing yet.
- A formerly-present SSH server was removed from the build (it never completed a reliable handshake); its sources are retained on disk but are not compiled or linked.
MIT License — see LICENSE. An educational/hobby project; provided
as-is with no warranty (see the status note above).