Secure by design.


01 — Why μKernel

Security isn't a feature. It's the architecture.

Problem: Certifying Linux is prohibitively expensive. 30 million lines of C means years of analysis and seven-figure evidence packages. Most programs run Linux in a VM on top of a certified RTOS, paying for both.
μKernel: ~5,000 lines of Rust. 617 auditable unsafe blocks. DO-178C DAL C certification evidence in progress. DAL A achievable — MC/DC on 5K lines is a bounded effort, not a multi-year program.

Problem: You're paying Wind River for VxWorks, Helix, and certification evidence separately. Per-seat development licenses. Per-unit runtime royalties. Every deployed system increases your COGS.
μKernel: One product includes the RTOS, hypervisor, and container runtime. License each component independently: pay for what you deploy, not what you don't.

Problem: The datacenter hypervisor market is in flux. Licensing changes have organizations re-evaluating their virtualization stack. Anyone entering that space needs VM hosting, containers, and hardware-enforced partitioning in a single product.
μKernel: Built-in Type-1 hypervisor with Hyper-V enlightenments and virtio. Native POSIX container runtime without a guest OS underneath. Hardware-enforced domain isolation via NPT.

Problem: Your embedded team writes Rust. There's no production-ready certified Rust RTOS. You're writing Rust applications on top of a C kernel and hoping the FFI boundary doesn't introduce the bugs Rust was supposed to prevent.
μKernel: Rust from the kernel up. The compiler eliminates memory safety bugs in the kernel, not just in your application. Every unsafe block is audited, justified, and tracked by CI.

Problem: Your RTOS vendor's source code is a black box. You can't audit the kernel your mission software runs on. Supply chain provenance stops at the license agreement.
μKernel: Source access under license agreement. American company, American developer. Two third-party crates in the TCB (log, serde), both open source, both widely audited. The entire supply chain is auditable.

02 — Specifications

The numbers

15 Syscalls
617 Unsafe Blocks
~5K Lines of Code
PSE52+ POSIX Profile
DAL C Certifiable

03 — Architecture

One binary. Everything inside.

The certified boundary is three Rust crates enforced by the build system. The hypervisor, container runtime, and dataplane run outside the TCB under kernel supervision.

CERTIFIED TCB (617 unsafe blocks)
  sys-kernel   186 unsafes    15 syscalls, capabilities, IPC, scheduler
  sys-hal      385 unsafes    MMIO, MSR, NPT, SVM/VMX, ARM Stage 2
  sys-traits    46 unsafes    Cross-platform trait interfaces
────────────────────────────────────────────────────────────────
OUTSIDE TCB (under kernel supervision)
  sys-vmm      394 unsafes    Type-1 hypervisor (VM lifecycle, device emulation)
  POSIX shim   ~100 syscalls  Container runtime (Linux ABI translation)
  Dataplane                   VPP-class packet forwarding
  Domains                     Customer workloads (VMs, containers, applications)
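The claim above that every unsafe block is "audited, justified, and tracked by CI", and the per-crate unsafe counts in the TCB figure, describe a gate a build system can enforce. The script below is an added example, not μKernel's own tooling: it counts `unsafe` sites per crate, requires a `// SAFETY:` comment above each one (the convention clippy's `undocumented_unsafe_blocks` lint checks; assumed here to be the project convention), and fails the build when a crate exceeds its pinned count, so a new unsafe block must be reviewed and the budget raised deliberately. The crate names and budgets in `TCB_CRATES` are the page's figures; the sample Rust sources and the small sample budgets are constructed for the demonstration.

```python
"""CI gate for unsafe-block budgets and SAFETY justifications.

Added example, not the project's tooling. Crate names and budgets in
TCB_CRATES come from the page's architecture figure; the SAFETY-comment
convention and the budget format are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Pinned unsafe counts per certified crate (page figures; sums to 617).
TCB_CRATES: Dict[str, int] = {"sys-kernel": 186, "sys-hal": 385, "sys-traits": 46}

UNSAFE_RE = re.compile(r"\bunsafe\b")          # unsafe { }, unsafe fn, unsafe impl
SAFETY_RE = re.compile(r"^//\s*SAFETY:", re.IGNORECASE)


def find_unsafe_sites(source: str) -> List[Tuple[int, bool]]:
    """Return (line_number, justified) for every non-comment line with `unsafe`.

    A site is justified when the comment block directly above it (blank lines
    allowed) contains a line starting with `// SAFETY:`.
    """
    lines = source.splitlines()
    sites: List[Tuple[int, bool]] = []
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("//") or not UNSAFE_RE.search(line):
            continue
        justified = False
        j = idx - 1
        while j >= 0:                          # walk up through the comment block
            above = lines[j].strip()
            if above.startswith("//"):
                if SAFETY_RE.match(above):
                    justified = True
                    break
            elif above:                        # hit code: no justification found
                break
            j -= 1
        sites.append((idx + 1, justified))
    return sites


def gate(crate_sources: Dict[str, str], budgets: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Evaluate the gate: (passed, findings). Any finding fails the build."""
    findings: List[str] = []
    for crate, budget in budgets.items():
        sites = find_unsafe_sites(crate_sources.get(crate, ""))
        if len(sites) > budget:
            findings.append(f"{crate}: {len(sites)} unsafe sites exceeds budget of {budget}")
        for line_no, justified in sites:
            if not justified:
                findings.append(f"{crate}:{line_no}: unsafe site without // SAFETY: comment")
    return (not findings, findings)


def certified_total(budgets: Dict[str, int]) -> int:
    """Total unsafe budget across the certified crates."""
    return sum(budgets.values())


# Constructed sample sources (not μKernel code): one justified site, one not.
SAMPLE_SOURCES: Dict[str, str] = {
    "sys-traits": """\
pub trait Mmio {
    /// Read a register at `addr`.
    fn read32(&self, addr: usize) -> u32;
}

impl Mmio for Pl011 {
    fn read32(&self, addr: usize) -> u32 {
        // SAFETY: addr was validated against the device's MMIO window
        // by the capability check in the caller.
        unsafe { core::ptr::read_volatile(addr as *const u32) }
    }
}
""",
    "sys-kernel": """\
fn switch_stack(sp: usize) {
    unsafe { asm!("mov sp, {0}", in(reg) sp) }
}
""",
}
SAMPLE_BUDGETS: Dict[str, int] = {"sys-traits": 1, "sys-kernel": 1}


def run_sample() -> Tuple[bool, List[str]]:
    """Run the gate over the constructed sample; fails on the unjustified site."""
    return gate(SAMPLE_SOURCES, SAMPLE_BUDGETS)


if __name__ == "__main__":
    passed, findings = run_sample()
    print("PASS" if passed else "FAIL")
    for f in findings:
        print("  " + f)
```

In a real pipeline the budgets file would be committed beside the crates and changed only in the same review that adds or removes an unsafe block, which is what makes the count an audit trail rather than a statistic.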
                 VxWorks + Helix            INTEGRITY              μKernel
Language         C                          C                      Rust
Platform LOC     ~500,000                   ~10,000                ~5,000
Unsafe Audit     N/A (all C)                N/A (all C)            617 blocks
Hypervisor       Helix (separate license)   Separate product       Built-in
Containers       Linux VM required          Linux VM required      Native POSIX domain
Certification    DAL A                      DAL A                  DAL C (in progress)
Partitioning     ARINC 653                  MILS                   CBS + NPT
Ownership        Aptiv PLC (Ireland)        Green Hills Software   American
License *        Per-seat + unit + Helix    Per-seat + unit        Component-based

* Competitor licensing based on publicly available information. Actual terms may vary by contract.


04 — Markets

Where it runs

Aerospace & Defense

Autonomous UAS, mission computers, satellite processors. Hardware-enforced partitioning with formal scheduling guarantees. NDAA compliant. DO-178C certifiable.

Enterprise Infrastructure

Hyperconverged appliances, security gateways, container platforms. Wire-speed dataplane on dedicated cores.

Industrial & Embedded

CNC controllers, robotics, medical devices, automotive ECUs. Deterministic real-time scheduling on commodity ARM and x86 hardware.


05 — Certification

Yes... we're certifiable.

Designed for certification. Not retrofitted.

The small TCB, Rust type system, and CI-enforced safety gates make certification a bounded effort — not a multi-year program.

Common Criteria
  Target:   EAL4+ (NDcPP v3.0e + Virtualization PP)
  TOE:      sys-kernel + sys-hal + sys-traits
  Evidence: Security Target, ADV/ATE/AVA documentation
  Status:   In progress

DO-178C
  Target:   DAL C (statement + decision coverage)
  Scope:    Microkernel TCB (617 unsafe blocks)
  Evidence: PSAC, SRD, SDD, SVP, traceability matrix
  Status:   First drafts complete

DAL A available as a customer-funded upgrade. MC/DC coverage on 5,000 lines of Rust is achievable. Contact us for scoping.

06 — Licensing

Simple licensing. No surprises.

License each component independently. Terms are structured to fit your deployment, from single-board prototypes to fleet-scale production.

Kernel (Runtime License)
RTOS, scheduler, domain isolation, and capability-based IPC. The foundation everything else runs on.

Hypervisor (Runtime License)
Type-1 hypervisor with Hyper-V enlightenments, virtio backends, and NPT isolation. VM lifecycle management.

POSIX Runtime (Runtime License)
Native container runtime with Linux ABI translation. ~100 syscalls. No guest OS required.

Development Access (Per-Seat)
Full source access under NDA. Build, test, integrate. 12 months of updates and engineering support.

Board Support Package (Per-Target)
BSP for TI TDA4VM, x86 reference, and custom hardware. Includes bring-up support.

Certification Evidence (Per-Architecture)
DO-178C DAL C evidence package. Produced once, licensed independently per program.