##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

Merge branch 'master' of https://github.com/fpytloun/rpi2-gen-image into fpytloun-master
Jan Wagner -
r50:58eaf5383a31 Fusion
parent child
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,43
1 # For more options and information see
2 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
3 # Some settings may impact device functionality. See link above for details
4
5 # uncomment if you get no picture on HDMI for a default "safe" mode
6 #hdmi_safe=1
7
8 # uncomment this if your display has a black border of unused pixels visible
9 # and your display can output without overscan
10 #disable_overscan=1
11
12 # uncomment the following to adjust overscan. Use positive numbers if console
13 # goes off screen, and negative if there is too much border
14 #overscan_left=16
15 #overscan_right=16
16 #overscan_top=16
17 #overscan_bottom=16
18
19 # uncomment to force a console size. By default it will be display's size minus
20 # overscan.
21 #framebuffer_width=1280
22 #framebuffer_height=720
23
24 # uncomment if hdmi display is not detected and composite is being output
25 #hdmi_force_hotplug=1
26
27 # uncomment to force a specific HDMI mode (this will force VGA)
28 #hdmi_group=1
29 #hdmi_mode=1
30
31 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
32 # DMT (computer monitor) modes
33 #hdmi_drive=2
34
35 # uncomment to increase signal to HDMI, if you have interference, blanking, or
36 # no display
37 #config_hdmi_boost=4
38
39 # uncomment for composite PAL
40 #sdtv_mode=2
41
42 # uncomment to overclock the arm. 700 MHz is the default.
43 #arm_freq=800
Show file before | Show file after | Hide comments
@@ -0,0 +1,2
1 #!/bin/sh -e
2 logger -t "rc.firstboot" "Starting first boot actions"
Show file before | Show file after | Hide comments
@@ -0,0 +1,8
1 logger -t "rc.firstboot" "Generating SSH host keys"
2 rm -f /etc/ssh/ssh_host_*
3 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
7
8 systemctl restart sshd
Show file before | Show file after | Hide comments
@@ -0,0 +1,52
1 logger -t "rc.firstboot" "Expanding root"
2 ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
3 PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
4 case "${ROOT_PART}" in
5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 sda*) ROOT_DEV=sda ;;
7 esac
8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 return 0
11 fi
12
13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 # agree to work with a sufficiently simple partition layout
15 if [ "$PART_NUM" -gt 2 ]; then
16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 return 0
18 fi
19 LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
20 if [ $LAST_PART_NUM -ne $PART_NUM ]; then
21 logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
22 return 0
23 fi
24
25 # Get the starting offset of the root partition
26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
28
29 # Get the possible last sector for the root partition
30 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
32
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 p
38 d
39 $PART_NUM
40 n
41 p
42 $PART_NUM
43 $PART_START
44 $PART_LAST
45 p
46 w
47 EOF2
48
49 # Reload the partition table, resize root filesystem then remove resizing code from this file
50 partprobe &&
51 resize2fs /dev/${ROOT_PART} &&
52 logger -t "rc.firstboot" "Root partition successfuly resized."
Show file before | Show file after | Hide comments
@@ -0,0 +1,3
1 logger -t "rc.firstboot" "First boot actions finished"
2 rm -f /etc/rc.firstboot
3 sed -i '/.*rc.firstboot/d' /etc/rc.local
Show file before | Show file after | Hide comments
@@ -0,0 +1,2
1 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
2 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 #!/bin/sh
2 ip6tables -F
3 ip6tables -X
4 ip6tables -Z
5
6 for table in $(</proc/net/ip6_tables_names)
7 do
8 ip6tables -t \$table -F
9 ip6tables -t \$table -X
10 ip6tables -t \$table -Z
11 done
12
13 ip6tables -P INPUT ACCEPT
14 ip6tables -P OUTPUT ACCEPT
15 ip6tables -P FORWARD ACCEPT
Show file before | Show file after | Hide comments
@@ -0,0 +1,10
1 #!/bin/sh
2 iptables -F
3 iptables -X
4 iptables -t nat -F
5 iptables -t nat -X
6 iptables -t mangle -F
7 iptables -t mangle -X
8 iptables -P INPUT ACCEPT
9 iptables -P FORWARD ACCEPT
10 iptables -P OUTPUT ACCEPT
Show file before | Show file after | Hide comments
@@ -0,0 +1,48
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Drop packets with RH0 headers
10 -A INPUT -m rt --rt-type 0 -j DROP
11 -A OUTPUT -m rt --rt-type 0 -j DROP
12 -A FORWARD -m rt --rt-type 0 -j DROP
13
14 # Rate limit ping requests
15 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
16 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
17
18 # Accept established connections
19 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
20
21 # Accept all traffic on loopback interface
22 -A INPUT -i lo -j ACCEPT
23
24 # Drop packets declared invalid
25 -A INPUT -m conntrack --ctstate INVALID -j DROP
26
27 # SSH rate limiting
28 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
29 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
30 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
31 -A SSH -m recent --name sshbf --set -j ACCEPT
32
33 # Send TCP and UDP connections to their respective rules chain
34 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
35 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
36
37 # Reject dropped packets with a RFC compliant responce
38 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
39 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
40 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
41
42 ## TCP PORT RULES
43 # -A TCP -p tcp -j LOG
44
45 ## UDP PORT RULES
46 # -A UDP -p udp -j LOG
47
48 COMMIT
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
10 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
11 ExecStop=/etc/iptables/flush-ip6tables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
Show file before | Show file after | Hide comments
@@ -0,0 +1,43
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Rate limit ping requests
10 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
11 -A INPUT -p icmp --icmp-type echo-request -j DROP
12
13 # Accept established connections
14 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
15
16 # Accept all traffic on loopback interface
17 -A INPUT -i lo -j ACCEPT
18
19 # Drop packets declared invalid
20 -A INPUT -m conntrack --ctstate INVALID -j DROP
21
22 # SSH rate limiting
23 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
24 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
25 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
26 -A SSH -m recent --name sshbf --set -j ACCEPT
27
28 # Send TCP and UDP connections to their respective rules chain
29 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
30 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
31
32 # Reject dropped packets with a RFC compliant responce
33 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
34 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
35 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
36
37 ## TCP PORT RULES
38 # -A TCP -p tcp -j LOG
39
40 ## UDP PORT RULES
41 # -A UDP -p udp -j LOG
42
43 COMMIT
Show file before | Show file after | Hide comments
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
10 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
11 ExecStop=/etc/iptables/flush-iptables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
Show file before | Show file after | Hide comments
@@ -0,0 +1,9
1 blacklist snd_soc_core
2 blacklist snd_pcm
3 blacklist snd_pcm_dmaengine
4 blacklist snd_timer
5 blacklist snd_compress
6 blacklist snd_soc_pcm512x_i2c
7 blacklist snd_soc_pcm512x
8 blacklist snd_soc_tas5713
9 blacklist snd_soc_wm8804
Show file before | Show file after | Hide comments
@@ -0,0 +1,6
1 # Avoid swapping and increase cache sizes
2 vm.swappiness=1
3 vm.dirty_background_ratio=20
4 vm.dirty_ratio=40
5 vm.dirty_writeback_centisecs=500
6 vm.dirty_expire_centisecs=6000
Show file before | Show file after | Hide comments
@@ -0,0 +1,59
1 # Enable network stack hardening
2 net.ipv4.tcp_timestamps=0
3 net.ipv4.tcp_syncookies=1
4 net.ipv4.conf.all.rp_filter=1
5 net.ipv4.conf.all.accept_redirects=0
6 net.ipv4.conf.all.send_redirects=0
7 net.ipv4.conf.all.accept_source_route=0
8 net.ipv4.conf.default.rp_filter=1
9 net.ipv4.conf.default.accept_redirects=0
10 net.ipv4.conf.default.send_redirects=0
11 net.ipv4.conf.default.accept_source_route=0
12 net.ipv4.conf.lo.accept_redirects=0
13 net.ipv4.conf.lo.send_redirects=0
14 net.ipv4.conf.lo.accept_source_route=0
15 net.ipv4.conf.eth0.accept_redirects=0
16 net.ipv4.conf.eth0.send_redirects=0
17 net.ipv4.conf.eth0.accept_source_route=0
18 net.ipv4.icmp_echo_ignore_broadcasts=1
19 net.ipv4.icmp_ignore_bogus_error_responses=1
20
21 net.ipv6.conf.all.accept_redirects=0
22 net.ipv6.conf.all.accept_source_route=0
23 net.ipv6.conf.all.router_solicitations=0
24 net.ipv6.conf.all.accept_ra_rtr_pref=0
25 net.ipv6.conf.all.accept_ra_pinfo=0
26 net.ipv6.conf.all.accept_ra_defrtr=0
27 net.ipv6.conf.all.autoconf=0
28 net.ipv6.conf.all.dad_transmits=0
29 net.ipv6.conf.all.max_addresses=1
30
31 net.ipv6.conf.default.accept_redirects=0
32 net.ipv6.conf.default.accept_source_route=0
33 net.ipv6.conf.default.router_solicitations=0
34 net.ipv6.conf.default.accept_ra_rtr_pref=0
35 net.ipv6.conf.default.accept_ra_pinfo=0
36 net.ipv6.conf.default.accept_ra_defrtr=0
37 net.ipv6.conf.default.autoconf=0
38 net.ipv6.conf.default.dad_transmits=0
39 net.ipv6.conf.default.max_addresses=1
40
41 net.ipv6.conf.lo.accept_redirects=0
42 net.ipv6.conf.lo.accept_source_route=0
43 net.ipv6.conf.lo.router_solicitations=0
44 net.ipv6.conf.lo.accept_ra_rtr_pref=0
45 net.ipv6.conf.lo.accept_ra_pinfo=0
46 net.ipv6.conf.lo.accept_ra_defrtr=0
47 net.ipv6.conf.lo.autoconf=0
48 net.ipv6.conf.lo.dad_transmits=0
49 net.ipv6.conf.lo.max_addresses=1
50
51 net.ipv6.conf.eth0.accept_redirects=0
52 net.ipv6.conf.eth0.accept_source_route=0
53 net.ipv6.conf.eth0.router_solicitations=0
54 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
55 net.ipv6.conf.eth0.accept_ra_pinfo=0
56 net.ipv6.conf.eth0.accept_ra_defrtr=0
57 net.ipv6.conf.eth0.autoconf=0
58 net.ipv6.conf.eth0.dad_transmits=0
59 net.ipv6.conf.eth0.max_addresses=1
Show file before | Show file after | Hide comments
@@ -43,6 +43,9 Set default system locale. This setting can also be changed inside the running O
43 43 ##### `TIMEZONE`="Europe/Berlin"
44 44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45 45
46 ##### `EXPANDROOT`=true
47 Expand the root partition and filesystem automatically on first boot.
48
46 49 #### Keyboard settings:
47 50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 51 ##### `XKBMODEL`=""
@@ -87,6 +90,10 Enable IPv6 support. The network interface configuration is managed via systemd-
87 90 ##### `ENABLE_SSHD`=true
88 91 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89 92
93 ##### `ENABLE_RSYSLOG`=true
94 If set to false, disable and uninstall rsyslog (so logs will be available only
95 in journal files)
96
90 97 ##### `ENABLE_SOUND`=true
91 98 Enable sound hardware and install Advanced Linux Sound Architecture.
92 99
@@ -118,6 +125,16 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please
118 125 ##### `ENABLE_IPTABLES`=false
119 126 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120 127
128 ##### `ENABLE_USER`=true
129 Create pi user with password raspberry
130
131 ##### `ENABLE_ROOT`=true
132 Set root user password so root login will be enabled
133
134 ##### `ENABLE_ROOT_SSH`=true
135 Enable password root login via SSH. May be a security risk with default
136 password, use only in trusted environments.
137
121 138 ##### `ENABLE_HARDNET`=false
122 139 Enable IPv4/IPv6 network stack hardening settings.
123 140
Show file before | Show file after | Hide comments
@@ -30,11 +30,17 cleanup (){
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 38 set -e
34 39 set -x
35 40
36 41 # Debian release
37 42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38 44
39 45 # Build settings
40 46 BASEDIR=./images/${RELEASE}
@@ -49,6 +55,7 XKBMODEL=${XKBMODEL:=""}
49 55 XKBLAYOUT=${XKBLAYOUT:=""}
50 56 XKBVARIANT=${XKBVARIANT:=""}
51 57 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
52 59
53 60 # Network settings
54 61 ENABLE_DHCP=${ENABLE_DHCP:=true}
@@ -76,6 +83,10 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 84 ENABLE_XORG=${ENABLE_XORG:=false}
78 85 ENABLE_WM=${ENABLE_WM:=""}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79 90
80 91 # Advanced settings
81 92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
@@ -148,6 +159,11 else
148 159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 160 fi
150 161
162 # Add parted package, required to get partprobe utility
163 if [ "$EXPANDROOT" = true ] ; then
164 APT_INCLUDES="${APT_INCLUDES},parted"
165 fi
166
151 167 # Add dbus package, recommended if using systemd
152 168 if [ "$ENABLE_DBUS" = true ] ; then
153 169 APT_INCLUDES="${APT_INCLUDES},dbus"
@@ -173,6 +189,10 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 190 fi
175 191
192 if [ "$ENABLE_USER" = true ]; then
193 APT_INCLUDES="${APT_INCLUDES},sudo"
194 fi
195
176 196 # Add fbturbo video driver
177 197 if [ "$ENABLE_FBTURBO" = true ] ; then
178 198 # Enable xorg package dependencies
@@ -228,12 +248,12 EOM
228 248
229 249 # Set up timezone
230 250 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232 252
233 253 # Upgrade collabora package index and install collabora keyring
234 254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
255 chroot_exec apt-get -qq -y update
256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237 257
238 258 # Set up initial sources.list
239 259 cat <<EOM >$R/etc/apt/sources.list
@@ -250,8 +270,8 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 270 EOM
251 271
252 272 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
273 chroot_exec apt-get -qq -y update
274 chroot_exec apt-get -qq -y -u dist-upgrade
255 275
256 276 # Set up default locale and keyboard configuration
257 277 if [ "$ENABLE_MINBASE" = false ] ; then
@@ -259,60 +279,50 if [ "$ENABLE_MINBASE" = false ] ; then
259 279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 280 # ... so we have to set locales manually
261 281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 283 else
264 284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 287 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
290 chroot_exec locale-gen
291 chroot_exec update-locale LANG=${DEFLOCAL}
272 292
273 293 # Keyboard configuration, if requested
274 294 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 296 fi
277 297 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 299 fi
280 300 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 302 fi
283 303 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 305 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 307 # Set up font console
288 308 case "${DEFLOCAL}" in
289 309 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 311 ;;
292 312 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 314 ;;
295 315 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 317 fi
298 318
299 319 # Kernel installation
300 320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
322 chroot_exec apt-get -qq -y install flash-kernel
303 323
304 324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 325 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 326 cp $VMLINUZ $R/boot/firmware/kernel7.img
317 327
318 328 # Set up IPv4 hosts
@@ -374,17 +384,27 EOM
374 384 fi
375 385
376 386 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
387 chroot_exec systemctl enable systemd-networkd
378 388
379 389 # Generate crypt(3) password string
380 390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381 391
382 392 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
393 if [ "$ENABLE_USER" = true ] ; then
394 chroot_exec adduser --gecos \"Raspberry\ PI\ user\" --add_extra_groups --disabled-password pi
395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
396 fi
397
398 # Set up root password or not
399 if [ "$ENABLE_ROOT" = true ]; then
400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
385 401
386 # Set up root password
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
402 if [ "$ENABLE_ROOT_SSH" = true ]; then
403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
404 fi
405 else
406 chroot_exec usermod -p \'!\' root
407 fi
388 408
389 409 # Set up firmware boot cmdline
390 410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
@@ -402,51 +422,7 fi
402 422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403 423
404 424 # Set up firmware config
405 cat <<EOM >$R/boot/firmware/config.txt
406 # For more options and information see
407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 # Some settings may impact device functionality. See link above for details
409
410 # uncomment if you get no picture on HDMI for a default "safe" mode
411 #hdmi_safe=1
412
413 # uncomment this if your display has a black border of unused pixels visible
414 # and your display can output without overscan
415 #disable_overscan=1
416
417 # uncomment the following to adjust overscan. Use positive numbers if console
418 # goes off screen, and negative if there is too much border
419 #overscan_left=16
420 #overscan_right=16
421 #overscan_top=16
422 #overscan_bottom=16
423
424 # uncomment to force a console size. By default it will be display's size minus
425 # overscan.
