diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index 5237a1a..f7a4037 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh @@ -7,9 +7,10 @@ # Need to use kali kernel src if nexmon is enabled if [ "$ENABLE_NEXMON" = true ] ; then - echo "WARNING: if ENABLE_NEXMON is used remember to put the CORRECT KERNELSRC IN KERNELSRC_DIR!!!!!1!" KERNEL_URL="${KALI_KERNEL_URL}" + # Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel KERNEL_BRANCH="" + KERNELSRC_DIR="" fi # Fetch and build latest raspberry kernel @@ -93,7 +94,7 @@ if [ "$BUILD_KERNEL" = true ] ; then if [ "$KERNELSRC_CONFIG" = true ] ; then # Load default raspberry kernel configuration make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" - + #Switch to KERNELSRC_DIR so we can use set_kernel_config cd "${KERNEL_DIR}" || exit @@ -106,7 +107,7 @@ if [ "$BUILD_KERNEL" = true ] ; then set_kernel_config CONFIG_ZSMALLOC y set_kernel_config CONFIG_PGTABLE_MAPPING y fi - + # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then set_kernel_config CONFIG_VIRTUALIZATION y 
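Review bot: The added `KERNELSRC_DIR=""` discards a source directory the user set explicitly, and the same hunk removes the WARNING echo that used to flag this case, so a build that ignores the configured tree now leaves no trace of it in the log. Print a notice to stderr before overriding, e.g. `if [ -n "$KERNELSRC_DIR" ] ; then` / `printf 'warning: ENABLE_NEXMON=true overrides KERNELSRC_DIR; kernel source will be fetched from %s\n' "$KERNEL_URL" >&2` / `fi`, so the operator can see which tree was actually built (presumably the fetch from `KERNEL_URL` takes over when the directory is empty). The new comment also has a typo, `nomrla` for `normal`; a shorter form would be `# nexmon needs the Kali kernel tree: ignore any user-supplied branch or source directory and fetch from KALI_KERNEL_URL`.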
@@ -114,90 +115,109 @@ if [ "$BUILD_KERNEL" = true ] ; then set_kernel_config CONFIG_VHOST_NET m set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y fi - + # enable apparmor,integrity audit, if [ "$KERNEL_SECURITY" = true ] ; then # security filesystem, security models and audit - set_kernel_config CONFIG_SECURITYFS y - set_kernel_config CONFIG_SECURITY y + set_kernel_config CONFIG_SECURITYFS y + set_kernel_config CONFIG_SECURITY y set_kernel_config CONFIG_AUDIT y - # harden strcpy and memcpy + # harden strcpy and memcpy set_kernel_config CONFIG_HARDENED_USERCOPY=y set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y - set_kernel_config CONFIG_FORTIFY_SOURCE=y - - # integrity sub-system + set_kernel_config CONFIG_FORTIFY_SOURCE=y + + # integrity sub-system set_kernel_config CONFIG_INTEGRITY=y set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y set_kernel_config CONFIG_INTEGRITY_AUDIT=y set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y - - # This option provides support for retaining authentication tokens and access keys in the kernel. + + # This option provides support for retaining authentication tokens and access keys in the kernel. 
set_kernel_config CONFIG_KEYS=y set_kernel_config CONFIG_KEYS_COMPAT=y - - # Apparmor + + # Apparmor set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y - set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y - set_kernel_config CONFIG_SECURITY_APPARMOR y - set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y - set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" - - # restrictions on unprivileged users reading the kernel + set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y + set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" + + # restrictions on unprivileged users reading the kernel set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y - - # network security hooks + + # network security hooks set_kernel_config CONFIG_SECURITY_NETWORK y set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y set_kernel_config CONFIG_SECURITY_PATH=y set_kernel_config CONFIG_SECURITY_YAMA=y - - # New Options - if [ "$KERNEL_NF" = true ] ; then - set_kernel_config CONFIG_IP_NF_SECURITY m - set_kernel_config CONFIG_NETLABEL m - set_kernel_config CONFIG_IP6_NF_SECURITY m - fi - set_kernel_config CONFIG_SECURITY_SELINUX n - set_kernel_config CONFIG_SECURITY_SMACK n - set_kernel_config CONFIG_SECURITY_TOMOYO n - set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n - set_kernel_config CONFIG_SECURITY_LOADPIN n - set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n - set_kernel_config CONFIG_IMA n - set_kernel_config CONFIG_EVM n - set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y - set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y - set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y - set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y - set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y - set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y - set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y - set_kernel_config 
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n - fi - + + # New Options + if [ "$KERNEL_NF" = true ] ; then + set_kernel_config CONFIG_IP_NF_SECURITY m + set_kernel_config CONFIG_NETLABEL y + set_kernel_config CONFIG_IP6_NF_SECURITY m + fi + set_kernel_config CONFIG_SECURITY_SELINUX n + set_kernel_config CONFIG_SECURITY_SMACK n + set_kernel_config CONFIG_SECURITY_TOMOYO n + set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n + set_kernel_config CONFIG_SECURITY_LOADPIN n + set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n + set_kernel_config CONFIG_IMA n + set_kernel_config CONFIG_EVM n + set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y + set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y + set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y + set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y + set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y + set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m + set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096 + + set_kernel_config CONFIG_ARM64_CRYPTO y + set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m + set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m + set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m + set_kernel_config CRYPTO_GHASH_ARM64_CE m + set_kernel_config CRYPTO_SHA2_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_AES_ARM64 m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y + set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m + set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m + set_kernel_config SYSTEM_TRUSTED_KEYS + fi + # Netfilter kernel support See 
https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 - if [ "$KERNEL_NF" = true ] ; then - set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m - set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m - set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m - set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m - set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m - set_kernel_config CONFIG_NFT_FIB_INET m - set_kernel_config CONFIG_NFT_FIB_IPV4 m - set_kernel_config CONFIG_NFT_FIB_IPV6 m - set_kernel_config CONFIG_NFT_FIB_NETDEV m - set_kernel_config CONFIG_NFT_OBJREF m - set_kernel_config CONFIG_NFT_RT m - set_kernel_config CONFIG_NFT_SET_BITMAP m - set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y - set_kernel_config CONFIG_NF_LOG_ARP m - set_kernel_config CONFIG_NF_SOCKET_IPV4 m - set_kernel_config CONFIG_NF_SOCKET_IPV6 m + if [ "$KERNEL_NF" = true ] ; then + set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m + set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m + set_kernel_config CONFIG_NFT_FIB_INET m + set_kernel_config CONFIG_NFT_FIB_IPV4 m + set_kernel_config CONFIG_NFT_FIB_IPV6 m + set_kernel_config CONFIG_NFT_FIB_NETDEV m + set_kernel_config CONFIG_NFT_OBJREF m + set_kernel_config CONFIG_NFT_RT m + set_kernel_config CONFIG_NFT_SET_BITMAP m + set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y + set_kernel_config CONFIG_NF_LOG_ARP m + set_kernel_config CONFIG_NF_SOCKET_IPV4 m + set_kernel_config CONFIG_NF_SOCKET_IPV6 m set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m 
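Review bot: Three of the added lines at the end of the KERNEL_SECURITY block cannot set the option they name: `set_kernel_config CRYPTO_GHASH_ARM64_CE m` and `set_kernel_config CRYPTO_SHA2_ARM64_CE m` lack the `CONFIG_` prefix every other line uses, and `set_kernel_config SYSTEM_TRUSTED_KEYS` has neither the prefix nor a value. `CONFIG_SYSTEM_TRUSTED_KEYS` is also given `y` and, a few lines later, `m`; in Kconfig it is a string naming a PEM file of extra certificates for the system keyring, so neither value is meaningful and presumably the last assignment wins without any diagnostic — this matters because the system and secondary keyrings are what module-signature and IMA trust decisions are rooted in. The `CONFIG_*_ARM64*` crypto options are enabled regardless of `SET_ARCH`; on a 32-bit tree those symbols do not exist, and whether `set_kernel_config` tolerates unknown symbols is not visible here. Suggested fix: prefix the two GHASH/SHA2 lines with `CONFIG_`, drop the bare `SYSTEM_TRUSTED_KEYS` line and the `CONFIG_SYSTEM_TRUSTED_KEYS m` line, and wrap the ARM64 crypto lines in `if [ "$SET_ARCH" = 64 ] ; then … fi`. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside the hunk.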
@@ -207,7 +227,7 @@ if [ "$BUILD_KERNEL" = true ] ; then set_kernel_config CONFIG_IP6_NF_NAT m set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m set_kernel_config CONFIG_IP6_NF_TARGET_NPT m - set_kernel_config CONFIG_IP_NF_SECURITY m + set_kernel_config CONFIG_IP_NF_SECURITY m set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m set_kernel_config CONFIG_IP_SET_BITMAP_PORT m set_kernel_config CONFIG_IP_SET_HASH_IP m @@ -296,10 +316,10 @@ if [ "$BUILD_KERNEL" = true ] ; then set_kernel_config CONFIG_BPF_STREAM_PARSER y set_kernel_config CONFIG_CGROUP_BPF y fi - + # KERNEL_DEFAULT_GOV was set by user - if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then - + if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then + case "$KERNEL_DEFAULT_GOV" in performance) set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y @@ -321,12 +341,10 @@ if [ "$BUILD_KERNEL" = true ] ; then exit 1 ;; esac - - # unset previous default governor + + # unset previous default governor unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE fi - - #Revert to previous directory cd "${WORKDIR}" || exit @@ -484,18 +502,18 @@ if [ "$BUILD_KERNEL" = true ] ; then else # BUILD_KERNEL=false if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then - + # Use Sakakis modified kernel if ZSWAP is active if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" fi - + # Create temporary directory for dl temp_dir=$(as_nobody mktemp -d) # Fetch kernel dl as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" - + #extract download tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" 
@@ -506,12 +524,12 @@ else # BUILD_KERNEL=false # Remove temporary directory for kernel sources rm -fr "${temp_dir}" - + # Set permissions of the kernel sources chown -R root:root "${R}/boot/firmware" chown -R root:root "${R}/lib/modules" fi - + # Install Kernel from hypriot comptabile with all Raspberry PI if [ "$SET_ARCH" = 32 ] ; then # Create temporary directory for dl @@ -525,7 +543,7 @@ else # BUILD_KERNEL=false # Set permissions chown -R root:root "${R}"/tmp/kernel.deb - + # Install kernel chroot_exec dpkg -i /tmp/kernel.deb @@ -534,7 +552,7 @@ else # BUILD_KERNEL=false mkdir "${temp_dir}"/firmware mv "${R}"/boot/* "${temp_dir}"/firmware/ mv "${temp_dir}"/firmware "${R}"/boot/ - + #same for kernel headers if [ "$KERNEL_HEADERS" = true ] ; then # Fetch kernel header @@ -545,7 +563,7 @@ else # BUILD_KERNEL=false chroot_exec dpkg -i /tmp/kernel-header.deb rm -f "${R}"/tmp/kernel-header.deb fi - + # Remove temporary directory and files rm -fr "${temp_dir}" rm -f "${R}"/tmp/kernel.deb diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index 2f68cdf..e94fd5d 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh @@ -8,6 +8,11 @@ # Install and setup fstab install_readonly files/mount/fstab "${ETC_DIR}/fstab" +if [ "$ENABLE_UBOOTUSB" = true ] ; then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" +fi + # Add usb/sda disk root partition to fstab if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" @@ -29,7 +34,7 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then fi # Generate initramfs file -if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then +if [ "$ENABLE_INITRAMFS" = true ] ; then if [ "$ENABLE_CRYPTFS" = true ] ; then # Include initramfs scripts to auto expand encrypted root partition if [ "$EXPANDROOT" = true ] ; then diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh index dded27d..e81dcd9 100644 
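Review bot: The new `ENABLE_UBOOTUSB` block rewrites `mmcblk0p1`/`mmcblk0p2` to `sda1`/`sda2` before the existing `ENABLE_SPLITFS` block searches for `mmcblk0p2`, so with both options enabled the SPLITFS substitution matches nothing and the root entry is left on `sda2` while SPLITFS expects `sda1`, with no error raised. The two modes describe different layouts (boot and root both on USB versus boot on SD with root on USB), so the cleanest fix is to reject the combination next to the other `ENABLE_UBOOTUSB` prerequisite checks in `rpi23-gen-image.sh`, e.g. `if [ "$ENABLE_SPLITFS" = true ] ; then echo "error: ENABLE_UBOOTUSB and ENABLE_SPLITFS are mutually exclusive" >&2 ; exit 1 ; fi`. The two `sed` invocations can also be a single pass, `sed -i -e "s/mmcblk0p1/sda1/" -e "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"`. A bare `sda` name depends on USB enumeration order at boot; if the fstab template allows it, a PARTUUID or LABEL reference would be more robust, though the same applies to the existing mmcblk entries.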
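Review bot: Dropping `[ "$BUILD_KERNEL" = true ]` from the initramfs condition makes the block run for the prebuilt-kernel path as well, but nothing in the hunk checks that a kernel and its modules tree are present in the chroot before the initramfs is generated; the rest of the block, where the kernel version is presumably derived, lies outside the hunk. If the generation keys off `${R}/lib/modules`, an empty or multi-version directory would fail late or pick the wrong kernel, so a guard at the top of the block such as `[ -d "${R}/lib/modules" ] || { echo "error: no kernel modules installed, cannot build initramfs" >&2 ; exit 1 ; }` would make the newly enabled path fail clearly. Confirm against the `BUILD_KERNEL=false` steps in 13-kernel.sh (the tarball extraction and `chroot_exec dpkg -i /tmp/kernel.deb`), which are what populate the chroot in that case.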
--- a/bootstrap.d/41-uboot.sh +++ b/bootstrap.d/41-uboot.sh @@ -77,6 +77,11 @@ if [ "$ENABLE_UBOOT" = true ] ; then #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)] sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage" fi + + # instead of sd, boot from usb device + if [ "$ENABLE_UBOOTUSB" = true ] ; then + sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage" + fi # Set mkfile to use the correct dtb file sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage" diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index 07dd320..c017612 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh @@ -157,6 +157,7 @@ ENABLE_MINBASE=${ENABLE_MINBASE:=false} ENABLE_REDUCE=${ENABLE_REDUCE:=false} ENABLE_UBOOT=${ENABLE_UBOOT:=false} UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} +ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false} ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} ENABLE_NEXMON=${ENABLE_NEXMON:=false} @@ -318,6 +319,17 @@ case "$RPI_MODEL" in ;; esac +if [ "$ENABLE_UBOOTUSB" = true ] ; then + if [ "$ENABLE_UBOOT" = false ] ; then + echo "error: Enabling UBOOTUSB requires u-boot to be enabled" + exit 1 + fi + if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then + echo "error: Enabling UBOOTUSB requires Raspberry 3" + exit 1 + fi +fi + # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Include bluetooth packages on supported boards 
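Review bot: `sed -i "s|mmc|usb|g"` replaces every occurrence of the substring `mmc` in `uboot.mkimage`, not only the U-Boot device token, so any `mmcblk` reference the boot script carries (a kernel `root=/dev/mmcblk0p2` argument, for instance — the fstab change in this same commit shows such names are used in the project's templates) would become `usbblk…`, which is not a device name the kernel recognises; whether the template contains one is not visible here. Bound the match to the whole word, `sed -i "s|\<mmc\>|usb|g" "${BOOT_DIR}/uboot.mkimage"` (GNU sed), or target the exact U-Boot command text the template uses. If the template does carry a `root=` argument, it needs its own substitution to `sda2` to stay consistent with the fstab rewrite.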
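Review bot: `ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}` uses the `=` default operator while every neighbouring line uses `:=`, so an exported but empty `ENABLE_UBOOTUSB=` keeps the empty string instead of falling back to `false`. The downstream `= true` comparisons still treat the empty value as disabled, so today this is an inconsistency rather than a fault, but the line should read `ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB:=false}` to match the file's convention.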
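Review bot: The model check `if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then` is always true — no value equals both 3 and 3P, so one inequality holds for every model and `ENABLE_UBOOTUSB=true` is rejected unconditionally, including on the Raspberry Pi 3 it is meant for. The operator must be `&&`: `if [ "$RPI_MODEL" != 3 ] && [ "$RPI_MODEL" != 3P ] ; then`. The two `echo "error: …"` lines write to stdout; the file's other error paths are not visible in this hunk, but `>&2` is the usual destination so the reason is not lost when stdout is captured or piped.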
@@ -398,14 +410,6 @@ if [ "$ENABLE_UBOOT" = true ] ; then APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc" fi -if [ "$ENABLE_BLUETOOTH" = true ] ; then - if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then - if [ "$ENABLE_CONSOLE" = false ] ; then - APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" - fi - fi -fi - # Check if root SSH (v2) public key file exists if [ -n "$SSH_ROOT_PUB_KEY" ] ; then if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then