diff --git a/README-CN.md b/README-CN.md index 2c9f0d6..7a5f0de 100644 --- a/README-CN.md +++ b/README-CN.md @@ -1,5 +1,5 @@ ## 介绍 -`rpi23-gen-image.sh` 是一个自动生成树莓派2/3系统镜像的脚本工具, 当前支持自动生成32位 armhf 架构的Debian, 发行版本`jessie`, `stretch` 和 `buster`. 树莓派3 64位镜像需要使用特定的配置参数 (```templates/rpi3-stretch-arm64-4.11.y```). +`rpi23-gen-image.sh` 是一个自动生成树莓派2/3系统镜像的脚本工具, 当前支持自动生成32位 armhf 架构的Debian, 发行版本`jessie`, `stretch` 和 `buster`. 树莓派3 64位镜像需要使用特定的配置参数 (```templates/rpi3-stretch-arm64-4.14.y```). ## 构建环境所依赖的包 一定要安装好下列deb包, 他们是构建过程需要的核心包. 脚本会自动检查, 如果缺少,经用户确认后会自动安装. diff --git a/README.md b/README.md index e97b491..a074381 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # rpi23-gen-image ## Introduction -`rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for Raspberry Pi 2 (RPi2) and Raspberry Pi 3 (RPi3) computers. The script at this time supports the bootstrapping of the Debian (armhf) releases `stretch` and `buster`. Raspberry Pi 3 images are generated for 32-bit mode only. Raspberry Pi 3 64-bit images can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.11.y```). +`rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for Raspberry Pi 2 (RPi2) and Raspberry Pi 3 (RPi3) computers. The script at this time supports the bootstrapping of the Debian (armhf) releases `stretch` and `buster`. Raspberry Pi 3 images are generated for 32-bit mode only. Raspberry Pi 3 64-bit images can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```). ## Build dependencies The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. 
diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index b833dfa..544781c 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh @@ -11,29 +11,23 @@ if [ -z "$APT_PROXY" ] ; then sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy" fi -if [ "$BUILD_KERNEL" = false ] ; then - echo "Downloading precompiled kernel" - echo "error: not configured" - exit 1; -# BUILD_KERNEL=true -else - echo "No precompiled kernel repositories were added" -fi - # Upgrade package index and update all installed packages and changed dependencies chroot_exec apt-get -qq -y update chroot_exec apt-get -qq -y -u dist-upgrade +# Install additional packages if [ "$APT_INCLUDES_LATE" ] ; then chroot_exec apt-get -qq -y install "$(echo "$APT_INCLUDES_LATE" |tr , ' ')" fi +# Install Debian custom packages if [ -d packages ] ; then for package in packages/*.deb ; do cp "$package" "${R}"/tmp chroot_exec dpkg --unpack /tmp/"$(basename "$package")" done fi + chroot_exec apt-get -qq -y -f install chroot_exec apt-get -qq -y check diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index 6c93cf6..de86adf 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh 
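Review bot: `chroot_exec apt-get -qq -y install "$(echo "$APT_INCLUDES_LATE" |tr , ' ')"`, the line directly under the new `# Install additional packages` comment, hands apt-get the whole space-separated list as a single argument, so an APT_INCLUDES_LATE holding more than one package cannot be resolved; the outer quotes defeat the word-splitting the `tr` exists to produce, and `chroot_exec apt-get -qq -y install $(echo "$APT_INCLUDES_LATE" | tr , ' ')` with a `# shellcheck disable=SC2046 — splitting is intended` comment fixes it. The `for package in packages/*.deb` loop under `# Install Debian custom packages` has a related edge: when `packages` exists but contains no .deb, the unmatched glob stays literal and `cp` fails on the pattern; `[ -e "$package" ] || continue` as the loop's first line guards that. Both lines are pre-existing context the commit only annotates rather than new code; the `dpkg --unpack` of local .deb files also installs unsigned content into the image, which is by design here but worth stating in the new comment.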
@@ -107,36 +107,21 @@ if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Set permissions chown -R root:root "${R}/tmp/pi-bluetooth" - # Install files to chroot # Install tools install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" # Install bluetooth udev rule install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" - #aur - #install_readonly "${R}/tmp/pi-bluetooth/50-bluetooth-hci-auto-poweron.rules" "${ETC_DIR}/udev/rules.d/50-bluetooth-hci-auto-poweron.rules" # Install Firmware Flash file and apropiate licence mkdir "${ETC_DIR}/firmware/" - #aur https://aur.archlinux.org/packages/pi-bluetooth/ - #install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${ETC_DIR}/firmware/LICENCE.broadcom_bcm43xx" - #install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${ETC_DIR}/firmware/BCM43430A1.hcd" - wget -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth wget -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth - # Install systemd service for bluetooth - #install_readonly "${R}/tmp/pi-bluetooth/brcm43438.service" "${ETC_DIR}/systemd/system/brcm43438.service" - - # Remove temporary directory - #rm -fr "${temp_dir}" - # Get /dev/serial back for compability - # Raspberry-sys-mod package wget -O "${ETC_DIR}/udev/rules.d/99-com.rules" https://raw.githubusercontent.com/RPi-Distro/raspberrypi-sys-mods/master/etc.armhf/udev/rules.d/99-com.rules - fi fi diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index f92e76d..3ca9f60 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh 
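Review bot: After this cleanup the two `wget -O "${R}/tmp/pi-bluetooth/…"` downloads (LICENCE.broadcom_bcm43xx and BCM43430A1.hcd) land in the chroot's /tmp and nothing visible copies them into the `${ETC_DIR}/firmware/` directory created just above them — the only `install_readonly` lines for those files are the commented-out ones this hunk deletes, so unless a step outside the hunk installs them the firmware directory ships empty; `install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${ETC_DIR}/firmware/BCM43430A1.hcd"` plus the licence counterpart would close that. These fetches and the `99-com.rules` one pull from an unpinned branch (`?h=pi-bluetooth`, `master`) with no integrity check and no exit-status handling, so a failed or changed upstream silently alters what is baked into the image; pinning the URL to a fixed revision and checking the result with `sha256sum -c` against a recorded digest (`<EXPECTED_SHA256>` placeholder) is the usual mitigation. `mkdir "${ETC_DIR}/firmware/"` also fails if the directory already exists; `mkdir -p` is safer. The enclosing `if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]` block begins before this hunk.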
@@ -95,7 +95,7 @@ fi # Download the firmware binary blob required to use the RPi3 wireless interface if [ "$ENABLE_WIRELESS" = true ] ; then if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then - mkdir -p "${WLAN_FIRMWARE_DIR}" + mkdir -p "${WLAN_FIRMWARE_DIR}" fi # Create temporary directory for firmware binary blob 
@@ -103,20 +103,21 @@ if [ "$ENABLE_WIRELESS" = true ] ; then # Fetch firmware binary blob for RPI3B+ if [ "$RPI_MODEL" = 3P ] ; then - as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin" - as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt" - as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob" + # Fetch firmware binary blob for RPi3P + as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin" + as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt" + as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob" elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then - # Fetch firmware binary blob for RPI3 - as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin" - as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt" + # Fetch firmware binary blob for RPi3 + as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin" + as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt" fi # Move downloaded firmware binary blob if [ "$RPI_MODEL" = 3P ] ; then - mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/" + mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/" elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then - mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/" + mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/" fi # Remove temporary directory for firmware binary blob 
@@ -124,10 +125,10 @@ if [ "$ENABLE_WIRELESS" = true ] ; then # Set permissions of the firmware binary blob if [ "$RPI_MODEL" = 3P ] ; then - chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."* - chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."* + chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."* + chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."* elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then - chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* - chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* + chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* + chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* fi fi diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh index 940d317..6d42bde 100644 --- a/bootstrap.d/41-uboot.sh +++ b/bootstrap.d/41-uboot.sh @@ -72,7 +72,7 @@ if [ "$ENABLE_UBOOT" = true ] ; then printf "\n# 64bit-mode" >> "${BOOT_DIR}/config.txt" printf "\n# arm_control=0x200 is deprecated https://www.raspberrypi.org/documentation/configuration/config-txt/misc.md" >> "${BOOT_DIR}/config.txt" printf "\narm_64bit=1" >> "${BOOT_DIR}/config.txt" - #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)] + sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage" fi diff --git a/bootstrap.d/16-videocore.sh b/bootstrap.d/43-videocore.sh similarity index 100% rename from bootstrap.d/16-videocore.sh rename to bootstrap.d/43-videocore.sh index 026b9ee..d42590c 100644 --- a/bootstrap.d/16-videocore.sh +++ b/bootstrap.d/43-videocore.sh @@ -29,6 +29,7 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then # Create build dir mkdir "${R}"/tmp/userland/build + # push us to build directory pushd "${R}"/tmp/userland/build @@ -46,6 +47,7 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then #build userland make -j "$(nproc)" + #pop us out of build dir popd fi diff --git a/files/iptables/nftables.rules b/files/iptables/nftables.rules new file mode 100644 index 0000000..6881564 
--- /dev/null
+++ b/files/iptables/nftables.rules
@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH # -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP # -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP # -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable
diff --git a/files/iptables/nftables6.rules b/files/iptables/nftables6.rules
new file mode 100644
index 0000000..38f1755
--- /dev/null
+++ b/files/iptables/nftables6.rules
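Review bot: The SSH brute-force limiter is silently lost in this file: the three `-m recent` rules survive only as `# -t filter -A SSH …` comment lines (the form iptables-restore-translate leaves for rules it cannot convert; the hunk header's 21-line count shows they are separate lines even though the page fuses them onto the `jump SSH` rule), so the `SSH` chain entered by `tcp dport 22 ct state new counter jump SSH` is empty and returns immediately, and the `TCP` and `UDP` chains are empty as well. With nothing accepting in those chains a new SSH connection falls through to `ip protocol tcp counter reject with tcp reset`, so unless rules are appended to `TCP`/`SSH` elsewhere in the build the image rejects inbound SSH; nftables6.rules has the identical gap. The nft replacement for the limiter is a dynamic set (`flags dynamic` with a timeout) keyed on `ip saddr`, updated from the SSH chain with `update @setname { ip saddr limit rate over … }` before a drop, followed by an explicit accept — that needs an `add set` line plus two or three rules, so it is a small block rather than a one-liner. Because the file uses `add table`/`add rule` with no `flush`, re-applying it appends duplicate rules each time; a `flush table ip filter` after the `add table ip filter` line makes loading idempotent.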
@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH # -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP # -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP # -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited
diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh
index d4a4190..d84fa74 100755
--- a/rpi23-gen-image.sh
+++ b/rpi23-gen-image.sh
@@ -45,7 +45,7 @@ RPI_MODEL=${RPI_MODEL:=2} # Debian release RELEASE=${RELEASE:=buster} -#Kernel Branch +# Kernel Branch KERNEL_BRANCH=${KERNEL_BRANCH:=""} # URLs
@@ -146,7 +146,7 @@ ENABLE_REDUCE=${ENABLE_REDUCE:=false} ENABLE_UBOOT=${ENABLE_UBOOT:=false} UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} -ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=true} +ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""} FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""} ENABLE_HARDNET=${ENABLE_HARDNET:=false} @@ -196,7 +196,7 @@ CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} APT_INCLUDES=${APT_INCLUDES:=""} APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup" -#Packages to exclude from chroot build environment +# Packages to exclude from chroot build environment APT_EXCLUDES=${APT_EXCLUDES:=""} # Packages required for bootstrapping 
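Review bot: `ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}` flips the default so the videocore userland is no longer built unless a caller opts in, but the only README changes in this diff are the template rename; if the README parameter table still documents the default as true it should be corrected in the same commit (that part of the README is not visible here). The `# Packages to exclude from chroot build environment` hunk is comment spacing only.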
@@ -208,29 +208,17 @@ COMPILER_PACKAGES="" set +x -#If init and systemd-sysv are wanted e.g. halt/reboot/shutdown scripts -if [ "$ENABLE_SYSVINIT" = false ] ; then -APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv" -fi - -#Check if apt-cacher-ng has its default port open on and set APT_PROXY -if [ -n "$(lsof -i :3142)" ] ; then -HTTP_PROXY=http://127.0.0.1:3142/ -fi - -#make script easier and more stable to use with convenient setup switch. Just setup SET_ARCH and RPI_MODEL and your good to go! +# Setup architecture specific settings if [ -n "$SET_ARCH" ] ; then - echo "Setting Architecture specific settings" - ################################## - # 64 bit config - ################################## + + # 64 bit configuration if [ "$SET_ARCH" = 64 ] ; then - echo "64 bit mode selected - Setting up enviroment" - # 64 bit depended settings + # General 64 bit depended settings QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static} KERNEL_ARCH=${KERNEL_ARCH:=arm64} KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"} + # Board specific settings if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64" KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig} 
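Review bot: The `if [ -n "$(lsof -i :3142)" ]` block that set `HTTP_PROXY=http://127.0.0.1:3142/` is deleted here and, unlike the sysvinit and BUILD_KERNEL blocks, is not re-added anywhere in this diff, so builds that relied on apt-cacher-ng auto-detection now run without the proxy unless the caller exports it. Dropping it is defensible — any local listener on port 3142 became the apt proxy with no confirmation — but it deserves a line in the commit message or README so the behaviour change is not mistaken for a block lost during the reorganisation. The `echo` progress messages are removed without replacement too; if the intent is a quieter script, a `# Intentionally silent: settings are echoed by set -x above` note at the top of the `SET_ARCH` block would make that explicit.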
@@ -238,32 +226,29 @@ if [ -n "$SET_ARCH" ] ; then KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img} CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-} else - echo "error: Only Raspberry PI 3 and 3B+ support 64bit" + echo "error: Only Raspberry PI 3 and 3B+ support 64 bit" exit 1 fi fi - ################################## - # 32 bit config - ################################## + # 32 bit configuration if [ "$SET_ARCH" = 32 ] ; then - echo "32 bit mode selected - Setting up enviroment" - #General 32bit configuration + # General 32 bit dependend settings QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static} KERNEL_ARCH=${KERNEL_ARCH:=arm} KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"} - #Raspberry setting grouped by board compability + # Hardware specific settings if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then - echo "Setting settings for bcm2835 Raspberry PI boards" REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel" KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig} RELEASE_ARCH=${RELEASE_ARCH:=armel} KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img} CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-} fi + + # Hardware specific settings if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then - echo "Setting settings for bcm2837 Raspberry PI boards" REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf" KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig} RELEASE_ARCH=${RELEASE_ARCH:=armhf} @@ -276,9 +261,7 @@ else echo "error: Please set '32' or '64' as value for SET_ARCH" exit 1 fi - - #Device specific configuration and uboot-config - echo "Select DTB-File" + # Device specific configuration and U-Boot configuration case "$RPI_MODEL" in 0) DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb} @@ -329,6 +312,7 @@ if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then fi fi +# Add cmake to compile videocore sources if [ "$ENABLE_VIDEOCORE" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake" fi 
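Review bot: Both model blocks in the 32-bit branch now carry the identical comment `# Hardware specific settings`, which loses the board information the removed `echo "Setting settings for bcm2835 …"` and `bcm2837` lines carried; `# bcm2835 boards (RPi 0/1/1+): armel toolchain and kernel` on the first and `# bcm2837 boards (RPi 2/3/3+): armhf toolchain and kernel` on the second say what each condition selects. `# General 32 bit dependend settings` has a typo (`dependent`) and its 64-bit twin reads `depended`; the two should match. The enclosing `if [ -n "$SET_ARCH" ]` block starts before this hunk, and the two later hunks (`# Device specific configuration and U-Boot configuration`, `# Add cmake to compile videocore sources`) are comment-only.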
@@ -536,6 +520,21 @@ if [ "$ENABLE_REDUCE" = true ] ; then fi fi +# Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available +if [ "$ENABLE_SYSVINIT" = false ] ; then + APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv" +fi + +# Check if kernel is getting compiled +if [ "$BUILD_KERNEL" = false ] ; then + echo "Downloading precompiled kernel" + echo "error: not configured" + exit 1; +# BUILD_KERNEL=true +else + echo "No precompiled kernel repositories were added" +fi + # Configure kernel sources if no KERNELSRC_DIR if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then KERNELSRC_CONFIG=true diff --git a/templates/rpi2jessie b/templates/rpi2jessie deleted file mode 100644 index c4d27dd..0000000 --- a/templates/rpi2jessie +++ /dev/null @@ -1,2 +0,0 @@ -# Configuration template file used by rpi23-gen-image.sh -RELEASE=jessie diff --git a/templates/rpi3-stretch-arm64-4.11.y b/templates/rpi3-stretch-arm64-4.14.y similarity index 92% rename from templates/rpi3-stretch-arm64-4.11.y rename to templates/rpi3-stretch-arm64-4.14.y index 0523a0b..0c5cfaf 100644 --- a/templates/rpi3-stretch-arm64-4.11.y +++ b/templates/rpi3-stretch-arm64-4.14.y @@ -11,5 +11,5 @@ QEMU_BINARY=/usr/bin/qemu-aarch64-static KERNEL_DEFCONFIG=bcmrpi3_defconfig KERNEL_BIN_IMAGE=Image KERNEL_IMAGE=kernel8.img -KERNEL_BRANCH=rpi-4.11.y +KERNEL_BRANCH=rpi-4.14.y ENABLE_WIRELESS=true diff --git a/templates/rpi3jessie b/templates/rpi3jessie deleted file mode 100644 index 6a4f72f..0000000 --- a/templates/rpi3jessie +++ /dev/null @@ -1,4 +0,0 @@ -# Configuration template file used by rpi23-gen-image.sh -RPI_MODEL=3 -RELEASE=jessie -BUILD_KERNEL=true
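Review bot: In the relocated `BUILD_KERNEL` check both messages go to stdout and the `else` branch, which runs on every normal build, prints `No precompiled kernel repositories were added` as if something were wrong; a single diagnostic `echo "error: BUILD_KERNEL=false is not supported, no precompiled kernel source is configured" >&2` followed by `exit 1` (without the stray `;`), with the `else` branch and the dead `# BUILD_KERNEL=true` comment removed, says the same with less noise. `APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"` yields `--exclude=,init,systemd-sysv` when APT_EXCLUDES is empty, which the earlier hunk shows is its default; whether debootstrap tolerates the empty element I cannot confirm from here, so `APT_EXCLUDES="--exclude=${APT_EXCLUDES:+${APT_EXCLUDES},}init,systemd-sysv"` sidesteps the question. The template deletions and the 4.11.y→4.14.y rename are trivial.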