介紹作業系統概念的投影片
Transcription
介紹作業系統概念的投影片
Basic OS concept CCL HungLin Chou Basic OS concept The history of Operating System From first processor to modern OS Digging out kernel/system calls and static/dynamic libraries in various OS environments Real/Protected Mode (Rings) User/Kernel Mode Evil Hackers/Virus/Protocol Attacks issues Virtual memory management Inter-Process Communication Device Driver Programming and how to work with user applications File-system internals and how to built-in various FS format Operating System sub-systems From the view of Microsoft to modern competitors CCL The history of computer A good book about this history 意外的電腦王國 Accidental empires :how the boys of Silicon Valley make their millions, battle foreign competition, and still can’t get a date 從大型電腦、小型電腦到個人電腦、微電腦的演變,美國數以千計的電腦業者竄起又跌落, 甚至蘋果(Apple)、微軟(Microsoft)、康百克(Compaq)等著名公司也數度面臨 絕境,其背後的艱辛、計謀及喜悅不僅代表了高科技人員的智慧,更流露出他們的血淚與無 奈。 在即將跨越20世紀的尾聲,作者斷言,穩坐龍頭地位數十年的IBM將要衰落,硬體業者難 以翻身,您可知道IBM的恐慌? 1999年12月31日,IBM大電腦就要跟我們說再見了!未來的世界景象--您可知道? CCL The history of operating system First software programmer in the world ADA 伯爵夫人 (work with Charles Babbage, 1792-1871) for a like-computer concept design 1981年美國國防部以此命名 ADA Language Intel (Integrated Electronics) In 1971, Busicom a Japanese company ask intel to design a processing-chip. In this project, hoff create a new concept let “software” reside in memory and executed by computing-processunit The first personal “CPU” product was produced by Intel named “4004”. in 1973,8bits Intel 8086 CCL The history of operating system CP/M (Control Program/Monitor) In 1974, Dr. Gary Kildall design CP/M CP/M-80 for Intel 8080 CP/M-86 for Intel 8088、8086 CP/M-68K for Motorola 68000 Microsoft In 1979,IBM ask Microsoft to design a operating system on Intel 8086 Microsoft buy the previous DOS (Disk operating system) source code from engineer Tim Paterson and then make the following DOS version and the compete with CP/M for IBM personal computer In 1987,IBM and Microsoft co-work to design OS/2 In 1990/5,released Windows 3.0 In 1992,released Windows NT CCL Why operating system? Pack low level system design including Hardware platform dependent procedure Support uniform system calls for upper layer program calling and speed up the production of software Not all program need to know the hardware spec.! OS and device drivers will handle those low level design issue Multi-Task and Memory Management Multi-process/thread schedule on single processor Support user-mode/kernel-mode to ensure the system stable/security issue Map different process into separate memory space to provide convenient process-level memory management and avoid the process-crash to effect the unstable issue of whole system CCL Why operating system? CPU initial booting address Boot loader OS Environment CPU System/Hardware initialization User User program program User program User program User program SDRAM Device Driver and IO control interface CCL Storage ex:HD、Flash I/O and Bus How to execute OS code? CPU Initial SDRAM 1 2 0xFFFFFFFF Boot Loader CPU Load 3 OS Storage ex:HD、Flash I/O and Bus 4 Load file system Physical Memory 0x00000000 CCL How to generate execution file? Compiler C、Basic、Pascal Assembly Machine Code Execution File Format Code Section Data Section Other dynamic environment section CCL Memory Space How OS load execution file? OS program loader Check file format OS Environment Initial environment or re-direct to the interpreter Memory Space execve Load called Load called DLLs Load called DLLs DLLs Execution File Format Code Section Dlls Dlls Dlls Data Section Execution File Image Other dynamic environment section CCL Kernel Calls Modern OSs will provide a set of kernel calls or device driver function interface for the kernel-mode programmer design issue DOS is a single mode OS, and it provide Interrupt 21h for programmer to control whole system Any program could access any hardware without any limitation A evil program/virus could easily crash/infect OS and propagate itself continuously Just could address to limited 1MB memory space The program could only use the 0-640kbytes. After Intel 80286 Intel support a “ Protected–mode” technology could support 32-bits command/address The previous DSO program is in “Real-mode” Microsoft release the DPMI(DOS Protected Mode Interface, interrupt 2f/31) solution on DOS and let the DOS program could access 4GB memory space easily CCL Kernel Calls Kernel calls could reside in Single-mode OS Privileged-enable OS Device driver interface will pack the kernel call function into more convenient function for the hardware driver designer User-mode program couldn’t call the kernel calls directly and must called via system calls CCL System Calls Operating system could define a set of system calls for upper layer programs. Usually it use the same way for the single mode kernel calls Under privileged mode, system calls is used just to user-mode program If the kernel mode code also want to use system calls, it will modify the data segment let the system map the correct data memory space The OS’s system calls will define the upper program limitation “capability” of this OS CCL Static library For simple program distribution purpose, don’t need to pack with any other libraries The defects of static library Big-Size for each execution file Hard to upgrade the function of system Need to recompile all programs with those functions Sample product Embedded English-Dictionary For non-mmu processor, it is hard to provide dynamic library Static-library support will be the default setting for that system architecture CCL Dynamic library Could divide different function into multiple dynamic library files Easy to upgrade the function Easy to maintain and need suitable memory mapping mechanism Execution files don’t need to contain all functions it used Minimum file size and system environment storage requirement CCL Real mode – x86 Single-Task Program could access any hardware and change system configuration Max-1MB memory addressing Hard to provide high-performance GUI Text-mode dialog based GUI CCL Protected Rings . Processor will be in real-mode first and then enter protected-mode The outside of the inner circles couldn’t access the inside code directly Based on the privileged level Rare OSs support ring 1 device driver to protect the ring 0 kernel code CCL Protected mode -x86 setting the PE bit in CR0 causes the 80386 to begin executing in protected mode current privilege level (CPL) starts at zero the segment registers continue to point to the same linear addresses as in real address mode mov or mov jmp eax,cr0 ax,1 cr0,eax $+2 ; ; ; ; Get control register 0 Set PE bit (bit #0) in (e)ax Activate protected mode! To flush the instruction queue. //The CPU is now executing in 16-bit protected mode. Make a far jump in order to //load CS with a selector to a 32-bit executable code descriptor. FJMP32 ...... ......... Start32: 08h,Start32 ; Jump to Start32 (below) CCL User-mode and kernel-mode memory space CCL User-mode Separate memory-space Any process execution status don’t effect other process User-mode program couldn’t access I/O device directly CCL Kernel-mode User-mode program couldn’t access kernel-mode code segment and data segment directly In X86 environment User could set “cr0” register to enter protected mode From 16-bits to 32-bits CCL How virus work? Usually it will infect System MBR System boot sector Hack to kernel-mode (Ring 0) from user-mode (Ring 3) Hack into OS from internet protocol defects Based on the protocol black-hole Based on the programming bugs Buffer-overflow File system Open/Read/Write actions Fill in the file format empty section (ex:PE) Move execution file entry code to other position and run the virus code first then jump to the original code Intercept the dynamic library function calls Based on file-format Execution file import table Directly modify the header of function calls CCL Boot - virus Infect the MBR/Boot sector Virus code will load before operating system Virus just could call BIOS interrupt or directly access hardware Current operating system won’t use BIOS calls after entering privileged mode Usually infect in the past operating system MS-dos CCL 384 bytes MBR Code Boot-sector Boot-sector Boot-sector File-inflected virus Infect file format and file system Infect file format Don’t change any file size Find the empty region of file format Infect file system Hook open/read/write operation Check it if doubly infect CCL Invade kernel mode For the system that IOPL (Input/output privileged level) equal ring 3 It will be easy to hack kernel just modify IDT (interrupt Descriptor Table) and trigger specific interrupt to hacking ring 0 For the kernel-mode protocol bug Hacker could use buffer-overflow or other protocol black-hole to hack OS and enter the kernel-mode protocol memory space to enter the ring 0 kernel-mode Infect the device driver file format Not a good idea,but it workss。。^_^ CCL Invade protocol layer Buffer-Overflow Stack Evil Code Function Parameters Specific addr. …….. Function Parameters Return Address Local variables ……. CCL Virtual memory management 31-22 21-12 11-0 Page Table Number Page Number Offset Page Table Entry Address Page Page Page Page Page Page Table Table Table Table Table Table Number Number Number Number Number Number Page Number Page Number …… 1024 entries Page Number 4Kbytes Page 4Kbytes Page Page Number Page Number …… 1024 entries Page Number 4Kbytes Page 4Kbytes Page Page Number Page Number …… 1024 entries Page Number 4Kbytes Page 4Kbytes Page 4Kbytes Page 4Kbytes Page ………. (2^10 = 1024 entries) Page Table Number Page Table Number Page Table Number 32-bits CCL 32-bits 4Kbytes Page Virtual memory management Virtual memory address translation PTE based address = 0x12340000 Virtual address = 0x1cc151a0 (binary = 0001 1100 1100 0001 0101 0001 1010 0000) Page Table Number: 0x073 (binary = 0001 1100 11) Page Number: 0x015 (binary = 00 0001 0101) Offset: 0x1a0 (binary = 0001 1010 0000) Every entry is 4-bytes Page Table Offset = 0x073 * 4 = 0x1cc Page Number Offset = 0x015*4= 0x054 Get Page table at the address 0x123401cc Page Table starting address 0x1258a000 Get page address 0x1258a054 Get the final page address “0x00020000” of physical memory The final data address is “0x000201a0” in the physical memory address CCL Inter-Process communication Mutex For application to check if any resource is used to decide waiting for free or leaving out Semaphore Sema = CreateSemaphore(the number of semaphore) Turn = WaitForSingleObject (Sema, 0) //check it there is any free semaphore and return immediately Mail-box Socket layer user-mode and kernel-mode could both use socket layer “port” for