##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

rebase master testing
Unknown -
r574:5a07e0ab6bd8
parent child
Show More
Show file before | Show file after | Hide comments
@@ -1,532 +1,544
1 1 # rpi23-gen-image
2 2 ## Introduction
3 3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9 9
10 10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
14 14 ## Command-line parameters
15 15 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi23-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi23-gen-image.sh` script.
16 16
17 17 ##### Command-line examples:
18 18 ```shell
19 19 ENABLE_UBOOT=true ./rpi23-gen-image.sh
20 20 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
21 21 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
22 22 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
23 23 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
24 24 ENABLE_MINBASE=true ./rpi23-gen-image.sh
25 25 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
26 26 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
27 27 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
28 28 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
29 29 RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
30 30 RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
31 31 RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
32 32 ```
33 33
34 34 ## Configuration template files
35 35 To avoid long lists of command-line parameters and to help to store the favourite parameter configurations the `rpi23-gen-image.sh` script supports so called configuration template files (`CONFIG_TEMPLATE`=template). These are simple text files located in the `./templates` directory that contain the list of configuration parameters that will be used. New configuration template files can be added to the `./templates` directory.
36 36
37 37 ##### Command-line examples:
38 38 ```shell
39 39 CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
40 40 CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
41 41 ```
42 42
43 43 ## Supported parameters and settings
44 44 #### APT settings:
45 ##### `APT_SERVER`="ftp.debian.org/debian"
45 ##### `APT_SERVER`="ftp.debian.org"
46 46 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
47 47
48 48 ##### `APT_PROXY`=""
49 49 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
50 50
51 ##### `KEEP_APT_PROXY`=false
52 Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
53
51 54 ##### `APT_INCLUDES`=""
52 55 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
53 56
54 57 ##### `APT_INCLUDES_LATE`=""
55 58 A comma-separated list of additional packages to be installed by apt after bootstrapping and after APT sources are set up. This is useful for packages with pre-depends, which debootstrap do not handle well.
56 59
57 60 ---
58 61
59 62 #### General system settings:
60 63 ##### `SET_ARCH`=32
61 64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
62 65
63 66 ##### `RPI_MODEL`=2
64 67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
65 68 - `0` = Raspberry Pi 0 and Raspberry Pi 0 W
66 69 - `1` = Raspberry Pi 1 model A and B
67 70 - `1P` = Raspberry Pi 1 model B+ and A+
68 71 - `2` = Raspberry Pi 2 model B
69 72 - `3` = Raspberry Pi 3 model B
70 73 - `3P` = Raspberry Pi 3 model B+
71 74
72 75 ##### `RELEASE`="buster"
73 76 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
74 77
75 78 ##### `RELEASE_ARCH`="armhf"
76 79 Set the desired Debian release architecture.
77 80
78 81 ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
79 82 Set system hostname. It's recommended that the hostname is unique in the corresponding subnet.
80 83
81 84 ##### `PASSWORD`="raspberry"
82 85 Set system `root` password. It's **STRONGLY** recommended that you choose a custom password.
83 86
84 87 ##### `USER_PASSWORD`="raspberry"
85 88 Set password for the created non-root user `USER_NAME`=pi. Ignored if `ENABLE_USER`=false. It's **STRONGLY** recommended that you choose a custom password.
86 89
87 90 ##### `DEFLOCAL`="en_US.UTF-8"
88 91 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. Please note that on using this parameter the script will automatically install the required packages `locales`, `keyboard-configuration` and `console-setup`.
89 92
90 93 ##### `TIMEZONE`="Europe/Berlin"
91 94 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
92 95
93 96 ##### `EXPANDROOT`=true
94 97 Expand the root partition and filesystem automatically on first boot.
95 98
96 99 ##### `ENABLE_QEMU`=false
97 100 Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file.
98 101
99 102 ---
100 103
101 104 #### Keyboard settings:
102 105 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
103 106
104 107 ##### `XKB_MODEL`=""
105 108 Set the name of the model of your keyboard type.
106 109
107 110 ##### `XKB_LAYOUT`=""
108 111 Set the supported keyboard layout(s).
109 112
110 113 ##### `XKB_VARIANT`=""
111 114 Set the supported variant(s) of the keyboard layout(s).
112 115
113 116 ##### `XKB_OPTIONS`=""
114 117 Set extra xkb configuration options.
115 118
116 119 ---
117 120
118 121 #### Networking settings (DHCP):
119 122 This parameter is used to set up networking auto-configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
120 123
121 124 ##### `ENABLE_DHCP`=true
122 125 Set the system to use DHCP. This requires an DHCP server.
123 126
124 127 ---
125 128
126 129 #### Networking settings (static):
127 130 These parameters are used to set up a static networking configuration in `/etc/systemd/network/eth.network`. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.
128 131
129 132 ##### `NET_ADDRESS`=""
130 133 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
131 134
132 135 ##### `NET_GATEWAY`=""
133 136 Set the IP address for the default gateway.
134 137
135 138 ##### `NET_DNS_1`=""
136 139 Set the IP address for the first DNS server.
137 140
138 141 ##### `NET_DNS_2`=""
139 142 Set the IP address for the second DNS server.
140 143
141 144 ##### `NET_DNS_DOMAINS`=""
142 145 Set the default DNS search domains to use for non fully qualified hostnames.
143 146
144 147 ##### `NET_NTP_1`=""
145 148 Set the IP address for the first NTP server.
146 149
147 150 ##### `NET_NTP_2`=""
148 151 Set the IP address for the second NTP server.
149 152
150 153 ---
151 154
152 155 #### Basic system features:
153 156 ##### `ENABLE_CONSOLE`=true
154 157 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. On RPI `0` `3` `3P` the CPU speed is locked at lowest speed.
155 158
156 159 ##### `ENABLE_PRINTK`=false
157 160 Enables printing kernel messages to konsole. printk is `3 4 1 3` as in raspbian.
158 161
159 162 ##### `ENABLE_BLUETOOTH`=false
160 163 Enable onboard Bluetooth interface on the RPi0/3/3P. See: [Configuring the GPIO serial port on Raspbian jessie and stretch](https://spellfoundry.com/2016/05/29/configuring-gpio-serial-port-raspbian-jessie-including-pi-3/).
161 164
162 165 ##### `ENABLE_MINIUART_OVERLAY`=false
163 166 Enable Bluetooth to use this. Adds overlay to swap UART0 with UART1. Enabling (slower) Bluetooth and full speed serial console. - RPI `0` `3` `3P` have a fast `hardware UART0` (ttyAMA0) and a `mini UART1` (ttyS0)! RPI `1` `1P` `2` only have a `hardware UART0`. `UART0` is considered better, because is faster and more stable than `mini UART1`. By default the Bluetooth modem is mapped to the `hardware UART0` and `mini UART` is used for console. The `mini UART` is a problem for the serial console, because its baudrate depends on the CPU frequency, which is changing on runtime. Resulting in a volatile baudrate and thus in an unusable serial console.
164 167
165 168 ##### `ENABLE_TURBO`=false
166 169 Enable Turbo mode. This setting locks cpu at the highest frequency. As setting ENABLE_CONSOLE=true locks RPI to lowest CPU speed, this is can be used additionally to lock cpu hat max speed. Need a good power supply and probably cooling for the Raspberry PI.
167 170
168 171 ##### `ENABLE_I2C`=false
169 172 Enable I2C interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
170 173
171 174 ##### `ENABLE_SPI`=false
172 175 Enable SPI interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
173 176
174 177 ##### `ENABLE_IPV6`=true
175 178 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
176 179
177 180 ##### `ENABLE_SSHD`=true
178 181 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
179 182
180 183 ##### `ENABLE_NONFREE`=false
181 184 Allow the installation of non-free Debian packages that do not comply with the DFSG. This is required to install closed-source firmware binary blobs.
182 185
183 186 ##### `ENABLE_WIRELESS`=false
184 187 Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
185 188
186 189 ##### `ENABLE_RSYSLOG`=true
187 190 If set to false, disable and uninstall rsyslog (so logs will be available only in journal files)
188 191
189 192 ##### `ENABLE_SOUND`=true
190 193 Enable sound hardware and install Advanced Linux Sound Architecture.
191 194
192 195 ##### `ENABLE_HWRANDOM`=true
193 196 Enable Hardware Random Number Generator. Strong random numbers are important for most network-based communications that use encryption. It's recommended to be enabled.
