GOATd Kernel: A Rust-powered Orchestrator for High-Performance & Hardened Arch Kernels

Showcase
1

Hi everyone,

I’ve been working on a project I’m calling GOATd Kernel, and I feel it’s finally at a stage where I’d love to share it with this community and get some honest feedback.

What is GOATd Kernel?

I started this project because I wanted a simpler, more intuitive way to build and test Linux kernels that are specifically tuned for my hardware. By focusing on the modern Clang and LLVM toolchain, I wanted to explore how we can push the performance and security boundaries of the kernel while making the entire process accessible.

On a personal level, this app was also an opportunity for me to dive deeper into the Rust ecosystem. I used it as a way to learn more and sharpen my Rust skills and explore different GUI frameworks until I found one that I really enjoyed—egui—which has been fantastic for building these kinds of user-facing performance tools.

Using a modern LLVM and Clang toolchain, it gives you a streamlined workspace to take full control of your system’s “brain.” But it’s not just a build tool, it’s also a diagnostic suite. I wanted users to be able to actually see the impact of their changes. With integrated live monitoring and built in benchmark, you can benchmark your build in real time, moving the kernel compile process from a “black box” into something more transparent and manageable for everyone.

image
image1201×710 72.2 KB

image
image1201×710 92.9 KB

image
image1201×710 94.5 KB

image
image1201×710 60.9 KB

image
image1201×710 58.6 KB

Key Features:

  • Scheduler Hot-Swapping: The app provides a central hub to swap scx (sched_ext) schedulers like bpfland, lavd, or rusty on the fly. You can change the “brain” of your system in real-time based on whether you’re gaming, compiling code, or recording audio.
  • Real-time “Pulse” Telemetry: The app includes a live Performance Spectrum that monitors context switches, jitter, and syscall latency. When you swap a scheduler or change a profile, you can actually see the impact on stability and response times through live graphs.
  • Hardware-Aware Optimization: Automatically detects your microarchitecture (-march=native) and uses modprobed-db to exclude drivers you don’t actually need, drastically reducing the kernel’s footprint and attack surface.
  • LLVM-First Toolchain: This project moves away from the generic GCC standard to focus exclusively on a modern LLVM/Clang 19+ baseline. By using an LLVM-only pipeline, the kernel leverages advanced optimizations and modern security features like Control Flow Integrity (CFI) that are baked directly into the compiler’s logic.

What is LTO and why use it?

Link-Time Optimization (LTO) is often misunderstood as just a “speed booster,” but its real value is structural.

  • Security (The CFI Factor): The primary reason to use Full LTO is security. Full LTO allows the compiler to analyze the entire kernel at once, which is a hard requirement for Control Flow Integrity (CFI).
    • How it works: CFI creates a rigid “map” of all valid indirect function calls. If an exploit tries to hijack the kernel’s execution flow (like a ROP attack), the kernel detects that the jump target isn’t on the approved map and immediately halts. This restricts over 55% of indirect calls to just a handful of valid targets, making exploitation significantly harder.
  • Performance (When LTO Wins): While LTO isn’t a magic “FPS booster” for every game, it excels in high-throughput and syscall-heavy workloads.
    • Real Gains: You’ll see measurable improvements in network socket performance, HTTPS handling (Nginx/PostgreSQL), and complex memory operations. By inlining functions across the entire source and pruning “dead code,” LTO reduces the overhead of modern hardware mitigations and improves cache hit rates.
  • The Trade-off: Full LTO is resource-heavy. It can increase build times by ~2x and requires significant RAM. GOATd lets you choose between None, Thin, or Full LTO so you can decide if you need maximum CFI protection or faster rebuild cycles.

The Bottom Line:

The result is a bespoke, performance-hardened binary built specifically for your machine.

  • The “Win-Win”: You get a kernel that is objectively “snappier” and more responsive with faster boot times, while simultaneously being much more resilient to modern exploits.
  • Massive Attack Surface Reduction: By utilizing hardware auto-discovery, we can often reduce the module count from the ~6,500+ found in generic kernels to well below 200. If a driver isn’t compiled in, it can’t be exploited. This also results in significantly faster load times and a leaner memory footprint.
  • Optimized Execution: Beyond security, LTO improves the overall code quality, leading to better cache utilization and more efficient execution across the board.

The only real trade-off is the time it takes to compile. In exchange for that build time, you get a system that is faster, tighter, and significantly more hardened than any “one-size-fits-all” distribution kernel.

Current State & Feedback

This is very much a passion project and is still evolving. I know there are a few “little bugs” here and there, and the UI is still being stabilized. I am one person working on this, so it isn’t perfect.

I would love for you to try it out, try and break it, and tell me what you think. Whether it’s about the UI, the build logic, or the performance metrics, all feedback is welcome.

How to try it:

This is only for Arch Linux and Arch based distros.

The easiest way is through the AUR:

yay -S goatdkernel
# or
paru -S goatdkernel

Alternatively, you can check out the source and build the app yourself:

GitHub: GitHub - MadGoatHaz/GOATd-Kernel

Looking forward to hearing your thoughts!

1 Like
Weekly Forum Summary