communication Shared-memory User-mode application could share the same memory space to exchange big data Send Message – win32 For small and not too many data exchange Good for win32 application to realize IPC CCL Device Driver Programming Bind IRQ and provide interrupt handling routine Re-map physical hardware address to virtual memory in kernel mode If it enable MMU Support DMA (Direct Memory Access) and continuous memory space Define a set of APIs for upper layer CCL How driver work with user-mode Application User-mode 1,DeviceIOControl (ioctl) 2,Blocking-Read (Driver Read Operation) 3,System Message 4,Via Socket Layer Kernel-mode Device Driver IRQ I/O Space CCL How application control hardware? Application User-mode 1,Re-Map Physical memory to user-mode virtual memory space via MMU 2,Device driver support device node with ioctl/read/write operation 3,Device driver define message type for application and driver communication Kernel-mode Device Driver IRQ I/O Space CCL File-system internal Windows 9x/ME IFSMgr A book Inside the Windows 95 File System IFSMgr, The Installable File System Manager CIFS (Common Internet File System) FAT (File Allocation Table)12/16/32 Support 32-bits and 16-bits file system access code Win32 interface 16-bits V86 mode interface CCL File-system internal Windows 9x/ME IFSMgr Application File System Interface OS IFSMgr Installable File System VFAT FSD Input/Output Supervisor CD ROM FSD Network Redirector Other OtherOtherOther Driver Driver DriverDriver SCSI Port Port Port Driver Driver Driver Miniport Driver CCL Network Subsystem File-system internal Windows 9x/ME IFSMgr + Network FS CCL File-system internal Linux VFS File system CCL File-system internal Linux VFS File system ….............. …..............….............. Starting kswapd VFS: Diskquotas version dquot_6.5.0 initialized devfs: v1.10 (20020120) Richard Gooch ([email protected]) devfs: devfs_debug: 0x0 devfs: boot_options: 0x1 Detected PS/2 Mouse Port. pty: 2048 Unix98 ptys configured Serial driver version 5.05c (2001-07-08) with MANY_PORTS MULTIPORT SHARE_IRQ S ….............. ….............. ….............. CCL Operating System Sub-system Windows NT Sub-System CCL Operating System Sub-system Sample of executing program in sub-system CCL Operating System Sub-system Lookup Sub-system in PE file format Device Driver *.SYS Win32 GUI Program Win32 Console Program CCL Operating System Sub-system Windows NT Sub-system mapping filename Services.exe Service Controller Process Winlogon.exe Logon Process Smss.exe Session Manager Process Psxss.exe POSIX Subsystem Process OS2ss.exe OS/2 Subsystem Process Csrss.exe Win32 Subsystem Process Ntdll.dll Internal Support Functions and System Service Dispatch stubs to Executive Functions Kernel32.dll Win32 Subsystem DLLs User32.dll GDI32.dll Psxdll.dll POSIX Subsystem DLL NTOSKRNL.EXE Executive and Kernel Hal.dll Hardware Abstraction Layer CCL Operating System Sub-system Windows NT DOS Script Sub-system Use cmd.exe to emulate command.com Could help to execute script files CCL Operating System Sub-system Windows NT DOS/Win16 Subsystem NTVDM.EXE DOS and Win16 program use the same subsystem CCL Operating System Sub-system Windows NT DOS/Win16 Subsystem Run more than one DOS/Win16 program CCL Linux CCL Linux The history of Linux Compare linux with various OSs From Kernel to user mode Hacking linux Kernel calls System calls Libraries Various modern linux solution Embedded linux GUI linux CCL Introduction of linux Embedded Linux attract many companies to join Linux 2.4+glibc+X Window+Mozilla Support many embedded windows system Tiny-X Microwindow Embedded QT.............etc 486 PC 做成的單張1.44MB磁片開機的Linux Router LRP﹝Linux Router Project﹞ 有許多Open Source 的Server,像Apache、SAMBA、Wu-FTP、Squid、 SendMail、Qmail、Postgres SQL...…,這些眾多的Server都可以整合到 1—16MB的Flash上 基於GPL,在自由開放的前提下吸引各地好手加入開發的行列 缺點在於使用者端的應用軟體仍有待加強 Internet Resource http://sourceforge.net/ http://freshmeat.net/ http://www.linuxdevices.com CCL The history of linux In 1987 Andrew Tanenbaum implement MINIX In 1991 Linus Torvalds don’t satisfy with the performance of minix Decide to develop a OS on INTEL 80386 User will need to find other third-party or open source solution for real-time requirement Linux is a monolithic kernel(集成式核心) not micro-kernel After 2.0 kernel,linux support dynamic loading kernel drivers (modules). It will be the first step to go ahead to micro-kernel. Linux is for generous purpose not RT-Kernel. In the future plan,linux will Separate more kernel component into different module More like micro-kernel architecture to support more flexibility CCL Non-MMU Linux uCLinux uÎ Micro CÎ Control Micro Control Linux For microcontrollers without Memory Management Units (MMUs). Block drivers Blkmem driver RAM disk driver use the Linux RAM disk device. This is commonly used in standard Linux for diskless booting. MTD driver The oldest and may well still be the most common choice for uClinux Specifically designed for uClinux, but it is relatively simple and only supports a handful of common NOR Flash memory types Support a huge variety of Flash devices, and offer powerful mechanisms for defining partitions and mappings. Root file-system for uCLinux Execution in Flash Compressed File-system CramFSÎ Efficient flash usage, not support XIP, need more memory to execute program, Read-Only Journaled Filesystem RomfsÎ Simple architecture, light-weight system resource ,Read-Only, Support XIP (Execute in place) JFFS/JFFS2Î Read/Write File-system, Log-Based (also support compression) ,not support XIP CCL RamdiskÎ Excellent Read/Write Performance ext2 Non-MMU Linux uCLinux kernel size is smaller than origial linux kernel Common Linux API uCkernel < 512 kb uCkernel + tools < 900 kb Original Linux use virtual memory to achieve it (even the physical memory space isn’t continuous) Not Design for Real-Time issue uClinux comes equipped with a full TCP/IP stack, as well as support for numerous other networking protocols Real memory mapping and no address translation table System need to allocate enough continuous memory space Use “flat” to execute program. ELF binary VS FLAT (elf2flt) FLAT format is designed to be a very light weight application binary format, no symbols, no debug info, and only a simple small header. CCL Non-MMU Linux uClinux booting Linear Memory Addressing BootLoader Linux Kernel RootFS Memory Technology Device Init Process (from busybox) CCL Process N-3 Process N-2 Process N-1 Process N Static Library Blkmem on uclinux Flash必須要可以讓CPU直接定址,運行程式碼 Ramdisk driver initialized : 16 ramdisks of 4096K size Blkmem copyright 1998,1999 D. Jeff Dionne Blkmem copyright 1998 Kenneth Albanowski Blkmem 1 disk images: 0: 309EF3C-638EF33B (RO) …………………………….. # more mounts << mounts >> /dev/root / romfs rw 0 0 /dev/ram0 /var ext2 rw 0 0 proc /proc proc rw 0 0 # CCL Compare linux with other OSs Network Performance Linux is usually used in networkenable device Linux network layer could bring you complete internet services in many hardware platforms CCL Compare linux with other OSs Network Performance In Pentium II 350 + 224MB memory, compare Linux 2.4.3 and Windows 2000 Server network performance Operating System Linux 2.4.3 Windows 2000 Transmit 10000 Packets(512bytes) 0.087 s 3.465 s Transmit 10000 Packets(1kbytes) 0.143 s 3.545 s Transmit 10000 Packets(2kbytes) 0.230 s 3.715 s Transmit 10000 Packets(64kbytes) 7.369 s 18.327 s Transmit 10000 Packets(512kbytes) 64.584 s 151.548 s Transmit 10000 Packets(1Mbytes) 129.938 s 309.635 s CCL Compare linux with other OSs Network Performance In Pentium II 350 + 224MB memory, compare Linux 2.4.3 and Windows 2000 Server network performance Operating System Linux 2.4.3 Windows 2000 Bandwidth in packet size 512bytes 56.124 MB/sec. 1.409 MB/sec. Bandwidth in packet size 1kbytes 68.291 MB/sec. 3.837 MB/sec. Bandwidth in packet size 2kbytes 84.918 MB/sec. 5.257 MB/sec. Bandwidth in packet size 64kbytes 84.815 MB/sec. 34.103 MB/sec. Bandwidth in packet size 512kbytes 77.419 MB/sec. 32.993 MB/sec. Bandwidth in packet size 1MB 76.96MB/sec. 32.296MB/sec. CCL Compare linux with other OSs Memory Architecture Linux 3-4GB Kernel Mode 0-3GB User Mode User processes are all running in user-mode memory CCL Compare linux with other OSs Memory Architecture Solaries in X86 在X86的機器上面, Solaris 8的Kernel Mode 是劃分到最上層 的記憶體位址,而真正 屬於Kernel Mode的 記憶體大小為512MB, 應用程式使用的動態函 式庫載入位址則由 0xE000000開始向下 延伸。應用程式載入的 起始點則由 0x08050000開始 CCL Compare linux with other OSs Memory Architecture Windows 9x/ME Every process use private memory space in 0-2GB 3-4GBÎWindows 9x/ME Kernel 2-3GBÎWin16 program and system shared library 0-2GBÎEvery process has its own memory space and specific library CCL Compare linux with other OSs Memory Architecture Windows 2000/XP 2-4GBÎKernel mode memory 0-2GBÎUser mode memory CCL Compare linux with other OSs System Calls Operating system support numerous functions in kernel-mode and called by user-mode program via “system-call” User-mode program couldn’t access privileged-level operation and must call those services with system-call Kernel could support this feature by Call-gate Interrupt-gate CCL Compare linux with other OSs System Calls Windows 2000/XP CCL Compare linux with other OSs System Calls Windows 2000/XP NTDLL.DLL中的NtAlertThread函式 B8 07 00 00 00 mov eax,7 8D 54 24 04 lea edx,dword ptr [esp+4] CD 2E int 2Eh C2 04 00 ret 4 CCL NtAlertThread(IN HANDLE ThreadHandle); eax(使用的函式編號) edx(NtAlertThread 所使用參數位址) Compare linux with other OSs System Calls Solaris CCL Compare linux with other OSs System Calls Solaris int my_fork() Call Gates { __asm__(" movl $0x2,%eax //SYS_fork lcall $0x27,$0x0 "); 透過一個遠程呼叫,改變CS﹝Code Segment﹞ 的值到Kernel Mode﹝Ring 0﹞中,如此可以 讓在User Mode﹝Ring 3﹞的程式,可以藉此 呼叫並執行位於Kernel Mode﹝Ring 0﹞的程 式碼。 } CCL Compare linux with other OSs System Calls ///usr/include/sys/syscall.h ....… Solaris 目前Solaris 8版本中,共定義了 256個 System Call的Number﹝由0--255﹞ CCL #define SYS_exit 1 #define SYS_fork 2 #define SYS_read 3 #define SYS_write 4 #define SYS_open 5 #define SYS_close 6 #define SYS_wait 7 ....… #define SYS_mount 21 #define SYS_umount 22 #define SYS_setuid 23 #define SYS_getuid 24 ....