194 197
195 198 ##### `ENABLE_MINGPU`=false
196 199 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
197 200
198 201 ##### `ENABLE_DBUS`=true
199 202 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
200 203
201 204 ##### `ENABLE_XORG`=false
202 205 Install Xorg open-source X Window System.
203 206
204 207 ##### `ENABLE_WM`=""
205 208 Install a user-defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
206 209
207 210 ##### `ENABLE_SYSVINIT`=false
208 211 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
209 212
210 213 ---
211 214
212 215 #### Advanced system features:
213 216 ##### `ENABLE_SYSTEMDSWAP`=false
214 217 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
215 218
216 219 ##### `ENABLE_MINBASE`=false
217 220 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
218 221
219 222 ##### `ENABLE_REDUCE`=false
220 223 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
221 224
222 225 ##### `ENABLE_UBOOT`=false
223 226 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
224 227
225 228 ##### `UBOOTSRC_DIR`=""
226 229 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
227 230
228 231 ##### `ENABLE_FBTURBO`=false
229 232 Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
230 233
231 234 ##### `FBTURBOSRC_DIR`=""
232 235 Path to a directory (`xf86-video-fbturbo`) of [hardware accelerated Xorg video driver sources](https://github.com/ssvb/xf86-video-fbturbo) that will be copied, configured, build and installed inside the chroot.
233 236
234 237 ##### `ENABLE_VIDEOCORE`=false
235 238 Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) `vcgencmd`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
236 239
237 240 ##### `VIDEOCORESRC_DIR`=""
238 241 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
239 242
240 243 ##### `ENABLE_NEXMON`=false
241 244 Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
242 245
243 246 ##### `NEXMONSRC_DIR`=""
244 247 Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
245 248
246 249 ##### `ENABLE_IPTABLES`=false
247 250 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
248 251
249 252 ##### `ENABLE_USER`=true
250 253 Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, the username will be `pi`.
251 254
252 255 ##### `USER_NAME`=pi
253 256 Non-root user to create. Ignored if `ENABLE_USER`=false
254 257
255 258 ##### `ENABLE_ROOT`=false
256 259 Set root user password so root login will be enabled
257 260
258 261 ##### `ENABLE_HARDNET`=false
259 262 Enable IPv4/IPv6 network stack hardening settings.
260 263
261 264 ##### `ENABLE_SPLITFS`=false
262 265 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
263 266
264 267 ##### `CHROOT_SCRIPTS`=""
265 268 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
266 269
267 270 ##### `ENABLE_INITRAMFS`=false
268 271 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
269 272
270 273 ##### `ENABLE_IFNAMES`=true
271 274 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
272 275
276 ##### `ENABLE_SPLASH`=true
277 Enable default Raspberry Pi boot up rainbow splash screen.
278
279 ##### `ENABLE_LOGO`=true
280 Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
281
282 ##### `ENABLE_SILENT_BOOT`=false
283 Set the verbosity of console messages shown during boot up to a strict minimum.
284
273 285 ##### `DISABLE_UNDERVOLT_WARNINGS`=
274 286 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
275 287
276 288 ---
277 289
278 290 #### SSH settings:
279 291 ##### `SSH_ENABLE_ROOT`=false
280 292 Enable password-based root login via SSH. This may be a security risk with the default password set, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
281 293
282 294 ##### `SSH_DISABLE_PASSWORD_AUTH`=false
283 295 Disable password-based SSH authentication. Only public key based SSH (v2) authentication will be supported.
284 296
285 297 ##### `SSH_LIMIT_USERS`=false
286 298 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. This parameter will be ignored if `dropbear` SSH is used (`REDUCE_SSHD`=true).
287 299
288 300 ##### `SSH_ROOT_PUB_KEY`=""
289 301 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
290 302
291 303 ##### `SSH_USER_PUB_KEY`=""
292 304 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported.
293 305
294 306 ---
295 307
296 308 #### Kernel compilation:
297 309 ##### `BUILD_KERNEL`=true
298 310 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
299 311
300 312 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
301 313 This sets the cross-compile environment for the compiler.
302 314
303 315 ##### `KERNEL_ARCH`="arm"
304 316 This sets the kernel architecture for the compiler.
