MesaLock Linux: a memory-safe Linux distribution.
MesaLock Linux is a general purpose Linux distribution which aims to provide a safe and secure user space environment. To eliminate high-severe vulnerabilities caused by memory corruption, the whole user space applications are rewritten in memory-safe programming languages like Rust and Go. This extremely reduces attack surfaces of an operating system exposed in the wild, leaving the remaining attack surfaces auditable and restricted. Therefore, MesaLock Linux can substantially improve the security of the Linux ecosystem. Additionally, thanks to the Linux kernel, MesaLock Linux supports a broad hardware environment, making it deployable in many places. Two main usage scenarios of MesaLock Linux are for containers and security-sensitive embedded devices. With the growth of the ecosystem, MesaLock Linux would also be adopted in the server environment in the future.
To get better functionality along with strong security guarantees, MesaLock Linux follows the following rules-of-thumb for hybrid memory-safe architecture design proposed by the Rust SGX SDK project.
You can quickly experience MesaLock Linux in the container environment using Docker.
$ docker run -it mesalocklinux/mesalock-linux
Currently, MesaLock Linux is provided in two versions: live ISO and rootfs. The live ISO image can be used to create a bootable live USB, or boot in a virtual machine. The rootfs (i.e., root file system) can be used as a minimal root image for a container.
Clone mesalock-distro
and packages
repositories.
$ mkdir mesalock-linux && cd mesalock-linux
$ git clone https://github.com/mesalock-linux/mesalock-distro.git
$ git clone https://github.com/mesalock-linux/packages.git
$ cd mesalock-distro
We provide a Dockerfile
for building MesaLock Linux with all dependencies
installed. You can build the docker image first and then in the
container build environment you can build packages, live ISO, and rootfs.
$ docker build --rm -t mesalocklinux/build-mesalock-linux -f Dockerfile.build .
$ docker run -v $(dirname $(pwd)):/mesalock-linux -w /mesalock-linux/mesalock-distro \
-it mesalocklinux/build-mesalock-linux /bin/bash
The image of build environment is also provided from Docker
Hub. You can
pull and run the container with the repo name mesalocklinux/build-mesalock-linux
.
You can also build on Ubuntu machine. Please install these build dependencies first:
# install packages
$ apt-get update && \
apt-get install -q -y --no-install-recommends \
curl \
git \
build-essential \
cmake \
wget \
bc \
gawk \
parallel \
pigz \
cpio \
xorriso \
fakeroot \
syslinux-utils \
uuid-dev \
libmpc-dev \
libisl-dev \
libz-dev \
python-pip \
python-setuptools \
software-properties-common
# install build dependencies for pypy
$ apt-get install -q -y --no-install-recommends \
pypy \
gcc \
make \
libffi-dev \
pkg-config \
zlib1g-dev \
libbz2-dev \
libsqlite3-dev \
libncurses5-dev \
libexpat1-dev \
libssl-dev \
libgdbm-dev \
tk-dev \
libgc-dev \
python-cffi \
liblzma-dev \
libncursesw5-dev
# install wheel and sphinx
$ pip install wheel
$ pip install sphinx
# install Go
$ add-apt-repository -y ppa:gophers/archive && \
apt-get update && \
apt-get install -q -y --no-install-recommends \
golang-1.9-go
# install Rust
$ curl https://sh.rustup.rs -sSf | sh -s -- -y
$ rustup install nightly-2018-05-30 # we need this because some packages still depend on nightly
$ rustup default 1.27.2
# setup PATH
$ export PATH="$HOME/.cargo/bin:/usr/lib/go-1.9/bin:$PATH"
After installing build dependencies, you can run following commands to build packages, live ISO, and rootfs.
./mkpkg
./mesalockiso
./mesalockrootfs
./mkpkg <package_name>
The live ISO (mesalock-linux.iso
) and rootfs (rootfs.tar.xz
) can be found
in the build
directory.
MesaLock Linux can be run in real devices (e.g., boot from a Live USB), virtual machines, and docker containers.