… Compare linux with other OSs System Calls Solaris Some system calls are implemented by Interrupt-gate gethrvtime b8 04 00 00 00 cd d2 c3 CCL movl $0x4,%eax int $0xd2 ret Compare linux with other OSs System Calls Linux ///arch/i386/kernel/entry.S int my_fork() { __asm__(" movl $0x2,%eax //SYS_fork int "); } CCL $0x80 Compare linux with other OSs System Calls Linux ARM Software Interrupt 00010c30 <__libc_open>: 00010c50 <__libc_read>: 10c30: ef900005 swi 10c34: e3700a01 cmn 10c38: 2a00035c bcs 10c3c: e1a0f00e mov 0x00900005 10c50: ef900003 swi 10c54: e3700a01 cmn 119b0 <__syscall_error> 10c58: 2a000354 bcs pc, lr 10c5c: e1a0f00e mov r0, #4096 ; 0x1000 00010c40 <__close>: 0x00900003 r0, #4096 ; 0x1000 119b0 <__syscall_error> pc, lr 00010c60 <__libc_write>: 10c40: ef900006 swi 10c44: e3700a01 cmn 10c48: 2a000358 bcs 10c4c: e1a0f00e mov 0x00900006 10c60: ef900004 swi 10c64: e3700a01 cmn 119b0 <__syscall_error> 10c68: 2a000350 bcs pc, lr 10c6c: e1a0f00e mov r0, #4096 ; 0x1000 CCL 0x00900004 r0, #4096 ; 0x1000 119b0 <__syscall_error> pc, lr Compare linux with other OSs System Calls Linux 2.1.x 比起 2.0.x 增加 了System Call,其中 包括了針對新架構 module所增加的 System Call﹝2.0.35 有166個,2.2.12 有 190個﹞ We can use Interrupt 80 to call Linux System Call From /linux/arch/i386/kernel/entry.s .long SYMBOL_NAME(sys_sched_get_priority_min) /* 160 */ .long SYMBOL_NAME(sys_sched_rr_get_interval) .long SYMBOL_NAME(sys_nanosleep) .long SYMBOL_NAME(sys_mremap) .long SYMBOL_NAME(sys_setresuid) .long SYMBOL_NAME(sys_getresuid)/* 165 */ .long SYMBOL_NAME(sys_vm86) .long SYMBOL_NAME(sys_query_module) .long SYMBOL_NAME(sys_poll) .long SYMBOL_NAME(sys_nfsservctl) .long SYMBOL_NAME(sys_setresgid)/* 170 */ .long SYMBOL_NAME(sys_getresgid) CCL Compare linux with other OSs System Calls Linux In arch/arm/kernel/calls.S __syscall_start: /* 0 */ .long sys_ni_syscall .long sys_exit .long sys_fork_wrapper .long sys_read .long sys_write /* 5 */ .long sys_open .long sys_close .long sys_ni_syscall /* was sys_waitpid */ .long sys_creat .long sys_link ……………………… CCL Compare linux with other OSs Kernel calls Operating system support numerous kernel calls for kernel-mode implementation and device-driver programming The code or module in kernel mode could call those functions directly CCL Compare linux with other OSs Kernel calls Windows 9x/ME Take a look at Windows 9x/ME system architecture Layer 1(Ring 0) VMM32.VXD (including multiple VXD) LE (Linear Execution) Format DPMI (Dos Protect Mode Interface) Server Layer 2 (Ring3) KRNL386.exe is 16-bits NE (New Execution) user-mode kernel code DPMI Client Layer 3 (Ring 3) Shell Interface Layer 4 (Ring 3) Other Windows Applications CCL Compare linux with other OSs Kernel calls Windows 9x/ME VMM32.vxd Is Windows 9x/ME real “kernel-mode” kernel It contain multiple kernel component With a MZ header but not a standard LE driver file format CCL Compare linux with other OSs Kernel calls Windows 9x/ME Use Microsoft command “exehdr” to show krnl386.exe NE Header and information CCL Compare linux with other OSs Kernel calls Windows 9x/ME Use interrupt 20h as kernel call interface The following “000100A7” is Use DDK (Device Driver Kit) to compile the following code VMMCall _Allocate_Device_CB_Area, <<SIZE VwatchD_CB_STRUCT>, 0> 0001 is the device id of VXD Service 00A7 is the service number in that VXD Service Table User could look up those device id and service number in DDK include files(ex: VMM.inc) And disassemble the binary file 6A 00 6A 04 CD 20 A7 00 01 00 83 C4 08 CCL push 0 push 4 int 20h dd 000100A7 add ESP,08 Compare linux with other OSs Kernel calls Windows 9x/ME How to make it more efficiently Kernel will translate interrupt calls into function address after the first time calling CCL Compare linux with other OSs Kernel calls Windows 9x/ME How Windows 98/ME support dual-format device driver WDM (Windows driver model) in PE format VXD in LE format Use DDK (Device Driver Kit) to compile the following code ntStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &deviceNameUnicodeString, FILE_DEVICE_UNKNOWN, 0,FALSE,DeviceObject); And disassemble the binary file FF1578020100 CALL DWORD PTR [NTOSKRNL=>IoCreateDevice] Then load the driver to memory and Windows 98/ME disassemble it use NTKERN.VXD to FF15380000FF CALL [FF000038] emulate Î0028:FF000038 DC 98 29 C0 Windows NT 0xC02998DC mapped to NTKERN.VXD ’s kernel “NTOSKRNL.EXE” memory space CCL Compare linux with other OSs Kernel calls Windows 2000/XP Called by function address and translated via import-table Device driver in PE format The same as user-mode program and dynamic libraries CCL Compare linux with other OSs Import Descriptor Original First Thunk: 001F3DB4 Time Date Stamp: 00000000 Forwarder Chain: 00000000 Windows XP Name: 001F3D94 (HAL.dll) First Thunk: 00000580 ntoskrnl.exe Ordn Name Export Directory 32 HalReportResourceUsage Section Header Characteristics: 00000000 5 HalAllProcessorsStarted Name: .text Time Date Stamp: 41108004 ........................ Virtual Size: 00071DC1 Version: 0.00 001F3EB8 Virtual Address: 00000580 Name: 001AE116 (ntoskrnl.exe) Original First Thunk: Time Date Stamp: 00000000 Size of Raw Data: 00071E00 Base: 00000001 Forwarder Chain: 00000000 Pointer to Raw Data: 00000580 Number of Functions: 000005CB Name: 001F3D9C Pointer to Relocations: 00000000 Number of Names: 000005CB (BOOTVID.dll) Pointer to Line Numbers: 00000000Address of Functions: 001AA728 First Thunk: 00000684 Number of Relocations: 0000 Address of Names: 001ABE54 Ordn Name Number of Line Numbers: 0000 Address of Name Ordinals: 001AD580 5 VidInitialize Characteristics: 68000020 Func Adr Ordn Name 3 VidDisplayString Contains Code 000047D5 1 ExAcquireFastMutexUnsafe ............................ Mem not pageable 000937AF 2 ExAcquireRundownProtection 001F3EE4 Mem executable 0016CB50 3 ExAcquireRundownProtectionEx Original First Thunk: Time Date Stamp: 00000000 Mem readable 0016CB17 4 ExInitializeRundownProtection Forwarder Chain: 00000000 0000C495 5 ExInterlockedAddLargeStatistic 001F3DA8 (KDCOM.dll) 0000C5BE 6 ExInterlockedCompareExchange64 Name: First Thunk: 000006B0 0000B9C9 7 ExInterlockedFlushSList Ordn Name 0000B9EF 8 ExInterlockedPopEntrySList 0 KdD0Transition 0000BA10 9 ExInterlockedPushEntrySList 1 KdD3Transition 0016CB27 10 ExReInitializeRundownProtection 5 KdRestore 000047FA 11 ExReleaseFastMutexUnsafe ....................... 00004BD0 12 ExReleaseResourceLite 000937ED 13 ExReleaseRundownProtection 0016CBA3 14 ExReleaseRundownProtectionEx ....................... Kernel calls CCL Compare linux with other OSs Kernel calls Windows XP Other kernel-mode drivers (*.sys) Kernel-mode core components NTOSKRNL.exe hal.dll kdcom.dll bootvid.dll CCL Compare linux with other OSs Kernel calls Solaris DDI﹝Device Driver Interface﹞ DKI﹝Driver Kernel Interface﹞ Support “source code” level compatible CCL Compare linux with other OSs Kernel calls Solaris DDI functions /usr/ccs/bin/nm /kernel/genunix ............ [3333] | [3447] | [2917] | [2447] | [2083] | [1048] | [3472] | [1038] | [3643] | [3622] | [4525] | [2406] | ............ 532448| 550456| 518812| 518800| 518824| 550024| 532480| 536420| 516844| 532244| 518484| 518528| 12|FUNC |GLOB |0 40|FUNC |GLOB |0 12|FUNC |GLOB |0 12|FUNC |GLOB |0 48|FUNC |GLOB |0 160|FUNC |LOCL |0 224|FUNC |GLOB |0 124|FUNC |LOCL |0 12|FUNC |GLOB |0 8|FUNC |GLOB |0 44|FUNC |GLOB |0 44|FUNC |GLOB |0 CCL |1 |1 |1 |1 |1 |1 |1 |1 |1 |1 |1 |1 |ddi_add_child |ddi_add_eventcall |ddi_add_fastintr |ddi_add_intr |ddi_add_softintr |ddi_all_drivers_devid_to_devlist |ddi_append_dev |ddi_append_minor_node |ddi_apply_range |ddi_binding_name |ddi_btop |ddi_btopr Compare linux with other OSs Kernel calls Solaris Kernel “genunix” is loaded by krtld CCL Compare linux with other OSs Kernel calls Solaris 標示為 “FUNC” 的Symbol就是我們可以在撰寫Solaris驅動程式時呼叫的函式。 # /usr/ccs/bin/elfdump /dev/ksyms ............….... ksyms (kernel [1] 0xfe8051c4 0x0000000e FUNC LOCL 0 ABS symbols [2] 0xfe81dffe 0x00000000 NOTY LOCL 0 ABS driver) will update the [3] 0xfe8051d4 0x0000000e FUNC LOCL 0 ABS kernel [4] 0xfe8051e4 0x0000000e FUNC LOCL 0 ABS symbol table [5] 0xfe8051f4 0x0000000e FUNC LOCL 0 ABS after we [6] 0xfe805204 0x0000000e FUNC LOCL 0 ABS load/unload [7] 0xfe805214 0x0000000e FUNC LOCL 0 ABS any kernel[8] 0xfec024bc 0x00000008 OBJT LOCL 0 ABS mode driver [9] 0xfe81d022 0x00000000 NOTY LOCL 0 ABS Drivers could [10] 0xfe805224 0x0000000e FUNC LOCL 0 ABS call each[11] 0xfec04f10 0x00000000 NOTY LOCL 0 ABS other ............….... functions [7048] 0xfea777c4 0x00000250 FUNC LOCL 0 ABS based on “driver-stack” [7049] 0xfe80e900 0x00000014 FUNC GLOB 0 ABS [7050] 0xfe80e8c4 0x00000014 FUNC GLOB 0 ABS resolved [7051] 0xfe81d3b0 0x0000001a FUNC GLOB 0 ABS ............….... CCL kadb_error10 audit_anchorpath_L kadb_error11 kadb_error12 kadb_error13 kadb_error14 kadb_error15 kstat_hash_table recv_L kadb_error16 sec_svc_control_inf fdc_enhance_probe ddi_dma_unbindhdl ddi_dma_allochdl lm_shrlock Compare linux with other OSs Kernel calls Linux Usually we name Linux device driver as “module” It support dynamic-driver loading after kernel version 2.0 Kernel will maintain driver function symbol and kernel current symbol into the same kernel symbol table and could be called by other kernel-mode modules CCL Compare linux with other OSs Kernel calls Linux ELF <Executable and Linking Format> is a common file format in Linux Linux Driver Driver is a ELF relocatable file﹝Object file﹞ It will be dynamic-link when loading into kernel,otherwise it will show error message “unresolved symbo ”。 CCL Compare linux with other OSs Kernel calls Linux The function names in /proc/ksyms could be called by linux device driver Some of them are from Kernelsource code and declare ”EXPORT _SYMBOL()” Some of them are from device driver 函式後方的編號,是該版本 的32位元CRC資料,用來確 認函式呼為正確版本 CCL Compare linux with other OSs Kernel calls Linux Declare kernel export function and driver “Only” could call those limitedfunctions The other kernel functions are invisible for linux device driver From linux/kernel/ksyms.c EXPORT_SYMBOL(panic); EXPORT_SYMBOL(printk); EXPORT_SYMBOL(sprintf); EXPORT_SYMBOL(vsprintf); EXPORT_SYMBOL(kdevname); EXPORT_SYMBOL(bdevname); EXPORT_SYMBOL(cdevname); EXPORT_SYMBOL(simple_strtoul); EXPORT_SYMBOL(system_utsname);/* UTS data */ EXPORT_SYMBOL(uts_sem);/* UTS semaphore */ EXPORT_SYMBOL(sys_call_table); EXPORT_SYMBOL(machine_restart); EXPORT_SYMBOL(machine_halt); CCL Compare linux with other OSs Kernel calls Linux CCL Compare linux with other OSs Kernel calls Linux “printk_R2gig_1b7d4074” 前 面有一個符號 “U”,這即表示 printk這個symbol尚未經過連 結。 函式”printk”之後的” R2gig_1b7d4074”字串,為 Linux解決kernel 版本問題,而 在各kernel symbol之後附加的 32位元的CRC(Cyclic Redundancy Code) 。 當module載入到系統時, insmod會去比對所載入module 使用的symbol CRC值是否與目 前kernel所提供的CRC值一致。 兩者如果一樣的話,表示此函式 與載入module所要呼叫的函式相 同,並未有版本相容的問題。