Raspi2-3_GenImage Commit - r582:36b4cae925f5 · Collaboration Tremplin des Sciences

Merge pull request #180 from burnbabyburn/pull...

drtyhlpr -

r582:36b4cae925f5

parent child

Context file:

r582:36b4cae925f5

Collapse all files

files/sysctl.d/84-rpi-ASLR.conf created 644 +2 0

@@ -0,0 +1,2
	1	# ASLR
	2	kernel.randomize_va_space = 2 No newline at end of file

bootstrap.d/13-kernel.sh +28 -15

                   #Switch to KERNELSRC_DIR so we can use set_kernel_config
                   cd "${KERNEL_DIR}" || exit
+            	  if [ "$KERNEL_ARCH" = arm64 ] ; then
+            	    #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
+            	    # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
+            	    set_kernel_config CONFIG_MMC_BCM2835 n
+            	    set_kernel_config CONFIG_MMC_SDHCI_IPROC n
+            	    set_kernel_config CONFIG_USB_DWC2 n
+            	    sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
+            	    #VLAN got disabled without reason in arm64bit
+            	    set_kernel_config CONFIG_IPVLAN m
+            	  fi
             	  # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
                   if [ "$KERNEL_ZSWAP" = true ] ; then
                     set_kernel_config CONFIG_ZPOOL y
                     set_kernel_config CONFIG_ZSMALLOC y
                     set_kernel_config CONFIG_PGTABLE_MAPPING y
             		set_kernel_config CONFIG_LZO_COMPRESS y
             	  fi
                   # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
                     set_kernel_config CONFIG_AUDIT y
                     # harden strcpy and memcpy
-                    set_kernel_config CONFIG_HARDENED_USERCOPY=y
+                    set_kernel_config CONFIG_HARDENED_USERCOPY y
-                    set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+                    set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
-                    set_kernel_config CONFIG_FORTIFY_SOURCE=y
+                    set_kernel_config CONFIG_FORTIFY_SOURCE y
                     # integrity sub-system
-                    set_kernel_config CONFIG_INTEGRITY=y
+                    set_kernel_config CONFIG_INTEGRITY y
-                    set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+                    set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
-                    set_kernel_config CONFIG_INTEGRITY_AUDIT=y
+                    set_kernel_config CONFIG_INTEGRITY_AUDIT y
-                    set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
+                    set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
-                    set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+                    set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y
                     # This option provides support for retaining authentication tokens and access keys in the kernel.
-                    set_kernel_config CONFIG_KEYS=y
+                    set_kernel_config CONFIG_KEYS y
-                    set_kernel_config CONFIG_KEYS_COMPAT=y
+                    set_kernel_config CONFIG_KEYS_COMPAT y
                     # Apparmor
                     set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
                     set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
                     # restrictions on unprivileged users reading the kernel
-                    set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
+                    set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
                     # network security hooks
                     set_kernel_config CONFIG_SECURITY_NETWORK y
-                    set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
+                    set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
-                    set_kernel_config CONFIG_SECURITY_PATH=y
+                    set_kernel_config CONFIG_SECURITY_PATH y
-                    set_kernel_config CONFIG_SECURITY_YAMA=y
+                    set_kernel_config CONFIG_SECURITY_YAMA n
                     # New Options
                     if [ "$KERNEL_NF" = true ] ; then
               # Copy compiled dtb device tree files
               if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then
-                for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb ; do
+                for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do
                   if [ -f "${dtb}" ] ; then
                     install_readonly "${dtb}" "${BOOT_DIR}/overlays/"
                   fi

bootstrap.d/14-fstab.sh +23 -6

             # Install and setup fstab
             install_readonly files/mount/fstab "${ETC_DIR}/fstab"
-            if [ "$ENABLE_UBOOTUSB" = true ] ; then
-              sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
-              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
-            fi
             # Add usb/sda disk root partition to fstab
             if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
               sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
               echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
               if [ "$ENABLE_SPLITFS" = true ] ; then
-                # Add usb/sda disk to crypttab
+                # Add usb/sda1 disk to crypttab
                 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
               fi
             fi
+            if [ "$ENABLE_USBBOOT" = true ] ; then
+              sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
+              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
+              # Add usb/sda2 disk to crypttab
+              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
+            fi
             # Generate initramfs file
             if [ "$ENABLE_INITRAMFS" = true ] ; then
               if [ "$ENABLE_CRYPTFS" = true ] ; then
                   install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
                 fi
+            	if [ "$ENABLE_DHCP" = false ] ; then
+                  # Get cdir from NET_ADDRESS e.g. 24
+                  cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
+                  # Convert cdir ro netmask e.g. 24 to 255.255.255.0
+                  NET_MASK=$(cdr2mask "$cdir")
+            	  # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
+                  sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
+            	  # Regenerate initramfs
+            	  chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+                fi
             	if [ "$CRYPTFS_DROPBEAR" = true ]; then
             	  if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
              	    install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub

bootstrap.d/15-rpi-config.sh +35 -20

             fi
             # Setup firmware boot cmdline
+            if [ "$ENABLE_USBBOOT" = true ] ; then
+              CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
+            else
               if [ "$ENABLE_SPLITFS" = true ] ; then
-              CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
+                CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
               else
-              CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
+                CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
+              fi
             fi
             # Add encrypted root partition to cmdline.txt
               if [ "$ENABLE_SPLITFS" = true ] ; then
                 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
               else
+                if [ "$ENABLE_USBBOOT" = true ] ; then
+                  CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
+                else
                   CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
                 fi
               fi
+            fi
             # Enable Kernel messages on standard output
             if [ "$ENABLE_PRINTK" = true ] ; then
               install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
             fi
+            # Enable Kernel messages on standard output
+            if [ "$KERNEL_SECURITY" = true ] ; then
+              install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
+            fi
             # Install udev rule for serial alias - serial0 = console serial1=bluetooth
             install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
                 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
                 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
             	  # set overlay to swap ttyAMA0 and ttyS0
                   echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
-            	  # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
             	  if [ "$ENABLE_TURBO" = false ] ; then
                     echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
                   fi
             	fi
             	# Activate services
               # add string to cmdline
               CMDLINE="${CMDLINE} console=serial0,115200"
+              if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then
+                # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
+                if [ "$ENABLE_TURBO" = false ] ; then
+                  echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
+                fi
+              fi
               # Enable serial console systemd style
-              chroot_exec systemctl enable serial-getty\@serial0.service
+              chroot_exec systemctl enable serial-getty@serial0.service
             else
               echo "enable_uart=0"  >> "${BOOT_DIR}/config.txt"
-              # disable serial console systemd style
-              chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
             fi
             if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
               # Copy downloaded systemd-swap sources
               mv "${temp_dir}/systemd-swap" "${R}/tmp/"
-              # Set permissions of the systemd-swap sources
-              chown -R root:root "${R}/tmp/systemd-swap"
-              # Remove temporary directory for systemd-swap sources
-              rm -fr "${temp_dir}"
               # Change into downloaded src dir
               cd "${R}/tmp/systemd-swap" || exit
               # Build package
-              . ./package.sh debian
+              bash ./package.sh debian
-              # Install package
+              # Change back into script root dir
-              chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb
+              cd "${WORKDIR}" || exit
+              # Set permissions of the systemd-swap sources
+              chown -R root:root "${R}/tmp/systemd-swap"
+              # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
+              chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
               # Enable service
               chroot_exec systemctl enable systemd-swap
-              # Change back into script root dir
+              # Remove temporary directory for systemd-swap sources
-              cd "${WORKDIR}" || exit
+              rm -fr "${temp_dir}"
             else
               # Enable ZSWAP in cmdline if systemd-swap is not used
               if [ "$KERNEL_ZSWAP" = true ] ; then
                 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
               fi
             fi
               if [ "$KERNEL_SECURITY" = true ] ; then
                 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
               fi

bootstrap.d/20-networking.sh +4 -14

@@ -30,6 +30,10 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
30	# Install configuration for interface eth0	30	# Install configuration for interface eth0
31	install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"	31	install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
32		32
		33	if [ "$RPI_MODEL" = 3P ] ; then
		34	printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network"
		35	fi
		36
33	# Install configuration for interface wl*	37	# Install configuration for interface wl*
34	install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"	38	install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
35		39
@@ -57,20 +61,6 else # ENABLE_DHCP=false
57	-e "0,/NTP=\$/ s\|NTP=\$\|NTP=${NET_NTP_1}\|"\	61	-e "0,/NTP=\$/ s\|NTP=\$\|NTP=${NET_NTP_1}\|"\
58	-e "0,/NTP=\$/ s\|NTP=\$\|NTP=${NET_NTP_2}\|"\	62	-e "0,/NTP=\$/ s\|NTP=\$\|NTP=${NET_NTP_2}\|"\
59	"${ETC_DIR}/systemd/network/eth.network"	63	"${ETC_DIR}/systemd/network/eth.network"
60
61	if [ "$CRYPTFS_DROPBEAR" = true ] ; then
62	# Get cdir from NET_ADDRESS e.g. 24
63	cdir=$(${NET_ADDRESS} \| cut -d '/' -f2)
64
65	# Convert cdir ro netmask e.g. 24 to 255.255.255.0
66	NET_MASK=$(cdr2mask "$cdir")
67
68	# Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
69	sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
70
71	# Regenerate initramfs
72	chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
73	fi
74	fi	64	fi
75		65
76	# Remove empty settings from network configuration	66	# Remove empty settings from network configuration

bootstrap.d/21-firewall.sh 0 0

NO CONTENT: modified file

bootstrap.d/41-uboot.sh +1 -1

               fi
               # instead of sd, boot from usb device
-              if [ "$ENABLE_UBOOTUSB" = true ] ; then
+              if [ "$ENABLE_USBBOOT" = true ] ; then
                 sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"
               fi

rpi23-gen-image.sh +9 -13

             ENABLE_REDUCE=${ENABLE_REDUCE:=false}
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
-            ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}
+            ENABLE_USBBOOT=${ENABLE_USBBOOT=false}
             ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
             ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
             ENABLE_NEXMON=${ENABLE_NEXMON:=false}
                 ;;
             esac
-            if [ "$ENABLE_UBOOTUSB" = true ] ; then
-              if [ "$ENABLE_UBOOT" = false ] ; then
-                echo "error: Enabling UBOOTUSB requires u-boot to be enabled"
-            	exit 1
-              fi
-              if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then
-                echo "error: Enabling UBOOTUSB requires Raspberry 3"
-            	exit 1
-              fi
-            fi
             # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
             if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
               # Include bluetooth packages on supported boards
               APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
             fi
+            if [ "$ENABLE_USBBOOT" = true ] ; then
+              if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then
+                echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P"
+                exit 1
+              fi
+            fi
             # Check if root SSH (v2) public key file exists
             if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
               if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
                 # Setup overlays dtbs directory
                 mkdir "${BASEDIR}/qemu/overlays"
-                for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do
+                for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do
                   if [ -f "${dtb}" ] ; then
                     install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
                   fi

files/apt/flash-kernel removed 0 -3

NO CONTENT: file was removed

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages