GitHub - ArturR0k3r/AkiraOS: AkiraOS is a modular, security-focused embedded platform for resource-constrained devices. Built on Zephyr RTOS with WebAssembly (WASM) runtime support and container technology



WebAssembly Runtime for Microcontrollers

Every app is a sandboxed .wasm module. Deploy over-the-air. No firmware flash required.




What is AkiraOS?

AkiraOS is a Zephyr-based embedded OS that runs sandboxed WebAssembly applications on microcontrollers.

The core idea: separate the OS from the application. The firmware stays stable. Apps are .wasm binaries — isolated, portable, and deployable over-the-air without touching the OS.

Your App (C/C++/Python)  →  compile  →  app.wasm  →  SecureDeploy  →  runs on device
                                                              OS unchanged

Why this matters:

  • Update apps in the field without a firmware flash cycle
  • One binary runs on ESP32-S3, nRF5x, or STM32 — no recompile
  • Bad app crashes? Runtime catches it at the boundary. Device stays up.
  • Every app gets only the hardware access it explicitly requested

Architecture

┌─────────────────────────────────────────────────────┐
│              USER SPACE — WASM Apps                 │
│   [app1.wasm]   [app2.wasm]   [your_app.wasm]       │
│   50KB–200KB per app · max 8 installed · 2 running  │
└──────────────────────┬──────────────────────────────┘
                       │ capability-checked calls
┌──────────────────────▼──────────────────────────────┐
│              AKIRAZ RUNTIME                         │
│  App Manager · Capability Guard · Native Bridge     │
│  UI Framework (32 widgets) · Shell · 18 API modules │
│  WAMR: interpreter (1x) or AOT (10–50x perf)        │
└──────────┬──────────────────────┬───────────────────┘
           │                      │
┌──────────▼──────────┐  ┌───────▼───────────────────┐
│  CONNECTIVITY       │  │  ZEPHYR RTOS               │
│  HTTP · OTA         │  │  Scheduler · Network Stack  │
│  BLE · AkiraMesh    │  │  Drivers · LittleFS         │
└─────────────────────┘  └────────────────────────────┘

Capability Guard — every native API call goes through an inline permission check (~60ns overhead). Apps declare required capabilities in a manifest. No capability = no access. Period.

{
  "name": "my_sensor_app",
  "capabilities": ["gpio.read", "display.write", "sensor.read"]
}
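
The check described above, sketched as an added example (not AkiraOS source code): manifest capability names become a bitmask at install time, and each native call tests its bit before doing any work. All identifiers (`app_ctx`, `app_grant`, `native_gpio_read`, the `CAP_*` constants) and the fail-closed handling of unknown names are assumptions made for illustration.

```c
/* Added illustration, not AkiraOS source; every identifier is hypothetical.
 * The capability names are the ones in the manifest shown above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAP_GPIO_READ     (1u << 0)
#define CAP_DISPLAY_WRITE (1u << 1)
#define CAP_SENSOR_READ   (1u << 2)
#define CAP_DENIED        (-1)

static const struct { const char *name; uint32_t bit; } cap_table[] = {
    { "gpio.read", CAP_GPIO_READ }, { "display.write", CAP_DISPLAY_WRITE },
    { "sensor.read", CAP_SENSOR_READ },
};

struct app_ctx { const char *name; uint32_t caps; };

/* Install time: names -> bitmask. One unknown name rejects the manifest. */
bool app_grant(struct app_ctx *app, const char *const *names, size_t n)
{
    uint32_t mask = 0;
    app->caps = 0;                     /* fail closed until fully parsed */
    for (size_t i = 0; i < n; i++) {
        uint32_t bit = 0;
        for (size_t j = 0; j < sizeof(cap_table) / sizeof(cap_table[0]); j++)
            if (strcmp(names[i], cap_table[j].name) == 0)
                bit = cap_table[j].bit;
        if (bit == 0)
            return false;
        mask |= bit;
    }
    app->caps = mask;
    return true;
}

/* Call time: the guard is a single AND at the top of the native function. */
int native_gpio_read(const struct app_ctx *app, int pin)
{
    if (!(app->caps & CAP_GPIO_READ))
        return CAP_DENIED;
    return pin & 1;                    /* stand-in for the real driver read */
}

int main(void)
{
    const char *const m[] = { "display.write", "sensor.read" }; /* constructed */
    struct app_ctx app = { "constructed_app", 0 };
    return (app_grant(&app, m, 2) && native_gpio_read(&app, 4) == CAP_DENIED) ? 0 : 1;
}
```

Resolving names once at install keeps string comparison off the call path, so the per-call cost is the mask test alone.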

Full architecture docs → docs.akiraos.dev/architecture


Quick Start

No hardware? No problem. AkiraOS runs on native_sim — test everything on your Linux host first.

Prerequisites

  • Linux or WSL2 (Ubuntu 20.04+)
  • Python 3.8+
  • west (pip install west)

1 — Clone

mkdir akira-workspace && cd akira-workspace
git clone --recurse-submodules https://github.com/ArturR0k3r/AkiraOS.git
cd AkiraOS
west init -l . && cd .. && west update

2 — Install Zephyr SDK

cd ~
wget https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v0.17.4/zephyr-sdk-0.17.4_linux-x86_64.tar.xz
tar xvf zephyr-sdk-0.17.4_linux-x86_64.tar.xz
cd zephyr-sdk-0.17.4 && ./setup.sh

3 — Build and run

cd akira-workspace/AkiraOS

# Run on your host — no hardware needed
./build.sh

# Build and flash to ESP32-S3
cd .. && west blobs fetch hal_espressif && cd AkiraOS
./build.sh -b esp32s3_devkitm_esp32s3_procpu -r a
west espmonitor

Full setup guide → QUICKSTART.md


WASM App Development

Install the AkiraSDK toolchain (clang/wasi-sdk used as a cross-compiler only — AkiraOS apps target the AkiraZ native API, not a WASI runtime), then:

# Build your first app
cd AkiraSDK/wasm_apps/hello_world
../../build_wasm_app.sh -o hello_world.wasm main.c

# Deploy to a running device over WiFi — no reflash needed
curl -X POST -F "file=@hello_world.wasm" http://<device-ip>/upload

Example apps in AkiraSDK/wasm_apps/:

App                Description
hello_world        Minimal starter
sensor_demo        Read hardware sensors
display_graphics   Graphics rendering
gui_demo           Full UI with 32 widget types
hid_keyboard_demo  USB HID input
blink_led          GPIO control
logic_analyzer     Data capture

Native API Modules (18 total): BLE · Display · GPIO · HID · I2C · IPC · Lifecycle · Memory · Net · Power · PWM · RF · Sensor · Storage · Timer · UART · and more.

Full API reference → docs.akiraos.dev/api-reference


Supported Hardware

Platform      Status        Architecture         Tier    Notes
AkiraConsole  ✅ Supported  Xtensa LX7           Tier 1  ESP32-S3 · Custom HW
ESP32         ✅ Supported  Xtensa LX7 / RISC-V  Tier 1  -S3 (LX7) · -H2 · -C6 (RISC-V)
native_sim    ✅ Supported  Host (x86_64)        Tier 1  Fast iteration, no hardware needed
nRF54L15      ✅ Supported  ARM Cortex-M33       Tier 2  BLE 5.4 · Nordic
STM32         ✅ Supported  ARM Cortex-M         Tier 2  B-U585I-IOT02A · STEVAL-STWINBX1 · H753 · H723

Recommended: ESP32-S3 DevKitM — or AkiraConsole V3 (coming to CrowdSupply).


AkiraConsole

The reference hardware platform for AkiraOS.

V3 - OSHWA Certified — UID: MD000003

Rev A.2: CrowdSupply campaign coming soon.

  → ESP32-S3 dual-core 240MHz · 8MB PSRAM
  → TFT display · ~33 FPS in AkiraOS
  → 8 tactile buttons · Dial
  → CC1121 sub-GHz radio · LR2021 LoRa
  → MicroSD · USB-C · Expansion headers

akiraos.dev/akiraconsole


What's in v1.5.x

125 commits · 350 files · ~40,600 lines of changes

  • WAMR Runtime replaces legacy OCRE engine
  • Capability Guard security model — per-app permission enforcement
  • Full WASM Peripheral API — GPIO, Display, BLE, HID, Sensors, Storage
  • AkiraSDK as independent git submodule
  • AkiraConsole board bringup complete

Full changelog →


Build System

./build.sh -b esp32s3_devkitm_esp32s3_procpu        # ESP32-S3
./build.sh -b esp32_devkitc_procpu                  # ESP32
./build.sh -b esp32c3_devkitm                       # ESP32-C3
./build.sh -b native_sim                            # Simulation
./build.sh -b esp32s3_devkitm_esp32s3_procpu -r all # Clean rebuild

Key config files: prj.conf · boards/*.conf · boards/*.overlay · west.yml


Security Model

  1. WASM Sandboxing — no direct memory access to kernel space, stack/heap isolated per app
  2. Capability Guard — inline checks on every native API call, manifest-declared permissions
  3. Secure Boot — MCUboot validates firmware signature, WAMR validates module checksum
  4. OTA Security — SHA-256 integrity, atomic updates, rollback on failure

Security architecture →


Contributing

git checkout -b feature/your-feature
./build.sh                                           # test on native_sim first
./build.sh -b esp32s3_devkitm_esp32s3_procpu -r a   # then on hardware

See CONTRIBUTING.md · Code style: Zephyr C · Commits: conventional format


Links

📖 Docs docs.akiraos.dev
🖥️ Hardware akiraos.dev/akiraconsole
🏷️ OSHWA certification.oshwa.org/md000003.html
💬 Discussions GitHub Discussions
📢 Telegram @theguywithpen
🛒 CrowdSupply Coming soon — akiraos.dev/akiraconsole

Acknowledgments

Zephyr Project · Bytecode Alliance / WAMR · Espressif Systems · Nordic Semiconductor · MCUboot