除 了CRC值的確認外,並透過取得 module中所紀錄 的 ”kernel_version”,與目前的 kernel版本做比較 CCL Compare linux with other OSs Dynamic Library Why we need dynamic-loading libraries Compact the memory space requirement Minimum the execution file size Easy to maintain shared-libraries functions. After we update some functions, don’t need to re-compile all execution files What we need for getting dynamic-libraries supports Memory-mapping mechanism Multiple virtual memory space map to the same physical memory space Shared the same “Code” segment and support copy-on-write to avoid any advanced programming skill “hacking-code” Windows 9x/ME load system-dlls in 2-3GB memory space Linux/Windows 2000/XP map individual dll into separately process memory space to avoid evil “code-injecting” Execution file format need to support those tables at the begin of file, and program loader will parse those relative tables to load specific dynamic libraries CCL Compare linux with other OSs Dynamic Library Windows 9x/ME/2000/XP Support PE format Dynamic Loading Libraries User-mode program could refer to the same DLL in different virtual-address mapped to the same physical-space Use copy-on-write mechanism to minimum the physical memory requirement CCL Compare linux with other OSs Dynamic Library Windows 9x/ME/2000/XP For a execution file CCL Import Descriptor Original First Thunk: 0001F678 Time Date Stamp: FFFFFFFF Forwarder Chain: FFFFFFFF Name: 0001F650 (msvcrt.dll) First Thunk: 00001000 Ordn Name 133 __p__fmode 128 __p__commode 182 _adjust_fdiv 154 __setusermatherr 315 _initterm ........ Original First Thunk: 0001F7A0 Time Date Stamp: FFFFFFFF Forwarder Chain: FFFFFFFF Name: 0001F65C (KERNEL32.dll) First Thunk: 00001128 Ordn Name 229 FlushConsoleInputBuffer 577 LoadLibraryA ........ Original First Thunk: 0001F964 Time Date Stamp: FFFFFFFF Forwarder Chain: FFFFFFFF Name: 0001F66A (USER32.dll) First Thunk: 000012EC Ordn Name 359 GetUserObjectInformationW 353 GetThreadDesktop 475 MessageBeep ........ Compare linux with other OSs Dynamic Library Windows 9x/ME/2000/XP Export Directory For a dll file Import Descriptor Original First Thunk: Time Date Stamp: Forwarder Chain: Name: First Thunk: Ordn Name 21 7 54 WSARecvFrom 52 WSARecv 000030C8 FFFFFFFF FFFFFFFF 000030AC (WS2_32.dll) 00001000 Original First Thunk: 000030DC Time Date Stamp: FFFFFFFF Forwarder Chain: FFFFFFFF Name: 000030B8 (KERNEL32.dll) First Thunk: 00001014 Ordn Name 137 DisableThreadLibraryCalls 445 GetSystemTimeAsFileTime 316 GetCurrentProcessId 318 GetCurrentThreadId ....... Characteristics: 00000000 Time Date Stamp: 41107EDB Version: 0.00 Name: 0000248E (WSOCK32.dll) Base: 00000001 Number of Functions: 00000476 Number of Names: 0000004B Address of Functions: 000010F4 Address of Names: 000022CC Address of Name Ordinals: 000023F8 Func Adr Ordn Name 00002BE7 1 accept (Forward Chain: ws2_32.accept) 00002BF5 2 bind (Forward Chain: ws2_32.bind) 00002C01 3 closesocket (Forward Chain: ws2_32.closesocket) 00002C14 4 connect (Forward Chain: ws2_32.connect) 00002C87 5 getpeername (Forward Chain: ws2_32.getpeername) 00002CF2 6 getsockname (Forward Chain: ws2_32.getsockname) 00002EDA 7 getsockopt 00002D05 8 htonl (Forward Chain: ws2_32.htonl) 00002D12 9 htons (Forward Chain: ws2_32.htons) 00002D1F 10 inet_addr (Forward Chain: ws2_32.inet_addr) 00002D45 11 inet_ntoa (Forward Chain: ws2_32.inet_ntoa) 00002D56 12 ioctlsocket (Forward Chain: ws2_32.ioctlsocket) CCL Compare linux with other OSs Dynamic Library Windows 9x/ME/2000 /XP How to hack windows dynamic libraries CCL Compare linux with other OSs Dynamic Library Windows 9x/ME/2000/X P How to hack windows dynamic libraries CCL Compare linux with other OSs Dynamic Library Linux #include <stdio.h> int main() { printf("\ntest"); } [root@hlchou /root]# gcc test.c -o test [root@hlchou /root]# ldd test libc.so.6 => /lib/libc.so.6 (0x40016000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) CCL Compare linux with other OSs Dynamic Library Linux [root@hlchou /root]# file test test: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (use s shared libs), not stripped CCL Compare linux with other OSs Dynamic Library Linux [root@hlchou /root]# ls -l test -rwxr-xr-x 1 root root 11694 Oct 24 02:31 test 經過strip後,則變為 3004 bytes [root@hlchou /root]# strip test [root@hlchou /root]# ls -l test -rwxr-xr-x 1 root root 3004 Oct 24 02:48 test CCL Compare linux with other OSs Dynamic Library Linux [root@hlchou /root]# gcc -static test.c -o test [root@hlchou /root]# ldd test not a dynamic executable [root@hlchou /root]# file test test: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, not stripped [root@hlchou /root]# ls -l test -rwxr-xr-x 1 root root 932258 Oct 24 02:51 test [root@hlchou /root]# strip test [root@hlchou /root]# ls -l test -rwxr-xr-x 1 root root 215364 Oct 24 02:55 test CCL Compare linux with other OSs Dynamic Library Linux 用來刪去動態函式庫中不必要函式的工具,針對這個只用到了 printf的程式來產生新的 libc.so的話,我們可以得到一個精簡過的 libc.so 大小約為 219068 bytes [root@hlchoua lib]# ls -l libc.so* -rwxr-xr-x 1 root lrwxrwxrwx 1 root root root 219068 Nov 2 04:47 libc.so 7 Nov 1 03:40 libc.so.6 -> libc.so CCL Compare linux with other OSs Dynamic Library Linux [root@hlchoua /root]# ldd /bin/ls libc.so.6 => /lib/libc.so.6 (0x40016000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) [root@hlchoua /root]# ldd /bin/pwd libc.so.6 => /lib/libc.so.6 (0x40016000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) [root@hlchoua /root]# ldd /bin/vi libtermcap.so.2 => /lib/libtermcap.so.2 (0x40016000) libc.so.6 => /lib/libc.so.6 (0x4001b000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) CCL Compare linux with other OSs Dynamic Library Linux [root@hlchoua /root]# ldd /lib/libc.so.6 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) [root@hlchoua /root]# ldd /lib/ld-linux.so.2 statically linked CCL Compare linux with other OSs Dynamic Library Linux 當我們執行程式時,系統會到哪些目錄去搜尋執行檔所用到的函式庫呢? 其實如果我們去檢 視 ”/etc/ld.so.conf” 檔案中的內容如下: /usr/X11R6/lib /usr/i486-linux-libc5/lib CCL Compare linux with other OSs Dynamic Library Linux 程式用到了libreadline.so.3這個動態函式庫,若把這個函式庫移除了,所以實際上,它並不存 在這台電腦中,當啟動有用到libreadline.so.3的執行檔時,系統會先去檢視這個函式庫是否在 動態函式庫的快取(檔名為ld.so.cache)中存在,如果不存在的話,系統仍會試著去找尋這個動 態函式庫的檔案,它所搜尋的路徑如下順序 /lib/i686/mmx/libreadline.so.3 /lib/i686/libreadline.so.3 /lib/mmx/libreadline.so.3 /lib/libreadline.so.3 /usr/lib/i686/mmx/libreadline.so.3 /usr/lib/i686/libreadline.so.3 /usr/lib/mmx/libreadline.so.3 /usr/lib/libreadline.so.3 CCL Compare linux with other OSs Dynamic Library Linux 這種逐一目錄尋找的方式很缺乏效率,因此Linux提供了一個動態函式庫快 取的機制,它所存在的檔案位置為 /etc/ld.so.cache,舉我們之前的例子來說, 在ld.so.conf裡面紀錄了系統搜尋動態函式庫時所會依序去尋找的路徑,如 果把所要加入的動態函式庫檔案所存在的路徑加入此處,或是以下路徑的 其中之一,這樣我們執行程式時,便可以縮短函式庫搜尋所花的時間 /lib/ /usr/lib/ CCL Compare linux with other OSs Dynamic Library Linux 把libreadline.so.3放到 /root/lib中,並且修改/etc/ld.so.conf檔案的內容如下 /usr/X11R6/lib /usr/i486-linux-libc5/lib /root/lib 接著把動態函式庫檔案libreadline.so.3移到/root/lib目錄下,執行ldconfig –D, 可以看到它會依序到以下目錄去建立動態函式庫的快取 /usr/X11R6/lib /usr/i486-linux-libc5/lib /root/lib /usr/lib /lib CCL Compare linux with other OSs Dynamic Library Linux 在這張圖中,程式是由記憶體0x08048000開始載入的,而所用 到的動態函式庫則是在記憶體位置0x40000000開始載入 40000000-40001000 /usr/share/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGE S 40001000-40002000 /usr/share/locale/en_US/LC_MONETARY 40002000-40003000 /usr/share/locale/en_US/LC_TIME 40003000-4000b000 /lib/libnss_files-2.1.2.so 4000b000-4000c000 /lib/libnss_files-2.1.2.so 4000c000-400f7000 /lib/libc-2.1.2.so 400f7000-400fb000 /lib/libc-2.1.2.so 400fb000-400ff000 0 400ff000-40111000 /lib/ld-2.1.2.so 40111000-40112000 /lib/ld-2.1.2.so 40112000-4011b000 /lib/libnss_nisplus-2.1.2.so ......…(more) CCL Compare linux with other OSs Dynamic Library Linux How linux kernel load a execution program CCL Compare linux with other OSs Dynamic Library Linux 在函式do_load_elf_binary () 執行時,首先會去檢視目前的檔案是否為ELF 格式,如下程式碼 if (elf_ex.e_ident[0] != 0x7f || strncmp(&elf_ex.e_ident[1], "ELF", 3) != 0) goto out; 便是去檢查該檔的前四個 bytes是否為 0x7f 加上 “ELF” (0x 45 0x4c 0x46), 若非,則結束do_load_elf_binary的執行。之後,便是去檢視我們之前提過 的 e_type 屬性,來得知是否為ET_EXEC(Executable File) 或是 ET_DYN(Shared Object File) 這兩個值的其中之一 if (elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN) goto out; 如果都不是這兩個值之一,便結束do_load_elf_binary的執行 之後便是一連串讀取ELF 檔表格的動作,在此就不多說,各位可以自行參閱 /usr/src/linux/fs/binfmt_elf.c的內容即可。 CCL How to minimum dynamic libraries? Dynamic Library (*.so) obj obj obj obj obj obj obj obj A thin library for embedded device CCL How to minimum dynamic libraries? Parsing ELF Header Parsing ELF Header Execution file Execution file Execution file Execution file Execution file Execution Executionfile file Library Project Library Project Library Project Library LibraryProject Project All functions provided from each obj file All functions Mapping CCL Re-link a new library package How to minimum dynamic libraries? [/root/VoIP/wavplay-1.4]nm wavfile.o 00000134 T WaveReadHeader 0000003c T WaveWriteHeader U __errno_location U __udivsi3 00000014 b buffer.91 00000000 t err 000003d4 T findchunk 00000000 t gcc2_compiled. U lseek U memcpy 00000000 r rcsid U read U sys_errlist 00000414 b v_erf 00000000 b waveformat.90 00000000 d waveheader U write [/root/VoIP/wavplay-1.4] CCL Linux booting # fdisk /dev/hda Command (m for help): p Disk /dev/hda: 255 heads, 63 sectors, 9729 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start /dev/hda1 * 1 /dev/hda2 7 /dev/hda3 9665 End 6 Blocks Id System 48163+ 83 Linux 9664 77577885 83 Linux 9729 522112+ 82 Linux swap Command (m for help): CCL Linux booting ./dump -h /dev/hda|more 0000001b 0000 0000 0000 0000 CF6E 3DBA 0000 8001 0000001c 0100 83FE 3F05 3F00 0000 4778 0100 0000 0000001d 0106 83FE FFFF 8678 0100 3A7D 3F09 00FE 0000001e FFFF 82FE FFFF C0F5 4009 01EF 0F00 0000 0000001f 0000 0000 0000 0000 0000 0000 0000 55AA CCL Linux booting (IDE) C:\debug -a100 0DAE:0100 mov ax,0201 <讀取一個磁區> 0DAE:0103 mov bx,200 <載入到記憶體篇移位址ES:200即0DAE:0200 - 0DAE:03FF共512bytes> 0DAE:0106 mov cx,1 0DAE:0109 mov dx,80 <即為讀取第一個硬碟的Partition> 0DAE:010C int 13 0DAE:010E int 3 <int 3 為 debug 中斷> •AH = function number, 02h in this case 0DAE:010F •AL = number of sectors to read (must be nonzero) -g=100 •CH = low 8 bits of cylinder number 0DAE:03B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 01 ................ 0DAE:03C0 01 00 06 3F BF 3B 3F 00-00 00 C1 30 23 00 80 00 ...?.;?....0#... •CL = high 2 bits of cylinder number and 6-bit sector number as follows: 0DAE:03D0 81 3C 83 3F FF 26 00 31-23 00 40 75 0E 00 00 00 .<.?.&.1#.@u.... •high-order bits 6-7 (hard disk only) contain high 2 bits of cylinder number 0DAE:03E0 C1 27 82 3F FF 3A 40 A6-31 00 00 3B 01 00 00 00 .'.?.:@.1..;.... •low-order bits 0-5 contain sector number (1-63) 0DAE:03F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U. •DH = head number •DL = drive number (bit 7 set for hard disk) •ES:BX = data buffer CCL Linux booting (IDE) 每個硬碟共有 16 byets的空間來記錄,它所紀錄下的資料分別為 00h --> 啟動指示,若為80h 代表可啟動的分割 01h-03h --> Begin CHS 04h --> 作業系統指示 05h--07 --> End CHS 08h --> Partition Start 0ch --> Partition Size (CHS(Cylinder(10bits), heads(8bits), sectors(6bits)) 8GB limited from “512bytes * CHS[1024x256x63] “= 8GB) C = ((byte2 & 0xc0) << 2) + byte3 H = byte1 S = byte2 & 0x3f 作業系統指示的資料又有 00h --> 無 01h -->DOS 12 bit 的FAT 04h -->DOS 16 bit 的 FAT 05h 06h 07h -->DOS 3.3+ 的延伸分割 (即為延伸分割區,裡面還可以再包含其它的邏輯分割區) -->DOS 大型檔案系統 (Win NT的 16bit FAT 即為此) --> OS/2 HPFS 0Ah --> OS/2 boot manage 0Bh -->使用 Win 95 32bit FAT 即為此 82h -->Linux swap 的分割區 83h -->Linux native的分割區 CCL Linux booting (Floppy) objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage Boot sector 512 bytes. Setup is 4792 bytes. System is 1022 kB CCL Linux booting (loadlin.exe) Support “DOS” command mode Linux Loader (could work with Free-DOS) loadlin c:\linux\vmlinuz root=/dev/hda3 CCL Linux booting (syslinux) Easy-to-use MS DOS environment linux booting utility // config file “syslinux.cfg” default linux prompt 1 timeout 1 label linux kernel linux append ramdisk_size=32768 initrd=image.gz CCL Linux booting (lilo) Could install in Boot Sector MBR(Master Boot Record) (446bytes) Use BIOS interrupt to access hard disk // /etc/lilo.conf 裝置 prompt timeout=50 default=linux IDE1 master hda, hda1, hda2 IDE1 slave hdb, hdb1, hdb2 IDE2 master hdc, hdc1, hdc2 IDE2 slave hdd, hdd1, hdd2 lba32 ÎLBA mode image=/boot/vmlinuz label=linux root=/dev/hda2 read-only CCL Lilo Linux booting (grub) Need a separate partition to place Grub files Support CHS/LBA could boot kernel after 8GB offset Support User Menu 裝置 // /boot/grub/grub.conf title Red Hat Linux (2.4.18-3) Grub IDE1 master (hd0), (hd0,0), (hd0,1) IDE1 slave (hd1), (hd1,0), (hd1,1) root (hd0,0) kernel /vmlinuz-2.4.18-3 ro root=/dev/hda2 IDE2 master initrd /initrd-2.4.18-3.img IDE2 slave CCL (hd2), (hd2,0), (hd2,1) (hd3), (hd3,0), (hd3,1) Linux booting (initrd file) //In RedHat initrd-2.4.18-3.img is used to support “ext3” or “SCSI” to avoid “kernel” not supporting it and making “booting” failure [root@pc085229 check_initrd]# ls initrd-2.4.18-3.img [root@pc085229 check_initrd]# gzip -dc initrd-2.4.18-3.img > initrd-2.4.18-3 [root@pc085229 check_initrd]# mkdir test [root@pc085229 check_initrd]# mount -o loop initrd-2.4.18-3 test [root@pc085229 check_initrd]# ls test bin dev etc lib linuxrc loopfs proc sbin sysroot [root@pc085229 check_initrd]# CCL Hacking linux kernel Linux Kernel Message We will use the two packages Sysklogd and utillinux in Linux environment Sysklogd klogd是紀錄Linux 核心訊息與Linux核心模組訊息,每當核心程 式呼叫printk時,就可以由這個User-Mode的klogd程式來負責 把此時的核心訊息紀錄下來 syslogd則是負責User-Mode程式所需紀錄的系統訊息(例如紀 錄在/var/log/messages的系統訊息). util-linux 包含許多有用的系統工具軟體 arch(取得硬體架構) ipcs(取得目前Process間通訊機制的資訊 dmesg可以在User-Mode動態的查詢目前系統的核心訊息. CCL Hacking linux kernel Linux Kernel Message Start End CCL Hacking linux kernel Linux Kernel Message Ring Buffer for Linux Kernel Message CCL Hacking linux kernel Linux Kernel Message Ring Buffer for Linux Kernel Message Ring Buffer的運作為在log_buf所配置的記憶體空間裡 log_start紀錄著下一筆要透過sys_syslog讀出的訊息位址 con_start紀錄著下一筆要在使用者電腦console前輸出的訊息位址 log_end紀錄著可供下一筆訊息寫入的位址,如果使用者寫入 log_buf的訊息超過了log_buf所配置的記憶體空間,就會從log_buf的起始 位址繼續寫入. 不過由於log_start,log_end都是會不斷的增加,所以在 log_buf中定址時,會與LOG_BUF_MASK作 "&" 運算,讓 log_start,log_end的值只在0-LOG_BUF_LEN的範圍內 CCL Hacking linux kernel Linux Kernel Message Ring Buffer for Linux Kernel Message (log_end&LOG_BUF_MASK) 超過了log_buf的記憶體空間後,又 由log_buf起始點開始寫入,如此就如同一個環形,可以不斷的把訊息寫 入,並且維持一個最大為LOG_BUF_LEN大小的訊息儲存空間. CCL Hacking linux kernel Linux Kernel Message Klogd and dmesg Klogd(klogd -f /dev/pts/0 )與dmesg主要用到兩個System Call,分別為 sys_syslog(103)與sys_get_kernel_syms(130).這兩個Linux System Call會定義在 X86Îsrc/arch/i386/kernel/entry.S ArmÎsrc/arch/arm/kernel/calls.S .long SYMBOL_NAME(sys_syslog) /* 103 */ .long SYMBOL_NAME( sys_get_kernel_syms ) /* 130 */ CCL Hacking linux kernel Linux Kernel Message CCL Hacking linux kernel Linux driver module Kerneld VS Kmod Linux 2.0.xÎ主要是透過一個User Mode的 ”Kerneld” Daemon, 處理來自Kernel要求載入Driver的工作,並經由執行 “modprobe” 指令載入所需的Driver Linux 2.1.xÎ則交由 “kmod” 這個Kernel Mode程式,透過產生 一個kernel thread來執行”modprobe”指令載入Driver CCL Hacking linux kernel Linux driver module Kerneld CCL Hacking linux kernel Linux driver module Kerneld kerneld在啟動時會把自己初始化 為一個user mode的daemon, 在程式一切準備就緒後,便開始 接收系統所發出的IPC(Internal Process Comunication) Message。若kernel要把某個 module載入系統時,便會透過發 出IPC Message的方式,來通知 kerneld載入該module。它所能 辨識的Message Type有數種, 我在圖中僅列出其中的兩種。 如果收到的Message Type為 KERNELD_REQUEST_MODUL E,則透過外部呼叫,執行 “modprobe”這隻程式,來把所要 求的module載入系統中。若收到 的Message Type為 KERNELD_RELEASE_MODUL E,亦透過”modprobe”來移除 module。 CCL Hacking linux kernel Linux driver module kmod CCL Hacking linux kernel Linux driver module Kmod kernel 2.1.x之後Îkernel載入Driver時,透過kmod, 無須由kernel發出IPC Message給user mode 的 kerneld,可直接在kernel mode執行 request_module()透過 ”modprobe”載入module 函式request_module()呼叫 ”kernel_thread()” 產生 kernel thread來執行 “exec_modprobe()”。 在 ”exec_modprobe()” 中則透過”execve()” 以在 kernel mode裡外部執行modprobe。 直接在Kernel 中載入驅動程式,比起Kerneld更加簡潔 與有效率 CCL Hacking linux kernel Linux driver module kmod CCL Hacking linux kernel Linux driver module lsmod Linux 2.0.xΔlsmod”開啟檔案“/proc/modules” Linux 2.1.x Î系統提供了函式” query_module” 在kernel 2.0.x時,指令”lsmod”是去開啟檔案 “/proc/modules” 來得知系統中,已載入哪些Module。不過到 了kernel 2.1.x以後,系統提供了函式” query_module”。因此, 此時”lsmod”的實作便是透過呼叫query_module來取得系統已 載入module的相關資料。有關lsmod的實作,可以參考 modutils-2.1.85中的lsmod.c。 CCL Hacking linux kernel Linux driver module lsmod .long .long .long .long .long .long .long .long .long .long .long .long .long .long .long SYMBOL_NAME(sys_sched_get_priority_min)/* 160 */ SYMBOL_NAME(sys_sched_rr_get_interval) SYMBOL_NAME(sys_nanosleep) SYMBOL_NAME(sys_mremap) SYMBOL_NAME(sys_setresuid) SYMBOL_NAME(sys_getresuid)/* 165 */ SYMBOL_NAME(sys_vm86) SYMBOL_NAME(sys_query_module) SYMBOL_NAME(sys_poll) SYMBOL_NAME(sys_nfsservctl) SYMBOL_NAME(sys_setresgid)/* 170 */ SYMBOL_NAME(sys_getresgid) SYMBOL_NAME(sys_prctl) SYMBOL_NAME(sys_rt_sigreturn) SYMBOL_NAME(sys_rt_sigaction) CCL kernel 2.1.x之後所提供的函 式”query_module”,我們以 /arch/i386/kernel/entry.s 這檔案來比較kernel 2.0.35 與2.2.12在sys_call_table的 不同。其中,2.0.35共有0— 166個System Call (亦即 80 號中斷的服務),而2.2.12則 有0---190個System Call, 其中所提到的函 式”query_module”則為第 167個函式。 Hacking linux kernel Linux driver module Modprobe Modprobe 會解決 Module Stack的問題, 避免Module載入過程中呼叫其它未載入Module所提 供函式,而造成的”unresolved symbol” 錯誤 Modprobe透過函式 system()執行insmod來載 入其它module CCL Hacking linux kernel Linux driver module modprobe CCL Hacking linux kernel Linux driver module CCL Hacking linux kernel Linux driver module CCL Hacking linux kernel Linux driver module insmod 載入流程大略簡化如下 ﹝1﹞搜尋Module所在的路徑(呼叫search_module_path() ) ﹝2﹞比對目前環境Kernel版本與Module是否一致 ﹝3﹞比對Kernel與Module的CRC值是否正確 ﹝4﹞把目前Module中尚未定義的symbol,與目前kernel及已載入的 module之symbol做連結。 ﹝5﹞把載入Module時使用者所加入的引數傳給Module ﹝6﹞建立新Module的Symbol Table ﹝7﹞在Kernel配置記憶體給Module,並把載入的Module由User Mode重 置到Kernel Mode的記憶體,執行init_module() 進行初始化 Linux 動態載入 Module 介紹 CCL http://www.linuxfab.com/indexColumnData.php?CID=84&FIRSTHI T=1 Hacking linux kernel Linux driver module stack Module所Reference到的Symbol也可能存在其它Module中 例﹕ÎModule A 使用了Module B的函式,當A Module載入到系統時,若B Module此時不存在系統中,便會發生unresolved symbol的錯誤。因此要解決 Module Stack所引發的問題,我們可以在insmod A Module前,先把B Module 載入到系統中 如下圖的例子 module Y呼叫了module X所提供的函式,則module Y->deps會指向一個 module_ref結構 module X被module Y呼叫,所以module X->refs會指向圖中的module_ref結 構 module Y並未被其它的module所呼叫,所以module Y->refs為NULL module X沒有呼叫其它的module,所以module X->deps為NULL module Y呼叫module X的函式,需參考圖中的module_ref,所以 module_ref->ref指向module Y module_ref依賴module X來提供資訊給module Y,所以module_ref->dep指 向module X 沒有同一個module函式被一個以上的module呼叫。所以,在圖中的 module_ref->next_ref為NULL CCL Hacking linux kernel Linux driver module stack struct module Y struct module X size_of_struct *next size_of_struct *next *name usecount flags *name usecount flags nsyms ndeps *syms nsyms ndeps *syms *deps *refs *init *cleanup *ex_table_start *ex_table_end *persist_start *persist_end *can_unloadCCL *dep *ref *next_ref struct module_ref *deps *refs *init *cleanup *ex_table_start *ex_table_end *persist_start *persist_end *can_unload Hacking linux kernel Linux driver module stack 如下圖,在載入module X與module Y後,接著載入module Z。module Z 同時呼叫了module X與module Y的函式。 首先,module Z呼叫module Y的函式,所以module Z->deps指向 module_ref A module Z並沒有被其它module所呼叫,故module Z->refs為NULL。而 module Y函式被module Z呼叫,module Y->refs指向module_ref A 如之前例子的說明,module_ref A->ref指向module Z,而module_ref A>dep指向module Y。 接著,我們再看呼叫module X函式的情形。 module Z與module Y都呼叫了module X的函式,我們可以看到module_ref B 所在位置為module_ref A之後,而module_ref B->ref指向module Z, module Z透過參考module_ref B來取得module X資訊。 而module_ref B->dep指向module X,值得注意的是module_ref B的 next_ref指向module_ref C。因為module Z與module Y共同呼叫了module X 的函式,所以這兩個module_ref亦建立了關係。 在module_ref C中,module_ref C->ref指向module Y,而 module_ref C>dep指向module X,module_ref C->next_ref為NULL。由於module Y呼叫 了module X的函式,所以在圖中,module Y->deps指向module_ref C。 CCL Hacking linux kernel Linux driver module stack struct module Z struct module Y struct module X size_of_struct size_of_struct size_of_struct *next *name usecount flags nsyms ndeps *syms *next *name usecount flags nsyms ndeps *syms *next *name usecount flags nsyms ndeps *syms *deps *refs *init *cleanup *ex_table_start *ex_table_end *persist_start *persist_end *deps *refs *init *cleanup *ex_table_start *ex_table_end *persist_start *persist_end *can_unload module_ref A *dep *ref *next_ref *dep *ref *next_ref CCLmodule_ref B *can_unload module_ref C *dep *ref *next_ref *deps *refs *init *cleanup *ex_table_start *ex_table_end *persist_start *persist_end *can_unload Linux program debugging tools strace strace /bin/ls execve("/bin/ls", ["/bin/ls"], [/* 20 vars */]) = 0 uname({sys="Linux", node="localhost.localdomain", ...}) = 0 brk(0) = 0x80535c4 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) =3 fstat64(3, {st_mode=S_IFREG|0644, st_size=70378, ...}) = 0 old_mmap(NULL, 70378, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000 close(3) =0 open("/lib/libtermcap.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\r\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=11832, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40028000 old_mmap(NULL, 14932, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40029000 。。。。。。。 old_mmap(NULL, 1271364, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4002d000 old_mmap(0x4015e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x131000) = 0x4015e000 old_mmap(0x40161000, 9796, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40161000 close(3) =0 munmap(0x40016000, 70378) =0 brk(0) = 0x80535c4 brk(0x80745c4) = 0x80745c4 brk(0) = 0x80745c4 brk(0x8075000) = 0x8075000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=32145024, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40164000 mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0xc17) = 0x40364000 CCL Linux program debugging tools ltrace __register_frame_info(0x080530c0, 0x080532f4, 0x40029bbe, 0x0804954e, 0) = 0x080490e8 setlocale(6, "") = "en_US.iso885915" bindtextdomain("fileutils", "/usr/share/locale") = "/usr/share/locale" ltrace /bin/ls textdomain("fileutils") = "fileutils" __libc_start_main(0x08049740, 1, 0xbffffab4, 0x08049060, 0x0804fcb0 <unfinished ...