Kernel — Rumpk
v0.9 Complete
Rumpk is the Nexus sovereign unikernel. At 280KB, it is one of the smallest production kernels ever built. It runs in a single address space, uses event-driven cooperative scheduling, and enforces capability-based security at every level.
Design Philosophy
The QNX Axiom: A crashed driver must never crash the system. Rumpk achieves this through isolated fibers, ION Ring IPC, and automatic restart. A driver (NPL) that faults is killed and restarted within 2ms. The kernel never panics.
The Silence Doctrine: The kernel does not log by default. It does not print. It does not notify unless explicitly asked. Silence is the default state of a healthy system.
Key Numbers
| Metric | Value |
|---|---|
| Kernel size | 280KB (v0.9 unikernel) |
| Core target | <2KB (12 syscalls + 1 meta-slot) |
| SysTable size | 240 bytes |
| Address space | Single (no userland/kernel split in unikernel mode) |
| SMP model | DragonflyBSD LWKT message-passing |
| Supported architectures | RISC-V 64, ARM64, x86_64 |
Core Components
- Architecture — The four-layer model (Rumkv → Rumpk → ABI → NPL)
- Harmonic Scheduler — Four time spectrums for deterministic scheduling
- ION Rings — Lock-free IPC ring buffers
- Sovereign Init — Two-stage boot with KDL service definitions
- Hypervisor (Rumkv) — Type-1 hypervisor for hardware isolation
Languages
The kernel is dual-language by design:
- Nim handles kernel logic, metaprogramming, the scheduler, and all high-level control flow. Uses ARC for deterministic memory management.
- Zig handles the hardware abstraction layer, VirtIO drivers, interrupt vectors, MMU setup, and all bare-metal interfaces.
The boundary is strict: Zig talks to hardware. Nim talks to everything else. They meet at the SysTable — a fixed ABI at a known physical address.
Driver Model — NPLs
Drivers run as NPL (Nip Library) fibers — isolated execution contexts with their own capability spaces. An NPL communicates with the kernel through ION Rings and 9P-style message passing.
If an NPL crashes:
- The kernel detects the fault
- The fiber is killed
- A new instance is spawned from the signed binary
- State is recovered from the ProvChain checkpoint
- The system continues — no reboot, no panic
This is the Blink Recovery model. The system blinks; it never dies.
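A small Python model of the recovery sequence listed above, added here as an illustration and not Rumpk's own code (the kernel itself is Nim and Zig). Assumptions: a pinned SHA-256 digest stands in for the signature check, the ProvChain checkpoint is modelled as a hash-linked list, and `Supervisor`, `append_checkpoint` and `last_valid_state` are hypothetical names. It shows the two checks that keep a crash-restart loop from loading a modified image or a tampered checkpoint.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first checkpoint link
IMAGE = b"constructed-npl-driver-image"  # constructed sample, not a real NPL

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_checkpoint(chain: list, state: dict) -> None:
    """Append a checkpoint whose hash covers the state and the previous link."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(state, sort_keys=True)
    chain.append({"prev": prev, "state": body, "hash": digest((prev + body).encode())})

def last_valid_state(chain: list) -> dict:
    """Return the newest state reachable through an unbroken hash chain."""
    prev, state = GENESIS, {}
    for cp in chain:
        if cp["prev"] != prev or cp["hash"] != digest((prev + cp["state"]).encode()):
            break  # tampered or torn checkpoint: fall back to the last good one
        prev, state = cp["hash"], json.loads(cp["state"])
    return state

class Supervisor:
    """Hypothetical stand-in for the kernel side of the recovery sequence."""
    def __init__(self, image: bytes, trusted_digest: str):
        self.image, self.trusted = image, trusted_digest
        self.chain, self.restarts, self.fiber = [], 0, None

    def spawn(self) -> bool:
        # Assumed policy: fail closed if the image does not match the pinned digest.
        if digest(self.image) != self.trusted:
            self.fiber = None
            return False
        self.fiber = {"state": last_valid_state(self.chain), "alive": True}
        return True

    def on_fault(self) -> bool:
        """Fault detected: kill the fiber, respawn from the image, restore state."""
        if self.fiber:
            self.fiber["alive"] = False
        self.restarts += 1
        return self.spawn()
```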