Raspi2-3_GenImage Commit - r696:2f2cf24844e7 · Collaboration Tremplin des Sciences

-using --verbose and debug while creating cryptfs to give a hint by default...

Unknown -

r696:2f2cf24844e7 pull

parent child

Context file:

r696:2f2cf24844e7

Collapse all files

README.md +26 -5

             # rpi23-gen-image
             ## Introduction
-            `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
+            `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3/4 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
             ## Build dependencies
             The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
               ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
-            It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
+            It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel/aarch64) cross-compiler toolchain.
             The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
             #### General system settings:
             ##### `SET_ARCH`=32
-            Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
+            Set Architecture to default 32bit. If you want to compile 64-bit (RPI3/RPI3+/RPI4) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
             ##### `RPI_MODEL`=2
             Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
             - `2`  = Raspberry Pi 2 model B
             - `3`  = Raspberry Pi 3 model B
             - `3P` = Raspberry Pi 3 model B+
+            - `4`  = Raspberry Pi 4 model B
             ##### `RELEASE`="buster"
             Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
             ##### `ENABLE_UBOOT`=false
             Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
+            RPI4 needs tbd
             ##### `UBOOTSRC_DIR`=""
             Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
             #### Kernel compilation:
             ##### `BUILD_KERNEL`=true
-            Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
+            Build and install the latest RPi 0/1/2/3/4 Linux kernel. The default RPi 0/1/2/3/ kernel configuration is used most of the time.
+            ENABLE_NEXMON - Changes Kernel Source to [https://github.com/Re4son/](Kali Linux Kernel)
+            Precompiled 32bit kernel for RPI0/1/2/3 by [https://github.com/hypriot/](hypriot)
+            Precompiled 64bit kernel for RPI3/4 by [https://github.com/sakaki-/](sakaki)
             ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
             This sets the cross-compile environment for the compiler.
             ##### `KERNEL_SECURITY`=false
             Enables Apparmor, integrity subsystem, auditing.
+            ##### `KERNEL_BTRFS`="false"
+            enable btrfs kernel support
+            ##### `KERNEL_POEHAT`="false"
+            enable Enable RPI POE HAT fan kernel support
+            ##### `KERNEL_NSPAWN`="false"
+            Enable per-interface network priority control - for systemd-nspawn
+            ##### `KERNEL_DHKEY`="true"
+            Diffie-Hellman operations on retained keys - required for >keyutils-1.6
             ---
             #### Reduce disk usage:
             ##### `CRYPTFS_MAPPING`="secure"
             Set name of dm-crypt managed device-mapper mapping.
-            ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
+            ##### `CRYPTFS_CIPHER`="aes-xts-plain64"
             Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
+            ##### `CRYPTFS_HASH`=sha512
+            Hash function and size to be used
             ##### `CRYPTFS_XTSKEYSIZE`=512
             Sets key size in bits. The argument has to be a multiple of 8.

bootstrap.d/11-apt.sh +7 -1

             # Use specified APT server and release
             sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+            #Fix for changing path for security updates in testing/bullseye
             if [ "$RELEASE" = "testing" ] ; then
             sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
-            else
+            sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
+            fi
+            if [ -z "$RELEASE" ] ; then
+            # Change release in sources list
             sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
             fi

bootstrap.d/13-kernel.sh +24 -1

@@ -103,7 +103,30 if [ "$BUILD_KERNEL" = true ] ; then
103	#Switch to KERNELSRC_DIR so we can use set_kernel_config	103	#Switch to KERNELSRC_DIR so we can use set_kernel_config
104	cd "${KERNEL_DIR}" \|\| exit	104	cd "${KERNEL_DIR}" \|\| exit
105		105
106	if [ "$KERNEL_ARCH" = arm64 ] ; then	106	# Enable RPI POE HAT fan
		107	if [ "$KERNEL_POEHAT" = true ]; then
		108	set_kernel_config CONFIG_SENSORS_RPI_POE_FAN m
		109	fi
		110
		111	# Enable per-interface network priority control
		112	# (for systemd-nspawn)
		113	if [ "$KERNEL_NSPAN" = true ]; then
		114	set_kernel_config CONFIG_CGROUP_NET_PRIO y
		115	fi
		116
		117	# Compile in BTRFS
		118	if [ "$KERNEL_BTRFS" = true ]; then
		119	set_kernel_config CONFIG_BTRFS_FS y
		120	set_kernel_config CONFIG_BTRFS_FS_POSIX_ACL y
		121	set_kernel_config CONFIG_BTRFS_FS_REF_VERIFY y
		122	fi
		123
		124	# Diffie-Hellman operations on retained keys
		125	# (required for >keyutils-1.6)
		126	if [ "$KERNEL_DHKEY" = true ]; then
		127	set_kernel_config CONFIG_KEY_DH_OPERATIONS y
		128	fi
		129
107	if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then	130	if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
108	# Mask this temporarily during switch to rpi-4.19.y	131	# Mask this temporarily during switch to rpi-4.19.y
109	#Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config	132	#Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config