305 317
306 318 ##### `KERNEL_IMAGE`="kernel7.img"
307 319 Name of the image file in the boot partition. If not set, `KERNEL_IMAGE` will be set to "kernel8.img" automatically if building for arm64.
308 320
309 321 ##### `KERNEL_BRANCH`=""
310 322 Name of the requested branch from the GIT location for the RPi Kernel. Default is using the current default branch from the GIT site.
311 323
312 324 ##### `QEMU_BINARY`="/usr/bin/qemu-arm-static"
313 325 Sets the QEMU enviornment for the Debian archive. If not set, `QEMU_BINARY` will be set to "/usr/bin/qemu-aarch64-static" automatically if building for arm64.
314 326
315 327 ##### `KERNEL_DEFCONFIG`="bcm2709_defconfig"
316 328 Sets the default config for kernel compiling. If not set, `KERNEL_DEFCONFIG` will be set to "bcmrpi3\_defconfig" automatically if building for arm64.
317 329
318 330 ##### `KERNEL_REDUCE`=false
319 331 Reduce the size of the generated kernel by removing unwanted devices, network and filesystem drivers (experimental).
320 332
321 333 ##### `KERNEL_THREADS`=1
322 334 Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
323 335
324 336 ##### `KERNEL_HEADERS`=true
325 337 Install kernel headers with the built kernel.
326 338
327 339 ##### `KERNEL_MENUCONFIG`=false
328 340 Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
329 341
330 342 ##### `KERNEL_OLDDEFCONFIG`=false
331 343 Run `make olddefconfig` to automatically set all new kernel configuration options to their recommended default values.
332 344
333 345 ##### `KERNEL_CCACHE`=false
334 346 Compile the kernel using ccache. This speeds up kernel recompilation by caching previous compilations and detecting when the same compilation is being done again.
335 347
336 348 ##### `KERNEL_REMOVESRC`=true
337 349 Remove all kernel sources from the generated OS image after it was built and installed.
338 350
339 351 ##### `KERNELSRC_DIR`=""
340 352 Path to a directory (`linux`) of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
341 353
342 354 ##### `KERNELSRC_CLEAN`=false
343 355 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
344 356
345 357 ##### `KERNELSRC_CONFIG`=true
346 358 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
347 359
348 360 ##### `KERNELSRC_USRCONFIG`=""
349 361 Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then running after copy.
350 362
351 363 ##### `KERNELSRC_PREBUILT`=false
352 364 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
353 365
354 366 ##### `RPI_FIRMWARE_DIR`=""
355 367 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
356 368
357 369 ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
358 370 Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
359 371
360 372 ##### `KERNEL_NF`=false
361 373 Enable Netfilter modules as kernel modules
362 374
363 375 ##### `KERNEL_VIRT`=false
364 376 Enable Kernel KVM support (/dev/kvm)
365 377
366 378 ##### `KERNEL_ZSWAP`=false
367 379 Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
368 380
369 381 ##### `KERNEL_BPF`=true
370 382 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
371 383
372 384 ##### `KERNEL_SECURITY`=false
373 385 Enables Apparmor, integrity subsystem, auditing
374 386 ---
375 387
376 388 #### Reduce disk usage:
377 389 The following list of parameters is ignored if `ENABLE_REDUCE`=false.
378 390
379 391 ##### `REDUCE_APT`=true
380 392 Configure APT to use compressed package repository lists and no package caching files.
381 393
382 394 ##### `REDUCE_DOC`=true
383 395 Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
384 396
385 397 ##### `REDUCE_MAN`=true
386 398 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
387 399
388 400 ##### `REDUCE_VIM`=false
389 401 Replace `vim-tiny` package by `levee` a tiny vim clone.
390 402
391 403 ##### `REDUCE_BASH`=false
392 404 Remove `bash` package and switch to `dash` shell (experimental).
393 405
394 406 ##### `REDUCE_HWDB`=true
395 407 Remove PCI related hwdb files (experimental).
396 408
397 409 ##### `REDUCE_SSHD`=true
398 410 Replace `openssh-server` with `dropbear`.
399 411
400 412 ##### `REDUCE_LOCALE`=true
401 413 Remove all `locale` translation files.
