From 5f25ae0fa1531dcd00d7ec68f1d2bd2e541498ab 2020-01-08 01:05:09 From: g-vidal Date: 2020-01-08 01:05:09 Subject: [PATCH] Merge branch 'drtyhlpr-master' --- diff --git a/README.md b/README.md index a0a5d67..8fd9fcb 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ The following list of Debian packages must be installed on the build system beca ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo``` It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain. +It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain. The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information. @@ -66,6 +67,7 @@ A comma-separated list of additional packages to be installed by apt after boots #### General system settings: ##### `SET_ARCH`=32 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build. +Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build. ##### `RPI_MODEL`=2 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models: @@ -75,6 +77,7 @@ Specify the target Raspberry Pi hardware model. The script at this time supports - `2` = Raspberry Pi 2 model B - `3` = Raspberry Pi 3 model B - `3P` = Raspberry Pi 3 model B+ +- `4` = Raspberry Pi 4 model B ##### `RELEASE`="buster" Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`. @@ -220,6 +223,9 @@ Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands --- #### Advanced system features: +##### `ENABLE_KEYGEN`=false +Recover your lost codec license + ##### `ENABLE_SYSTEMDSWAP`=false Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled. @@ -231,6 +237,7 @@ Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param ##### `ENABLE_UBOOT`=false Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol. +RPI4 needs tbd ##### `UBOOTSRC_DIR`="" Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot. @@ -315,6 +322,11 @@ Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enab #### Kernel compilation: ##### `BUILD_KERNEL`=true Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used. +Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time. +ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel) +Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot) +Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki) + ##### `CROSS_COMPILE`="arm-linux-gnueabihf-" This sets the cross-compile environment for the compiler. @@ -391,6 +403,18 @@ Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSC ##### `KERNEL_SECURITY`=false Enables Apparmor, integrity subsystem, auditing. +##### `KERNEL_BTRFS`="false" +enable btrfs kernel support + +##### `KERNEL_POEHAT`="false" +enable Enable RPI POE HAT fan kernel support + +##### `KERNEL_NSPAWN`="false" +Enable per-interface network priority control - for systemd-nspawn + +##### `KERNEL_DHKEY`="true" +Diffie-Hellman operations on retained keys - required for >keyutils-1.6 + --- #### Reduce disk usage: @@ -433,8 +457,12 @@ Set password of the encrypted root partition. This parameter is mandatory if `EN Set name of dm-crypt managed device-mapper mapping. ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512" +##### `CRYPTFS_CIPHER`="aes-xts-plain64" Set cipher specification string. `aes-xts*` ciphers are strongly recommended. +##### `CRYPTFS_HASH`=sha512 +Hash function and size to be used + ##### `CRYPTFS_XTSKEYSIZE`=512 Sets key size in bits. The argument has to be a multiple of 8. diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh index ed81db0..15fe12a 100644 --- a/bootstrap.d/11-apt.sh +++ b/bootstrap.d/11-apt.sh @@ -35,7 +35,17 @@ fi # Use specified APT server and release sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list" + +#Fix for changing path for security updates in testing/bullseye +if [ "$RELEASE" = "testing" ] ; then +sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list" sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list" +fi + +if [ -z "$RELEASE" ] ; then +# Change release in sources list +sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list" +fi # Upgrade package index and update all installed packages and changed dependencies chroot_exec apt-get -qq -y update diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index c9e018b..2ca1567 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh @@ -8,108 +8,114 @@ # Install and setup fstab install_readonly files/mount/fstab "${ETC_DIR}/fstab" -# Add usb/sda disk root partition to fstab -if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then - sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" -fi - -# Add encrypted root partition to fstab and crypttab -if [ "$ENABLE_CRYPTFS" = true ] ; then - # Replace fstab root partition with encrypted partition mapping - sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab" - - # Add encrypted partition to crypttab and fstab - install_readonly files/mount/crypttab "${ETC_DIR}/crypttab" - echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" - - if [ "$ENABLE_SPLITFS" = true ] ; then - # Add usb/sda1 disk to crypttab - sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" - fi -fi - -if [ "$ENABLE_USBBOOT" = true ] ; then - sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" - sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" - - # Add usb/sda2 disk to crypttab - sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" -fi - # Generate initramfs file if [ "$ENABLE_INITRAMFS" = true ] ; then if [ "$ENABLE_CRYPTFS" = true ] ; then + # Include initramfs scripts to auto expand encrypted root partition if [ "$EXPANDROOT" = true ] ; then install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs" install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi - - if [ "$ENABLE_DHCP" = false ] ; then - # Get cdir from NET_ADDRESS e.g. 24 - cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Replace fstab root partition with encrypted partition mapping + sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab" - # Convert cdir ro netmask e.g. 24 to 255.255.255.0 - NET_MASK=$(cdr2mask "$cdir") + # Add encrypted partition to crypttab and fstab + install_readonly files/mount/crypttab "${ETC_DIR}/crypttab" + echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" - # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf - sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf - - # Regenerate initramfs - chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + # Add usb/sda2 disk to crypttab + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" + fi + + # Add encrypted root partition to fstab and crypttab + if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then + # Add usb/sda1 disk to crypttab + sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" fi - if [ "$CRYPTFS_DROPBEAR" = true ]; then - if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then - install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys - else - # Create key - chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear - - # Convert dropbear key to openssh key - chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa - - # Get Public Key Part - chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub - - # Delete unwanted lines - sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - - # Trust the new key - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys - - # Save Keys - convert with putty from rsa/openssh to puttkey - cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa - - # Get unlock script - install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh - - # Enable Dropbear inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + if [ "$CRYPTFS_DROPBEAR" = true ]; then + if [ "$ENABLE_DHCP" = false ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2) - # Enable Dropbear inside initramfs - sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear - fi - else - # Disable SSHD inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" - fi + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + # ip=:::::: + sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + else + sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf + fi + + if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then + install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys + else + # Create key + chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear + + # Convert dropbear key to openssh key + chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa + + # Get Public Key Part + chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub + + # Delete unwanted lines + sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + + # Trust the new key + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys + + # Save Keys - convert with putty from rsa/openssh to puttkey + cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa + + # Get unlock script + install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh + + # Enable Dropbear inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + + # Enable Dropbear inside initramfs + sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear + fi + # CRYPTFSDROPBEAR=false + else + # Disable SSHD inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + fi # Add cryptsetup modules to initramfs printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" + #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" # Dummy mapping required by mkinitramfs echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" + echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" # Generate initramfs with encrypted root partition support chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" # Remove dummy mapping chroot_exec cryptsetup close "${CRYPTFS_MAPPING}" + # CRYPTFS=false else + #USB BOOT /boot on sda1 / on sda2 + if [ "$ENABLE_USBBOOT" = true ] ; then + sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" + sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" + fi + + # Add usb/sda disk root partition to fstab + if [ "$ENABLE_SPLITFS" = true ] ; then + sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" + fi # Generate initramfs without encrypted root partition support chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" fi diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index b7a8684..a35279e 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh @@ -113,6 +113,7 @@ if [ "$ENABLE_TURBO" = true ] ; then fi if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then +if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ]; then # Bluetooth enabled if [ "$ENABLE_BLUETOOTH" = true ] ; then @@ -131,6 +132,10 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Set permissions chown -R root:root "${R}/tmp/pi-bluetooth" + + # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/ + wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth + wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd # Install tools install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" @@ -211,6 +216,11 @@ if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then # Change into downloaded src dir cd "${R}/tmp/systemd-swap" || exit + + # Get Verion + VERSION=$(git tag | tail -n 1) + #sed -i "s/DEB_NAME=.