CN119377015B - Method, device, equipment and storage medium for configuring mirror image memory - Google Patents
- Publication number
- CN119377015B CN202411947634.8A
- Authority
- CN
- China
- Prior art keywords
- kernel
- memory
- preset capacity
- address space
- range
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1666—Error detection or correction of the data by redundancy in hardware where the redundant component is memory or memory area
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1008—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices
- G06F11/1048—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices using arrangements adapted for a specific error detection or correction feature
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Stored Programmes (AREA)
Abstract
Under an operating system, the method detects whether the kernel address space layout randomization function needs to be turned off. If so, a compiling instruction is input into the system boot manager configuration file to compile the configuration file, and a memory address space of a first preset capacity is mirrored by modifying option parameters of the basic input/output system, where the first preset capacity must cover the memory address space of the kernel. The operating system is then restarted based on the compiled system boot manager configuration file and the modified option parameters, so that the first preset capacity is mirrored and the memory address of the kernel is stored within the first preset capacity range. The method accurately limits the memory address range of the kernel space and mirrors the system kernel's memory at a small cost, so as to avoid kernel faults caused by memory UCEs.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for configuring a mirror memory.
Background
Memory address range mirroring (Address Range Memory Mirroring, ARMM), a memory reliability, availability and serviceability (RAS) feature, provides finer-grained control on certain platforms (e.g., Haswell EX) over how much memory is used for redundancy. ARMM allows the mirrored range of primary and secondary memory to be defined on each Home Agent (HA) and can be selectively enabled to reduce the amount of memory lost to mirroring.
In conventional channel mirroring, the memory behind each HA in the system is configured as a mirror, meaning that half of the installed memory is reserved for redundancy. Address range mirroring instead allows the size of the primary and secondary mirrors to be defined on each HA, and this size can be set in 64 MB increments. On an HA that enables address range mirroring, the defined range is used for redundancy and is not included in the total system memory size. Although ARMM provides a highly reliable memory technique, it offers no efficient way to mirror critical data or code regions. If kernel address space layout randomization is enabled in the default kernel configuration, the load address of the kernel is randomized to improve system security. This randomization is achieved by the kernel address space layout randomization (Address Space Layout Randomization, ASLR) technique, which selects a random load address for the kernel at each start-up, making it harder for an attacker to predict the kernel address.
At present, no value set at the ARMM configuration stage is guaranteed to cover the kernel memory space: the larger the set value, the higher the probability of covering the kernel space, but the more memory is sacrificed.
Disclosure of Invention
In view of the above, the present invention provides a method, apparatus, device and storage medium for configuring a mirrored memory, so as to solve the problem of covering the kernel memory space with the memory address range mirroring (ARMM) technology.
In a first aspect, the present invention provides a method for configuring a mirrored memory, where the method includes:
Under an operating system, detecting whether a kernel address space layout randomization function needs to be closed, wherein the system defaults the kernel address space layout randomization function to be in an on state;
if yes, inputting a compiling instruction for closing the function into a configuration file of a system boot manager, compiling the configuration file, wherein the configuration file is used for controlling one or more of a starting item and a starting parameter loaded during system starting;
Performing mirror image processing on a memory address space with a first preset capacity by modifying option parameters of a basic input/output system, wherein the first preset capacity needs to cover the memory address space of a kernel;
Restarting the operating system based on the compiled configuration file of the system boot manager and the modified option parameters to realize mirroring of a first preset capacity, and storing the memory address of the kernel in the range of the first preset capacity.
With reference to the first aspect, in a possible implementation manner, the inputting the compiling instruction for closing the function into the system boot manager configuration file includes searching a target startup item in the system boot manager configuration file, setting a field with a function of closing the system boot manager in the target startup item, and modifying the field.
With reference to the first aspect, in another possible implementation manner, the modifying an option parameter of the basic input output system includes:
Searching options related to the memory in a setting interface of the basic input/output system;
modifying the memory-related option parameters using a modification tool.
With reference to the first aspect, in a further possible implementation manner, before the modifying the option parameters related to the memory using the modifying tool, the method further includes backing up the current option parameters related to the memory.
With reference to the first aspect, in a further possible implementation manner, the storing the memory address of the kernel within the first preset capacity size range includes:
and storing the memory address of the kernel in an address space with 0x1000000 as a base address, wherein the address space with 0x1000000 as the base address is in a range of 0-4G.
With reference to the first aspect, in a further possible implementation manner, the method further includes using a debug tool to view a memory address of the kernel of the first preset capacity size range.
With reference to the first aspect, in another possible implementation manner, the target startup item is a Bootloader startup item, and the option parameters of the basic input/output system include a mirror label field, a unified extensible firmware interface field and a memory address mirror range field;
The modifying option parameters of the basic input output system comprises:
modifying the mirror label field to be Enabled, modifying the unified extensible firmware interface field to be Enabled, and modifying the memory address mirror range field to be 0;
after the modification is completed, the modified option parameters are imported by using the command.
With reference to the first aspect, in a further possible implementation manner, the detecting whether the kernel address space layout randomization function needs to be turned off further includes:
if not, acquiring a random number through a random number tool under the operating system, wherein the value range of the random number is between the first preset capacity and the second preset capacity, and the first preset capacity is smaller than the second preset capacity;
Assigning the random number to a kernel address space layout randomization seed, and inserting the random number serving as a kernel starting parameter into a kernel;
performing memory mirroring on the memory address space from the first preset capacity to the second preset capacity by modifying the option parameters of the basic input/output system, wherein the memory address space from the first preset capacity to the second preset capacity needs to be covered by the memory address space of the kernel;
Restarting the operating system, storing the memory address of the kernel in the range from the first preset capacity to the second preset capacity according to the kernel starting parameter in the kernel, and realizing memory mirroring in the range from the first preset capacity to the second preset capacity.
With reference to the first aspect, in a further possible implementation manner, assigning the random number to the kernel address space layout randomization seed and inserting it into the kernel as a kernel start parameter includes:
acquiring a device tree source file;
editing the device tree source file, finding the chosen node in the device tree source file, inserting the kernel address space layout randomization seed into the chosen node, and compiling to generate a device tree binary file, wherein the chosen node is used for providing additional information required by kernel starting;
and configuring the boot loader to load the device tree binary file.
With reference to the first aspect, in a further possible implementation manner, the method further includes:
If the chosen node is not found in the device tree source file, a new node is created, the kernel address space layout randomization seed is inserted into the new node, and a new device tree binary file is generated by compiling, wherein the new node is used for providing additional information required by kernel starting.
With reference to the first aspect, in a further possible implementation manner, the step of obtaining the random number through a random number tool under the operating system includes the step of inputting a first command through the random number tool under the operating system to generate the random number.
In a second aspect, the present invention provides an apparatus for configuring a mirrored memory, the apparatus comprising:
the detection module is used for detecting whether the kernel address space layout randomization function needs to be closed or not under an operating system, wherein the system defaults the kernel address space layout randomization function to be in an on state;
The compiling module is used for inputting a compiling instruction for closing the function into a configuration file of the system boot manager under the condition that the detecting module detects that the function is closed, compiling the configuration file, wherein the configuration file is used for controlling one or more of a starting item and a starting parameter loaded during system starting;
the processing module is used for mirroring the memory address space with the first preset capacity by modifying the option parameters of the basic input/output system, wherein the first preset capacity needs to cover the memory address space of the kernel;
And the restarting module is used for restarting the operating system based on the compiled configuration file of the system boot manager and the modified option parameters so as to realize mirroring of the first preset capacity and store the memory address of the kernel in the range of the first preset capacity.
In a third aspect, the present invention provides a computer device, including a memory and a processor, where the memory and the processor are communicatively connected to each other, and the memory stores computer instructions, and the processor executes the computer instructions, thereby executing the method for configuring the mirrored memory according to the first aspect or any implementation manner corresponding to the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of configuring mirrored memory of the first aspect or any corresponding embodiment thereof.
Furthermore, the present invention provides a computer program product comprising computer instructions for causing a computer to perform the method of configuring mirrored memory of the first aspect or any corresponding embodiment thereof.
According to the method, apparatus, device and storage medium for configuring mirrored memory, on the one hand, with the kernel address space layout randomization (KASLR) function turned off, the compiling instruction is input into the system boot manager configuration file and the configuration file is compiled; the memory address space of the first preset capacity is mirrored by modifying the option parameters of the basic input/output system (BIOS); and after the operating system is restarted, the first preset capacity is mirrored, with the kernel's memory address guaranteed to be stored within the first preset capacity range. This simplifies memory management, facilitates operations such as security analysis and fault investigation, and improves the overall security and stability of the system.
In addition, the memory address space with the first preset capacity is accurately calculated and set for mirror image processing, and the capacity just covers the memory address space of the kernel, so that unnecessary memory resource waste is avoided. This sophisticated memory management strategy allows more efficient utilization of system resources, especially in environments where memory resources are limited.
On the other hand, with the kernel address space layout randomization (KASLR) function enabled, the invention mirrors the memory address space from the first preset capacity to the second preset capacity, a range that is precisely calculated and set so that it just covers the memory address space of the kernel while making full use of memory resources. By introducing a random number, effective mapping and access of kernel addresses is ensured even with the KASLR function enabled, the system kernel can be mirrored at low cost, kernel faults caused by memory are avoided, and memory resources are not wasted.
The invention combines the steps of KASLR function detection, random number generation and assignment, memory mirror image processing, system restarting and the like tightly to form an automatic configuration flow, and the automation technology precisely limits the memory address range of the kernel space. The method not only simplifies the complicated manual configuration steps in the traditional method, but also realizes the update of the memory mirror image and the kernel address space mapping through the restarting operation, and improves the efficiency of system deployment and maintenance.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for configuring mirrored memory according to an embodiment of the invention;
FIG. 2 is a flow chart of another method for configuring mirrored memory according to an embodiment of the invention;
FIG. 3 is a schematic diagram of storing memory addresses of a kernel in a first predetermined capacity range according to an embodiment of the present invention;
FIG. 4 is a flow chart of another method for configuring mirrored memory according to an embodiment of the invention;
FIG. 5 is a diagram illustrating a memory address of a core stored in a range from a first predetermined capacity to a second predetermined capacity according to an embodiment of the present invention;
FIG. 6 is a flow chart of a method for configuring mirrored memory according to an embodiment of the present invention;
FIG. 7 is a block diagram of a configuration mirror memory device according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, unless explicitly stated or limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected, mechanically connected, electrically connected, directly connected, indirectly connected via an intervening medium, or in communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The technical features of the different embodiments of the invention described below may be combined with one another as long as they do not conflict with one another.
Firstly, an application scene and a related background of the technical scheme of the embodiment of the invention are introduced.
Memory address range mirroring (Address Range Memory Mirroring, ARMM) is a technique that copies data in a particular memory address range to another memory address range, or maps it to another physical address space. The technique can be used in application scenarios such as data backup, quick access and memory protection.
The memory address range mirror ARMM has the advantages that:
Reduced memory redundancy: compared with traditional full mirroring, address range mirroring reduces the amount of memory reserved for redundancy, thereby providing more available memory.
Flexible memory management: a system administrator can decide, according to service requirements and the importance of the data, which data needs mirror protection and which data does not, which allows finer memory management.
Improved memory utilization: only key data or code areas are mirrored, while the high reliability of the system is maintained.
Support for hot-swapping and online maintenance: address range mirroring typically supports both, meaning that memory modules can be replaced without restarting the system, reducing the maintenance time and cost of the system.
ARMM may be enabled on each Home Agent (HA) through a specific configuration register, such as the Target Address Decoder 0 (TAD0) register. TAD0 enables memory mirroring below the 4G address, and the TAD1 register enables memory mirroring above 4G. MirroredAmountAbove4GB (the mirrored amount above 4GB) is a configuration parameter associated with ARMM. It specifies the amount of available memory above 4GB that needs to be mirrored, measured in basis points (hundredths of a percent, i.e., 0.01%). For example, if the total memory in the system is 48GB, 12GB of mirrored memory is requested, and TOLM (Top of Low Memory) is 2GB, then the total memory above 4GB is 46GB and the amount of memory that needs to be mirrored above 4GB is 10GB (because 12GB - 2GB = 10GB). The required mirroring percentage is therefore 10 ÷ 46 ≈ 0.21739, and the corresponding value of MirroredAmountAbove4GB is 2173.
The Home Agent is a component in the CPU responsible for managing memory access and cache coherency. It is mainly responsible for handling data exchanges between cache lines and memory, ensuring data coherency among multiple processor cores.
Although ARMM provides a highly reliable memory technology, it does not provide an effective method for mirroring critical data or code regions. Embodiments of the present invention provide a method for configuring a mirrored memory that mirrors the critical data or code regions of an operating system, so as to greatly improve the reliability of the system.
Machine check architecture recovery (Machine Check Architecture Recovery, MCA Recovery) is an advanced RAS (reliability, availability, and serviceability) feature that allows the software layer to assist system recovery when hardware cannot correct certain errors. This recovery mechanism targets failures that the hardware cannot recover from, giving software the opportunity to isolate and recover. When the processor identifies an error that the hardware cannot correct, it marks the data as corrupted and triggers an error event that can be captured by the firmware and/or operating system.
It is then determined whether a redundant copy of the data exists; if so, the error can be corrected. The error may be reported by CMCI (Corrected Machine Check Interrupt) or MCE (Machine Check Exception).
CMCI is a hardware interrupt that is triggered when a processor detects a correctable error (e.g., a single bit error in ECC memory). Such interrupts allow the operating system or hardware management system to capture and process the error, typically by logging the error, attempting to correct the error, or taking other recovery actions. In addition, MCE is a serious hardware error that triggers when the processor detects an uncorrectable error (e.g., a multi-bit error in ECC memory, an intra-processor error, etc.). Such an exception typically results in a system crash or restart because it indicates a serious problem at the hardware level, and the operating system typically cannot safely continue running.
In addition, if the error occurs in user space, the operating system may notify the application with an event, allowing the application to be further resumed or interrupted while the operating system keeps running. If the error occurs in kernel space, the operating system triggers a kernel failure (kernel panic).
Therefore, ARMM can be used to mirror the memory space of the kernel, preventing kernel faults caused by memory UCEs (Uncorrectable Errors). During start-up of the Linux kernel, the starting position of the kernel code is determined by a kernel configuration option, typically CONFIG_PHYSICAL_START. According to the search result, this option is set to 0x1000000 by default, i.e., 16MB. This means that when the KASLR (Kernel Address Space Layout Randomization) function is not enabled, the kernel is loaded at physical address 0x1000000 and begins execution there.
However, the default kernel configuration enables the KASLR function, so the load address of the kernel is randomized to improve system security. This randomization is achieved by the Kernel Address Space Layout Randomization (KASLR) technique, which selects a random load address for the kernel at each start-up, making it harder for an attacker to predict the kernel address. As a result, no MirroredAmountAbove4GB value set for ARMM is guaranteed to cover the memory space of the kernel: the larger the set value, the higher the probability of covering the kernel's memory space, but the more memory is sacrificed.
In order to solve the above problems, an embodiment of the present invention provides a method for configuring a mirrored memory that lets the memory address range mirroring (ARMM) technology cover the kernel memory space with a sufficiently small MirroredAmountAbove4GB value, so as to improve the utilization of memory resources and avoid sacrificing a large amount of memory.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
In addition, the technical scheme of the invention is suitable for all server products supporting the memory address range mirroring technology, and aims to protect kernel space of the kernel, accurately position the kernel space of the kernel and mirror the kernel space of the kernel, thereby solving the problem of downtime of a server or a server cluster caused by memory.
Example 1
In this embodiment, a method for configuring a mirrored memory is provided, which may be used in an operating system, such as a Linux system or a software or functional module having a Linux system, and fig. 1 is a flowchart of a method for configuring a mirrored memory according to an embodiment of the present invention, as shown in fig. 1, where the method includes:
Step S101, under the operating system, detecting whether the kernel address space layout randomization function needs to be closed.
The kernel address space layout randomization function is the KASLR function. During system operation, the KASLR function is on by default. Whether the KASLR function needs to be turned off may be set by a user or by system customization, which is not limited in this embodiment.
Optionally, the operating system is a Linux operating system.
Step S102, if so, inputting a compiling instruction for closing the function into a configuration file of the system boot manager, and compiling the configuration file.
The configuration file is used for controlling one or more of a starting item and a starting parameter loaded when the system is started. Alternatively, the configuration file may be a system boot manager configuration file, also referred to as a "Grub configuration file". Grub configuration files are the key files of the GRand Unified Bootloader (Grub) and control Grub's behavior, including which operating systems are loaded at system start-up, the load order, boot parameters, etc.
The roles of the Grub configuration file include:
Defining the boot menu: setting which operating systems and kernel versions appear in the start-up menu.
Setting the default startup item: designating which operating system or kernel is loaded by default at system start-up.
Configuring boot parameters: specifying, for each operating system or kernel, the parameters used at boot time, such as kernel boot parameters (e.g., root=, init=, etc.).
Loading Grub modules: loading additional Grub modules as needed to support more functionality.
In this embodiment, the Grub configuration file is compiled primarily to determine whether to turn off the KASLR function.
Further, if the user chooses to turn off the KASLR function, one implementation is to configure GRUB_CMDLINE_LINUX="nokaslr" in the system boot manager configuration file. The "nokaslr" field is used to turn off the KASLR function.
Step S103, mirror image processing is carried out on the memory address space with the first preset capacity by modifying the option parameters of the basic input/output system.
The first preset capacity needs to cover the memory address space of the kernel. Optionally, the first preset capacity size is 4G.
The first preset capacity can be determined according to the size of the kernel address space. In this embodiment, for the ARMM technology on the Linux operating system, the first preset capacity range is generally set to 0-4G. The first preset capacity of 4G is preconfigured by the KASLR function. The memory address space of the kernel may be 2G-4G; the first preset capacity range 0-4G covers the kernel's memory address space 2G-4G, ensuring that the kernel's memory addresses are all stored within the first preset capacity range.
The basic input/output system (BIOS) option parameters include, but are not limited to, a mirror tag field (Mirror TAD0), a unified extensible firmware interface field (UEFI ARM Mirror), and a memory address mirror range field (ARM Mirror percentage).
Modifying the BIOS option parameters includes setting the mirror tag field (Mirror TAD0) to Enabled, the unified extensible firmware interface field (UEFI ARM Mirror) to Enabled, and the memory address mirror range field (ARM Mirror percentage) to 0.
After the modification is completed, the modified option parameters are imported by using a command. For example, a command statement is:
# ./SCELNX_64 /i /s bios.txt
Step S104, restarting the operating system based on the compiled configuration file of the system boot manager and the modified option parameters to realize mirroring of the first preset capacity, and storing the memory address of the kernel in the range of the first preset capacity.
Storing the memory address of the kernel within the first preset capacity size range includes storing the memory address of the kernel in an address space with 0x1000000 as the base address, where that address space lies within the range 0-4G. The address space of the whole kernel of the Linux operating system is in a range of 0-TOP, where 0 represents the starting address of the address space and TOP represents the end address of the address space.
In this embodiment, the first preset capacity range is within 0 to 4G.
FIG. 2 shows the kernel address space, detected with a command, before and after the KASLR function is turned off. Before the kernel is mirrored, the kernel address is stored in the address space between 4G and TOP (maximum capacity). After the BIOS configuration file is modified and the Grub configuration file is compiled, the Linux operating system is restarted so that the memory address of the kernel is stored within the first preset capacity range, such as the range below 4G. The kernel code is stored in the address space at 0x1000000, and Kernel rodata, Kernel data, Kernel bss and other data are also stored within the first preset capacity size range.
Here, bss stands for Block Started by Symbol. In programming and computer science, BSS generally refers to the uninitialized data segment, in which all uninitialized global and static variables are typically placed at compile time. In this embodiment, Kernel bss refers to the uninitialized data segment used in the kernel. Kernel data is the kernel data, Kernel rodata is the kernel read-only data segment (rodata abbreviates read-only data), and Kernel code is the kernel code.
Optionally, in one possible implementation, step S102 inputs the compiling instruction for the shutdown function into the system boot manager configuration file, including searching for a target startup item in the system boot manager configuration file, setting a field having the shutdown system boot manager function in the target startup item, and modifying the field.
The target startup item is a Bootloader startup item. The Bootloader is mainly responsible for completing a series of initialization tasks during device startup and preparing the environment for loading and running the operating system or user applications. For hardware initialization, for example, the Bootloader first initializes the hardware components of the device, such as memory, CPU, storage devices, and peripherals (e.g., UART, GPIO, etc.). It then loads the operating system image into memory and jumps to the entry address of the operating system to start execution. This typically involves reading the operating system image from a storage device (e.g., flash, hard disk, etc.).
Optionally, in another possible implementation, modifying the option parameters of the BIOS in step S103 includes searching for options related to the memory in a setting interface of the BIOS, and modifying the option parameters related to the memory using a modification tool.
Further, the current memory-related option parameters are backed up before the modification tool is used to modify them, to prevent parameter corruption or loss caused by errors or faults during the modification.
In addition, after step S104, the method further includes checking the memory address of the kernel within the first preset capacity size range by using a debug tool. For example, the debug tool may be an Intel debug tool, with which it is observed that the memory space below 4G is indeed mirrored, as shown in FIG. 2.
In this embodiment, under the condition of closing the Linux Kernel Address Space Layout Randomization (KASLR) function, the scheme is simple to set, and memory mirror space is saved.
The method for configuring the mirror image memory provided by the invention has the advantages that under the condition of closing KASLR functions, the configuration file is compiled by inputting the compiling instruction into the configuration file of the system boot manager, the mirror image of the memory address space with the first preset capacity is realized by modifying the option parameters of the Basic Input Output System (BIOS), finally, the mirror image with the first preset capacity is realized after the operating system is restarted, and the memory address is ensured to be stored in the range of the first preset capacity when the memory mirror image is performed, so that the complexity of memory management is simplified, the operation under the scenes of safety analysis, fault investigation and the like is facilitated, and the overall safety and the stability of the system are improved.
In addition, the memory address space with the first preset capacity is accurately calculated and set for mirror image processing, and the capacity just covers the memory address space of the kernel, so that unnecessary memory resource waste is avoided. This sophisticated memory management strategy allows more efficient utilization of system resources, especially in environments where memory resources are limited.
Referring to fig. 3, in a specific implementation manner, the method provided in this embodiment specifically includes:
Step S201, starting up the system and changing the Grub configuration file to turn off the KASLR function.
Specifically, the Grub configuration file of the current Linux operating system is obtained, the Grub configuration parameters are located in it, and the GRUB_CMDLINE_LINUX="nokaslr" field is configured in the Grub file. The nokaslr field is used to turn off the KASLR function.
The purpose of this step is to turn off the kernel address space layout randomization (KASLR) function, so that the kernel address may be fixed below 4G. Here 4G is the first preset capacity, set by the system.
Step S202, compiling the Grub configuration file, changing the Bootloader startup item, and turning off the KASLR function.
A command is used after the modification. This embodiment takes as an example a RedHat system using the Unified Extensible Firmware Interface (UEFI), where RedHat is an open source operating system provider whose operating system is widely used in server, cloud computing, and desktop environments.
Specifically, after "nokaslr" is entered in the Grub configuration file, a compiling operation is performed to generate a compiled Grub cfg file. Optionally, the compiling instruction is # grub2-mkconfig -o /boot/EFI/EFI/redhat/grub. The system is entered after compiling.
Step S203, using a tool to change the BIOS parameters and open the mirror function below 4G.
Specifically, the BIOS parameters are modified using the SCE tool or H2OUVE, with the aim of turning on the memory mirroring function below 4G. For example, taking Intel's Eagle Stream platform as a case, the Mirror TAD0 field is modified to Enabled, the UEFI ARM Mirror field is modified to Enabled, and the ARM Mirror percentage field is modified to 0. After the modification is completed, the parameters are imported with a command, such as # ./SCELNX_64 /i /s bios.txt
Step S204, after the Linux system is restarted, the mirror below the first preset capacity 4G is realized automatically, and the kernel address range is checked. The effect is shown in FIG. 2 above.
In this embodiment, the system address space is stored in the address space with 0x1000000 as the base address, and this address space is within 0-4G. Optionally, the method further includes detecting the kernel address space with a command before and after KASLR is turned off, confirming that the kernel address space is actually allocated below 4G, and using an Intel debugging tool to check that the memory space below 4G is actually mirrored. In this embodiment, the memory address of the kernel is stored within the first preset capacity range, such as the memory address space 2G-4G.
Example two
This embodiment limits the random address of the kernel address space layout randomization (KASLR) function to a section of the low address range above 4G and mirrors only that section, thereby effectively controlling the size of the mirrored address range and saving memory mirror space.
This embodiment differs from the first embodiment in that the first embodiment stores the memory address of the kernel within the first preset capacity range of 0-4G with the KASLR function turned off, whereas this embodiment stores the memory address of the kernel in a low address range above 4G with the KASLR function turned on.
As shown in fig. 4, in the step S101, when detecting whether the randomization function of the kernel address space layout needs to be turned off, the method further includes:
Step S105, if not, acquiring a random number through a random number tool under the operating system, wherein the value of the random number lies between the first preset capacity and the second preset capacity.
The first preset capacity is smaller than the second preset capacity. Further, the second preset capacity is determined according to the range acceptable to the user, and its size is generally far smaller than the maximum value TOP of the memory address space. In this embodiment, the second preset capacity size is set to 5GB-64MB.
Specifically, whether the KASLR function is turned on or off may be selected and determined by the user.
Step S106, assigning the random number to a kernel address space layout randomization seed, and inserting the random number into the kernel as a kernel start parameter.
Specifically, one embodiment includes:
Step S106-1, obtaining a device tree source file.
The device tree source file (Device Tree) is a data structure that describes the hardware configuration and is passed to the kernel by a boot loader (e.g., U-Boot or Grub) at system start-up. In the device tree, the /chosen selection node is a special node that provides additional information needed at kernel start-up, such as start-up parameters, the file system location, and the kernel address space layout randomization seed (kaslr-seed).
Step S106-2, editing the device tree source file, finding the selection node in the device tree source file, inserting the kernel address space layout randomization seed into the selection node, and compiling to generate a device tree binary file, wherein the selection node is used for providing additional information required at kernel start-up.
Step S106-3, configuring the boot loader to load the device tree binary file.
It should be noted that this embodiment limits the value range of kaslr-seed by changing the device tree source file (Device Tree) and inserts the kernel start parameter into the kernel in that way. The approach includes but is not limited to this method; other methods may be used, which is not limited in this embodiment.
In addition, step S106-2 includes: if the selection node is not found in the device tree source file, creating a new node, inserting the kernel address space layout randomization seed (kaslr-seed) into the new node, and compiling to generate a new device tree binary file, wherein the new node is used for providing additional information required at kernel start-up.
Step S107, performing memory mirroring on the memory address space from the first preset capacity to the second preset capacity range by modifying the option parameters of the basic input/output system.
The memory address space of the kernel needs to be covered from the first preset capacity to the second preset capacity.
Step S108, restarting the operating system, storing the memory address of the kernel in a range from the first preset capacity to the second preset capacity according to the kernel starting parameters in the kernel, and realizing memory mirroring in the range from the first preset capacity to the second preset capacity.
As shown in FIG. 5, after the Linux operating system is restarted, the kernel memory addresses, holding Kernel code, Kernel rodata, Kernel data, and Kernel bss, are stored in the range from the first preset capacity (4G) to the second preset capacity (5GB-64MB).
Further, regarding step S106, in which the random number is assigned to the kernel address space layout randomization seed and inserted into the kernel as a kernel start parameter: in a possible implementation, obtaining the random number by a random number tool under the operating system in step S105 includes inputting a first command with the random number tool under the operating system to generate the random number.
Optionally, the first command is a shuf command, which generates a random number in the range of 4GB (4294967296) to 5GB (5301600256).
According to the method provided by the embodiment, under the condition that the KASLR function is started, the memory address space in the range from the first preset capacity to the second preset capacity is accurately calculated and set to carry out mirror image processing, the range just covers the memory address space of the kernel, and meanwhile, the memory resource is fully utilized. Through the introduction of random numbers, even under the condition that KASLR functions are started, effective mapping and access of kernel addresses can be ensured, memory mirror image can be carried out on a system kernel at low cost, kernel faults caused by memory are avoided, and waste of memory resources is avoided.
The invention combines the steps of KASLR function detection, random number generation and assignment, memory mirror image processing, system restarting and the like tightly to form an automatic configuration flow, and the automation technology precisely limits the memory address range of the kernel space. The method not only simplifies the complicated manual configuration steps in the traditional method, but also realizes the update of the memory mirror image and the kernel address space mapping through the restarting operation, and improves the efficiency of system deployment and maintenance.
In a specific embodiment, the value range of kaslr-seed is limited under the operating system, for example to the range of 4GB to (5GB-64MB), so that the layout address range of the KASLR function is limited. The under-system tool SCE or H2OUVE is then used to modify the BIOS parameters to open the memory mirror function below 4G and, at the same time, the memory address space mirror function of 4GB-5GB. The method can ensure system security and mirror the kernel space at the cost of a small amount of memory space, reducing the downtime risk caused by memory UCE.
As shown in fig. 6, the specific flow of the method includes:
Step S301, starting up the system and using a random number tool to acquire a random number in a certain range, such as a random number in the range of 0x1000000 to 0x13C000000.
In this embodiment, the range of the random number is assumed to be limited to 4GB to (5GB-64MB). Correspondingly, the kernel size in this example is 0x37FFFFF - 0x1000000 = 0x27FFFFF, which is smaller than 64MB, so the random number is limited to at most 5GB - 64MB = 5056MB, where 5056MB is the second preset capacity size.
Further, one implementation of this step is to generate a random number within a specified range using, for example, the shuf command. For example, the following command generates one random number in the range of 4GB to 5GB.
The command is shuf -i 4294967296-5301600256 -n 1.
A random number in the range of 4GB (4294967296) to 5GB (5301600256) is generated using the shuf command. With a script, this step and the subsequent modification of the device tree source file can be carried out as an automated process.
Optionally, in this step, it is assumed that the selected random number is 4500000000.
Step S302, editing the device tree source file by using the obtained random number as a random seed (kaslr-seed).
This step corresponds to step S106: the random number obtained in step S301 is assigned to kaslr-seed, and the assigned kaslr-seed is inserted into the kernel as a kernel start parameter, so that KASLR uses the kernel address space layout randomization seed (kaslr-seed) as the base address.
The device tree source file (Device Tree) is a data structure that describes the hardware configuration and is passed to the kernel by a boot loader (e.g., U-Boot or Grub) at system start-up. In the device tree, the /chosen selection node is a special node that provides additional information needed at kernel start-up, such as start-up parameters, the file system location, and kaslr-seed. The selection node is a node in the device tree source file.
When configuring the /chosen node, it is necessary to edit the device tree source file, typically a .dts or .dtsi file, and then recompile it to generate a new device tree binary file, typically a .dtb or .itb file.
Further, editing a device tree source file includes opening the device tree source file (.dts or .dtsi) and finding or creating the /chosen selection node. If the /chosen selection node does not exist, a new node needs to be created first as the selection node.
Step S303, recompiling the device tree source file.
A device tree compilation tool (e.g., dtc) is used to compile the device tree source file to generate a new device tree binary file. For example, the device tree source file is mydevice.dts, and the compiled device tree binary file is mydevice.dtb.
Step S304, configuring the boot loader to load the new device tree.
The configuration method differs between boot loaders. For example, in U-Boot, an environment variable may be set to specify the location of the device tree. In Grub, the Grub configuration file needs to be updated to specify the new device tree file.
Step S305, using the SCE or H2OUVE tool to modify the BIOS parameters and turn on the mirror function below 5G.
The purpose of this step is to open the memory mirror function below 5G. In one embodiment, taking Intel's Eagle Stream platform as an example, the total system memory MemTotal can be viewed with cat /proc/meminfo, and MirroredAmountAbove4GB has the value 1 ÷ (MemTotal − TOLM) × 10000. The value of MirroredAmountAbove4GB is filled into ARM Mirror percentage. The SCE or H2OUVE tool is used to modify the Mirror TAD0 field to Enabled, UEFI ARM Mirror to Enabled, and ARM Mirror percentage to the above calculation result. After the modification is completed, the parameters are imported using the command.
Step S306, restarting the system, and checking the kernel address range.
As shown in fig. 5, after restarting the Linux operating system, the memory address of the kernel is stored in the range from the first preset capacity 4G to the second preset capacity 5056MB according to the kernel start parameter in the kernel, and the memory mirror image is implemented in the range from the first preset capacity 4G to the second preset capacity 5056 MB.
According to the method provided by the embodiment, the memory address range of the kernel space is accurately limited by using an automation technology, and the memory mirror image is carried out on the system kernel at a small cost, so that a kernel panic caused by memory UCE can be avoided.
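The parameter arithmetic of steps S301 to S305 and the address check of steps S204 and S306, as an added shell example that is not part of the patent. It assumes the kernel address range is read from /proc/iomem (the page only says a command is used), reads the "1" in the ARM Mirror percentage formula as the 1 GiB between 4G and 5G, and uses constructed MemTotal, TOLM and iomem values.

```shell
#!/bin/sh
# Added example (not from the patent): parameter arithmetic for steps
# S301-S305 and the kernel address check of steps S204/S306.
GIB=$((1024 * 1024 * 1024))
MIB=$((1024 * 1024))
LOW=$((4 * $GIB))                  # first preset capacity (4G)
MIRROR_TOP=$((5 * $GIB))           # step S305 mirrors memory below 5G
HEADROOM=$((64 * $MIB))            # space kept free for the kernel image
HIGH=$(($MIRROR_TOP - $HEADROOM))  # second preset capacity, 5GB-64MB = 5056MB

# Constructed /proc/iomem excerpt. The overall kernel span matches the page's
# 0x1000000-0x37FFFFF figures; the boundaries between segments are made up.
SAMPLE_IOMEM='00100000-7fffffff : System RAM
  01000000-01ffffff : Kernel code
  02000000-029fffff : Kernel rodata
  02a00000-02ffffff : Kernel data
  03000000-037fffff : Kernel bss'

# kernel_span: read /proc/iomem text on stdin and print "START END" (decimal,
# END inclusive) covering every "Kernel ..." segment. Fails when no segment is
# found or when the addresses are zeroed, as they are for unprivileged readers.
kernel_span() (
    lo=
    hi=
    while IFS= read -r line; do
        case $line in *": Kernel "*) ;; *) continue ;; esac
        range=${line%% :*}          # drop " : Kernel code"
        range=${range##* }          # drop the indentation
        s=$((0x${range%-*}))
        e=$((0x${range#*-}))
        [ "$e" -gt 0 ] || return 1
        if [ -z "$lo" ] || [ "$s" -lt "$lo" ]; then lo=$s; fi
        if [ -z "$hi" ] || [ "$e" -gt "$hi" ]; then hi=$e; fi
    done
    [ -n "$lo" ] && echo "$lo $hi"
)

# span_within START END WIN_LO WIN_HI: succeed when [START, END] lies entirely
# inside the mirrored window [WIN_LO, WIN_HI).
span_within() {
    [ $# -eq 4 ] || return 2
    [ "$1" -ge "$3" ] && [ "$2" -lt "$4" ]
}

# seed_upper_bound KERNEL_SIZE: highest base address that still keeps a kernel
# of KERNEL_SIZE bytes under MIRROR_TOP. Refuses kernels larger than HEADROOM,
# which is the page's "kernel is smaller than 64MB" argument.
seed_upper_bound() {
    [ "$1" -le "$HEADROOM" ] || return 1
    echo "$HIGH"
}

# draw_seed LO HI: one random integer in [LO, HI], using shuf as the page does.
draw_seed() { shuf -i "$1-$2" -n 1; }

# mirror_basis_points MEMTOTAL_KB TOLM_BYTES: value for "ARM Mirror percentage"
# following the page's 1 / (MemTotal - TOLM) x 10000. Rounding up, so that the
# window is fully covered, is this example's choice; the page does not say.
mirror_basis_points() {
    span=$(($MIRROR_TOP - $LOW))
    denom=$(($1 * 1024 - $2))
    [ "$denom" -gt 0 ] || return 1
    echo $((($span * 10000 + $denom - 1) / $denom))
}

# chosen_fragment SEED: device tree source text that carries SEED as the two
# 32-bit cells of kaslr-seed under /chosen (steps S302/S106-2). The page treats
# this value as the base address of the kernel layout.
chosen_fragment() {
    printf '/ {\n\tchosen {\n\t\tkaslr-seed = <0x%x 0x%08x>;\n\t};\n};\n' \
        $(($1 >> 32)) $(($1 & 0xFFFFFFFF))
}

# Demo: the page's assumed draw of 4500000000, then the S204 check (0-4G)
# against the constructed excerpt. On a real host: kernel_span < /proc/iomem
chosen_fragment 4500000000
if span_within $(printf '%s\n' "$SAMPLE_IOMEM" | kernel_span) 0 "$LOW"; then
    echo "kernel span lies inside the mirrored 0-4G window"
fi
```

Run the check as root: unprivileged reads of /proc/iomem return zeroed addresses, which kernel_span rejects.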
The embodiment also provides a device for configuring the mirror memory, which is used for implementing the foregoing embodiments and preferred embodiments, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The embodiment provides an apparatus for configuring a mirrored memory, as shown in fig. 7, which includes a detection module 710, a compiling module 720, a processing module 730, and a restarting module 740, where the apparatus may further include other more or fewer modules, which is not limited in this embodiment.
The detection module 710 is configured to detect, under an operating system, whether the kernel address space layout randomization function needs to be turned off, where the system defaults to an on state.
The compiling module 720 is configured to input a compiling instruction for closing the function to a configuration file of the system boot manager, and compile the configuration file, where the configuration file is used to control one or more of a startup item and a startup parameter loaded when the system is started.
The processing module 730 is configured to mirror the memory address space of the first preset capacity by modifying the option parameters of the BIOS, where the first preset capacity needs to cover the memory address space of the kernel.
The restarting module 740 is configured to restart the operating system based on the compiled configuration file of the system boot manager and the modified option parameters, so as to implement mirroring of the first preset capacity, and store the memory address of the kernel in the first preset capacity range.
In some alternative embodiments, the compiling module 720 is specifically configured to find a target startup item in the system boot manager configuration file, set a field in the target startup item that has a function of closing the system boot manager, and modify the field.
In other alternative embodiments, the processing module 730 is further configured to search for options related to the memory in the setting interface of the BIOS, and modify the option parameters related to the memory using a modification tool.
In yet other alternative embodiments, the processing module 730 is further configured to backup the current memory-related option parameters before modifying the memory-related option parameters using the modification tool.
Optionally, the first preset capacity size is 4G.
In still other alternative embodiments, the restart module 740 is specifically configured to store the memory address of the kernel in an address space with 0x1000000 as a base address, and the address space with 0x1000000 as the base address is in a range of 0-4G.
The processing module 730 is specifically configured to check, using a debug tool, a memory address of the kernel within the first preset capacity size range.
Optionally, in some other optional embodiments, the target startup item is a Bootloader startup item, and the option parameters of the basic input output system include a mirror label field, a unified extensible firmware interface field and a memory address mirror range field;
The processing module 730 is specifically configured to modify the image tag field to be Enabled, modify the unified extensible firmware interface field to be Enabled, modify the memory address image range field to be 0, and import the modified option parameters using the command after modification.
Optionally, in some specific embodiments, the processing module 730 is further configured to, under the condition that the detecting module 710 detects that the function of KASLR is not closed, obtain, by using a random number tool under an operating system, a random number, where a value range of the random number is between a first preset capacity and a second preset capacity, where the first preset capacity is smaller than the second preset capacity, assign the random number to a kernel address space layout randomizing seed, and insert the random number into the kernel as a kernel start parameter.
The processing module 730 is further configured to perform memory mirroring on the memory address space from the first preset capacity to the second preset capacity by modifying the option parameters of the BIOS, where the range from the first preset capacity to the second preset capacity needs to cover the memory address space of the kernel.
The restarting module 740 is further configured to restart the operating system, store the memory address of the kernel in a range from the first preset capacity to the second preset capacity according to the kernel starting parameter in the kernel, and implement the memory mirroring in the range from the first preset capacity to the second preset capacity.
Optionally, in some specific embodiments, the processing module 730 is further specifically configured to obtain a device tree source file, edit the device tree source file, find a selection node in the device tree source file, insert a kernel address space layout randomization seed into the selection node, and compile to generate a device tree binary file, the selection node being used to provide additional information required at kernel start-up, and to configure a boot loader to load the device tree binary file.
The processing module 730 is further configured to create a new node if the selected node is not found in the device tree source file, insert the kernel address space layout randomization seed into the new node, and compile the new device tree binary file, where the new node is used to provide additional information required when the kernel is started.
In yet other specific embodiments, the processing module 730 is further configured to generate a random number by inputting a first command with a random number tool under an operating system.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The memory mirroring device in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides a computer device, which is provided with the configuration mirror image memory device shown in the figure 7.
Referring to FIG. 8, an alternative embodiment of the present invention provides a computer device that includes one or more processors 10, a memory 20, and interfaces for connecting the components, including a high-speed interface and a low-speed interface. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on memory to display graphical information of the GUI on an external input/output device, such as a display device coupled to the interface.
In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories and types of memory. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in FIG. 8.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method of configuring mirrored memory as illustrated in the above embodiments.
The memory 20 may include a storage program area that may store an operating system, application programs required for at least one function, and a storage data area that may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may comprise memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may comprise volatile memory, such as random access memory, or nonvolatile memory, such as flash memory, hard disk or solid state disk, or the memory 20 may comprise a combination of the above types of memory.
The computer device further comprises an input device 30 and an output device 40. The processor 10, memory 20, input device 30, and output device 40 may be connected by a bus or by other means; connection by a bus is taken as the example in FIG. 8.
The input device 30 may receive input numeric or character information and generate signal inputs related to user settings and function control of the computer device; examples include a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointer stick, one or more mouse buttons, a track ball, a joystick, and the like. The output device 40 may include a display device, auxiliary lighting devices (e.g., LEDs), tactile feedback devices (e.g., vibration motors), and the like. Such display devices include, but are not limited to, liquid crystal displays, light emitting diode displays, and plasma displays. In some alternative implementations, the display device may be a touch screen.
The computer device further includes a communication interface for the computer device to communicate with other devices or communication networks.
The computer device provided in this embodiment includes, but is not limited to, a server cluster, a client, or other network device, etc.
On one hand, under the condition of closing KASLR functions, the computer equipment provided by the invention inputs a compiling instruction into the configuration file of the system boot manager, compiles the configuration file, and realizes mirroring of a memory address space with a first preset capacity by modifying option parameters of a Basic Input Output System (BIOS), finally, after restarting a Linux operating system, mirroring of the first preset capacity is realized, and the memory address is ensured to be stored in the range of the first preset capacity when the memory mirroring is carried out, so that the complexity of memory management is simplified, the operation under the scenes of security analysis, fault investigation and the like is facilitated, and the overall safety and stability of the system are improved.
On the other hand, under the condition of starting KASLR functions, the invention carries out mirror image processing by precisely calculating and setting the memory address space from the first preset capacity to the second preset capacity, and the range just covers the memory address space of the kernel, and simultaneously fully utilizes the memory resources. Through the introduction of random numbers, even under the condition that KASLR functions are started, effective mapping and access of kernel addresses can be ensured, memory mirror image can be carried out on a system kernel at low cost, kernel faults caused by memory are avoided, and waste of memory resources is avoided.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware or firmware, or as computer code that can be recorded on a storage medium, or as computer code originally stored in a remote storage medium or a non-transitory machine readable storage medium, downloaded through a network, and stored in a local storage medium, so that the method described herein can be processed by such software stored on a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware.
The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random-access memory, a flash memory, a hard disk, a solid state disk, or the like, and further, the storage medium may further include a combination of the above types of memories. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Embodiments of the present application may also provide a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of the above-described method. Wherein the computer program product may write program code for performing the operations of embodiments of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
The foregoing embodiments are merely for illustrating the technical solutions of the embodiments of the present invention, but not for limiting the same, and although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that modifications may be made to the technical solutions described in the foregoing embodiments or equivalents may be substituted for some of the technical features thereof, and these modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention in essence.
Claims (15)
1. A method for configuring mirrored memory, the method comprising:
under an operating system, detecting whether a kernel address space layout randomization function needs to be closed, wherein the system defaults the kernel address space layout randomization function to be in an on state;
if yes, inputting a compiling instruction for closing the function into a configuration file of a system boot manager, and compiling the configuration file, wherein the configuration file is used for controlling one or more of a starting item and a starting parameter loaded during system starting;
performing mirror image processing on a memory address space with a first preset capacity by modifying option parameters of a basic input/output system, wherein the first preset capacity needs to cover the memory address space of a kernel;
restarting the operating system based on the compiled configuration file of the system boot manager and the modified option parameters to realize mirroring of the first preset capacity, and storing the memory address of the kernel in the range of the first preset capacity.
2. The method of claim 1, wherein the inputting of the compile instruction to shut down the function into the system boot manager configuration file comprises:
searching a target starting item in the system boot manager configuration file, setting a field with a function of closing the system boot manager in the target starting item, and modifying the field.
3. The method of claim 1, wherein modifying option parameters of a basic input output system comprises:
searching options related to the memory in a setting interface of the basic input/output system;
modifying the memory-related option parameters using a modification tool.
4. The method of claim 3, further comprising, prior to said modifying said memory-related option parameters using a modification tool:
and backing up the current option parameters related to the memory.
5. The method of claim 1, wherein the first predetermined capacity size is 4G;
the storing the memory address of the kernel within the first preset capacity size range includes:
and storing the memory address of the kernel in an address space with 0x1000000 as a base address, wherein the address space with 0x1000000 as the base address is in a range of 0-4G.
6. The method according to any one of claims 1-5, further comprising:
checking the memory address of the kernel within the first preset capacity size range by using a debugging tool.
7. The method of claim 2, wherein the target boot item is a Bootloader boot item, and the option parameters of the basic input output system include a mirror tag field, a unified extensible firmware interface field, and a memory address mirror range field;
the modifying option parameters of the basic input output system comprises:
modifying the mirror label field to be Enabled, modifying the unified extensible firmware interface field to be Enabled, and modifying the memory address mirror range field to be 0;
after the modification is completed, the modified option parameters are imported by using the command.
8. The method of claim 1, wherein the detecting whether a kernel address space layout randomization function needs to be turned off further comprises:
if not, acquiring a random number through a random number tool under the operating system, wherein the value range of the random number is between the first preset capacity and the second preset capacity, and the first preset capacity is smaller than the second preset capacity;
assigning the random number to a kernel address space layout randomization seed, and inserting the random number serving as a kernel starting parameter into a kernel;
performing memory mirroring on the memory address space from the first preset capacity to the second preset capacity by modifying the option parameters of the basic input/output system, wherein the memory address space from the first preset capacity to the second preset capacity needs to be covered by the memory address space of the kernel;
restarting the operating system, storing the memory address of the kernel in the range from the first preset capacity to the second preset capacity according to the kernel starting parameter in the kernel, and realizing memory mirroring in the range from the first preset capacity to the second preset capacity.
9. The method of claim 8, wherein the assigning the random number to the kernel address space layout randomization seed and inserting it into the kernel as a kernel starting parameter comprises:
acquiring a device tree source file;
editing the device tree source file, finding a chosen node in the device tree source file, inserting the kernel address space layout randomization seed into the chosen node, and compiling to generate a device tree binary file, wherein the chosen node is used for providing additional information required by kernel starting;
and configuring the boot loader to load the device tree binary file.
10. The method according to claim 9, wherein the method further comprises:
if the chosen node is not found in the device tree source file, a new node is created, the kernel address space layout randomization seed is inserted into the new node, and a new device tree binary file is generated through compiling, wherein the new node is used for providing additional information required by kernel starting.
11. The method of claim 8, wherein the obtaining the random number by the random number tool under the operating system comprises:
under the operating system, inputting a first command by utilizing the random number tool to generate the random number.
12. An apparatus for configuring mirrored memory, the apparatus comprising:
the detection module is used for detecting whether the kernel address space layout randomization function needs to be closed or not under an operating system, wherein the system defaults the kernel address space layout randomization function to be in an on state;
the compiling module is used for inputting a compiling instruction for closing the function into a configuration file of the system boot manager under the condition that the detecting module detects that the function is closed, and compiling the configuration file, wherein the configuration file is used for controlling one or more of a starting item and a starting parameter loaded during system starting;
the processing module is used for mirroring the memory address space with the first preset capacity by modifying the option parameters of the basic input/output system, wherein the first preset capacity needs to cover the memory address space of the kernel;
and the restarting module is used for restarting the operating system based on the compiled configuration file of the system boot manager and the modified option parameters so as to realize mirroring of the first preset capacity and store the memory address of the kernel in the range of the first preset capacity.
13. A computer device comprising a memory and a processor, the memory and the processor being connected;
the memory having stored therein computer instructions which, upon execution by the processor, perform the method of configuring mirrored memory of any one of claims 1 to 11.
14. A computer-readable storage medium, wherein the computer-readable storage medium has stored thereon computer instructions;
the computer instructions for causing a computer to perform the method of configuring mirrored memory of any one of claims 1 to 11.
15. A computer program product comprising computer instructions for causing a computer to perform the method of configuring mirrored memory of any one of claims 1 to 11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411947634.8A CN119377015B (en) | 2024-12-27 | 2024-12-27 | Method, device, equipment and storage medium for configuring mirror image memory |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119377015A (en) | 2025-01-28 |
| CN119377015B (en) | 2025-04-25 |
Family ID: 94325251
Family Applications (1)
| Application Number | Status | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|---|
| CN202411947634.8A | Active | CN119377015B (en) | 2024-12-27 | 2024-12-27 | Method, device, equipment and storage medium for configuring mirror image memory |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119377015B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107688474A (en) * | 2016-08-04 | 2018-02-13 | 阿里巴巴集团控股有限公司 | Startup method, the method and device for generating kernel mirror image |
| CN117370266A (en) * | 2023-10-25 | 2024-01-09 | 重庆长安汽车股份有限公司 | A method, device and terminal for implementing kernel address space layout randomization |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117687835A (en) * | 2022-09-09 | 2024-03-12 | 华为技术有限公司 | Data processing systems, memory mirroring methods, apparatus and computing devices |
| CN118819645A (en) * | 2023-12-28 | 2024-10-22 | 中移物联网有限公司 | File system startup method, device, equipment and medium of microkernel operating system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119377015A (en) | 2025-01-28 |
Similar Documents
| Publication | Title |
|---|---|
| US9665469B2 (en) | System and method of runtime downloading of debug code and diagnostics tools in an already deployed baseboard management controller (BMC) devices |
| US8751783B2 (en) | Booting computing devices with EFI aware operating systems |
| US9910664B2 (en) | System and method of online firmware update for baseboard management controller (BMC) devices |
| US10303458B2 (en) | Multi-platform installer |
| US8219851B2 (en) | System RAS protection for UMA style memory |
| CN111240720A (en) | Boot program upgrade method, device and storage medium |
| JP2017507431A (en) | Compute device initialization trace |
| CN117130672A (en) | Server startup process control method, system, terminal and storage medium |
| CN117591136A (en) | Storage image generation method, device, computer equipment and storage medium |
| CN120780542B (en) | Restarting control method and device of server processor, storage medium and electronic equipment |
| JP4848392B2 (en) | Method and system for determining the criticality of a hot plug device in a computer configuration |
| CN116975878A (en) | Method, equipment and medium for reinforcing firmware security of embedded system |
| CN111651304A (en) | Software recovery method, device and computer equipment based on dual-core smart meter |
| CN116339908A (en) | Virtual machine starting method, device, computer equipment and storage medium |
| CN119377015B (en) | Method, device, equipment and storage medium for configuring mirror image memory |
| CN120492043A (en) | Firmware function customization method and device, electronic equipment and storage medium |
| US12517709B2 (en) | Method for generating driver package, method for deploying driver, electronic device, and computer readable storage medium |
| CN116340031B (en) | Computer systems and methods for detecting deviations and non-transitory computer-readable media |
| US11354109B1 (en) | Firmware updates using updated firmware files in a dedicated firmware volume |
| CN115509683A (en) | A method and system for handling startup failure of Linux operating system |
| US12566662B2 (en) | Method and computing device for responding to memory fail |
| CN119987874B (en) | A chip startup method, a chip, an electronic device, and a storage medium. |
| US20260017047A1 (en) | Updating software using hybrid partitioning |
| CN118426845A (en) | Method and device for starting embedded system, computer equipment and medium |
| US10691444B1 (en) | Launching updated firmware files stored in a dedicated firmware volume |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |