kernel features + nexmon monitor mode wlan patch(kali-kernel) with RPI3,RPI3B+ firmware patch...
Unknown -
r502:3d4e292749a1
@@ -0,0 +1,97
1 #!/bin/sh
2 #
3 # Build and Setup nexmon with monitor mode patch
4 #
5
6 # Load utility functions
7 . ./functions.sh
8
9 if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
10 # Copy existing nexmon sources into chroot directory
11 if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
12 # Copy local U-Boot sources
13 cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
14 else
15 # Create temporary directory for nexmon sources
16 temp_dir=$(as_nobody mktemp -d)
17
18 # Fetch nexmon sources
19 as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
20
21 # Copy downloaded nexmon sources
22 mv "${temp_dir}/nexmon" "${R}"/tmp/
23
24 # Set permissions of the nexmon sources
25 chown -R root:root "${R}"/tmp/nexmon
26
27 # Remove temporary directory for nexmon sources
28 rm -fr "${temp_dir}"
29 fi
30
31 # Set script Root
32 export NEXMON_ROOT="${R}"/tmp/nexmon
33
34 # Build nexmon firmware outside the build system, if we can.
35 cd "${NEXMON_ROOT}" || exit
36
37 # Make ancient isl build
38 cd buildtools/isl-0.10 || exit
39 ./configure
40 make
41 cd ../.. || exit
42
43 # Disable statistics
44 touch DISABLE_STATISTICS
45
46 # Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
47 export KERNEL="${KERNEL_IMAGE}"
48 export ARCH=arm
49 export SUBARCH=arm
50 export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
51 export CC="${CC}"gcc
52 export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
53 export ZLIBFLATE="zlib-flate -compress"
54 export Q=@
55 export NEXMON_SETUP_ENV=1
56 export HOSTUNAME=$(uname -s)
57 export PLATFORMUNAME=$(uname -m)
58
59 # Make nexmon
60 make
61
62 # build patches
63 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] ; then
64 cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon || exit
65 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
66 make clean
67
68 # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
69 LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
70
71 # copy RPi0W & RPi3 firmware
72 mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
73 cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
74 cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
75 fi
76
77 if [ "$RPI_MODEL" = 3P ] ; then
78 cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
79 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
80 make clean
81
82 # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
83 LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
84
85 # RPi3B+ firmware
86 mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
87 cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
88 cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
89 fi
90
91 #Revert to previous directory
92 cd "${WORKDIR}" || exit
93
94 # Remove nexmon sources
95 rm -fr "${NEXMON_ROOT}"
96
97 fi
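Review bot: The nexmon sources are cloned from `NEXMON_URL` at whatever its default branch currently holds and are then configured and built by the build script itself (apparently as root, since the tree is first `chown -R root:root`), so the firmware blob that replaces `brcmfmac43430-sdio.bin` / `brcmfmac43455-sdio.bin` depends on unpinned, unverified upstream content. Pinning the checkout to a reviewed commit would make the image reproducible, for example `as_nobody git -C "${temp_dir}/nexmon" checkout "${NEXMON_COMMIT}"` (the variable name is a suggestion and does not exist on this page). The same applies to the `systemd-swap` clone and to the `wget` downloads of `RPI3_64_KERNEL_URL`, `RPI_32_KERNEL_URL` and `RPI_32_KERNELHEADER_URL` in the later file sections, which are installed without a checksum comparison. Separately, the stock firmware is renamed to `.org.bin` before the patched file is known to exist; a guard such as `[ -f brcmfmac43430-sdio.bin ] || exit 1` ahead of the `mv` would avoid an image without WLAN firmware if `make` failed.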
@@ -210,6 +210,9 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
210 210 ---
211 211
212 212 #### Advanced system features:
213 ##### `ENABLE_SYSTEMDSWAP`=false
214 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
215
213 216 ##### `ENABLE_MINBASE`=false
214 217 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
215 218
@@ -234,6 +237,12 Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](
234 237 ##### `VIDEOCORESRC_DIR`=""
235 238 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
236 239
240 ##### `ENABLE_NEXMON`=false
241 Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
242
243 ##### `NEXMONSRC_DIR`=""
244 Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
245
237 246 ##### `ENABLE_IPTABLES`=false
238 247 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
239 248
@@ -345,6 +354,23 With this parameter set to true the script expects the existing kernel sources d
345 354 ##### `RPI_FIRMWARE_DIR`=""
346 355 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
347 356
357 ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
358 Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
359
360 ##### `KERNEL_NF`=false
361 Enable Netfilter modules as kernel modules
362
363 ##### `KERNEL_VIRT`=false
364 Enable Kernel KVM support (/dev/kvm)
365
366 ##### `KERNEL_ZSWAP`=false
367 Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
368
369 ##### `KERNEL_BPF`=true
370 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
371
372 ##### `KERNEL_SECURITY`=false
373 Enables Apparmor, integrity subsystem, auditing
348 374 ---
349 375
350 376 #### Reduce disk usage:
@@ -5,6 +5,13
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 # Need to use kali kernel src if nexmon is enabled
9 if [ "$ENABLE_NEXMON" = true ] ; then
10 echo "WARNING: if ENABLE_NEXMON is used remember to put the CORRECT KERNELSRC IN KERNELSRC_DIR!!!!!1!"
11 KERNEL_URL="${KALI_KERNEL_URL}"
12 KERNEL_BRANCH=""
13 fi
14
8 15 # Fetch and build latest raspberry kernel
9 16 if [ "$BUILD_KERNEL" = true ] ; then
10 17 # Setup source directory
@@ -87,6 +94,243 if [ "$BUILD_KERNEL" = true ] ; then
87 94 # Load default raspberry kernel configuration
88 95 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
89 96
97 #Switch to KERNELSRC_DIR so we can use set_kernel_config
98 cd "${KERNEL_DIR}" || exit
99
100 # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
101 if [ "$KERNEL_ZSWAP" = true ] ; then
102 set_kernel_config CONFIG_ZPOOL y
103 set_kernel_config CONFIG_ZSWAP y
104 set_kernel_config CONFIG_ZBUD y
105 set_kernel_config CONFIG_Z3FOLD y
106 set_kernel_config CONFIG_ZSMALLOC y
107 set_kernel_config CONFIG_PGTABLE_MAPPING y
108 fi
109
110 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
111 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
112 set_kernel_config CONFIG_VIRTUALIZATION y
113 set_kernel_config CONFIG_KVM y
114 set_kernel_config CONFIG_VHOST_NET m
115 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
116 fi
117
118 # enable apparmor,integrity audit,
119 if [ "$KERNEL_SECURITY" = true ] ; then
120
121 # security filesystem, security models and audit
122 set_kernel_config CONFIG_SECURITYFS y
123 set_kernel_config CONFIG_SECURITY y
124 set_kernel_config CONFIG_AUDIT y
125
126 # harden strcpy and memcpy
127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
130
131 # integrity sub-system
132 set_kernel_config CONFIG_INTEGRITY=y
133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
137
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
139 set_kernel_config CONFIG_KEYS=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
141
142 # Apparmor
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
149
150 # restrictions on unprivileged users reading the kernel
151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
152
153 # network security hooks
154 set_kernel_config CONFIG_SECURITY_NETWORK y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
159 # New Options
160 if [ "$KERNEL_NF" = true ]
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
181 fi
182
183 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
184 if [ "$KERNEL_NF" = true ] ; then
185 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
186 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
187 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
188 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
189 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
190 set_kernel_config CONFIG_NFT_FIB_INET m
191 set_kernel_config CONFIG_NFT_FIB_IPV4 m
192 set_kernel_config CONFIG_NFT_FIB_IPV6 m
193 set_kernel_config CONFIG_NFT_FIB_NETDEV m
194 set_kernel_config CONFIG_NFT_OBJREF m
195 set_kernel_config CONFIG_NFT_RT m
196 set_kernel_config CONFIG_NFT_SET_BITMAP m
197 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
198 set_kernel_config CONFIG_NF_LOG_ARP m
199 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
200 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
201 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
202 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
203 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
204 set_kernel_config CONFIG_IP6_NF_IPTABLES m
205 set_kernel_config CONFIG_IP6_NF_MATCH_AH m
206 set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
207 set_kernel_config CONFIG_IP6_NF_NAT m
208 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
209 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
210 set_kernel_config CONFIG_IP_NF_SECURITY m
211 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
212 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
213 set_kernel_config CONFIG_IP_SET_HASH_IP m
214 set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
215 set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
216 set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
217 set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
218 set_kernel_config CONFIG_IP_SET_HASH_MAC m
219 set_kernel_config CONFIG_IP_SET_HASH_NET m
220 set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
221 set_kernel_config CONFIG_IP_SET_HASH_NETNET m
222 set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
223 set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
224 set_kernel_config CONFIG_IP_SET_LIST_SET m
225 set_kernel_config CONFIG_NETFILTER_XTABLES m
226 set_kernel_config CONFIG_NETFILTER_XTABLES m
227 set_kernel_config CONFIG_NFT_BRIDGE_META m
228 set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
229 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
230 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
231 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
232 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
233 set_kernel_config CONFIG_NFT_COMPAT m
234 set_kernel_config CONFIG_NFT_COUNTER m
235 set_kernel_config CONFIG_NFT_CT m
236 set_kernel_config CONFIG_NFT_DUP_IPV4 m
237 set_kernel_config CONFIG_NFT_DUP_IPV6 m
238 set_kernel_config CONFIG_NFT_DUP_NETDEV m
239 set_kernel_config CONFIG_NFT_EXTHDR m
240 set_kernel_config CONFIG_NFT_FWD_NETDEV m
241 set_kernel_config CONFIG_NFT_HASH m
242 set_kernel_config CONFIG_NFT_LIMIT m
243 set_kernel_config CONFIG_NFT_LOG m
244 set_kernel_config CONFIG_NFT_MASQ m
245 set_kernel_config CONFIG_NFT_MASQ_IPV4 m
246 set_kernel_config CONFIG_NFT_MASQ_IPV6 m
247 set_kernel_config CONFIG_NFT_META m
248 set_kernel_config CONFIG_NFT_NAT m
249 set_kernel_config CONFIG_NFT_NUMGEN m
250 set_kernel_config CONFIG_NFT_QUEUE m
251 set_kernel_config CONFIG_NFT_QUOTA m
252 set_kernel_config CONFIG_NFT_REDIR m
253 set_kernel_config CONFIG_NFT_REDIR_IPV4 m
254 set_kernel_config CONFIG_NFT_REDIR_IPV6 m
255 set_kernel_config CONFIG_NFT_REJECT m
256 set_kernel_config CONFIG_NFT_REJECT_INET m
257 set_kernel_config CONFIG_NFT_REJECT_IPV4 m
258 set_kernel_config CONFIG_NFT_REJECT_IPV6 m
259 set_kernel_config CONFIG_NFT_SET_HASH m
260 set_kernel_config CONFIG_NFT_SET_RBTREE m
261 set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
262 set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
263 set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
264 set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
265 set_kernel_config CONFIG_NF_DUP_IPV4 m
266 set_kernel_config CONFIG_NF_DUP_IPV6 m
267 set_kernel_config CONFIG_NF_DUP_NETDEV m
268 set_kernel_config CONFIG_NF_LOG_BRIDGE m
269 set_kernel_config CONFIG_NF_LOG_IPV4 m
270 set_kernel_config CONFIG_NF_LOG_IPV6 m
271 set_kernel_config CONFIG_NF_NAT_IPV4 m
272 set_kernel_config CONFIG_NF_NAT_IPV6 m
273 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
274 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
275 set_kernel_config CONFIG_NF_NAT_PPTP m
276 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
277 set_kernel_config CONFIG_NF_NAT_REDIRECT m
278 set_kernel_config CONFIG_NF_NAT_SIP m
279 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
280 set_kernel_config CONFIG_NF_NAT_TFTP m
281 set_kernel_config CONFIG_NF_REJECT_IPV4 m
282 set_kernel_config CONFIG_NF_REJECT_IPV6 m
283 set_kernel_config CONFIG_NF_TABLES m
284 set_kernel_config CONFIG_NF_TABLES_ARP m
285 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
286 set_kernel_config CONFIG_NF_TABLES_INET m
287 set_kernel_config CONFIG_NF_TABLES_IPV4 m
288 set_kernel_config CONFIG_NF_TABLES_IPV6 m
289 set_kernel_config CONFIG_NF_TABLES_NETDEV m
290 fi
291
292 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
293 if [ "$KERNEL_BPF" = true ] ; then
294 set_kernel_config CONFIG_BPF_SYSCALL y
295 set_kernel_config CONFIG_BPF_EVENTS y
296 set_kernel_config CONFIG_BPF_STREAM_PARSER y
297 set_kernel_config CONFIG_CGROUP_BPF y
298 fi
299
300 # KERNEL_DEFAULT_GOV was set by user
301 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then
302
303 case "$KERNEL_DEFAULT_GOV" in
304 performance)
305 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
306 ;;
307 userspace)
308 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
309 ;;
310 ondemand)
311 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
312 ;;
313 conservative)
314 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
315 ;;
316 shedutil)
317 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
318 ;;
319 *)
320 echo "error: unsupported default cpu governor"
321 exit 1
322 ;;
323 esac
324
325 # unset previous default governor
326 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
327 fi
328
329
330
331 #Revert to previous directory
332 cd "${WORKDIR}" || exit
333
90 334 # Set kernel configuration parameters to enable qemu emulation
91 335 if [ "$ENABLE_QEMU" = true ] ; then
92 336 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
@@ -126,6 +370,7 if [ "$BUILD_KERNEL" = true ] ; then
126 370 if [ "$KERNEL_MENUCONFIG" = true ] ; then
127 371 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
128 372 fi
373 # end if "$KERNELSRC_CONFIG" = true
129 374 fi
130 375
131 376 # Use ccache to cross compile the kernel
@@ -142,6 +387,7 if [ "$BUILD_KERNEL" = true ] ; then
142 387 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
143 388 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
144 389 fi
390 # end if "$KERNELSRC_PREBUILT" = false
145 391 fi
146 392
147 393 # Check if kernel compilation was successful
@@ -237,19 +483,79 if [ "$BUILD_KERNEL" = true ] ; then
237 483 fi
238 484
239 485 else # BUILD_KERNEL=false
240 # Kernel installation
241 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
486 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
242 487
243 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
244 chroot_exec apt-get -qq -y install flash-kernel
488 # Use Sakakis modified kernel if ZSWAP is active
489 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
490 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
491 fi
492
493 # Create temporary directory for dl
494 temp_dir=$(as_nobody mktemp -d)
495
496 # Fetch kernel dl
497 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
498
499 #extract download
500 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
501
502 #move extracted kernel to /boot/firmware
503 mkdir "${R}/boot/firmware"
504 cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
505 cp -r "${temp_dir}"/lib/* "${R}"/lib/
506
507 # Remove temporary directory for kernel sources
508 rm -fr "${temp_dir}"
509
510 # Set permissions of the kernel sources
511 chown -R root:root "${R}/boot/firmware"
512 chown -R root:root "${R}/lib/modules"
513 fi
514
515 # Install Kernel from hypriot comptabile with all Raspberry PI
516 if [ "$SET_ARCH" = 32 ] ; then
517 # Create temporary directory for dl
518 temp_dir=$(as_nobody mktemp -d)
519
520 # Fetch kernel
521 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
522
523 # Copy downloaded U-Boot sources
524 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
525
526 # Set permissions
527 chown -R root:root "${R}"/tmp/kernel.deb
528
529 # Install kernel
530 chroot_exec dpkg -i /tmp/kernel.deb
531
532 # move /boot to /boot/firmware to fit script env.
533 #mkdir "${BOOT_DIR}"
534 mkdir "${temp_dir}"/firmware
535 mv "${R}"/boot/* "${temp_dir}"/firmware/
536 mv "${temp_dir}"/firmware "${R}"/boot/
537
538 #same for kernel headers
539 if [ "$KERNEL_HEADERS" = true ] ; then
540 # Fetch kernel header
541 as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
542 mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
543 chown -R root:root "${R}"/tmp/kernel-header.deb
544 # Install kernel header
545 chroot_exec dpkg -i /tmp/kernel-header.deb
546 rm -f "${R}"/tmp/kernel-header.deb
547 fi
548
549 # Remove temporary directory and files
550 rm -fr "${temp_dir}"
551 rm -f "${R}"/tmp/kernel.deb
552 fi
245 553
246 554 # Check if kernel installation was successful
247 VMLINUZ="$(ls -1 "${R}"/boot/vmlinuz-* | sort | tail -n 1)"
248 if [ -z "$VMLINUZ" ] ; then
249 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
555 KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)"
556 if [ -z "$KERNEL" ] ; then
557 echo "error: kernel installation failed! (/boot/kernel* not found)"
250 558 cleanup
251 559 exit 1
252 560 fi
253 # Copy vmlinuz kernel to the boot directory
254 install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}"
255 561 fi
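Review bot: The nested `if [ "$KERNEL_NF" = true ]` under "# New Options" in the KERNEL_SECURITY block has no `then`, so the shell cannot parse the script; it should read `if [ "$KERNEL_NF" = true ] ; then`. In the same block many hardening options are passed as a single word (`set_kernel_config CONFIG_HARDENED_USERCOPY=y`, likewise the FORTIFY_SOURCE, INTEGRITY_*, KEYS*, DMESG_RESTRICT, NETWORK_XFRM, PATH and YAMA lines) while every other call passes name and value as two arguments. set_kernel_config is defined outside this page, but if it expects two arguments these options are presumably not applied and `KERNEL_SECURITY=true` yields a less hardened kernel than intended; use `set_kernel_config CONFIG_HARDENED_USERCOPY y`. The governor `case` also spells `shedutil`, so the value `schedutil` would end in the "unsupported default cpu governor" branch. The enclosing `BUILD_KERNEL` block starts and ends outside this hunk.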
@@ -5,7 +5,6
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 if [ "$BUILD_KERNEL" = true ] ; then
9 8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
10 9 # Install boot binaries from local directory
11 10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
@@ -38,7 +37,6 if [ "$BUILD_KERNEL" = true ] ; then
38 37 chown -R root:root "${BOOT_DIR}"
39 38 chmod -R 600 "${BOOT_DIR}"
40 39 fi
41 fi
42 40
43 41 # Setup firmware boot cmdline
44 42 if [ "$ENABLE_SPLITFS" = true ] ; then
@@ -56,18 +54,36 if [ "$ENABLE_CRYPTFS" = true ] ; then
56 54 fi
57 55 fi
58 56
59 #locks cpu at max frequency
60 if [ "$ENABLE_TURBO" = true ] ; then
61 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
62 fi
63
57 # Enable Kernel messages on standard output
64 58 if [ "$ENABLE_PRINTK" = true ] ; then
65 59 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
66 60 fi
67 61
68 # Install udev rule for serial alias
62 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
69 63 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
70 64
65 # Remove IPv6 networking support
66 if [ "$ENABLE_IPV6" = false ] ; then
67 CMDLINE="${CMDLINE} ipv6.disable=1"
68 fi
69
70 # Automatically assign predictable network interface names
71 if [ "$ENABLE_IFNAMES" = false ] ; then
72 CMDLINE="${CMDLINE} net.ifnames=0"
73 else
74 CMDLINE="${CMDLINE} net.ifnames=1"
75 fi
76
77 # Install firmware config
78 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
79
80 # Locks CPU frequency at maximum
81 if [ "$ENABLE_TURBO" = true ] ; then
82 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
83 # helps to avoid sdcard corruption when force_turbo is enabled.
84 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
85 fi
86
71 87 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
72 88
73 89 # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface
@@ -152,24 +168,49 else
152 168 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
153 169 fi
154 170
155 # Remove IPv6 networking support
156 if [ "$ENABLE_IPV6" = false ] ; then
157 CMDLINE="${CMDLINE} ipv6.disable=1"
158 fi
171 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
172 # Create temporary directory for systemd-swap sources
173 temp_dir=$(as_nobody mktemp -d)
159 174
160 # Automatically assign predictable network interface names
161 if [ "$ENABLE_IFNAMES" = false ] ; then
162 CMDLINE="${CMDLINE} net.ifnames=0"
175 # Fetch systemd-swap sources
176 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
177
178 # Copy downloaded systemd-swap sources
179 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
180
181 # Set permissions of the systemd-swap sources
182 chown -R root:root "${R}/tmp/systemd-swap"
183
184 # Remove temporary directory for systemd-swap sources
185 rm -fr "${temp_dir}"
186
187 # Change into downloaded src dir
188 cd "${R}/tmp/systemd-swap" || exit
189
190 # Build package
191 . ./package.sh debian
192
193 # Install package
194 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb
195
196 # Enable service
197 chroot_exec systemctl enable systemd-swap
198
199 # Change back into script root dir
200 cd "${WORKDIR}" || exit
163 201 else
164 CMDLINE="${CMDLINE} net.ifnames=1"
202 # Enable ZSWAP in cmdline if systemd-swap is not used
203 if [ "$KERNEL_ZSWAP" = true ] ; then
204 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
205 fi
206 fi
207 if [ "$KERNEL_SECURITY" = true ] ; then
208 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
165 209 fi
166 210
167 211 # Install firmware boot cmdline
168 212 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
169 213
170 # Install firmware config
171 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
172
173 214 # Setup minimal GPU memory allocation size: 16MB (no X)
174 215 if [ "$ENABLE_MINGPU" = true ] ; then
175 216 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
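Review bot: `. ./package.sh debian` sources a script from the freshly cloned `systemd-swap` repository into the build script's own shell, so it runs outside the chroot with the build's privileges and can change the build's variables, working directory or exit status. Confining it to a subshell keeps it from altering the build's state, e.g. `( cd "${R}/tmp/systemd-swap" && . ./package.sh debian )`, assuming nothing later relies on variables it sets. The visible lines also never remove `"${R}/tmp/systemd-swap"`, so unless a cleanup outside this page handles it the sources and the built package stay in the image; `rm -fr "${R}/tmp/systemd-swap"` after the `dpkg -i` would match how the nexmon script removes its sources.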
@@ -9,9 +9,10 if [ "$ENABLE_IPTABLES" = true ] ; then
9 9 # Create iptables configuration directory
10 10 mkdir -p "${ETC_DIR}/iptables"
11 11
12 # make sure iptables-legacy is the used alternatives
12 if [ "$KERNEL_NF" = false ] ; then
13 13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
14 14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 fi
15 16
16 17 # Install iptables systemd service
17 18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
@@ -27,6 +28,10 if [ "$ENABLE_IPTABLES" = true ] ; then
27 28 chroot_exec systemctl enable iptables.service
28 29
29 30 if [ "$ENABLE_IPV6" = true ] ; then
31 if [ "$KERNEL_NF" = false ] ; then
32 #iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
30 35 # Install ip6tables systemd service
31 36 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
32 37
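Review bot: The `update-alternatives --set iptables /usr/sbin/iptables-legacy` call now depends only on `KERNEL_NF`, and the comment that explained it ("make sure iptables-legacy is the used alternatives") was dropped, so the reason for the condition is no longer stated. Elsewhere on this page `KERNEL_NF` changes the kernel configuration only when the kernel is compiled; with a precompiled kernel the flag may not reflect whether nf_tables is available, in which case the iptables service could fail to load its ruleset at boot, which is worth confirming. If the intent is as it appears, I would restore a comment such as `# KERNEL_NF=false: nf_tables modules are not built, select the iptables-legacy backend`, and reword the copied comment in the ip6tables hunk, which still speaks of iptables.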
@@ -57,6 +57,20 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
59 59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
60 NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
61 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
62
63 # Kernel deb packages for 32bit kernel
64 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
65 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
66 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
68 # Default precompiled 64bit kernel
69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
70 # Generic
71 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
72 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
73 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
60 74
61 75 # Build directories
62 76 WORKDIR=$(pwd)
@@ -138,14 +152,17 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
138 152 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
139 153
140 154 # Advanced settings
155 ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
141 156 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
142 157 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
143 158 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
144 159 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
145 160 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
146 161 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
162 ENABLE_NEXMON=${ENABLE_NEXMON:=false}
147 163 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
148 164 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
165 NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
149 166 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
150 167 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
151 168 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
@@ -162,6 +179,12 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
162 179 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
163 180 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
164 181 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
182 KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
183 KERNEL_VIRT=${KERNEL_VIRT:=false}
184 KERNEL_BPF=${KERNEL_BPF:=false}
185 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
186 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
187 KERNEL_NF=${KERNEL_NF:=false}
165 188
166 189 # Kernel compilation from source directory settings
167 190 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
@@ -298,9 +321,12 esac
298 321 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
299 322 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
300 323 # Include bluetooth packages on supported boards
301 if [ "$ENABLE_BLUETOOTH" = true ] && [ "$ENABLE_CONSOLE" = false ]; then
324 if [ "$ENABLE_BLUETOOTH" = true ] ; then
302 325 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
303 326 fi
327 if [ "$ENABLE_WIRELESS" = true ] ; then
328 APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
329 fi
304 330 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
305 331 # Check if the internal wireless interface is not supported by the RPi model
306 332 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
@@ -309,6 +335,11 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
309 335 fi
310 336 fi
311 337
338 if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
339 echo "error: You have to compile kernel sources, if you want to enable nexmon"
340 exit 1
341 fi
342
312 343 # Prepare date string for default image file name
313 344 DATE="$(date +%Y-%m-%d)"
314 345 if [ -z "$KERNEL_BRANCH" ] ; then
@@ -330,6 +361,11 if [ "$ENABLE_VIDEOCORE" = true ] ; then
330 361 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
331 362 fi
332 363
364 # Add deps for nexmon
365 if [ "$ENABLE_NEXMON" = true ] ; then
366 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
367 fi
368
333 369 # Add libncurses5 to enable kernel menuconfig
334 370 if [ "$KERNEL_MENUCONFIG" = true ] ; then
335 371 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
@@ -386,6 +422,11 if [ -n "$SSH_USER_PUB_KEY" ] ; then
386 422 fi
387 423 fi
388 424
425 if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
426 echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
427 exit 1
428 fi
429
389 430 # Check if all required packages are installed on the build system
390 431 for package in $REQUIRED_PACKAGES ; do
391 432 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
@@ -442,6 +483,12 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
442 483 exit 1
443 484 fi
444 485
486 # Check if specified NEXMONSRC_DIR directory exists
487 if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
488 echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
489 exit 1
490 fi
491
445 492 # Check if specified CHROOT_SCRIPTS directory exists
446 493 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
447 494 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
@@ -493,6 +540,10 fi
493 540 if [ "$ENABLE_IPTABLES" = true ] ; then
494 541 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
495 542 fi
543 # Add apparmor for KERNEL_SECURITY
544 if [ "$KERNEL_SECURITY" = true ] ; then
545 APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
546 fi
496 547
497 548 # Add openssh server package
498 549 if [ "$ENABLE_SSHD" = true ] ; then
@@ -546,16 +597,6 if [ "$ENABLE_SYSVINIT" = false ] ; then
546 597 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
547 598 fi
548 599
549 # Check if kernel is getting compiled
550 if [ "$BUILD_KERNEL" = false ] ; then
551 echo "Downloading precompiled kernel"
552 echo "error: not configured"
553 exit 1;
554 # BUILD_KERNEL=true
555 else
556 echo "No precompiled kernel repositories were added"
557 fi
558
559 600 # Configure kernel sources if no KERNELSRC_DIR
560 601 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
561 602 KERNELSRC_CONFIG=true
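Review bot: The new defaults disagree with the README text added in the same commit: `KERNEL_BPF` defaults to `false` here but is documented as `true`, and `KERNEL_DEFAULT_GOV` defaults to `powersave` while the README shows `"ONDEMAND"` and lists upper-case values that the lower-case `case` in the kernel script would reject with "unsupported default cpu governor". Either align the documentation or normalise the value before it is matched. With `ENABLE_NEXMON=true` the kernel is also taken from `KALI_KERNEL_URL` with `KERNEL_BRANCH` forced empty, so the build follows that repository's default branch; a comment next to `KALI_KERNEL_URL` such as `# unpinned: follows the repository's default branch` would help users who need reproducible images.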