From 14de70396904f0dc9fb65148735c94b5bcefc2d9 2017-01-31 20:36:59 From: drtyhlpr Date: 2017-01-31 20:36:59 Subject: [PATCH] Updated: Dropping privileges, chroot compiler install, dropbear sshd config --- diff --git a/README.md b/README.md index 120b1bb..f409aab 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ ## Build dependencies The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. - ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus``` + ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo``` It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the RPi3 this is mandetory. Kernel compilation and linking will be performed on the build system using an ARM (armhf) cross-compiler toolchain. 
@@ -197,11 +197,14 @@ Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param Replace the default RPi2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](http://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol. ##### `UBOOTSRC_DIR`="" -Path to a directory of [U-Boot bootloader sources](http://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot. +Path to a directory (`u-boot`) of [U-Boot bootloader sources](http://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot. ##### `ENABLE_FBTURBO`=false Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling. +##### `FBTURBOSRC_DIR`="" +Path to a directory (`xf86-video-fbturbo`) of [hardware accelerated Xorg video driver sources](https://github.com/ssvb/xf86-video-fbturbo) that will be copied, configured, build and installed inside the chroot. + ##### `ENABLE_IPTABLES`=false Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. 
@@ -242,7 +245,7 @@ Enable password root login via SSH. This may be a security risk with default pas Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported. ##### `SSH_LIMIT_USERS`=false -Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. +Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. This parameter will be ignored if `dropbear` SSH is used (`REDUCE_SSHD`=true). ##### `SSH_ROOT_PUB_KEY`="" Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`. @@ -272,7 +275,7 @@ Start `make menuconfig` interactive menu-driven kernel configuration. The script Remove all kernel sources from the generated OS image after it was built and installed. ##### `KERNELSRC_DIR`="" -Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot. +Path to a directory (`linux`) of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot. ##### `KERNELSRC_CLEAN`=false Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true. 
@@ -287,7 +290,7 @@ Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then runni With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed. ##### `RPI_FIRMWARE_DIR`="" -The directory containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project. +The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project. --- diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index 7117c6d..a3870bd 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh @@ -21,7 +21,7 @@ if [ "$BUILD_KERNEL" = false ] ; then # Upgrade collabora package index and install collabora keyring chroot_exec apt-get -qq -y update - chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring + chroot_exec apt-get -qq -y --allow-unauthenticated install collabora-obs-archive-keyring else # BUILD_KERNEL=true # Install APT sources.list install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list" diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index 082b75e..919cea8 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh 
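Review bot: The replacement line in 11-apt.sh still installs `collabora-obs-archive-keyring` with signature checking switched off (`--allow-unauthenticated`), so the keyring that later authenticates the collabora repository is itself taken on trust from whatever the mirror serves; anyone on the download path gets to choose that trust anchor, and the rename from `--force-yes` does not change that. Prefer shipping the key alongside `files/apt/sources.list` or fetching the keyring package once with a pinned SHA-256 and installing it via `sha256sum -c` plus `dpkg -i`, then running a normal authenticated `apt-get install`. If the bootstrap step must stay, mark it as a deliberate trust-on-first-use, e.g. `# TOFU: keyring is installed unauthenticated; pin its checksum before trusting this repo`. The enclosing `if [ "$BUILD_KERNEL" = false ]` block begins before this hunk.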
@@ -20,8 +20,20 @@ if [ "$BUILD_KERNEL" = true ] ; then make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper fi else # KERNELSRC_DIR="" - # Fetch current raspberrypi kernel sources - git -C "${R}/usr/src" clone --depth=1 "${KERNEL_URL}" + # Create temporary directory for kernel sources + temp_dir=$(sudo -u nobody mktemp -d) + + # Fetch current RPi2/3 kernel sources + sudo -u nobody git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" + + # Copy downloaded kernel sources + mv "${temp_dir}/linux" "${R}/usr/src/" + + # Remove temporary directory for kernel sources + rm -fr "${temp_dir}" + + # Set permissions of the kernel sources + chown -R root:root "${R}/usr/src" fi # Calculate optimal number of kernel building threads diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index 5ce837e..37834cd 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh 
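Review bot: The tree cloned as `nobody` is moved into `${R}/usr/src` and later compiled as root with no check on what was fetched: `--depth=1` of whatever `KERNEL_URL` (defined outside this patch) currently points at, so the privilege drop protects the build host but says nothing about the image. Pin the revision (a `--branch` tag argument on the clone, taken from configuration) and record it in the build output with `sudo -u nobody git -C "${temp_dir}/linux" rev-parse HEAD`, so a rebuilt image can be traced to a kernel commit. Guard the move with `[ -d "${temp_dir}/linux" ] || { echo "error: kernel clone failed" >&2; exit 1; }` so a failed clone cannot continue with an empty `/usr/src`, and write the cleanup as `rm -fr "${temp_dir:?}"` since `temp_dir` is a global reused across bootstrap files. The comment above the `mv` says "Copy" but the sources are moved; `# Move downloaded kernel sources into the image` is what the line does. The enclosing `if [ -n "$KERNELSRC_DIR" ]` block starts before this hunk.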
@@ -16,14 +16,27 @@ if [ "$BUILD_KERNEL" = true ] ; then cp ${RPI_FIRMWARE_DIR}/boot/start_cd.elf ${BOOT_DIR}/start_cd.elf cp ${RPI_FIRMWARE_DIR}/boot/start_x.elf ${BOOT_DIR}/start_x.elf else + # Create temporary directory for boot binaries + temp_dir=$(sudo -u nobody mktemp -d) + # Install latest boot binaries from raspberry/firmware github - wget -q -O "${BOOT_DIR}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" - wget -q -O "${BOOT_DIR}/fixup.dat" "${FIRMWARE_URL}/fixup.dat" - wget -q -O "${BOOT_DIR}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat" - wget -q -O "${BOOT_DIR}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat" - wget -q -O "${BOOT_DIR}/start.elf" "${FIRMWARE_URL}/start.elf" - wget -q -O "${BOOT_DIR}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf" - wget -q -O "${BOOT_DIR}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" + sudo -u nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" + sudo -u nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat" + sudo -u nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat" + sudo -u nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat" + sudo -u nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf" + sudo -u nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf" + sudo -u nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" + + # Move downloaded boot binaries + mv "${temp_dir}/"* "${BOOT_DIR}/" + + # Remove temporary directory for boot binaries + rm -fr "${temp_dir}" + + # Set permissions of the boot binaries + chown -R root:root "${BOOT_DIR}" + chmod -R 600 "${BOOT_DIR}" fi fi @@ -105,6 +118,8 @@ fi # Load sound module at boot if [ "$ENABLE_SOUND" = true ] ; then sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${R}/lib/modules-load.d/rpi2.conf" +else + echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt" fi # Enable I2C interface 
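Review bot: `wget -O` creates and truncates its output file even when the download fails, so a failed fetch of e.g. `bootcode.bin` leaves a zero-length file in `${temp_dir}` that the unconditional `mv "${temp_dir}/"* "${BOOT_DIR}/"` then installs as the first-stage bootloader; unless the script runs under `set -e` (not visible here) the build continues with a broken boot partition. Check every download, e.g. `sudo -u nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" || { echo "error: firmware download failed" >&2; exit 1; }` (a loop over the seven file names keeps this readable), and since these blobs are the root of the boot chain, fetch them from a pinned firmware commit or compare them against known SHA-256 values rather than taking the moving tip of `FIRMWARE_URL`. Separately, `chmod -R 600 "${BOOT_DIR}"` also strips the execute bit from any subdirectory under the boot directory, which is wrong for directories even if the files end up on FAT; `find "${BOOT_DIR}" -type f -exec chmod 600 {} +` limits it to files. The `if`/`else` this hunk sits in begins before the hunk.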
diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index c82a037..bd3ce0a 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh @@ -88,6 +88,20 @@ if [ "$ENABLE_WIRELESS" = true ] ; then mkdir -p ${WLAN_FIRMWARE_DIR} fi - wget -q -O "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin" - wget -q -O "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt" + # Create temporary directory for firmware binary blob + temp_dir=$(sudo -u nobody mktemp -d) + + # Fetch firmware binary blob + sudo -u nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin" + sudo -u nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt" + + # Move downloaded firmware binary blob + mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/" + + # Remove temporary directory for firmware binary blob + rm -fr "${temp_dir}" + + # Set permissions of the firmware binary blob + chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* + chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."* fi diff --git a/bootstrap.d/31-logging.sh b/bootstrap.d/31-logging.sh index 4269afc..0e2415e 100644 --- a/bootstrap.d/31-logging.sh +++ b/bootstrap.d/31-logging.sh @@ -9,5 +9,5 @@ if [ "$ENABLE_RSYSLOG" = false ] ; then sed -i "s|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g" "${ETC_DIR}/systemd/journald.conf" chroot_exec systemctl disable rsyslog - chroot_exec apt-get -qq -y --force-yes purge rsyslog + chroot_exec apt-get -qq -y purge rsyslog fi diff --git a/bootstrap.d/32-sshd.sh b/bootstrap.d/32-sshd.sh index 2c891d6..162fdb2 100644 --- a/bootstrap.d/32-sshd.sh +++ b/bootstrap.d/32-sshd.sh 
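Review bot: The WLAN firmware fetch in 20-networking.sh has the same gap as the boot-binary fetch: neither `wget` is checked, `wget -O` leaves an empty `brcmfmac43430-sdio.bin` behind on failure, and the unconditional `mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"` installs whatever is there as the firmware the kernel will load into the radio. Append `|| { echo "error: WLAN firmware download failed" >&2; exit 1; }` to both downloads and pin a SHA-256 for the `.bin` and the `.txt` NVRAM file, so the firmware loaded into a device sitting on the SDIO bus is at least the one the author tested with. The enclosing `if [ "$ENABLE_WIRELESS" = true ]` block begins before the hunk.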
@@ -6,14 +6,26 @@ . ./functions.sh if [ "$ENABLE_SSHD" = true ] ; then + DROPBEAR_ARGS="" + if [ "$SSH_ENABLE_ROOT" = false ] ; then - # User root is not allowed to log in - sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + # User root is not allowed to log in + sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config" + else + # User root is not allowed to log in + DROPBEAR_ARGS="-w" + fi fi if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then - # Permit SSH root login - sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + # Permit SSH root login + sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config" + else + # Permit SSH root login + DROPBEAR_ARGS="" + fi # Add SSH (v2) public key for user root if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then @@ -31,8 +43,10 @@ if [ "$ENABLE_SSHD" = true ] ; then chroot_exec chmod 600 "/root/.ssh/authorized_keys" chroot_exec chown root:root "/root/.ssh/authorized_keys" - # Allow SSH public key authentication - sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + # Allow SSH public key authentication + sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" + fi fi fi 
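Review bot: The dropbear root-login policy is opt-out rather than default-deny: `DROPBEAR_ARGS=""` is the starting value and `-w` is only added in the `SSH_ENABLE_ROOT = false` branch, so the combination `ENABLE_ROOT=false` with `SSH_ENABLE_ROOT=true` leaves dropbear's built-in default (root login allowed) in force, while the OpenSSH path at least inherits the distribution's `PermitRootLogin` setting. Initialise with `DROPBEAR_ARGS="-w"` and clear it only in the `ENABLE_ROOT = true` and `SSH_ENABLE_ROOT = true` branch (which already sets `DROPBEAR_ARGS=""`), which also makes the `else` in the first branch redundant. The condition `[ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ]` is now repeated seven times across this file; a single boolean computed once at the top of the `ENABLE_SSHD` block, with a comment that it selects OpenSSH versus dropbear, would make later edits less error-prone.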
@@ -53,13 +67,15 @@ if [ "$ENABLE_SSHD" = true ] ; then chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys" chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys" - # Allow SSH public key authentication - sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + # Allow SSH public key authentication + sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" + fi fi fi # Limit the users that are allowed to login via SSH - if [ "$SSH_LIMIT_USERS" = true ] ; then + if [ "$SSH_LIMIT_USERS" = true ] && [ "$ENABLE_REDUCE" = false ] ; then allowed_users="" if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then allowed_users="root" 
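Review bot: The new guard `[ "$SSH_LIMIT_USERS" = true ] && [ "$ENABLE_REDUCE" = false ]` drops the `AllowUsers` restriction whenever `ENABLE_REDUCE=true`, even with `REDUCE_SSHD=false` where OpenSSH is still the daemon and the option is fully applicable; every other branch in this file tests `[ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ]` for that case, and the README text in this same commit says the option is ignored only when dropbear is used. Use the same condition here: `if [ "$SSH_LIMIT_USERS" = true ] && { [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; } ; then`. As written, an image built with `ENABLE_REDUCE=true`, `REDUCE_SSHD=false` and `SSH_LIMIT_USERS=true` ships without the login restriction it was configured with. The `allowed_users` block continues past the end of the hunk.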
@@ -77,11 +93,24 @@ if [ "$ENABLE_SSHD" = true ] ; then # Disable password-based authentication if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then - sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config" + else + DROPBEAR_ARGS="-g" + fi fi - sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" - sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" - sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config" + if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then + sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" + sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" + sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config" + else + DROPBEAR_ARGS="${DROPBEAR_ARGS} -s" + fi + fi + + # Update dropbear SSH configuration + if [ "$ENABLE_REDUCE" = true ] && [ "$REDUCE_SSHD" = true ] ; then + sed "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear" fi fi diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh index 83f391b..68198ec 100644 --- a/bootstrap.d/41-uboot.sh +++ b/bootstrap.d/41-uboot.sh 
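Review bot: The final `sed "s|^DROPBEAR_EXTRA_ARGS=.*|...|g" "${ETC_DIR}/default/dropbear"` has no `-i`, so it prints the edited file to stdout and leaves `/etc/default/dropbear` untouched; none of the `-w`, `-s` or `-g` flags collected above ever reach dropbear, and a reduced image configured with `SSH_ENABLE_ROOT=false` or `SSH_DISABLE_PASSWORD_AUTH=true` still accepts root and password logins. Change it to `sed -i "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear"`, and because the substitution is a no-op when the file carries no uncommented `DROPBEAR_EXTRA_ARGS=` line, follow it with `grep -q '^DROPBEAR_EXTRA_ARGS=' "${ETC_DIR}/default/dropbear" || echo "DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"" >> "${ETC_DIR}/default/dropbear"`. Note also that `DROPBEAR_ARGS="-g"` assigns rather than appends; that is only correct because the root-enabled branch earlier in the file set the variable to `""`, and a comment such as `# root login is enabled here, so -g (no root password auth) is the only flag so far` would keep a future edit from breaking it. The enclosing `if [ "$ENABLE_SSHD" = true ]` block begins before the hunk.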
@@ -5,21 +5,30 @@ # Load utility functions . ./functions.sh -# Install gcc/c++ build environment inside the chroot -if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ] ; then - COMPILER_PACKAGES=$(chroot_exec apt-get -s install ${COMPILER_PACKAGES} | grep "^Inst " | awk -v ORS=" " '{ print $2 }') - chroot_exec apt-get -q -y --force-yes --no-install-recommends install ${COMPILER_PACKAGES} -fi - # Fetch and build U-Boot bootloader if [ "$ENABLE_UBOOT" = true ] ; then + # Install c/c++ build environment inside the chroot + chroot_install_cc + # Copy existing U-Boot sources into chroot directory if [ -n "$UBOOTSRC_DIR" ] && [ -d "$UBOOTSRC_DIR" ] ; then # Copy local U-Boot sources cp -r "${UBOOTSRC_DIR}" "${R}/tmp" else + # Create temporary directory for U-Boot sources + temp_dir=$(sudo -u nobody mktemp -d) + # Fetch U-Boot sources - git -C "${R}/tmp" clone "${UBOOT_URL}" + sudo -u nobody git -C "${temp_dir}" clone "${UBOOT_URL}" + + # Copy downloaded U-Boot sources + mv "${temp_dir}/u-boot" "${R}/tmp/" + + # Set permissions of the U-Boot sources + chown -R root:root "${R}/tmp/u-boot" + + # Remove temporary directory for U-Boot sources + rm -fr "${temp_dir}" fi # Build and install U-Boot inside chroot diff --git a/bootstrap.d/42-fbturbo.sh b/bootstrap.d/42-fbturbo.sh index ef745eb..0e8b064 100644 --- a/bootstrap.d/42-fbturbo.sh +++ b/bootstrap.d/42-fbturbo.sh 
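Review bot: The U-Boot clone is a full, unpinned checkout of `UBOOT_URL` (defined outside this patch) that is then built and installed as the second-stage bootloader with nothing recording or verifying which revision was fetched; cloning as `nobody` protects the build host, not the image. Pin a release tag at clone time with `--branch` and, if the upstream tag is GPG-signed, verify it before the move with `sudo -u nobody git -C "${temp_dir}/u-boot" verify-tag <tag>`; at minimum log `sudo -u nobody git -C "${temp_dir}/u-boot" rev-parse HEAD` so the bootloader in an image can be traced back. The local-sources branch (`cp -r "${UBOOTSRC_DIR}" "${R}/tmp"`) keeps the host's file ownership while only the download branch gets `chown -R root:root`; moving the `chown` after the `if`/`else` applies it to both. The enclosing `if [ "$ENABLE_UBOOT" = true ]` block continues past the hunk.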
@@ -6,11 +6,33 @@ . ./functions.sh if [ "$ENABLE_FBTURBO" = true ] ; then - # Fetch fbturbo driver sources - git -C "${R}/tmp" clone "${FBTURBO_URL}" + # Install c/c++ build environment inside the chroot + chroot_install_cc + + # Copy existing fbturbo sources into chroot directory + if [ -n "$FBTURBOSRC_DIR" ] && [ -d "$FBTURBOSRC_DIR" ] ; then + # Copy local fbturbo sources + cp -r "${FBTURBOSRC_DIR}" "${R}/tmp" + else + # Create temporary directory for fbturbo sources + temp_dir=$(sudo -u nobody mktemp -d) + + # Fetch fbturbo sources + sudo -u nobody git -C "${temp_dir}" clone "${FBTURBO_URL}" + + # Move downloaded fbturbo sources + mv "${temp_dir}/xf86-video-fbturbo" "${R}/tmp/" + + # Remove temporary directory for fbturbo sources + rm -fr "${temp_dir}" + fi # Install Xorg build dependencies - chroot_exec apt-get -q -y --force-yes --no-install-recommends install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev + if [ "$RELEASE" = "jessie" ] ; then + chroot_exec apt-get -q -y --no-install-recommends install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev + elif [ "$RELEASE" = "stretch" ] ; then + chroot_exec apt-get -q -y --no-install-recommends --allow-unauthenticated install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev + fi # Build and install fbturbo driver inside chroot chroot_exec /bin/bash -x <<'EOF' @@ -27,8 +49,3 @@ EOF # Remove Xorg build dependencies chroot_exec apt-get -qq -y --auto-remove purge xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev fi - -# Remove gcc/c++ build environment from the chroot -if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ] ; then - chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} -fi diff --git a/bootstrap.d/99-reduce.sh b/bootstrap.d/99-reduce.sh index 3965940..adcc98a 100644 --- a/bootstrap.d/99-reduce.sh +++ b/bootstrap.d/99-reduce.sh 
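Review bot: On stretch the Xorg build dependencies are installed with `--allow-unauthenticated`, which disables APT signature verification for every package in that transaction (the same flag appears in `chroot_install_cc`), so the headers and tooling that end up inside the image can be substituted by anyone between the chroot and the mirror. Whatever makes authentication fail on stretch — presumably a missing or stale archive keyring in the chroot, not visible here — should be fixed instead, keeping the plain `apt-get -q -y --no-install-recommends install ...` for both releases; if the bypass has to stay for now, a `# FIXME: signature check disabled because <reason>; remove once the stretch keyring is in place` on that line keeps it from becoming permanent. Two smaller points in the same hunk: the local-source branch copies `${FBTURBOSRC_DIR}` without the `chown -R root:root` the download branch gives the kernel and U-Boot trees, and the `if`/`elif` on `$RELEASE` installs nothing for any other release, which now surfaces as a build failure deep inside the chroot rather than up front.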
@@ -46,18 +46,23 @@ if [ "$ENABLE_REDUCE" = true ] ; then # Replace bash shell by dash shell (experimental) if [ "$REDUCE_BASH" = true ] ; then - echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --force-yes bash + if [ "$RELEASE" = "stretch" ] ; then + echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --allow-remove-essential bash + else + echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --force-yes bash + fi + chroot_exec update-alternatives --install /bin/bash bash /bin/dash 100 fi # Remove sound utils and libraries if [ "$ENABLE_SOUND" = false ] ; then - chroot_exec apt-get -qq -y --force-yes purge alsa-utils libsamplerate0 libasound2 libasound2-data + chroot_exec apt-get -qq -y purge alsa-utils libsamplerate0 libasound2 libasound2-data fi - # Re-install tools for managing kernel moduless + # Re-install tools for managing kernel modules if [ "$RELEASE" = "jessie" ] ; then - chroot_exec apt-get -qq -y --force-yes install module-init-tools + chroot_exec apt-get -qq -y install module-init-tools fi # Remove GPU kernels diff --git a/functions.sh b/functions.sh index c8f1b16..52f9c35 100644 --- a/functions.sh +++ b/functions.sh 
@@ -53,3 +53,24 @@ use_template () { # Load template configuration parameters . "./templates/${CONFIG_TEMPLATE}" } + +chroot_install_cc() { + # Install c/c++ build environment inside the chroot + if [ -z "${COMPILER_PACKAGES}" ] ; then + COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') + + if [ "$RELEASE" = "jessie" ] ; then + chroot_exec apt-get -q -y --no-install-recommends install ${COMPILER_PACKAGES} + elif [ "$RELEASE" = "stretch" ] ; then + chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES} + fi + fi +} + +chroot_remove_cc() { + # Remove c/c++ build environment from the chroot + if [ ! -z "${COMPILER_PACKAGES}" ] ; then + chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} + COMPILER_PACKAGES="" + fi +} diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index f816a20..51a9dcb 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh @@ -145,6 +145,7 @@ ENABLE_REDUCE=${ENABLE_REDUCE:=false} ENABLE_UBOOT=${ENABLE_UBOOT:=false} UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} +FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""} ENABLE_HARDNET=${ENABLE_HARDNET:=false} ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} @@ -194,9 +195,12 @@ APT_INCLUDES=${APT_INCLUDES:=""} APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils" # Packages required for bootstrapping -REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus" +REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo" MISSING_PACKAGES="" +# Packages installed for c/c++ build environment in chroot (keep empty) +COMPILER_PACKAGES="" + set +x # Set Raspberry Pi model specific configuration 
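Review bot: `chroot_install_cc` cannot distinguish "nothing to install" from "the probe failed": `grep "^Inst "` returns non-zero on no match, so the pipeline's status is useless, and a failed `apt-get -s` (network, broken chroot, or a `$RELEASE` other than jessie/stretch that hits neither branch) leaves `COMPILER_PACKAGES` empty and the function silently succeeds, with the missing compiler only showing up when the U-Boot or fbturbo `make` fails. Run the simulation once for its exit status before the capture, `chroot_exec apt-get -s install g++ make bc >/dev/null || { echo "error: apt-get simulation failed in chroot" >&2; exit 1; }`, and add an `else` that rejects unsupported releases. The stretch branch also installs the toolchain with `--allow-unauthenticated`, i.e. without signature verification, into the image; a working keyring in the chroot would remove the need for it. A short header on each function would help readers, e.g. `# Install g++/make/bc in the chroot; COMPILER_PACKAGES records only the packages newly added so chroot_remove_cc can purge exactly those.`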
@@ -226,15 +230,9 @@ if [ ! -z "$DISABLE_UNDERVOLT_WARNINGS" ] ; then fi fi -# Set compiler packages and build RPi2/3 Linux kernel if required by Debian release -if [ "$RELEASE" = "jessie" ] ; then - COMPILER_PACKAGES="linux-compiler-gcc-4.8-arm g++ make bc" -elif [ "$RELEASE" = "stretch" ] ; then - COMPILER_PACKAGES="g++ make bc" +# Build RPi2/3 Linux kernel if required by Debian release +if [ "$RELEASE" = "stretch" ] ; then BUILD_KERNEL=true -else - echo "error: Debian release ${RELEASE} is not supported!" - exit 1 fi # Add packages required for kernel cross compilation @@ -334,6 +332,12 @@ if [ -n "$UBOOTSRC_DIR" ] && [ ! -d "$UBOOTSRC_DIR" ] ; then exit 1 fi +# Check if specified FBTURBOSRC_DIR directory exists +if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then + echo "error: '${FBTURBOSRC_DIR}' specified directory not found (FBTURBOSRC_DIR)!" + exit 1 +fi + # Check if specified CHROOT_SCRIPTS directory exists if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!" @@ -474,6 +478,9 @@ EOF rm -rf "${R}/chroot_scripts" fi +# Remove c/c++ build environment from the chroot +chroot_remove_cc + # Remove apt-utils if [ "$RELEASE" = "jessie" ] ; then chroot_exec apt-get purge -qq -y --force-yes apt-utils @@ -567,8 +574,9 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then mkfs.ext4 "$ROOT_LOOP" # Setup password keyfile - echo -n ${CRYPTFS_PASSWORD} > .password + touch .password chmod 600 .password + echo -n ${CRYPTFS_PASSWORD} > .password # Initialize encrypted partition echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
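Review bot: The `@@ -226` hunk removes the `else` branch that printed `error: Debian release ${RELEASE} is not supported!` and exited, without replacing it, so an unknown `RELEASE` is no longer rejected up front; since `chroot_install_cc`, 42-fbturbo.sh and 99-reduce.sh now branch only on `jessie`/`stretch`, such a build proceeds with a silently skipped compiler install and fails, if at all, late inside the chroot. Keep the guard as a standalone check where the removed `if` stood, e.g. `case "$RELEASE" in jessie|stretch) ;; *) echo "error: Debian release ${RELEASE} is not supported!" ; exit 1 ;; esac`.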
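Review bot: Creating `.password` with `touch` and `chmod 600` before writing it closes the window in which the LUKS keyfile was world-readable, but the write itself is still `echo -n ${CRYPTFS_PASSWORD}` unquoted: a passphrase containing whitespace or glob characters is word-split or expanded, and one beginning with `-n`/`-e` is eaten as an option, so the key written differs from the one the user set. Use `printf '%s' "${CRYPTFS_PASSWORD}" > .password`; `install -m 600 /dev/null .password` (or a `umask 077` around the step) creates the file with the right mode in one operation instead of touch plus chmod. The script toggles `set -x`/`set +x` around its configuration block (visible in the `@@ -194` hunk), so make sure tracing is off here, or the passphrase ends up in the build log; whether `.password` is removed after `cryptsetup luksFormat` is outside this hunk.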