From 58d6d0dddb48b45237ddb4d9a560bc117e0a7b20 2019-10-25 22:46:35 From: Unknown Date: 2019-10-25 22:46:35 Subject: [PATCH] a
---
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index 2802792..6b6faaa 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -464,22 +464,6 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
-
- set_kernel_config CONFIG_ARM64_CRYPTO y
- set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
- set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
- set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
- set_kernel_config CRYPTO_GHASH_ARM64_CE m
- set_kernel_config CRYPTO_SHA2_ARM64_CE m
- set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
- set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
- set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
- set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
- set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
- set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
- set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
- set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
- set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
 fi
 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
@@ -657,22 +641,35 @@ if [ "$BUILD_KERNEL" = true ] ; then
 echo "CONFIG_LBDAF=y" >> "${KERNEL_DIR}"/.config
 if [ "$ENABLE_CRYPTFS" = true ] ; then
- {
- echo "CONFIG_EMBEDDED=y"
- echo "CONFIG_EXPERT=y"
- echo "CONFIG_DAX=y"
- echo "CONFIG_MD=y"
- echo "CONFIG_BLK_DEV_MD=y"
- echo "CONFIG_MD_AUTODETECT=y"
- echo "CONFIG_BLK_DEV_DM=y"
- echo "CONFIG_BLK_DEV_DM_BUILTIN=y"
- echo "CONFIG_DM_CRYPT=y"
- echo "CONFIG_CRYPTO_BLKCIPHER=y"
- echo "CONFIG_CRYPTO_CBC=y"
- echo "CONFIG_CRYPTO_XTS=y"
- echo "CONFIG_CRYPTO_SHA512=y"
- echo "CONFIG_CRYPTO_MANAGER=y"
- } >> "${KERNEL_DIR}"/.config
+ set_kernel_configCONFIG_EMBEDDED y
+ set_kernel_config CONFIG_EXPERT y
+ set_kernel_config CONFIG_DAX y
+ set_kernel_config CONFIG_MD y
+ set_kernel_config CONFIG_BLK_DEV_MD y
+ set_kernel_config CONFIG_MD_AUTODETECT y
+ set_kernel_config CONFIG_BLK_DEV_DM y
+ set_kernel_config CONFIG_BLK_DEV_DM_BUILTIN y
+ set_kernel_config CONFIG_DM_CRYPT y
+ set_kernel_config CONFIG_CRYPTO_BLKCIPHER y
+ set_kernel_config CONFIG_CRYPTO_CBC y
+ set_kernel_config CONFIG_CRYPTO_XTS y
+ set_kernel_config CONFIG_CRYPTO_SHA512 y
+ set_kernel_config CONFIG_CRYPTO_MANAGER y
+ set_kernel_config CONFIG_ARM64_CRYPTO y
+ set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
+ set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
+ set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
+ set_kernel_config CRYPTO_GHASH_ARM64_CE m
+ set_kernel_config CRYPTO_SHA2_ARM64_CE m
+ set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
+ set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
+ set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
+ set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
 fi
 fi
diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh
index 9134da1..cb46d87 100644
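Review bot: The first added line, `set_kernel_configCONFIG_EMBEDDED y`, is missing the space after the helper name, so the shell looks for a command called `set_kernel_configCONFIG_EMBEDDED` and CONFIG_EMBEDDED is never written; it should read `set_kernel_config CONFIG_EMBEDDED y`. Two of the lines moved into this block, `set_kernel_config CRYPTO_GHASH_ARM64_CE m` and `set_kernel_config CRYPTO_SHA2_ARM64_CE m`, lack the `CONFIG_` prefix every other call uses, so they probably need to be `CONFIG_CRYPTO_GHASH_ARM64_CE` and `CONFIG_CRYPTO_SHA2_ARM64_CE` (set_kernel_config's body is not shown, so confirm how it treats the name). The ARM64 crypto options are now applied whenever ENABLE_CRYPTFS is true; if this script also builds 32-bit kernels, a comment or an architecture check around them would make that intent clear. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts outside the hunk.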
--- a/bootstrap.d/14-fstab.sh
+++ b/bootstrap.d/14-fstab.sh
@@ -16,9 +16,6 @@ fi
 if [ "$ENABLE_USBBOOT" = true ] ; then
 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
-
- # Add usb/sda2 disk to crypttab
- sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
 fi
 # Generate initramfs file
@@ -60,8 +57,8 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then
 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
- # Regenerate initramfs
- #chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+ #Regenerate initramfs
+ chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
 fi
 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
@@ -106,7 +103,7 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then
 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
 # Dummy mapping required by mkinitramfs
- echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
+ echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup --verbose create "${CRYPTFS_MAPPING}"
 # Generate initramfs with encrypted root partition support
 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
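Review bot: In the hunk at -60,8 the re-enabled `chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"` writes the same output path as the call that closes the hunk at -106,7, and it appears to run before the `CRYPTSETUP=y` conf-hook line and the dummy mapping shown there, so this first image is presumably built without encrypted-root support and then overwritten. If the early build is really needed, say why in the comment, e.g. `# Regenerate initramfs so the static IP settings are picked up; rebuilt below once cryptsetup is configured`, and keep the space after `#` that the neighbouring comments use; otherwise a single build at the end avoids leaving an image without cryptsetup support at that path if a later step fails. The enclosing `if` blocks start outside the hunk, so the exact conditions under which both calls run are not visible here.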
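Review bot: In the hunk at -106,7 the result of `dmsetup --verbose create` is still not checked: the extra output helps in the build log, but if the dummy mapping cannot be created the following `mkinitramfs` runs anyway and, going by the comment that the mapping is required, may produce an initramfs that cannot unlock the encrypted root. Unless the script already runs under `set -e` (not visible here), append an explicit failure path such as `|| { echo "error: dummy dm-crypt mapping failed" >&2 ; exit 1 ; }`. A short comment noting that `--verbose` is there for build diagnostics would also help; the table line carries only the all-`f` placeholder key, so no real key material is involved.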