Merge pull request #16 from drtyhlpr/master...
burnbabyburn -
r731:22034dc0fa1c Fusion
@@ -1,13 +1,13
1 1 # rpi23-gen-image
2 2 ## Introduction
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9 9
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
@@ -61,7 +61,7 A comma-separated list of additional packages to be installed by apt after boots
61 61
62 62 #### General system settings:
63 63 ##### `SET_ARCH`=32
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
65 65
66 66 ##### `RPI_MODEL`=2
67 67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
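Review bot: the new `SET_ARCH` text (line 64) allows 64-bit builds for RPI3/RPI3+/RPI4, but the Introduction in this same patch (new line 3) still says only the Raspberry Pi 3 supports 64-bit images and that Pi 0/1/2/3/4 images are 32-bit only; update that sentence in the same change so the README does not contradict itself.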
@@ -71,6 +71,7 Specify the target Raspberry Pi hardware model. The script at this time supports
71 71 - `2` = Raspberry Pi 2 model B
72 72 - `3` = Raspberry Pi 3 model B
73 73 - `3P` = Raspberry Pi 3 model B+
74 - `4` = Raspberry Pi 4 model B
74 75
75 76 ##### `RELEASE`="buster"
76 77 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
@@ -216,6 +217,9 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
216 217 ---
217 218
218 219 #### Advanced system features:
220 ##### `ENABLE_KEYGEN`=false
221 Recover your lost codec license
222
219 223 ##### `ENABLE_SYSTEMDSWAP`=false
220 224 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
221 225
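Review bot: the new `ENABLE_KEYGEN` entry (lines 220-221) says only "Recover your lost codec license" and nothing about what the option does, what input it needs, which files it writes, or where the implementation lives; nothing else in this patch implements it. Document it properly (the MPEG-2/VC-1 codec licences are sold per board and tied to the board serial, so the text should state that the option only applies to a licence the user already holds) or keep it out of the README until the code lands. The context line for `ENABLE_SYSTEMDSWAP` still has the typo "Usefull".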
@@ -227,6 +231,7 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param
227 231
228 232 ##### `ENABLE_UBOOT`=false
229 233 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
234 RPI4 needs tbd
230 235
231 236 ##### `UBOOTSRC_DIR`=""
232 237 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
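Review bot: "RPI4 needs tbd" (new line 234) is a placeholder, not documentation. State what is actually known, for example whether `ENABLE_UBOOT` is unsupported or merely untested on the Pi 4 and whether the script refuses or silently ignores the option for `RPI_MODEL=4`, or drop the line until that can be written.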
@@ -310,7 +315,11 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enab
310 315
311 316 #### Kernel compilation:
312 317 ##### `BUILD_KERNEL`=true
313 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
318 Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time.
319 ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel)
320 Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot)
321 Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki)
322
314 323
315 324 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
316 325 This sets the cross-compile environment for the compiler.
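Review bot: the three links on new lines 319-321 have the Markdown link syntax inverted: `[https://github.com/Re4son/](Kali Linux Kernel)` renders the URL as the link text and points at the literal string "Kali Linux Kernel"; it should be `[Kali Linux Kernel](https://github.com/Re4son/)`, and likewise for hypriot and sakaki. `ENABLE_NEXMON` is mentioned here but documented nowhere else in the patch, "RPi 0/1/2/3/" has a stray trailing slash, and "is used most of the time" should say under which settings the default configuration is not used.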
@@ -387,6 +396,18 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSC
387 396 ##### `KERNEL_SECURITY`=false
388 397 Enables Apparmor, integrity subsystem, auditing.
389 398
399 ##### `KERNEL_BTRFS`="false"
400 enable btrfs kernel support
401
402 ##### `KERNEL_POEHAT`="false"
403 enable Enable RPI POE HAT fan kernel support
404
405 ##### `KERNEL_NSPAWN`="false"
406 Enable per-interface network priority control - for systemd-nspawn
407
408 ##### `KERNEL_DHKEY`="true"
409 Diffie-Hellman operations on retained keys - required for >keyutils-1.6
410
390 411 ---
391 412
392 413 #### Reduce disk usage:
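Review bot: the four new `KERNEL_*` entries (lines 399-409) do not follow the formatting of the rest of this section: the defaults are quoted (`"false"`) while neighbours such as `KERNEL_SECURITY`=false are not, the descriptions are lowercase fragments, and line 403 reads "enable Enable RPI POE HAT fan kernel support". "required for >keyutils-1.6" is ambiguous; write "required by keyutils 1.6 and later". Also `KERNEL_DHKEY` is the only new option that defaults to true; if CONFIG_KEY_DH_OPERATIONS is needed by the keyutils package installed in the image, say so here, otherwise default it to false like the others.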
@@ -428,9 +449,12 Set password of the encrypted root partition. This parameter is mandatory if `EN
428 449 ##### `CRYPTFS_MAPPING`="secure"
429 450 Set name of dm-crypt managed device-mapper mapping.
430 451
431 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
452 ##### `CRYPTFS_CIPHER`="aes-xts-plain64"
432 453 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
433 454
455 ##### `CRYPTFS_HASH`=sha512
456 Hash function and size to be used
457
434 458 ##### `CRYPTFS_XTSKEYSIZE`=512
435 459 Sets key size in bits. The argument has to be a multiple of 8.
436 460
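Review bot: `CRYPTFS_HASH` (lines 455-456) needs a description that says what the hash is used for: with cryptsetup it is the `--hash` used by the PBKDF for the LUKS key slots, not a cipher parameter, which is exactly why splitting it out of `CRYPTFS_CIPHER` is the right move. The patch does not show the `cryptsetup luksFormat` call being updated to pass `--hash "${CRYPTFS_HASH}"`; please confirm that is done elsewhere, otherwise the new parameter is a no-op and the previous `:sha512` suffix silently disappears from the format command. Also quote the default (`"sha512"`) consistently with `CRYPTFS_CIPHER` and `CRYPTFS_MAPPING`.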
@@ -16,7 +16,17 install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
16 16
17 17 # Use specified APT server and release
18 18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
19
20 #Fix for changing path for security updates in testing/bullseye
21 if [ "$RELEASE" = "testing" ] ; then
22 sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
19 23 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
24 fi
25
26 if [ -z "$RELEASE" ] ; then
27 # Change release in sources list
28 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
29 fi
20 30
21 31 # Upgrade package index and update all installed packages and changed dependencies
22 32 chroot_exec apt-get -qq -y update
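Review bot: the `-z` test on new line 26 is inverted and the original unconditional substitution has been lost. `[ -z "$RELEASE" ]` is true only when `RELEASE` is empty, in which case `sed -i "s/ stretch/ ${RELEASE}/"` replaces the release name with nothing; for the normal `buster` case neither branch runs and sources.list stays on `stretch`. The removed line 19 ran that substitution always. Suggested structure: keep the `s/ stretch/ ${RELEASE}/` sed unconditional as before, and only add the `testing-security` rewrite inside the `"$RELEASE" = "testing"` branch. Note that branch also hard-codes the bullseye security path while the README in this same patch still lists only stretch and buster as supported.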
@@ -52,6 +52,11 if [ "$BUILD_KERNEL" = true ] ; then
52 52 if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
53 53 KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
54 54 fi
55
56 #Copy 32bit config to 64bit
57 if [ "$ENABLE_QEMU" = true ] && [ "$KERNEL_ARCH" = arm64 ]; then
58 cp "${KERNEL_DIR}"/arch/arm/configs/vexpress_defconfig "${KERNEL_DIR}"/arch/arm64/configs/
59 fi
55 60
56 61 # Configure and build kernel
57 62 if [ "$KERNELSRC_PREBUILT" = false ] ; then
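Review bot: copying `arch/arm/configs/vexpress_defconfig` into `arch/arm64/configs/` (new line 58) does not turn a 32-bit ARM configuration into an arm64 one; the arm64 tree ships a single `defconfig`, and an ARCH=arm64 build fed the copied file will drop every armv7-only symbol at olddefconfig time and end up with whatever arm64 defaults remain. If the goal is a QEMU-bootable arm64 kernel, say so in the comment and start from the arm64 `defconfig` instead. The patch also does not show where `vexpress_defconfig` is later passed to `make` for the arm64 case, so please point to that call.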
@@ -98,13 +103,38 if [ "$BUILD_KERNEL" = true ] ; then
98 103 #Switch to KERNELSRC_DIR so we can use set_kernel_config
99 104 cd "${KERNEL_DIR}" || exit
100 105
101 if [ "$KERNEL_ARCH" = arm64 ] ; then
106 # Enable RPI POE HAT fan
107 if [ "$KERNEL_POEHAT" = true ]; then
108 set_kernel_config CONFIG_SENSORS_RPI_POE_FAN m
109 fi
110
111 # Enable per-interface network priority control
112 # (for systemd-nspawn)
113 if [ "$KERNEL_NSPAN" = true ]; then
114 set_kernel_config CONFIG_CGROUP_NET_PRIO y
115 fi
116
117 # Compile in BTRFS
118 if [ "$KERNEL_BTRFS" = true ]; then
119 set_kernel_config CONFIG_BTRFS_FS y
120 set_kernel_config CONFIG_BTRFS_FS_POSIX_ACL y
121 set_kernel_config CONFIG_BTRFS_FS_REF_VERIFY y
122 fi
123
124 # Diffie-Hellman operations on retained keys
125 # (required for >keyutils-1.6)
126 if [ "$KERNEL_DHKEY" = true ]; then
127 set_kernel_config CONFIG_KEY_DH_OPERATIONS y
128 fi
129
130 if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
131 # Mask this temporarily during switch to rpi-4.19.y
102 132 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
103 133 # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
104 set_kernel_config CONFIG_MMC_BCM2835 n
105 set_kernel_config CONFIG_MMC_SDHCI_IPROC n
106 set_kernel_config CONFIG_USB_DWC2 n
107 sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
134 #set_kernel_config CONFIG_MMC_BCM2835 n
135 #set_kernel_config CONFIG_MMC_SDHCI_IPROC n
136 #set_kernel_config CONFIG_USB_DWC2 n
137 #sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
108 138
109 139 #VLAN got disabled without reason in arm64bit
110 140 set_kernel_config CONFIG_IPVLAN m
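Review bot: `KERNEL_NSPAN` on new line 113 does not match the documented variable `KERNEL_NSPAWN`, so CONFIG_CGROUP_NET_PRIO can never be enabled through the option; fix the spelling. Two further points: `CONFIG_BTRFS_FS_REF_VERIFY y` (line 121) is the btrfs extent-reference debugging checker, which adds overhead to every btrfs operation and is not something a `KERNEL_BTRFS` user asked for, so leave it unset; and the four commented-out MMC/USB lines (134-137) under "Mask this temporarily" should either be removed or gated on the kernel branch, rather than left as dead code, since the SDHOST driver mess they refer to is specific to older rpi branches.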
@@ -118,12 +148,234 if [ "$BUILD_KERNEL" = true ] ; then
118 148 set_kernel_config CONFIG_Z3FOLD y
119 149 set_kernel_config CONFIG_ZSMALLOC y
120 150 set_kernel_config CONFIG_PGTABLE_MAPPING y
121 set_kernel_config CONFIG_LZO_COMPRESS y
122
151 set_kernel_config CONFIG_LZO_COMPRESS y
152 fi
153
154 if [ "$RPI_MODEL" = 4 ] ; then
155 # Following are set in current 32-bit LPAE kernel
156 set_kernel_config CONFIG_CGROUP_PIDS y
157 set_kernel_config CONFIG_NET_IPVTI m
158 set_kernel_config CONFIG_NF_TABLES_SET m
159 set_kernel_config CONFIG_NF_TABLES_INET y
160 set_kernel_config CONFIG_NF_TABLES_NETDEV y
161 set_kernel_config CONFIG_NF_FLOW_TABLE m
162 set_kernel_config CONFIG_NFT_FLOW_OFFLOAD m
163 set_kernel_config CONFIG_NFT_CONNLIMIT m
164 set_kernel_config CONFIG_NFT_TUNNEL m
165 set_kernel_config CONFIG_NFT_OBJREF m
166 set_kernel_config CONFIG_NFT_FIB_IPV4 m
167 set_kernel_config CONFIG_NFT_FIB_IPV6 m
168 set_kernel_config CONFIG_NFT_FIB_INET m
169 set_kernel_config CONFIG_NFT_SOCKET m
170 set_kernel_config CONFIG_NFT_OSF m
171 set_kernel_config CONFIG_NFT_TPROXY m
172 set_kernel_config CONFIG_NF_DUP_NETDEV m
173 set_kernel_config CONFIG_NFT_DUP_NETDEV m
174 set_kernel_config CONFIG_NFT_FWD_NETDEV m
175 set_kernel_config CONFIG_NFT_FIB_NETDEV m
176 set_kernel_config CONFIG_NF_FLOW_TABLE_INET m
177 set_kernel_config CONFIG_NF_FLOW_TABLE m
178 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
179 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
180 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
181 set_kernel_config CONFIG_NFT_MASQ_IPV6 m
182 set_kernel_config CONFIG_NFT_REDIR_IPV6 m
183 set_kernel_config CONFIG_NFT_REJECT_IPV6 m
184 set_kernel_config CONFIG_NFT_DUP_IPV6 m
185 set_kernel_config CONFIG_NFT_FIB_IPV6 m
186 set_kernel_config CONFIG_NF_FLOW_TABLE_IPV6 m
187 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
188 set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
189 set_kernel_config CONFIG_NF_LOG_BRIDGE m
190 set_kernel_config CONFIG_MT76_CORE m
191 set_kernel_config CONFIG_MT76_LEDS m
192 set_kernel_config CONFIG_MT76_USB m
193 set_kernel_config CONFIG_MT76x2_COMMON m
194 set_kernel_config CONFIG_MT76x0U m
195 set_kernel_config CONFIG_MT76x2U m
196 set_kernel_config CONFIG_TOUCHSCREEN_ILI210X m
197 set_kernel_config CONFIG_BCM_VC_SM m
198 set_kernel_config CONFIG_BCM2835_SMI_DEV m
199 set_kernel_config CONFIG_RPIVID_MEM m
200 set_kernel_config CONFIG_HW_RANDOM_BCM2835 y
201 set_kernel_config CONFIG_TCG_TPM m
202 set_kernel_config CONFIG_HW_RANDOM_TPM y
203 set_kernel_config CONFIG_TCG_TIS m
204 set_kernel_config CONFIG_TCG_TIS_SPI m
205 set_kernel_config CONFIG_I2C_MUX m
206 set_kernel_config CONFIG_I2C_MUX_GPMUX m
207 set_kernel_config CONFIG_I2C_MUX_PCA954x m
208 set_kernel_config CONFIG_SPI_GPIO m
209 set_kernel_config CONFIG_BATTERY_MAX17040 m
210 set_kernel_config CONFIG_SENSORS_GPIO_FAN m
211 set_kernel_config CONFIG_SENSORS_RASPBERRYPI_HWMON m
212 set_kernel_config CONFIG_BCM2835_THERMAL y
213 set_kernel_config CONFIG_RC_CORE y
214 set_kernel_config CONFIG_RC_MAP y
215 set_kernel_config CONFIG_LIRC y
216 set_kernel_config CONFIG_RC_DECODERS y
217 set_kernel_config CONFIG_IR_NEC_DECODER m
218 set_kernel_config CONFIG_IR_RC5_DECODER m
219 set_kernel_config CONFIG_IR_RC6_DECODER m
220 set_kernel_config CONFIG_IR_JVC_DECODER m
221 set_kernel_config CONFIG_IR_SONY_DECODER m
222 set_kernel_config CONFIG_IR_SANYO_DECODER m
223 set_kernel_config CONFIG_IR_SHARP_DECODER m
224 set_kernel_config CONFIG_IR_MCE_KBD_DECODER m
225 set_kernel_config CONFIG_IR_XMP_DECODER m
226 set_kernel_config CONFIG_IR_IMON_DECODER m
227 set_kernel_config CONFIG_RC_DEVICES y
228 set_kernel_config CONFIG_RC_ATI_REMOTE m
229 set_kernel_config CONFIG_IR_IMON m
230 set_kernel_config CONFIG_IR_MCEUSB m
231 set_kernel_config CONFIG_IR_REDRAT3 m
232 set_kernel_config CONFIG_IR_STREAMZAP m
233 set_kernel_config CONFIG_IR_IGUANA m
234 set_kernel_config CONFIG_IR_TTUSBIR m
235 set_kernel_config CONFIG_RC_LOOPBACK m
236 set_kernel_config CONFIG_IR_GPIO_CIR m
237 set_kernel_config CONFIG_IR_GPIO_TX m
238 set_kernel_config CONFIG_IR_PWM_TX m
239 set_kernel_config CONFIG_VIDEO_V4L2_SUBDEV_API y
240 set_kernel_config CONFIG_VIDEO_AU0828_RC y
241 set_kernel_config CONFIG_VIDEO_CX231XX m
242 set_kernel_config CONFIG_VIDEO_CX231XX_RC y
243 set_kernel_config CONFIG_VIDEO_CX231XX_ALSA m
244 set_kernel_config CONFIG_VIDEO_CX231XX_DVB m
245 set_kernel_config CONFIG_VIDEO_TM6000 m
246 set_kernel_config CONFIG_VIDEO_TM6000_ALSA m
247 set_kernel_config CONFIG_VIDEO_TM6000_DVB m
248 set_kernel_config CONFIG_DVB_USB m
249 set_kernel_config CONFIG_DVB_USB_DIB3000MC m
250 set_kernel_config CONFIG_DVB_USB_A800 m
251 set_kernel_config CONFIG_DVB_USB_DIBUSB_MB m
252 set_kernel_config CONFIG_DVB_USB_DIBUSB_MB_FAULTY y
253 set_kernel_config CONFIG_DVB_USB_DIBUSB_MC m
254 set_kernel_config CONFIG_DVB_USB_DIB0700 m
255 set_kernel_config CONFIG_DVB_USB_UMT_010 m
256 set_kernel_config CONFIG_DVB_USB_CXUSB m
257 set_kernel_config CONFIG_DVB_USB_M920X m
258 set_kernel_config CONFIG_DVB_USB_DIGITV m
259 set_kernel_config CONFIG_DVB_USB_VP7045 m
260 set_kernel_config CONFIG_DVB_USB_VP702X m
261 set_kernel_config CONFIG_DVB_USB_GP8PSK m
262 set_kernel_config CONFIG_DVB_USB_NOVA_T_USB2 m
263 set_kernel_config CONFIG_DVB_USB_TTUSB2 m
264 set_kernel_config CONFIG_DVB_USB_DTT200U m
265 set_kernel_config CONFIG_DVB_USB_OPERA1 m
266 set_kernel_config CONFIG_DVB_USB_AF9005 m
267 set_kernel_config CONFIG_DVB_USB_AF9005_REMOTE m
268 set_kernel_config CONFIG_DVB_USB_PCTV452E m
269 set_kernel_config CONFIG_DVB_USB_DW2102 m
270 set_kernel_config CONFIG_DVB_USB_CINERGY_T2 m
271 set_kernel_config CONFIG_DVB_USB_DTV5100 m
272 set_kernel_config CONFIG_DVB_USB_AZ6027 m
273 set_kernel_config CONFIG_DVB_USB_TECHNISAT_USB2 m
274 set_kernel_config CONFIG_DVB_USB_AF9015 m
275 set_kernel_config CONFIG_DVB_USB_LME2510 m
276 set_kernel_config CONFIG_DVB_USB_RTL28XXU m
277 set_kernel_config CONFIG_VIDEO_EM28XX_RC m
278 set_kernel_config CONFIG_SMS_SIANO_RC m
279 set_kernel_config CONFIG_VIDEO_IR_I2C m
280 set_kernel_config CONFIG_VIDEO_ADV7180 m
281 set_kernel_config CONFIG_VIDEO_TC358743 m
282 set_kernel_config CONFIG_VIDEO_OV5647 m
283 set_kernel_config CONFIG_DVB_M88DS3103 m
284 set_kernel_config CONFIG_DVB_AF9013 m
285 set_kernel_config CONFIG_DVB_RTL2830 m
286 set_kernel_config CONFIG_DVB_RTL2832 m
287 set_kernel_config CONFIG_DVB_SI2168 m
288 set_kernel_config CONFIG_DVB_GP8PSK_FE m
289 set_kernel_config CONFIG_DVB_USB m
290 set_kernel_config CONFIG_DVB_LGDT3306A m
291 set_kernel_config CONFIG_FB_SIMPLE y
292 set_kernel_config CONFIG_SND_BCM2708_SOC_IQAUDIO_CODEC m
293 set_kernel_config CONFIG_SND_BCM2708_SOC_I_SABRE_Q2M m
294 set_kernel_config CONFIG_SND_AUDIOSENSE_PI m
295 set_kernel_config CONFIG_SND_SOC_AD193X m
296 set_kernel_config CONFIG_SND_SOC_AD193X_SPI m
297 set_kernel_config CONFIG_SND_SOC_AD193X_I2C m
298 set_kernel_config CONFIG_SND_SOC_CS4265 m
299 set_kernel_config CONFIG_SND_SOC_DA7213 m
300 set_kernel_config CONFIG_SND_SOC_ICS43432 m
301 set_kernel_config CONFIG_SND_SOC_TLV320AIC32X4 m
302 set_kernel_config CONFIG_SND_SOC_TLV320AIC32X4_I2C m
303 set_kernel_config CONFIG_SND_SOC_I_SABRE_CODEC m
304 set_kernel_config CONFIG_HID_BIGBEN_FF m
305 #set_kernel_config CONFIG_USB_XHCI_PLATFORM y
306 set_kernel_config CONFIG_USB_TMC m
307 set_kernel_config CONFIG_USB_UAS y
308 set_kernel_config CONFIG_USBIP_VUDC m
309 set_kernel_config CONFIG_USB_CONFIGFS m
310 set_kernel_config CONFIG_USB_CONFIGFS_SERIAL y
311 set_kernel_config CONFIG_USB_CONFIGFS_ACM y
312 set_kernel_config CONFIG_USB_CONFIGFS_OBEX y
313 set_kernel_config CONFIG_USB_CONFIGFS_NCM y
314 set_kernel_config CONFIG_USB_CONFIGFS_ECM y
315 set_kernel_config CONFIG_USB_CONFIGFS_ECM_SUBSET y
316 set_kernel_config CONFIG_USB_CONFIGFS_RNDIS y
317 set_kernel_config CONFIG_USB_CONFIGFS_EEM y
318 set_kernel_config CONFIG_USB_CONFIGFS_MASS_STORAGE y
319 set_kernel_config CONFIG_USB_CONFIGFS_F_LB_SS y
320 set_kernel_config CONFIG_USB_CONFIGFS_F_FS y
321 set_kernel_config CONFIG_USB_CONFIGFS_F_UAC1 y
322 set_kernel_config CONFIG_USB_CONFIGFS_F_UAC2 y
323 set_kernel_config CONFIG_USB_CONFIGFS_F_MIDI y
324 set_kernel_config CONFIG_USB_CONFIGFS_F_HID y
325 set_kernel_config CONFIG_USB_CONFIGFS_F_UVC y
326 set_kernel_config CONFIG_USB_CONFIGFS_F_PRINTER y
327 set_kernel_config CONFIG_LEDS_PCA963X m
328 set_kernel_config CONFIG_LEDS_IS31FL32XX m
329 set_kernel_config CONFIG_LEDS_TRIGGER_NETDEV m
330 set_kernel_config CONFIG_RTC_DRV_RV3028 m
331 set_kernel_config CONFIG_AUXDISPLAY y
332 set_kernel_config CONFIG_HD44780 m
333 set_kernel_config CONFIG_FB_TFT_SH1106 m
334 set_kernel_config CONFIG_VIDEO_CODEC_BCM2835 m
335 set_kernel_config CONFIG_BCM2835_POWER y
336 set_kernel_config CONFIG_INV_MPU6050_IIO m
337 set_kernel_config CONFIG_INV_MPU6050_I2C m
338 set_kernel_config CONFIG_SECURITYFS y
339
340 # Safer to build this in
341 set_kernel_config CONFIG_BINFMT_MISC y
342
343 # pulseaudio wants a buffer of at least this size
344 set_kernel_config CONFIG_SND_HDA_PREALLOC_SIZE 2048
345
346 # PR#3063: enable 3D acceleration with 64-bit kernel on RPi4
347 # set the appropriate kernel configs unlocked by this PR
348 set_kernel_config CONFIG_ARCH_BCM y
349 set_kernel_config CONFIG_ARCH_BCM2835 y
350 set_kernel_config CONFIG_DRM_V3D m
351 set_kernel_config CONFIG_DRM_VC4 m
352 set_kernel_config CONFIG_DRM_VC4_HDMI_CEC y
353
354 # PR#3144: add arm64 pcie bounce buffers; enables 4GiB on RPi4
355 # required by PR#3144; should already be applied, but just to be safe
356 set_kernel_config CONFIG_PCIE_BRCMSTB y
357 set_kernel_config CONFIG_BCM2835_MMC y
358
359 # Snap needs squashfs. The ubuntu eoan-preinstalled-server image at
360 # http://cdimage.ubuntu.com/ubuntu-server/daily-preinstalled/current/ uses snap
361 # during cloud-init setup at first boot. Without this the login accounts are not
362 # created and the user can not login.
363 set_kernel_config CONFIG_SQUASHFS y
364
365 # Ceph support for Block Device (RBD) and Filesystem (FS)
366 # https://docs.ceph.com/docs/master/
367 set_kernel_config CONFIG_CEPH_LIB m
368 set_kernel_config CONFIG_CEPH_LIB_USE_DNS_RESOLVER y
369 set_kernel_config CONFIG_CEPH_FS m
370 set_kernel_config CONFIG_CEPH_FSCACHE y
371 set_kernel_config CONFIG_CEPH_FS_POSIX_ACL y
372 set_kernel_config CONFIG_BLK_DEV_RBD m
123 373 fi
124 374
125 375 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
126 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
376 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ]; } ; then
377 set_kernel_config CONFIG_HAVE_KVM y
378 set_kernel_config CONFIG_HIGH_RES_TIMERS y
127 379 set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
128 380 set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
129 381 set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
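Review bot: the `RPI_MODEL=4` block (new lines 154-372) sets several symbols twice, which is harmless but hides intent: `CONFIG_NF_FLOW_TABLE m` (161 and 177), `CONFIG_NFT_FIB_IPV6 m` (167 and 185) and `CONFIG_DVB_USB m` (248 and 289). More importantly the block mixes things unrelated to the Pi 4 (nftables, IR remote decoders, DVB tuners, USB gadget functions, Ceph, squashfs) under a comment that says they come from the 32-bit LPAE config; the netfilter lines also duplicate the `KERNEL_NF` block further down, so a user with `KERNEL_NF=false` still gets them. Split the hardware-specific lines (BCM2835, VC4/V3D, PCIe, thermal, TPM, hwrng) from the generic feature lines and gate the latter on their existing `KERNEL_*` switches. Finally, `CONFIG_HAVE_KVM y` (377) is an arch-selected symbol with no prompt; writing it to .config does nothing and it can be dropped.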
@@ -138,11 +390,13 if [ "$BUILD_KERNEL" = true ] ; then
138 390 set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
139 391 set_kernel_config CONFIG_KVM_MMIO y
140 392 set_kernel_config CONFIG_KVM_VFIO y
393 set_kernel_config CONFIG_KVM_MMU_AUDIT y
141 394 set_kernel_config CONFIG_VHOST m
142 395 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
143 396 set_kernel_config CONFIG_VHOST_NET m
144 397 set_kernel_config CONFIG_VIRTUALIZATION y
145
398 set_kernel_config CONFIG_SLAB_FREELIST_RANDOM=y
399 set_kernel_config CONFIG_SLAB_FREELIST_HARDENED=y
146 400 set_kernel_config CONFIG_MMU_NOTIFIER y
147 401
148 402 # erratum
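Review bot: new lines 398-399 pass a single `CONFIG_X=y` token to `set_kernel_config`, while every other call in the file passes symbol and value as two arguments (`set_kernel_config CONFIG_MMU_NOTIFIER y`); as written these two calls will not enable anything. Slab freelist randomisation and hardening are also general memory-safety mitigations, not KVM options, so they belong outside the `KERNEL_VIRT` block where they apply to every build. `CONFIG_KVM_MMU_AUDIT y` (393) is an x86-only symbol (arch/x86/kvm/Kconfig) and has no effect on arm or arm64.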
@@ -193,12 +447,6 if [ "$BUILD_KERNEL" = true ] ; then
193 447 set_kernel_config CONFIG_SECURITY_PATH y
194 448 set_kernel_config CONFIG_SECURITY_YAMA n
195 449
196 # New Options
197 if [ "$KERNEL_NF" = true ] ; then
198 set_kernel_config CONFIG_IP_NF_SECURITY m
199 set_kernel_config CONFIG_NETLABEL y
200 set_kernel_config CONFIG_IP6_NF_SECURITY m
201 fi
202 450 set_kernel_config CONFIG_SECURITY_SELINUX n
203 451 set_kernel_config CONFIG_SECURITY_SMACK n
204 452 set_kernel_config CONFIG_SECURITY_TOMOYO n
@@ -211,7 +459,6 if [ "$BUILD_KERNEL" = true ] ; then
211 459 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
212 460 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
213 461 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
214 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
215 462 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
216 463 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
217 464 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
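Review bot: dropping `CONFIG_SYSTEM_TRUSTED_KEYS y` is correct: that symbol is a string holding the path to a PEM file of additional X.509 certificates for the builtin trusted keyring, so `y` was never a valid value. If the intent was to ship extra certificates in the kernel keyring, set it to a quoted path instead; otherwise its default empty string is fine and nothing else is needed.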
@@ -233,11 +480,13 if [ "$BUILD_KERNEL" = true ] ; then
233 480 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
234 481 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
235 482 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
236 set_kernel_config SYSTEM_TRUSTED_KEYS
237 483 fi
238 484
239 485 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
240 486 if [ "$KERNEL_NF" = true ] ; then
487 set_kernel_config CONFIG_IP_NF_SECURITY m
488 set_kernel_config CONFIG_NETLABEL y
489 set_kernel_config CONFIG_IP6_NF_SECURITY m
241 490 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
242 491 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
243 492 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
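Review bot: removing the bare `set_kernel_config SYSTEM_TRUSTED_KEYS` (old line 236) is right, it had neither the `CONFIG_` prefix nor a value. The three lines moved into the `KERNEL_NF` block are in the right place now, but `CONFIG_NETLABEL y` (488) only does anything when an LSM that consumes NetLabel (SELinux or Smack) is built, and this script sets `CONFIG_SECURITY_SELINUX n` and `CONFIG_SECURITY_SMACK n` (lines 450-451); either drop it or tie it to `KERNEL_SECURITY`.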
@@ -263,7 +512,6 if [ "$BUILD_KERNEL" = true ] ; then
263 512 set_kernel_config CONFIG_IP6_NF_NAT m
264 513 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
265 514 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
266 set_kernel_config CONFIG_IP_NF_SECURITY m
267 515 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
268 516 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
269 517 set_kernel_config CONFIG_IP_SET_HASH_IP m
@@ -326,11 +574,11 if [ "$BUILD_KERNEL" = true ] ; then
326 574 set_kernel_config CONFIG_NF_LOG_IPV6 m
327 575 set_kernel_config CONFIG_NF_NAT_IPV4 m
328 576 set_kernel_config CONFIG_NF_NAT_IPV6 m
329 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
330 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
577 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 y
578 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 y
331 579 set_kernel_config CONFIG_NF_NAT_PPTP m
332 580 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
333 set_kernel_config CONFIG_NF_NAT_REDIRECT m
581 set_kernel_config CONFIG_NF_NAT_REDIRECT y
334 582 set_kernel_config CONFIG_NF_NAT_SIP m
335 583 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
336 584 set_kernel_config CONFIG_NF_NAT_TFTP m
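Review bot: changing `CONFIG_NF_NAT_MASQUERADE_IPV4`, `CONFIG_NF_NAT_MASQUERADE_IPV6` and `CONFIG_NF_NAT_REDIRECT` from `m` to `y` (577-581) is consistent with these being non-modular `bool` symbols selected by the MASQUERADE/REDIRECT targets in the rpi-4.19.y branch this patch moves to, but the reason is not recorded anywhere; add a one-line comment so that nobody flips them back to `m` and then wonders why the setting is silently dropped at olddefconfig time.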
@@ -340,17 +588,35 if [ "$BUILD_KERNEL" = true ] ; then
340 588 set_kernel_config CONFIG_NF_TABLES_ARP m
341 589 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
342 590 set_kernel_config CONFIG_NF_TABLES_INET m
343 set_kernel_config CONFIG_NF_TABLES_IPV4 m
344 set_kernel_config CONFIG_NF_TABLES_IPV6 m
591 set_kernel_config CONFIG_NF_TABLES_IPV4 y
592 set_kernel_config CONFIG_NF_TABLES_IPV6 y
345 593 set_kernel_config CONFIG_NF_TABLES_NETDEV m
594 set_kernel_config CONFIG_NF_TABLES_SET m
595 set_kernel_config CONFIG_NF_TABLES_INET y
596 set_kernel_config CONFIG_NF_TABLES_NETDEV y
597 set_kernel_config CONFIG_NFT_CONNLIMIT m
598 set_kernel_config CONFIG_NFT_TUNNEL m
599 set_kernel_config CONFIG_NFT_SOCKET m
600 set_kernel_config CONFIG_NFT_TPROXY m
601 set_kernel_config CONFIG_NF_FLOW_TABLE m
602 set_kernel_config CONFIG_NFT_FLOW_OFFLOAD m
603 set_kernel_config CONFIG_NF_FLOW_TABLE_INET m
604 set_kernel_config CONFIG_NF_TABLES_ARP y
605 set_kernel_config CONFIG_NF_FLOW_TABLE_IPV4 y
606 set_kernel_config CONFIG_NF_FLOW_TABLE_IPV6 y
607 set_kernel_config CONFIG_NF_TABLES_BRIDGE y
608 set_kernel_config CONFIG_NF_CT_NETLINK_TIMEOUT m
609 set_kernel_config CONFIG_NFT_OSF m
610
346 611 fi
347 612
348 613 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
349 614 if [ "$KERNEL_BPF" = true ] ; then
350 615 set_kernel_config CONFIG_BPF_SYSCALL y
351 set_kernel_config CONFIG_BPF_EVENTS y
352 set_kernel_config CONFIG_BPF_STREAM_PARSER y
616 set_kernel_config CONFIG_BPF_EVENTS y
617 set_kernel_config CONFIG_BPF_STREAM_PARSER y
353 618 set_kernel_config CONFIG_CGROUP_BPF y
619 set_kernel_config CONFIG_XDP_SOCKETS y
354 620 fi
355 621
356 622 # KERNEL_DEFAULT_GOV was set by user
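Review bot: the hunk sets the same symbols to contradicting values a few lines apart: `CONFIG_NF_TABLES_INET m` (590) then `y` (595), `CONFIG_NF_TABLES_NETDEV m` (593) then `y` (596), `CONFIG_NF_TABLES_ARP m` (588) then `y` (604), `CONFIG_NF_TABLES_BRIDGE m` (589) then `y` (607). Whichever `set_kernel_config` runs last wins, so the earlier line is dead or, if the helper appends rather than replaces, leaves duplicate entries in .config; keep one line per symbol with the value that matches the 4.19 Kconfig type. Also drop the trailing blank line 610 before `fi`.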
@@ -358,10 +624,10 if [ "$BUILD_KERNEL" = true ] ; then
358 624
359 625 case "$KERNEL_DEFAULT_GOV" in
360 626 performance)
361 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
627 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
362 628 ;;
363 629 userspace)
364 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
630 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
365 631 ;;
366 632 ondemand)
367 633 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
@@ -537,20 +803,28 if [ "$BUILD_KERNEL" = true ] ; then
537 803 fi
538 804
539 805 else # BUILD_KERNEL=false
540 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
541
542 # Use Sakakis modified kernel if ZSWAP is active
543 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
544 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
545 fi
806 if [ "$SET_ARCH" = 64 ] ; then
807 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
808 # Use Sakakis modified kernel if ZSWAP is active
809 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
810 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
811 fi
546 812
547 # Create temporary directory for dl
548 temp_dir=$(as_nobody mktemp -d)
813 # Create temporary directory for dl
814 temp_dir=$(as_nobody mktemp -d)
549 815
550 # Fetch kernel dl
551 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
816 # Fetch kernel dl
817 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
818 fi
819 if [ "$SET_ARCH" = 64 ] && [ "$RPI_MODEL" = 4 ] ; then
820 # Create temporary directory for dl
821 temp_dir=$(as_nobody mktemp -d)
552 822
553 #extract download
823 # Fetch kernel dl
824 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI4_64_KERNEL_URL"
825 fi
826
827 #extract download
554 828 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
555 829
556 830 #move extracted kernel to /boot/firmware
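Review bot: the restructured 64-bit branch breaks `SET_ARCH=64` with a model other than 3/3P/4. Before, `tar -xJf "${temp_dir}"/kernel.tar.xz` sat inside the model check; now the outer `if [ "$SET_ARCH" = 64 ]` (806) only conditionally sets `temp_dir` and extracts unconditionally, so for example `RPI_MODEL=2` runs `tar -xJf /kernel.tar.xz` and fails. Either guard the extraction on `temp_dir` being set or reject unsupported model/arch combinations up front. The inner `[ "$SET_ARCH" = 64 ]` on line 819 is redundant inside that block, and the two download blocks differ only in the URL, so one block with the URL chosen by model would be clearer. `RPI4_64_KERNEL_URL` is not defined anywhere in this patch; please point to where it is set. Finally, both `wget` calls fetch a prebuilt kernel that is then unpacked into the image as root with no checksum or signature check; since this is the boot-critical payload, pin a SHA-256 per URL and verify it before `tar -x`.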
@@ -566,15 +840,15 else # BUILD_KERNEL=false
566 840 chown -R root:root "${R}/lib/modules"
567 841 fi
568 842
569 # Install Kernel from hypriot comptabile with all Raspberry PI
570 if [ "$SET_ARCH" = 32 ] ; then
843 # Install Kernel from hypriot comptabile with all Raspberry PI (dunno if its compatible with RPI4 - better compile your own kernel)
844 if [ "$SET_ARCH" = 32 ] && [ "$RPI_MODEL" != 4 ] ; then
571 845 # Create temporary directory for dl
572 846 temp_dir=$(as_nobody mktemp -d)
573 847
574 848 # Fetch kernel
575 849 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
576 850
577 # Copy downloaded U-Boot sources
851 # Copy downloaded kernel package
578 852 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
579 853
580 854 # Set permissions
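Review bot: with `[ "$RPI_MODEL" != 4 ]` added on line 844, a build with `SET_ARCH=32`, `RPI_MODEL=4` and `BUILD_KERNEL=false` now skips kernel installation entirely and goes on to produce an image with no kernel; the script should abort with a clear message ("no prebuilt 32-bit kernel for RPI4, set BUILD_KERNEL=true") rather than rely on the parenthetical in the comment. The rewritten comment also keeps the old typo "comptabile".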
@@ -8,108 +8,112
8 8 # Install and setup fstab
9 9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10 10
11 # Add usb/sda disk root partition to fstab
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
14 fi
15
16 # Add encrypted root partition to fstab and crypttab
17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 # Replace fstab root partition with encrypted partition mapping
19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20
21 # Add encrypted partition to crypttab and fstab
22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24
25 if [ "$ENABLE_SPLITFS" = true ] ; then
26 # Add usb/sda1 disk to crypttab
27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28 fi
29 fi
30
31 if [ "$ENABLE_USBBOOT" = true ] ; then
32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
35 # Add usb/sda2 disk to crypttab
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
37 fi
38
39 11 # Generate initramfs file
40 12 if [ "$ENABLE_INITRAMFS" = true ] ; then
41 13 if [ "$ENABLE_CRYPTFS" = true ] ; then
14
42 15 # Include initramfs scripts to auto expand encrypted root partition
43 16 if [ "$EXPANDROOT" = true ] ; then
44 17 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
45 18 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
46 19 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
47 20 fi
48
49 if [ "$ENABLE_DHCP" = false ] ; then
50 # Get cdir from NET_ADDRESS e.g. 24
51 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
21
22 # Replace fstab root partition with encrypted partition mapping
23 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
52 24
53 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
54 NET_MASK=$(cdr2mask "$cdir")
25 # Add encrypted partition to crypttab and fstab
26 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
27 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
55 28
56 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
58
59 # Regenerate initramfs
60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
29 if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then
30 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
31 # Add usb/sda2 disk to crypttab
32 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
33 fi
34
35 # Add encrypted root partition to fstab and crypttab
36 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then
37 # Add usb/sda1 disk to crypttab
38 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
61 39 fi
62 40
63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
64 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
65 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
66 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
67 else
68 # Create key
69 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
70
71 # Convert dropbear key to openssh key
72 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
73
74 # Get Public Key Part
75 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
76
77 # Delete unwanted lines
78 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
79 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
80
81 # Trust the new key
82 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
83
84 # Save Keys - convert with putty from rsa/openssh to puttkey
85 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
86
87 # Get unlock script
88 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
89
90 # Enable Dropbear inside initramfs
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
41 if [ "$CRYPTFS_DROPBEAR" = true ]; then
42 if [ "$ENABLE_DHCP" = false ] ; then
43 # Get cdir from NET_ADDRESS e.g. 24
44 cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2)
92 45
93 # Enable Dropbear inside initramfs
94 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
95 fi
96 else
97 # Disable SSHD inside initramfs
98 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
99 fi
46 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
47 NET_MASK=$(cdr2mask "$cdir")
48
49 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
50 # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
51 sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
52 else
53 sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf
54 fi
55
56 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
57 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
58 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
59 else
60 # Create key
61 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
62
63 # Convert dropbear key to openssh key
64 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
65
66 # Get Public Key Part
67 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
68
69 # Delete unwanted lines
70 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
71 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
72
73 # Trust the new key
74 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
75
76 # Save Keys - convert with putty from rsa/openssh to puttkey
77 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
78
79 # Get unlock script
80 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
81
82 # Enable Dropbear inside initramfs
83 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
84
85 # Enable Dropbear inside initramfs
86 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
87 fi
88 # CRYPTFSDROPBEAR=false
89 else
90 # Disable SSHD inside initramfs
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
92 fi
100 93
101 94 # Add cryptsetup modules to initramfs
102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
95 #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
103 96
104 97 # Dummy mapping required by mkinitramfs
105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
98 echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
106 99
107 100 # Generate initramfs with encrypted root partition support
108 101 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
109 102
110 103 # Remove dummy mapping
111 104 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
105 # CRYPTFS=false
112 106 else
107 #USB BOOT /boot on sda1 / on sda2
108 if [ "$ENABLE_USBBOOT" = true ] ; then
109 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
110 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
111 fi
112
113 # Add usb/sda disk root partition to fstab
114 if [ "$ENABLE_SPLITFS" = true ] ; then
115 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
116 fi
113 117 # Generate initramfs without encrypted root partition support
114 118 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
115 119 fi
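Review bot: the static-IP and DHCP lines written at new lines 51 and 53 (`sed -i "\$a\nIP=..."`) most likely no longer produce an `IP=` key: with GNU sed the backslash directly after `a` is read as the `a\` command separator, so the appended text starts with a literal `n` (`nIP=...`), whereas the old line 57 form `\$aIP=${NET_ADDRESS}::...` appended the key correctly. Keep the old form (or use `printf '...\n' >>` as the neighbouring DROPBEAR lines do) and inspect the generated initramfs.conf. Two smaller points in the same region: the crypttab/fstab rewriting at new lines 29-39 leaves both files pointing at mmcblk0p2 when ENABLE_USBBOOT and ENABLE_SPLITFS are both true (neither branch matches), while the non-encrypted branch at new lines 108-116 still applies the USB-boot substitution in that case; and new line 98 nests double quotes inside the echoed string (`"0 1 crypt "${CRYPTFS_CIPHER}" ffff..."`), which happens to concatenate correctly but reads as a quoting mistake and will trip shellcheck, so write it as `"0 1 crypt ${CRYPTFS_CIPHER} ffff..."`.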
@@ -112,7 +112,7 if [ "$ENABLE_TURBO" = true ] ; then
112 112 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
113 113 fi
114 114
115 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
115 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ]; then
116 116
117 117 # Bluetooth enabled
118 118 if [ "$ENABLE_BLUETOOTH" = true ] ; then
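Review bot: adding model 4 to this condition enables the pi-bluetooth install for the Pi 4, but the only HCI firmware fetched in the block below is BCM43430A1.hcd, which is the controller on the Pi 3/Zero W; the Pi 3B+ and Pi 4 carry a different Broadcom controller whose .hcd (BCM4345C0.hcd in the same RPi-Distro/bluez-firmware tree) is never downloaded, so confirm Bluetooth actually comes up on a 4 (and on a 3P) before merging, and fetch the matching .hcd per model.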
@@ -125,12 +125,12 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
125 125 # Copy downloaded sources
126 126 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
127 127
128 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
129 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
130 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
131
132 128 # Set permissions
133 129 chown -R root:root "${R}/tmp/pi-bluetooth"
130
131 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
132 wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
133 wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
134 134
135 135 # Install tools
136 136 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
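Review bot: the two wget calls drop the `as_nobody` wrapper and now run as root, which undoes the privilege drop the previous version had for fetching untrusted content; keep `as_nobody` and move the `chown -R root:root` back below the downloads, as it was. Separately, both the firmware blob and the licence are fetched with `-q` and without any checksum check, so a failed or tampered download is silently installed into the image; at minimum test wget's exit status, ideally compare the .hcd against a pinned sha256sum.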
@@ -210,7 +210,11 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
210 210
211 211 # Change into downloaded src dir
212 212 cd "${R}/tmp/systemd-swap" || exit
213
213
214 # Get Verion
215 VERSION=$(git tag | tail -n 1)
216 #sed -i "s/DEB_NAME=.*/DEB_NAME=systemd-swap_all/g" "${R}/tmp/systemd-swap/package.sh"
217
214 218 # Build package
215 219 bash ./package.sh debian
216 220
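Review bot: `VERSION=$(git tag | tail -n 1)` does not reliably yield the newest release: `git tag` sorts lexically, so `4.9` sorts after `4.10`, and the tag it picks need not be the revision that is actually checked out and built by package.sh, in which case the .deb name used in the following hunk will not exist. Use `git describe --tags --abbrev=0` on the checked-out revision, or `git tag --sort=-v:refname | head -n 1` followed by a checkout of that tag. Also fix the `Verion` typo and remove the commented-out sed line rather than leaving it in.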
@@ -221,7 +225,7 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
221 225 chown -R root:root "${R}/tmp/systemd-swap"
222 226
223 227 # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
224 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
228 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_"$VERSION"_all.deb
225 229
226 230 # Enable service
227 231 chroot_exec systemctl enable systemd-swap
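Review bot: the comment above this line (`IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.`) is now stale, and the install still depends on VERSION matching whatever package.sh produced. A more robust form installs whatever was built, e.g. `chroot_exec sh -c 'dpkg -i /tmp/systemd-swap/systemd-swap_*_all.deb'` (the glob has to expand inside the chroot, not in the host shell), and fails loudly when no file matches.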
@@ -106,7 +106,7 if [ "$ENABLE_WIRELESS" = true ] ; then
106 106 temp_dir=$(as_nobody mktemp -d)
107 107
108 108 # Fetch firmware binary blob for RPI3B+
109 if [ "$RPI_MODEL" = 3P ] ; then
109 if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
110 110 # Fetch firmware binary blob for RPi3P
111 111 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
112 112 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
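Review bot: the comments on the lines above and below (`Fetch firmware binary blob for RPI3B+` / `for RPi3P`) are out of date now that the branch also serves RPI_MODEL=4; update them. Check as well whether the Pi 4 needs any file beyond brcmfmac43455-sdio.bin/.txt from the WLAN_FIRMWARE_URL tree (a .clm_blob, for instance) before treating the two models identically.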
@@ -34,11 +34,11 if [ "$ENABLE_VIDEOCORE" = true ] ; then
34 34 cd "${R}"/tmp/userland/build
35 35
36 36 if [ "$RELEASE_ARCH" = "arm64" ] ; then
37 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
37 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/aarch64-linux-gnu.cmake -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
38 38 fi
39 39
40 40 if [ "$RELEASE_ARCH" = "armel" ] ; then
41 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
41 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
42 42 fi
43 43
44 44 if [ "$RELEASE_ARCH" = "armhf" ] ; then
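Review bot: the armel branch (new line 41) passes `-DCMAKE_TOOLCHAIN_FILE=.../toolchains/arm-linux-gnueabihf.cmake` while still selecting the soft-float `arm-linux-gnueabi-gcc` compilers; a hard-float toolchain file will set compiler names and flags that conflict with the armel target, so either point it at an armel toolchain file (if the userland tree has one) or leave the toolchain file out of this branch. The arm64 change (new line 37) is consistent, but both lines now name the compiler twice, via the toolchain file and via -DCMAKE_C_COMPILER/-DCMAKE_CXX_COMPILER; drop one of the two.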
@@ -74,7 +74,7 if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
74 74 cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
75 75 fi
76 76
77 if [ "$RPI_MODEL" = 3P ] ; then
77 if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
78 78 cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
79 79 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
80 80 make clean
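Review bot: extending this branch to RPI_MODEL=4 applies the bcm43455c0/7_45_154 nexmon patch set to the Pi 4; confirm that the firmware the Pi 4's 43455 actually runs is 7.45.154 (the Pi 3B+ target) and not a newer release, because nexmon patches are firmware-version specific and a mismatched RAM_FILE leaves the radio non-functional. While here, `${NEXMON_ROOT}` in the sed command on line 79 is unquoted.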
@@ -44,6 +44,9 RPI_MODEL=${RPI_MODEL:=2}
44 44
45 45 # Debian release
46 46 RELEASE=${RELEASE:=buster}
47 if [ $RELEASE = "bullseye" ] ; then
48 RELEASE=testing
49 fi
47 50
48 51 # Kernel Branch
49 52 KERNEL_BRANCH=${KERNEL_BRANCH:=""}
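Review bot: `[ $RELEASE = "bullseye" ]` leaves `$RELEASE` unquoted, so an empty value turns the test into a syntax error; quote it. More importantly, mapping bullseye to `testing` makes the build track a moving suite instead of a named release, so two builds a week apart can produce different images. If the reason is that debootstrap on the build host lacks a bullseye suite script, say so in a comment and document the behaviour in the README; otherwise keep the suite name.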
@@ -52,7 +55,6 KERNEL_BRANCH=${KERNEL_BRANCH:=""}
52 55 KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
53 56 FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
54 57 WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm}
55 COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
56 58 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 59 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 60 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
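Review bot: COLLABORA_URL is removed here; confirm that no bootstrap.d script or README section still references it, since an unset URL variable silently expands to an empty string in a wget call or apt source line.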
@@ -64,11 +66,16 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.gi
64 66 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
65 67 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
66 68 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
69 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.19.80.20191022/bcmrpi3-kernel-bis-4.19.80.20191022.tar.xz}
68 70 # Default precompiled 64bit kernel
69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
71 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.19.80.20191022/bcmrpi3-kernel-4.19.80.20191022.tar.xz}
72 # Sakaki BIS Kernel RPI4 - https://github.com/sakaki-/bcm2711-kernel-bis
73 RPI4_64_BIS_KERNEL_URL=${RPI4_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcm2711-kernel-bis/releases/download/4.19.59.20190724/bcm2711-kernel-bis-4.19.59.20190724.tar.xz}
74 # Default precompiled 64bit kernel - https://github.com/sakaki-/bcm2711-kernel
75 RPI4_64_DEF_KERNEL_URL=${RPI4_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcm2711-kernel-bis/releases/download/4.19.59.20190724/bcm2711-kernel-bis-4.19.59.20190724.tar.xz}
70 76 # Generic
71 77 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
78 RPI4_64_KERNEL_URL=${RPI4_64_KERNEL_URL:=$RPI4_64_DEF_KERNEL_URL}
72 79 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
73 80 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
74 81
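Review bot: new line 75 sets RPI4_64_DEF_KERNEL_URL to the bcm2711-kernel-bis tarball although the comment above it says the default comes from sakaki-/bcm2711-kernel; either the URL or the comment is wrong, and as written the DEF and BIS variables are identical. The Pi 4 URLs are also pinned to 4.19.59 while the Pi 3 ones were bumped to 4.19.80 in the same hunk. None of these prebuilt kernel tarballs is checksum- or signature-verified before being unpacked into the image, which is worth adding now that a second third-party source is introduced.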
@@ -191,6 +198,10 KERNEL_BPF=${KERNEL_BPF:=false}
191 198 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
192 199 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
193 200 KERNEL_NF=${KERNEL_NF:=false}
201 KERNEL_DHKEY=${KERNEL_DHKEY:=true}
202 KERNEL_BTRFS=${KERNEL_BTRFS:=false}
203 KERNEL_NSPAN=${KERNEL_NSPAN:=false}
204 KERNEL_POEHAT=${KERNEL_POEHAT:=false}
194 205
195 206 # Kernel compilation from source directory settings
196 207 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
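Review bot: four new KERNEL_* switches are introduced without documentation; add KERNEL_DHKEY, KERNEL_BTRFS, KERNEL_NSPAN and KERNEL_POEHAT to the README's kernel configuration list with a sentence each on which config options they toggle. KERNEL_DHKEY is the only one defaulting to true, so state why.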
@@ -212,7 +223,8 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
212 223 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
213 224 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
214 225 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
215 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
226 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"}
227 CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"}
216 228 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
217 229 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
218 230 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
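Review bot: splitting CRYPTFS_CIPHER into cipher and hash is the right fix, but it is a breaking change for existing configs that set CRYPTFS_CIPHER="aes-xts-plain64:sha512": that value is now passed verbatim to `cryptsetup -c`, which will reject it. Either strip a trailing `:hash` for compatibility or call the change out in the README and template files, and document CRYPTFS_HASH alongside it.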
@@ -224,13 +236,13 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
224 236
225 237 # Packages required in the chroot build environment
226 238 APT_INCLUDES=${APT_INCLUDES:=""}
227 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
239 APT_INCLUDES="${APT_INCLUDES},flex,bison,libssl-dev,apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
228 240
229 241 # Packages to exclude from chroot build environment
230 242 APT_EXCLUDES=${APT_EXCLUDES:=""}
231 243
232 244 # Packages required for bootstrapping
233 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo"
245 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus bison flex libssl-dev sudo"
234 246 MISSING_PACKAGES=""
235 247
236 248 # Packages installed for c/c++ build environment in chroot (keep empty)
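Review bot: flex, bison and libssl-dev are kernel build dependencies of the build host and belong in REQUIRED_PACKAGES (done on line 245), but adding them to APT_INCLUDES installs parser generators and OpenSSL headers into every generated image, which increases image size and attack surface for no runtime benefit; drop them from APT_INCLUDES unless something inside the chroot genuinely compiles against them.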
@@ -289,13 +301,15 if [ -n "$SET_ARCH" ] ; then
289 301 if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
290 302 if [ "$RPI_MODEL" != 4 ] ; then
291 303 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
304 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
292 305 else
293 306 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2711_defconfig}
307 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7l.img}
294 308 fi
295 309
296 310 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
297 311 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
298 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
312
299 313 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
300 314 fi
301 315 fi
@@ -385,7 +399,7 fi
385 399
386 400 # Add deps for nexmon
387 401 if [ "$ENABLE_NEXMON" = true ] ; then
388 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
402 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf make autoconf automake build-essential libtool"
389 403 fi
390 404
391 405 # Add libncurses5 to enable kernel menuconfig
@@ -401,7 +415,7 fi
401 415 # Add cryptsetup package to enable filesystem encryption
402 416 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
403 417 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
404 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
418 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs"
405 419
406 420 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
407 421 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
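Review bot: cryptsetup-initramfs exists as a separate binary package only from buster onward (in stretch the initramfs hooks ship inside cryptsetup itself), so adding it unconditionally to APT_INCLUDES will make debootstrap fail for RELEASE=stretch, which the script still advertises as supported; include it only for buster and newer, or drop stretch from the supported list.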
@@ -470,7 +484,7 if [ -n "$MISSING_PACKAGES" ] ; then
470 484 [ "$confirm" != "y" ] && exit 1
471 485
472 486 # Make sure all missing required packages are installed
473 apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
487 apt-get update && apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
474 488 fi
475 489
476 490 # Check if ./bootstrap.d directory exists
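Review bot: prefixing `apt-get update` is reasonable, but without `set -e` a failed update now just skips the install and the script carries on; append `|| exit 1` or re-check MISSING_PACKAGES afterwards. The `sed "s/ //"` inside the backticks removes only the first space and is a no-op in practice because the unquoted expansion already word-splits; `apt-get -qq -y install $MISSING_PACKAGES` is clearer.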
@@ -822,7 +836,7 if [ "$ENABLE_CRYPTFS" = true ] ; then
822 836 echo -n ${CRYPTFS_PASSWORD} > .password
823 837
824 838 # Initialize encrypted partition
825 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
839 cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password
826 840
827 841 # Open encrypted partition and setup mapping
828 842 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
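Review bot: replacing `echo "YES" |` with `-q` is the correct way to run luksFormat non-interactively, but `--debug` should not stay in a build script: it writes cryptsetup's internal tracing (command arguments, key-file handling, device state) into the build log, which is noise at best and sensitive at worst. Keep `--verbose` for progress and drop `--debug`. The `.password` file on line 836 is still written from an unquoted `${CRYPTFS_PASSWORD}` under the default umask; quote the expansion and create the file with mode 0600 before writing to it.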