> signal(15, 0x08049620) = NULL signal(9, 0x08049620) = 0xffffffff signal(19, 0x08049620) = 0xffffffff __cxa_atexit(0x0804d910, 0, 0, -1, -1) =0 isatty(1) =0 getenv("QUOTING_STYLE") = NULL getenv("LS_BLOCK_SIZE") = NULL getenv("BLOCK_SIZE") = NULL getenv("POSIXLY_CORRECT") = NULL getenv("COLUMNS") = NULL ioctl(1, 21523, 0xbffffa18) = -1 getenv("POSIXLY_CORRECT") = NULL getenv("TABSIZE") = NULL getopt_long(1, 0xbffffab4, "abcdfghiklmnopqrstuvw:xABCDFGHI:"..., 0x0804fd4c, NULL) = -1 malloc(36) = 0x08053f18 malloc(36) = 0x08053f40 malloc(11600) = 0x08053f68 malloc(12) = 0x08056cc0 strlen(0x080509e1, 0x080509e1, 0xbffffa18, 0x4009d163, 0x401613a0) = 1 malloc(2) = 0x08056cd0 strcpy(0x08056cd0, ".") = 0x08056cd0 __errno_location() = 0x40160ce0 opendir(".") = 0x08056ce0 readdir64(0x08056ce0, 0x08056ce0, 0xbffffa38, 0x0804ab4a, 0x400a3c70) = 0x08056d10 readdir64(0x08056ce0, 0x08056ce0, 0xbffffa38, 0x0804ab4a, 0x400a3c70) = 0x08056d28 readdir64(0x08056ce0, 0x08056ce0, 0xbffffa38, 0x0804ab4a, 0x400a3c70) = 0x08056d40 。。。。。 CCL Various modern linux system solution Device File System What is Devfs? Originate from Richard Gooch in Australia. Liunx 核心2.2.x尚未把Devfs附屬在Linux Kernel的原 始碼當中,所以需要在2.2.x環境中使用Devfs的話,還 需要經過一些Kernel的Patch 過去透過major 與 minor 識別device,為了廣泛相容性 都會預先建立額外的device node In RedHat 7.0,it have more than 6000 device node in /dev directory Devfs support a NameSpace mechanism to provide meaningful device naming support CCL Various modern linux system solution Devfs and VFS 在系統初始化時,會先 進入函式 start_kernel﹝﹞,之 後進入init﹝﹞。而在 函式init﹝﹞中會先進 入do_basic_setup﹝﹞ 再由函式 do_initcalls﹝﹞來初 始化Devfs的檔案系統, 如圖所示 init_devfs_fs﹝﹞函 式會呼叫 register_filesystem ﹝﹞對系統註冊Devfs 檔案系統 CCL Various modern linux system solution Devfs and VFS Major號碼主要的意義就是Device ID,例 如﹕軟碟機floppy=02,音效裝置 audio=14,ISDN設備isdn=45,第一個排 線上的硬碟機hda=3.......等 Minor號碼則是代表了所屬Device ID的裝 置編號,例如以硬碟機為例子,hda的 Partition Table部分的Minor號碼為0、第 一個分割區為1、第二個分割區為2......… CCL Various modern linux system solution Devfs and VFS /dev (In RedHat 7.0) MAKEDEV* md5 sdag7 sdci15 sdr1 ttyF185 ttySR323 X0R@ md6 sdag8 sdci2 sdr10 ttyF186 ttySR324 aaa md7 sdag9 sdci3 sdr11 ttyF187 ttySR325 adbmouse md8 sdah sdci4 sdr12 ttyF188 ttySR326 agpgart md9 sdah1 sdci5 sdr13 ttyF189 ttySR327 amigamouse mdsp1 sdah10 sdci6 sdr14 ttyF19 ttySR328 amigamouse1 mdsp10 sdah11 sdci7 sdr15 ttyF190 ttySR329 apm_bios mdsp11 sdah12 sdci8 sdr2 ttyF191 ttySR33 atarimouse mdsp12 sdah13 sdci9 sdr3 ttyF192 ttySR330 atibm mdsp13 sdah14 sdcj sdr4 ttyF193 ttySR331 atimouse mdsp14 sdah15 sdcj1 sdr5 ttyF194 ttySR332 audio mdsp15 sdah2 sdcj10 sdr6 ttyF195 ttySR333 audio1 mdsp16 sdah3 sdcj11 sdr7 ttyF196 ttySR334 audioctl mdsp2 sdah4 sdcj12 sdr8 ttyF197 ttySR335 aztcd mdsp3 sdah5 sdcj13 sdr9 ttyF198 ttySR336 bpcd mdsp4 sdah6 sdcj14 sds ttyF199 ttySR337 bttv0@ mdsp5 sdah7 sdcj15 sds1 ttyF2 ttySR338 capi20 mdsp6 sdah8 sdcj2 sds10 ttyF20 ttySR339 CCL ......… Various modern linux system solution Devfs and VFS 支援Devfs檔案系統的驅動程式,都必須要加入 Devfs的註冊函式,也就是說在我們所使用的環 境中可能會存在有舊版本的驅動程式,如果為 了相容性的問題,其實就算同時保留了過去的 裝置檔案也是可以的。有支援Devfs的驅動程式, 則只要在初始化的過程中呼叫函式 devfs_register()即可對Devfs檔案系統註冊該 裝置檔案 CCL Various modern linux system solution Devfs and VFS /devfs檔案系統目錄 ./shm ./vc ./misc ./pty ./pts ./vcc ./tts ./cua ./ide/host0/bus0/target0/lun0 ./ide/host0/bus0/target0 ./ide/host0/bus0/target1/lun0 ./ide/host0/bus0/target1 ./ide/host0/bus0 ./ide/host0 ./ide ./cdroms ./discs ./floppy CCL Various modern linux system solution Devfs and VFS 在核心編譯的選項,需要把如下的選項打開 /dev file system support (EXPERIMENTAL) (CONFIG_DEVFS_FS) [Y/n/?] 如果希望可以在開機時自動的啟動Devfs服務,則須把以下選項打開 Automatically mount at boot (CONFIG_DEVFS_MOUNT) [Y/n/?] 必須在開機時Script檔案前先把使用者端的常駐程式devfsd載入 [root@hlchou linux]# more /etc/rc.d/rc.sysinit #!/bin/bash ......… # If we're using devfs, start devfsd now - we need the old device names [ -e /dev/.devfsd -a -x /sbin/devfsd ] && /sbin/devfsd /dev CCL Various modern linux system solution Devfs and VFS 如果我們不打算在一開機時就啟動Devfs的話,就可以關 閉該選項,只需在開機進入系統後,透過手動方式執行 以下指令即可 mount -t devfs /mnt1 /mnt2 mnt1使用者可以輸入任意的目錄名稱。mnt2為Devfs 所要載入的目錄,例如我們可以設定為/devfs CCL Various modern linux system solution Devfs and VFS [root@hlchou /root]# ls /devfs [root@hlchou /root]# mount -t devfs /mnt1 /devfs [root@hlchou /root]# ls /devfs cdroms/ discs/ ide/ misc/ ptmx random tts/ vc/ console floppy/ kmem null pts/ root@ tty vcc/ cua/ full mem port pty/ shm/ urandom zero [root@hlchou /root]# echo "test /devfs/tty" > /devfs/tty test /devfs/tty [root@hlchou /root]# CCL Various modern linux system solution Devfs and VFS 在核心載入Devfs後,我們還需要透過使用者端的devfsd常駐程式來建立與之前裝置檔案系統的相容性,如下所示 [root@hlchou /root]# devfsd /devfs Started device management daemon for /devfs [root@hlchou /root]# ls /devfs agpgart@ ptyb3@ ptydd@ ptyq7@ ptyt1@ ptyvb@ ptyy5@ tty13@ tty51@ cdroms/ ptyb4@ ptyde@ ptyq8@ ptyt2@ ptyvc@ ptyy6@ tty14@ tty52@ console ptyb5@ ptydf@ ptyq9@ ptyt3@ ptyvd@ ptyy7@ tty15@ tty53@ cua/ ptyb6@ ptye0@ ptyqa@ ptyt4@ ptyve@ ptyy8@ tty16@ tty54@ cua0@ ptyb7@ ptye1@ ptyqb@ ptyt5@ ptyvf@ ptyy9@ tty17@ tty55@ cua1@ ptyb8@ ptye2@ ptyqc@ ptyt6@ ptyw0@ ptyya@ tty18@ tty56@ discs/ ptyb9@ ptye3@ ptyqd@ ptyt7@ ptyw1@ ptyyb@ tty19@ tty57@ fd@ ptyba@ ptye4@ ptyqe@ ptyt8@ ptyw2@ ptyyc@ tty2@ tty58@ floppy/ ptybb@ ptye5@ ptyqf@ ptyt9@ ptyw3@ ptyyd@ tty20@ tty59@ full ptybc@ ptye6@ ptyr0@ ptyta@ ptyw4@ ptyye@ tty21@ tty6@ hda@ ptybd@ ptye7@ ptyr1@ ptytb@ ptyw5@ ptyyf@ tty22@ tty60@ hda1@ ptybe@ ptye8@ ptyr2@ ptytc@ ptyw6@ ptyz0@ tty23@ tty61@ ………………………………………………… ………………………………… ptyb1@ ptydb@ ptyq5@ ptysf@ ptyv9@ ptyy3@ tty11@ tty5@ CCL ptyy4@ tty12@ tty50@ ptyb2@ ptydc@ ptyq6@ ptyt0@ ptyva@ Various modern linux system solution Devfs and VFS 透過/dev與/devfs 目錄查看第一個磁碟機的第一個分割區所對應到的裝置檔案 [root@hlchou /root]# ls /dev/hda -l brw-rw---- 1 root disk 3, 0 8月 24 2000 /dev/hda [root@hlchou /root]# ls /devfs/hda -l lr-xr-xr-x 1 root root 32 6月 13 20:02 /devfs/hda -> ide/host0/bus0/target0/lun0/disc 透過不同的裝置檔案系統架構﹝過去的/dev與目前的/devfs﹞,來讀取第一個磁碟機的MBR [root@hlchou /root]# dd if=/dev/hda of=/mbr_dev bs=512 count=1 1+0 records in 1+0 records out [root@hlchou /root]# dd if=/devfs/hda of=/mbr_devfs bs=512 count=1 1+0 records in 1+0 records out [root@hlchou/root]# dd if=/devfs/ide/host0/bus0/target0/lun0/disc of=/mbr_devf bs=512 count=1 1+0 records in 1+0 records out CCL Various modern linux system solution Devfs and VFS 分別透過hexdump來查看剛剛所讀取出來的磁碟機MBR資料是否正確無誤 [root@hlchou /root]# hexdump /mbr_dev 0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a 0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac .........… 00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 0000200 [root@hlchou /root]# hexdump /mbr_devfs 0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a 0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac ........... 00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 0000200 [root@hlchou /root]# hexdump /mbr_devfs2 0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a 0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac ........... 00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 0000200 CCL Various modern linux system solution Devfs initial process 在函式init﹝﹞中, do_basic_setup﹝﹞函式結 束後,會進入函式 prepare_namespace﹝﹞, 之後會呼叫 mount_devfs_fs﹝﹞去確認 我們是否選擇要在一開機時 就把Devfs自動的載入檔案 系統,不過自動載入的預設 目錄為/dev,對於希望把 Devfs檔案系統與原本的裝 置檔案系統目錄分開的使用 者來說,其實可以透過 mount指令自行把Devfs檔案 系統選擇載入到特定的目錄。 CCL Various modern linux system solution Devfs initial process 假設Devfs檔案系統並 不會在一開機時就自動 載入,而是在系統開機 完成後,由使用者透 過”mount”指令自行載 入 CCL Various modern linux system solution Devfs initial process devfs_register﹝﹞的函式原型如下 devfs_handle_t devfs_register (devfs_handle_t dir, const char *name,unsigned int flags,unsigned int major, unsigned int minor, umode_t mode, void *ops, void *info) dir: 為一個指向裝置檔案在devfs中所屬主目錄進入點﹝例如﹕/devfs/cdroms﹞的參數。如果為NULL的話, 那就表示這個新的裝置檔案是相對於devfs的根目錄﹝例如﹕/devfs﹞。 name: 該裝置檔案進入點的名稱。 flags:設定該裝置檔案的旗標﹝詳細內容可參閱Linux原始碼 /linux/include/linux/devfs_fs_kernel.h﹞。 major: The major number. Not needed for regular files. minor: The minor number. Not needed for regular files. mode: 設定裝置檔案的狀態﹝例如﹕區塊、字元裝置檔案......等,可參閱Linux原始碼 /linux/include/linux/stat.h﹞。 ops: 定義對該裝置檔案操作的基本函式,例如對一個ide介面的裝置,其中ops宣告如下 struct block_device_operations ide_fops[] = {{ open: ide_open, release: ide_release, ioctl: ide_ioctl, check_media_change: ide_check_media_change, revalidate: ide_revalidate_disk}}; CCL Various modern linux system solution Devfs 當核心Devfs檔案系統有 新的裝置產生或是有一些 狀態的改變時,會呼叫函 式 devfsd_notify_one﹝﹞ 把需要處理的事件加入 queue中。因為queue中 新增了需要處理的事件, 所以devfsd程式就會從 Read動作中讀取到資料, 進而分析所讀取的資料, 再來對目前Devfs檔案系 統所屬的目錄做出對應的 動作 CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment J2EE主要應用是針對企業市場,因此考量上主要針對伺服器端 ﹝Server-Side﹞程式的開發與應用,例如它的執行環境中支援了Java Beans來支援企業的分散式運算,及Servlet/JSP以供企業應用在網站的 服務中 J2SE主要針對個人電腦用戶的運算平台,在這平台上廣泛支援了一般 Java所會使用到的執行環境。 J2ME主要針對執行環境資源有限的平台,例如:嵌入式系統的應用, J2ME主要分為兩個版本,分別為 CDC﹝Connected Device Configuration ﹞ CVM(C Virtual Machine)與一組核心函式庫,主要運作在32-bits的處理器與 RAM、Flash或ROM總和在2Mbytes以上的裝置,CDC主要是針對像智慧型 手機、汽車導航系統或是資訊家電…....等 CLDC﹝Connected Limited Device Configuration ﹞。 KVM,K Virtual Machine﹞,主要運作在RAM、Flash或ROM總和在160— 512Kbytes的裝置上,具備低耗電與有限的連網能力,例如現在在Palm OS 中所使用的大多為KVM CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment Linux kernel support MISC filesystem to let user could execute java bytecode directly. It is suitable for a Java-enable device to support in Linux Kernel. 在編譯核心時把支援MISC檔案系統的選項加入,如下: Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [y/m/N/?] Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/m/n/?] Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/m/n/?] CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment Linux MISC File System could support different file format to provide various application CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment echo ':Java:M::\xca\xfe\xba\xbe::/usr/local/jdk1.2.2/bin/javawrapper:' > /proc/sys/fs/binfmt_misc/register //Java Application echo ':Applet:E::html::/usr/local/jdk1.2.2/bin/appletviewer:' > /proc/sys/fs/binfmt_misc/register //副檔名為 ”html” echo ':Applet:M::<!--applet::/usr/local/jdk1.2.2/bin/appletviewer:' > /proc/sys/fs/binfmt_misc/register //檔頭為 “<!