426 #framebuffer_width=1280
427 #framebuffer_height=720
428
429 # uncomment if hdmi display is not detected and composite is being output
430 #hdmi_force_hotplug=1
431
432 # uncomment to force a specific HDMI mode (this will force VGA)
433 #hdmi_group=1
434 #hdmi_mode=1
435
436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 # DMT (computer monitor) modes
438 #hdmi_drive=2
439
440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 # no display
442 #config_hdmi_boost=4
443
444 # uncomment for composite PAL
445 #sdtv_mode=2
446
447 # uncomment to overclock the arm. 700 MHz is the default.
448 #arm_freq=800
449 EOM
425 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
450 426
451 427 # Load snd_bcm2835 kernel module at boot time
452 428 if [ "$ENABLE_SOUND" = true ] ; then
@@ -476,99 +452,17 fi
476 452 mkdir -p $R/etc/modprobe.d/
477 453
478 454 # Blacklist sound modules
479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
480 blacklist snd_soc_core
481 blacklist snd_pcm
482 blacklist snd_pcm_dmaengine
483 blacklist snd_timer
484 blacklist snd_compress
485 blacklist snd_soc_pcm512x_i2c
486 blacklist snd_soc_pcm512x
487 blacklist snd_soc_tas5713
488 blacklist snd_soc_wm8804
489 EOM
455 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
490 456
491 457 # Create default fstab
492 cat <<EOM >$R/etc/fstab
493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 EOM
496
497 # Avoid swapping and increase cache sizes
498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
458 install -o root -g root -m 644 files/fstab $R/etc/fstab
499 459
500 460 # Avoid swapping and increase cache sizes
501 vm.swappiness=1
502 vm.dirty_background_ratio=20
503 vm.dirty_ratio=40
504 vm.dirty_writeback_centisecs=500
505 vm.dirty_expire_centisecs=6000
506 EOM
461 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
507 462
508 463 # Enable network stack hardening
509 464 if [ "$ENABLE_HARDNET" = true ] ; then
510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
511
512 # Enable network stack hardening
513 net.ipv4.tcp_timestamps=0
514 net.ipv4.tcp_syncookies=1
515 net.ipv4.conf.all.rp_filter=1
516 net.ipv4.conf.all.accept_redirects=0
517 net.ipv4.conf.all.send_redirects=0
518 net.ipv4.conf.all.accept_source_route=0
519 net.ipv4.conf.default.rp_filter=1
520 net.ipv4.conf.default.accept_redirects=0
521 net.ipv4.conf.default.send_redirects=0
522 net.ipv4.conf.default.accept_source_route=0
523 net.ipv4.conf.lo.accept_redirects=0
524 net.ipv4.conf.lo.send_redirects=0
525 net.ipv4.conf.lo.accept_source_route=0
526 net.ipv4.conf.eth0.accept_redirects=0
527 net.ipv4.conf.eth0.send_redirects=0
528 net.ipv4.conf.eth0.accept_source_route=0
529 net.ipv4.icmp_echo_ignore_broadcasts=1
530 net.ipv4.icmp_ignore_bogus_error_responses=1
531
532 net.ipv6.conf.all.accept_redirects=0
533 net.ipv6.conf.all.accept_source_route=0
534 net.ipv6.conf.all.router_solicitations=0
535 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 net.ipv6.conf.all.accept_ra_pinfo=0
537 net.ipv6.conf.all.accept_ra_defrtr=0
538 net.ipv6.conf.all.autoconf=0
539 net.ipv6.conf.all.dad_transmits=0
540 net.ipv6.conf.all.max_addresses=1
541
542 net.ipv6.conf.default.accept_redirects=0
543 net.ipv6.conf.default.accept_source_route=0
544 net.ipv6.conf.default.router_solicitations=0
545 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 net.ipv6.conf.default.accept_ra_pinfo=0
547 net.ipv6.conf.default.accept_ra_defrtr=0
548 net.ipv6.conf.default.autoconf=0
549 net.ipv6.conf.default.dad_transmits=0
550 net.ipv6.conf.default.max_addresses=1
551
552 net.ipv6.conf.lo.accept_redirects=0
553 net.ipv6.conf.lo.accept_source_route=0
554 net.ipv6.conf.lo.router_solicitations=0
555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 net.ipv6.conf.lo.accept_ra_pinfo=0
557 net.ipv6.conf.lo.accept_ra_defrtr=0
558 net.ipv6.conf.lo.autoconf=0
559 net.ipv6.conf.lo.dad_transmits=0
560 net.ipv6.conf.lo.max_addresses=1
561
562 net.ipv6.conf.eth0.accept_redirects=0
563 net.ipv6.conf.eth0.accept_source_route=0
564 net.ipv6.conf.eth0.router_solicitations=0
565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 net.ipv6.conf.eth0.autoconf=0
569 net.ipv6.conf.eth0.dad_transmits=0
570 net.ipv6.conf.eth0.max_addresses=1
571 EOM
