diff --git a/README.md b/README.md index 533ec19..43105c0 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,9 @@ Set Debian packages server address. Choose a server from the list of Debian worl ##### `APT_PROXY`="" Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this. +##### `KEEP_APT_PROXY`=false +Keep the APT_PROXY settings used in the bootsrapping process in the generated image. + ##### `APT_INCLUDES`="" A comma-separated list of additional packages to be installed by debootstrap during bootstrapping. @@ -94,6 +97,9 @@ Set default system timezone. All available timezones can be found in the `/usr/s ##### `EXPANDROOT`=true Expand the root partition and filesystem automatically on first boot. +##### `ENABLE_DPHYSSWAP`=true +Enable swap. The size of the swapfile is chosen relative to the size of the root partition. It'll use the `dphys-swapfile` package for that. + ##### `ENABLE_QEMU`=false Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file. @@ -211,6 +217,9 @@ Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands --- #### Advanced system features: +##### `ENABLE_SYSTEMDSWAP`=false +Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled. + ##### `ENABLE_MINBASE`=false Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. 
@@ -235,6 +244,12 @@ Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU]( ##### `VIDEOCORESRC_DIR`="" Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot. +##### `ENABLE_NEXMON`=false +Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git). + +##### `NEXMONSRC_DIR`="" +Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot. + ##### `ENABLE_IPTABLES`=false Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. @@ -262,6 +277,15 @@ Create an initramfs that that will be loaded during the Linux startup process. ` ##### `ENABLE_IFNAMES`=true Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. +##### `ENABLE_SPLASH`=true +Enable default Raspberry Pi boot up rainbow splash screen. + +##### `ENABLE_LOGO`=true +Enable default Raspberry Pi console logo (image of four raspberries in the top left corner). + +##### `ENABLE_SILENT_BOOT`=false +Set the verbosity of console messages shown during boot up to a strict minimum. + ##### `DISABLE_UNDERVOLT_WARNINGS`= Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present. 
@@ -346,6 +370,24 @@ With this parameter set to true the script expects the existing kernel sources d ##### `RPI_FIRMWARE_DIR`="" The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project. +##### `KERNEL_DEFAULT_GOV`="ONDEMAND" +Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL + +##### `KERNEL_NF`=false +Enable Netfilter modules as kernel modules + +##### `KERNEL_VIRT`=false +Enable Kernel KVM support (/dev/kvm) + +##### `KERNEL_ZSWAP`=false +Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases + +##### `KERNEL_BPF`=true +Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls] + +##### `KERNEL_SECURITY`=false +Enables Apparmor, integrity subsystem, auditing. + --- #### Reduce disk usage: @@ -393,6 +435,12 @@ Set cipher specification string. `aes-xts*` ciphers are strongly recommended. ##### `CRYPTFS_XTSKEYSIZE`=512 Sets key size in bits. The argument has to be a multiple of 8. +##### `CRYPTFS_DROPBEAR`=false +Enable Dropbear Initramfs support + +##### `CRYPTFS_DROPBEAR_PUBKEY`="" +Provide path to dropbear Public RSA-OpenSSH Key + --- #### Build settings: diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index 544781c..33b3cc1 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh 
@@ -11,6 +11,13 @@ if [ -z "$APT_PROXY" ] ; then
 sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
 fi
 
+# Install APT sources.list
+install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
+
+# Use specified APT server and release
+sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
+
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update
 chroot_exec apt-get -qq -y -u dist-upgrade
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index a662049..536ced0 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -5,6 +5,14 @@
 # Load utility functions
 . ./functions.sh
 
+# Need to use kali kernel src if nexmon is enabled
+if [ "$ENABLE_NEXMON" = true ] ; then
+ KERNEL_URL="${KALI_KERNEL_URL}"
+ # Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
+ KERNEL_BRANCH=""
+ KERNELSRC_DIR=""
+fi
+
 # Fetch and build latest raspberry kernel
 if [ "$BUILD_KERNEL" = true ] ; then
 # Setup source directory
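Review bot: The two new `sed -i` calls on sources.list interpolate `${APT_SERVER}` and `${RELEASE}` straight into the expression, so a mirror value containing `/` (a host with a path, e.g. `deb.example/debian` — constructed sample) breaks the first substitution and a `&` is expanded inside the replacement; a delimiter that cannot occur in a hostname plus an escaped literal removes the common case: `sed -i "s|/ftp\.debian\.org/|/${APT_SERVER}/|" "${ETC_DIR}/apt/sources.list"`. The `stretch` line has the same shape but only a release codename goes through it, so it is less exposed. Both seds are silent no-ops if the template does not carry those exact strings, so a comment such as `# files/apt/sources.list is a template with ftp.debian.org and stretch as placeholders` above the install would tell the next editor what the substitutions depend on.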
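Review bot: The `ENABLE_NEXMON` branch silently discards any `KERNEL_BRANCH` and `KERNELSRC_DIR` the user configured, which is exactly the case the comment above it says people will get wrong, so the override should be visible in the build output: `if [ -n "$KERNELSRC_DIR" ] || [ -n "$KERNEL_BRANCH" ] ; then echo "warning: ENABLE_NEXMON overrides KERNELSRC_DIR and KERNEL_BRANCH with the kali kernel source" >&2 ; fi`. The comment itself has a typo (`nomrla` → `normal`) and would read more plainly as `# nexmon requires the kali kernel source: override KERNEL_URL and clear any local branch/source-dir settings`. `KALI_KERNEL_URL` is not defined in this hunk, so it presumably comes from configuration sourced elsewhere — worth confirming it is always set before this file runs.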
@@ -87,6 +95,296 @@ if [ "$BUILD_KERNEL" = true ] ; then # Load default raspberry kernel configuration make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" + #Switch to KERNELSRC_DIR so we can use set_kernel_config + cd "${KERNEL_DIR}" || exit + + if [ "$KERNEL_ARCH" = arm64 ] ; then + #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config + # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225 + set_kernel_config CONFIG_MMC_BCM2835 n + set_kernel_config CONFIG_MMC_SDHCI_IPROC n + set_kernel_config CONFIG_USB_DWC2 n + sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig + + #VLAN got disabled without reason in arm64bit + set_kernel_config CONFIG_IPVLAN m + fi + + # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap + if [ "$KERNEL_ZSWAP" = true ] ; then + set_kernel_config CONFIG_ZPOOL y + set_kernel_config CONFIG_ZSWAP y + set_kernel_config CONFIG_ZBUD y + set_kernel_config CONFIG_Z3FOLD y + set_kernel_config CONFIG_ZSMALLOC y + set_kernel_config CONFIG_PGTABLE_MAPPING y + set_kernel_config CONFIG_LZO_COMPRESS y + + fi + + # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 + if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then + set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y + set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y + set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y + set_kernel_config CONFIG_HAVE_KVM_EVENTFD y + set_kernel_config CONFIG_HAVE_KVM_IRQFD y + set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y + set_kernel_config CONFIG_HAVE_KVM_MSI y + set_kernel_config CONFIG_KVM y + set_kernel_config CONFIG_KVM_ARM_HOST y + set_kernel_config CONFIG_KVM_ARM_PMU y + 
set_kernel_config CONFIG_KVM_COMPAT y + set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y + set_kernel_config CONFIG_KVM_MMIO y + set_kernel_config CONFIG_KVM_VFIO y + set_kernel_config CONFIG_VHOST m + set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y + set_kernel_config CONFIG_VHOST_NET m + set_kernel_config CONFIG_VIRTUALIZATION y + + set_kernel_config CONFIG_MMU_NOTIFIER y + + # erratum + set_kernel_config ARM64_ERRATUM_834220 y + + # https://sourceforge.net/p/kvm/mailman/message/18440797/ + set_kernel_config CONFIG_PREEMPT_NOTIFIERS y + fi + + # enable apparmor,integrity audit, + if [ "$KERNEL_SECURITY" = true ] ; then + + # security filesystem, security models and audit + set_kernel_config CONFIG_SECURITYFS y + set_kernel_config CONFIG_SECURITY y + set_kernel_config CONFIG_AUDIT y + + # harden strcpy and memcpy + set_kernel_config CONFIG_HARDENED_USERCOPY y + set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y + set_kernel_config CONFIG_FORTIFY_SOURCE y + + # integrity sub-system + set_kernel_config CONFIG_INTEGRITY y + set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y + set_kernel_config CONFIG_INTEGRITY_AUDIT y + set_kernel_config CONFIG_INTEGRITY_SIGNATURE y + set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y + + # This option provides support for retaining authentication tokens and access keys in the kernel. 
+ set_kernel_config CONFIG_KEYS y + set_kernel_config CONFIG_KEYS_COMPAT y + + # Apparmor + set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 + set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y + set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y + set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" + + # restrictions on unprivileged users reading the kernel + set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y + + # network security hooks + set_kernel_config CONFIG_SECURITY_NETWORK y + set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y + set_kernel_config CONFIG_SECURITY_PATH y + set_kernel_config CONFIG_SECURITY_YAMA n + + # New Options + if [ "$KERNEL_NF" = true ] ; then + set_kernel_config CONFIG_IP_NF_SECURITY m + set_kernel_config CONFIG_NETLABEL y + set_kernel_config CONFIG_IP6_NF_SECURITY m + fi + set_kernel_config CONFIG_SECURITY_SELINUX n + set_kernel_config CONFIG_SECURITY_SMACK n + set_kernel_config CONFIG_SECURITY_TOMOYO n + set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n + set_kernel_config CONFIG_SECURITY_LOADPIN n + set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n + set_kernel_config CONFIG_IMA n + set_kernel_config CONFIG_EVM n + set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y + set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y + set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y + set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y + set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y + set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n + set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m + set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096 + + set_kernel_config CONFIG_ARM64_CRYPTO y + set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m + set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m + 
set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m + set_kernel_config CRYPTO_GHASH_ARM64_CE m + set_kernel_config CRYPTO_SHA2_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_AES_ARM64 m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y + set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y + set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m + set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m + set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m + set_kernel_config SYSTEM_TRUSTED_KEYS + fi + + # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 + if [ "$KERNEL_NF" = true ] ; then + set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m + set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m + set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m + set_kernel_config CONFIG_NFT_FIB_INET m + set_kernel_config CONFIG_NFT_FIB_IPV4 m + set_kernel_config CONFIG_NFT_FIB_IPV6 m + set_kernel_config CONFIG_NFT_FIB_NETDEV m + set_kernel_config CONFIG_NFT_OBJREF m + set_kernel_config CONFIG_NFT_RT m + set_kernel_config CONFIG_NFT_SET_BITMAP m + set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y + set_kernel_config CONFIG_NF_LOG_ARP m + set_kernel_config CONFIG_NF_SOCKET_IPV4 m + set_kernel_config CONFIG_NF_SOCKET_IPV6 m + set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m + set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m + set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m + set_kernel_config CONFIG_IP6_NF_IPTABLES m + set_kernel_config CONFIG_IP6_NF_MATCH_AH m + set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m + set_kernel_config CONFIG_IP6_NF_NAT m + set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m + set_kernel_config CONFIG_IP6_NF_TARGET_NPT m + set_kernel_config CONFIG_IP_NF_SECURITY m + 
set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m + set_kernel_config CONFIG_IP_SET_BITMAP_PORT m + set_kernel_config CONFIG_IP_SET_HASH_IP m + set_kernel_config CONFIG_IP_SET_HASH_IPMARK m + set_kernel_config CONFIG_IP_SET_HASH_IPPORT m + set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m + set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m + set_kernel_config CONFIG_IP_SET_HASH_MAC m + set_kernel_config CONFIG_IP_SET_HASH_NET m + set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m + set_kernel_config CONFIG_IP_SET_HASH_NETNET m + set_kernel_config CONFIG_IP_SET_HASH_NETPORT m + set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m + set_kernel_config CONFIG_IP_SET_LIST_SET m + set_kernel_config CONFIG_NETFILTER_XTABLES m + set_kernel_config CONFIG_NETFILTER_XTABLES m + set_kernel_config CONFIG_NFT_BRIDGE_META m + set_kernel_config CONFIG_NFT_BRIDGE_REJECT m + set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m + set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m + set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m + set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m + set_kernel_config CONFIG_NFT_COMPAT m + set_kernel_config CONFIG_NFT_COUNTER m + set_kernel_config CONFIG_NFT_CT m + set_kernel_config CONFIG_NFT_DUP_IPV4 m + set_kernel_config CONFIG_NFT_DUP_IPV6 m + set_kernel_config CONFIG_NFT_DUP_NETDEV m + set_kernel_config CONFIG_NFT_EXTHDR m + set_kernel_config CONFIG_NFT_FWD_NETDEV m + set_kernel_config CONFIG_NFT_HASH m + set_kernel_config CONFIG_NFT_LIMIT m + set_kernel_config CONFIG_NFT_LOG m + set_kernel_config CONFIG_NFT_MASQ m + set_kernel_config CONFIG_NFT_MASQ_IPV4 m + set_kernel_config CONFIG_NFT_MASQ_IPV6 m + set_kernel_config CONFIG_NFT_META m + set_kernel_config CONFIG_NFT_NAT m + set_kernel_config CONFIG_NFT_NUMGEN m + set_kernel_config CONFIG_NFT_QUEUE m + set_kernel_config CONFIG_NFT_QUOTA m + set_kernel_config CONFIG_NFT_REDIR m + set_kernel_config CONFIG_NFT_REDIR_IPV4 m + set_kernel_config CONFIG_NFT_REDIR_IPV6 m + set_kernel_config CONFIG_NFT_REJECT m + set_kernel_config 
CONFIG_NFT_REJECT_INET m + set_kernel_config CONFIG_NFT_REJECT_IPV4 m + set_kernel_config CONFIG_NFT_REJECT_IPV6 m + set_kernel_config CONFIG_NFT_SET_HASH m + set_kernel_config CONFIG_NFT_SET_RBTREE m + set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m + set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m + set_kernel_config CONFIG_NF_DEFRAG_IPV4 m + set_kernel_config CONFIG_NF_DEFRAG_IPV6 m + set_kernel_config CONFIG_NF_DUP_IPV4 m + set_kernel_config CONFIG_NF_DUP_IPV6 m + set_kernel_config CONFIG_NF_DUP_NETDEV m + set_kernel_config CONFIG_NF_LOG_BRIDGE m + set_kernel_config CONFIG_NF_LOG_IPV4 m + set_kernel_config CONFIG_NF_LOG_IPV6 m + set_kernel_config CONFIG_NF_NAT_IPV4 m + set_kernel_config CONFIG_NF_NAT_IPV6 m + set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m + set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m + set_kernel_config CONFIG_NF_NAT_PPTP m + set_kernel_config CONFIG_NF_NAT_PROTO_GRE m + set_kernel_config CONFIG_NF_NAT_REDIRECT m + set_kernel_config CONFIG_NF_NAT_SIP m + set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m + set_kernel_config CONFIG_NF_NAT_TFTP m + set_kernel_config CONFIG_NF_REJECT_IPV4 m + set_kernel_config CONFIG_NF_REJECT_IPV6 m + set_kernel_config CONFIG_NF_TABLES m + set_kernel_config CONFIG_NF_TABLES_ARP m + set_kernel_config CONFIG_NF_TABLES_BRIDGE m + set_kernel_config CONFIG_NF_TABLES_INET m + set_kernel_config CONFIG_NF_TABLES_IPV4 m + set_kernel_config CONFIG_NF_TABLES_IPV6 m + set_kernel_config CONFIG_NF_TABLES_NETDEV m + fi + + # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA + if [ "$KERNEL_BPF" = true ] ; then + set_kernel_config CONFIG_BPF_SYSCALL y + set_kernel_config CONFIG_BPF_EVENTS y + set_kernel_config CONFIG_BPF_STREAM_PARSER y + set_kernel_config CONFIG_CGROUP_BPF y + fi + + # KERNEL_DEFAULT_GOV was set by user + if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then 
+ + case "$KERNEL_DEFAULT_GOV" in + performance) + set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y + ;; + userspace) + set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y + ;; + ondemand) + set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y + ;; + conservative) + set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y + ;; + shedutil) + set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y + ;; + *) + echo "error: unsupported default cpu governor" + exit 1 + ;; + esac + + # unset previous default governor + unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE + fi + + #Revert to previous directory + cd "${WORKDIR}" || exit + # Set kernel configuration parameters to enable qemu emulation if [ "$ENABLE_QEMU" = true ] ; then echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config @@ -126,6 +424,7 @@ if [ "$BUILD_KERNEL" = true ] ; then if [ "$KERNEL_MENUCONFIG" = true ] ; then make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig fi + # end if "$KERNELSRC_CONFIG" = true fi # Use ccache to cross compile the kernel @@ -142,6 +441,7 @@ if [ "$BUILD_KERNEL" = true ] ; then if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules fi + # end if "$KERNELSRC_PREBUILT" = false fi # Check if kernel compilation was successful @@ -201,7 +501,7 @@ if [ "$BUILD_KERNEL" = true ] ; then # Copy compiled dtb device tree files if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then - for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb ; do + for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do if [ -f "${dtb}" ] ; then install_readonly "${dtb}" "${BOOT_DIR}/overlays/" fi 
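Review bot: The `KERNEL_DEFAULT_GOV` `case` at the end of the hunk matches lowercase labels (`performance`, `ondemand`, …) while the README in this same commit documents uppercase values and a default of `"ONDEMAND"`; unless the value is lowercased elsewhere (not visible here), the documented default falls into the `*)` arm and aborts the build, and the `shedutil)` label can never match `SCHEDUTIL` either. Normalising the selector and fixing the label covers both: `case "$(printf '%s' "$KERNEL_DEFAULT_GOV" | tr '[:upper:]' '[:lower:]')" in` and `schedutil)`; the error arm should also call `cleanup` before `exit 1`, as the other failure paths in this file do. In the `KERNEL_SECURITY` block, `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0` builds AppArmor but leaves it disabled at boot unless `apparmor=1` is passed on the kernel command line, which is unlikely to be what an option documented as "Enables Apparmor" intends — `1` (or appending the parameter to `CMDLINE` in 15-rpi-config.sh) makes it effective, and `CONFIG_SECURITY_YAMA n` drops the ptrace-scope restriction, a hardening regression that deserves a comment if deliberate. Several option names lack the `CONFIG_` prefix (`ARM64_ERRATUM_834220`, `CRYPTO_GHASH_ARM64_CE`, `CRYPTO_SHA2_ARM64_CE`, and the trailing `SYSTEM_TRUSTED_KEYS` with no value at all), `CONFIG_SYSTEM_TRUSTED_KEYS` is set to `y` and later to `m` although it is a string option, and `CONFIG_NETFILTER_XTABLES m` appears twice; what `set_kernel_config` does with such input is defined in functions.sh, outside this hunk. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside the hunk.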
@@ -237,19 +537,79 @@ if [ "$BUILD_KERNEL" = true ] ; then fi else # BUILD_KERNEL=false - # Kernel installation - chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel + if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then + + # Use Sakakis modified kernel if ZSWAP is active + if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then + RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" + fi + + # Create temporary directory for dl + temp_dir=$(as_nobody mktemp -d) + + # Fetch kernel dl + as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" + + #extract download + tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" + + #move extracted kernel to /boot/firmware + mkdir "${R}/boot/firmware" + cp "${temp_dir}"/boot/* "${R}"/boot/firmware/ + cp -r "${temp_dir}"/lib/* "${R}"/lib/ + + # Remove temporary directory for kernel sources + rm -fr "${temp_dir}" + + # Set permissions of the kernel sources + chown -R root:root "${R}/boot/firmware" + chown -R root:root "${R}/lib/modules" + fi + + # Install Kernel from hypriot comptabile with all Raspberry PI + if [ "$SET_ARCH" = 32 ] ; then + # Create temporary directory for dl + temp_dir=$(as_nobody mktemp -d) + + # Fetch kernel + as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL" - # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot - chroot_exec apt-get -qq -y install flash-kernel + # Copy downloaded U-Boot sources + mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb + + # Set permissions + chown -R root:root "${R}"/tmp/kernel.deb + + # Install kernel + chroot_exec dpkg -i /tmp/kernel.deb + + # move /boot to /boot/firmware to fit script env. 
+ #mkdir "${BOOT_DIR}" + mkdir "${temp_dir}"/firmware + mv "${R}"/boot/* "${temp_dir}"/firmware/ + mv "${temp_dir}"/firmware "${R}"/boot/ + + #same for kernel headers + if [ "$KERNEL_HEADERS" = true ] ; then + # Fetch kernel header + as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL" + mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb + chown -R root:root "${R}"/tmp/kernel-header.deb + # Install kernel header + chroot_exec dpkg -i /tmp/kernel-header.deb + rm -f "${R}"/tmp/kernel-header.deb + fi + + # Remove temporary directory and files + rm -fr "${temp_dir}" + rm -f "${R}"/tmp/kernel.deb + fi # Check if kernel installation was successful - VMLINUZ="$(ls -1 "${R}"/boot/vmlinuz-* | sort | tail -n 1)" - if [ -z "$VMLINUZ" ] ; then - echo "error: kernel installation failed! (/boot/vmlinuz-* not found)" + KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)" + if [ -z "$KERNEL" ] ; then + echo "error: kernel installation failed! (/boot/kernel* not found)" cleanup exit 1 fi - # Copy vmlinuz kernel to the boot directory - install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}" fi diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index 2f68cdf..c9e018b 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh 
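Review bot: Both new install paths replace the previous apt install (which verified package signatures) with an unauthenticated download — `kernel.tar.xz` is extracted by root with `tar -xJf` and copied over `${R}/lib/`, and `kernel.deb` is handed to `dpkg -i` inside the chroot, which runs its maintainer scripts as root — without any checksum or signature check on the fetched file. At minimum verify a digest taken from configuration before extracting, e.g. `printf '%s  %s\n' "<expected-sha256 from config>" "${temp_dir}/kernel.tar.xz" | sha256sum -c - || { cleanup; exit 1; }`, and the same for the two `.deb` files; whether `$RPI3_64_KERNEL_URL` and `$RPI_32_KERNEL_URL` are HTTPS is not visible here. `mkdir "${R}/boot/firmware"` has no `-p` and fails if the directory already exists, so `mkdir -p "${R}/boot/firmware"` is safer, and the failure message `(/boot/kernel* not found)` no longer matches the path actually tested, `/boot/firmware/kernel*`. The `else # BUILD_KERNEL=false` branch this code lives in begins outside the hunk.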
@@ -23,13 +23,21 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" if [ "$ENABLE_SPLITFS" = true ] ; then - # Add usb/sda disk to crypttab + # Add usb/sda1 disk to crypttab sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" fi fi +if [ "$ENABLE_USBBOOT" = true ] ; then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" + + # Add usb/sda2 disk to crypttab + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" +fi + # Generate initramfs file -if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then +if [ "$ENABLE_INITRAMFS" = true ] ; then if [ "$ENABLE_CRYPTFS" = true ] ; then # Include initramfs scripts to auto expand encrypted root partition if [ "$EXPANDROOT" = true ] ; then 
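Review bot: The new `ENABLE_USBBOOT` block edits `${ETC_DIR}/crypttab` unconditionally, while every other crypttab edit in this file sits under `ENABLE_CRYPTFS`; if crypttab is only created in that case (it is written outside this hunk, so I cannot confirm), `sed -i` fails on a missing file for USB-boot builds without encryption. Guard it the same way: `if [ "$ENABLE_CRYPTFS" = true ] ; then sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" ; fi`. When `ENABLE_SPLITFS` and `ENABLE_USBBOOT` are both true the earlier `s/mmcblk0p2/sda1/` has already consumed the token, so the USBBOOT substitution is a silent no-op and the root stays on `sda1`; a comment stating which option wins, or a check rejecting the combination, would make that explicit. Dropping `BUILD_KERNEL = true` from the initramfs condition means `${KERNEL_VERSION}` (used by `mkinitramfs` in the next hunk) must now also be set on the downloaded-kernel path — worth confirming.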
@@ -37,9 +45,58 @@ if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi + + if [ "$ENABLE_DHCP" = false ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + + # Regenerate initramfs + chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + fi + + if [ "$CRYPTFS_DROPBEAR" = true ]; then + if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then + install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys + else + # Create key + chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear + + # Convert dropbear key to openssh key + chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa + + # Get Public Key Part + chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub + + # Delete unwanted lines + sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + + # Trust the new key + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys + + # Save Keys - convert with putty from rsa/openssh to puttkey + cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa 
"${BASEDIR}"/dropbear_initramfs_key.rsa + + # Get unlock script + install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh + + # Enable Dropbear inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" - # Disable SSHD inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + # Enable Dropbear inside initramfs + sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear + fi + else + # Disable SSHD inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + fi # Add cryptsetup modules to initramfs printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index eda69bd..0aacfed 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh 
@@ -5,46 +5,48 @@ # Load utility functions . ./functions.sh -if [ "$BUILD_KERNEL" = true ] ; then - if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then - # Install boot binaries from local directory - cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin - cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat - cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat - cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat - cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf - cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf - cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf - else - # Create temporary directory for boot binaries - temp_dir=$(as_nobody mktemp -d) - - # Install latest boot binaries from raspberry/firmware github - as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" - as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat" - as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat" - as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat" - as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf" - as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf" - as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" - - # Move downloaded boot binaries - mv "${temp_dir}/"* "${BOOT_DIR}/" - - # Remove temporary directory for boot binaries - rm -fr "${temp_dir}" - - # Set permissions of the boot binaries - chown -R root:root "${BOOT_DIR}" - chmod -R 600 "${BOOT_DIR}" - fi +if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then + # Install boot binaries from local directory + cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin + cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat + cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat + cp 
"${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat + cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf + cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf + cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf +else + # Create temporary directory for boot binaries + temp_dir=$(as_nobody mktemp -d) + + # Install latest boot binaries from raspberry/firmware github + as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" + as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat" + as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat" + as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat" + as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf" + as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf" + as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" + + # Move downloaded boot binaries + mv "${temp_dir}/"* "${BOOT_DIR}/" + + # Remove temporary directory for boot binaries + rm -fr "${temp_dir}" + + # Set permissions of the boot binaries + chown -R root:root "${BOOT_DIR}" + chmod -R 600 "${BOOT_DIR}" fi # Setup firmware boot cmdline -if [ "$ENABLE_SPLITFS" = true ] ; then - CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd" +if [ "$ENABLE_USBBOOT" = true ] ; then + CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd" else - CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd" + if [ "$ENABLE_SPLITFS" = true ] ; then + CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 
rootwait init=/bin/systemd" + else + CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd" + fi fi # Add encrypted root partition to cmdline.txt 
@@ -52,27 +54,66 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then if [ "$ENABLE_SPLITFS" = true ] ; then CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/") else - CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/") + if [ "$ENABLE_USBBOOT" = true ] ; then + CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/") + else + CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/") + fi fi fi -#locks cpu at max frequency -if [ "$ENABLE_TURBO" = true ] ; then - echo "force_turbo=1" >> "${BOOT_DIR}/config.txt" -fi - +# Enable Kernel messages on standard output if [ "$ENABLE_PRINTK" = true ] ; then install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf" fi -# Install udev rule for serial alias +# Enable Kernel messages on standard output +if [ "$KERNEL_SECURITY" = true ] ; then + install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf" +fi + +# Install udev rule for serial alias - serial0 = console serial1=bluetooth install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules" +# Remove IPv6 networking support +if [ "$ENABLE_IPV6" = false ] ; then + CMDLINE="${CMDLINE} ipv6.disable=1" +fi + +# Automatically assign predictable network interface names +if [ "$ENABLE_IFNAMES" = false ] ; then + CMDLINE="${CMDLINE} net.ifnames=0" +else + CMDLINE="${CMDLINE} net.ifnames=1" +fi + +# Disable Raspberry Pi console logo +if [ "$ENABLE_LOGO" = false ] ; then + CMDLINE="${CMDLINE} logo.nologo" +fi + +# Strictly limit verbosity of boot up console messages +if [ "$ENABLE_SILENT_BOOT" = true ] ; then + CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0" +fi + +# Install firmware config +install_readonly 
files/boot/config.txt "${BOOT_DIR}/config.txt" + +# Disable Raspberry Pi console logo +if [ "$ENABLE_SLASH" = false ] ; then + echo "disable_splash=1" >> "${BOOT_DIR}/config.txt" +fi + +# Locks CPU frequency at maximum +if [ "$ENABLE_TURBO" = true ] ; then + echo "force_turbo=1" >> "${BOOT_DIR}/config.txt" + # helps to avoid sdcard corruption when force_turbo is enabled. + echo "boot_delay=1" >> "${BOOT_DIR}/config.txt" +fi + if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then - - # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface - SET_SERIAL="ttyS0" - + # Bluetooth enabled if [ "$ENABLE_BLUETOOTH" = true ] ; then # Create temporary directory for Bluetooth sources @@ -95,6 +136,10 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" + # make scripts executable + chmod +x "${R}/usr/bin/bthelper" + chmod +x "${R}/usr/bin/btuart" + # Install bluetooth udev rule install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" 
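Review bot: The splash guard tests `$ENABLE_SLASH`, a variable that is never defined — the setting introduced in rpi23-gen-image.sh and the README is `ENABLE_SPLASH` — so under `#!/bin/sh` the empty value never equals `false` and `disable_splash=1` is never written; change the line to `if [ "$ENABLE_SPLASH" = false ] ; then`. Two comments in the same hunk are copy-paste leftovers that now mislead: the `KERNEL_SECURITY` block is headed `# Enable Kernel messages on standard output` although it installs `84-rpi-ASLR.conf` (which sets `kernel.randomize_va_space = 2`), and the splash block is headed `# Disable Raspberry Pi console logo`. I would write them as `# Enforce full address-space layout randomization (ASLR)` and `# Disable Raspberry Pi boot splash screen`.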
@@ -104,38 +149,29 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx" install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service" install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service" - - # Remove temporary directory + + # Remove temporary directories rm -fr "${temp_dir}" - + rm -fr "${R}"/tmp/pi-bluetooth + # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then - SET_SERIAL="ttyAMA0" - # set overlay to swap ttyAMA0 and ttyS0 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" - # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken if [ "$ENABLE_TURBO" = false ] ; then - echo "core_freq=250" >> "${BOOT_DIR}/config.txt" - fi + echo "core_freq=250" >> "${BOOT_DIR}/config.txt" + fi - # Activate services - chroot_exec systemctl enable pi-bluetooth.hciuart.service - #chroot_exec systemctl enable pi-bluetooth.bthelper@.service - else - chroot_exec systemctl enable pi-bluetooth.hciuart.service - #chroot_exec systemctl enable pi-bluetooth.bthelper@.service fi - + + # Activate services + chroot_exec systemctl enable pi-bluetooth.hciuart.service + else # if ENABLE_BLUETOOTH = false # set overlay to disable bluetooth echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" fi # ENABLE_BLUETOOTH end - -else - # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface - SET_SERIAL="ttyAMA0" fi # may need sudo systemctl disable hciuart 
@@ -143,33 +179,68 @@ if [ "$ENABLE_CONSOLE" = true ] ; then echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" # add string to cmdline CMDLINE="${CMDLINE} console=serial0,115200" - + + if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then + # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken + if [ "$ENABLE_TURBO" = false ] ; then + echo "core_freq=250" >> "${BOOT_DIR}/config.txt" + fi + fi + # Enable serial console systemd style - chroot_exec systemctl enable serial-getty\@"$SET_SERIAL".service + chroot_exec systemctl enable serial-getty@serial0.service else echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" - # disable serial console systemd style - chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service fi -# Remove IPv6 networking support -if [ "$ENABLE_IPV6" = false ] ; then - CMDLINE="${CMDLINE} ipv6.disable=1" +# Disable dphys-swapfile service. Will get enabled on first boot +if [ "$ENABLE_DPHYSSWAP" = true ] ; then + chroot_exec systemctl disable dphys-swapfile fi -# Automatically assign predictable network interface names -if [ "$ENABLE_IFNAMES" = false ] ; then - CMDLINE="${CMDLINE} net.ifnames=0" +if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then + # Create temporary directory for systemd-swap sources + temp_dir=$(as_nobody mktemp -d) + + # Fetch systemd-swap sources + as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}" + + # Copy downloaded systemd-swap sources + mv "${temp_dir}/systemd-swap" "${R}/tmp/" + + # Change into downloaded src dir + cd "${R}/tmp/systemd-swap" || exit + + # Build package + bash ./package.sh debian + + # Change back into script root dir + cd "${WORKDIR}" || exit + + # Set permissions of the systemd-swap sources + chown -R root:root "${R}/tmp/systemd-swap" + + # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR. 
+ chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb + + # Enable service + chroot_exec systemctl enable systemd-swap + + # Remove temporary directory for systemd-swap sources + rm -fr "${temp_dir}" else - CMDLINE="${CMDLINE} net.ifnames=1" + # Enable ZSWAP in cmdline if systemd-swap is not used + if [ "$KERNEL_ZSWAP" = true ] ; then + CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" + fi fi + if [ "$KERNEL_SECURITY" = true ] ; then + CMDLINE="${CMDLINE} apparmor=1 security=apparmor" + fi # Install firmware boot cmdline echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" -# Install firmware config -install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt" - # Setup minimal GPU memory allocation size: 16MB (no X) if [ "$ENABLE_MINGPU" = true ] ; then echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt" diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index 3aca05f..f80f006 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh @@ -30,6 +30,10 @@ install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces" # Install configuration for interface eth0 install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network" +if [ "$RPI_MODEL" = 3P ] ; then +printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network" +fi + # Install configuration for interface wl* install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network" diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh index e6033c4..ee9831d 100644 --- a/bootstrap.d/21-firewall.sh +++ b/bootstrap.d/21-firewall.sh 
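Review bot: The systemd-swap block clones `${SYSTEMDSWAP_URL}` at whatever revision the remote currently serves and then runs `bash ./package.sh debian` from that checkout as root on the build host, so the build executes an unpinned upstream script with full privileges; pin a tag or commit (`git -C "${temp_dir}" clone --branch <tag> "${SYSTEMDSWAP_URL}"`, `<tag>` being the reviewed release) and record that choice in the comment, and the same applies to the nexmon clone in 44-nexmon_monitor_patch.sh. The `dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb` line hard-codes the version the author's own comment flags; resolving the name on the host side, `deb=$(cd "${R}/tmp/systemd-swap" && echo systemd-swap_*_any.deb)` followed by `chroot_exec dpkg -i "/tmp/systemd-swap/${deb}"`, keeps it working when upstream bumps the version. The closing `if [ "$KERNEL_SECURITY" = true ]` block is indented one level although it is top-level code.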
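Review bot: The `printf` that appends the `[Link]` offload section for `RPI_MODEL` 3P is written at column 0 inside its `if` and its format string has no trailing `\n`, so anything appended to eth.network afterwards lands on the same line as `GenericSegmentationOffload=off`; indent the body and end the format with `\n`. The hunk does not say why only this model needs GRO/TSO/GSO disabled on the wired interface — a one-line comment above the `if` recording the reason would help the next maintainer.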
@@ -9,9 +9,10 @@ if [ "$ENABLE_IPTABLES" = true ] ; then # Create iptables configuration directory mkdir -p "${ETC_DIR}/iptables" - # make sure iptables-legacy is the used alternatives - #iptables-save and -restore are slaves of iptables and thus are set accordingly - chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy + if [ "$KERNEL_NF" = false ] ; then + # iptables-save and -restore are slaves of iptables and thus are set accordingly + chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy + fi # Install iptables systemd service install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" @@ -27,6 +28,11 @@ if [ "$ENABLE_IPTABLES" = true ] ; then chroot_exec systemctl enable iptables.service if [ "$ENABLE_IPV6" = true ] ; then + if [ "$KERNEL_NF" = false ] ; then + # iptables-save and -restore are slaves of iptables and thus are set accordingly + chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy + fi + # Install ip6tables systemd service install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" diff --git a/bootstrap.d/30-security.sh b/bootstrap.d/30-security.sh index 8ad8275..75e3625 100644 --- a/bootstrap.d/30-security.sh +++ b/bootstrap.d/30-security.sh @@ -22,8 +22,3 @@ else # Set no root password to disable root login chroot_exec usermod -p \'!\' root fi - -# Enable serial console systemd style -if [ "$ENABLE_CONSOLE" = true ] ; then - chroot_exec systemctl enable serial-getty\@ttyAMA0.service -fi diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh index dded27d..56fca4e 100644 --- a/bootstrap.d/41-uboot.sh +++ b/bootstrap.d/41-uboot.sh 
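Review bot: The new `KERNEL_NF` guard around `update-alternatives --set iptables /usr/sbin/iptables-legacy` keeps only the slaves remark and drops the removed line that explained why the legacy backend is selected, so the relationship between `KERNEL_NF` and the alternative is left implicit (presumably `KERNEL_NF=true` means the kernel is built with nf_tables so the default nft backend works and the switch is skipped — confirm). A one-line comment above the guard, `# Kernel built without nf_tables support: force the legacy (xtables) iptables backend`, would record it; the same applies to the ip6tables guard in the second hunk of this file.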
@@ -77,6 +77,11 @@ if [ "$ENABLE_UBOOT" = true ] ; then #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)] sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage" fi + + # instead of sd, boot from usb device + if [ "$ENABLE_USBBOOT" = true ] ; then + sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage" + fi # Set mkfile to use the correct dtb file sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage" diff --git a/bootstrap.d/43-videocore.sh b/bootstrap.d/43-videocore.sh index b8ff518..344965c 100644 --- a/bootstrap.d/43-videocore.sh +++ b/bootstrap.d/43-videocore.sh @@ -50,4 +50,7 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then #back to root of scriptdir cd "${WORKDIR}" + + # Remove videocore sources + rm -fr "${R}"/tmp/userland/ fi diff --git a/bootstrap.d/44-nexmon_monitor_patch.sh b/bootstrap.d/44-nexmon_monitor_patch.sh new file mode 100644 index 0000000..5a260a2 --- /dev/null +++ b/bootstrap.d/44-nexmon_monitor_patch.sh 
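Review bot: `sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"` rewrites every occurrence of `mmc` anywhere in the template, not only the U-Boot device commands it means to switch, so any other token containing that substring (a comment, a device path like `mmcblk`) is changed as well. Anchor the substitution to the specific commands in the template or at least to whole words, e.g. `sed -i "s|\bmmc\b|usb|g"` (GNU sed), and say in the comment which commands it is expected to hit. The surrounding `if [ "$ENABLE_UBOOT" = true ]` block starts outside the hunk.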
@@ -0,0 +1,97 @@ +#!/bin/sh +# +# Build and Setup nexmon with monitor mode patch +# + +# Load utility functions +. ./functions.sh + +if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then + # Copy existing nexmon sources into chroot directory + if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then + # Copy local U-Boot sources + cp -r "${NEXMONSRC_DIR}" "${R}/tmp" + else + # Create temporary directory for nexmon sources + temp_dir=$(as_nobody mktemp -d) + + # Fetch nexmon sources + as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}" + + # Copy downloaded nexmon sources + mv "${temp_dir}/nexmon" "${R}"/tmp/ + + # Set permissions of the nexmon sources + chown -R root:root "${R}"/tmp/nexmon + + # Remove temporary directory for nexmon sources + rm -fr "${temp_dir}" + fi + + # Set script Root + export NEXMON_ROOT="${R}"/tmp/nexmon + + # Build nexmon firmware outside the build system, if we can. + cd "${NEXMON_ROOT}" || exit + + # Make ancient isl build + cd buildtools/isl-0.10 || exit + ./configure + make + cd ../.. 
|| exit + + # Disable statistics + touch DISABLE_STATISTICS + + # Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh + export KERNEL="${KERNEL_IMAGE}" + export ARCH=arm + export SUBARCH=arm + export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi- + export CC="${CC}"gcc + export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so + export ZLIBFLATE="zlib-flate -compress" + export Q=@ + export NEXMON_SETUP_ENV=1 + export HOSTUNAME=$(uname -s) + export PLATFORMUNAME=$(uname -m) + + # Make nexmon + make + + # build patches + if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] ; then + cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon || exit + sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile + make clean + + # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems. + LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi- + + # copy RPi0W & RPi3 firmware + mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin + cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin + cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin + fi + + if [ "$RPI_MODEL" = 3P ] ; then + cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit + sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile + make clean + + # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems. 
+ LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi- + + # RPi3B+ firmware + mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin + cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin + cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin + fi + +#Revert to previous directory +cd "${WORKDIR}" || exit + +# Remove nexmon sources +rm -fr "${NEXMON_ROOT}" + +fi diff --git a/bootstrap.d/50-firstboot.sh b/bootstrap.d/50-firstboot.sh index cc76f34..1b17876 100644 --- a/bootstrap.d/50-firstboot.sh +++ b/bootstrap.d/50-firstboot.sh 
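Review bot: The script clones `${NEXMON_URL}` without pinning a revision and then executes what it fetched as root on the build host — the isl `./configure`/`make`, the bundled prebuilt cross-toolchain under `buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/` and the `gcc-nexmon-plugin/nexmon.so` GCC plugin — and finally copies the resulting blobs over the image's `brcmfmac*-sdio.bin` WLAN firmware, so a moved or compromised upstream revision gets code execution on the host and into the image; pin a commit or tag at the clone (`git -C "${temp_dir}" clone --branch <tag> "${NEXMON_URL}"`, `<tag>` being the reviewed release) and document that decision in the header comment. The comment `# Copy local U-Boot sources` is a copy-paste leftover and should read `# Copy local nexmon sources`. The two `sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/.../Makefile` lines leave `${NEXMON_ROOT}` unquoted although every other use in the file quotes it. The closing `cd "${WORKDIR}" || exit` and `rm -fr "${NEXMON_ROOT}"` sit at column 0 although they are inside the outer `if`.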
@@ -8,30 +8,35 @@ # Prepare rc.firstboot script cat files/firstboot/10-begin.sh > "${ETC_DIR}/rc.firstboot" -# Ensure openssh server host keys are regenerated on first boot -if [ "$ENABLE_SSHD" = true ] ; then - cat files/firstboot/21-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot" -fi - # Prepare filesystem auto expand if [ "$EXPANDROOT" = true ] ; then if [ "$ENABLE_CRYPTFS" = false ] ; then - cat files/firstboot/22-expandroot.sh >> "${ETC_DIR}/rc.firstboot" + cat files/firstboot/20-expandroot.sh >> "${ETC_DIR}/rc.firstboot" else # Regenerate initramfs to remove encrypted root partition auto expand - cat files/firstboot/23-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot" + cat files/firstboot/21-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot" + fi + + # Restart dphys-swapfile so the size of the swap file is relative to the resized root partition + if [ "$ENABLE_DPHYSSWAP" = true ] ; then + cat files/firstboot/23-restart-dphys-swapfile.sh >> "${ETC_DIR}/rc.firstboot" fi fi +# Ensure openssh server host keys are regenerated on first boot +if [ "$ENABLE_SSHD" = true ] ; then + cat files/firstboot/30-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot" +fi + # Ensure that dbus machine-id exists -cat files/firstboot/24-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot" +cat files/firstboot/40-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot" # Create /etc/resolv.conf symlink -cat files/firstboot/25-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot" +cat files/firstboot/41-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot" # Configure automatic network interface names if [ "$ENABLE_IFNAMES" = true ] ; then - cat files/firstboot/26-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot" + cat files/firstboot/42-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot" fi # Finalize rc.firstboot script diff --git a/files/apt/flash-kernel b/files/apt/flash-kernel deleted file mode 100644 index 579e562..0000000 --- a/files/apt/flash-kernel +++ /dev/null 
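Review bot: `files/firstboot/23-restart-dphys-swapfile.sh` — the fragment that runs `systemctl enable dphys-swapfile` — is appended only inside the `EXPANDROOT` branch, yet the firmware bootstrap script earlier in this diff runs `chroot_exec systemctl disable dphys-swapfile` for every `ENABLE_DPHYSSWAP=true` image with the comment "Will get enabled on first boot"; with `EXPANDROOT=false` the fragment is never added and swap stays disabled on the device. Move the `if [ "$ENABLE_DPHYSSWAP" = true ]` block out of the `EXPANDROOT` condition (after its closing `fi`) so the service is re-enabled on first boot regardless, and keep the comment about resizing as the reason it runs after the root expansion.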
@@ -1,3 +0,0 @@ -Package: flash-kernel -Pin: origin repositories.collabora.co.uk -Pin-Priority: 1000 diff --git a/files/apt/sources.list b/files/apt/sources.list index ffc2c9b..07e52dc 100644 --- a/files/apt/sources.list +++ b/files/apt/sources.list @@ -1,8 +1,8 @@ -deb http://ftp.debian.org/debian jessie main contrib -#deb-src http://ftp.debian.org/debian jessie main contrib +deb http://ftp.debian.org/debian stretch main contrib +#deb-src http://ftp.debian.org/debian stretch main contrib -deb http://ftp.debian.org/debian/ jessie-updates main contrib -#deb-src http://ftp.debian.org/debian/ jessie-updates main contrib +deb http://ftp.debian.org/debian/ stretch-updates main contrib +#deb-src http://ftp.debian.org/debian/ stretch-updates main contrib -deb http://security.debian.org/ jessie/updates main contrib -#deb-src http://security.debian.org/ jessie/updates main contrib +deb http://security.debian.org/ stretch/updates main contrib +#deb-src http://security.debian.org/ stretch/updates main contrib diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/20-expandroot.sh similarity index 100% rename from files/firstboot/22-expandroot.sh rename to files/firstboot/20-expandroot.sh diff --git a/files/firstboot/23-regenerate-initramfs.sh b/files/firstboot/21-regenerate-initramfs.sh similarity index 98% rename from files/firstboot/23-regenerate-initramfs.sh rename to files/firstboot/21-regenerate-initramfs.sh index 78e2922..1c4f03c 100644 --- a/files/firstboot/23-regenerate-initramfs.sh +++ b/files/firstboot/21-regenerate-initramfs.sh @@ -8,6 +8,7 @@ INITRAMFS_UBOOT="${INITRAMFS}.uboot" # Extract kernel arch case "${KERNEL_ARCH}" in arm*) KERNEL_ARCH=arm ;; + aarch64) KERNEL_ARCH=arm64 ;; esac # Regenerate initramfs diff --git a/files/firstboot/23-restart-dphys-swapfile.sh b/files/firstboot/23-restart-dphys-swapfile.sh new file mode 100644 index 0000000..32c8638 --- /dev/null +++ b/files/firstboot/23-restart-dphys-swapfile.sh 
@@ -0,0 +1,5 @@
+# Restart dphys-swapfile service if it exists
+logger -t "rc.firstboot" "Restarting dphys-swapfile"
+
+systemctl enable dphys-swapfile
+systemctl restart dphys-swapfile
diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/30-generate-ssh-keys.sh
similarity index 100%
rename from files/firstboot/21-generate-ssh-keys.sh
rename to files/firstboot/30-generate-ssh-keys.sh
diff --git a/files/firstboot/24-generate-machineid.sh b/files/firstboot/40-generate-machineid.sh
similarity index 100%
rename from files/firstboot/24-generate-machineid.sh
rename to files/firstboot/40-generate-machineid.sh
diff --git a/files/firstboot/25-create-resolv-symlink.sh b/files/firstboot/41-create-resolv-symlink.sh
similarity index 100%
rename from files/firstboot/25-create-resolv-symlink.sh
rename to files/firstboot/41-create-resolv-symlink.sh
diff --git a/files/firstboot/26-config-ifnames.sh b/files/firstboot/42-config-ifnames.sh
similarity index 100%
rename from files/firstboot/26-config-ifnames.sh
rename to files/firstboot/42-config-ifnames.sh
diff --git a/files/initramfs/crypt_unlock.sh b/files/initramfs/crypt_unlock.sh
new file mode 100644
index 0000000..47b6a8b
--- /dev/null
+++ b/files/initramfs/crypt_unlock.sh
@@ -0,0 +1,45 @@ +#!/bin/sh + +PREREQ="dropbear" + +prereqs() { +echo "$PREREQ" +} + +case "$1" in +prereqs) +prereqs +exit 0 +;; +esac + +. "${CONFDIR}/initramfs.conf" +. /usr/share/initramfs-tools/hook-functions + +if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then +cat > "${DESTDIR}/bin/unlock" << EOF +#!/bin/sh +if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then +kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` +# following line kill the remote shell right after the passphrase has +# been entered. +kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` +exit 0 +fi +exit 1 +EOF + +chmod 755 "${DESTDIR}/bin/unlock" + +mkdir -p "${DESTDIR}/lib/unlock" +cat > "${DESTDIR}/lib/unlock/plymouth" << EOF +#!/bin/sh +[ "\$1" == "--ping" ] && exit 1 +/bin/plymouth "\$@" +EOF + +chmod 755 "${DESTDIR}/lib/unlock/plymouth" + +echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd + +fi \ No newline at end of file diff --git a/files/sysctl.d/84-rpi-ASLR.conf b/files/sysctl.d/84-rpi-ASLR.conf new file mode 100644 index 0000000..da4ad13 --- /dev/null +++ b/files/sysctl.d/84-rpi-ASLR.conf @@ -0,0 +1,2 @@ +# ASLR +kernel.randomize_va_space = 2 \ No newline at end of file diff --git a/functions.sh b/functions.sh index 74ca846..4733375 100644 --- a/functions.sh +++ b/functions.sh @@ -3,6 +3,17 @@ cleanup (){ set +x set +e + + # Remove exports from nexmon + unset KERNEL + unset ARCH + unset SUBARCH + unset CCPLUGIN + unset ZLIBFLATE + unset Q + unset NEXMON_SETUP_ENV + unset HOSTUNAME + unset PLATFORMUNAME # Identify and kill all processes still using files echo "killing processes using mount point ..." 
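Review bot: The generated `/bin/unlock` selects its victims with `ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'` and sends `kill -9` to all of them, which matches every process whose ps line contains `-sh` at that moment (any shell in the initramfs, not just the dropbear session it means to close) and gives none of them a chance to exit cleanly; restrict the match to the remote session and try TERM before KILL. The plymouth shim tests `[ "\$1" == "--ping" ]` under `#!/bin/sh`, where `==` is not POSIX and dash-like shells reject it with "unexpected operator" (busybox ash accepts it, so this depends on which shell the initramfs ships — confirm); `=` works everywhere. `echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd` leaves `${DESTDIR}` unquoted although the rest of the hook quotes it, and the file has no trailing newline.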
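Review bot: The new `unset` list in `cleanup` covers the nexmon exports except `CC`, which 44-nexmon_monitor_patch.sh also exports (`export CC="${CC}"gcc`), so a cross-compiler prefix can outlive cleanup while the other variables are cleared; add `unset CC` to the list. Because the list mirrors the export block of that script, a comment such as `# keep in sync with the exports in bootstrap.d/44-nexmon_monitor_patch.sh` would stop the two from drifting apart again. `cleanup` continues outside the hunk.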
@@ -63,15 +74,43 @@ chroot_install_cc() { # Install c/c++ build environment inside the chroot if [ -z "${COMPILER_PACKAGES}" ] ; then COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') - # Install COMPILER_PACKAGES in chroot - chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}" + # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot + chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES} fi } chroot_remove_cc() { # Remove c/c++ build environment from the chroot if [ -n "${COMPILER_PACKAGES}" ] ; then - chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}" + chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} COMPILER_PACKAGES="" fi } + +# https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0 +cdr2mask () +{ + # Number of args to shift, 255..255, first non-255 byte, zeroes + set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 + [ $1 -gt 1 ] && shift $1 || shift + echo ${1-0}.${2-0}.${3-0}.${4-0} +} + +# GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh +set_kernel_config() { + # flag as $1, value to set as $2, config must exist at "./.config" + TGT="CONFIG_${1#CONFIG_}" + REP="${2}" + if grep -q "^${TGT}[^_]" .config; then + sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config + else + echo "${TGT}"="${2}" >> .config + fi +} + +# unset kernel config parameter +unset_kernel_config() { + # unsets flag with the value of $1, config must exist at "./.config" + TGT="CONFIG_${1#CONFIG_}" + sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config +} \ No newline at end of file diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index 575252a..a530b04 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh 
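Review bot: In `set_kernel_config` the value `${REP}` is spliced unescaped into the `sed` replacement `s/^\(...\)/${TGT}=${REP}/`, so any value containing `/`, `&` or `\` (quoted string options such as a path or a command line) breaks the expression or is silently mangled; escape it first, e.g. `REP=$(printf '%s' "$2" | sed 's/[\/&]/\\&/g')`, and say in the function comment that `.config` must be in the current directory, as the inline remark does. The `${COMPILER_PACKAGES}` expansion in `chroot_install_cc` and `chroot_remove_cc` is unquoted on purpose; a `# shellcheck disable=SC2086` on the line above each call documents that for the linter instead of the NEVER-do remark.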
@@ -57,6 +57,20 @@ FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git} UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git} VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland} BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git} +NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git} +SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git} + +# Kernel deb packages for 32bit kernel +RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb} +RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb} +# Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used +RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz} +# Default precompiled 64bit kernel +RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz} +# Generic +RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL} +# Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul) +KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git} # Build directories WORKDIR=$(pwd) @@ -83,6 +97,7 @@ USER_PASSWORD=${USER_PASSWORD:=raspberry} DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} TIMEZONE=${TIMEZONE:="Europe/Berlin"} EXPANDROOT=${EXPANDROOT:=true} +ENABLE_DPHYSSWAP=${ENABLE_DPHYSSWAP:=true} # Keyboard settings XKB_MODEL=${XKB_MODEL:=""} 
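Review bot: The new `RPI_32_KERNEL_URL`, `RPI_32_KERNELHEADER_URL`, `RPI3_64_BIS_KERNEL_URL` and `RPI3_64_DEF_KERNEL_URL` defaults point at prebuilt kernels published on third-party GitHub release pages, and nothing in this diff records a digest for them; if the download code elsewhere installs them as fetched, the image's kernel is whatever those assets contain at build time. Pair each default with a checksum variable verified before unpacking (constructed example: `RPI_32_KERNEL_SHA256=${RPI_32_KERNEL_SHA256:=<sha256 of the asset>}`), and state in the comment that these are community builds rather than debian.org packages. The comment `they patch the wlan kernel modul` has a typo (`module`).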
@@ -105,6 +120,7 @@ NET_NTP_2=${NET_NTP_2:=""} # APT settings APT_PROXY=${APT_PROXY:=""} APT_SERVER=${APT_SERVER:="ftp.debian.org"} +KEEP_APT_PROXY=${KEEP_APT_PROXY:=false} # Feature settings ENABLE_PRINTK=${ENABLE_PRINTK:=false} @@ -138,19 +154,26 @@ SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""} SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""} # Advanced settings +ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false} ENABLE_MINBASE=${ENABLE_MINBASE:=false} ENABLE_REDUCE=${ENABLE_REDUCE:=false} ENABLE_UBOOT=${ENABLE_UBOOT:=false} UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} +ENABLE_USBBOOT=${ENABLE_USBBOOT=false} ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} +ENABLE_NEXMON=${ENABLE_NEXMON:=false} VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""} FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""} +NEXMONSRC_DIR=${NEXMONSRC_DIR:=""} ENABLE_HARDNET=${ENABLE_HARDNET:=false} ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false} ENABLE_IFNAMES=${ENABLE_IFNAMES:=true} +ENABLE_SPLASH=${ENABLE_SPLASH:=true} +ENABLE_LOGO=${ENABLE_LOGO:=true} +ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false} DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=} # Kernel compilation settings @@ -162,6 +185,12 @@ KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false} KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true} KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false} KERNEL_CCACHE=${KERNEL_CCACHE:=false} +KERNEL_ZSWAP=${KERNEL_ZSWAP:=false} +KERNEL_VIRT=${KERNEL_VIRT:=false} +KERNEL_BPF=${KERNEL_BPF:=false} +KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave} +KERNEL_SECURITY=${KERNEL_SECURITY:=false} +KERNEL_NF=${KERNEL_NF:=false} # Kernel compilation from source directory settings KERNELSRC_DIR=${KERNELSRC_DIR:=""} 
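Review bot: `ENABLE_USBBOOT=${ENABLE_USBBOOT=false}` and `ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}` use the `=` expansion while every neighbouring default uses `:=`; with `=` a variable that is set but empty (`ENABLE_USBBOOT=` in the environment) stays empty instead of becoming `false`, and the later tests `[ "$ENABLE_USBBOOT" = true ]` and `= false` then both fail. Change them to `ENABLE_USBBOOT=${ENABLE_USBBOOT:=false}` and `ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT:=false}`.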
@@ -185,6 +214,10 @@ CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} +#Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup +CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} +#Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated +CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} # Chroot scripts directory CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} @@ -203,11 +236,9 @@ MISSING_PACKAGES="" # Packages installed for c/c++ build environment in chroot (keep empty) COMPILER_PACKAGES="" -set +x - -#Check if apt-cacher-ng has port 3142 open and set APT_PROXY -APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq) -if [ -n "${APT_CACHER_RUNNING}" ] ; then +# Check if apt-cacher-ng has port 3142 open and set APT_PROXY +APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d') +if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then APT_PROXY=http://127.0.0.1:3142/ fi @@ -258,7 +289,7 @@ if [ -n "$SET_ARCH" ] ; then CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} fi fi -#SET_ARCH not set +# SET_ARCH not set else echo "error: Please set '32' or '64' as value for SET_ARCH" exit 1 
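Review bot: The rewritten apt-cacher-ng detection compares the whole of `lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d'` with the single string `apt-cacher-ng`, so it only succeeds when exactly one distinct value survives; lsof pads its columns with a variable number of spaces, so which token lands in field 3 depends on the width of the PID and COMMAND columns, and a header row, a second connection or a differently named service user makes the match fail silently, leaving `APT_PROXY` unset. A presence test like the removed one, `if lsof -i :3142 | grep -q apt-cacher-ng ; then`, is more robust. The hunk also drops the `set +x`; confirm that was intended.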
@@ -298,9 +329,12 @@ esac # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Include bluetooth packages on supported boards - if [ "$ENABLE_BLUETOOTH" = true ] && [ "$ENABLE_CONSOLE" = false ]; then + if [ "$ENABLE_BLUETOOTH" = true ] ; then APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" fi + if [ "$ENABLE_WIRELESS" = true ] ; then + APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb" + fi else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard # Check if the internal wireless interface is not supported by the RPi model if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then @@ -309,6 +343,11 @@ else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard fi fi +if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then + echo "error: You have to compile kernel sources, if you want to enable nexmon" + exit 1 +fi + # Prepare date string for default image file name DATE="$(date +%Y-%m-%d)" if [ -z "$KERNEL_BRANCH" ] ; then @@ -330,6 +369,11 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake" fi +# Add deps for nexmon +if [ "$ENABLE_NEXMON" = true ] ; then + REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool" +fi + # Add libncurses5 to enable kernel menuconfig if [ "$KERNEL_MENUCONFIG" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev" 
@@ -345,6 +389,11 @@ if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" + # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package + if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then + APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" + fi + if [ -z "$CRYPTFS_PASSWORD" ] ; then echo "error: no password defined (CRYPTFS_PASSWORD)!" exit 1 @@ -362,11 +411,10 @@ if [ "$ENABLE_UBOOT" = true ] ; then APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc" fi -if [ "$ENABLE_BLUETOOTH" = true ] ; then - if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then - if [ "$ENABLE_CONSOLE" = false ] ; then - APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" - fi +if [ "$ENABLE_USBBOOT" = true ] ; then + if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then + echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P" + exit 1 fi fi @@ -386,6 +434,11 @@ if [ -n "$SSH_USER_PUB_KEY" ] ; then fi fi +if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then + echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON" + exit 1 +fi + # Check if all required packages are installed on the build system for package in $REQUIRED_PACKAGES ; do if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then 
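Review bot: `CRYPTFS_DROPBEAR=true` with `ENABLE_INITRAMFS=false` is silently ignored — `dropbear-initramfs` is only added when both are set and nothing reports the mismatch — so a user expecting remote unlock gets an image that only takes the passphrase at the console. Fail early like the other configuration checks in this file, with an `else` branch holding `echo "error: CRYPTFS_DROPBEAR requires ENABLE_INITRAMFS=true"` and `exit 1`. I also see no check that a non-empty `CRYPTFS_DROPBEAR_PUBKEY` points at a readable file, unlike what the `SSH_USER_PUB_KEY` block in the surrounding context appears to do — that check may live outside this diff, so confirm.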
@@ -442,6 +495,12 @@ if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then exit 1 fi +# Check if specified NEXMONSRC_DIR directory exists +if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then + echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!" + exit 1 +fi + # Check if specified CHROOT_SCRIPTS directory exists if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!" @@ -484,6 +543,11 @@ if [ "$EXPANDROOT" = true ] ; then APT_INCLUDES="${APT_INCLUDES},parted" fi +# Add dphys-swapfile package, required to enable swap +if [ "$ENABLE_DPHYSSWAP" = true ] ; then + APT_INCLUDES="${APT_INCLUDES},dphys-swapfile" +fi + # Add dbus package, recommended if using systemd if [ "$ENABLE_DBUS" = true ] ; then APT_INCLUDES="${APT_INCLUDES},dbus" @@ -493,6 +557,10 @@ fi if [ "$ENABLE_IPTABLES" = true ] ; then APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent" fi +# Add apparmor for KERNEL_SECURITY +if [ "$KERNEL_SECURITY" = true ] ; then + APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl" +fi # Add openssh server package if [ "$ENABLE_SSHD" = true ] ; then @@ -546,16 +614,6 @@ if [ "$ENABLE_SYSVINIT" = false ] ; then APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv" fi -# Check if kernel is getting compiled -if [ "$BUILD_KERNEL" = false ] ; then - echo "Downloading precompiled kernel" - echo "error: not configured" - exit 1; -# BUILD_KERNEL=true -else - echo "No precompiled kernel repositories were added" -fi - # Configure kernel sources if no KERNELSRC_DIR if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then KERNELSRC_CONFIG=true 
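Review bot: The removed `BUILD_KERNEL=false` block was the only visible guard for the precompiled-kernel path (it refused with `error: not configured`); after this commit such a build proceeds, and nothing in this diff shows the code that would fetch and verify the kernel the new `RPI_*_KERNEL_URL` defaults point at, so confirm that path exists before relying on it. The `# Add apparmor for KERNEL_SECURITY` block is glued to the preceding `fi` without the blank line every neighbouring block uses.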
@@ -623,13 +681,17 @@ umount -l "${R}/sys" rm -rf "${R}/run/*" rm -rf "${R}/tmp/*" +# Clean up APT proxy settings +if [ "$KEEP_APT_PROXY" = false ] ; then + rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy" +fi + # Clean up files rm -f "${ETC_DIR}/ssh/ssh_host_*" rm -f "${ETC_DIR}/dropbear/dropbear_*" rm -f "${ETC_DIR}/apt/sources.list.save" rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original" rm -f "${ETC_DIR}/*-" -rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy" rm -f "${ETC_DIR}/resolv.conf" rm -f "${R}/root/.bash_history" rm -f "${R}/var/lib/urandom/random-seed" @@ -659,7 +721,7 @@ if [ "$ENABLE_QEMU" = true ] ; then # Setup overlays dtbs directory mkdir "${BASEDIR}/qemu/overlays" - for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do + for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do if [ -f "${dtb}" ] ; then install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/" fi
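Review bot: With `KEEP_APT_PROXY=true` the `10proxy` file survives into the image, but the proxy it presumably holds is whatever the build used — by default the autodetected `http://127.0.0.1:3142/` set earlier in this file — which is the build host's loopback and unreachable from the booted Pi, so apt on the device fails until the file is removed. Either document next to `KEEP_APT_PROXY` that it only makes sense together with an explicitly set, routable `APT_PROXY`, or refuse the autodetected value: `if [ "$KEEP_APT_PROXY" = true ] && [ "$APT_PROXY" = "http://127.0.0.1:3142/" ] ; then` followed by an error and `exit 1`.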