Aether Enclave | THESNMC Quantum Observatory
System Live: v0.4.2-Alpha

Aether Enclave

Bare-Metal WASM Unikernel for extreme edge deployments. High-security, deterministic execution for quantum-resistant nodes.

Design Objectives

No persistent secrets

Memory is scrubbed at every context switch and again on exit, and nothing is ever written to persistent storage, so a volatile edge node leaves no trace behind.

Guest isolation

WASM payloads run in a ring-3 sandbox. The kernel is reachable only through the aether import namespace, never by direct memory or instruction access.

Deterministic wake

Bounded, low-jitter interrupt handling keeps wake and execution latency predictable.

Hardware-attested

A TPM 2.0 quote over the measured boot chain lets a remote verifier confirm kernel and payload integrity at every boot, before the node is trusted with work.

Physical & Logical Topology

+------------------------------------------+
|       WASM GUEST PAYLOAD (Ring 3)        |
|   +----------------------------------+   |
|   |   User Logic / Edge Function     |   |
|   +----------------------------------+   |
+--------------------|---------------------+
                     | aether_syscall()
+--------------------v---------------------+
|       AETHER HOST (wasmi / Ring 0)       |
|   +----------------------------------+   |
|   |   Import Resolver / VMM Layer    |   |
|   +----------------------------------+   |
+--------------------|---------------------+
                     | IDT / Vector 0x80
+--------------------v---------------------+
|     ENCLAVE KERNEL (Physical Entry)      |
|  [ GDT ]  [ IDT ]  [ Paging ]  [ ISRs ]  |
+------------------------------------------+

Enclave Kernel (Ring 0)

Low-level assembly entry point. Manages the Interrupt Descriptor Table (IDT) and direct hardware mapping without standard POSIX overhead.

AetherHost VMM

A minimal WebAssembly interpreter (wasmi) built for bare metal. It resolves the "aether" import namespace, which is the only path by which a guest reaches IO.

WASM Guest (Ring 3)

Isolated user-space. No direct access to memory or CPU instructions outside of the WASM specification.

Ring-0 Boot Sequence

Phase          | Operation                                                                              | Target State
01. PROT_ENTRY | Jump from the Multiboot2 entry, enable 64-bit Long Mode, load the GDT.                 | Architecture Locked
02. MEM_MAP    | Zero the guest heap, allocate the host bump arena, set up the ISR stacks.              | Memory Sanitized
03. WASM_INIT  | Validate the payload signature, then compile (JIT/AOT) or instantiate the guest module. | Payload Verified
04. EXEC_LOOP  | Transfer control to the WASM _start export and enter the interrupt-driven loop.         | Active Execution

Memory Architecture

Guest Sandbox 0x200000 – 0xA00000

Strictly isolated WASM linear memory. Page faults here cause immediate annihilation.

Host Bump Arena 0xA00000 – 0xF00000

High-speed allocation arena for the VMM host. No deallocation permitted during runtime.

ISR Stack 0xF00000 – 0xFFFFFF

Reserved stack for hardware interrupts. Locked and non-executable.

MAP_V2

[KERNEL_RESERVED] – Physical Address 0x000
[LDT/GDT_TABLES] – Offset 0x1000
[WASM_LINEAR_RAM] – Dynamic Scale
[GUARD_PAGE] – Protected Segment
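The arena and sandbox boundaries above, as an added example that is not the project's own code: a host bump allocator for the 0xA00000 to 0xF00000 arena that never deallocates and can never run into the ISR stack behind it, plus the overflow-safe check a host import should apply to any (offset, length) pair a guest hands it. The struct and function names are my own; addresses are handled as integers and never dereferenced, so it runs off-target.

```c
#include <stdint.h>
#include <stddef.h>

/* Physical layout from the memory map above (end addresses exclusive). */
#define GUEST_BASE      0x200000u
#define GUEST_END       0xA00000u
#define HOST_ARENA_BASE 0xA00000u
#define HOST_ARENA_END  0xF00000u
#define ISR_STACK_BASE  0xF00000u
#define ISR_STACK_END   0x1000000u

/* Bump arena: a cursor into [HOST_ARENA_BASE, HOST_ARENA_END). */
struct bump_arena {
    uint32_t cursor;
    uint32_t limit;
};

void arena_init(struct bump_arena *a) {
    a->cursor = HOST_ARENA_BASE;
    a->limit  = HOST_ARENA_END;
}

/* Returns the aligned start address of the allocation, or 0 on exhaustion.
 * Every step is checked against (limit - cursor) rather than computing
 * cursor + size, so a huge size or alignment can never wrap the cursor past
 * the arena limit into the ISR stack that directly follows it. */
uint32_t arena_alloc(struct bump_arena *a, uint32_t size, uint32_t align) {
    if (size == 0 || align == 0 || (align & (align - 1)) != 0) return 0;
    uint32_t pad = (align - (a->cursor & (align - 1))) & (align - 1);
    if (pad > a->limit - a->cursor) return 0;
    uint32_t start = a->cursor + pad;
    if (size > a->limit - start) return 0;
    a->cursor = start + size;
    return start;
}

/* There is deliberately no arena_free: the arena never deallocates at runtime. */

/* Guest offsets are wasm32 linear-memory offsets mapped at GUEST_BASE. A host
 * import that receives (off, len) from the guest must validate the whole range
 * without forming off + len, which can wrap in 32 bits and pass a naive check. */
int guest_range_ok(uint32_t off, uint32_t len) {
    const uint32_t size = GUEST_END - GUEST_BASE;
    if (len > size) return 0;
    return off <= size - len;
}

/* Translate an already validated guest offset to its physical address. */
uint32_t guest_to_phys(uint32_t off) { return GUEST_BASE + off; }
```

A pointer-taking import should call guest_range_ok before guest_to_phys and treat a failure as a sandbox violation, the same way a page fault in the guest region is treated above.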

WASM Host Bridge

The aether import namespace provides a low-overhead interface for interacting with hardware via bitmask status flags.

Exported Contract (the imports as declared by a guest module)
(import "aether" "get_status" (func $gs (result i32)))
(import "aether" "emit_signal" (func $es (param i32)))
(import "aether" "shred_self" (func $ss))
                    
Status Bitmask Flags
0x01 PHY_LINK_UP
0x02 CRYPTO_RDY
0x04 ENTROPY_LOW
0x08 THERMAL_TRIP
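A guest-side use of the contract above, as an added example rather than code from the page or the project: the three imports bound from C with clang's wasm32 import_module/import_name attributes, a policy over the status flags that fails closed on bits it does not know, and a simulated host for the native build so the policy can be exercised off-target. The signal value SIG_GUEST_READY, the action names and the sim_* host are assumptions.

```c
#include <stdint.h>

/* Status bitmask flags as published by the host's get_status import. */
#define PHY_LINK_UP  0x01u
#define CRYPTO_RDY   0x02u
#define ENTROPY_LOW  0x04u
#define THERMAL_TRIP 0x08u
#define KNOWN_FLAGS  (PHY_LINK_UP | CRYPTO_RDY | ENTROPY_LOW | THERMAL_TRIP)

/* Signal values are not defined on the page; this one is an assumption. */
#define SIG_GUEST_READY 1u

#ifdef __wasm__
/* Built with clang --target=wasm32-unknown-unknown, these declarations bind
 * directly to the "aether" namespace of the contract above. */
__attribute__((import_module("aether"), import_name("get_status")))
uint32_t aether_get_status(void);
__attribute__((import_module("aether"), import_name("emit_signal")))
void aether_emit_signal(uint32_t sig);
__attribute__((import_module("aether"), import_name("shred_self")))
void aether_shred_self(void);
#else
/* Native build: a simulated host (assumption) standing in for AetherHost. */
uint32_t sim_status;        /* what the fake host reports from get_status */
uint32_t sim_last_signal;   /* last value passed to emit_signal */
int      sim_shredded;      /* set once shred_self has been called */
uint32_t aether_get_status(void) { return sim_status; }
void aether_emit_signal(uint32_t sig) { sim_last_signal = sig; }
void aether_shred_self(void) { sim_shredded = 1; }
#endif

enum guest_action { ACT_RUN = 0, ACT_WAIT = 1, ACT_SHRED = 2 };

/* Pure policy over the bitmask. The destructive condition is checked first,
 * and any bit outside the published contract refuses to run rather than
 * guessing what a newer host means by it. */
enum guest_action decide(uint32_t status) {
    if (status & THERMAL_TRIP) return ACT_SHRED;   /* hardware out of envelope: destroy state */
    if (status & ~KNOWN_FLAGS) return ACT_WAIT;    /* unknown flag: contract mismatch, fail closed */
    if (status & ENTROPY_LOW)  return ACT_WAIT;    /* never key with a starved entropy pool */
    if ((status & (PHY_LINK_UP | CRYPTO_RDY)) != (PHY_LINK_UP | CRYPTO_RDY))
        return ACT_WAIT;                           /* need both the link and the crypto engine */
    return ACT_RUN;
}

/* One iteration of the guest loop: read the flags, decide, act. */
enum guest_action guest_step(void) {
    enum guest_action act = decide(aether_get_status());
    if (act == ACT_RUN)        aether_emit_signal(SIG_GUEST_READY);
    else if (act == ACT_SHRED) aether_shred_self();   /* never returns on the real host */
    return act;
}
```

Because uint32_t lowers to i32 under the wasm32 ABI, these prototypes match the (result i32) and (param i32) shapes in the contract exactly; a mismatch there is caught at instantiation by the import resolver, not at runtime.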

Self-Annihilation Protocol

In the event of compromise, or simply on completion, Aether Enclave runs a destructive exit sequence so that no data persists:

01 Halt WASM VM Execution
02 Overwrite Heap with Random Noise
03 Zero-out CPU Registers (RAX..R15)
04 Invalidate TLB & Paging Tables
05 Flush CPU Cache (L1/L2/L3)
06 Issue Out-Port QEMU_EXIT(33)
Expected result on the host side: EXIT 33, the success path confirmed.
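The scrub and exit steps above, as an added example that is not the project's own code: the heap overwrite written so the compiler cannot drop it, a read-back verification of the scrub, and the mapping from the out-port value to the process exit status. It assumes the out-port exit is QEMU's isa-debug-exit device at its default port 0xf4, which makes QEMU exit with status (value << 1) | 1, so writing 0x10 yields the page's EXIT 33. The ring-0 steps sit behind an AETHER_RING0 define that is also an assumption; the noise source is a fixed-seed xorshift so the example is reproducible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumption: the "Out-Port" exit is QEMU's isa-debug-exit at its default port. */
#define QEMU_DEBUG_EXIT_PORT    0xf4
#define QEMU_EXIT_SUCCESS_VALUE 0x10u

/* isa-debug-exit terminates QEMU with (value << 1) | 1: 0x10 becomes 33. */
uint32_t qemu_exit_status(uint32_t value) { return (value << 1) | 1u; }

/* Noise source. The kernel would seed from RDSEED/RDRAND; a fixed seed here. */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Step 02: overwrite [base, base+len) with noise. The stores go through a
 * volatile pointer: a plain memset on memory that is never read again is
 * exactly the dead store an optimizer is entitled to delete. */
void scrub_region(void *base, size_t len, uint64_t seed) {
    volatile uint8_t *p = (volatile uint8_t *)base;
    uint64_t s = seed ? seed : 1, w = 0;
    for (size_t i = 0; i < len; i++) {
        if ((i & 7) == 0) w = xorshift64(&s);
        p[i] = (uint8_t)(w >> (8 * (i & 7)));
    }
}

/* Read-back check: regenerate the stream and compare byte by byte. Returns 1
 * only if every byte now holds noise, which catches dropped stores and memory
 * that silently ignores writes. Any mismatch returns 0. */
int verify_scrub(const void *base, size_t len, uint64_t seed) {
    const volatile uint8_t *p = (const volatile uint8_t *)base;
    uint64_t s = seed ? seed : 1, w = 0;
    for (size_t i = 0; i < len; i++) {
        if ((i & 7) == 0) w = xorshift64(&s);
        if (p[i] != (uint8_t)(w >> (8 * (i & 7)))) return 0;
    }
    return 1;
}

#ifdef AETHER_RING0
/* Steps 03 to 06, ring 0 only (assumption: the kernel build defines
 * AETHER_RING0). The out instruction itself needs EAX and EDX, so those two
 * hold the exit value and port; every other general-purpose register is
 * cleared first. Reloading CR3 flushes the non-global TLB entries; wbinvd
 * writes back and invalidates every cache level. */
__attribute__((noreturn)) void annihilate(void *heap, size_t heap_len, uint64_t seed) {
    scrub_region(heap, heap_len, seed);                   /* 02 */
    __asm__ volatile(
        "xor %%ebx, %%ebx\n\t"                            /* 03: clear GPRs */
        "xor %%ecx, %%ecx\n\t"
        "xor %%esi, %%esi\n\t"
        "xor %%edi, %%edi\n\t"
        "xor %%ebp, %%ebp\n\t"
        "xor %%r8d, %%r8d\n\t"
        "xor %%r9d, %%r9d\n\t"
        "xor %%r10d, %%r10d\n\t"
        "xor %%r11d, %%r11d\n\t"
        "xor %%r12d, %%r12d\n\t"
        "xor %%r13d, %%r13d\n\t"
        "xor %%r14d, %%r14d\n\t"
        "xor %%r15d, %%r15d\n\t"
        "mov %%cr3, %%rax\n\t"                            /* 04: TLB flush via CR3 reload */
        "mov %%rax, %%cr3\n\t"
        "wbinvd\n\t"                                      /* 05: flush L1/L2/L3 */
        "mov %0, %%eax\n\t"                               /* 06: isa-debug-exit */
        "mov %1, %%edx\n\t"
        "outl %%eax, %%dx\n\t"
        "1: hlt\n\t"
        "jmp 1b"
        :
        : "i"(QEMU_EXIT_SUCCESS_VALUE), "i"(QEMU_DEBUG_EXIT_PORT)
        : "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "memory");
    __builtin_unreachable();
}
#endif
```

Run the verification before the cache flush, not after: once wbinvd has executed the read-back costs a full miss on every line, and once the exit port has been written there is no code left to report a failure.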