465 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
572 466
573 467 # Enable resolver warnings about spoofed addresses
574 468 cat <<EOM >>$R/etc/host.conf
@@ -576,15 +470,36 spoof warn
576 470 EOM
577 471 fi
578 472
579 # Regenerate openssh server host keys
473 # First boot actions
474 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
475
476 # Ensure openssh server host keys are regenerated on first boot
580 477 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
582 LANG=C chroot $R dpkg-reconfigure openssh-server
478 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
479 rm -f $R/etc/ssh/ssh_host_*
480 fi
481
482 if [ "$EXPANDROOT" = true ] ; then
483 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
484 fi
485
486 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
487 chmod +x $R/etc/rc.firstboot
488
489 sed -i '/exit 0/d' $R/etc/rc.local
490 echo /etc/rc.firstboot >> $R/etc/rc.local
491 echo exit 0 >> $R/etc/rc.local
492
493 # Disable rsyslog
494 if [ "$ENABLE_RSYSLOG" = false ]; then
495 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
496 chroot_exec systemctl disable rsyslog
497 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 498 fi
584 499
585 500 # Enable serial console systemd style
586 501 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
502 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 503 fi
589 504
590 505 # Enable firewall based on iptables started by systemd service
@@ -593,177 +508,30 if [ "$ENABLE_IPTABLES" = true ] ; then
593 508 mkdir -p "$R/etc/iptables"
594 509
595 510 # Create iptables systemd service
596 cat <<EOM >$R/etc/systemd/system/iptables.service
597 [Unit]
598 Description=Packet Filtering Framework
599 DefaultDependencies=no
600 After=systemd-sysctl.service
601 Before=sysinit.target
602 [Service]
603 Type=oneshot
604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 ExecStop=/etc/iptables/flush-iptables.sh
607 RemainAfterExit=yes
608 [Install]
609 WantedBy=multi-user.target
610 EOM
511 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
611 512
612 513 # Create flush-table script called by iptables service
613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
614 #!/bin/sh
615 iptables -F
616 iptables -X
617 iptables -t nat -F
618 iptables -t nat -X
619 iptables -t mangle -F
620 iptables -t mangle -X
621 iptables -P INPUT ACCEPT
622 iptables -P FORWARD ACCEPT
623 iptables -P OUTPUT ACCEPT
624 EOM
514 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
625 515
626 516 # Create iptables rule file
627 cat <<EOM >$R/etc/iptables/iptables.rules
628 *filter
629 :INPUT DROP [0:0]
630 :FORWARD DROP [0:0]
631 :OUTPUT ACCEPT [0:0]
632 :TCP - [0:0]
633 :UDP - [0:0]
634 :SSH - [0:0]
635
636 # Rate limit ping requests
637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 -A INPUT -p icmp --icmp-type echo-request -j DROP
639
640 # Accept established connections
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642
643 # Accept all traffic on loopback interface
644 -A INPUT -i lo -j ACCEPT
645
646 # Drop packets declared invalid
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
648
649 # SSH rate limiting
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 -A SSH -m recent --name sshbf --set -j ACCEPT
654
655 # Send TCP and UDP connections to their respective rules chain
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658
659 # Reject dropped packets with a RFC compliant responce
660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663
664 ## TCP PORT RULES
665 # -A TCP -p tcp -j LOG
666
667 ## UDP PORT RULES
668 # -A UDP -p udp -j LOG
669
670 COMMIT
671 EOM
517 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
672 518
673 519 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
520 chroot_exec systemctl daemon-reload
521 chroot_exec systemctl enable iptables.service
676 522
677 523 if [ "$ENABLE_IPV6" = true ] ; then
678 524 # Create ip6tables systemd service
679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
680 [Unit]
681 Description=Packet Filtering Framework
682 DefaultDependencies=no
683 After=systemd-sysctl.service
684 Before=sysinit.target
685 [Service]
686 Type=oneshot
687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 ExecStop=/etc/iptables/flush-ip6tables.sh