--applet” 而每個參數所代表的意義如下表所示 欄位順序 名稱 1 Name 產生在 “/proc/sys/fs/binfmt_misc” 目錄下的檔案名稱,用來識別所支援的執行檔環境 2 Type 3 Offset M 表示透過比對檔頭來辨認執行檔 E 表示透過延伸的副檔名來辨認執行檔 用來標示比對檔頭資料所偏移的位置,通常為0,表示由檔頭的起始位置開始比對 4 Magic 所要比對的檔頭資料或是副檔名的名稱 5 Mask 可以用來mask部分比對字串的位元,通常不使用 6 Interpreter 意義 指向我們所要採用的載入器,而我們使用的執行檔會成為這個載入器的第一個變數 CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment 以以下這段簡單的Java程式碼為例子 class HelloWorldApp { public static void main (String args[]) { System.out.println("Hello World!"); } } 首先,把它存檔為 “HelloWorldApp.java”,透過程式 javac來進行編譯 [root@Proxy bin]# ls HelloWorldApp.java cvm [root@Proxy bin]# javac HelloWorldApp.java [root@Proxy bin]# ls HelloWorldApp.class HelloWorldApp.java cvm [root@Proxy bin]# CCL Various modern linux system solution Linux MISC Filesystem and JAVA environment 透過jar把Java的Class檔壓縮,以便於日後在使用Java Class時,便於利用jar所壓縮的Java class壓縮檔,來減 少耗用的系統空間,接下來我們執行以下指令 [root@Proxy bin]# jar -cvf HelloWorldApp.jar HelloWorldApp.class added manifest adding: HelloWorldApp.class(in = 432) (out= 290)(deflated 32%) [root@Proxy bin]# ls HelloWorldApp.class HelloWorldApp.jar HelloWorldApp.java cvm 現在就可以透過我們剛剛編譯好的J2ME CDC版本的JVM﹝在目錄cdcfoundation/build/linux/bin/﹞來執行 Java的程式了,如下 [root@Proxy bin]# ./cvm -Djava.class.path=./HelloWorldApp.jar HelloWorldApp GC[SS]: Initialized semi-space gen for generational GC Size of *each* semispace in bytes=1048576 Limits of generation = [0x40159200,0x40359200) First semispace = [0x40159200,0x40259200) Second semispace = [0x40259200,0x40359200) GC[MC]: Initialized mark-compact gen for generational GC Size of the space in bytes=3145728 Limits of generation = [0x40359200,0x40659200) GC[generational]: Auxiliary data structures heapBaseMemoryArea=[0x40159008,0x40659208) cardTable=[0x830dc98,0x8310498) objectHeaderTable=[0x83104a0,0x8312ca0) summaryTable=[0x8312ca8,0x831cca8) CCL security properties not found. using defaults. Hello World! [root@Proxy bin]# Various modern linux system solution Linux MISC Filesystem and JAVA environment 修改檔案 “/usr/local/jdk1.2.2/bin/ javawrapper”,把最後一行的 /usr/local/jdk1.2.2/bin/java $FQCLASS "$@" 修改為 /home/hlchou/javavm/cdcfoundation/build/linux/bin/cvm -Djava.class.path=./ $FQCLASS "$@" 使得我們在執行Java Class時,會直接引用到J2ME CDC的JVM,在此我把參數 “java.class.path” 改為 “./” ,這是 假設我們會在Java Class所在的目錄中執行Java Class,各位可以根據自己不同的需求來加以修改,修改完後的環境,如 下所示 [root@Proxy bin]# ./HelloWorldApp.class GC[SS]: Initialized semi-space gen for generational GC Size of *each* semispace in bytes=1048576 Limits of generation = [0x40159200,0x40359200) First semispace = [0x40159200,0x40259200) Second semispace = [0x40259200,0x40359200) GC[MC]: Initialized mark-compact gen for generational GC Size of the space in bytes=3145728 Limits of generation = [0x40359200,0x40659200) GC[generational]: Auxiliary data structures heapBaseMemoryArea=[0x40159008,0x40659208) cardTable=[0x830dc98,0x8310498) objectHeaderTable=[0x83104a0,0x8312ca0) summaryTable=[0x8312ca8,0x831cca8) CCL security properties not found. using defaults. Hello World! [root@Proxy bin]# Various modern linux system solution Linux MISC Filesystem and JAVA environment CCL Various modern linux system solution Linux kernel mode http daemon A kernel-mode http daemon suitable for heavy loading server Almost all commercial web servers are running in user-mode. AdvantageÎmaintenance is easy DisadvantageÎextra user-kernel mode memory copy CCL Various modern linux system solution Linux kernel mode kHTTPd 0.1.3 (marked "1.3", running kernel 2.2.10) http"kernel236_zeus", daemon running kernel 2.3.6) Zeus (marked Apache 1.3.3 (no tuning): (X-axis = number of cuncurrent requests (-c parameter from ApacheBench), Y-axis = achieved requests per second) All benchmarks are done on a K6-2 350 Mhz server with ApacheBench fetching a static 1K file on a K6-2 300 Mhz client, over a 100BaseT (100 Mbit, full duplex) network-connection. CCL Various modern linux system solution Linux kernel mode http daemon User-mode http server CCL Various modern linux system solution Linux kernel mode http daemon switch(call) { case SYS_SOCKET: err = sys_socket(a0,a1,a[2]); break; case SYS_BIND: err = sys_bind(a0,(struct sockaddr *)a1, a[2]); break; case SYS_CONNECT: err = sys_connect(a0, (struct sockaddr *)a1, a[2]); break; case SYS_LISTEN: err = sys_listen(a0,a1); break; case SYS_ACCEPT: err = sys_accept(a0,(struct sockaddr *)a1, (int *)a[2]); break; ………………….. } User-mode socket In net/socket.c System Call "sys_socketcall" CCL Various modern linux system solution Linux kernel mode http daemon User-mode socket 參數 說明 所呼叫的核心函式 SYS_SOCKET 產生新的Socket sys_socket SYS_CONNECT 建立TCP/IP連線 sys_connect SYS_LISTEN 等待連線要求 sys_listen SYS_ACCEPT 接收連線要求 sys_accept SYS_SEND 送出TCP/IP封包 sys_send SYS_SENDTO 送出UDP/IP封包 sys_sendto SYS_RECV 接收TCP/IP封包 sys_recv SYS_RECVFROM 接收UDP/IP封包 sys_recvfrom CCL Various modern linux system solution Linux kernel mode http daemon Usr-mode socket User Mode的程式位於Ring 3,Kernel Mode的程式位於Ring 0, 所以說Ring 3的程式並不能隨意的讀寫位於Ring 0程式所掌握的 記憶體,而位於Ring 0的程式﹝Kernel Mode﹞,卻可以讀寫 Ring 3﹝User Mode﹞的記憶體。因為這樣的特性,如果說我們 的網頁伺服器是屬於User Mode的應用程式,每一次的收送封包 資料,都要進行一次User Mode與Kernel Mode資料的拷貝與交 換,對於系統效能上也有一定程度的影響。 CCL Various modern linux system solution Linux kernel mode http daemon Kernel-mode http server CCL Various modern linux system solution Linux kernel mode http daemon //in net/khttpd/main.c int __init khttpd_init(void) { ........…. (void)kernel_thread(ManagementDaemon,NULL, CLONE_FS | CLONE_FILES | CLONE_SIGHAND); ..….. } CCL Various modern linux system solution Linux kernel mode http daemon //in /usr/src/linux/net/khttpd/sockets.c int StartListening(const int Port) { ..….... error = sock_create(PF_INET,SOCK_STREAM,IPPROTO_TCP,&sock); ......… error = sock->ops->bind(sock,(struct sockaddr*)&sin,sizeof(sin)); ....... error=sock->ops->listen(sock,48); ......... } CCL Various modern linux system solution Linux kernel mode http daemon //The same as User-Mode Socket Procedure asmlinkage long sys_bind(int fd, struct sockaddr *umyaddr, int addrlen) { ..….. if((sock = sockfd_lookup(fd,&err))!=NULL) { if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) err = sock->ops->bind(sock, (struct sockaddr *)address,addrlen); sockfd_put(sock); } return err;} asmlinkage long sys_listen(int fd, int backlog) { struct socket *sock; int err; if ((sock = sockfd_lookup(fd, &err)) != NULL) { if ((unsigned) backlog > SOMAXCONN) backlog = SOMAXCONN; err=sock->ops->listen(sock, backlog); sockfd_put(sock); } return err;} CCL Various modern linux system solution Linux kernel mode http daemon CCL Embedded linux Linux support many hardware platform [root@ arch]# pwd /hal/linux/arch [root@ arch]# ls alpha/ cris/ ia64/ mips/ parisc/ s390/ sh/ sparc64/ arm/ i386/ m68k/ mips64/ ppc/ s390x/ sparc/ [root@ arch]# CCL Embedded linux Build crosscompiler CCL Embedded linux A basic Linux root files system CCL Embedded linux Busybox CCL Embedded linux Linux kernel booting CCL File system on embedded linux Flash Why we need flash? High reliability Wear levelingÎextend device lifetime. 以Flash技術的應用來說,主要可以分為儲存資料 (Data Storage)與儲存程式碼,(Code Storage) Code Storage會注重於資料的容錯性以及讀寫的可靠 度 Data Storage主要是著重在容量大,速度快與單價低 CCL File system on embedded linux NOR Flash 單位容量售價高,裝置可儲存空間小,可如同 RAM線性隨機存取,並且支援XIP(eXecute In Place),可以如同記憶體一樣在Flash中執行應 用程式,而不必把程式把讀到記憶體(RAM)中. . 消除資料速度慢(消除區塊大小為64-128KB,約 需要5s),讀取資料速度快,主要設計用於ROM的 裝置上,目前Intel/Sharp與AMD/Fujitsu為產 能與技術主要的提供者 CCL File system on embedded linux NAND Flash 單位容量售價低,裝置單元密度高,可提供高容量的儲存空 間,讀取方式為區塊存取,每個區塊可以有多個分頁(分頁 大小為512byes),每個分頁達到寫入次數上限時,就需要整 個區塊重新寫入,每個分頁都有額外16 bytes空間,可以用來 給日誌式檔案系統做為日誌記錄標記. 消除資料速度快 (消除區塊大小為8-32KB,約需要4ms). Toshiba為這領域主 要的供應商,主要設計可用來取代例如磁碟的儲存媒體 由於目前Flash媒體每個區塊平均最多可以消除100000次 (NAND Flash最多可以消除1百萬次),為了確保整個Flash裝置 可以獲得最佳化的利用,都會盡可能的把消除資料的位置平均 分散在整個Flash的空間(wear levelling),以提高Flash的使用壽命. CCL File system on embedded linux Flash Translation Layers (FTL) Emulate a standard block device Use a normal file system on top of that M-Systems have granted a licence for FTL to be used on all PCMCIA devices NFTL to be used only on DiskOnChip devices. CCL File system on embedded linux LEGAL NOTE: The FTL format is patented by M-Systems. They have granted a license for its use with PCMCIA devices: "M-Systems grants a royalty-free, non-exclusive license under any presently existing M-Systems intellectual property rights necessary for the design and development of FTL-compatible drivers, file systems and utilities using the data formats with PCMCIA PC Cards as described in the PCMCIA Flash Translation Layer (FTL) Specification." Use of the FTL format for non-PCMCIA applications may be an infringement of these patents. For additional information, contact M-Systems (http://www.m-sys.com) directly. CCL File system on embedded linux Flash Translation Layer CCL File system on embedded linux Flash Translation Layer wear levelling and reliable operation sectors of the emulated block device are stored in varying locations on the physical medium ``Translation Layer'' is used to keep track of the current location of each sector in the emulated block device. Product PCMCIA Flash CardÎNAND Flash Disk On Chip(M-System)Î NAND Flash Disk On ModuleÎNAND Flash CCL File system on embedded linux Ramdisk User could use memory as block device. Based on ramdisk we could support common filesystem on it. CCL File system on embedded linux Ramdisk Block devices ---> <*> RAM disk support (4096) Default RAM disk size (NEW) [*] Initial RAM disk (initrd) support CCL File system on embedded linux Memory Technology Device mtdchar 可以把MTD裝置註 冊成為Char Device mtdblock 把MTD裝置註冊為 Block Device CCL File system on embedded linux Mtdram modprobe mtdram total_size=32768 erase_size=256 可以在載入到記憶體時,定義 所要透過記憶體模擬MTD空間的大小,例如 total_sizeÎ指定MTD裝置大小(單位KB) erase_sizeÎ指定每個可抹除區塊基本大小(單位 KB) CCL File system on embedded linux My linux-MTD and NOR flash Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200 …. ……………. …. flash device: 400000 at 1fc00000 Amd/Fujitsu Extended Query Table v1.1 at 0x0040 number of JEDEC chips: 1 1: offset=0x10000,size=0x10000,blocks=63 Creating 4 MTD partitions on "Physically mapped flash": 0x00000000-0x00040000 : "pmon" 0x00040000-0x003e0000 : "linux" 0x00100000-0x003e0000 : "rootfs" 0x003e0000-0x00400000 : "nvram" CCL File system on embedded linux CramFS CramFS是Linus Torvalds在Transmeta任職時, 所參與開發的檔案系統 CramFS is a read-only filesystem. All data are compressed into each block and decompress when we read it. In Linux Kernel Compressed ROM file system support (CONFIG_CRAMFS) [Y/m/n/?] CCL File system on embedded linux CramFS 把Linux的原始碼解開後,可以在” linux/scripts/cramfs”找到工具程式mkcramfs的原始碼, 在這目錄下可以透過 make 指令來把mkcramfs原始碼編 譯為可執行檔。首先,mkcramfs其實就是一個包含在 Linux核心原始碼環境中,用來製作CramFS檔案系統映像 檔的工具程式,我們只要把規劃好的使用者環境,透過 這個工具來壓縮處理,就可以生成屬於CramFS檔案系統 的映像檔,而透過mkcramfs生成的映像檔將會包含有 Superblock與完整的檔案系統結構......等,因為有了 這些基本的CramFS檔案系統結構,所以我們可以直接把 製作好的CramFS檔案系統映像檔裝置到我們目標儲存裝 置中。 CCL File system on embedded linux CramFS 一個CramFS檔案系統映像檔的結 構,首先我們可以看到最前面就 是CramFS的Superblock,大小共 76 bytes。之後便是CramFS的 inode結構,最需要注意的一點就 是每個cramfs_inode的結構大小 為12 bytes,而每個 cramfs_inode所代表的檔案名稱 直接就會接在cramfs_inode的後 面,以0x00結尾。並 且 ”cramfs_inode + 檔案名稱”的 長度必須為4的倍數,如果不足的 部份就會補0,如果長度恰好為4 的倍數,那就不補0直接連接下一 個cramfs_inode。 如此 ”cramfs_inode + 檔案名 稱”+ ”cramfs_inode + 檔案名稱” + ”cramfs_inode + 檔案名 稱”........,的方式就構成了 CramFS檔案系統映像檔的目錄結 構。 