Gapfruit OS
Deployed for OEMs building devices where trust
must be proven, not assumed.
For regulated industrial, energy, and communication environments where device authenticity, integrity, and resilience are required throughout long operational lifecycles.
LATENCY
// SECURITY RATE
What makes Gapfruit OS different
Gapfruit OS implements the Seven Properties of Highly Secure Devices.
The Seven Properties of Highly Secure Devices define the architectural conditions required for trustworthy, attack-resilient systems. Gapfruit OS implements these properties natively and extends them to long-lived, safety- and security-critical deployments.
The Seven Properties of Highly Secure Devices define the architectural conditions required for trustworthy, attack-resilient systems. Gapfruit OS implements these properties natively and extends them to long-lived, safety- and security-critical deployments.
Hardware-Based Root of Trust
Gapfruit OS anchors device identity and measurements in TPM-backed hardware, enabling cryptographic proof of device origin and state from manufacturing onward.
TPM-attested device identity at first boot
No addidional infrastructure required
Verifiable for the ntire device lifecycle
Small Trusted Computing Base
Only the microkernel and minimal runtime components are trusted; device drivers, file systems, and network stacks run outside the TCB.
Isolation instead of shared-fate execution
Microkernel, not monolithic
Reduced verification scope
Defense in Depth
Multiple independent mechanisms prevent escalation even when individual layers fail.
Capability-based access control
Service and parent–child resource control
Signed artifacts and remote attestation
Compartmentalization
Each component runs in isolated sandboxed compartments with least privilege and minimal access to resources.
Drivers in userspace
Application isolation
Faults do not propagate
Certificate-Based Authentication
Device identity is established using TPM attestation and PKI-backed certificates (Birth Certificates, update signatures, service identities).
No shared keys
No identity spoofing
No unauthenticated onboarding
Renewal / Updatability
Gapfruit enables secure lifecycle evolution through transactional, signed, and reversible updates.
SBOM-defined content
M-of-N approval
Automatic rollback
Failure Reporting
Runtime faults are reported, recoverable, and traceable without halting critical system functio
Deterministic fault handling
Self-healing runtime behavior
Component-level restart, not system reset
NOPCPU OPCODE · 1960s · NO OPERATION
Why Gapfruit OS exists
Todays monolithic operating systems were never designed for
long-lived, trustworthy devices.
long-lived, trustworthy devices.
Current security requirements and regulatory expectations expose structural limits in traditional operating systems:
A single kernel compromise affects the entire system
Driver code runs with full privilege and no isolation
BSPs freeze early and block long-term lifecycle maintenance
Security patches do not provide verifiable integrity over time
Identities are added in software instead of being rooted in hardware
Components share fate instead of being isolated by design
These aren’t implementation gaps. They are architectural constraints.
Gapfruit OS exists because trustworthiness cannot be retrofitted into systems that were never designed for it.
Gapfruit OS exists because trustworthiness cannot be retrofitted into systems that were never designed for it.
JMP
ASSEMBLER · 1950s · CONTROL FLOW
Core principles
Architecture that enforces trust, rather than assuming it.
Strong Isolation
Each component executes inside a microkernel-enforced sandbox with least-privilege capabilities. There is no ambient authority; all access must be explicitly granted. Isolation is bidirectional:
Outside-in — external components cannot
influence the internal state
influence the internal state
Inside-out — compromised components cannot escalate or propagate
Even under fault or attack, isolation boundaries remain intact, preventing lateral movement and shared-fate failures.
A vulnerability may exist, but its impact is contained
Controlled Dependencies
Gapfruit OS governs system relationships at three levels to maintain predictable behavior and verifiable integrity across the entire lifecycle.
Resource Distribution: Each component receives a defined budget for CPU, memory, and capabilities — enforced by the parent–child hierarchy.
Service Topology: All communication flows through a declarative service graph with enforced access rights, not ad-hoc linking or shared namespaces.
Software Dependencies (SBOM): A transactional package manager defines and verifies the complete SBOM, enabling safe evolution, signed updates, and deterministic rollback
Dependencies exist, but they are explicit, controlled, and verifiable
INT
x86 · 1978 · INTERRUPT
How Gapfruit OS enforces trustworthiness in the field
Security is not a startup condition. Itis a runtime property.
Compromise becomes containment, not escalation. Gapfruit OS avoids systemic failures by eliminating shared-fate execution paths:
Drivers execute unprivileged in userspace compartments
Exploits cannot traverse component boundaries
No implicit access to memory, interfaces, or services
Dynamic compartments isolate runtime risks
Faults recover without bringing down the system
A vulnerability may exist, but its consequences are constrained.
Failures remain local events.
The system monitors component behavior and restores function deterministically:
The system monitors component behavior and restores function deterministically:
Faults trigger safe restart of individual components
Critical functions remain isolated from failing parts
Resource limits enforce real-time stability
Predictable failure modes maintain operational continuity
Execution continues even when individual components misbehave.
Identity and integrity are proven, not assumed. Gapfruit OS integrates hardware-backed trust anchors natively:
Authenticated and measured boot
Remote attestation of device state
Policy-scoped secrets and key usage
TPM-backed device identities and secure counters
Security teams gain assurance without implementing trust mechanics manually.
Linux drivers without monolithic risk.
Gapfruit OS incorporates Linux drivers through the Device Driver Environment (DDE):
Gapfruit OS incorporates Linux drivers through the Device Driver Environment (DDE):
Drivers run in isolated userspace sandboxes
No kernel-level execution paths
Hardware access mediated through capability controls
Broad driver support without expanding the TCB
Compatibility increases, but the attack surface does not.
.avif)
Security that endures deployment.
Gapfruit OS devices operate as fully defined, cryptographically versioned digital twins:
Gapfruit OS devices operate as fully defined, cryptographically versioned digital twins:
TPM-backed provisioning
Declarative system definitions
Atomic, rollback-safe transactional updates
Signed SBOM execution through the package manager
Long-term maintainability without BSP freeze
Trustworthiness persists over the entire product lifecycle—not just at launch.
fork()
UNIX · 1971 · PROCESS CREATION
Trust isn’t claimed — it’s engineered.
Gapfruit OS ensures authenticity, integrity, and resilience arise from architecture, enabling devices to remain trustworthy throughout their operational lifetime.
// MODE
// OPERATIING SYSTEM
OPERATING
SWI_