690 RemainAfterExit=yes
691 [Install]
692 WantedBy=multi-user.target
693 EOM
525 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
694 526
695 527 # Create ip6tables file
696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
697 #!/bin/sh
698 ip6tables -F
699 ip6tables -X
700 ip6tables -Z
701 for table in $(</proc/net/ip6_tables_names)
702 do
703 ip6tables -t \$table -F
704 ip6tables -t \$table -X
705 ip6tables -t \$table -Z
706 done
707 ip6tables -P INPUT ACCEPT
708 ip6tables -P OUTPUT ACCEPT
709 ip6tables -P FORWARD ACCEPT
710 EOM
711
712 # Create ip6tables rule file
713 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 *filter
715 :INPUT DROP [0:0]
716 :FORWARD DROP [0:0]
717 :OUTPUT ACCEPT [0:0]
718 :TCP - [0:0]
719 :UDP - [0:0]
720 :SSH - [0:0]
528 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
721 529
722 # Drop packets with RH0 headers
723 -A INPUT -m rt --rt-type 0 -j DROP
724 -A OUTPUT -m rt --rt-type 0 -j DROP
725 -A FORWARD -m rt --rt-type 0 -j DROP
530 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
726 531
727 # Rate limit ping requests
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
730
731 # Accept established connections
732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733
734 # Accept all traffic on loopback interface
735 -A INPUT -i lo -j ACCEPT
736
737 # Drop packets declared invalid
738 -A INPUT -m conntrack --ctstate INVALID -j DROP
739
740 # SSH rate limiting
741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 -A SSH -m recent --name sshbf --set -j ACCEPT
745
746 # Send TCP and UDP connections to their respective rules chain
747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749
750 # Reject dropped packets with a RFC compliant responce
751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754
755 ## TCP PORT RULES
756 # -A TCP -p tcp -j LOG
757
758 ## UDP PORT RULES
759 # -A UDP -p udp -j LOG
760
761 COMMIT
762 EOM
763
764 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
532 # Reload systemd configuration and enable iptables service
533 chroot_exec systemctl daemon-reload
534 chroot_exec systemctl enable ip6tables.service
767 535 fi
768 536 fi
769 537
@@ -775,7 +543,7 fi
775 543
776 544 # Install gcc/c++ build environment inside the chroot
777 545 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
546 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 547 fi
780 548
781 549 # Fetch and build U-Boot bootloader
@@ -784,7 +552,7 if [ "$ENABLE_UBOOT" = true ] ; then
784 552 git -C $R/tmp clone git://git.denx.de/u-boot.git
785 553
786 554 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
555 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788 556
789 557 # Copy compiled bootloader binary and set config.txt to load it
790 558 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
@@ -809,7 +577,7 bootz \${kernel_addr_r}
809 577 EOM
810 578
811 579 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
580 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 581 fi
814 582
815 583 # Fetch and build fbturbo Xorg driver
@@ -818,10 +586,10 if [ "$ENABLE_FBTURBO" = true ] ; then
818 586 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819 587
820 588 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
589 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822 590
823 591 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
592 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825 593
826 594 # Add fbturbo driver to Xorg configuration
827 595 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
@@ -834,18 +602,18 EndSection
834 602 EOM
835 603
836 604 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
605 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 606 fi
839 607
840 608 # Remove gcc/c++ build environment from the chroot
841 609 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
610 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 611 fi
844 612
845 613 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
614 chroot_exec apt-get -y clean
615 chroot_exec apt-get -y autoclean
616 chroot_exec apt-get -y autoremove
849 617
850 618 # Unmount mounted filesystems
851 619 umount -l $R/proc
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant