About MesaLock Linux
What is MesaLock Linux?
MesaLock Linux is a general purpose Linux distribution which aims to provide a safe and secure user space environment. To eliminate high-severity vulnerabilities caused by memory corruption, all user space applications are rewritten in memory-safe programming languages like Rust and Go.
This greatly reduces the attack surface of an operating system exposed in the wild, leaving the remaining attack surface auditable and restricted. Therefore, MesaLock Linux can substantially improve the security of the Linux ecosystem. Additionally, thanks to the Linux kernel, MesaLock Linux supports a broad hardware environment, making it deployable in many places.
Two main usage scenarios of MesaLock Linux are containers and security-sensitive embedded devices. With the growth of the ecosystem, MesaLock Linux would also be adopted in the server/cloud environment.
Fatal bugs introduced by non-memory-safe languages (C/C++/etc.) are one of the oldest yet most persistent problems in computer security. By using memory-safe programming languages like Rust and Go, developers can obtain guarantees of type soundness, memory safety, and thread safety. We believe that using memory-safe programming languages will eliminate memory issues and provide a safe and secure environment. Therefore, we decided to focus on providing a memory-safe Linux distribution.
Finally, if you care about memory safety, you may also be interested in our sister projects:
- MesaLink: a memory-safe and OpenSSL-compatible TLS library
- Rust SGX SDK: an SDK that helps developers write Intel SGX applications in the Rust programming language
You can quickly experience MesaLock Linux in the container environment using Docker.
$ docker run -it mesalocklinux/mesalock-linux
Currently, MesaLock Linux is provided in two versions: live ISO and rootfs. The live ISO image can be used to create a bootable live USB, or boot in a virtual machine. The rootfs (i.e., root file system) can be used as a minimal root image for a container.
Clone MesaLock repository
$ mkdir mesalock-linux && cd mesalock-linux
$ git clone https://github.com/mesalock-linux/mesalock-distro.git
$ git clone https://github.com/mesalock-linux/packages.git
$ cd mesalock-distro
Build in Docker
We provide a Dockerfile for building MesaLock Linux with all dependencies installed. You can build the docker image first and then, inside the build container environment, build packages, live ISO, and rootfs.
$ docker build --rm -t mesalocklinux/build-mesalock-linux -f Dockerfile.build .
$ docker run -v $(dirname $(pwd)):/mesalock-linux -w /mesalock-linux/mesalock-distro \
    -it mesalocklinux/build-mesalock-linux /bin/bash
The image of the build environment is also provided on Docker Hub. You can pull and run the container with the repo name
Build on Ubuntu
You can also build on an Ubuntu machine. Please install these build dependencies first:
$ # install packages
$ apt-get update && \
    apt-get install -q -y --no-install-recommends \
      curl \
      git \
      build-essential \
      cmake \
      wget \
      bc \
      gawk \
      parallel \
      pigz \
      cpio \
      xorriso \
      fakeroot \
      syslinux-utils \
      uuid-dev \
      libmpc-dev \
      libisl-dev \
      libz-dev \
      python-pip \
      python-setuptools \
      software-properties-common
$ # install dependencies of building pypy
$ apt-get install -q -y --no-install-recommends \
      pypy \
      gcc \
      make \
      libffi-dev \
      pkg-config \
      zlib1g-dev \
      libbz2-dev \
      libsqlite3-dev \
      libncurses5-dev \
      libexpat1-dev \
      libssl-dev \
      libgdbm-dev \
      tk-dev \
      libgc-dev \
      python-cffi \
      liblzma-dev \
      libncursesw5-dev
$ # install wheel and sphinx
$ pip install wheel
$ pip install sphinx
$ # install Go
$ add-apt-repository -y ppa:gophers/archive && \
    apt-get update && \
    apt-get install -q -y --no-install-recommends \
      golang-1.9-go
$ # install Rust
$ curl https://sh.rustup.rs -sSf | sh -s -- -y && \
    rustup override set nightly-2018-01-14
$ # setup PATH
$ export PATH="$HOME/.cargo/bin:/usr/lib/go-1.9/bin:$PATH"
Build packages, live ISO, and rootfs
After installing the build dependencies, you can run the following commands to build packages, live ISO, and rootfs.
- First build all packages:
- Build the live ISO:
- Build the container rootfs:
- Build a specific package only:
The live ISO (mesalock-linux.iso) and rootfs (rootfs.tar.xz) can be found
MesaLock Linux can be run on real devices (e.g., boot from a Live USB), virtual machines, and docker containers.
You can try MesaLock Linux with Live ISO or in a docker container. Here are steps to try MesaLock Linux in VirtualBox.
- Open VirtualBox and "New" a VM.
- In the VM settings, choose mesalock-linux.iso as "Optical Drive".
- Start the VM and explore MesaLock Linux.
We provide a simple Dockerfile for MesaLock Linux. Here are steps to try MesaLock Linux in a docker container.
- Build packages and rootfs:
./mkpkg && ./mesalockrootfs
- Build the docker image:
docker build --rm -t mesalocklinux/mesalock-linux .
- Run the image and experience MesaLock Linux:
docker run --rm -it mesalocklinux/mesalock-linux
The latest rootfs image with all packages is pushed to Docker Hub. You can also directly run the image with the repo name
Hosting web servers
The mesalock-demo package provides several examples and will be installed in the /root/mesalock-demo directory. For instance, we made several web server demos written in Rocket, which is a web framework written in Rust. To try these demos in the VM, please follow these instructions.
- In the VM settings, select "NAT" for network adapter and use port forwarding function in the advanced settings to bind host and guest machines. Here we add a new rule to bind host IP (127.0.0.1:8080) with guest IP (
- Start MesaLock Linux.
- Bring up all network devices. Here we use
```
$ ip link set lo up
$ ip link set eth0 up
```
- Setup IP address of the network devices.
```
$ ip address add 10.0.2.15/24 dev eth0
```
- Run a web server.
```
$ cd /root/mesalock-demo/rocket-hello-world && ./hello_world
$ # or
$ cd /root/mesalock-demo/rocket-tls && ./tls
```
- Finally, connect to the web server using a browser. In this example, type http://127.0.0.1:8080 in the browser.
You can also try our demos in the docker image directly.
- Run the MesaLock docker and export port 8000 to 8000:
docker run -it -p 8000:8000 mesalocklinux/mesalock-linux
- Run a web server in the
- Visit the website in the browser.
Working on machine learning tasks
Rusty-machine is a general purpose machine learning library implemented entirely in Rust. We put several demo examples of machine learning tasks in the mesalock-demo package. You can find them in the
We are very open to the open source community. If you are interested in the
MesaLock Linux project, please find us on the
#mesalock-linux-cn (in Chinese) IRC channels at the freenode
server and the bridged room on Matrix. If you're not
familiar with IRC, we recommend chatting through Matrix via
Riot or via the Kiwi
web IRC client.
List of our IRC channels:
- #mesalock-linux: general discussion on MesaLock Linux
- #mesalock-linux-cn: discussion in Chinese
- #mesalock-linux-devel: discussion on design and development
If you prefer to chat with our developers directly, you can also drop an email
MesaLock Linux is very young and at an early stage. Some important components are still missing or work-in-progress. Building a safe and secure Linux distro relies on the whole community, and you are very welcome to contribute to the MesaLock Linux project.
You can get involved in various forms:
- Try to use MesaLock Linux, report issues, suggest enhancements, etc.
- Contribute to MesaLock Linux: optimize the development process, improve documents, close issues, etc.
- Contribute to core packages of MesaLock Linux: improving
- Writing applications using memory-safe programming languages like Rust/Go, and joining the MesaLock Linux packages
- Auditing source code of the MesaLock Linux projects and related packages
You are welcome to send pull requests and report issues on GitHub. Note that the MesaLock Linux project follows the Git flow development model.
The MesaLock Linux project has many repositories. All code is open source and maintained under the MesaLock Linux organization on GitHub.
mesalock-distro: scripts to build different distributions like docker images, rootfs, ISO, etc.
packages: building scripts for all MesaLock packages
mkpkg: utility to build packages
minit: init written in Rust
mgetty: getty written in Rust
giproute2: iproute2 written in Go
loginutils: login-related utilities
docs: documentation and wiki
The idea for the MesaLock logo came from the Kongming lock, a traditional Chinese puzzle.
|MesaLock logo (horizontal)||PNG|
|MesaLock Wallpaper Grey (2880 x 1800)||JPG|
|MesaLock Wallpaper Blue (2880 x 1800)||JPG|