MesaLock Linux is a general-purpose Linux distribution that aims to provide a safe and secure user space environment. To eliminate high-severity vulnerabilities caused by memory corruption, all user space applications are rewritten in memory-safe programming languages like Rust and Go. This greatly reduces the attack surface that an operating system exposes in the wild, leaving the remaining attack surface auditable and restricted. Therefore, MesaLock Linux can substantially improve the security of the Linux ecosystem. Additionally, thanks to the Linux kernel, MesaLock Linux supports a broad range of hardware, making it deployable in many places. The two main usage scenarios for MesaLock Linux are containers and security-sensitive embedded devices. As the ecosystem grows, MesaLock Linux could also be adopted in server environments in the future.

To get better functionality along with strong security guarantees, MesaLock Linux follows these rules of thumb for designing a hybrid memory-safe architecture, proposed by the Rust SGX SDK project:

  1. Unsafe components should be appropriately isolated and modularized, and the size should be small (or minimized).
  2. Unsafe components should not weaken the safe components, especially public APIs and data structures.
  3. Unsafe components should be clearly identified and easily upgraded.
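
The three rules applied to a small Rust program, as an added example that is not code from MesaLock Linux or the Rust SGX SDK. The module names `raw` and `parser`, the function names, and the length-prefixed record format are hypothetical and constructed for illustration.

```rust
// Added illustration; module and function names are hypothetical.

/// Rules 1 and 3: the only unsafe code lives in this small, clearly named module.
mod raw {
    /// Rule 2: the public API is safe. Every precondition of the unsafe
    /// block is checked here, so no caller can trigger undefined behaviour.
    pub fn read_u32_le(buf: &[u8], offset: usize) -> Option<u32> {
        let end = offset.checked_add(4)?; // reject offset + 4 overflow
        if end > buf.len() {
            return None; // reject out-of-bounds reads
        }
        // SAFETY: offset..offset+4 is inside `buf` (checked above), and
        // read_unaligned places no alignment requirement on the pointer.
        let v = unsafe { buf.as_ptr().add(offset).cast::<u32>().read_unaligned() };
        Some(u32::from_le(v))
    }
}

/// The rest of the program is compiled with unsafe forbidden, so a
/// memory-safety audit only has to read `raw`.
#[forbid(unsafe_code)]
mod parser {
    use super::raw;

    /// Parse a constructed record format: u32 length prefix, then payload.
    pub fn payload(record: &[u8]) -> Option<&[u8]> {
        let len = raw::read_u32_le(record, 0)? as usize;
        record.get(4..4usize.checked_add(len)?)
    }
}

fn main() {
    let record = [3, 0, 0, 0, b'a', b'b', b'c']; // constructed sample
    assert_eq!(parser::payload(&record), Some(&b"abc"[..]));
    // A length prefix larger than the buffer is rejected, not read past the end.
    let lying = [0xff, 0xff, 0xff, 0xff, b'a'];
    assert_eq!(parser::payload(&lying), None);
    println!("ok");
}
```

Adding an `unsafe` block inside `parser` fails to compile, which keeps the unsafe surface confined to one module that can be audited or replaced on its own.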

The MesaLock Linux project is released under the BSD license, and its source code is on GitHub at https://github.com/mesalock-linux. There are three main parts of the MesaLock Linux project:

  • mesalock-distro: provides scripts to build the MesaLock Linux distribution, such as building packages, the Live ISO, and the rootfs. The Live ISO can be booted in a virtual machine or on real devices, while the rootfs is for Docker containers.
  • packages: this project includes the build scripts for all packages. We provide many essential packages written in Rust and Go, which are memory-safe programming languages. These packages include a shell, coreutils, findutils, an editor, etc.
  • minit, mgetty, and giproute2: provide some core components for bootstrapping MesaLock Linux.

We also provide documentation on building and using MesaLock Linux and on contributing new packages.

Because MesaLock Linux provides a root filesystem for Docker containers, you can quickly get started using this command:

$ docker run -p 8000:8000 --rm -it mesalocklinux/mesalock-linux

This will bring you to a shell, where you can start to experience MesaLock Linux. You can also try our demo programs, which include some micro web services written in Rocket (a web framework written in Rust). The demo programs are in the /root/mesalock-demo directory. Because port 8000 is forwarded, you can execute /root/mesalock-demo/rocket-hello-world/hello_world and visit the demo website on your host machine.

The MesaLock Linux project is released under the BSD license, which is a permissive free software license imposing minimal restrictions on use and redistribution. We would like to make a secure and open operating system for everyone who appreciates security. At the same time, MesaLock Linux cannot grow without you, whether you come from the community, industry, or academia. Therefore, you are very welcome to contribute to and support MesaLock Linux. There are many ways to support MesaLock Linux:

  • Try MesaLock Linux and report issues, enhancement suggestions, etc.
  • Contribute to MesaLock Linux: optimize the development process, improve documents, close issues, etc.
  • Contribute to the core packages of MesaLock Linux: improve minit, mgetty, giproute2, etc.
  • Write applications in memory-safe programming languages like Rust/Go and add them to the MesaLock Linux packages
  • Audit the source code of the MesaLock Linux projects and related packages

If you are interested in the MesaLock Linux project, please find us on the #mesalock-linux IRC channel on the freenode server at irc://chat.freenode.net and the bridged room on Matrix. If you're not familiar with IRC, we recommend chatting through Matrix via Riot (https://riot.im/app/#/room/#mesalock-linux:matrix.org) or via the Kiwi web IRC client (https://kiwiirc.com/client/irc.mozilla.org/#mesalock-linux).

Note: the MesaLock logo originates from a traditional Chinese artifact, the Kongming lock.

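MesaLock Linux: A Linux Distribution with a Memory-Safe User Space

MesaLock Linux is a general-purpose Linux distribution whose goal is to rewrite user space applications in memory-safe languages such as Rust and Go, so as to gradually eliminate high-severity memory-safety vulnerabilities in user space. This greatly reduces the attack surface of the whole system and makes the remaining attack surface auditable and containable. While retaining Linux's hardware compatibility, MesaLock Linux will substantially improve the security of the Linux ecosystem. The main target scenarios for MesaLock Linux are containers (for example, Docker images) and high-security embedded environments; as it matures, it can also extend to servers and other scenarios.

To provide complete functionality while ensuring robust security, MesaLock Linux follows the three principles of hybrid-code memory-safe architecture proposed by the Rust SGX SDK project:

  1. Isolate and modularize components written in non-memory-safe code, and minimize the amount of such code.
  2. Components written in non-memory-safe code should not weaken the security of the safe modules, especially public APIs and public data structures.
  3. Components written in non-memory-safe code must be clearly identifiable and easy to update.

MesaLock Linux is open source on GitHub at https://github.com/mesalock-linux. The MesaLock Linux project currently consists of three main parts:

  • mesalock-distro: provides the build programs for the MesaLock Linux distribution, which is released in two forms, a Live ISO and a rootfs. The Live ISO can be booted in a virtual machine or run directly on a device, while the rootfs is mainly for use by Docker containers.
  • packages: this contains the build scripts for the software packages that MesaLock Linux provides. We provide some commonly used software written in the memory-safe programming languages Go and Rust, including a shell, coreutils, findutils, a text editor, and so on.
  • minit, mgetty, giproute2: we also provide the core components of the MesaLock Linux boot process, written in Rust/Go.

In addition, we provide related documentation, covering building and using MesaLock Linux and writing new packages.

Because MesaLock Linux provides a runtime environment for Docker containers, if you want a quick and simple way to try MesaLock Linux, you only need to run: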

$ docker run -p 8000:8000 --rm -it mesalocklinux/mesalock-linux

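The command above drops you into the MesaLock Linux shell, where you can start using the other tools in MesaLock. You can also try the demo programs we provide, network microservices written with Rocket (a web framework written in Rust). The demos are stored in the /root/mesalock-demo directory. Because docker forwards port 8000 in the container to port 8000 on the host machine, running /root/mesalock-demo/rocket-hello-world/hello_world lets you access the demo from the host machine.

The MesaLock Linux project and its subprojects are released as open source under the BSD license. The BSD license gives users a great deal of freedom; we hope that more people will use MesaLock Linux and protect the security ecosystem of the whole Linux system. At the same time, the sustainable development of the security ecosystem depends on the joint participation of the open-source community, industry, and academia, and we very much welcome everyone's contributions and support. There are many ways to support MesaLock Linux, for example:

  • Try MesaLock Linux and give us feedback on your experience, suggestions for improvement, etc.
  • Contribute to the MesaLock Linux development process, improve the documentation, help answer common questions, etc.
  • Contribute to the core tool code maintained by MesaLock Linux, such as minit, mgetty, etc.
  • Try writing user space applications in memory-safe programming languages such as Go and Rust; we warmly welcome new applications into the MesaLock Linux family
  • Take part in auditing the code security of MesaLock Linux, its subprojects, and related packages

If you are interested in MesaLock Linux, you can join the community discussion. The main channel is the IRC discussion group: please visit the #mesalock-linux channel on the freenode server (irc://chat.freenode.net). If you are not very familiar with IRC, you can also use Riot (https://riot.im/app/#/room/#mesalock-linux:matrix.org); discussions on Riot and IRC are synchronized automatically.

Note: the MesaLock logo was inspired by the ancient Chinese Kongming lock.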