-using --verbose and debug while creating cryptfs to give a hint by default...
Unknown -
r696:2f2cf24844e7
@@ -1,13 +1,13
1 1 # rpi23-gen-image
2 2 ## Introduction
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9 9
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
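Review bot: The rewritten introduction now lists the Raspberry Pi 4 among the 32-bit-only boards ("Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only") but still says only the Raspberry Pi 3 supports 64-bit images, which contradicts the `SET_ARCH` text later in this patch that offers 64-bit for RPI3/RPI3+/RPI4. Please align the two statements. The same paragraph adds `aarch64` to the cross-compiler list, but the following sentence still names only `crossbuild-essential-armhf` and `crossbuild-essential-armel` as tested toolchains; either add the aarch64 meta package that was tested or state that 64-bit builds are untested.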
@@ -61,7 +61,7 A comma-separated list of additional packages to be installed by apt after boots
61 61
62 62 #### General system settings:
63 63 ##### `SET_ARCH`=32
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
65 65
66 66 ##### `RPI_MODEL`=2
67 67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
@@ -71,6 +71,7 Specify the target Raspberry Pi hardware model. The script at this time supports
71 71 - `2` = Raspberry Pi 2 model B
72 72 - `3` = Raspberry Pi 3 model B
73 73 - `3P` = Raspberry Pi 3 model B+
74 - `4` = Raspberry Pi 4 model B
74 75
75 76 ##### `RELEASE`="buster"
76 77 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
@@ -230,6 +231,7 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` param
230 231
231 232 ##### `ENABLE_UBOOT`=false
232 233 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
234 RPI4 needs tbd
233 235
234 236 ##### `UBOOTSRC_DIR`=""
235 237 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
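Review bot: "RPI4 needs tbd" is a placeholder left in user-facing documentation. Either describe what the Raspberry Pi 4 requires for U-Boot, or state plainly that `ENABLE_UBOOT` is not yet supported on the RPI4 so users do not enable it expecting it to work.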
@@ -313,7 +315,11 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enab
313 315
314 316 #### Kernel compilation:
315 317 ##### `BUILD_KERNEL`=true
316 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
318 Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time.
319 ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel)
320 Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot)
321 Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki)
322
317 323
318 324 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
319 325 This sets the cross-compile environment for the compiler.
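Review bot: The three new link lines use inverted Markdown syntax; `[https://github.com/Re4son/](Kali Linux Kernel)` renders the URL as the link text and "Kali Linux Kernel" as the target, so they should be `[Kali Linux Kernel](https://github.com/Re4son/)` and likewise for the hypriot and sakaki entries. Also "RPi 0/1/2/3/" has a dangling slash (presumably "0/1/2/3/4"), and `ENABLE_NEXMON` is introduced here without its own `#####` heading in the style of every other parameter, so readers cannot tell what its default is or where it is set.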
@@ -390,6 +396,18 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSC
390 396 ##### `KERNEL_SECURITY`=false
391 397 Enables Apparmor, integrity subsystem, auditing.
392 398
399 ##### `KERNEL_BTRFS`="false"
400 enable btrfs kernel support
401
402 ##### `KERNEL_POEHAT`="false"
403 enable Enable RPI POE HAT fan kernel support
404
405 ##### `KERNEL_NSPAWN`="false"
406 Enable per-interface network priority control - for systemd-nspawn
407
408 ##### `KERNEL_DHKEY`="true"
409 Diffie-Hellman operations on retained keys - required for >keyutils-1.6
410
393 411 ---
394 412
395 413 #### Reduce disk usage:
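Review bot: The documented name `KERNEL_NSPAWN` does not match the variable the code reads elsewhere in this patch, which is `KERNEL_NSPAN` (both in the kernel-config block and in the defaults); users who follow the README will set a variable that has no effect. Pick one spelling and use it everywhere. Smaller points in the same block: "enable Enable RPI POE HAT" duplicates the verb; the four new headings quote their defaults (`="false"`) whereas the neighbouring `KERNEL_SECURITY`=false does not; and "required for >keyutils-1.6" would read more clearly as "required by keyutils 1.6 and later".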
@@ -431,9 +449,12 Set password of the encrypted root partition. This parameter is mandatory if `EN
431 449 ##### `CRYPTFS_MAPPING`="secure"
432 450 Set name of dm-crypt managed device-mapper mapping.
433 451
434 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
452 ##### `CRYPTFS_CIPHER`="aes-xts-plain64"
435 453 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
436 454
455 ##### `CRYPTFS_HASH`=sha512
456 Hash function and size to be used
457
437 458 ##### `CRYPTFS_XTSKEYSIZE`=512
438 459 Sets key size in bits. The argument has to be a multiple of 8.
439 460
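Review bot: Splitting the hash out of `CRYPTFS_CIPHER` into `CRYPTFS_HASH` is a format change for existing configurations: anyone still setting `CRYPTFS_CIPHER="aes-xts-plain64:sha512"` now passes that whole string to `cryptsetup -c` and into the dm table. A sentence noting the old combined form is no longer accepted would save users a confusing failure. "Hash function and size to be used" is also vague; say what the hash is used for (the LUKS key derivation passed via `cryptsetup -h`) and quote the default consistently with the line above (`CRYPTFS_HASH`="sha512").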
@@ -16,9 +16,15 install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
16 16
17 17 # Use specified APT server and release
18 18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
19
20 #Fix for changing path for security updates in testing/bullseye
19 21 if [ "$RELEASE" = "testing" ] ; then
20 22 sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
21 else
23 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
24 fi
25
26 if [ -z "$RELEASE" ] ; then
27 # Change release in sources list
22 28 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
23 29 fi
24 30
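Review bot: The new control flow regresses the non-testing case. After the change, `sed -i "s/ stretch/ ${RELEASE}/"` runs inside the `testing` branch and again only under `if [ -z "$RELEASE" ]`, i.e. only when `RELEASE` is empty, in which case it replaces " stretch" with an empty string and corrupts `sources.list`. For any other release name (e.g. `buster`) neither branch fires and the file keeps `stretch`. The test was almost certainly meant to be `-n`, and the second `sed` inside the `testing` branch then becomes redundant. The comment "changing path for security updates in testing/bullseye" also names bullseye, which this README still does not list as supported.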
@@ -103,7 +103,30 if [ "$BUILD_KERNEL" = true ] ; then
103 103 #Switch to KERNELSRC_DIR so we can use set_kernel_config
104 104 cd "${KERNEL_DIR}" || exit
105 105
106 if [ "$KERNEL_ARCH" = arm64 ] ; then
106 # Enable RPI POE HAT fan
107 if [ "$KERNEL_POEHAT" = true ]; then
108 set_kernel_config CONFIG_SENSORS_RPI_POE_FAN m
109 fi
110
111 # Enable per-interface network priority control
112 # (for systemd-nspawn)
113 if [ "$KERNEL_NSPAN" = true ]; then
114 set_kernel_config CONFIG_CGROUP_NET_PRIO y
115 fi
116
117 # Compile in BTRFS
118 if [ "$KERNEL_BTRFS" = true ]; then
119 set_kernel_config CONFIG_BTRFS_FS y
120 set_kernel_config CONFIG_BTRFS_FS_POSIX_ACL y
121 set_kernel_config CONFIG_BTRFS_FS_REF_VERIFY y
122 fi
123
124 # Diffie-Hellman operations on retained keys
125 # (required for >keyutils-1.6)
126 if [ "$KERNEL_DHKEY" = true ]; then
127 set_kernel_config CONFIG_KEY_DH_OPERATIONS y
128 fi
129
107 130 if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
108 131 # Mask this temporarily during switch to rpi-4.19.y
109 132 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
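Review bot: The hunk removes the outer `if [ "$KERNEL_ARCH" = arm64 ] ; then` that used to wrap the following `&& [ "$ENABLE_QEMU" = false ]` test, but no matching `fi` is removed here; confirm the corresponding `fi` is dropped elsewhere, otherwise the script will no longer parse. The new block reads `KERNEL_NSPAN`, while the README in this same patch documents `KERNEL_NSPAWN`; one of them needs to change. Finally, `KERNEL_DHKEY` defaults to `true`, so `CONFIG_KEY_DH_OPERATIONS=y` is now switched on for every build rather than opt-in; that is fine if intended, but the commit message does not mention it.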
@@ -8,13 +8,17
8 8 # Install and setup fstab
9 9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10 10
11 # Add usb/sda disk root partition to fstab
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
11 # Generate initramfs file
12 if [ "$ENABLE_INITRAMFS" = true ] ; then
13 if [ "$ENABLE_CRYPTFS" = true ] ; then
14
15 # Include initramfs scripts to auto expand encrypted root partition
16 if [ "$EXPANDROOT" = true ] ; then
17 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
18 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
19 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
14 20 fi
15 21
16 # Add encrypted root partition to fstab and crypttab
17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 22 # Replace fstab root partition with encrypted partition mapping
19 23 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20 24
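Review bot: Moving the `ENABLE_CRYPTFS` block under `if [ "$ENABLE_INITRAMFS" = true ]` changes behaviour: the fstab root replacement with `mapper/${CRYPTFS_MAPPING}` and the crypttab entry were previously unconditional and are now skipped when `ENABLE_INITRAMFS` is false, as is the previously unconditional `ENABLE_SPLITFS` fstab edit removed at the top of the hunk. If an encrypted root is meant to require the initramfs (which it effectively does to boot), the script should fail early when `ENABLE_CRYPTFS=true` and `ENABLE_INITRAMFS=false`, and the README entry for `ENABLE_CRYPTFS` should say so, rather than silently producing an image whose fstab still points at an unencrypted `mmcblk0p2`.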
@@ -22,45 +26,33 if [ "$ENABLE_CRYPTFS" = true ] ; then
22 26 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 27 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24 28
25 if [ "$ENABLE_SPLITFS" = true ] ; then
26 # Add usb/sda1 disk to crypttab
27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28 fi
29 fi
30
31 if [ "$ENABLE_USBBOOT" = true ] ; then
29 if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then
32 30 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
35 31 # Add usb/sda2 disk to crypttab
36 32 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
37 33 fi
38 34
39 # Generate initramfs file
40 if [ "$ENABLE_INITRAMFS" = true ] ; then
41 if [ "$ENABLE_CRYPTFS" = true ] ; then
42 # Include initramfs scripts to auto expand encrypted root partition
43 if [ "$EXPANDROOT" = true ] ; then
44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
35 # Add encrypted root partition to fstab and crypttab
36 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then
37 # Add usb/sda1 disk to crypttab
38 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
47 39 fi
48 40
41 if [ "$CRYPTFS_DROPBEAR" = true ]; then
49 42 if [ "$ENABLE_DHCP" = false ] ; then
50 43 # Get cdir from NET_ADDRESS e.g. 24
51 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
44 cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2)
52 45
53 46 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
54 47 NET_MASK=$(cdr2mask "$cdir")
55 48
56 49 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
58
59 # Regenerate initramfs
60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
50 # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
51 sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
52 else
53 sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf
61 54 fi
62 55
63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
64 56 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
65 57 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
66 58 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
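Review bot: The `\$a\nIP=...` form is suspect: the sed `a` command already appends on its own line, and in GNU sed's one-line `a\text` form the text after the backslash is taken as-is, so the inserted line risks starting with a literal `n` (`nIP=...`). The previous `\$aIP=` spelling, or a `printf ... >>` as the rest of this file uses for initramfs.conf, is safer; please verify the generated initramfs.conf. Two further points on the same hunk: `${NET_ADDRESS}` is placed in the `<client-ip>` field even though the line above extracts a CIDR suffix from it, so the kernel would receive `a.b.c.d/24` where it expects a bare address; and the two new conditions `ENABLE_USBBOOT && ! ENABLE_SPLITFS` and `ENABLE_SPLITFS && ! ENABLE_USBBOOT` leave the both-true case unhandled, falling back to `mmcblk0p2` without any warning. The `printf "%s" "${NET_ADDRESS}" | cut` fix itself is welcome, since the old line executed the address as a command.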
@@ -93,23 +85,35 if [ "$ENABLE_INITRAMFS" = true ] ; then
93 85 # Enable Dropbear inside initramfs
94 86 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
95 87 fi
88 # CRYPTFSDROPBEAR=false
96 89 else
97 90 # Disable SSHD inside initramfs
98 91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
99 92 fi
100 93
101 94 # Add cryptsetup modules to initramfs
102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
95 #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
103 96
104 97 # Dummy mapping required by mkinitramfs
105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
98 echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
106 99
107 100 # Generate initramfs with encrypted root partition support
108 101 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
109 102
110 103 # Remove dummy mapping
111 104 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
105 # CRYPTFS=false
112 106 else
107 #USB BOOT /boot on sda1 / on sda2
108 if [ "$ENABLE_USBBOOT" = true ] ; then
109 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
110 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
111 fi
112
113 # Add usb/sda disk root partition to fstab
114 if [ "$ENABLE_SPLITFS" = true ] ; then
115 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
116 fi
113 117 # Generate initramfs without encrypted root partition support
114 118 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
115 119 fi
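Review bot: Because this `else` is now nested inside `if [ "$ENABLE_INITRAMFS" = true ]`, the USB-boot and split-filesystem fstab rewrites for unencrypted images only happen when the initramfs is enabled; before this patch they ran unconditionally. Unless that dependency is intended and documented, move the two fstab edits back out of the initramfs block. On the dummy dm table line, `echo "0 1 crypt "${CRYPTFS_CIPHER}" ffff..."` closes and reopens the quoted string around the variable, which only works because the value contains no whitespace; write it as `"0 1 crypt ${CRYPTFS_CIPHER} ..."`. Also prefer deleting the `CRYPTSETUP=y` conf-hook line (superseded by the `cryptsetup-initramfs` package added later in this patch) over leaving it commented out, and the end-of-block markers `# CRYPTFSDROPBEAR=false` and `# CRYPTFS=false` do not match the real variable names `CRYPTFS_DROPBEAR` and `ENABLE_CRYPTFS`.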
@@ -198,6 +198,10 KERNEL_BPF=${KERNEL_BPF:=false}
198 198 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
199 199 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
200 200 KERNEL_NF=${KERNEL_NF:=false}
201 KERNEL_DHKEY=${KERNEL_DHKEY:=true}
202 KERNEL_BTRFS=${KERNEL_BTRFS:=false}
203 KERNEL_NSPAN=${KERNEL_NSPAN:=false}
204 KERNEL_POEHAT=${KERNEL_POEHAT:=false}
201 205
202 206 # Kernel compilation from source directory settings
203 207 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
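Review bot: `KERNEL_NSPAN` here is the spelling the kernel-config code checks, but the README added in this patch documents `KERNEL_NSPAWN`; the default and the documentation must agree or the option is unreachable from a config file. Note also that `KERNEL_DHKEY` is the only one of the four new options that defaults to `true`, so it changes the default kernel configuration for all users.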
@@ -219,7 +223,8 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
219 223 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
220 224 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
221 225 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
222 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
226 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"}
227 CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"}
223 228 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
224 229 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
225 230 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
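Review bot: Since the default `CRYPTFS_CIPHER` drops the `:sha512` suffix and a separate `CRYPTFS_HASH` is introduced, an existing config file that still sets the old combined value will be passed through unchanged to `cryptsetup -c` and to the `dmsetup` table. A small guard that rejects a `CRYPTFS_CIPHER` containing `:` with a pointer to `CRYPTFS_HASH` would make the migration explicit instead of failing inside cryptsetup.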
@@ -410,7 +415,7 fi
410 415 # Add cryptsetup package to enable filesystem encryption
411 416 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
412 417 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
413 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
418 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs"
414 419
415 420 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
416 421 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
@@ -831,7 +836,7 if [ "$ENABLE_CRYPTFS" = true ] ; then
831 836 echo -n ${CRYPTFS_PASSWORD} > .password
832 837
833 838 # Initialize encrypted partition
834 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
839 cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password
835 840
836 841 # Open encrypted partition and setup mapping
837 842 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
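Review bot: `--debug` on `luksFormat` in the default build path dumps cryptsetup's internal state (device paths, keyslot and PBKDF parameters) into every build log; that is useful when diagnosing a failure, as the commit message intends, but it should be gated behind the script's own verbosity setting rather than always on, and the log should be checked to confirm nothing derived from `.password` is printed. Replacing `echo "YES" |` with `-q` is fine. On the unchanged context line above, `echo -n ${CRYPTFS_PASSWORD} > .password` is unquoted, so a passphrase containing spaces or glob characters is altered before it reaches cryptsetup; quote it while touching this block.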