| @@ -97,7 +97,19 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
|
97 | 97 | |
|
|
98 | 98 | #Switch to KERNELSRC_DIR so we can use set_kernel_config |
|
|
99 | 99 | cd "${KERNEL_DIR}" || exit |
|
|
100 | ||
|
|
100 | ||
|
|
101 | if [ "$KERNEL_ARCH" = arm64 ] ; then | |
|
|
102 | #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config | |
|
|
103 | # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225 | |
|
|
104 | set_kernel_config CONFIG_MMC_BCM2835 n | |
|
|
105 | set_kernel_config CONFIG_MMC_SDHCI_IPROC n | |
|
|
106 | set_kernel_config CONFIG_USB_DWC2 n | |
|
|
107 | sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig | |
|
|
108 | ||
|
|
109 | #VLAN got disabled without reason in arm64bit | |
|
|
110 | set_kernel_config CONFIG_IPVLAN m | |
|
|
111 | fi | |
|
|
112 | ||
|
|
101 | 113 | # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap |
|
|
102 | 114 | if [ "$KERNEL_ZSWAP" = true ] ; then |
|
|
103 | 115 | set_kernel_config CONFIG_ZPOOL y |
| @@ -107,6 +119,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
|
107 | 119 | set_kernel_config CONFIG_ZSMALLOC y |
|
|
108 | 120 | set_kernel_config CONFIG_PGTABLE_MAPPING y |
|
|
109 | 121 | set_kernel_config CONFIG_LZO_COMPRESS y |
|
|
122 | ||
|
|
110 | 123 | fi |
|
|
111 | 124 | |
|
|
112 | 125 | # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 |
| @@ -148,20 +161,20 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
|
148 | 161 | set_kernel_config CONFIG_AUDIT y |
|
|
149 | 162 | |
|
|
150 | 163 | # harden strcpy and memcpy |
|
|
151 |
set_kernel_config CONFIG_HARDENED_USERCOPY |
|
|
|
152 |
set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR |
|
|
|
153 |
set_kernel_config CONFIG_FORTIFY_SOURCE |
|
|
|
164 | set_kernel_config CONFIG_HARDENED_USERCOPY y | |
|
|
165 | set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y | |
|
|
166 | set_kernel_config CONFIG_FORTIFY_SOURCE y | |
|
|
154 | 167 | |
|
|
155 | 168 | # integrity sub-system |
|
|
156 |
set_kernel_config CONFIG_INTEGRITY |
|
|
|
157 |
set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS |
|
|
|
158 |
set_kernel_config CONFIG_INTEGRITY_AUDIT |
|
|
|
159 |
set_kernel_config CONFIG_INTEGRITY_SIGNATURE |
|
|
|
160 |
set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING |
|
|
|
169 | set_kernel_config CONFIG_INTEGRITY y | |
|
|
170 | set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y | |
|
|
171 | set_kernel_config CONFIG_INTEGRITY_AUDIT y | |
|
|
172 | set_kernel_config CONFIG_INTEGRITY_SIGNATURE y | |
|
|
173 | set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y | |
|
|
161 | 174 | |
|
|
162 | 175 | # This option provides support for retaining authentication tokens and access keys in the kernel. |
|
|
163 |
set_kernel_config CONFIG_KEYS |
|
|
|
164 |
set_kernel_config CONFIG_KEYS_COMPAT |
|
|
|
176 | set_kernel_config CONFIG_KEYS y | |
|
|
177 | set_kernel_config CONFIG_KEYS_COMPAT y | |
|
|
165 | 178 | |
|
|
166 | 179 | # Apparmor |
|
|
167 | 180 | set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 |
| @@ -172,13 +185,13 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
|
172 | 185 | set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" |
|
|
173 | 186 | |
|
|
174 | 187 | # restrictions on unprivileged users reading the kernel |
|
|
175 |
set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT |
|
|
|
188 | set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y | |
|
|
176 | 189 | |
|
|
177 | 190 | # network security hooks |
|
|
178 | 191 | set_kernel_config CONFIG_SECURITY_NETWORK y |
|
|
179 |
set_kernel_config CONFIG_SECURITY_NETWORK_XFRM |
|
|
|
180 |
set_kernel_config CONFIG_SECURITY_PATH |
|
|
|
181 |
set_kernel_config CONFIG_SECURITY_YAMA |
|
|
|
192 | set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y | |
|
|
193 | set_kernel_config CONFIG_SECURITY_PATH y | |
|
|
194 | set_kernel_config CONFIG_SECURITY_YAMA n | |
|
|
182 | 195 | |
|
|
183 | 196 | # New Options |
|
|
184 | 197 | if [ "$KERNEL_NF" = true ] ; then |
| @@ -488,7 +501,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
|
488 | 501 | |
|
|
489 | 502 | # Copy compiled dtb device tree files |
|
|
490 | 503 | if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then |
|
|
491 | for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb ; do | |
|
|
504 | for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do | |
|
|
492 | 505 | if [ -f "${dtb}" ] ; then |
|
|
493 | 506 | install_readonly "${dtb}" "${BOOT_DIR}/overlays/" |
|
|
494 | 507 | fi |
| @@ -8,11 +8,6 | |||
|
|
8 | 8 | # Install and setup fstab |
|
|
9 | 9 | install_readonly files/mount/fstab "${ETC_DIR}/fstab" |
|
|
10 | 10 | |
|
|
11 | if [ "$ENABLE_UBOOTUSB" = true ] ; then | |
|
|
12 | sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" | |
|
|
13 | sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" | |
|
|
14 | fi | |
|
|
15 | ||
|
|
16 | 11 | # Add usb/sda disk root partition to fstab |
|
|
17 | 12 | if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then |
|
|
18 | 13 | sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" |
| @@ -28,11 +23,19 if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
|
28 | 23 | echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab" |
|
|
29 | 24 | |
|
|
30 | 25 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
|
31 | # Add usb/sda disk to crypttab | |
|
|
26 | # Add usb/sda1 disk to crypttab | |
|
|
32 | 27 | sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab" |
|
|
33 | 28 | fi |
|
|
34 | 29 | fi |
|
|
35 | 30 | |
|
|
31 | if [ "$ENABLE_USBBOOT" = true ] ; then | |
|
|
32 | sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" | |
|
|
33 | sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" | |
|
|
34 | ||
|
|
35 | # Add usb/sda2 disk to crypttab | |
|
|
36 | sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab" | |
|
|
37 | fi | |
|
|
38 | ||
|
|
36 | 39 | # Generate initramfs file |
|
|
37 | 40 | if [ "$ENABLE_INITRAMFS" = true ] ; then |
|
|
38 | 41 | if [ "$ENABLE_CRYPTFS" = true ] ; then |
| @@ -42,40 +45,54 if [ "$ENABLE_INITRAMFS" = true ] ; then | |||
|
|
42 | 45 | install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" |
|
|
43 | 46 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" |
|
|
44 | 47 | fi |
|
|
48 | ||
|
|
49 | if [ "$ENABLE_DHCP" = false ] ; then | |
|
|
50 | # Get cdir from NET_ADDRESS e.g. 24 | |
|
|
51 | cdir=$(${NET_ADDRESS} | cut -d '/' -f2) | |
|
|
52 | ||
|
|
53 | # Convert cdir ro netmask e.g. 24 to 255.255.255.0 | |
|
|
54 | NET_MASK=$(cdr2mask "$cdir") | |
|
|
55 | ||
|
|
56 | # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
|
57 | sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
|
58 | ||
|
|
59 | # Regenerate initramfs | |
|
|
60 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |
|
|
61 | fi | |
|
|
45 | 62 | |
|
|
46 | 63 | if [ "$CRYPTFS_DROPBEAR" = true ]; then |
|
|
47 |
|
|
|
|
48 |
|
|
|
|
49 |
|
|
|
|
50 |
|
|
|
|
51 |
|
|
|
|
52 |
|
|
|
|
64 | if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then | |
|
|
65 | install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
|
66 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
|
67 | else | |
|
|
68 | # Create key | |
|
|
69 | chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear | |
|
|
53 | 70 | |
|
|
54 |
|
|
|
|
55 |
|
|
|
|
71 | # Convert dropbear key to openssh key | |
|
|
72 | chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa | |
|
|
56 | 73 | |
|
|
57 |
|
|
|
|
58 |
|
|
|
|
74 | # Get Public Key Part | |
|
|
75 | chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub | |
|
|
59 | 76 | |
|
|
60 |
|
|
|
|
61 |
|
|
|
|
62 |
|
|
|
|
77 | # Delete unwanted lines | |
|
|
78 | sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
|
79 | sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
|
63 | 80 | |
|
|
64 |
|
|
|
|
65 |
|
|
|
|
81 | # Trust the new key | |
|
|
82 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
|
66 | 83 | |
|
|
67 |
|
|
|
|
68 |
|
|
|
|
84 | # Save Keys - convert with putty from rsa/openssh to puttkey | |
|
|
85 | cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa | |
|
|
69 | 86 | |
|
|
70 |
|
|
|
|
71 |
|
|
|
|
87 | # Get unlock script | |
|
|
88 | install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh | |
|
|
72 | 89 | |
|
|
73 |
|
|
|
|
74 |
|
|
|
|
90 | # Enable Dropbear inside initramfs | |
|
|
91 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" | |
|
|
75 | 92 | |
|
|
76 |
|
|
|
|
77 |
|
|
|
|
78 |
|
|
|
|
93 | # Enable Dropbear inside initramfs | |
|
|
94 | sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear | |
|
|
95 | fi | |
|
|
79 | 96 | else |
|
|
80 | 97 | # Disable SSHD inside initramfs |
|
|
81 | 98 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" |
| @@ -39,10 +39,14 else | |||
|
|
39 | 39 | fi |
|
|
40 | 40 | |
|
|
41 | 41 | # Setup firmware boot cmdline |
|
|
42 |
if [ "$ENABLE_ |
|
|
|
43 |
CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda |
|
|
|
42 | if [ "$ENABLE_USBBOOT" = true ] ; then | |
|
|
43 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd" | |
|
|
44 | 44 | else |
|
|
45 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd" | |
|
|
45 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
|
46 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd" | |
|
|
47 | else | |
|
|
48 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd" | |
|
|
49 | fi | |
|
|
46 | 50 | fi |
|
|
47 | 51 | |
|
|
48 | 52 | # Add encrypted root partition to cmdline.txt |
| @@ -50,7 +54,11 if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
|
50 | 54 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
|
51 | 55 | CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/") |
|
|
52 | 56 | else |
|
|
53 | CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/") | |
|
|
57 | if [ "$ENABLE_USBBOOT" = true ] ; then | |
|
|
58 | CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/") | |
|
|
59 | else | |
|
|
60 | CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/") | |
|
|
61 | fi | |
|
|
54 | 62 | fi |
|
|
55 | 63 | fi |
|
|
56 | 64 | |
| @@ -59,6 +67,11 if [ "$ENABLE_PRINTK" = true ] ; then | |||
|
|
59 | 67 | install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf" |
|
|
60 | 68 | fi |
|
|
61 | 69 | |
|
|
70 | # Enable Kernel messages on standard output | |
|
|
71 | if [ "$KERNEL_SECURITY" = true ] ; then | |
|
|
72 | install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf" | |
|
|
73 | fi | |
|
|
74 | ||
|
|
62 | 75 | # Install udev rule for serial alias - serial0 = console serial1=bluetooth |
|
|
63 | 76 | install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules" |
|
|
64 | 77 | |
| @@ -143,14 +156,13 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||
|
|
143 | 156 | |
|
|
144 | 157 | # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 |
|
|
145 | 158 | if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then |
|
|
146 | ||
|
|
147 | 159 | # set overlay to swap ttyAMA0 and ttyS0 |
|
|
148 | 160 | echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" |
|
|
149 | 161 | |
|
|
150 | # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken | |
|
|
151 | 162 |
|
|
|
152 |
|
|
|
|
153 | fi | |
|
|
163 | echo "core_freq=250" >> "${BOOT_DIR}/config.txt" | |
|
|
164 | fi | |
|
|
165 | ||
|
|
154 | 166 | fi |
|
|
155 | 167 | |
|
|
156 | 168 | # Activate services |
| @@ -167,14 +179,18 if [ "$ENABLE_CONSOLE" = true ] ; then | |||
|
|
167 | 179 | echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" |
|
|
168 | 180 | # add string to cmdline |
|
|
169 | 181 | CMDLINE="${CMDLINE} console=serial0,115200" |
|
|
182 | ||
|
|
183 | if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then | |
|
|
184 | # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken | |
|
|
185 | if [ "$ENABLE_TURBO" = false ] ; then | |
|
|
186 | echo "core_freq=250" >> "${BOOT_DIR}/config.txt" | |
|
|
187 | fi | |
|
|
188 | fi | |
|
|
170 | 189 | |
|
|
171 | 190 | # Enable serial console systemd style |
|
|
172 |
chroot_exec systemctl enable serial-getty |
|
|
|
191 | chroot_exec systemctl enable serial-getty@serial0.service | |
