CN113127077B - Server-based microkernel operating system deployment method and operating system - Google Patents


Info

Publication number
CN113127077B
Authority
CN
China
Prior art keywords
kernel
module
operating system
microkernel
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110336679.1A
Other languages
Chinese (zh)
Other versions
CN113127077A (en)
Inventor
张勐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongke Xinan Shenzhen Information Technology Co ltd
Original Assignee
Zhongke Xinan Shenzhen Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongke Xinan Shenzhen Information Technology Co ltd
Priority to CN202110336679.1A
Publication of CN113127077A
Application granted
Publication of CN113127077B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5083 Techniques for rebalancing the load in a distributed system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4411 Configuring for operating with peripheral devices; Loading of device drivers

Abstract

The embodiment of the invention provides a server-based microkernel operating system deployment method, which comprises the following steps: acquiring a kernel source code of a Linux system with a kernel prototype; selectively configuring the kernel source code to obtain a simplified kernel; compiling the simplified kernel, and installing a kernel module and the kernel to obtain a microkernel operating system; verifying the microkernel and applying a kernel security patch to the microkernel; configuring a file system, specifically configuring an Initramfs virtual memory file system based on a Tmpfs file system; and initializing the microkernel operating system to finish its deployment. Cutting the kernel makes the system extremely small, so that it occupies few resources at run time and runs fast; running the system in memory from the pre-deployed file system further increases its speed and prevents data loss caused by accidents during data exchange between the memory and the hard disk.

Description

Server-based microkernel operating system deployment method and operating system
Technical Field
The invention relates to the technical field of anti-counterfeiting of graphic labels, in particular to a server-based microkernel operating system deployment method and a corresponding operating system.
Background
Linux, in full GNU/Linux, is a UNIX-like operating system that is free to use and freely distributable. Its kernel was first released by Linus Benedict Torvalds on October 5, 1991. Inspired mainly by the ideas of Minix and Unix, it is a POSIX-based operating system supporting multiple users, multitasking, multithreading and multiple CPUs. It can run major Unix tool software, applications, and network protocols. It supports 32-bit and 64-bit hardware. Linux inherits the network-centric design philosophy of Unix and is a multi-user network operating system with stable performance.
At present, the domestic autonomous controllable operating systems on the market are developed on the Linux kernel or on Linux distributions (such as Red Hat, Ubuntu), and share the advantages and characteristics of the Linux operating system: openness (open source code), support for various platforms, multiple users, multiple tasks, device independence, rich network functions, long-term stable operation (no restart needed for years) and the like.
The Linux systems currently on the market have the following problems. First, the system is huge and occupies a lot of hardware resources. Second, on a server, the graphical interface makes the system unstable during long-running operation. Third, too much supporting software is integrated, so mostly unused software occupies a large amount of storage space. Fourth, operation requires too much expertise, and a misoperation may bring the system down. Fifth, system start-up takes longer because a heavyweight initialization service manager in the systemd or System V init style is used. Sixth, the overly complex kernel network protocol stack keeps network packet processing from reaching its highest speed. Seventh, the expected security requirements cannot be met without proper configuration. Eighth, for a network exchange server, the network card driver and the network interface parameters also need expert tuning to achieve optimal performance. Ninth, the open-source Linux kernel only supports common modules, and its functions cannot meet the requirements. Tenth, the configuration of important server stability functions such as load balancing is complex. Eleventh, host security needs to be strengthened. Therefore, further improvements are needed.
Disclosure of Invention
In view of the above, embodiments of the present invention are proposed to provide a server-based microkernel operating system deployment method and a corresponding microkernel operating system that overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present invention discloses a method for deploying a server-based microkernel operating system, including:
acquiring a kernel source code of a Linux system with a kernel prototype;
selectively configuring the kernel source code to obtain a simplified kernel;
compiling the simplified kernel, and installing a kernel module and the kernel to obtain a microkernel operating system;
verifying the microkernel and installing a kernel security patch on the microkernel;
configuring a file system, specifically configuring an Initramfs virtual memory file system based on a Tmpfs file system;
initializing a microkernel operating system and finishing the deployment of the microkernel operating system.
Further, the selectively configuring the kernel source code to obtain the reduced kernel includes:
and selecting and cutting a corresponding module of the kernel source code, and removing a kernel module irrelevant to the application of the server to be customized to obtain a simplified kernel.
Further, the selecting and cutting of the corresponding module of the kernel source code to remove the kernel module irrelevant to the application of the server to be customized and obtain the simplified kernel includes:
removing an IPSET module, an advanced configuration and power management interface error reporting interface module, an industry-standard Internet tunneling protocol (L2TP) module, a Multi-queue priority scheduler module, an Apple computer device driver, an Ethernet card driver support module, an asynchronous transmission module, network card modules other than the currently used network card, computer touch panel, handwriting panel and touch screen drivers, sensors, multimedia devices, a coding and decoding module, a network camera module, a digital satellite broadcasting system module, a man-machine interaction device module, a sound card driver, ISDN, Dallas's 1-wire, unnecessary input device support modules, unnecessary peripheral device drivers, mobile storage interface drivers, X86 platform driver modules, a display card driver, network types supported by the kernel but not currently used, a hardware device monitoring module, a hardware virtual machine support module, a software virtual machine support module, a kernel debug module and a kernel hack module.
Further, the selecting and cutting of the corresponding module of the kernel source code, and removing the kernel module irrelevant to the application of the server to be customized to obtain the simplified kernel, further includes:
and when the kernel module is cut, reserving a power management basic function, a basic file system, partial functions of a currently used hard disk storage device driver and a currently used network file system for file sharing.
Further, the compiling the simplified kernel, and installing the kernel module and the kernel to obtain the microkernel operating system includes:
the microkernel operating system occupies no more than 50MB.
Further, the verifying the microkernel and applying a kernel security patch to the microkernel includes:
a kernel vulnerability security patch, a kernel protocol stack patch, a kernel network card driver patch, and a hardware driver patch.
Further, the configuring of the file system includes configuring a core file system, and specifically, after configuring an initramfs virtual memory file system based on a Tmpfs file system, the configuring of the file system further includes:
when the system runs, the microkernel operating system is called into the memory to run through the core file system.
Further, the initializing the microkernel operating system and completing the deployment of the microkernel operating system includes the following steps:
configuring a system starting mechanism and a system service operation mechanism based on the microkernel operating system;
deploying support software according to the file system;
deploying a network and a security policy;
and completing the deployment of the microkernel operating system.
Further, the configuring a system boot mechanism and a system service operation mechanism based on the microkernel operating system includes:
configuring an initialization process module, specifically, modifying an INIT process script based on BUSYBOX, and setting a corresponding console running environment;
and configuring basic services of the console operation environment.
Further, the deploying supporting software according to the file system includes:
dynamically compiling a BUSYBOX module, including modifying the BUSYBOX source code and adding new commands to it; the new commands are applied to syslog system logs, EUDEV device enumeration, the OpenSSL SSL protocol library, application programs and the cryptographic algorithm library;
and realizing a PAM authentication module and its library files through the OpenSSH SSH protocol to form a core part of the microkernel operating system.
Further, the deploying the network and the security policy includes:
determining a network protocol according to a preset server type, and improving the network protocol;
and configuring a security reinforcement strategy for the microkernel operating system.
The embodiment of the invention also discloses a microkernel operating system, which is applied to a server and safety customization equipment and comprises:
the physical equipment module comprises basic hardware for carrying out system operation;
the system guide module is used for guiding the system to start when starting up;
the basic system driving module is used for providing an operation interface of the basic hardware and the system software;
the microkernel module is used for providing a basis for system operation;
the system compiling module is used for compiling a system kernel and various modules;
the Tmpfs-based security system module is used for supporting system-level module operation;
the system supporting module is based on a SQUASHFS and is used for constructing an interactive channel between a system level module and an application level module;
the core dynamic library comprises an application software dependency library, a system support file dependency library and a core file system dependency library which are sequentially in a dependency relationship and is used for ensuring the normal operation of a file system;
and the exchange type application module is used for carrying and supporting the application program based on the EXT 4.
The embodiment of the invention also discloses electronic equipment, which comprises a processor, a memory and a computer program which is stored on the memory and can run on the processor, wherein the computer program realizes the steps of the deployment method of the micro-kernel operating system based on the server when being executed by the processor.
The embodiment of the invention also discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the server-based microkernel operating system deployment method are realized.
The embodiment of the invention has the following advantages:
(1) By cutting the kernel, the system has extremely small volume, occupies less resources during operation and has high speed;
(2) The system is operated in the memory by a pre-deployed file system, so that the system operation speed is further increased, and data loss caused by accidents in data exchange between the memory and the hard disk is prevented;
(3) The system is safer to operate through the kernel patch;
(4) The use of the system by the user is safer by deploying the security policy;
(5) The booting speed is further increased when the system is started or restarted by customizing the booting module;
(6) According to the improved network security module, the network security of the system is further enhanced;
(7) And the graphical interface and the corresponding display card drive are removed, so that the system resources are further saved.
Drawings
FIG. 1 is a flowchart illustrating the steps of an embodiment of a method for deploying a server-based microkernel operating system of the present invention;
FIG. 2 is a block diagram of a microkernel operating system embodiment of the present invention;
FIG. 3 is a block diagram of a computer device of an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
One of the core concepts of the embodiment of the invention is to build a secure operating system from a basic file system compiled from source code plus supporting software, through: (1) kernel cutting; (2) kernel security patches; (3) protocol stack cutting; (4) system cutting; (5) use of a memory file system; (6) redevelopment of the kernel NetFilter framework together with a corresponding user space application program; (7) customized network policy and security policy; (8) host security reinforcement software (including account-related, access control, service-related, data protection and other enhancements, and active defenses such as device control) that realizes security enhancement of the science and security operating system from the operating system bottom layer; (9) enhanced security audit and centralized system management functions; and (10) support for high-availability technology, so that disaster recovery backup of a link is realized. The secure operating system is designed for a security exchange server, so that performance is more stable, running speed is higher, the system is smaller and safer, and the basic operating system software is convenient to install.
The English terms and abbreviations used in this application are explained as follows:
GNU (GNU's Not Unix); Tmpfs: temporary file system; Internet; L2TP (Layer Two Tunneling Protocol); Multi-queue: multi-queue priority scheduler; Ethernet team driver support; ISDN (Integrated Services Digital Network); Dallas's 1-wire: Dallas unibus; debug: debugging; BUSYBOX: common Linux commands and tools; INIT: Linux daemon; syslog: system logs; EUDEV: extended device manager; OpenSSL: open-source software library package; SSL (Secure Sockets Layer): secure socket protocol; OpenSSH: free open-source implementation of the SSH (Secure Shell) protocol; PAM (Pluggable Authentication Modules); SHELL: computer shell layer; SQUASHFS: compressed read-only file system; EXT4: fourth generation extended file system; Netfilter: network filter; USB (Universal Serial Bus); ATM (Asynchronous Transfer Mode); LED (light-emitting diode); CAN (Controller Area Network); DTP (Dynamic relay Protocol); FPGA (Field Programmable Gate Array); OSI (Open System Interconnection); TCP/IP (Transmission Control Protocol/Internet Protocol); PROCFS: process file system; GRO (General Receive Offload); LRO (Large Receive Offload); DMA (Direct Memory Access); NAPI (New API, New Application Programming Interface); SPI (serial peripheral interface): serial interface device; GPIO (General-purpose input/output); qid: queue identification number; tid: thread identification number; pid: process identification number; DSA MASTER (Digital Signature Algorithm Master); IEEE (Institute of Electrical and Electronics Engineers); atf (ARM Trusted firmware); ARM (Advanced RISC Machines): advanced reduced instruction set processors; RISC (Reduced Instruction Set Computing); dsi (digital-speech interpolation); token; null: empty; taprio (Tucson Amateur Packet Radio IO): packet wireless network IO; clk: clock; schedule; PREEMPT: real-time precedence; IPV4 (Internet Protocol version 4); IPV6 (Internet Protocol version 6); GSO (Generic Segmentation Offload); SKB (Socket Buffer); MSI/MSI-X (Message Signaled Interrupt); CPU (Central Processing Unit); mount; size; RAM (Random Access Memory); UMOUNT: unmount; BASH-SHELL; SH: a shell; SERVICE; ebtables: filter table; PreRoute, Input, Forward, Output and PostRoute; hook; conntrack: connection tracking; helper; SIP (Session Initiation Protocol); OPC DA (OLE for Process Control Data Access); Modbus: a communication protocol; IEC (International Electrotechnical Commission); DNP (Distributed Network Protocol): a communication protocol; ARP (Address Resolution Protocol); FTP (File Transfer Protocol); clamav: virus detection; snort: intrusion detection system; DOS (Denial of Service); SYNPROXY: synchronization agent.
Referring to fig. 1, a flowchart illustrating steps of an embodiment of a method for deploying a server-based microkernel operating system according to the present invention is shown, which may specifically include the following steps:
Step S100, acquiring a kernel source code of the Linux system with a kernel prototype;
Step S200, selectively configuring the kernel source code to obtain a simplified kernel;
further comprising: selecting and cutting a corresponding module of the kernel source code, removing a kernel module irrelevant to the application of the server to be customized, and obtaining a simplified kernel;
specifically, removing: an IPSET module, an advanced configuration and power management interface error reporting interface module, an industry-standard Internet tunneling protocol (L2TP) module, a Multi-queue priority scheduler module, an Apple computer device driver, an Ethernet card driver support module, an asynchronous transmission module, network card modules other than the currently used network card (such as a USB network card interface, a wireless network card and the like, and the corresponding network card debug modules), computer touch pad, handwriting pad and touch screen drivers, sensors, multimedia devices (such as a camera, a television card and the like), a coding and decoding module (such as an audio coder, an audio decoder, a video coder and a video decoder), a network camera module, a digital satellite broadcasting system module, a human-computer interaction device module, a sound card driver, ISDN, Dallas's 1-wire, unnecessary input device support modules (e.g., mouse, joystick, etc.), unnecessary peripheral drivers (e.g., 802.15.4 device driver, ATM device driver, network card driver, LED device driver), mobile storage interface drivers (e.g., flash card device driver, USB device driver), X86 platform driver modules (e.g., X86 platform character device driver, timer, infrared, Bluetooth, radio, car CAN bus driver), a graphics card driver, network types supported by the kernel but not currently used, a hardware device monitoring module, a hardware virtual machine support module, a software virtual machine support module, a kernel debug module and a kernel hack module;
further still include: and when the kernel module is cut, reserving a power management basic function, a basic file system, partial functions of a currently used hard disk storage device driver and a currently used network file system for file sharing.
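A way to check a built kernel against the S200 trimming list, as an added example that is not part of the patent. The mapping from the patent's module categories to mainline Kconfig symbols is an assumption of this example (the patent names categories, not symbols) and covers only part of the list; the sample `.config` is constructed.

```python
"""Audit a kernel .config against the step S200 trimming list (added example)."""
import re

# ASSUMPTION: the patent names module categories, not Kconfig symbols. The
# mainline symbols below are this example's own mapping for part of the list.
MUST_BE_OFF = {
    "IPSET module": ["CONFIG_IP_SET"],
    "ACPI error reporting interface": ["CONFIG_ACPI_APEI"],
    "L2TP tunneling": ["CONFIG_L2TP"],
    "multi-queue priority scheduler": ["CONFIG_NET_SCH_MULTIQ"],
    "Apple device drivers": ["CONFIG_MACINTOSH_DRIVERS"],
    "Ethernet team driver": ["CONFIG_NET_TEAM"],
    "asynchronous transfer mode": ["CONFIG_ATM"],
    "unused NICs (USB, wireless)": ["CONFIG_USB_NET_DRIVERS", "CONFIG_WLAN"],
    "tablet / touchscreen": ["CONFIG_INPUT_TABLET", "CONFIG_INPUT_TOUCHSCREEN"],
    "multimedia devices": ["CONFIG_MEDIA_SUPPORT"],
    "sound card": ["CONFIG_SOUND"],
    "ISDN": ["CONFIG_ISDN"],
    "Dallas 1-wire": ["CONFIG_W1"],
    "mouse / joystick": ["CONFIG_INPUT_MOUSE", "CONFIG_INPUT_JOYSTICK"],
    "graphics card": ["CONFIG_DRM"],
    "hardware monitoring": ["CONFIG_HWMON"],
    "virtual machine support": ["CONFIG_VIRTUALIZATION", "CONFIG_KVM"],
    "kernel debug / hacking": ["CONFIG_DEBUG_KERNEL"],
}

# Features the described system depends on (Tmpfs-based Initramfs, SQUASHFS
# support layer, EXT4 application layer) and the states that count as present.
MUST_BE_ON = {
    "CONFIG_TMPFS": ("Tmpfs for the in-memory file system", ("y",)),
    "CONFIG_BLK_DEV_INITRD": ("Initramfs support", ("y",)),
    "CONFIG_SQUASHFS": ("SQUASHFS system support layer", ("y", "m")),
    "CONFIG_EXT4_FS": ("EXT4 application layer", ("y", "m")),
}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            state[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            state[m.group(1)] = "n"
    return state


def audit(text):
    """Return findings as (kind, description, symbol, value) tuples.

    A symbol missing from the file is treated as 'n'. '=m' counts as enabled:
    the module is still shipped and can be loaded at run time.
    """
    cfg = parse_config(text)
    findings = []
    for category, symbols in MUST_BE_OFF.items():
        for sym in symbols:
            value = cfg.get(sym, "n")
            if value in ("y", "m"):
                findings.append(("remove", category, sym, value))
    for sym, (purpose, allowed) in MUST_BE_ON.items():
        value = cfg.get(sym, "n")
        if value not in allowed:
            findings.append(("missing", purpose, sym, value))
    return findings


# Constructed sample .config fragment (not taken from the patent).
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="-trimmed"
CONFIG_TMPFS=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_EXT4_FS=y
# CONFIG_SQUASHFS is not set
CONFIG_IP_SET=m
# CONFIG_L2TP is not set
CONFIG_SOUND=y
CONFIG_DRM=m
# CONFIG_KVM is not set
CONFIG_DEBUG_KERNEL=y
"""

if __name__ == "__main__":
    for kind, what, sym, value in audit(SAMPLE_CONFIG):
        print(f"{kind:8} {sym}={value}  ({what})")
```

Run it against the `.config` in the kernel build tree before compiling in step S300; an empty result means none of the mapped categories is still built in or built as a module.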
Step S300, compiling the simplified kernel, and installing a kernel module and a kernel to obtain a microkernel operating system; the microkernel operating system occupies no more than 50MB. Therefore, the system is minimized, unnecessary modules do not need to be loaded when the system runs, the running speed of the system is increased, and the data processing efficiency of the system is improved.
Step S400, verifying the microkernel and applying a kernel security patch to the microkernel;
further, the verifying the microkernel and patching a kernel security patch on the microkernel includes: a kernel vulnerability security patch, a kernel protocol stack patch, a kernel network card driver patch, and a hardware driver patch. The kernel patch includes: CVE-2020-27675 vulnerability patch, CVE-2020-16119 vulnerability patch, CVE-2020-25211 vulnerability patch, CVE-2020-14386 vulnerability patch, CVE-2020-14385 vulnerability patch, CVE-2020-16166 vulnerability patch, CVE-2020-10757 vulnerability patch, CVE-2020-12888 vulnerability patch, CVE-2020-12655 vulnerability patch, CVE-2020-11107, CVE-2020-8835 vulnerability patch, CVE-2019-19769 vulnerability patch, CVE-2020-2732 vulnerability patch, CVE-2019-18808 vulnerability patch, CVE-2019-18809 vulnerability patch, CVE-2019-18811 vulnerability patch, CVE-2019-18812 vulnerability patch, CVE-2019-11135 vulnerability patch, CVE-2018-12207 vulnerability patch, CVE-2019-18855 vulnerability patch, CVE-2019-012019-3900 vulnerability patch, CVE-2020-2529-3900 vulnerability patch;
The kernel protocol stack patch comprises a customized network transport protocol (the zkxa_DTP protocol). Understandably, the service scenario of the present application is a security exchange and security isolation server, so a gatekeeper-like exchange boundary isolation board based on an FPGA is inevitably required. The FPGA-based exchange isolation board isolates the physical layer and the data link layer of the OSI seven-layer network model. To truly isolate the internal network from the external network, however, the transport layer (mainly the TCP protocol) must also be isolated while data is still allowed to pass through, so a proprietary transport protocol becomes a necessary kernel function that the exchange system has to provide. The zkxa_DTP protocol and its corresponding control module are therefore implemented in the kernel of the secure operating system deployed by this scheme. Specifically, first, a zkxa_DTP special communication protocol conversion module is configured: to eliminate the security holes of the general TCP/IP network protocol, the isolation gateway uses a special communication protocol, and the DTP physical isolation channel control system controls the data channel between the internal terminal and the external terminal. All data passing through the gateway are first stripped into pure data without any additional information; after the data are strictly checked to be legal, they are processed and forwarded according to the special communication protocol, and the special communication protocol is converted back into the general network protocol before the data reach the destination. Through this protocol conversion, various attacks from the external network are blocked outside the external terminal, which protects the internal network well. Secondly, a zkxa_DTP kernel module and a user space interaction module are set up: zkxa_DTP is started and configured using procfs, and the data of the DTP module are recorded and displayed in real time. In this embodiment the main network data are security exchange and isolation data, so it must be convenient to modify data passing through the network protocol stack of the Linux kernel, to support more advanced application layer protocols, and to interact with user space. To achieve this, the standard Netfilter framework must be modified correspondingly and the corresponding user space application program supported (for modifying and configuring the Netfilter framework, refer to the relevant steps of network security deployment).
The kernel network card driver patch covers network card chips commonly purchased on the market, such as some driver models of Intel gigabit and ten-gigabit network cards, and makes full use of NAPI, DMA, GRO and LRO technology to accelerate the sending and receiving of data by the network card. Specifically, the kernel network card driver patch mainly modifies the allocation of the sending and receiving DMA buffers, and comprises: (1) allocating the sending/receiving descriptor queues and creating a consistent DMA mapping for each of them; (2) configuring the network card hardware registers that store the DMA descriptor base address, the number of DMA descriptors and the address of the DMA descriptor to be read next by the DMA controller; (3) pre-allocating a queue of received-message buffers, creating a streaming DMA mapping for each buffer, and writing the mapped bus address into the receive descriptor queue. In the close routine, the corresponding teardown is performed: cancelling the streaming DMA mappings of the received-message buffers, releasing the queue of received-message buffers, releasing the memory of the sending/receiving descriptor queues, and the like;
understandably, the above hardware driver patches include, but are not limited to: adding drivers for Cadence SPI controllers; repairing client driver corruption when GPIO descriptors are used; repairing tid jams caused by erroneous qid updates; unbinding all switches from the tree when the DSA master unbinds; checking whether atf has been disabled in ieee80211_schedule_txq; allowing the use of non-continuous DSI clocks; repairing false NULL pointer checks; using napi_schedule() for PREEMPT_RT; repairing the handling of unsupported token types in rxrpc_read(); repairing clk error handling; repairing taprio plan configurations; repairing potential NULL pointer dereferences; using READ_ONCE() to read the call state in some cases; avoiding unnecessary kmap_atomic calls; setting the appropriate input size for the OID_GEN_PHYSICAL_MEDIUM request; removing Asym_Pause support; increasing the critical threshold for ASIC hotspots; repairing a NULL dereference in tipc_link_xmit(); verifying the GSO SKB before IPv6 processing is completed; repairing MSI/MSI-X interrupts; and upgrading the 210x USB-to-serial drivers.
Step S500, configuring a file system, including configuring a core file system, specifically configuring an Initramfs virtual memory file system based on a Tmpfs file system;
further, the configuring the file system includes configuring a core file system, and specifically, after configuring an initramfs virtual memory file system based on a Tmpfs file system, the configuring further includes: when the system runs, the microkernel operating system is called into the memory to run through the core file system. The data reading and writing speed of the memory is much faster than that of the storage equipment such as the hard disk, and the system in the application runs in the memory directly, so that the running speed of the system is greatly accelerated.
More understandably, under the normal condition, an operating system is installed on a hard disk, necessary system files are copied from the hard disk to run in a memory through data copying according to needs, all application programs, whether the application programs are system or application types, have the fastest running speed in the memory, but the memory capacity is limited so as to accelerate the running of the programs, except that a CPU (central processing unit) is upgraded, the memory is enlarged, distributed computing is used, 1,2-level cache is used, the hit rate of a multi-core CPU (Central processing Unit) is improved, data exchange between the memory and the hard disk is accelerated by using an ssh (secure storage) hard disk, a unique operating system can be designed according to the reality of products of the secure exchange type, and the running rate of the products is accelerated from the bottom layer;
furthermore, a memory file system operation mechanism is adopted to accelerate the operation speed of the operating system and improve the stability of the system from the operation space of the file system, the basic file system is directly and completely operated in the memory, the file moving-in and moving-out operation between the memory and the hard disk during the operation of the common system is avoided, and meanwhile, due to the fact that the file system is operated and in the memory, even if important system files are carelessly deleted in the operation process of the system, the deleted system files are only images of the operating system loaded in the memory once, a real file system is not deleted, all the system files are reloaded after the system is restarted, all the mistakenly deleted system files are automatically recovered, and the fault tolerance of the system is improved.
Further, initramfs is a Tmpfs-based virtual memory file system, which is different from the traditional Ramdisk implemented in a block device form and from Ramfs for physical memory. The Tmpfs may use physical memory or swap partitions.
Understandably, in the Linux kernel, the virtual memory resources are composed of physical memory (RAM) and switch partitions, and these resources are allocated and managed by a virtual memory subsystem in the kernel. Tmpfs requests pages from the virtual memory subsystem to store a file, which, like the portions of other requested pages in Linux, does not know whether the page allocated to itself is in memory or in a swap partition. Like Ramfs, its size is not fixed, but dynamically increases or decreases with the space required. It has one advantage over Ramfs: the Size parameter specified at mount is active, which ensures the security of the system, but unlike Ramfs, the system is hung up inadvertently because the write data is too large to eat all the memories of the optical system.
Tmpfs has the following advantages in addition to the above-mentioned advantages:
(1) Tmpfs automatically increases and decreases the capacity as the data therein increases and decreases.
(2) There is no duplicate data between Tmpfs and the page cache/dentry cache.
(3) Tmpfs reuses the Linux caching code, so the kernel size is hardly increased, and because the caching code is well tested, the code quality of Tmpfs is also guaranteed.
(4) No additional file system driver is required.
(5) The writing speed is 1.2G/S-1.3G/S, and the reloaded data disappears after umount.
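The following shell example is added here for illustration and is not part of the patent or of the patentee's software. It shows how the size limit discussed above can be checked on a running host by classifying every Tmpfs and Ramfs mount in a /proc/mounts-format table as capped, left at the kernel default (half of physical RAM), or unbounded; the function names and the sample table are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify memory-backed mounts by whether their growth is capped.
# Reads a table in /proc/mounts format and prints "<mountpoint> <fstype> <verdict>".

classify_mem_mounts() {
    # $1: mounts table to read (defaults to the live /proc/mounts)
    awk '
    $3 == "tmpfs" || $3 == "ramfs" {
        # ramfs has no size option at all; a tmpfs line without size= is
        # running with the kernel default cap of half of physical RAM.
        verdict = ($3 == "ramfs") ? "UNBOUNDED" : "DEFAULT_CAP"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if ($3 == "tmpfs" && opt[i] ~ /^size=/) {
                val = substr(opt[i], 6)
                # size=0 switches the tmpfs limit off
                verdict = (val ~ /^0+[kKmMgG%]?$/) ? "UNBOUNDED" : ("CAPPED(" val ")")
            }
        }
        print $2, $3, verdict
    }' "${1:-/proc/mounts}"
}

# Number of mounts that can grow until memory is exhausted.
count_unbounded() {
    classify_mem_mounts "$1" | awk '$3 == "UNBOUNDED" { n++ } END { print n + 0 }'
}

# Constructed sample table (not taken from a real host).
write_sample_mounts() {
    cat > "$1" <<'EOF'
tmpfs /run tmpfs rw,nosuid,nodev,size=65536k,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /scratch tmpfs rw,relatime,size=0k 0 0
ramfs /mnt/ram ramfs rw,relatime 0 0
/dev/sda2 /srv ext4 rw,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
classify_mem_mounts "$sample"
echo "unbounded mounts: $(count_unbounded "$sample")"
rm -f "$sample"
```

Called without an argument, classify_mem_mounts reads the live /proc/mounts of the host it runs on.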
In the above embodiment, the core operating system files of the operating system mainly handle the loading of driver modules, service control, and system boot. This part runs directly in memory after startup and obtains the fastest running speed for the core functions of the operating system by using the kernel's cache mechanism.
Step S600, initializing a microkernel operating system and finishing deployment of the microkernel operating system;
Further, the method comprises the following substeps:
Step S601, configuring a system starting mechanism and a system service running mechanism based on the microkernel operating system;
Further, configuring the system boot mechanism and the system service running mechanism based on the microkernel operating system includes:
configuring an initialization process module, specifically, modifying the INIT process script based on BUSYBOX and setting the corresponding console running environment, wherein the consoles operable in the system are set and comprise the BASH and SH consoles;
and configuring the basic services of the console running environment, wherein the basic services support starting and stopping through SHELL scripts, and a user can write SHELL scripts as needed and place them in a configuration directory (such as the /etc/init.d directory) to realize a service command control architecture.
It can be understood that, in the above embodiment, the secure operating system was originally designed for secure-exchange and secure-isolation servers; a BUSYBOX-style init service loading flow fully meets this requirement, and its structure is simple and clear with a small amount of code. Therefore, taking the design of the BUSYBOX init program as a reference, the secure operating system in the above embodiment independently designs an init program that supports system service loading in both the bash and sh console running environments. For basic services such as ssh and network, starting and stopping through shell scripts in the form of service start/stop/restart is already implemented, and the framework also lets later user programs place their own service shell scripts in the /etc/init.d directory and control them with the service command.
Step S602, deploying supporting software according to the file system;
Further comprising: dynamically compiling the BUSYBOX module, specifically, modifying the BUSYBOX source code and adding new commands to it; the new commands are applied to the syslog system log, EUDEV device enumeration, the OpenSSL SSL protocol library, applications and the cryptographic algorithm library; and the PAM authentication module and its library files are provided together with the OpenSSH implementation of the SSH protocol, forming the core part of the microkernel operating system.
The root file system architecture is constructed based on BUSYBOX. In this embodiment, the basic root file system architecture is preferably constructed using BUSYBOX 1.30, and BUSYBOX is compiled dynamically in order to make its executable file smaller. BUSYBOX is a piece of software that integrates over three hundred of the most commonly used Linux commands and tools. It includes simple tools such as ls, cat and echo, as well as larger, more complex tools such as grep, find, mount and telnet. BUSYBOX combines small versions of many common UNIX tools into a single executable file. This set can replace most common tools such as GNU fileutils, shellutils and the like, and BUSYBOX provides a fairly complete environment suitable for any small embedded system. BUSYBOX keeps only the most essential functions of the Linux commands. For a server operating system, some BUSYBOX commands are sufficient, while others are insufficient for later maintenance of the secure-exchange and isolation products in the present application and must be strengthened with full-function Linux commands compiled from the Linux source code. Other Linux commands, such as ethtool, are not provided by BUSYBOX at all and need to be compiled and installed separately from source to complete the system's support. Meanwhile, for some special requirements, new commands are added to BUSYBOX by modifying the BUSYBOX source code. The syslog system log, eudev device enumeration, the OpenSSL SSL protocol library, applications and cryptographic algorithm library, OpenSSH (a free, open-source implementation of the SSH (Secure Shell) protocol), and the PAM authentication module and its library files are added, and together they form the most essential core of the operating system, which is loaded into memory after the operating system starts,
interacting with the kernel through the cache to obtain the fastest running speed for the core operating system. Other important follow-on system software is placed under the /srv/ directory, and a readable and writable partition is mounted separately on the /srv directory to store the applications and system configuration files that should not be reset when the system restarts. There is still a gray area between the read-only root system partition and the readable and writable partition mounted under /srv, for example, setting a network card device file/etc/ud/rud/70-persistent file carrying multiple hardware devices as a network card device file which can not be wrongly stored in a network card device file management package (the network card device file/srv directory package can not be wrongly stored) because the network card device file/copy/read by the network card software, and the network card device file can not be wrongly stored in the system configuration files (the network card management package) because the network card management package can be wrongly stored after the system is wrongly stored). Therefore, the safety of the system files is guaranteed, and files are prevented from being damaged or lost during operation or lost due to hardware failure.
Step S603, network and security policy deployment;
further comprising: determining a network protocol according to a preset server type, and improving the network protocol; and configuring a security reinforcement strategy for the microkernel operating system.
It can be understood that the Netfilter framework zkxa_Netfilter is based on the open-source Linux kernel framework, and zkxa_Ebtables is based on the five hook points of the standard Netfilter data link layer: PreRoute, Input, Forward, Output and PostRoute. On the basis of the Netfilter framework, the filtering, NAT and connection tracking classes of the framework have been extensively optimized and improved to suit different application scenarios. For example, in one embodiment, on the basis of Conntrack and Helper, kernel protocol module support is added for protocols with expected connections, such as SIP and OPC DA, and for stateless industrial protocols such as Modbus, IEC, DNP3.0 and S7.
In one embodiment, connection tracking, expected-connection tracking and NAT address translation are implemented in the kernel for various application-layer protocols through self-developed kernel modules, which greatly improves the transmission efficiency of data packets. zkxa_nfct_cmd, which tracks and controls connections in real time, is implemented using Netlink, and zkxa_nfct, which provides Netfilter extension module functionality, is loaded dynamically as required. Meanwhile, because existing use scenarios place heavy demands on load balancing and high availability, the high availability of two hosts in master-slave mode, and the zkxa_nfctd daemon with master-slave mode and load balancing, are implemented over TCP or UDP on the basis of Netlink. A user therefore only needs to concentrate on the network-exchange content to be controlled; that is, a kernel proxy server that implements an application protocol in kernel mode can be realized easily and with stable efficiency. In addition, for data stream channels such as RTP and FTP, an application-layer proxy server is also developed in the application software part, while the actual data streams are controlled in the kernel layer, which facilitates operations such as landing and virus scanning of the actual data streams.
In an embodiment, the IPv6 firewall module in the network layer processes packets in the IPv6 protocol stack; the corresponding user-space configuration tool is ip6tables, which is a secondary implementation based on the IPv4 functionality.
It can be understood that, in the design of arptables and the arptable_filter kernel module, each mapping requires a corresponding IP address to be added to the system, which leaves the system with too many addresses to maintain and conflicts functionally with the device addresses configured on the system. To solve these problems, ARP requests are answered directly, so that the peer of the network connection is deceived into initiating its connection to this host. Another kernel module, zkxa_arp_reply, is added alongside the arptable_filter kernel module and registers an xt_target structure with the system, as shown below:
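/* Registration record for the ARP reply target. */
static struct xt_target arpt_reply_reg __read_mostly = {
	.name       = "zkxa_arp_reply",           /* target name referenced by rules */
	.family     = NFPROTO_ARP,                /* applies to the ARP tables only */
	.target     = target,                     /* per-packet handler */
	.targetsize = sizeof(struct arpt_reply),  /* size of the rule's private data */
	.checkentry = checkentry,                 /* validates a rule when it is added */
	.me         = THIS_MODULE,
};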
It can be understood that when the system receives an ARP data packet, static unsigned int target(struct sk_buff *skb, const struct xt_target_param *par) is called. In the target function, it is determined whether the received ARP packet is an ARPOP_REQUEST, and the requested address is compared with the address set by iptables; if they match, an ARP address resolution response packet is returned to the requesting party. zkxa_arptables customizes its own kernel modules on the basis of the Netfilter framework, which greatly simplifies and facilitates handling a large number of ARP operations at the same time.
In one embodiment, configuring a security hardening policy for the microkernel operating system includes a host security hardening policy. Understandably, the microkernel operating system corrects and hardens security items such as account security, minimized services, access control, user authentication and audit policy, so as to improve system security and enable the system to resist attacks to a certain degree. Specific examples include:
(I) Identity authentication, including: (1) password security policy: checking whether the minimum password length in the password policy meets the specification; (d) checking that the number of warning days before password expiry in the password policy is not less than 7; (e) forbidding reuse of the passwords used the last five times; (2) login failure policy: once login failure handling is enabled, measures such as ending the session, limiting the number of illegal login attempts, and automatic logout can be taken; when password cracking is attempted, the account is temporarily locked, reducing the possibility that the password is guessed; (3) secure remote management: (a) closing the telnet service; (b) prohibiting root users from logging in directly; (c) restricting FTP login for system accounts; (d) OpenSSH and OpenSSL, which are easy to upgrade, and their security configurations.
(II) Access control: (a) redundant and expired accounts should be deleted promptly, and shared accounts should be avoided; (b) temporary, expired and suspicious accounts are deleted or disabled to prevent illegal use.
(III) Security audit, specifically: (1) enabling the audit policy: the audit scope should cover every operating system user and database user on the server and on important clients; with the audit policy enabled, system log files can be checked if a system fault or security incident occurs later, in order to eliminate the fault and trace information about the intruder; (2) log attribute settings: audit records should be protected from unexpected deletion, modification or overwriting; important log information is prevented from being overwritten; log files are dumped monthly and 6 months of information is retained, and the current configuration is checked first.
(IV) Intrusion prevention: the operating system follows the principle of minimal installation, installs only the required components and applications, and closes services that are irrelevant or unnecessary to the system's business, reducing the risk of the system being attacked and penetrated by hackers; clav and snort are started in the form of services.
(V) System resource control, specifically: (1) access control: terminal login is restricted by setting conditions such as the terminal access mode and the network address range; restricting the IP addresses and methods that may access the server prevents illegal intrusion; (2) timeout locking: the operation timeout lock of the login terminal is set according to the security policy; setting the login timeout releases system resources and also improves the security of the server.
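The following shell example is added here for illustration and is not part of the patent or of the patentee's software. It audits a root tree against the items above that carry concrete values (warning days not less than 7, the last five passwords forbidden, direct root login prohibited, monthly log dumps with 6 months retained); the file locations, the helper names, the default minimum length of 8 and the sample configuration trees are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit a root tree against the host-hardening items listed above.
# File locations and helper names are assumptions, not the patentee's layout.

# Value of the last uncommented "KEY value" line (login.defs style).
conf_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# sshd_config: keywords are case-insensitive and the first value obtained wins.
# Parsing stops at the first Match block, so only global settings are read.
sshd_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# First NAME=value option found on an active PAM "password" line.
pam_option() {
    [ -r "$1" ] || return 0
    awk -v o="$2" '$1 == "password" {
        for (i = 2; i <= NF; i++)
            if (index($i, o "=") == 1) { print substr($i, length(o) + 2); exit }
    }' "$1"
}

# Global (outside any { } block) frequency and rotate count of logrotate.conf.
logrotate_global() {
    [ -r "$1" ] || return 0
    awk '/[{]/ { depth++ }
         depth == 0 && $1 ~ /^(daily|weekly|monthly|yearly)$/ { f = $1 }
         depth == 0 && $1 == "rotate" { r = $2 }
         /[}]/ { depth-- }
         END { print f, r }' "$1"
}

# Print PASS/FAIL for "actual >= required"; empty or non-numeric counts as unset.
check_ge() {
    case "$2" in
        ''|*[!0-9]*) echo "FAIL $1: not set" ;;
        *) if [ "$2" -ge "$3" ]; then echo "PASS $1: $2 >= $3"
           else echo "FAIL $1: $2 < $3"; fi ;;
    esac
}

# audit_hardening ROOT [MIN_LEN]: prints one PASS/FAIL line per check.
audit_hardening() {
    root="$1"; min_len="${2:-8}"   # the page gives no minimum length; 8 is assumed
    check_ge password-min-length "$(pam_option "$root/etc/pam.d/common-password" minlen)" "$min_len"
    check_ge password-warn-days "$(conf_value "$root/etc/login.defs" PASS_WARN_AGE)" 7
    check_ge password-history "$(pam_option "$root/etc/pam.d/common-password" remember)" 5
    prl=$(sshd_value "$root/etc/ssh/sshd_config" PermitRootLogin)
    if [ "$prl" = "no" ]; then echo "PASS ssh-root-login: PermitRootLogin no"
    else echo "FAIL ssh-root-login: PermitRootLogin ${prl:-unset}"; fi
    lr=$(logrotate_global "$root/etc/logrotate.conf")
    freq="${lr%% *}"; keep="${lr#* }"
    if [ "$freq" = "monthly" ]; then check_ge log-retention-months "$keep" 6
    else echo "FAIL log-retention-months: global frequency is ${freq:-unset}, expected monthly"; fi
}

# Constructed sample trees: "good" meets every item, "weak" fails every item.
make_sample_root() {
    d="$1"; mkdir -p "$d/etc/ssh" "$d/etc/pam.d"
    if [ "$2" = "good" ]; then
        printf '%s\n' 'PASS_WARN_AGE 7' > "$d/etc/login.defs"
        printf '%s\n' 'password requisite pam_pwquality.so minlen=12' \
                      'password required pam_pwhistory.so remember=5 use_authtok' \
            > "$d/etc/pam.d/common-password"
        printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' > "$d/etc/ssh/sshd_config"
        printf '%s\n' 'monthly' 'rotate 6' '/var/log/wtmp {' '    rotate 1' '}' \
            > "$d/etc/logrotate.conf"
    else
        printf '%s\n' '# PASS_WARN_AGE 14' 'PASS_WARN_AGE 3' > "$d/etc/login.defs"
        printf '%s\n' 'password required pam_unix.so sha512' > "$d/etc/pam.d/common-password"
        printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$d/etc/ssh/sshd_config"
        printf '%s\n' 'weekly' 'rotate 4' > "$d/etc/logrotate.conf"
    fi
}

demo=$(mktemp -d)
make_sample_root "$demo" weak
audit_hardening "$demo"
rm -rf "$demo"
```

In the weak sample the second PermitRootLogin line reads "no", but the audit still reports a failure because sshd uses the first value it obtains for a keyword.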
In one embodiment, the security hardening policy further comprises: DoS attack defense through the kernel's built-in SYNPROXY proxy module; recording, for each history command, the login IP address, the command execution time and the like; hiding the operating system and kernel version; deleting invalid scheduled tasks; deleting invalid one-time tasks; and process management; thereby further enhancing the security of the system.
And step S604, finishing the deployment of the microkernel operating system.
The invention has the beneficial effects that:
(1) By cutting the kernel, the system has extremely small volume, occupies less resources during operation and has high speed;
(2) The system is operated in the memory by a pre-deployed file system, so that the system operation speed is further increased, and data loss caused by accidents in data exchange between the memory and the hard disk is prevented;
(3) The system is safer to operate through the kernel patch;
(4) The use of the system by the user is safer by deploying the security policy;
(5) The boot-up speed is further increased when the system is started up or restarted by customizing the boot module;
(6) According to the improved network security module, the network security of the system is further enhanced;
(7) The graphical interface and the corresponding display card drive are removed, and system resources are further saved;
(8) The system has good fault tolerance.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
In the embodiment of the present invention, referring to fig. 2, a block diagram of a microkernel operating system according to an embodiment of the present invention is shown, where the operating system is applied to a server and, as a security-customized system, specifically includes the following modules:
a physical device module 100, including the basic hardware on which the system runs; a system booting module 300, used for booting the system when the system is started; a basic system driver module 400, configured to provide an operation interface between the basic hardware and the system software; a microkernel module 200, for providing a basis for system operation; a system compiling module 900, for compiling the system kernel and the various modules; a Tmpfs-based security system module 500, for supporting the operation of system-level modules, including a SHELL module; a SQUASHFS-based system support module 600, used for constructing an interaction channel between the system-level modules and the application-level modules; a core dynamic library 800, comprising, in order of dependency, an application software dependency library 803, a system support file dependency library 802 and a core file system dependency library 801, used for guaranteeing normal operation of the file system; and an exchange class application module 700, used for carrying and supporting the applications, based on EXT4.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
Referring to fig. 3, in an embodiment of the present invention, the present invention further provides a computer device, where the computer device 12 is represented in a form of a general-purpose computing device, and components of the computer device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus 18 structures, including a memory bus 18 or memory controller, a peripheral bus 18, an accelerated graphics port, and a processor or local bus 18 using any of a variety of bus 18 architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus 18, Micro Channel Architecture (MCA) bus 18, enhanced ISA bus 18, Video Electronics Standards Association (VESA) local bus 18, and Peripheral Component Interconnect (PCI) bus 18.
Computer device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 31 and/or cache memory 32. Computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (commonly referred to as a "hard disk drive"). Although not shown in FIG. 3, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. The memory may include at least one program product having a set (e.g., at least one) of program modules 42, with the program modules 42 configured to carry out the functions of embodiments of the invention.
A program/utility 41 having a set (at least one) of program modules 42 may be stored, for example, in memory, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules 42, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Computer device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, camera, etc.), with one or more devices that enable a user to interact with computer device 12, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, computer device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN)), a Wide Area Network (WAN), and/or a public network (e.g., the Internet) via network adapter 20. As shown, the network adapter 21 communicates with the other modules of the computer device 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to: microcode, device drivers, redundant processing units 16, external disk drive arrays, RAID systems, tape drives, and data backup storage systems 34, among others.
The processing unit 16 executes various functional applications and data processing by executing programs stored in the system memory 28, for example, to implement the server-based microkernel operating system deployment method provided by the embodiment of the present invention.
That is, the processing unit 16 implements, when executing the program: acquiring a kernel source code of a Linux system with a kernel prototype; selectively configuring the kernel source code to obtain a simplified kernel; compiling the simplified kernel, and installing a kernel module and the kernel to obtain a microkernel operating system; verifying the microkernel and installing a kernel security patch on the microkernel; configuring a file system, specifically configuring an initramfs virtual memory file system based on the Tmpfs file system; initializing the microkernel operating system and finishing the deployment of the microkernel operating system.
In an embodiment of the present invention, the present invention further provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the method for deploying the server-based microkernel operating system as provided in all embodiments of the present application.
That is, the program when executed by the processor implements: acquiring a kernel source code of a Linux system with a kernel prototype; selectively configuring the kernel source code to obtain a simplified kernel; compiling the simplified kernel, and installing a kernel module and the kernel to obtain a microkernel operating system; verifying the microkernel and installing a kernel security patch on the microkernel; configuring a file system, specifically configuring an initramfs virtual memory file system based on the Tmpfs file system; initializing the microkernel operating system and finishing the deployment of the microkernel operating system.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, Python, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another identical element in a process, method, article, or terminal apparatus that comprises the element.
The server-based microkernel operating system deployment method and the microkernel operating system provided by the invention have been described in detail above. Specific examples are used in the description to explain the principle and the implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method and the core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the application scope. In summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (7)

1. A method for deploying a server-based microkernel operating system is characterized by comprising the following steps:
acquiring a kernel source code of a Linux system with a kernel prototype;
selectively configuring the kernel source codes to obtain a simplified kernel, specifically, selectively cutting corresponding modules of the kernel source codes, removing kernel modules irrelevant to the application of the server to be customized, and obtaining the simplified kernel;
compiling the simplified kernel, and installing a kernel module and the kernel to obtain a microkernel operating system; wherein the microkernel operating system occupies no more than 50MB of space;
verifying the microkernel and applying a kernel security patch to the microkernel; the kernel security patch includes: a kernel vulnerability security patch, a kernel protocol stack patch, a kernel network card driver patch and a hardware driver patch; specifically, the kernel protocol stack patch includes a customized network transport protocol;
configuring a file system, specifically configuring an initramfs virtual memory file system based on a Tmpfs file system;
initializing a microkernel operating system and finishing deployment of the microkernel operating system; specifically, a system starting mechanism and a system service operation mechanism are configured based on the microkernel operating system; deploying supporting software according to the file system; deploying a network and a security policy; and completing the deployment of the microkernel operating system.
2. The method of claim 1, wherein selectively clipping the corresponding module of the kernel source code to remove kernel modules irrelevant to the desired customized server application to obtain a reduced kernel comprises:
the removed kernel modules comprise an IPSET module, an advanced configuration and power management interface error reporting interface module, an industrial standard Internet tunneling protocol (L2TP) module, a Multi-queue priority scheduler module, an Apple computer device driver, an Ethernet card driver support module, an asynchronous transmission module, a network card module which is different from a currently used network card, a computer touch panel, a handwriting panel and touch screen driver, a sensor, a multimedia device, a coding and decoding module, a network camera module, a digital satellite broadcasting system module, a man-machine interaction device module, a sound card driver, ISDN, Dallas's 1-wire, an unnecessary input device support module, an unnecessary peripheral device driver, a mobile storage interface driver, an X86 platform driver module, a display card driver, a non-currently used network type supported by a kernel, a hardware device monitoring module, a hardware virtual machine support module, a software virtual machine support module, a kernel debug module and a kernel hack module.
3. The method according to claim 1, wherein the configuring the file system comprises configuring a core file system, and in particular, after configuring an initramfs virtual memory file system based on a Tmpfs file system, the configuring further comprises:
when the system runs, the microkernel operating system is called into the memory to run through the core file system.
4. The method of claim 3, wherein configuring a system boot mechanism and a system service run mechanism based on the microkernel operating system comprises:
configuring an initialization process module, specifically, modifying an INIT process script based on BUSYBOX, and setting a corresponding console running environment;
and configuring basic services of the console operation environment.
5. The method of claim 4, wherein said deploying support software according to the file system comprises:
dynamically compiling a BUSYBOX module, including modifying BUSYBOX source codes and adding new commands into the BUSYBOX source codes; the new commands are applied to syslog system logs, EUDEV device enumeration, an OpenSSL SSL protocol library, an application program and a cryptographic algorithm library;
and realizing a PAM authentication module and a library file thereof through an OpenSSH SSH protocol to form a core part of the microkernel operating system.
6. The operating system of the method according to any one of claims 1 to 5, applied to a server, secure customization device, comprising:
the physical equipment module comprises basic hardware for carrying out system operation;
the system guide module is used for guiding the system to start when starting up;
the basic system driving module is used for providing an operation interface of the basic hardware and the system software;
the microkernel module is used for providing a basis for system operation;
the system compiling module is used for compiling a system kernel and various modules;
the Tmpfs-based security system module is used for supporting system-level module operation;
the system support module based on the SQUASHFS is used for constructing an interaction channel between a system level module and an application level module;
the core dynamic library comprises an application software dependency library, a system support file dependency library and a core file system dependency library which are sequentially in a dependency relationship and is used for ensuring the normal operation of a file system;
and the exchange application module based on the EXT4 is used for carrying and supporting the application program.
7. Electronic device, characterized in that it comprises a processor, a memory and a computer program stored on said memory and capable of running on said processor, said computer program comprising an operating system, said computer program realizing the steps of the server-based microkernel operating system deployment method according to any one of claims 1 to 5 when executed by said processor.
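An added example, not part of the patent: one way to audit a built kernel's .config against the trimming listed in claim 2 and the Tmpfs-backed initramfs of claim 1, so that leftover attack surface is caught before deployment. The mapping from claim wording to mainline Kconfig symbols, the function names and the sample .config are assumptions made for illustration.

```python
import re

# Assumed mapping (not from the patent): Kconfig symbol -> claim 2 wording.
CLAIM2_REMOVED = {
    "CONFIG_IP_SET": "IPSET module",
    "CONFIG_ACPI_APEI": "ACPI error reporting interface",
    "CONFIG_L2TP": "L2TP tunneling protocol",
    "CONFIG_NET_SCH_MULTIQ": "multi-queue priority scheduler",
    "CONFIG_ATM": "asynchronous transmission module",
    "CONFIG_SOUND": "sound card driver",
    "CONFIG_ISDN": "ISDN",
    "CONFIG_W1": "Dallas's 1-wire",
    "CONFIG_KVM": "hardware virtual machine support",
}
# Assumed requirement for claim 1: initramfs support with tmpfs built in.
CLAIM1_REQUIRED = ("CONFIG_BLK_DEV_INITRD", "CONFIG_TMPFS")
# Matches either 'CONFIG_X=value' or '# CONFIG_X is not set'.
_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            opts[m.group(1) or m.group(3)] = m.group(2).strip('"') if m.group(1) else "n"
    return opts

def audit(text):
    """Return (trimmed options still enabled, required options not built in)."""
    opts = parse_config(text)
    still = sorted(s for s in CLAIM2_REMOVED if opts.get(s, "n") in ("y", "m"))
    missing = sorted(s for s in CLAIM1_REQUIRED if opts.get(s, "n") != "y")
    return still, missing

# Constructed sample .config fragment, for illustration only.
SAMPLE = """\
CONFIG_BLK_DEV_INITRD=y
# CONFIG_TMPFS is not set
CONFIG_IP_SET=m
# CONFIG_L2TP is not set
CONFIG_KVM=y
CONFIG_SOUND=y
CONFIG_LOCALVERSION="-srv"
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An option built as a loadable module (`m`) counts as still enabled, since the code remains shipped and loadable at run time.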
CN202110336679.1A 2021-03-29 2021-03-29 Server-based microkernel operating system deployment method and operating system Active CN113127077B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110336679.1A CN113127077B (en) 2021-03-29 2021-03-29 Server-based microkernel operating system deployment method and operating system

Publications (2)

Publication Number Publication Date
CN113127077A CN113127077A (en) 2021-07-16
CN113127077B true CN113127077B (en) 2023-01-31

Family

ID=76774492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110336679.1A Active CN113127077B (en) 2021-03-29 2021-03-29 Server-based microkernel operating system deployment method and operating system

Country Status (1)

Country Link
CN (1) CN113127077B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660279B (en) * 2021-08-19 2022-12-13 平安科技(深圳)有限公司 Security protection method, device, equipment and storage medium of network host
CN114138362B (en) * 2021-11-18 2024-03-01 武汉深之度科技有限公司 Anti-unloading method and device for kernel module and computing equipment
CN114138350A (en) * 2021-11-18 2022-03-04 锐捷网络股份有限公司 Installation method and device of network operating system
CN114356423B (en) * 2021-12-16 2022-11-11 科东(广州)软件科技有限公司 Board-level support packet processing method and device, electronic equipment and storage medium
CN116662078B (en) * 2023-07-31 2023-10-20 江苏博云科技股份有限公司 Operating system batch recovery method and system based on microkernel implementation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275893B1 (en) * 1998-09-14 2001-08-14 Compaq Computer Corporation Method and apparatus for providing seamless hooking and intercepting of selected kernel and HAL exported entry points in an operating system
CN102360305A (en) * 2011-10-09 2012-02-22 中国航天科技集团公司第五研究院第五一三研究所 VxWorks operating system scaling and customizing method for aerospace computer
CN104090748A (en) * 2014-05-22 2014-10-08 西安电子科技大学 Method for simplifying source code based on Makefile source code simplifying device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2302966A (en) * 1995-06-30 1997-02-05 Ibm Transaction processing with a reduced-kernel operating system
US6622300B1 (en) * 1999-04-21 2003-09-16 Hewlett-Packard Development Company, L.P. Dynamic optimization of computer programs using code-rewriting kernal module
US7546450B2 (en) * 2006-03-07 2009-06-09 Sun Microsystems, Inc. Method and apparatus for operating system deployment
CN102053831B (en) * 2010-12-10 2013-06-19 浪潮(北京)电子信息产业有限公司 Linux operating system customizing method and system
CN104199713A (en) * 2014-08-25 2014-12-10 山东超越数控电子有限公司 Embedded Linux operation system trimming customization method

Also Published As

Publication number Publication date
CN113127077A (en) 2021-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant