Asterinas: a new Linux-compatible kernel project

Published: 2025-06-21

Asterinas is a new Linux-ABI-compatible kernel project written in Rust, based on what the authors call a "framekernel architecture". The project overlaps somewhat with the goals of the Rust for Linux project, but approaches the problem space from a different direction by trying to get the best from both monolithic and microkernel designs.

What's a framekernel?
The framekernel concept is explained in the September 2024 paper "Framekernel: A Safe and Efficient Kernel Architecture via Rust-based Intra-kernel Privilege Separation" by Yuke Peng et al. A fuller version of the paper was published in early June.

Traditionally, monolithic kernels lump everything into one kernel-mode address space, whereas microkernels only implement a minimal trusted computing base (TCB) in kernel space and rely on user-mode services for much of the operating system's functionality. This separation implies the use of interprocess communication (IPC) between the microkernel and those services. This IPC often has a performance impact, which is a big part of why microkernels have remained relatively unpopular.

The core of Asterinas's "framekernel" design is the encapsulation of all code that needs Rust's unsafe features inside a library, enabling the rest of the kernel (the services) to be developed using safe abstractions. Those services remain within the kernel's address space, but only have access to the resources that the core library gives to them. This design is meant to improve the safety of the system while retaining the simple and performant shared-memory architecture of monolithic kernels. The Asterinas book on the project's website provides a nice architectural mission statement and overview.
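
To make that split concrete, here is an added sketch (not code from Asterinas or from the original article) of a small "frame" module that confines `unsafe` behind a bounds-checked API, next to a service module that the compiler bars from using `unsafe`. The names `frame`, `Frame`, `service`, `store` and `load` are hypothetical, and a heap allocation stands in for a physical page.

```rust
// Added illustration; every name here is hypothetical, not an Asterinas API.
mod frame {
    // The only module that may use `unsafe` (the TCB); the raw pointer never leaves it.
    use std::alloc::{alloc_zeroed, dealloc, Layout};
    pub const FRAME_SIZE: usize = 4096;
    #[derive(Debug, PartialEq)] pub struct OutOfBounds;
    pub struct Frame(*mut u8);
    fn layout() -> Layout { Layout::from_size_align(FRAME_SIZE, FRAME_SIZE).unwrap() }
    // checked_add also rejects offsets that would wrap around usize.
    fn in_bounds(off: usize, len: usize) -> bool { off.checked_add(len).map_or(false, |end| end <= FRAME_SIZE) }
    impl Frame {
        pub fn new() -> Frame {
            // SAFETY: the layout has a non-zero size.
            let p = unsafe { alloc_zeroed(layout()) };
            assert!(!p.is_null(), "allocation failed");
            Frame(p)
        }
        pub fn write(&mut self, off: usize, src: &[u8]) -> Result<(), OutOfBounds> {
            if !in_bounds(off, src.len()) { return Err(OutOfBounds); }
            // SAFETY: the range was checked above; `src` cannot alias the private page.
            unsafe { std::ptr::copy_nonoverlapping(src.as_ptr(), self.0.add(off), src.len()) };
            Ok(())
        }
        pub fn read(&self, off: usize, dst: &mut [u8]) -> Result<(), OutOfBounds> {
            if !in_bounds(off, dst.len()) { return Err(OutOfBounds); }
            // SAFETY: same bounds argument as in `write`.
            unsafe { std::ptr::copy_nonoverlapping(self.0.add(off), dst.as_mut_ptr(), dst.len()) };
            Ok(())
        }
    }
    impl Drop for Frame {
        // SAFETY: `self.0` came from `alloc_zeroed` with this same layout.
        fn drop(&mut self) { unsafe { dealloc(self.0, layout()) } }
    }
}
#[forbid(unsafe_code)] // a "service": any `unsafe` block in here is a compile error
mod service {
    use super::frame::{Frame, OutOfBounds};
    pub fn store(f: &mut Frame, slot: usize, rec: &[u8; 16]) -> Result<(), OutOfBounds> {
        f.write(slot.checked_mul(16).ok_or(OutOfBounds)?, rec)
    }
    pub fn load(f: &Frame, slot: usize) -> Result<[u8; 16], OutOfBounds> {
        let mut rec = [0u8; 16];
        f.read(slot.checked_mul(16).ok_or(OutOfBounds)?, &mut rec).map(|_| rec)
    }
}
fn main() {
    let mut page = frame::Frame::new();
    service::store(&mut page, 3, b"constructed-data").unwrap(); // constructed sample record
    println!("{:?} {:?}", service::load(&page, 3), service::load(&page, 256));
}
```

A bad slot index from the service comes back as `Err(OutOfBounds)` instead of corrupting memory, and only the `frame` module needs auditing for memory safety.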

The aptness of the "framekernel" nomenclature can perhaps be debated. The frame part refers to the development framework wrapping the unsafe parts behind a memory-safe API. The concept of the TCB is, of course, not exclusive to microkernel architectures but, because there are strong incentives to strictly scrutinize and, in some contexts, even formally verify the TCB of a system, keeping the TCB as small as possible is a central aspect of microkernel designs.

An update on the project is available on the Asterinas blog in the Ju