|
|
173 | 192 | else |
|
|
174 | 193 | echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" |
|
|
175 | ||
|
|
176 | # disable serial console systemd style | |
|
|
177 | chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service | |
|
|
178 | 194 | fi |
|
|
179 | 195 | |
|
|
180 | 196 | if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then |
| @@ -187,36 +203,35 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then | |||
|
|
187 | 203 | # Copy downloaded systemd-swap sources |
|
|
188 | 204 | mv "${temp_dir}/systemd-swap" "${R}/tmp/" |
|
|
189 | 205 | |
|
|
190 | # Set permissions of the systemd-swap sources | |
|
|
191 | chown -R root:root "${R}/tmp/systemd-swap" | |
|
|
192 | ||
|
|
193 | # Remove temporary directory for systemd-swap sources | |
|
|
194 | rm -fr "${temp_dir}" | |
|
|
195 | ||
|
|
196 | 206 | # Change into downloaded src dir |
|
|
197 | 207 | cd "${R}/tmp/systemd-swap" || exit |
|
|
198 | ||
|
|
208 | ||
|
|
199 | 209 | # Build package |
|
|
200 |
|
|
|
|
210 | bash ./package.sh debian | |
|
|
201 | 211 | |
|
|
202 | # Install package | |
|
|
203 | chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb | |
|
|
212 | # Change back into script root dir | |
|
|
213 | cd "${WORKDIR}" || exit | |
|
|
204 | 214 | |
|
|
215 | # Set permissions of the systemd-swap sources | |
|
|
216 | chown -R root:root "${R}/tmp/systemd-swap" | |
|
|
217 | ||
|
|
218 | # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR. | |
|
|
219 | chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb | |
|
|
220 | ||
|
|
205 | 221 | # Enable service |
|
|
206 | 222 | chroot_exec systemctl enable systemd-swap |
|
|
207 | 223 | |
|
|
208 | # Change back into script root dir | |
|
|
209 | cd "${WORKDIR}" || exit | |
|
|
224 | # Remove temporary directory for systemd-swap sources | |
|
|
225 | rm -fr "${temp_dir}" | |
|
|
210 | 226 | else |
|
|
211 | 227 | # Enable ZSWAP in cmdline if systemd-swap is not used |
|
|
212 | 228 | if [ "$KERNEL_ZSWAP" = true ] ; then |
|
|
213 |
CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" |
|
|
|
229 | CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" | |
|
|
214 | 230 | fi |
|
|
215 | 231 | fi |
|
|
216 | ||
|
|
217 | if [ "$KERNEL_SECURITY" = true ] ; then | |
|
|
218 | CMDLINE="${CMDLINE} apparmor=1 security=apparmor" | |
|
|
219 | fi | |
|
|
232 | if [ "$KERNEL_SECURITY" = true ] ; then | |
|
|
233 | CMDLINE="${CMDLINE} apparmor=1 security=apparmor" | |
|
|
234 | fi | |
|
|
220 | 235 | |
|
|
221 | 236 | # Install firmware boot cmdline |
|
|
222 | 237 | echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" |
| @@ -30,6 +30,10 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces" | |||
|
|
30 | 30 | # Install configuration for interface eth0 |
|
|
31 | 31 | install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network" |
|
|
32 | 32 | |
|
|
33 | if [ "$RPI_MODEL" = 3P ] ; then | |
|
|
34 | printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network" | |
|
|
35 | fi | |
|
|
36 | ||
|
|
33 | 37 | # Install configuration for interface wl* |
|
|
34 | 38 | install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network" |
|
|
35 | 39 | |
| @@ -57,20 +61,6 else # ENABLE_DHCP=false | |||
|
|
57 | 61 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ |
|
|
58 | 62 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ |
|
|
59 | 63 | "${ETC_DIR}/systemd/network/eth.network" |
|
|
60 | ||
|
|
61 | if [ "$CRYPTFS_DROPBEAR" = true ] ; then | |
|
|
62 | # Get cdir from NET_ADDRESS e.g. 24 | |
|
|
63 | cdir=$(${NET_ADDRESS} | cut -d '/' -f2) | |
|
|
64 | ||
|
|
65 | # Convert cdir ro netmask e.g. 24 to 255.255.255.0 | |
|
|
66 | NET_MASK=$(cdr2mask "$cdir") | |
|
|
67 | ||
|
|
68 | # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
|
69 | sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
|
70 | ||
|
|
71 | # Regenerate initramfs | |
|
|
72 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |
|
|
73 | fi | |
|
|
74 | 64 | fi |
|
|
75 | 65 | |
|
|
76 | 66 | # Remove empty settings from network configuration |
| @@ -10,7 +10,7 if [ "$ENABLE_IPTABLES" = true ] ; then | |||
|
|
10 | 10 | mkdir -p "${ETC_DIR}/iptables" |
|
|
11 | 11 | |
|
|
12 | 12 | if [ "$KERNEL_NF" = false ] ; then |
|
|
13 | #iptables-save and -restore are slaves of iptables and thus are set accordingly | |
|
|
13 | # iptables-save and -restore are slaves of iptables and thus are set accordingly | |
|
|
14 | 14 | chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy |
|
|
15 | 15 | fi |
|
|
16 | 16 | |
| @@ -29,10 +29,10 if [ "$ENABLE_IPTABLES" = true ] ; then | |||
|
|
29 | 29 | |
|
|
30 | 30 | if [ "$ENABLE_IPV6" = true ] ; then |
|
|
31 | 31 | if [ "$KERNEL_NF" = false ] ; then |
|
|
32 | #iptables-save and -restore are slaves of iptables and thus are set accordingly | |
|
|
32 | # iptables-save and -restore are slaves of iptables and thus are set accordingly | |
|
|
33 | 33 | chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy |
|
|
34 |
|
|
|
|
35 | ||
|
|
34 | fi | |
|
|
35 | ||
|
|
36 | 36 | # Install ip6tables systemd service |
|
|
37 | 37 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" |
|
|
38 | 38 | |
| @@ -79,7 +79,7 if [ "$ENABLE_UBOOT" = true ] ; then | |||
|
|
79 | 79 | fi |
|
|
80 | 80 | |
|
|
81 | 81 | # instead of sd, boot from usb device |
|
|
82 |
if [ "$ENABLE_UBOOT |
|
|
|
82 | if [ "$ENABLE_USBBOOT" = true ] ; then | |
|
|
83 | 83 | sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage" |
|
|
84 | 84 | fi |
|
|
85 | 85 | |
| @@ -158,7 +158,7 ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |||
|
|
158 | 158 | ENABLE_REDUCE=${ENABLE_REDUCE:=false} |
|
|
159 | 159 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
|
160 | 160 | UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} |
|
|
161 |
ENABLE_UBOOT |
|
|
|
161 | ENABLE_USBBOOT=${ENABLE_USBBOOT=false} | |
|
|
162 | 162 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
|
163 | 163 | ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} |
|
|
164 | 164 | ENABLE_NEXMON=${ENABLE_NEXMON:=false} |
| @@ -325,17 +325,6 case "$RPI_MODEL" in | |||
|
|
325 | 325 | ;; |
|
|
326 | 326 | esac |
|
|
327 | 327 | |
|
|
328 | if [ "$ENABLE_UBOOTUSB" = true ] ; then | |
|
|
329 | if [ "$ENABLE_UBOOT" = false ] ; then | |
|
|
330 | echo "error: Enabling UBOOTUSB requires u-boot to be enabled" | |
|
|
331 | exit 1 | |
|
|
332 | fi | |
|
|
333 | if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then | |
|
|
334 | echo "error: Enabling UBOOTUSB requires Raspberry 3" | |
|
|
335 | exit 1 | |
|
|
336 | fi | |
|
|
337 | fi | |
|
|
338 | ||
|
|
339 | 328 | # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard |
|
|
340 | 329 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then |
|
|
341 | 330 | # Include bluetooth packages on supported boards |
| @@ -421,6 +410,13 if [ "$ENABLE_UBOOT" = true ] ; then | |||
|
|
421 | 410 | APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc" |
|
|
422 | 411 | fi |
|
|
423 | 412 | |
|
|
413 | if [ "$ENABLE_USBBOOT" = true ] ; then | |
|
|
414 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then | |
|
|
415 | echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P" | |
|
|
416 | exit 1 | |
|
|
417 | fi | |
|
|
418 | fi | |
|
|
419 | ||
|
|
424 | 420 | # Check if root SSH (v2) public key file exists |
|
|
425 | 421 | if [ -n "$SSH_ROOT_PUB_KEY" ] ; then |
|
|
426 | 422 | if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then |
| @@ -719,7 +715,7 if [ "$ENABLE_QEMU" = true ] ; then | |||
|
|
719 | 715 | # Setup overlays dtbs directory |
|
|
720 | 716 | mkdir "${BASEDIR}/qemu/overlays" |
|
|
721 | 717 | |
|
|
722 | for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do | |
|
|
718 | for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do | |
|
|
723 | 719 | if [ -f "${dtb}" ] ; then |
|
|
724 | 720 | install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/" |
|
|
725 | 721 | fi |
|
|
1 | NO CONTENT: file was removed |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant
