##// END OF EJS Templates
-using --verbose and debug while creating cryptfs to give a hint by default...
Unknown -
r696:2f2cf24844e7 pull
parent child
Show More
@@ -1,13 +1,13
1 # rpi23-gen-image
1 # rpi23-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9
9
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain.
11
11
12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13
13
@@ -61,7 +61,7 A comma-separated list of additional packages to be installed by apt after boots
61
61
62 #### General system settings:
62 #### General system settings:
63 ##### `SET_ARCH`=32
63 ##### `SET_ARCH`=32
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
65
65
66 ##### `RPI_MODEL`=2
66 ##### `RPI_MODEL`=2
67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
@@ -71,6 +71,7 Specify the target Raspberry Pi hardware model. The script at this time supports
71 - `2` = Raspberry Pi 2 model B
71 - `2` = Raspberry Pi 2 model B
72 - `3` = Raspberry Pi 3 model B
72 - `3` = Raspberry Pi 3 model B
73 - `3P` = Raspberry Pi 3 model B+
73 - `3P` = Raspberry Pi 3 model B+
74 - `4` = Raspberry Pi 4 model B
74
75
75 ##### `RELEASE`="buster"
76 ##### `RELEASE`="buster"
76 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
77 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
@@ -230,6 +231,7 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param
230
231
231 ##### `ENABLE_UBOOT`=false
232 ##### `ENABLE_UBOOT`=false
232 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
233 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
234 RPI4 needs tbd
233
235
234 ##### `UBOOTSRC_DIR`=""
236 ##### `UBOOTSRC_DIR`=""
235 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
237 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
@@ -313,7 +315,11 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enab
313
315
314 #### Kernel compilation:
316 #### Kernel compilation:
315 ##### `BUILD_KERNEL`=true
317 ##### `BUILD_KERNEL`=true
316 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
318 Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time.
319 ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel)
320 Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot)
321 Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki)
322
317
323
318 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
324 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
319 This sets the cross-compile environment for the compiler.
325 This sets the cross-compile environment for the compiler.
@@ -390,6 +396,18 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSC
390 ##### `KERNEL_SECURITY`=false
396 ##### `KERNEL_SECURITY`=false
391 Enables Apparmor, integrity subsystem, auditing.
397 Enables Apparmor, integrity subsystem, auditing.
392
398
399 ##### `KERNEL_BTRFS`="false"
400 enable btrfs kernel support
401
402 ##### `KERNEL_POEHAT`="false"
403 enable Enable RPI POE HAT fan kernel support
404
405 ##### `KERNEL_NSPAWN`="false"
406 Enable per-interface network priority control - for systemd-nspawn
407
408 ##### `KERNEL_DHKEY`="true"
409 Diffie-Hellman operations on retained keys - required for >keyutils-1.6
410
393 ---
411 ---
394
412
395 #### Reduce disk usage:
413 #### Reduce disk usage:
@@ -431,9 +449,12 Set password of the encrypted root partition. This parameter is mandatory if `EN
431 ##### `CRYPTFS_MAPPING`="secure"
449 ##### `CRYPTFS_MAPPING`="secure"
432 Set name of dm-crypt managed device-mapper mapping.
450 Set name of dm-crypt managed device-mapper mapping.
433
451
434 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
452 ##### `CRYPTFS_CIPHER`="aes-xts-plain64"
435 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
453 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
436
454
455 ##### `CRYPTFS_HASH`=sha512
456 Hash function and size to be used
457
437 ##### `CRYPTFS_XTSKEYSIZE`=512
458 ##### `CRYPTFS_XTSKEYSIZE`=512
438 Sets key size in bits. The argument has to be a multiple of 8.
459 Sets key size in bits. The argument has to be a multiple of 8.
439
460
@@ -16,9 +16,15 install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
16
16
17 # Use specified APT server and release
17 # Use specified APT server and release
18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
19
20 #Fix for changing path for security updates in testing/bullseye
19 if [ "$RELEASE" = "testing" ] ; then
21 if [ "$RELEASE" = "testing" ] ; then
20 sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
22 sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
21 else
23 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
24 fi
25
26 if [ -z "$RELEASE" ] ; then
27 # Change release in sources list
22 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
28 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
23 fi
29 fi
24
30
@@ -103,7 +103,30 if [ "$BUILD_KERNEL" = true ] ; then
103 #Switch to KERNELSRC_DIR so we can use set_kernel_config
103 #Switch to KERNELSRC_DIR so we can use set_kernel_config
104 cd "${KERNEL_DIR}" || exit
104 cd "${KERNEL_DIR}" || exit
105
105
106 if [ "$KERNEL_ARCH" = arm64 ] ; then
106 # Enable RPI POE HAT fan
107 if [ "$KERNEL_POEHAT" = true ]; then
108 set_kernel_config CONFIG_SENSORS_RPI_POE_FAN m
109 fi
110
111 # Enable per-interface network priority control
112 # (for systemd-nspawn)
113 if [ "$KERNEL_NSPAN" = true ]; then
114 set_kernel_config CONFIG_CGROUP_NET_PRIO y
115 fi
116
117 # Compile in BTRFS
118 if [ "$KERNEL_BTRFS" = true ]; then
119 set_kernel_config CONFIG_BTRFS_FS y
120 set_kernel_config CONFIG_BTRFS_FS_POSIX_ACL y
121 set_kernel_config CONFIG_BTRFS_FS_REF_VERIFY y
122 fi
123
124 # Diffie-Hellman operations on retained keys
125 # (required for >keyutils-1.6)
126 if [ "$KERNEL_DHKEY" = true ]; then
127 set_kernel_config CONFIG_KEY_DH_OPERATIONS y
128 fi
129
107 if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
130 if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
108 # Mask this temporarily during switch to rpi-4.19.y
131 # Mask this temporarily during switch to rpi-4.19.y
109 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
132 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
@@ -8,108 +8,112
8 # Install and setup fstab
8 # Install and setup fstab
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10
10
11 # Add usb/sda disk root partition to fstab
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
14 fi
15
16 # Add encrypted root partition to fstab and crypttab
17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 # Replace fstab root partition with encrypted partition mapping
19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20
21 # Add encrypted partition to crypttab and fstab
22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24
25 if [ "$ENABLE_SPLITFS" = true ] ; then
26 # Add usb/sda1 disk to crypttab
27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28 fi
29 fi
30
31 if [ "$ENABLE_USBBOOT" = true ] ; then
32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
35 # Add usb/sda2 disk to crypttab
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
37 fi
38
39 # Generate initramfs file
11 # Generate initramfs file
40 if [ "$ENABLE_INITRAMFS" = true ] ; then
12 if [ "$ENABLE_INITRAMFS" = true ] ; then
41 if [ "$ENABLE_CRYPTFS" = true ] ; then
13 if [ "$ENABLE_CRYPTFS" = true ] ; then
14
42 # Include initramfs scripts to auto expand encrypted root partition
15 # Include initramfs scripts to auto expand encrypted root partition
43 if [ "$EXPANDROOT" = true ] ; then
16 if [ "$EXPANDROOT" = true ] ; then
44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
17 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
18 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
19 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
47 fi
20 fi
48
21
49 if [ "$ENABLE_DHCP" = false ] ; then
22 # Replace fstab root partition with encrypted partition mapping
50 # Get cdir from NET_ADDRESS e.g. 24
23 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
51 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
52
24
53 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
25 # Add encrypted partition to crypttab and fstab
54 NET_MASK=$(cdr2mask "$cdir")
26 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
27 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
55
28
56 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
29 if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then
57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
30 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
58
31 # Add usb/sda2 disk to crypttab
59 # Regenerate initramfs
32 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
33 fi
34
35 # Add encrypted root partition to fstab and crypttab
36 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then
37 # Add usb/sda1 disk to crypttab
38 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
61 fi
39 fi
62
40
63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
41 if [ "$CRYPTFS_DROPBEAR" = true ]; then
64 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
42 if [ "$ENABLE_DHCP" = false ] ; then
65 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
43 # Get cdir from NET_ADDRESS e.g. 24
66 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
44 cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2)
67 else
68 # Create key
69 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
70
71 # Convert dropbear key to openssh key
72 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
73
74 # Get Public Key Part
75 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
76
77 # Delete unwanted lines
78 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
79 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
80
81 # Trust the new key
82 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
83
84 # Save Keys - convert with putty from rsa/openssh to puttkey
85 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
86
87 # Get unlock script
88 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
89
90 # Enable Dropbear inside initramfs
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
92
45
93 # Enable Dropbear inside initramfs
46 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
94 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
47 NET_MASK=$(cdr2mask "$cdir")
95 fi
48
96 else
49 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
97 # Disable SSHD inside initramfs
50 # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
98 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
51 sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
99 fi
52 else
53 sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf
54 fi
55
56 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
57 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
58 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
59 else
60 # Create key
61 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
62
63 # Convert dropbear key to openssh key
64 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
65
66 # Get Public Key Part
67 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
68
69 # Delete unwanted lines
70 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
71 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
72
73 # Trust the new key
74 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
75
76 # Save Keys - convert with putty from rsa/openssh to puttkey
77 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
78
79 # Get unlock script
80 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
81
82 # Enable Dropbear inside initramfs
83 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
84
85 # Enable Dropbear inside initramfs
86 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
87 fi
88 # CRYPTFSDROPBEAR=false
89 else
90 # Disable SSHD inside initramfs
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
92 fi
100
93
101 # Add cryptsetup modules to initramfs
94 # Add cryptsetup modules to initramfs
102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
95 #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
103
96
104 # Dummy mapping required by mkinitramfs
97 # Dummy mapping required by mkinitramfs
105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
98 echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
106
99
107 # Generate initramfs with encrypted root partition support
100 # Generate initramfs with encrypted root partition support
108 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
101 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
109
102
110 # Remove dummy mapping
103 # Remove dummy mapping
111 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
104 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
105 # CRYPTFS=false
112 else
106 else
107 #USB BOOT /boot on sda1 / on sda2
108 if [ "$ENABLE_USBBOOT" = true ] ; then
109 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
110 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
111 fi
112
113 # Add usb/sda disk root partition to fstab
114 if [ "$ENABLE_SPLITFS" = true ] ; then
115 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
116 fi
113 # Generate initramfs without encrypted root partition support
117 # Generate initramfs without encrypted root partition support
114 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
118 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
115 fi
119 fi
@@ -198,6 +198,10 KERNEL_BPF=${KERNEL_BPF:=false}
198 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
198 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
199 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
199 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
200 KERNEL_NF=${KERNEL_NF:=false}
200 KERNEL_NF=${KERNEL_NF:=false}
201 KERNEL_DHKEY=${KERNEL_DHKEY:=true}
202 KERNEL_BTRFS=${KERNEL_BTRFS:=false}
203 KERNEL_NSPAN=${KERNEL_NSPAN:=false}
204 KERNEL_POEHAT=${KERNEL_POEHAT:=false}
201
205
202 # Kernel compilation from source directory settings
206 # Kernel compilation from source directory settings
203 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
207 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
@@ -219,7 +223,8 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
219 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
223 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
220 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
224 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
221 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
225 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
222 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
226 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"}
227 CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"}
223 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
228 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
224 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
229 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
225 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
230 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
@@ -410,7 +415,7 fi
410 # Add cryptsetup package to enable filesystem encryption
415 # Add cryptsetup package to enable filesystem encryption
411 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
416 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
412 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
417 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
413 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
418 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs"
414
419
415 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
420 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
416 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
421 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
@@ -831,7 +836,7 if [ "$ENABLE_CRYPTFS" = true ] ; then
831 echo -n ${CRYPTFS_PASSWORD} > .password
836 echo -n ${CRYPTFS_PASSWORD} > .password
832
837
833 # Initialize encrypted partition
838 # Initialize encrypted partition
834 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
839 cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password
835
840
836 # Open encrypted partition and setup mapping
841 # Open encrypted partition and setup mapping
837 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
842 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant