tech-embed archive


Re: FW: NetBSD File Systems



On Mon, Mar 05, 2001 at 03:30:59PM -0800, Unice, Kyle wrote:
> I am not sure if this made it .. so I am sending it again.
> Forgive the repeat if you already received it.
> Kyle

Generally speaking, in this kind of application I've built compressed
ramdisk kernels and written them to the flash, or used flash with an ATA
interface.  It sounds like neither is quite what you want; to my knowledge
nobody has written a "raw flash" driver for NetBSD and is giving it away
freely, which is why I've always used the ATA flash parts; that and the
fact that the common CompactFlash form factor makes it easy for one's
device to have a *cheap*, *removable* flash disk to boot/run from.

For the "filesystem on ATA flash" method, I generally mount the flash
filesystem read-only, and mount an MFS on /tmp and an MFS on /var to run
from; /var is extracted into its MFS from a tar file kept in the read-only
filesystem.  But I've usually done this to build firewalls or specialized
"bastion hosts" that straddle a firewall DMZ; so my MFS volumes are mounted
noexec,nodev and only the flash can be executed from, and I often load ipf
rules at boot time that allow only "the expected" traffic in and out of the
machine, then flip to securelevel 2 so none of this can be undone.  That
way, you *know* that the only executables on the machine, ever, are what
was on the flash card, and you have to be able to physically swap the CF
card to change them.

If you're not building a host that performs a critical security function,
much of this may not apply to you -- but I thought it might be useful to
you to know what I did.  Another benefit of using ATA flash is that with
the right cable, any machine that can boot from an IDE *disk* can boot from
them; ATA flash parts all act like IDE disks if connected to an IDE bus or
PCMCIA IDE *controllers* if you put them in a PCMCIA slot.  This can let
you build killer embedded widgets from standard PC/PC104 parts; using
commodity things like microATX motherboards can often be *cheaper* than
doing a new board design that is "just what you need", even if you're building
a lot of widgets indeed.

In the arm32 world, this is a nice way to get a Shark to not need the
network to boot, but still contain no rotating media... :-)

Thor
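The layout Thor describes (read-only flash root, MFS on /tmp and /var mounted noexec,nodev, /var repopulated from a tarball, ipf rules loaded at boot, then securelevel raised), written out as an added example. This is not part of the original message and not NetBSD project code. The device names /dev/wd0a and /dev/wd0b, the MFS sizes, the tarball path /etc/var.tar, the interface name fxp0, the "ssh in, DNS out" ipf policy, and the nosuid option are assumptions; the fstab checker is an addition beyond what the post states, there so a practitioner can verify the mount policy before burning the card.

```shell
#!/bin/sh
# Added example, not from the original message: a NetBSD-style /etc/fstab for a
# read-only CompactFlash/ATA root with MFS /tmp and /var, the boot-time lockdown
# steps, and a small checker for the mount policy. Device names, sizes, paths,
# the interface name and the ipf policy are assumptions.

# Weak layout for contrast: the flash is read-write and /tmp and /var live on
# it, so anything written at runtime persists and can be executed.
fstab_weak() {
	cat <<'EOF'
/dev/wd0a	/	ffs	rw	1 1
EOF
}

# Layout following the post: flash read-only, /tmp and /var as MFS with
# noexec,nodev (nosuid is an extra hardening assumption).  The -s option is
# passed through to mount_mfs; the size is given here in 512-byte sectors.
fstab_hardened() {
	cat <<'EOF'
/dev/wd0a	/	ffs	ro	1 1
/dev/wd0b	/tmp	mfs	rw,noexec,nodev,nosuid,-s=32768	0 0
/dev/wd0b	/var	mfs	rw,noexec,nodev,nosuid,-s=65536	0 0
EOF
}

# ipf rules admitting only "the expected" traffic.  Assumed policy: ssh in,
# DNS out, everything else blocked and logged.
ipf_conf() {
	cat <<'EOF'
block in log all
block out log all
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
pass out quick on fxp0 proto udp from any to any port = 53 keep state
EOF
}

# Boot-time steps from the post as an rc.local-style function.  Defined but
# not called here, since it needs root on the target box.
boot_lockdown() {
	# /var is an empty MFS right after mount; repopulate it from a tarball
	# kept on the read-only flash (path assumed).
	( cd /var && tar xpf /etc/var.tar ) || return 1
	# Flush any existing rules and load the restrictive set.
	ipf -Fa -f /etc/ipf.conf || return 1
	# Raise the securelevel last; at runtime it can only be raised, not lowered.
	sysctl -w kern.securelevel=2
}

# check_fstab: read fstab lines from stdin and enforce the policy
#   - every ffs (flash) filesystem is mounted ro
#   - every mfs filesystem carries noexec and nodev
# Prints one FAIL line per violation; returns 1 if any were found.
check_fstab() {
	rc=0
	while read -r dev mnt type opts rest; do
		case "$dev" in ''|'#'*) continue ;; esac
		case "$type" in
		ffs)
			case ",$opts," in
			*,ro,*) ;;
			*) echo "FAIL: $mnt ($type) not read-only: $opts"; rc=1 ;;
			esac
			;;
		mfs)
			for need in noexec nodev; do
				case ",$opts," in
				*,"$need",*) ;;
				*) echo "FAIL: $mnt ($type) lacks $need: $opts"; rc=1 ;;
				esac
			done
			;;
		esac
	done
	return $rc
}

# Stand-alone demonstration: the hardened table passes, the weak one is rejected.
fstab_hardened | check_fstab && echo "hardened fstab: policy ok"
fstab_weak | check_fstab || echo "weak fstab: rejected as expected"
```

Run check_fstab against the real /etc/fstab (`check_fstab < /etc/fstab`) on the build host before writing the image; a /var or /tmp line that lost its noexec,nodev during editing is exactly the kind of mistake that undoes the "only the flash can be executed from" property without anything else looking wrong.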


