A secure bridge from
human consciousness
to the electron.

CambiOS is a ground-up operating system — microkernel, memory-safe, cryptographic identity, zero-trust everything. No telemetry. No backdoors. Your machine is yours.

Your computer is not your own. Before your OS boots, before your kernel loads — a separate processor with its own OS, network stack, and private keys is already running. You didn't install it, and you can't turn it off.
447 tests passing
x86_64 boots in QEMU
AArch64 boots in QEMU
RISC-V in progress
Bare-metal tooling ready
Kernel
Microkernel in Rust (no_std). Five jobs: scheduling, memory, IPC, capabilities, interrupts. Everything else is user-space.
Security
Capability-based IPC. Zero-trust interceptor. Signed ELF loading. W^X enforcement. Every message carries unforgeable sender identity.
Identity
Ed25519 cryptographic identity. Hardware-backed via YubiKey. No passwords. No central authority. did:key DID method.
Storage
Content-addressed ObjectStore. Blake3 hashing. Ed25519 signatures on every object. Persistent on virtio-blk, survives reboot.
Networking
Virtio-net + Intel I219 drivers. UDP/IP stack. NTP demo. Identity-routed overlay network planned.
Platforms
x86_64 (SMP, 2 CPUs). AArch64 (SMP, GICv3). RISC-V (Sv48 paging, DTB parser, kernel heap running).

Architecture

+============================================================+ | Applications | | Native CambiOS apps | Legacy apps (Win32/POSIX compat) | +============================================================+ | System Services | | Shell | Compositor | Policy service | Update service | +============================================================+ | Compatibility | | Win32 API translation | POSIX layer | PE loader | +============================================================+ | OS Services | | VFS | Network stack | Audio | Graphics | Device drivers | +============================================================+ | Core Services | | AI Engine | Identity | Social protocol | Audit | Logging | +============================================================+ | Microkernel | | Scheduling | Memory | IPC | Capabilities | Interrupts | +============================================================+ | Hardware | | x86_64 | AArch64 | RISC-V | (future) | +============================================================+

Every box above the microkernel is an isolated user-space process. Every arrow between them is a capability-checked IPC message. A buggy filesystem service can't take down the kernel. A compromised network driver can't read another process's memory. Isolation is structural, not policy.

What makes this different

This is not a research prototype and it is not a design document. CambiOS boots, schedules, runs user-space services, signs and verifies binaries, and handles IPC — with a real security model enforced at every boundary. Built by one person, in a few months of coding.

The kernel is honest about what exists and what doesn't. STATUS.md is the single source of truth. Every numeric bound in the codebase is categorized and documented in ASSUMPTIONS.md. Architecture decisions are recorded in ADRs with full rationale and rejected alternatives.

Read the architecture document. Read the manuals — they walk real things through the system. Read the philosophy if you want to know why.

Commitments

No telemetry. No analytics. No phone-home behavior. Ever. Not now, not in future versions. This is a design constraint, not a policy.

No backdoors. No remote access mechanism that bypasses the capability model. No "emergency" channels. No "debug" overrides that work without the user's explicit action.

Your machine is yours. No DRM. No activation. No mandatory accounts. Secure boot protects the owner from unauthorized modifications, not the vendor from the owner.