bootstrap.d/14-fstab.sh +34 -30

             # Install and setup fstab
             install_readonly files/mount/fstab "${ETC_DIR}/fstab"
-            # Add usb/sda disk root partition to fstab
+            # Generate initramfs file
-            if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
+            if [ "$ENABLE_INITRAMFS" = true ] ; then
-              sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
+              if [ "$ENABLE_CRYPTFS" = true ] ; then
+                # Include initramfs scripts to auto expand encrypted root partition
+                if [ "$EXPANDROOT" = true ] ; then
+                  install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
+                  install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
+                  install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
                 fi
-            # Add encrypted root partition to fstab and crypttab
-            if [ "$ENABLE_CRYPTFS" = true ] ; then
                 # Replace fstab root partition with encrypted partition mapping
                 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
                 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
                 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
-              if [ "$ENABLE_SPLITFS" = true ] ; then
+            	if [ "$ENABLE_USBBOOT" = true ] && [ "$ENABLE_SPLITFS" = false ]; then
-                # Add usb/sda1 disk to crypttab
-                sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
-              fi
-            fi
-            if [ "$ENABLE_USBBOOT" = true ] ; then
             	  sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
-              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
                   # Add usb/sda2 disk to crypttab
                   sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
                 fi
-            # Generate initramfs file
+                # Add encrypted root partition to fstab and crypttab
-            if [ "$ENABLE_INITRAMFS" = true ] ; then
+                if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_USBBOOT" = false ]; then
-              if [ "$ENABLE_CRYPTFS" = true ] ; then
+                  # Add usb/sda1 disk to crypttab
-                # Include initramfs scripts to auto expand encrypted root partition
+                  sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
-                if [ "$EXPANDROOT" = true ] ; then
-                  install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
-                  install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
-                  install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
                 fi
+                if [ "$CRYPTFS_DROPBEAR" = true ]; then
                   if [ "$ENABLE_DHCP" = false ] ; then
                     # Get cdir from NET_ADDRESS e.g. 24
-                  cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
+                    cdir=$(printf "%s" "${NET_ADDRESS}" | cut -d '/' -f2)
                     # Convert cdir ro netmask e.g. 24 to 255.255.255.0
                     NET_MASK=$(cdr2mask "$cdir")
                     # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
-                  sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
+                    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
+                    sed -i "\$a\nIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
-            	  # Regenerate initramfs
+                  else
-            	  chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+                    sed -i "\$a\nIP=::::${HOSTNAME}::dhcp" "${ETC_DIR}"/initramfs-tools/initramfs.conf
                   fi
-            	if [ "$CRYPTFS_DROPBEAR" = true ]; then
                   if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
                     install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
                     cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
                     # Enable Dropbear inside initramfs
                     sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
                   fi
+                # CRYPTFSDROPBEAR=false
                 else
                   # Disable SSHD inside initramfs
                   printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
                 fi
                 # Add cryptsetup modules to initramfs
-                printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
+                #printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
                 # Dummy mapping required by mkinitramfs
-                echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
+                echo "0 1 crypt "${CRYPTFS_CIPHER}" ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
                 # Generate initramfs with encrypted root partition support
                 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
                 # Remove dummy mapping
                 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
+              # CRYPTFS=false
               else
+              	#USB BOOT /boot on sda1 / on sda2
+            	if [ "$ENABLE_USBBOOT" = true ] ; then
+              	  sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
+              	  sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
+            	fi
+            	# Add usb/sda disk root partition to fstab
+            	if [ "$ENABLE_SPLITFS" = true ] ; then
+              	  sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
+            	fi
                 # Generate initramfs without encrypted root partition support
                 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
               fi

rpi23-gen-image.sh +8 -3

             KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
             KERNEL_SECURITY=${KERNEL_SECURITY:=false}
             KERNEL_NF=${KERNEL_NF:=false}
+            KERNEL_DHKEY=${KERNEL_DHKEY:=true}
+            KERNEL_BTRFS=${KERNEL_BTRFS:=false}
+            KERNEL_NSPAN=${KERNEL_NSPAN:=false}
+            KERNEL_POEHAT=${KERNEL_POEHAT:=false}
             # Kernel compilation from source directory settings
             KERNELSRC_DIR=${KERNELSRC_DIR:=""}
             ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
             CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
             CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
-            CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
+            CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"}
+            CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"}
             CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
             #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
             CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
             # Add cryptsetup package to enable filesystem encryption
             if [ "$ENABLE_CRYPTFS" = true ]  && [ "$BUILD_KERNEL" = true ] ; then
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
-              APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
+              APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup,cryptsetup-initramfs"
               # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
               if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
               echo -n ${CRYPTFS_PASSWORD} > .password
               # Initialize encrypted partition
-              echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
+              cryptsetup --verbose --debug -q luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -h "${CRYPTFS_HASH}" -s "${CRYPTFS_XTSKEYSIZE}" .password
               # Open encrypted partition and setup mapping
               cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages