HTTP-FUSE-KNOPPIX / Xenoppix
[CAUTION] The home pages related to KNOPPIX Japanese Edition, VMKnoppix,
etc. have moved to http://www.rcis.aist.go.jp/project/knoppix/index-en.html
Please visit the new home page for the latest information.
Special Topic:
- Release: HTTP-FUSE KNOPPIX for Trusted Computing Geeks 101
- "Trusted HTTP-FUSE KNOPPIX" is released.
- We developed a trusted network loopback block device, "Trusted HTTP-FUSE CLOOP", and integrated it into KNOPPIX. It also includes Trusted GRUB and enables Trusted Boot with TPM 1.1. It keeps a log of attached devices and accessed blocks, and the attestation can be confirmed from that log. The bootable CD is only 9MB, because the block device is obtained via the Internet using Trusted HTTP-FUSE
KNOPPIX.
Figure: Steps of the Chain of Trust. The devices and accessed block devices are measured
and logged as SHA1 digests. The chain of SHA1 digests is stored in the PCRs (Platform
Configuration Registers) of the TPM.
Figure: Detail of the Chain of Trust on Trusted GRUB and Trusted HTTP-FUSE CLOOP
- ISO file (only 9MB) httpfuse-trusted_20061101.iso (MD5: c98fcc4b77404b69dcc96b71de1d6a3d)
- Usage
- Requirements:
- Internet connection.
- A PC that supports Trusted Boot with TPM 1.1. Please turn on the TPM in the
BIOS. We confirmed Trusted Boot on IBM ThinkPad X30 and T42.
- Burn a CD-ROM with the ISO file and boot from it. You can add options
at GRUB stage 1.5. During boot you will find a menu of download servers for
block files. Please select the nearest server. (3 servers in EU, 3 servers
in US, and 13 servers in Japan.)
- Additional Options:
- http_proxy=
- Designate proxy URL.
- Example http_proxy=http://proxy.aist.go.jp:8080
- staticipaddress
- Set Static IP address during boot sequence.
- "IPaddress:", "Netmask:", "Default Gateway:",
"Name Server:"
- memcache
- Download block files to a RAM disk. Requires a lot of memory.
- nocache
- Block files are not saved.
- fuse_uri=
- Designate direct URI of block files.
- Example fuse_uri=http://ring.aist.go.jp/archives/linux/knoppix/knx501tpm/knoppix501en
- How to check Trusted Boot (Example: on ThinkPAD T42 & X30 with Atmel TPM 1.1 Chip)
- Check the Trusted Boot
- Preparation
- # modprobe atml_tpm
- # mount -t security none /sys/kernel/security
- Check the log of Trusted Boot
- # cat /sys/kernel/security/tpm0/ascii_bios_measurement
5 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
6 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
7 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]
4 38f30a0a967fcf2bfee1e3b2971de540115048c8 05 [Returned INT 19h]
4 7ca42b22324927c400263bae94e1e7cc28655532 05 [Booting CD ROM]
4 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 01 [POST CODE]
5 3315669a981d24f825eff4f2cc6f1d35093dfe8b 01 [POST CODE]
8 27fb6f0e387394ff8a125e225ab0eed21496f773 01 [POST CODE] *** kernel "linux"
8 0e8daebdd20d97a3761803c473bc77ed82a5e996 01 [POST CODE] *** miniroot "minirt.gz"
- Confirm the SHA1 values.
# sha1 /mnt/cdrom/boot/isolinux/linux
27fb6f0e387394ff8a125e225ab0eed21496f773 /mnt/cdrom/boot/isolinux/linux
# sha1 /mnt/cdrom/boot/isolinux/minirt.gz
0e8daebdd20d97a3761803c473bc77ed82a5e996 /mnt/cdrom/boot/isolinux/minirt.gz
- Check the Register of TPM
- # cat /sys/devices/platform/tpm_atmel/pcrs
PCR-00: EC 44 13 64 3D 36 06 10 C0 26 D2 90 79 FD 95 A4 D6 FC B9 C1
PCR-01: C0 A9 46 A3 A4 24 B2 F0 61 2C BA B7 9D 81 E4 F8 1A 71 AC 67
PCR-02: EB B3 BA AE E7 57 4B B6 37 AA AB 67 0F 9A C1 BC EB 6F 80 F3
PCR-03: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
PCR-04: 01 56 4F A7 09 AE 00 B1 90 84 28 D3 09 09 A1 F9 AD B5 53 29
PCR-05: 1A F1 39 04 08 69 63 DE 79 41 E4 2E 68 DE 2E B0 B7 85 BD 82
PCR-06: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
PCR-07: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
PCR-08: AF 8F 70 C0 A6 92 7C 6F A6 FA 6B F1 D8 94 AC F0 F2 04 BC CA
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- Check the log of Trusted HTTP-FUSE CLOOP
- # tail -f /var/log/fs_wrapper_PID.log
1150452051.109: #00000000(845b31ded38e15c1fa8febf97fe0781f23af98c3) :missed.
1150452051.112: #00000000(845b31ded38e15c1fa8febf97fe0781f23af98c3) :hits.
1150452051.112: #00000001(166cbaedbb1cc836e7c95d7d9943efde5a53829e) :missed.
1150452051.113: #00000002(29c4e363dbad648072751ca1f856e5780dd2981d) :missed.
1150452051.114: #00000003(fa8ad05b713a9cf8a701636ca6c353dc58fd6bfd) :missed.
1150452051.114: #00000004(1f82a543fa9310c44eff6a13618beca3cacffc12) :missed.
- When you run an application, the accessed blocks are logged. Please confirm this.
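As an added example (not code from the original page or the project), the following Python performs the check above in software: it parses lines in the ascii_bios_measurement format, replays the SHA1 extend chain into the PCRs, compares the result with the tpm_atmel "pcrs" layout, and checks a component's SHA1 against the digest the log recorded for it. The log excerpt is constructed; only the kernel and miniroot digests are taken from this page, and all function names are this example's own.

```python
import hashlib
import re
from typing import Dict, List, Tuple
# Constructed excerpt in the ascii_bios_measurement layout "<pcr> <sha1> <type> [<desc>]".
# The kernel and miniroot digests are the ones shown on this page; the rest is illustrative.
SAMPLE_LOG = """\
4 7ca42b22324927c400263bae94e1e7cc28655532 05 [Booting CD ROM]
8 27fb6f0e387394ff8a125e225ab0eed21496f773 01 [POST CODE] *** kernel "linux"
8 0e8daebdd20d97a3761803c473bc77ed82a5e996 01 [POST CODE] *** miniroot "minirt.gz"
"""
LINE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F]{40})\s+(\S+)\s*(.*)$")

def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (pcr index, digest hex, event type, description) per well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or malformed lines instead of guessing
            events.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return events

def extend(pcr: bytes, digest_hex: str) -> bytes:
    """TPM 1.1 PCR extend: PCR_new = SHA1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + bytes.fromhex(digest_hex)).digest()

def replay(events) -> Dict[int, bytes]:
    """Recompute all 16 PCRs from the reset state (all zeros) by replaying the log."""
    pcrs = {i: b"\x00" * 20 for i in range(16)}
    for idx, digest, _, _ in events:
        pcrs[idx] = extend(pcrs[idx], digest)
    return pcrs

def format_pcrs(pcrs: Dict[int, bytes]) -> str:
    """Render PCRs in the 'PCR-NN: XX XX ...' layout of the tpm_atmel 'pcrs' file."""
    return "\n".join(f"PCR-{i:02d}: {pcrs[i].hex(' ').upper()}" for i in sorted(pcrs))

def parse_pcrs(text: str) -> Dict[int, bytes]:
    out = {}
    for line in text.splitlines():
        name, _, hexbytes = line.partition(":")
        if name.startswith("PCR-"):
            out[int(name[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return out

def log_matches_pcrs(events, reported: Dict[int, bytes]) -> bool:
    """True if replaying the log reproduces every PCR the log touches; an edited log does not."""
    expected = replay(events)
    return all(expected[i] == reported.get(i) for i in {e[0] for e in events})

def component_digests(events) -> Dict[str, str]:
    """Map measured boot components ('*** kernel "linux"') to their logged digest."""
    found = {}
    for _, digest, _, desc in events:
        m = re.search(r'\*\*\* \w+ "([^"]+)"', desc)
        if m:
            found[m.group(1)] = digest
    return found

def component_matches(data: bytes, expected_hex: str) -> bool:
    """Software equivalent of comparing 'sha1 /mnt/cdrom/boot/isolinux/linux' with the log."""
    return hashlib.sha1(data).hexdigest() == expected_hex.lower()
```

Only the PCRs that appear in the log are compared, so a PCR the log never mentions (PCR-09 to PCR-15 above) is neither confirmed nor contradicted by this check.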
- Related Publications:
- "Trusted Boot of HTTP-FUSE KNOPPIX", Kuniyasu Suzaki, Toshiki
Yagi, Kengo Iijima(AIST), Megumi Nakamura, Seiji Munetoh (IBM Japan), Linux-Kongress 2006
- "Security Enhancement of HTTP-FUSE Knoppix Client by Trusted Computing", Megumi Nakamura, Seiji Munetoh (IBM Japan), Kuniyasu Suzaki, Kengo
Iijima, Toshiki Yagi, Ichiro Osawa (AIST), ISEC2006 (Written in Japanese)
- Linux-Kongress 2006 at Nurnberg, Germany
- Slide of "HTTP-FUSE Xenoppix" at Ottawa Linux Symposium 2006
- Ottawa Linux Symposium 2006
- "HTTP-FUSE Xenoppix" was presented.
- The HTTP-FUSE KNOPPIX/Xenoppix Box (an SH4-Linux router with TFTP and HTTP proxy) was exhibited at the CE Linux Forum DEMO booth at OLS2006.
- HTTP-FUSE-KNOPPIX-4.0.2 is released.
- knoppix-fuse-4.0.2_20060207.iso (MD5: 130c0fc1eb520cc5b76899157b379f18)
- This version enables use of CD-KNOPPIX 4.0.2 (700MB) or DVD-KNOPPIX 4.0.2 (3.2GB).
- The Debian package and source code of HTTP-FUSE CLOOP are released. The details are described under "HTTP-FUSE mount & mkmd5files".
- Boot Menu
Figure: Select a near download site.
Figure: Select CD-KNOPPIX402 or DVD-KNOPPIX402.
- The download sites are now worldwide, as for HTTP-FUSE Xenoppix.
Figure: "Google Map" of download sites (click to open).
# Not all sites may be available.
Figure: Comparison of HTTP-FUSE KNOPPIX (4.7MB) with CD-KNOPPIX 4.0.2 (700MB) or
DVD-KNOPPIX 4.0.2 (3.2GB).
- HTTP-FUSE Xenoppix is released.
- Home page of HTTP-FUSE Xenoppix is
- HTTP-FUSE-KNOPPIX-4.0 is released.
- HTTP-FUSE-KNOPPIX-4.0 is only a 5MB CD image and enables us to use DVD KNOPPIX 4.0. We don't need to download the 3.8GB ISO image at once and burn a DVD.
- 5MB CD iso image http://unit.aist.go.jp/itri/knoppix/http-fuse/knoppix-fuse-4.0_20050831.iso
- Manual http://unit.aist.go.jp/itri/knoppix/http-fuse/knoppix-fuse40en.pdf
- The contents of this page are for HTTP-FUSE KNOPPIX 3.7, so they are a little
old. Please refer to the PDF manual.
- The following figures show the difference between normal DVD KNOPPIX and HTTP-FUSE
KNOPPIX. Please click each figure to enlarge it.
Figure: Normal DVD KNOPPIX
Figure: HTTP-FUSE KNOPPIX
- Performance test.
We measured the boot time, amount of traffic and throughput of HTTP-FUSE
KNOPPIX. NON-DL means no DownLoadAhead function. DL-2500 means DownLoadAhead
of 2500 files. DL-FULL means full (3000 files) DownLoadAhead.
Click a graph to show the detail.
Boot time with no delay:
DL-FULL 97sec
DL-2500 98sec
NON-DL 113sec
(DVD boot time 295sec)
Boot time with 200msec delay (caused by BSD dummy-net):
DL-FULL 437sec
DL-2500 644sec
NON-DL 1413sec
(DVD boot time 295sec)
Figures: Amount of Traffic (two graphs)
Figures: Throughput (two graphs)
Introduction
HTTP-FUSE-KNOPPIX is a "pile-up" KNOPPIX. HTTP-FUSE KNOPPIX downloads
pieces of the root filesystem from an HTTP server when a piece is requested,
whereas normal KNOPPIX requires the whole 700MB ISO image first. The pieces
are "piled up" on your PC.
The first, minimum parts of HTTP-FUSE-KNOPPIX are the bootloader with the "Linux kernel" and "miniroot". Their size is only 6MB. The rest, the 700MB "ROOT file system", is downloaded on demand as small pieces of a block device.
The original block device which includes the ROOT file system is split into small data pieces. Each small data piece is compressed and saved to a file. The files are called "split-and-compressed block files". A split-and-compressed block file is downloaded when it is required. The split-and-compressed
block files compose a virtual block device with HTTP-FUSE.
# HTTP-FUSE is based on FUSE (Filesystem in Userspace) http://fuse.sourceforge.net/.
HTTP-FUSE-KNOPPIX selects the ROOT file system at boot time. This means HTTP-FUSE-KNOPPIX
doesn't need a new CD-ROM for customization; the customized
root file system is just uploaded to the HTTP server.
Furthermore, the uploaded "split-and-compressed block files" for a customized KNOPPIX are only the differences. Most split-and-compressed
block files are shared between the original KNOPPIX and the customized KNOPPIX.
This feature keeps the server volume small when a customized KNOPPIX is added.
The following figures show the difference between "Normal KNOPPIX"
and "HTTP-FUSE-KNOPPIX".
Figure: Normal KNOPPIX
The ISO image is 700MB.
It includes everything (bootloader, kernel, miniroot, and the cloop file which
includes the ROOT file system).
Figure: HTTP-FUSE-KNOPPIX
The first boot image is 6MB. It includes the bootloader, kernel, and miniroot.
The ROOT file system (cloop file) is changed to "split-and-compressed block files".
The files are obtained from the HTTP server via HTTP-FUSE and re-composed.
The pieces of the cloop file are piled up on local storage. They are re-usable.
The ROOT file system is selectable at boot time. We don't need to burn a CD-ROM
for a customized KNOPPIX.
The same block files are shared between the original and customized KNOPPIX.
How to boot first
The boot time of HTTP-FUSE-KNOPPIX depends heavily on network latency.
We use CDNs (Content Delivery Networks) to distribute block files. The current
target CDNs are RING Project mirror servers and "Coralised" servers ("Coral" is a project for P2P proxies). The CDNs have many sites and allocate a near (short latency) site to a client by DNS within the CDN. Many Ring servers exist in Japan and offer broadband network access for Japanese clients. Coral proxies are distributed by PlanetLab and cover the whole world.
Furthermore, HTTP-FUSE-KNOPPIX uses "netselect" to find the nearest site among the CDNs. This gives the shortest network latency anywhere in the world.
Figure: "netselect" finds the closest site on the CDN.
The summary of benefits
- HTTP-FUSE-KNOPPIX enables the use of many KNOPPIX offshoots with only one CD-ROM.
- It enables selection of a ROOT file system (cloop file) at boot time.
- Reduced network traffic.
- The first download image of HTTP-FUSE-KNOPPIX is only a 6MB bootloader, whereas
normal KNOPPIX is a 700MB full set.
- After boot, only the necessary block files (parts of the root filesystem) are downloaded.
The downloaded block files can be saved and re-used.
- Reduced HTTP server volume for customized KNOPPIX.
- Block files which have the same contents are shared.
- HTTP-FUSE-KNOPPIX is compatible with normal KNOPPIX.
- It uses the same kernel version and cloop file. AutoConfig loads the same device
drivers.
- The hard disk installer works in the same manner.
------------------------------------
Learn a bitter lesson from SFS-KNOPPIX
Before HTTP-FUSE-KNOPPIX, we made SFS-KNOPPIX, which boots from the Internet with a cloop (ROOT file system) on SFS (Self-certifying File System). We learned a bitter lesson from SFS-KNOPPIX. The SFS servers exist in Japan. There is a long network latency (more than 100msec) from the US and EU. It takes 30 MINUTES to boot SFS-KNOPPIX from the US and EU.
The problem is caused by the server-client model on the Internet. SFS-KNOPPIX has
to connect to SFS to mount the ROOT file system at every boot and can't escape the
latency. To solve the problem we made HTTP-FUSE-KNOPPIX. The points are
the following.
- Make a transparent block device and pile up the parts of the block device.
- This implementation cancels the latency problem at re-boot.
- Distribute block files by HTTP.
- An SFS server is not easy to extend, because it requires special software and port 4.
- HTTP is a common way to distribute files. There are many methods to expand
distribution, for example proxies, mirror servers, etc. If a client can find a near proxy or server, the client reduces the
effect of latency.
Download
HTTP-FUSE-KNOPPIX(CD Version)
HTTP-FUSE-KNOPPIX(USB Version)
Requirement
- Internet connection.
- Desirable memory is more than 256MB.
- More than 128MB of free storage space, if you want to save block files. The most popular device is USB memory.
- The best free space is 700MB, to save all split-and-compressed block files of the
cloop.
Preparation
HTTP-FUSE-KNOPPIX(CD Version)
- Please burn a CD-ROM with the ISO file.
HTTP-FUSE-KNOPPIX(USB Version)
The HTTP-FUSE-KNOPPIX USB version can be installed from Windows XP/2000.
- Connect the USB memory and confirm the drive name (Ex: "D:").
- Download the HTTP-FUSE-KNOPPIX USB version. It is a zip file. Extract the files.
- Please move to the extracted directory "FUSE_boot_usb_Installer"
and click "install".
- Please install HTTP-FUSE-KNOPPIX to the USB device.
- The USB device becomes a bootable device and some files for HTTP-FUSE-KNOPPIX are copied to it.
- Installation is finished. The files on the USB memory are as follows. Please reboot
and select boot from "USB-HDD".
To save block files
- Make a "knxblock" directory at the top of the device (a Windows drive). For example, make
a "knxblock" directory on the file system of the USB memory.
- The file system which includes the "knxblock" directory must be writable
(FAT, EXT2, etc.) and larger than 128MB.
- The "knxblock" directory is detected automatically and block files are saved
there.
BOOT
- CD Version: Insert the CD into the CD-ROM drive and boot from CD-ROM.
- USB Version: Connect the USB memory and boot from USB-HDD.
- It works as normal KNOPPIX. Boot options are also effective.
- If you want to use English, please specify the "lang=us" boot option.
- boot: knoppix lang=us

- The CDN selection menu will open. Please select one. The default is "NETSELECT", which finds the nearest download site.
- The block file selection menu will open. The left side is a short explanatory
note. Please select one.
- If you selected "NETSELECT", the nearest site is searched for.
- HTTP-FUSE-KNOPPIX is used as a normal KNOPPIX. Have fun!
Special Boot Option
- http_proxy=
- Designate proxy URL.
- Example boot: knoppix26 http_proxy=http://proxy.aist.go.jp:8080
- staticipaddress
- Set Static IP address during boot sequence.
- "IPaddress:", "Netmask:", "Default Gateway:",
"Name Server:"
- memcache
- Download block files to a RAM disk. Requires a lot of memory.
- fuse_uri=
- Designate direct URI of block files.
- Example boot: knoppix26 fuse_uri=unit.aist.go.jp/itri/knoppix/knxblock/knoppix37JP/
HTTP Servers & Block files
List of HTTP Servers: http://unit.aist.go.jp/itri/knoppix/knxblock/deliver_menu
- Ring Project: Mirror servers for free software.
- Coralised server.
List of block files: http://unit.aist.go.jp/itri/knoppix/knxblock/contents_menu
A "*.cue" file is a list of block files. You can check the differences
between two of them with the "diff" command.
Detail of Implementation
The figure shows the detail of the cloop driver. A cloop file is made from a
block device. The block device is split into 64KB pieces and compressed. They are stored
in a cloop file. The header of the cloop file holds the location data of the split-and-compressed
blocks. The cloop driver re-configures a virtual block device from the cloop file
when it is accessed.

The figure shows the detail of HTTP-FUSE and the cloop driver. The block device is split into 64KB pieces and compressed. Each piece is saved as a file. We call it a "split-and-compressed block file". HTTP-FUSE gets split-and-compressed block files and re-configures a cloop file.

The figure shows that the HTTP-FUSE driver gets split-and-compressed block files
from the HTTP server.

The block files for a customized KNOPPIX are reduced, because most block files aren't changed and are reusable. The following figure shows how to get the differing block files.

HTTP-FUSE mount & mkmd5files
- Debian packages for "HTTP-FUSE mount & mkmd5files" are released.
They work on KNOPPIX 4.0.2 using UNIONFS.
- Required packages
- INSTALL
- # dpkg -i fs-wrapper_0.4-3_i386.deb
- SETUP & MOUNT
- Sample1:
- # mkdir /mnt/knoppix402cd-tmp
- # mkdir /mnt/knoppix402cd
- # fs_wrapper /mnt/knoppix402cd-tmp -f http://knoppix.alpha.co.jp/http-fuse-knoppix/knxblock402/knoppix402cd.idx
- On another console.
- # cd /mnt/knoppix402cd-tmp
- # losetup /dev/cloop3 KNOPPIX
- # mount /dev/cloop3 /mnt/knoppix402cd
- Sample2:
- # mkdir /mnt/knoppix402dvd2-tmp
- # mkdir /mnt/knoppix402dvd2
- # fs_wrapper /mnt/knoppix402dvd2-tmp -f http://knoppix.alpha.co.jp/http-fuse-knoppix/knxblock402/knoppix402dvd_2.idx
- On another console.
- # cd /mnt/knoppix402dvd2-tmp
- # losetup /dev/cloop3 KNOPPIX
- # mount /dev/cloop3 /mnt/knoppix402dvd2
- mkmd5files makes "split-and-compressed block files" for HTTP-FUSE from a block device.
- Usage: mkmd5files <block device> <index file name> <split-block
size>
- You can try it on the KNOPPIX CD as follows.
- # mkmd5files /dev/cloop knoppix402.idx 262144
- 256KB split-and-compressed block files are created under the "blockfile" directory.
- The split-and-compressed block files are served by an HTTP server and can be mounted by "fs_wrapper".
(OLD) HTTP-FUSE mount & mkmd5files
- 4 Debian packages for "HTTP-FUSE mount & mkmd5files" are
released. They work on KNOPPIX 3.9 using UNIONFS.
- How to install and use
- Change to ROOT user by "su" command.
- Install Debian Packages. (The order of package means the dependency relation.)
- # dpkg -i libfuse2_2.2.1-4_i386.deb fuse-utils_2.2.1-4_i386.deb fuse-module-2.6.11_2.2.1-4_i386.deb
fs-wrapper_0.1-2_i386.deb
- fuse-utils asks for a "group name" for the http-fuse mount. Please
specify "root".
- Make a directory for http-fuse.
- Run "fs_wrapper" with the directory and the URL of the HTTP-FUSE block files.
- # fs_wrapper /tmp/fuse -f http://aist.ring.gr.jp/archives/linux/knoppix/knxblock/KNOPPIX37FSFE/
- or # fs_wrapper /tmp/fuse -f http://aist.ring.gr.jp/archives/linux/knoppix/knxblock/KNOPPIX37JP/
- or # fs_wrapper /tmp/fuse -f http://aist.ring.gr.jp/archives/linux/knoppix/knxblock/KNOPPIX37Edu/
- or # fs_wrapper /tmp/fuse -f http://aist.ring.gr.jp/archives/linux/knoppix/knxblock/KNOPPIX37Math/
- This process prints the log of fs_wrapper.
- Please open another terminal. You will find a cloop file at "/tmp/fuse/KNOPPIX". Please set up the loopback mount.
- # losetup /dev/cloop1 /tmp/fuse/KNOPPIX
- # mkdir /mnt/http-fuse
- # mount /dev/cloop1 /mnt/http-fuse
- You can use the files at "/mnt/http-fuse/". When you touch a file under
/mnt/http-fuse, the blocks are downloaded to "/tmp/blocks/[00-ff]/".
- mkmd5files makes "split-and-compressed block files" for HTTP-FUSE from a block device.
- Usage: mkmd5files <block device> <target directory for split-and-compressed block
files> <split-block size>
- You can try it on the KNOPPIX CD as follows.
- # mkmd5files /dev/cloop /tmp/http-fuse/ 262144
- 256KB split-and-compressed block files are created under /tmp/http-fuse/. The file
space required is approximately 700MB.
- The split-and-compressed block files are served by an HTTP server and can be mounted by "fs_wrapper".
Problems and Solutions
- HTTP-FUSE-KNOPPIX stops when the client finds a time difference with DNS
or DHCP.
- The boot stops after the "Running Linux Kernel 2.6.9" message.
- Please specify "nodhcp" and the time zone. For example,
- boot: knoppix26 lang=us utc nodhcp
- boot: knoppix26 lang=us nodhcp TZ=Asia/Tokyo
- Shutdown may take time if block files have not been saved to storage yet.
- You will find the following message at shutdown. Please wait several
minutes for the files to be saved to storage from the RAM disk.
- could not umount /KNOPPIX -trying /dev/cloop instead
- USB-memory boot depends on the BIOS.
- Bootable PCs
- IBM ThinkPad T42: Press the F12 key at boot time and select USB-HDD in the HDD list.
- IBM ThinkPad X30 & T23: Press the F1 key at boot time and enter BIOS setup. Move to "Startup"
-> "Boot" -> "Hard Drive". Move "USB-HDD"
to the top of the bootable HDD list. Press the "F10" key for "Save
and Exit". After reboot, press the F12 key and select "Hard Drive".
Reference
Related work
Acknowledgement
A part of this development was supported by the Exploratory Software Project of IPA (Information Technology Promotion Agency, Japan). We would like to thank Fumitoshi Ukai (Project Manager) and Jun Okajima (Co-developer) for ideas and implementation.