Preprint / Version 1

MONEROCHAN OS

A Freestanding RISC-V Microkernel with Capability-Gated IPC for Privacy-Coin Workloads

Authors

  • MJ Stephenson Waterloo

DOI:

https://doi.org/10.31224/7266

Keywords:

microkernel, RISC-V, capability-based security, privilege separation, Monero, trusted computing base, IPC isolation, operating systems, kernel security, privacy-coin workloads

Abstract

We present MONEROCHAN OS, a freestanding RISC-V (rv32ima) microkernel designed from the ground up to host a Monero full node (monerod) with hardware-enforced privilege separation between cryptographic, storage, and network subsystems. Unlike conventional approaches that layer isolation atop general-purpose operating systems—via hypervisors, containers, or manual seccomp policy—MONEROCHAN OS enforces separation at the kernel syscall boundary using a per-process capability bitmask checked on every inter-process communication (IPC) call. The system comprises an approximately 1,650-line C kernel implementing SV32 two-level page tables, a bump physical-memory allocator, a cooperative round-robin scheduler with naked context switching, legacy VirtIO-blk I/O, a ustar TAR filesystem, and a synchronous blocking IPC rendezvous. Four isolated services—crypto_service, kv_store, network_service, and monerod—are spawned with disjoint capability sets; a full remote-code-execution exploit inside network_service provably cannot reach crypto_service's Ed25519 private-key material, because the required CAP_CRYPTO bit is absent from its process control block and enforced atomically in the kernel. To our knowledge this is the first published capability-microkernel purpose-architected for a privacy-coin node, and the first to run Monero daemon logic inside a sub-2,000-line trusted computing base. The system boots under QEMU's RISC-V virt machine via OpenSBI and is available as open-source hardware-software co-design.
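The per-process capability check described in the abstract can be sketched as follows. This is an added example, not code from the MONEROCHAN OS kernel: only CAP_CRYPTO and the four service names come from the abstract, while the other capability bits, the PCB layout, the return codes and the capability assignment are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* CAP_CRYPTO is named in the abstract; the other bits are hypothetical. */
#define CAP_CRYPTO (1u << 0)
#define CAP_KV     (1u << 1)
#define CAP_NET    (1u << 2)
#define CAP_NODE   (1u << 3)

enum { SVC_CRYPTO, SVC_KV, SVC_NET, SVC_MONEROD, SVC_COUNT };
enum { IPC_OK = 0, IPC_EPERM = -1, IPC_EINVAL = -2 };

struct pcb {
    const char *name;
    uint32_t caps;     /* held capabilities, fixed at spawn, kernel memory only */
    uint32_t required; /* bits a sender must hold to rendezvous with this process */
};

/* Constructed process table: the capability assignment is an assumption. */
static const struct pcb procs[SVC_COUNT] = {
    [SVC_CRYPTO]  = { "crypto_service",  0,                             CAP_CRYPTO },
    [SVC_KV]      = { "kv_store",        0,                             CAP_KV },
    [SVC_NET]     = { "network_service", CAP_NODE,                      CAP_NET },
    [SVC_MONEROD] = { "monerod",         CAP_CRYPTO | CAP_KV | CAP_NET, CAP_NODE },
};

/* Gate run on every IPC send. In a kernel the sender index would come from the
 * scheduler's current-process pointer, never from a syscall argument. */
int ipc_check(int sender, int target)
{
    if (sender < 0 || sender >= SVC_COUNT || target < 0 || target >= SVC_COUNT)
        return IPC_EINVAL;
    uint32_t need = procs[target].required;
    /* Fail closed: a target with no declared gate accepts nobody, and every
     * required bit must be present in the sender's mask. */
    if (need == 0 || (procs[sender].caps & need) != need)
        return IPC_EPERM;
    return IPC_OK;
}

int main(void)
{
    for (int s = 0; s < SVC_COUNT; s++)
        for (int t = 0; t < SVC_COUNT; t++)
            printf("%-15s -> %-15s : %s\n", procs[s].name, procs[t].name,
                   ipc_check(s, t) == IPC_OK ? "allow" : "deny");
    return 0;
}
```

Because the mask lives in the kernel's process table and the check takes no caller-supplied identity, code running inside network_service has no input through which it could acquire the CAP_CRYPTO bit.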

Posted

2026-06-08