Last modified: $Date: 2017-11-11 20:51:02 +0900 (Sat, 11 Nov 2017) $

TOMOYO Linux on CAT760

This page describes how to run TOMOYO Linux on CAT760. This page assumes Debian Sarge for x86 architecture as the host environment.


Basic course: Using kernel and rootfs stored on compact flash memory
Advanced course: Using kernel and rootfs stored on flash ROM

Basic course: Using kernel and rootfs stored on compact flash memory

Step 1: Building host environment

Since Debian Sarge has already reached End Of Life, you need to change the download server for packages. Log in as the root user and rewrite /etc/apt/sources.list as follows.

deb http://archive.debian.org/debian-archive/debian/ sarge main contrib non-free
deb http://archive.debian.org/debian-archive/debian-security/ sarge/updates main contrib non-free

Next, install a Linux 2.6 kernel so that the "-l" option of the fdisk command can list the device files.

# apt-get update
# apt-get -y install kernel-image-2.6.8-4-686-smp

Reboot with 2.6.8-4-686-smp kernel.

# reboot

Step 2: Installing packages needed for compiling

Create /mnt/cdrom as the mount point for the development CDROM and mount the CDROM there.

# mkdir -p /mnt/cdrom
# mount -t iso9660 -o ro /dev/cdrom /mnt/cdrom/

Install the packages that the cross compilers on the CDROM depend on.

# apt-get -y install gcc-3.4-base libreadline4

Install the cross compilers from the CDROM, but uninstall the gdb-sh4-linux package because it contains files which conflict with the binutils package.

# dpkg -i /mnt/cdrom/cross-tools/debian-sarge/sh4/*.deb
# dpkg --purge gdb-sh4-linux

Install the packages needed for compiling the kernel and the tools.

# apt-get -y install patch make gcc libc6-dev libncurses5-dev help2man libreadline5-dev

Step 3: Compiling kernel

Extract the kernel source.

# cd
# tar -zxf /mnt/cdrom/kernel/linux-2.6.15-cat_20080502.tgz
# cd linux-2.6.15-cat

Download and apply the TOMOYO Linux patch.

# wget -O ccs-patch-1.7.3-20171111.tar.gz 'http://osdn.jp/frs/redir.php?m=jaist&f=/tomoyo/43375/ccs-patch-1.7.3-20171111.tar.gz'
# wget -O ccs-patch-1.7.3-20171111.tar.gz.asc 'http://osdn.jp/frs/redir.php?m=jaist&f=/tomoyo/43375/ccs-patch-1.7.3-20171111.tar.gz.asc'
# gpg ccs-patch-1.7.3-20171111.tar.gz.asc
# tar -zxf ccs-patch-1.7.3-20171111.tar.gz
# patch -p1 < patches/ccs-patch-2.6.15-cat-760.diff
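The gpg step above only helps if a failed or foreign signature actually stops the extraction. The following shell functions are an added example (not part of the TOMOYO Linux page or project) that verify the detached signature against an expected signing-key fingerprint and refuse to unpack the tarball otherwise. EXPECTED_FPR is a placeholder, not the project's real fingerprint; has_valid_sig, verify_sig and verify_and_extract are this example's own names.

```shell
# Added example: fail-closed signature check before extracting ccs-patch.
# EXPECTED_FPR is a PLACEHOLDER; replace it with the fingerprint of the
# release signing key you have verified out of band.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# has_valid_sig FPR  -- reads "gpg --status-fd 1" output on stdin.
# gpg prints "[GNUPG:] VALIDSIG <signing-key fpr> ... <primary-key fpr>"
# for a good signature; FPR may be either fingerprint.
has_valid_sig() {
    grep '^\[GNUPG:\] VALIDSIG ' | grep -q -- "$1"
}

# verify_sig TARBALL SIGFILE  -> 0 only for a valid signature by EXPECTED_FPR
verify_sig() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    command -v gpg >/dev/null 2>&1 || return 1      # no gpg: fail closed
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        has_valid_sig "$EXPECTED_FPR"
}

# verify_and_extract TARBALL SIGFILE DESTDIR
verify_and_extract() {
    if verify_sig "$1" "$2"; then
        tar -zxf "$1" -C "$3"
    else
        echo "signature check failed for $1; not extracting" >&2
        return 1
    fi
}

# Usage on the files downloaded above:
#   verify_and_extract ccs-patch-1.7.3-20171111.tar.gz \
#                      ccs-patch-1.7.3-20171111.tar.gz.asc .
```

A plain "gpg file.asc" exits non-zero for a bad signature but succeeds for a good signature made by any key in your keyring, so the fingerprint comparison is what ties the download to the publisher you intended.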

Create the kernel config.

# make cat760_defconfig

Compile the kernel.

# make
# make modules_install

Loadable kernel modules are installed under the /home/ebihara/tmp/lib/modules/2.6.15-sh/ directory by "make modules_install". Thus, copy the kernel under the /home/ebihara/tmp/ directory as well.

# mkdir -p /home/ebihara/tmp/
# cp -p arch/sh/boot/zImage /home/ebihara/tmp/

Step 4: Compiling tools

Download TOMOYO Linux's tools source code.

# cd
# wget -O - 'http://osdn.jp/projects/tomoyo/svn/view/trunk/1.7.x/ccs-tools/ccstools.tar.gz?root=tomoyo&view=tar' | tar -zxf -

Cross compile for CAT760. The cross compiled programs are installed under the /home/ebihara/tmp/sbin/ and /home/ebihara/tmp/usr/ directories.

# make -C ccstools/ CC=sh4-linux-gcc INSTALLDIR=/home/ebihara/tmp/ install clean

Delete man pages as we don't need them.

# rm -fR /home/ebihara/tmp/usr/share/

To operate from the host environment, compile the tools for the host environment as well. The compiled programs are installed under the /sbin/ and /usr/ directories.

# make -sC ccstools/ install clean

Step 5: Formatting compact flash memory

Insert the compact flash memory which will be used as the / partition on CAT760 into the host environment's card slot.

Check the device file name of the compact flash memory using the fdisk command.

# fdisk -l

Disk /dev/sda: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1         522     4192933+  83  Linux

Disk /dev/sdb: 251 MB, 251658240 bytes
8 heads, 60 sectors/track, 1024 cylinders
Units = cylinders of 480 * 512 = 245760 bytes

Disk /dev/sdb doesn't contain a valid partition table

Hereafter, this page assumes that the device file name of the compact flash memory in the host environment is /dev/sdb . Double-check this name before the following steps: the partitioning and formatting commands below destroy whatever is on the device they are given.

Create a partition on the compact flash memory using the fdisk command.

# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that, of course, the previous
content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1024, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-1024, default 1024):
Using default value 1024

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Format the partition as an ext2 filesystem so that the compact flash memory can be mounted as the / partition.

# mke2fs /dev/sdb1
mke2fs 1.37 (21-Mar-2005)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
61440 inodes, 245728 blocks
12286 blocks (5.00%) reserved for the super user
First data block=1
30 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729, 204801, 221185

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Step 6: Copying to compact flash memory

Create /mnt/cfcard as the mount point and mount the compact flash memory there.

# mkdir -p /mnt/cfcard
# mount /dev/sdb1 /mnt/cfcard/

Extract the rootfs image from the CDROM onto the compact flash memory.

# cd /mnt/cfcard/
# tar -zxf /mnt/cdrom/rootfs/files/target_cat760_20060722.tgz --strip 2

Copy the cross compiled kernel and tools to the compact flash memory.

# cp -a /home/ebihara/tmp/* /mnt/cfcard/

Unmount the compact flash memory and insert it into CAT760.

# cd
# umount /mnt/cfcard/

Step 7: Initializing policy configuration

Make sure that all switches on SW1 on the SH4-760 board are set to OFF, and power CAT760 on. Then you will see the prompt shown below.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 16:44:36
 command line = console=ttySC0,115200 root=/dev/mtdblock2 ro rootfstype=jffs2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Enter the administrator mode. The password is silinux .

admin

Set the default command line. In the CAT760 environment, the compact flash memory is accessible via /dev/hda .

setparam zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2

Boot with TOMOYO Linux disabled (ccsecurity=off), because the policy is not yet initialized.

boot zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2 ccsecurity=off

Log in as user root , with password root .

SiliconLinux for CAT709/760 supercat ttySC0

supercat login: root
Password:
Unable to change tty /dev/ttySC0: Read-only file system
supercat:~#

Remount / read-write.

supercat:~# mount -o remount,rw /

Initialize the policy configuration. (If the host environment and the target environment use the same architecture, you can run "chroot /mnt/cfcard/ /usr/lib/ccs/init_policy" from the host environment. But since this page uses x86 as the host architecture and sh as the target architecture, you need to run /usr/lib/ccs/init_policy from the target environment in order to obtain a correct result.)

supercat:~# /usr/lib/ccs/init_policy
Creating policy directory... OK
Creating exception policy... OK
Creating domain policy... OK
Creating manager policy... OK
Creating default profile... OK
Creating memory quota policy... OK
Creating module loader... OK

Remount / read-only.

supercat:~# mount -o remount,ro /

Shut down and eject the compact flash memory.

supercat:~# halt

Step 8: Adjusting policy configuration

Mount the compact flash memory. (If the host environment and the target environment use the same architecture, you can run "chroot /mnt/cfcard/" from the host environment. But since this page uses x86 as the host architecture and sh as the target architecture, you need to cd into the mount point instead. Note that the paths in the steps below are therefore relative, i.e. etc/ rather than /etc/ .)

# mount /dev/sdb1 /mnt/cfcard/
# cd /mnt/cfcard/

To have the policy saved automatically upon shutdown, add the lines below just before "halt -d -f -i $poweroff $hddown" in etc/init.d/halt .

halt --help > /dev/null 2>&1
mount -o remount,ro /
mount -o remount,rw /
/usr/sbin/ccs-savepolicy
/usr/sbin/ccs-savepolicy
mount -o remount,ro /

The ccs-savepolicy command can only save a snapshot of the policy as it is at the moment ccs-savepolicy is executed. In learning mode, the permissions that a program needs are added to the policy only when the program exercises them, so ccs-savepolicy has to be executed twice: the first run records the permissions that ccs-savepolicy itself needs, and the second run saves a snapshot that includes them. Likewise, the policy files cannot be written while the filesystem is read-only, so the mount command has to be executed twice before ccs-savepolicy: once to record the permission for remounting read-only and once for remounting read-write, so that both are in the snapshot when the filesystem is remounted read-only at the end. For the same reason, the halt command is executed once (with --help, which does nothing) before ccs-savepolicy, so that the permission for executing halt is also recorded.

Similarly, add the lines below just before "reboot -d -f -i" in etc/init.d/reboot .

reboot --help > /dev/null 2>&1
mount -o remount,ro /
mount -o remount,rw /
/usr/sbin/ccs-savepolicy
/usr/sbin/ccs-savepolicy
mount -o remount,ro /

To be able to edit the policy remotely, create etc/init.d/ccs-editpolicy-agent . (The argument 0.0.0.0:10000 makes the agent listen on port 10000 on all of the device's interfaces.)

# echo '#! /bin/sh' > etc/init.d/ccs-editpolicy-agent
# echo 'exec /usr/lib/ccs/ccs-editpolicy-agent 0.0.0.0:10000 &' >> etc/init.d/ccs-editpolicy-agent
# chmod 700 etc/init.d/ccs-editpolicy-agent

Make etc/init.d/ccs-editpolicy-agent run automatically upon boot. (If the host environment and the target environment use the same architecture, you can run "chroot /mnt/cfcard/ update-rc.d ccs-editpolicy-agent defaults" from the host environment. But since this page uses x86 as the host architecture and sh as the target architecture, you need to do the equivalent manually.)

# ln -s ../init.d/ccs-editpolicy-agent etc/rcS.d/S60ccs-editpolicy-agent

Add /usr/lib/ccs/ccs-editpolicy-agent to etc/ccs/manager.conf (this file contains the list of programs which are permitted to modify the policy).

# echo /usr/lib/ccs/ccs-editpolicy-agent >> etc/ccs/manager.conf

Update etc/ccs/domain_policy.conf so that learning mode (profile 1) starts upon boot.

# cat > etc/ccs/domain_policy.conf << EOF
<kernel>
use_profile 1
EOF

Set the memory quota using etc/ccs/meminfo.conf . Since CAT760 has 64MB of RAM, this page sets 5MB for the policy, 1MB for access logs and 1MB for the query lists of interactive enforcing mode.

# cat > etc/ccs/meminfo.conf << EOF
Policy:      5242880
Audit logs:  1048576
Query lists: 1048576
EOF

Unmount the compact flash memory.

# cd
# umount /mnt/cfcard/

Step 9: Creating policy configuration

Power on and proceed to the boot loader.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 17:14:20
 command line = zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Boot.

boot

Log in and operate as you like.

If CAT760's IPv4 address is xxx.xxx.xxx.xxx , you can run

# ccs-editpolicy xxx.xxx.xxx.xxx:10000

from the host environment in order to edit the policy from the host environment. Similarly, you can run

# ccs-auditd xxx.xxx.xxx.xxx:10000 /tmp/grant_log.conf /tmp/reject_log.conf

from the host environment in order to save the access logs generated on CAT760 in the host environment. Also, you can run

# ccs-savepolicy xxx.xxx.xxx.xxx:10000 /tmp/ d

from the host environment in order to save the content of /proc/ccs/domain_policy on CAT760 into /tmp/domain_policy.conf on the host environment. Conversely, you can run

# ccs-loadpolicy xxx.xxx.xxx.xxx:10000 /tmp/ d

from the host environment in order to append the content of /tmp/domain_policy.conf on the host environment to /proc/ccs/domain_policy on CAT760.

If you cannot boot CAT760 because of operation errors, you can boot with TOMOYO Linux disabled by specifying "boot zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2 ccsecurity=off" at the boot prompt.

Appendix: Restoring factory defaults

To restore boot parameters modified at Step 7, do the below steps.

Power on and proceed to the boot loader.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 17:44:10
 command line = zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Enter the administrator mode. The password is silinux .

admin

Set the command line.

setparam console=ttySC0,115200 root=/dev/mtdblock2 ro rootfstype=jffs2

Advanced course: Using kernel and rootfs stored on flash ROM

Step 1: Building host environment

Same as Step 1 in the Basic course.

Step 2: Installing packages needed for compiling

Same as Step 2 in the Basic course.

Step 3: Compiling kernel

You don't need to care about the size of the kernel if you boot using the kernel stored in compact flash memory. But you do need to care about it if you boot using the kernel stored in flash ROM. In CAT760's default partition setting, the size of the partition for the kernel is 1245184 (0x130000) bytes. The size of the kernel built with the default kernel config is 1212416 (0x128000) bytes. Thus, there is only 32KB of free space in the kernel partition. (Regarding CAT760A, the newer product succeeding CAT760, the size of the partition for the kernel has shrunk to 1179648 (0x120000) bytes because the sector size of the flash ROM changed from 64KB to 128KB. Thus, note that by default there is insufficient space for a kernel built with the default kernel config.)

If you build TOMOYO Linux's functionality into the kernel, the size of the kernel increases by about 48KB. Thus, you need to either expand the kernel partition by shrinking the rootfs partition or make some parts loadable kernel modules using the kernel config.

You can build most of TOMOYO Linux's functionality as a loadable kernel module. If you build TOMOYO Linux as a loadable kernel module, the size of the kernel increases by only about 4KB.

The steps are the same as Step 3 in the Basic course, except that you need to do the operations below between "Create the kernel config." ( make cat760_defconfig ) and "Compile the kernel." ( make ) if you want to build TOMOYO Linux as a loadable kernel module.
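Because an image that overruns its flash partition is only discovered after the flash has been rewritten, it is worth checking the built zImage against the partition size before Step 8. The functions below are an added example (not part of the TOMOYO Linux page or project) that do this arithmetic for a real image file; the partition sizes are the ones stated above for CAT760 (0x130000) and CAT760A (0x120000), and the function names are this example's own.

```shell
# Added example: does a built zImage fit the kernel partition in flash ROM?
CAT760_KERNEL_PART=$((0x130000))    # 1245184 bytes, CAT760 default layout
CAT760A_KERNEL_PART=$((0x120000))   # 1179648 bytes, CAT760A default layout

# kernel_free_space IMAGE PART_SIZE
# Prints the bytes left in the partition after IMAGE (negative if it does not fit).
kernel_free_space() {
    size=$(wc -c < "$1")
    echo $(( $2 - size ))
}

# kernel_fits IMAGE PART_SIZE  -> exit 0 if the image fits, 1 otherwise
kernel_fits() {
    free=$(kernel_free_space "$1" "$2")
    [ "$free" -ge 0 ]
}

# check_zimage IMAGE  -- one line per board layout, e.g. for arch/sh/boot/zImage
check_zimage() {
    for board in CAT760:$CAT760_KERNEL_PART CAT760A:$CAT760A_KERNEL_PART; do
        name=${board%%:*}
        part=${board#*:}
        free=$(kernel_free_space "$1" "$part")
        if [ "$free" -ge 0 ]; then
            echo "$name: fits, $free bytes free"
        else
            echo "$name: does NOT fit, over by $(( 0 - free )) bytes"
        fi
    done
}
```

Run "check_zimage arch/sh/boot/zImage" after "make"; with the page's numbers, a default-config image leaves 32768 bytes on CAT760, a built-in TOMOYO kernel (about 48KB larger) overruns that partition, and the module build (about 4KB larger) still fits.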

# make menuconfig

Go to the "Security options" section and select "Compile as loadable kernel module" in the "CCSecurity support" group.

[ ] Enable access key retention support
[ ] Enable different security models
[*] CCSecurity support
[*]   Compile as loadable kernel module
[ ]   Disable by default
(2048) Default maximal count for learning mode
(/sbin/ccs-init) Default policy loader
(/sbin/ccs-start) Alternative activation trigger
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
[*]   Auditing interface support
(1024)  Default maximal count for grant log
(1024)  Default maximal count for reject log

Select "Exit" twice, and answer "Yes" to the question of whether to save the kernel config.

Step 4: Compiling tools

Same as Step 4 in the Basic course.

Step 5: Formatting compact flash memory

Same as Step 5 in the Basic course, except that, since CAT760's boot loader does not support writing to ext2 partitions, you need to format the partition as FAT rather than ext2. Thus, use the mkfs.vfat command rather than the mke2fs command.

# mkfs.vfat /dev/sdb1

Step 6: Making a backup

Insert the compact flash memory into CAT760, power CAT760 on and proceed to the boot loader.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 17:14:20
 command line = zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Take a backup of the kernel and rootfs currently stored in flash ROM.

cp rom:zImage cf0:zImage-orig 
cp rom:rootfs cf0:rootfs-orig 

Shut down and eject the compact flash memory.

Step 7: Editing rootfs

Insert the compact flash memory into the host environment and mount it.

# mount /dev/sdb1 /mnt/cfcard/

Install the package providing the mkfs.jffs2 program.

# apt-get install mtd-tools

Load the mtdblock kernel module.

# modprobe mtdblock

Load the mtdram kernel module, which provides a RAM-backed MTD device (16MB here) to hold the rootfs image.

# modprobe mtdram total_size=16384

Create the device file which is used as the rootfs .

# mknod /dev/mtdblock2 b 31 2

Copy the backed-up rootfs image to the device which is used as the rootfs .

# cat /mnt/cfcard/rootfs-orig > /dev/mtdblock2

Mount the rootfs .

# mkdir -p /mnt/rootfs
# mount -t jffs2 /dev/mtdblock2 /mnt/rootfs/
# cd /mnt/rootfs/

Edit as needed. (This step corresponds to Steps 7 through 9 of the Basic course.) Be sure to copy /sbin/ccs-init and /etc/ccs/ccs-load-module and the files under /lib/modules/2.6.15-sh/ . If you forget to copy them, TOMOYO Linux will not be activated. Also, you need to prepare the policy under the /etc/ccs/ directory.

Build a JFFS2 image from the content of the rootfs .

# cd
# mkfs.jffs2 -p -o /mnt/cfcard/rootfs -r /mnt/rootfs/

Unmount the rootfs .

# umount /mnt/rootfs/

Eject the compact flash memory and insert it into CAT760.

# umount /mnt/cfcard/

Step 8: Updating flash ROM

Power on and proceed to the boot loader.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 17:44:10
 command line = zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Enter the administrator mode. The password is silinux .

admin

Copy the kernel and rootfs .

cp cf0:zImage rom:zImage
cp cf0:rootfs rom:rootfs

Set the default command line.

setparam console=ttySC0,115200 root=/dev/mtdblock2 ro rootfstype=jffs2

Boot.

boot

That's all.

If you cannot boot, you can boot with TOMOYO Linux disabled by specifying "boot console=ttySC0,115200 root=/dev/mtdblock2 ro rootfstype=jffs2 ccsecurity=off" at the boot prompt.

Appendix: Restoring factory defaults

To restore the backup created at Step 6, do the below steps.

Power on and proceed to the boot loader.

 CAT BOOT for CAT760  Version: 1.07 Feb 27 2007 17:45:59
 RTC clock :2010/05/04 17:44:10
 command line = zimage=cf0:zImage console=ttySC0,115200 root=/dev/hda1 ro rootfstype=ext2
 Mac address  = 00:03:82:03:03:C8
 Boot size    = 0x10000
 Kernel size  = 0x130000
>>

Enter the administrator mode. The password is silinux .

admin

Copy the backed-up kernel and rootfs back into flash ROM.

cp cf0:zImage-orig rom:zImage
cp cf0:rootfs-orig rom:rootfs

Set the command line.

setparam console=ttySC0,115200 root=/dev/mtdblock2 ro rootfstype=jffs2