You can try MesaLock Linux with Live ISO or in a docker container. Here are steps to try MesaLock Linux in VirtualBox.
mesalock-linux.iso
as "Optical Drive".We provide a simple Dockerfile
for MesaLock Linux. Here are steps to try
MesaLock Linux in a docker container.
./mkpkg && ./mesalockrootfs
docker build --rm -t mesalocklinux/mesalock-linux .
docker run --rm -it mesalocklinux/mesalock-linux
The latest rootfs image with all packages is pushed to Docker
Hub. You can also
directly run the image with the repo name mesalocklinux/mesalock-linux
.
The mesalock-demo
package provides several examples and will be installed
under the /root/mesalock-demo
directory. For instance, we made several web
server demos written in Rocket,
which is a web framework written in Rust. To try these demos in the VM, please
follow these instructions.
127.0.0.1:8080
) with
guest IP (10.0.2.15:8000
).ip
command:```
$ ip link set lo up
$ ip link set eth0 up
```
```
$ ip address add 10.0.2.15/24 dev eth0
```
```
$ cd /root/mesalock-demo/rocket-hello-world && ./hello_world
# or
$ cd /root/mesalock-demo/rocket-tls && ./tls
```
http://127.0.0.1:8080
in the browser.You can also try our demos in the docker image directly.
docker run -it -p 8000:8000 mesalocklinux/mesalock-linux
/root/mesalock-demo/
directory.Rusty-machine is a general
purpose machine learning library implemented entirely in Rust. We put several
demo examples of machine learning tasks in the mesalock-demo
package. You can
find them in the /root/mesalock-demo/rusty-machine/
directory.
MesaLock Linux provides many packages with memory safety in mind. All user space applications are written in Rust and Go. Thanks to the open source community, they have created many useful and high-quality tools. The number of packages will increase as the time goes on.
brotli
: compression tool written in Rust (dropbox/rust-brotli)busybox
: busybox tool set for testing only (busybox)exa
: replacement for ls written in Rust (ogham/exa)fd-find
: simple, fast and user-friendly alternative to find (sharkdp/fd)filesystem
: base filesystem layout (maintained by MesaLock Linux)gcc-libs
: GCC library, only libgcc_s.so
is used (gcc)giproute2
: ip tool written in Go (maintained by MesaLock Linux)glibc
: the GNU C library (glibc)init
: init script (maintained by MesaLock Linux)ion-shell
: shell written in Rust (redox-os/ion)linux
: Linux kernel (linux)mesalock-demo
: some demo projects (maintained by MesaLock Linux)mgetty
: getty written in Rust (maintained by MesaLock Linux)micro
: modern and intuitive terminal-based text editor written in Go (zyedidia/micro)minit
: init written in Rust (maintained by MesaLock Linux)ripgrep
: ripgrep combines the usability of The Silver Searcher with the raw
speed of grep, written in Rust (BurntSushi/ripgrep)syslinux
: bootloader (syslinux)tokei
: count your code, quickly, in Rust (Aaronepower/tokei)tzdata
: timezone data (tzdata)uutils-coreutils
: cross-platform Rust rewrite of the GNU coreutils (uutils/coreutils)uutils-findutils
: rust implementation of findutils (uutils/findutils)xi-core
: a modern editor with a backend written in Rust (google/xi-editor)xi-term
: a terminal frontend for Xi (xi-frontend/xi-term)MesaLock Linux is a very young and at an early stage. Some important components are still missing or work-in-progress. Building safe and secure Linux distro relies on the whole community, and you are very welcome to contribute to the MesaLock Linux project.
You can get involved in various forms:
minit
, mgetty
,
giproute2
, etcYou are welcome to send pull requests and report issues on GitHub. Note that the MesaLock Linux project follows the Git flow development model.
If you are interested in the MesaLock Linux project, please find us on the
#mesalock-linux
or #mesalock-linux-cn
(in Chinese) IRC channels at the freenode
server
and the bridged room on Matrix. If you're not familiar with IRC, we recommend
chatting through Matrix via
Riot or via the Kiwi
web IRC client.
List of our IRC channels:
<[email protected]>
@mssun
MesaLock Linux is provided under the BSD license.