*/DEB_NAME=systemd-swap_all/g" "${R}/tmp/systemd-swap/package.sh" + # Build package bash ./package.sh debian @@ -222,6 +232,7 @@ if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR. chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb + chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_"$VERSION"_all.deb # Enable service chroot_exec systemctl enable systemd-swap diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index f80f006..2b9450c 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh @@ -107,6 +107,7 @@ if [ "$ENABLE_WIRELESS" = true ] ; then # Fetch firmware binary blob for RPI3B+ if [ "$RPI_MODEL" = 3P ] ; then + if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then # Fetch firmware binary blob for RPi3P as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin" as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt" diff --git a/bootstrap.d/43-videocore.sh b/bootstrap.d/43-videocore.sh index 344965c..9cf856f 100644 --- a/bootstrap.d/43-videocore.sh +++ b/bootstrap.d/43-videocore.sh @@ -35,10 +35,12 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then if [ "$RELEASE_ARCH" = "arm64" ] ; then cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland" + cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/aarch64-linux-gnu.cmake -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland" fi if [ "$RELEASE_ARCH" = "armel" ] ; then cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland" + cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland" fi if [ "$RELEASE_ARCH" = "armhf" ] ; then diff --git a/bootstrap.d/44-nexmon_monitor_patch.sh b/bootstrap.d/44-nexmon_monitor_patch.sh index 5a260a2..3479c93 100644 --- a/bootstrap.d/44-nexmon_monitor_patch.sh +++ b/bootstrap.d/44-nexmon_monitor_patch.sh @@ -75,6 +75,7 @@ if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then fi if [ "$RPI_MODEL" = 3P ] ; then + if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile make clean diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index b07beb1..74766eb 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh @@ -44,6 +44,9 @@ RPI_MODEL=${RPI_MODEL:=2} # Debian release RELEASE=${RELEASE:=buster} +if [ $RELEASE = "bullseye" ] ; then + RELEASE=testing +fi # Kernel Branch KERNEL_BRANCH=${KERNEL_BRANCH:=""} @@ -65,10 +68,17 @@ RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/rel RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb} # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz} +RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.19.80.20191022/bcmrpi3-kernel-bis-4.19.80.20191022.tar.xz} # Default precompiled 64bit kernel RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz} +RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.19.80.20191022/bcmrpi3-kernel-4.19.80.20191022.tar.xz} +# Sakaki BIS Kernel RPI4 - https://github.com/sakaki-/bcm2711-kernel-bis +RPI4_64_BIS_KERNEL_URL=${RPI4_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcm2711-kernel-bis/releases/download/4.19.59.20190724/bcm2711-kernel-bis-4.19.59.20190724.tar.xz} +# Default precompiled 64bit kernel - https://github.com/sakaki-/bcm2711-kernel +RPI4_64_DEF_KERNEL_URL=${RPI4_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcm2711-kernel-bis/releases/download/4.19.59.20190724/bcm2711-kernel-bis-4.19.59.20190724.tar.xz} # Generic RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL} +RPI4_64_KERNEL_URL=${RPI4_64_KERNEL_URL:=$RPI4_64_DEF_KERNEL_URL} # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul) KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git} @@ -191,6 +201,10 @@ KERNEL_BPF=${KERNEL_BPF:=false} KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand} KERNEL_SECURITY=${KERNEL_SECURITY:=false} KERNEL_NF=${KERNEL_NF:=false} +KERNEL_DHKEY=${KERNEL_DHKEY:=true} +KERNEL_BTRFS=${KERNEL_BTRFS:=false} +KERNEL_NSPAN=${KERNEL_NSPAN:=false} +KERNEL_POEHAT=${KERNEL_POEHAT:=false} # Kernel compilation from source directory settings KERNELSRC_DIR=${KERNELSRC_DIR:=""} @@ -213,6 +227,8 @@ ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false} CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} +CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"} +CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"} CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} @@ -225,12 +241,14 @@ CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} # Packages required in the chroot build environment APT_INCLUDES=${APT_INCLUDES:=""} APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd" +APT_INCLUDES="${APT_INCLUDES},flex,bison,libssl-dev,apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd" # Packages to exclude from chroot build environment APT_EXCLUDES=${APT_EXCLUDES:=""} # Packages required for bootstrapping REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo" +REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus bison flex libssl-dev sudo" MISSING_PACKAGES="" # Packages installed for c/c++ build environment in chroot (keep empty) @@ -289,13 +307,16 @@ if [ -n "$SET_ARCH" ] ; then if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then if [ "$RPI_MODEL" != 4 ] ; then KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig} + KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img} else KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2711_defconfig} + KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7l.img} fi REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf" RELEASE_ARCH=${RELEASE_ARCH:=armhf} KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img} + CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} fi fi @@ -386,6 +407,7 @@ fi # Add deps for nexmon if [ "$ENABLE_NEXMON" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool" + REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf make autoconf automake build-essential libtool" fi # Add libncurses5 to enable kernel menuconfig @@ -402,6 +424,7 @@ fi if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" + APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs" # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then @@ -471,6 +494,7 @@ if [ -n "$MISSING_PACKAGES" ] ; then # Make sure all missing required packages are installed apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"` + apt-get update && apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"` fi # Check if ./bootstrap.d directory exists @@ -823,6 +847,7 @@ if [ "$ENABLE_CRYPTFS" = true ] ; then # Initialize encrypted partition echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password + cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password # Open encrypted partition and setup mapping cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"