CCL File system on embedded linux CramFS 把製作好的執行環境放到目錄tree底下,透過指令du來查看目錄 中所有檔案的大小與總和,如下所示, [root@hlchou /cramfs]# du tree 4.0k tree/lost+found 92k tree/bin 4.0k tree/dev 12k tree/etc/rc.d 72k tree/etc 1.2M tree/lib 4.0k tree/proc 360k tree/sbin 4.0k tree/tmp 4.0k tree/usr 4.0k tree/var 1.8M tree 透過du指令,我們可以發現目前tree目錄底下所有的檔案大小總 和為1.8Mbytes,這是目前尚未經過壓縮的大小。 CCL File system on embedded linux CramFS [root@hlchou /cramfs]# ./mkcramfs tree tree.CramFS ..... -71.09% (-51852 bytes) libpthread.so.0 -53.75% (-11660 bytes) libcrypt.so.1 -56.82% (-5052 bytes) libutil.so.1 -57.70% (-6088 bytes) libdl.so.2 166.67% (+15 bytes) linuxrc -45.60% (-69868 bytes) init -46.45% (-3768 bytes) mingetty 300.00% (+12 bytes) update -50.62% (-21632 bytes) ifconfig -50.81% (-19096 bytes) route -51.99% (-12980 bytes) modprobe -48.43% (-14160 bytes) insmod -45.58% (-12328 bytes) syslogd -49.05% (-9964 bytes) klogd Everything: 816 kilobytes [root@hlchou /cramfs]# ls -l *.CramFS -rw-r--r-- 1 root root 835584 Jul 16 18:41 tree.CramFS 我們可以發現原本為1.8Mbytes大小的目錄內容,被壓縮成一個835kbytes 的CramFS檔案系統映像檔 CCL File system on embedded linux CramFS 函式cramfs_read_super﹝﹞中,會呼叫函式cramfs_read﹝﹞把Superblock讀取到記憶體中,並 且進行Superblock磁區的型態確認,例如 //確認Superblock的參數magic是否為 0x28cd3d45, //若非則結束函式,並傳回NULL if (super.magic != CRAMFS_MAGIC) { printk("wrong magic\n"); goto out; } //確認Superblock的參數signature是否為 "Compressed ROMFS", //若非則結束函式,並傳回NULL if (memcmp(super.signature, CRAMFS_SIGNATURE, sizeof(super.signature))) { printk("wrong signature\n"); goto out; } //參數flags預設值為0,而CRAMFS_SUPPORTED_FLAGS值為0xff, //在&運算後,若為1則結束函式,並傳回NULL if (super.flags & ~CRAMFS_SUPPORTED_FLAGS) { printk("unsupported filesystem features\n"); goto out; } 函式cramfs_read_super﹝﹞的最後,會呼叫函式get_cramfs_inode﹝﹞,取得CramFS檔案系統 根目錄的資訊。 CCL File system on embedded linux List CramFS directory CCL File system on embedded linux List CramFS directory 首先我們可以由Superblock取得根目錄﹝”/”﹞的cramfs_inode,例如﹕根目錄的offset為19 mode:41ffh uid:0h size:204 gid:0h namelen:0 offset:19 根目錄 也就是說這個根目錄底下的檔案或是目錄的資料會放在由CramFS磁區起始往後偏移19*4=76 bytes的 位置。接下來,我們偏移到76 bytes的位置,依序把”cramfs_inode + name”的結構讀取出來,得到 如下的結果 mode:41edh mode:41edh mode:45edh mode:45edh mode:41edh mode:a1ffh mode:45edh mode:45edh mode:41edh mode:45edh mode:41edh uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h uid:0h size:0 gid:0h namelen:3 offset:0 lost+found size:1208 gid:0h namelen:1 offset:70 bin size:3536 gid:f6h namelen:1 offset:372 dev size:264 gid:f6h namelen:1 offset:1256 etc size:184 gid:0h namelen:1 offset:1334 lib size:9 gid:0h namelen:2 offset:163264 linuxrc size:0 gid:f6h namelen:1 offset:0 proc size:176 gid:f6h namelen:1 offset:1380 sbin size:0 gid:0h namelen:1 offset:0 tmp size:0 gid:f6h namelen:1 offset:0 usr size:0 gid:0h namelen:1 offset:0 var 其中,mode的值可以用來判斷目前的cramfs_inode是為目錄或是檔案型態。 CCL File system on embedded linux List CramFS directory 如果說我們現在要查看etc目錄下的所有檔案或是目錄名稱,因為”etc”cramfs_inode的offset值為 1256,所以etc目錄底下的資料會存放在距離CramFS磁區起始位置偏移1256*4=5024 bytes的 cramfs_inode。所以我們現在由CramFS磁區起始位置偏移5024bytes,得到如下的結果 mode:45edh uid:0h size:48 gid:f6h namelen:1 offset:1322 rc.d mode:81a4h uid:0h size:376 gid:f6h namelen:2 offset:12288 inittab mode:81edh uid:0h size:21 gid:f6h namelen:2 offset:12331 passwd mode:81edh uid:0h size:13 gid:f6h namelen:2 offset:12339 group mode:81a4h uid:0h size:437 gid:f6h namelen:2 offset:12345 profile mode:81a4h uid:0h size:97 gid:f6h namelen:3 offset:12411 protocols mode:81a4h uid:0h size:11349 gid:f6h namelen:2 offset:12435 services mode:81a4h uid:0h size:20 gid:f6h namelen:2 offset:13602 hosts mode:81a4h uid:0h size:26 gid:f6h namelen:3 offset:13610 host.conf .......... .......................... .......... 透過這樣的方式,我們就可以把CramFS檔案系統映像檔的目錄內容解讀出來囉。不論是目錄的內容或是檔 案壓縮過的資料儲存位置,都可以經由Offset值來推算出來,並且讀取解壓縮到記憶體中。 CCL File system on embedded linux Read file from CramFS CCL File system on embedded linux Read file from CramFS CramFS檔案系統預設是每次都會解壓縮4Kbytes的資料到Linux Cache Memory中。所以說,如果讀者去觀察CramFS的讀取運 作時,會發現只有第一次檔案被讀取時才會動態的去解壓縮,第 二次與第二次以後的檔案讀取動作就會直接去該檔案目前所對應 到的Linux Cache Memory來讀取,而不會再去解壓縮,耗費系 統運算資源。這樣的運作原理,與我們一般使用的Linux 檔案系 統﹝例如﹕Ext2﹞是一致的,透過一個Cache的機制,讓目前被 讀取的檔案不必要每次都從磁碟機中讀取出來,浪費許多磁碟機 搜尋的時間,把目前使用的資料暫存在Cache中,可以增加每一 次讀取檔案的速度。如果在CramFS檔案系統中,檔案大小超過 4Kbytes的話,就會分多次來解壓縮。 CCL File system on embedded linux Read file from CramFS 在Linux+CramFS的環境下,解決讀取大 型檔案的方式為,當使用者開啟一個大型 檔案時,系統並不會一口氣就把該檔的內 容讀取到記憶體中,所採取的方式是當使 用者讀取到檔案的某個位置時,在依據該 檔案目前所讀取內容儲存的磁區,來動態 的從磁碟系統中讀取出來,載入到記憶體 中。 CCL File system on embedded linux JFFS Journal Flash File System Axis Communications AB released in 1999 Based on log-structured file system Needn’t extra layer(Like FTL) Direct access flash devices CCL File system on embedded linux JFFS Components JFFS是純粹的LogStructured Filesystem,系統只存 在一種Node Type為 jffs_raw_inode Data Node的結構 inode numberÎ32bits, 每個inode值都是唯 一且不重複 VersionÎ 32 bits , 所以每個inode允許 有40億次的修改,但這 對於Flash的壽命 (100000次)而言基 本上是相當足夠的. CCL File system on embedded linux JFFS Operations At mount time Entire medium is scanned Build the directory hierarchy and inode map Write Simply writing a new node to the end of the log Read Read nodes in reverse version order CCL File system on embedded linux JFFS Operations CCL File system on embedded linux JFFS Operations CCL File system on embedded linux JFFS Garbage Collection When empty spaces reach threshold Garbage collection will be triggered How to proceed the garbage collection Erase dirty blocks and becomes available for reuse Proceed linearly from head to tail in the log Write out a new data to the tail of the log CCL File system on embedded linux JFFS Garbage Collection CCL File system on embedded linux JFFS2 January, 2001, David Woodhouse of Red Hat Under both GPL and eCos Public License Improvements Compression Non-Sequential Log Structure Improved memory usage Different node type for medium Hard link support ln <old name> <new name> symbolic linkÎln -s source_file myfile CCL File system on embedded linux JFFS2 Based on MTD [root@loda jffs2]# mount -t jffs2 /dev/hda3 test mount: wrong fs type, bad option, bad superblock on /dev/hda3, or too many mounted file systems [root@loda jffs2]# jffs2: read_super for device 03:03 jffs2: attempt to mount non-MTD device 03:03 CCL Embedded Windows Solution CCL Embedded Linux + Windows What is the embedded windows solution for Linux Embedded Qt Embedded gtk tinyX Pocket Linux MicroWindows MiniGUI W-Windows CCL Embedded qt We can get binary or source code version from trolltech http://www.trolltech.com/ The latest version is 2.2.4 Qt is written in C++ and is fully object-oriented Trolltech can offer training, partnerships and first class support. CCL Embedded qt The Qt Free Edition is provided under the GNU General Public License, GPL. This specifies that you may freely use the Qt/Embedded Free Edition for: Running GPL software developed by others. Development of GPL software. The Qt/Embedded Professional / Enterprise Editions are available for development of commercial/proprietary software. CCL Embedded qt The Qt library, with full source code Licensing to create commercial applications with Qt One year of free upgrades to all new versions of Qt One year of free email support Personal license certificate The complete reference documentation in both HTML and man-page format (Postscript is also available) There are no royalties, run-time licenses or other additional costs. You can distribute your Qt-based programs either statically or dynamically linked without any additional charges. CCL Embedded qt Konqueror has SSL、Cookie、Java Script、HTML4/CSS ... 。 It’s size is between 2.1 MB and 2.8 MB CCL Embedded gtk AniMeta SPARROW GTK / Embedded Window System & MicroBrowser http://www.animeta.com Easy installation and programming guide for rapid application development Well-integrated hardware with ready-to-use IA solutions. Immediate experience of AniMeta's reputable SPARROW and GTK/embedded. Easy UI customization GTK+ API programming provides easy and standard application development. Fast time to market for IA products. CCL Access Browser for gtk HTML 3.2, some HTML 4.0, frames, cookies, JavaScript, JV-Lite 1.3.1(plug-in), and SSL 2.0/3。0 http://www.access.co.jp CCL EmGTK www.emsoftltd.com CCL tinyX tinyX can run X Windows under 4 MB Ram http://www.superant.com/smalllinux/smallX/tinyX01. html We can download somw tinyX demo package from http://www.tux.org/pub/distributions/tinylinux/tinyX/ tinyX is a GPL Project for embedded windows CCL Pocket Linux PocketLinux can run on X86、Strong Arm...…etc http://www.pocketlinux.com/ We can download source code from http://www.pocketlinux.com/ftp/latest/src/ PocketLinux is distributed as Open Source under the GNU General Public License. CCL Pocket Linux PocketLinux is built on 4 key pieces of technology: Linux 2.4.x - the latest incarnation of the Linux kernel reengineered for small devices - such as PDAs, cellphones and TVs. Kaffe - our Open Source Java implementation developed with embedded devices in mind - it enables PocketLinux to provide a uniform programming engine on any device, regardless of hardware. XML - used to represent all data in PocketLinux whether it is the configuration database, the incoming email and news feeds, or the way applications look on the screen. This enables maximal interoperation between devices. The Web - our webserver and data proxy can deliver a consistent interface to news, email, and other content, whether you're using a desktop machine or another device CCL Pocket Linux PocketLinux can run on any hardware, and because we use XML and Java we can run the same applications anywhere... on the web, on a cellphone, anywhere CCL MicroWindows Microwindows is a Open Source project Century has developed support for StrongARM, MIPS, PPC, SuperH, and x86 CPUs http://www.century.com/ http://embedded.censoft.com/ The product for century is “Century Embedded Operating Environment and Development Toolkit for Linux” Esfia ‘s RedBlue Linux will use Tiny-X and Microwindows ﹐and browser is ViewML http://www.esfia.com/ CCL MicroWindows Microwindows 圖形化視窗 系統﹐觸控式螢幕、點選式 鍵盤﹐手寫文字辨識。 嵌入式網頁瀏覽器 ViewML (版本 0.18)﹐2MB 大小、 相容於 HTML 3.2。 FLNX(版本 0.14)發展工 具組、函式庫。 ScreenTop 視窗管理員。能 自定圖示、工具列﹐和應用 程式外觀。 應用程式:終端機模擬、負 載監控、時鐘、電池監控、 冷光切換﹐和時間/日期顯 示... 等等 CCL MinuGUI MiniGUI is base on SVGALib and LinuxThread http://www.minigui.org/ MiniGUI is a graphics user interface (GUI) system, and it can also run X-Windows and WinCE MiniGUI has two Layer﹝for hardware independent﹞ Graphics Abstract Layer (GAL) Input Abstract Layer (IAL) MiniGUI libraries, including minigui and mywins, use LGPL license http://www.minigui.org/license.html CCL MinuGUI CCL MinuGUI CCL W-Windows W-Windows is a GPL Project http://vhl-tools.sourceforge.net/wdoc/clients.html http://vhl-tools.sourceforge.net/ Main Page http://devnull.owl.de/~frank/W.html CCL W-Windows CCL Conclusion CCL