Memory management
Per-process virtual memory on Peios — what each process sees, how the kernel partitions it, and how introspection through /proc is gated.
Concept: How processes shape their address space — mmap, mprotect, madvise, and the protection model. The bread-and-butter calls of Peios memory management.
Concept: Shared-memory primitives on Peios — POSIX shm, memfd, file sealing, and how the security model applies to memory shared between processes.
Concept: Huge-page support on Peios — transparent huge pages, hugetlbfs, page sizes, and the admin tunables that control them.
Concept: NUMA topology and memory policy on Peios — controlling where memory comes from on multi-socket systems, and the gates on cross-process migration.
Concept: How Peios handles memory exhaustion — the overcommit model, the OOM killer, and the privilege gate on opting out of OOM victim selection.
Concept: Swap on Peios — what it is, the SeCreatePagefilePrivilege model for swapon/swapoff, swap files vs partitions, and the boot-time activation pattern.
Concept: How Peios caches file content in memory — the page cache, readahead, fadvise/madvise hints, drop_caches, and the bypass paths.
Concept: Kernel-side memory hardening on Peios — KASLR, KPTI, and the Spectre family of speculative-execution mitigations. Image-built-in defences.
Concept: userfaultfd on Peios — what it does, why it became a kernel-exploit primitive, and the three-value policy knob that gates its dangerous mode.
Concept: The mseal syscall on Peios — preventing further changes to a memory region as a defence-in-depth primitive against bugs and exploits.
Concept: KSM on Peios — opportunistic cross-process memory deduplication, the timing side channel it produces, and the default-dormant policy.
Concept: Pinning memory in physical RAM on Peios — the mlock family, SeLockMemoryPrivilege, and the relationship with secret protection.
Concept: Memory protection keys on Peios — per-thread, hardware-enforced access control over memory regions, configurable from userspace without syscalls.
Reference: Smaller memory-management features on Peios — process_mrelease, DAMON, mmap_min_addr, max_map_count, MAP_32BIT, stack clash protection, MAP_UNINITIALIZED.