diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index 8cbe81e..f088036 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh @@ -7,12 +7,13 @@ # Need to use kali kernel src if nexmon is enabled if [ "$ENABLE_NEXMON" = true ] ; then + echo "WARNING: if ENABLE_NEXMON is used remember to put the CORRECT KERNELSRC IN KERNELSRC_DIR!!!!!1!" KERNEL_URL="${KALI_KERNEL_URL}" + KERNEL_BRANCH="" fi # Fetch and build latest raspberry kernel if [ "$BUILD_KERNEL" = true ] ; then - echo "WARNING: if ENABLE_NEXMON is used remember to put the CORRECT KERNELSRC IN KERNELSRC_DIR!!!!!1!" # Setup source directory mkdir -p "${KERNEL_DIR}" @@ -230,24 +231,22 @@ if [ "$BUILD_KERNEL" = true ] ; then fi # KERNEL_DEFAULT_GOV was set by user - if ! [ "$KERNEL_DEFAULT_GOV" = POWERSAVE ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then - # unset default governor - unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE + if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then case "$KERNEL_DEFAULT_GOV" in - "performance") + performance) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y ;; - "userspace") + userspace) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y ;; - "ondemand") + ondemand) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y ;; - "conservative") + conservative) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y ;; - "shedutil") + shedutil) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y ;; *) @@ -255,6 +254,9 @@ if [ "$BUILD_KERNEL" = true ] ; then exit 1 ;; esac + + # unset previous default governor + unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE fi diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index 85782ae..4ecba25 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh 
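Review bot: The `shedutil)` arm of the rewritten case keeps the misspelling, so a user who sets the governor's real name `schedutil` falls through to `*)` and the build exits 1; accept both spellings, `schedutil|shedutil)`. The guard now compares against lowercase `powersave`, but configuration files written against the previous default `POWERSAVE` (see the rpi23-gen-image.sh hunk below) no longer match the `!= powersave` test and also land in `*)`, so either lower-case the value before the test or list the uppercase form alongside it. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside this hunk.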
@@ -42,7 +42,7 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi - + if [ "$CRYPTFS_DROPBEAR" = true ]; then if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub @@ -50,29 +50,29 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then else # Create key chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear - + # Convert dropbear key to openssh key chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa - + # Get Public Key Part chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub - + # Delete unwanted lines sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - + # Trust the new key cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys # Save Keys - convert with putty from rsa/openssh to puttkey cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa - + # Get unlock script install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh - + # Enable Dropbear inside initramfs printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" - + # Enable Dropbear inside initramfs sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear fi diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index 02be83c..93dbedb 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh 
@@ -64,6 +64,7 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then fi fi +# Enable Kernel messages on standard output if [ "$ENABLE_PRINTK" = true ] ; then install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf" fi @@ -86,7 +87,7 @@ fi # Install firmware config install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt" -#locks cpu at max frequency +# Locks CPU frequency at maximum if [ "$ENABLE_TURBO" = true ] ; then echo "force_turbo=1" >> "${BOOT_DIR}/config.txt" # helps to avoid sdcard corruption when force_turbo is enabled. @@ -149,7 +150,6 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Activate services chroot_exec systemctl enable pi-bluetooth.hciuart.service - chroot_exec systemctl enable pi-bluetooth.bthelper@serial1.service else # if ENABLE_BLUETOOTH = false # set overlay to disable bluetooth @@ -167,13 +167,6 @@ if [ "$ENABLE_CONSOLE" = true ] ; then chroot_exec systemctl enable serial-getty@serial0.service else echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" - # disable serial console systemd style - #chroot_exec systemctl disable serial-getty@serial0.service -fi - -# Remove cmdline.txt entry of starting zswap -if [ "$KERNEL_ZSWAP" = true ] ; then - CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" fi if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then @@ -211,6 +204,11 @@ if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then # Change back into script root dir cd "${WORKDIR}" || exit +else + # Enable ZSWAP in cmdline if systemd-swap is not used + if [ "$KERNEL_ZSWAP" = true ] ; then + CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" + fi fi # Install firmware boot cmdline diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index 3aca05f..4e001fe 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh 
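Review bot: When ENABLE_SYSTEMDSWAP and KERNEL_ZSWAP are both true, the new else branch silently drops the zswap parameters that the removed block always appended to CMDLINE, and nothing tells the user that KERNEL_ZSWAP was ignored. A one-line notice in the true branch, which begins outside this hunk, e.g. `[ "$KERNEL_ZSWAP" = true ] && echo "warning: KERNEL_ZSWAP ignored because ENABLE_SYSTEMDSWAP=true"`, would make the precedence visible at build time. The comment on the new inner if could also state it directly: `# systemd-swap takes precedence; KERNEL_ZSWAP only applies when it is disabled`.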
@@ -57,6 +57,20 @@ else # ENABLE_DHCP=false -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ "${ETC_DIR}/systemd/network/eth.network" + + if [ "$CRYPTFS_DROPBEAR" = true ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + + # Regenerate initramfs + chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + fi fi # Remove empty settings from network configuration diff --git a/functions.sh b/functions.sh index 5cb348e..607b327 100644 --- a/functions.sh +++ b/functions.sh @@ -87,8 +87,7 @@ chroot_remove_cc() { COMPILER_PACKAGES="" fi } -#GPL v2.0 -#https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh +# GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh set_kernel_config() { # flag as $1, value to set as $2, config must exist at "./.config" TGT="CONFIG_${1#CONFIG_}" @@ -99,10 +98,18 @@ set_kernel_config() { echo "${TGT}"="${2}" >> .config fi } - +# unset kernel config parameter unset_kernel_config() { # unsets flag with the value of $1, config must exist at "./.config" TGT="CONFIG_${1#CONFIG_}" sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config } -# \ No newline at end of file + +# https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0 +cdr2mask () +{ + # Number of args to shift, 255..255, first non-255 byte, zeroes + set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 + [ $1 -gt 1 ] && shift $1 || shift + echo ${1-0}.${2-0}.${3-0}.${4-0} +} \ No newline at end of file diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index 18ef56d..79bcd3a 100755 --- a/rpi23-gen-image.sh 
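Review bot: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` executes the value of NET_ADDRESS as a command instead of printing it, so for a value like 192.168.1.10/24 the shell reports command not found, cdir is empty and `cdr2mask ""` fails in its arithmetic; because the variable's content is run as a command line, whatever the configuration contains reaches the shell as code. The address is also written unchanged into the IP= line, so the `/24` suffix that the cut call shows is present ends up in the client-address field of initramfs.conf. Both are fixed with parameter expansion and no subshell. The enclosing else branch of the ENABLE_DHCP test starts outside this hunk; where HOSTNAME and KERNEL_VERSION are set is not visible here, so their use in the sed and mkinitramfs lines is assumed intentional.
```shell
  if [ "$CRYPTFS_DROPBEAR" = true ] ; then
    # Split NET_ADDRESS (e.g. 192.168.1.10/24) into address and prefix length
    net_ip=${NET_ADDRESS%%/*}
    cdir=${NET_ADDRESS##*/}

    # Convert prefix length to netmask, e.g. 24 to 255.255.255.0
    NET_MASK=$(cdr2mask "$cdir")

    # Write static ip settings to initramfs.conf (bare address, not the CIDR form)
    sed -i "\$aIP=${net_ip}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf

    # … unchanged: mkinitramfs regeneration …
```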
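Review bot: cdr2mask validates nothing: an empty or non-numeric `$1` turns `$(( 5 - ($1 / 8) ))` into an arithmetic syntax error, and a prefix above 32 silently prints 255.255.255.255 instead of failing, which matters because the caller added in 20-networking.sh derives the argument from NET_ADDRESS and writes the result into initramfs.conf. A guard at the top of the function, `case $1 in ''|*[!0-9]*) echo "error: cdr2mask: prefix length must be 0-32" >&2; return 1 ;; esac` followed by `[ "$1" -le 32 ] || { echo "error: cdr2mask: prefix length must be 0-32" >&2; return 1; }`, stops a bad configuration value from producing a bogus netmask. The `[ $1 -gt 1 ] && shift $1 || shift` line uses the and-or form as an if/else, and the `cdr2mask ()` / brace-on-its-own-line layout differs from the `set_kernel_config() {` style of the other functions in this file; a header comment naming the contract, `# $1: IPv4 CIDR prefix length (0-32); prints the dotted netmask`, would also help readers of the new caller.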
+++ b/rpi23-gen-image.sh @@ -183,7 +183,7 @@ KERNEL_CCACHE=${KERNEL_CCACHE:=false} KERNEL_ZSWAP=${KERNEL_ZSWAP:=false} KERNEL_VIRT=${KERNEL_VIRT:=false} KERNEL_BPF=${KERNEL_BPF:=false} -KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=POWERSAVE} +KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave} # Kernel compilation from source directory settings KERNELSRC_DIR=${KERNELSRC_DIR:=""} @@ -229,13 +229,13 @@ MISSING_PACKAGES="" # Packages installed for c/c++ build environment in chroot (keep empty) COMPILER_PACKAGES="" -#Check if apt-cacher-ng has port 3142 open and set APT_PROXY +# Check if apt-cacher-ng has port 3142 open and set APT_PROXY APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d') if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then APT_PROXY=http://127.0.0.1:3142/ fi -#netselect-apt does not know buster yet +# netselect-apt does not know buster yet if [ "$RELEASE" = "buster" ] ; then RLS=testing else @@ -252,10 +252,10 @@ else netselect-apt --arch "$RELEASE_ARCH" -t 3 --sources --outfile "$(pwd)/files/apt/sources.list" -d "$RLS" fi -#sed and cut the result string so we can use it as APT_SERVER +# sed and cut the result string so we can use it as APT_SERVER APT_SERVER=$(grep -m 1 http files/apt/sources.list | sed "s|http://| |g" | cut -d ' ' -f 3 | sed 's|/$|''|') -#make script easier and more stable to use with convenient setup switch. Just setup SET_ARCH and RPI_MODEL and your good to go! +# make script easier and more stable to use with convenient setup switch. Just setup SET_ARCH and RPI_MODEL and your good to go! if [ -n "$SET_ARCH" ] ; then # 64-bit configuration if [ "$SET_ARCH" = 64 ] ; then @@ -302,7 +302,7 @@ if [ -n "$SET_ARCH" ] ; then CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} fi fi -#SET_ARCH not set +# SET_ARCH not set else echo "error: Please set '32' or '64' as value for SET_ARCH" exit 1 
@@ -345,6 +345,9 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then if [ "$ENABLE_BLUETOOTH" = true ] ; then APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" fi + if [ "$ENABLE_WIRELESS" = true ] ; then + APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb" + fi else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard # Check if the internal wireless interface is not supported by the RPi model if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then @@ -401,7 +404,7 @@ if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" - #If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package + # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" fi