402 414
403 415 ---
404 416
405 417 #### Encrypted root partition:
406 418 ##### `ENABLE_CRYPTFS`=false
407 419 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
408 420
409 421 ##### `CRYPTFS_PASSWORD`=""
410 422 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
411 423
412 424 ##### `CRYPTFS_MAPPING`="secure"
413 425 Set name of dm-crypt managed device-mapper mapping.
414 426
415 427 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
416 428 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
417 429
418 430 ##### `CRYPTFS_XTSKEYSIZE`=512
419 431 Sets key size in bits. The argument has to be a multiple of 8.
420 432
421 433 ##### `CRYPTFS_DROPBEAR`=false
422 434 Enable Dropbear Initramfs support
423 435
424 436 ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
425 437 Provide path to dropbear Public RSA-OpenSSH Key
426 438
427 439 ---
428 440
429 441 #### Build settings:
430 442 ##### `BASEDIR`=$(pwd)/images/${RELEASE}
431 443 Set a path to a working directory used by the script to generate an image.
432 444
433 445 ##### `IMAGE_NAME`=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}
434 446 Set a filename for the output file(s). Note: the script will create $IMAGE_NAME.img if `ENABLE_SPLITFS`=false or $IMAGE_NAME-frmw.img and $IMAGE_NAME-root.img if `ENABLE_SPLITFS`=true. Note 2: If the KERNEL_BRANCH is not set, the word "CURRENT" is used.
435 447
436 448 ## Understanding the script
437 449 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
438 450
439 451 | Script | Description |
440 452 | --- | --- |
441 453 | `10-bootstrap.sh` | Debootstrap basic system |
442 454 | `11-apt.sh` | Setup APT repositories |
443 455 | `12-locale.sh` | Setup Locales and keyboard settings |
444 456 | `13-kernel.sh` | Build and install RPi 0/1/2/3 Kernel |
445 457 | `14-fstab.sh` | Setup fstab and initramfs |
446 458 | `15-rpi-config.sh` | Setup RPi 0/1/2/3 config and cmdline |
447 459 | `20-networking.sh` | Setup Networking |
448 460 | `21-firewall.sh` | Setup Firewall |
449 461 | `30-security.sh` | Setup Users and Security settings |
450 462 | `31-logging.sh` | Setup Logging |
451 463 | `32-sshd.sh` | Setup SSH and public keys |
452 464 | `41-uboot.sh` | Build and Setup U-Boot |
453 465 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
454 466 | `43-videocore.sh` | Build and Setup videocore libraries |
455 467 | `50-firstboot.sh` | First boot actions |
456 468 | `99-reduce.sh` | Reduce the disk space usage |
457 469
458 470 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
459 471
460 472 | Directory | Description |
461 473 | --- | --- |
462 474 | `apt` | APT management configuration files |
463 475 | `boot` | Boot and RPi 0/1/2/3 configuration files |
464 476 | `dpkg` | Package Manager configuration |
465 477 | `etc` | Configuration files and rc scripts |
466 478 | `firstboot` | Scripts that get executed on first boot |
467 479 | `initramfs` | Initramfs scripts |
468 480 | `iptables` | Firewall configuration files |
469 481 | `locales` | Locales configuration |
470 482 | `modules` | Kernel Modules configuration |
471 483 | `mount` | Fstab configuration |
472 484 | `network` | Networking configuration files |
473 485 | `sysctl.d` | Swapping and Network Hardening configuration |
474 486 | `xorg` | fbturbo Xorg driver configuration |
475 487
476 488 ## Custom packages and scripts
477 489 Debian custom packages, i.e. those not in the debian repositories, can be installed by placing them in the `packages` directory. They are installed immediately after packages from the repositories are installed. Any dependencies listed in the custom packages will be downloaded automatically from the repositories. Do not list these custom packages in `APT_INCLUDES`.
478 490
479 491 Scripts in the custom.d directory will be executed after all other installation is complete but before the image is created.
480 492
481 493 ## Logging of the bootstrapping process
482 494 All information related to the bootstrapping process and the commands executed by the `rpi23-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
483 495
484 496 ```shell
485 497 script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
486 498 ```
487 499
488 500 ## Flashing the image file
489 501 After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi 0/1/2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
490 502
491 503 ##### Flashing examples:
492 504 ```shell
493 505 bmaptool copy ./images/buster/2017-01-23-rpi3-buster.img /dev/mmcblk0
494 506 dd bs=4M if=./images/buster/2017-01-23-rpi3-buster.img of=/dev/mmcblk0
495 507 ```
496 508 If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
497 509 ```shell
498 510 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-frmw.img /dev/mmcblk0
499 511 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-root.img /dev/sdc
500 512 ```
501 513
502 514 ## QEMU emulation
503 515 Start QEMU full system emulation:
504 516 ```shell
505 517 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=tty1"
506 518 ```
507 519
508 520 Start QEMU full system emulation and output to console:
509 521 ```shell
510 522 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
511 523 ```
512 524
513 525 Start QEMU full system emulation with SMP and output to console:
514 526 ```shell
515 527 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -smp cpus=2,maxcpus=2 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
516 528 ```
517 529
518 530 Start QEMU full system emulation with cryptfs, initramfs and output to console:
519 531 ```shell
520 532 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -initrd "initramfs-${KERNEL_VERSION}" -append "root=/dev/mapper/secure cryptdevice=/dev/mmcblk0p2:secure rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
521 533 ```
522 534
523 535 ## External links and references
524 536 * [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
525 537 * [Debian Raspberry Pi 2 Wiki](https://wiki.debian.org/RaspberryPi2)
526 538 * [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains)
527 539 * [Official Raspberry Pi Firmware on github](https://github.com/raspberrypi/firmware)
528 540 * [Official Raspberry Pi Kernel on github](https://github.com/raspberrypi/linux)
529 541 * [U-BOOT git repository](https://git.denx.de/?p=u-boot.git;a=summary)
530 542 * [Xorg DDX driver fbturbo](https://github.com/ssvb/xf86-video-fbturbo)
531 543 * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
532 544 * [Collabora RPi2 Kernel precompiled](https://repositories.collabora.co.uk/debian/)
Show file before | Show file after | Hide comments
@@ -1,643 +1,642
1 1 #
2 2 # Build and Setup RPi2/3 Kernel
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Need to use kali kernel src if nexmon is enabled
9 9 if [ "$ENABLE_NEXMON" = true ] ; then
10 10 KERNEL_URL="${KALI_KERNEL_URL}"
11 11 # Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
12 12 KERNEL_BRANCH=""
13 13 KERNELSRC_DIR=""
14 14 fi
15 15
16 16 # Fetch and build latest raspberry kernel
17 17 if [ "$BUILD_KERNEL" = true ] ; then
18 18 # Setup source directory
19 19 mkdir -p "${KERNEL_DIR}"
20 20
21 21 # Copy existing kernel sources into chroot directory
22 22 if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then
23 23 # Copy kernel sources and include hidden files
24 24 cp -r "${KERNELSRC_DIR}/". "${KERNEL_DIR}"
25 25
26 26 # Clean the kernel sources
27 27 if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then
28 28 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
29 29 fi
30 30 else # KERNELSRC_DIR=""
31 31 # Create temporary directory for kernel sources
32 32 temp_dir=$(as_nobody mktemp -d)
33 33
34 34 # Fetch current RPi2/3 kernel sources
35 35 if [ -z "${KERNEL_BRANCH}" ] ; then
36 36 as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
37 37 else
38 38 as_nobody -H git -C "${temp_dir}" clone --depth=1 --branch "${KERNEL_BRANCH}" "${KERNEL_URL}" linux
39 39 fi
40 40
41 41 # Copy downloaded kernel sources
42 42 cp -r "${temp_dir}/linux/"* "${KERNEL_DIR}"
43 43
44 44 # Remove temporary directory for kernel sources
45 45 rm -fr "${temp_dir}"
46 46
47 47 # Set permissions of the kernel sources
48 48 chown -R root:root "${R}/usr/src"
49 49 fi
50 50
51 51 # Calculate optimal number of kernel building threads
52 52 if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
53 53 KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
54 54 fi
55 55
56 56 # Configure and build kernel
57 57 if [ "$KERNELSRC_PREBUILT" = false ] ; then
58 58 # Remove device, network and filesystem drivers from kernel configuration
59 59 if [ "$KERNEL_REDUCE" = true ] ; then
60 60 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
61 61 sed -i\
62 62 -e "s/\(^CONFIG_SND.*\=\).*/\1n/"\
63 63 -e "s/\(^CONFIG_SOUND.*\=\).*/\1n/"\
64 64 -e "s/\(^CONFIG_AC97.*\=\).*/\1n/"\
65 65 -e "s/\(^CONFIG_VIDEO_.*\=\).*/\1n/"\
66 66 -e "s/\(^CONFIG_MEDIA_TUNER.*\=\).*/\1n/"\
67 67 -e "s/\(^CONFIG_DVB.*\=\)[ym]/\1n/"\
68 68 -e "s/\(^CONFIG_REISERFS.*\=\).*/\1n/"\
69 69 -e "s/\(^CONFIG_JFS.*\=\).*/\1n/"\
70 70 -e "s/\(^CONFIG_XFS.*\=\).*/\1n/"\
71 71 -e "s/\(^CONFIG_GFS2.*\=\).*/\1n/"\
72 72 -e "s/\(^CONFIG_OCFS2.*\=\).*/\1n/"\
73 73 -e "s/\(^CONFIG_BTRFS.*\=\).*/\1n/"\
74 74 -e "s/\(^CONFIG_HFS.*\=\).*/\1n/"\
75 75 -e "s/\(^CONFIG_JFFS2.*\=\)[ym]/\1n/"\
76 76 -e "s/\(^CONFIG_UBIFS.*\=\).*/\1n/"\
77 77 -e "s/\(^CONFIG_SQUASHFS.*\=\)[ym]/\1n/"\
78 78 -e "s/\(^CONFIG_W1.*\=\)[ym]/\1n/"\
79 79 -e "s/\(^CONFIG_HAMRADIO.*\=\).*/\1n/"\
80 80 -e "s/\(^CONFIG_CAN.*\=\).*/\1n/"\
81 81 -e "s/\(^CONFIG_IRDA.*\=\).*/\1n/"\
82 82 -e "s/\(^CONFIG_BT_.*\=\).*/\1n/"\
83 83 -e "s/\(^CONFIG_WIMAX.*\=\)[ym]/\1n/"\
84 84 -e "s/\(^CONFIG_6LOWPAN.*\=\).*/\1n/"\
85 85 -e "s/\(^CONFIG_IEEE802154.*\=\).*/\1n/"\
86 86 -e "s/\(^CONFIG_NFC.*\=\).*/\1n/"\
87 87 -e "s/\(^CONFIG_FB_TFT=.*\=\).*/\1n/"\
88 88 -e "s/\(^CONFIG_TOUCHSCREEN.*\=\).*/\1n/"\
89 89 -e "s/\(^CONFIG_USB_GSPCA_.*\=\).*/\1n/"\
90 90 -e "s/\(^CONFIG_DRM.*\=\).*/\1n/"\
91 91 "${KERNEL_DIR}/.config"
92 92 fi
93 93
94 94 if [ "$KERNELSRC_CONFIG" = true ] ; then
95 95 # Load default raspberry kernel configuration
96 96 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
97 97
98 98 #Switch to KERNELSRC_DIR so we can use set_kernel_config
99 99 cd "${KERNEL_DIR}" || exit
100 100
101 101 if [ "$KERNEL_ARCH" = arm64 ] ; then
102 #Fix SD_DRIVER mess in 64bit config
103 # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - variable naming is bs
102 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
103 # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
104 104 set_kernel_config CONFIG_MMC_BCM2835 n
105 105 set_kernel_config CONFIG_MMC_SDHCI_IPROC n
106 106 set_kernel_config CONFIG_USB_DWC2 n
107 107 sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
108 108
109 109 #VLAN got disabled without reason in arm64bit
110 110 set_kernel_config CONFIG_IPVLAN m
111 111
112 112 #V4L2 sub-device userspace API
113 113 #set_kernel_config CONFIG_VIDEO_V4L2_SUBDEV_API y
114 114 #VIDEO_MUX y
115 115 #VIDEO_XILINX n
116 116 #VIDEO_XILINX_TPG n
117 117 #VIDEO_ADV7180 m
118 118
119 119 # GPIO-based bitbanging SPI Master
120 120 set_kernel_config CONFIG_SPI_GPIO m
121 121 #SPI Slave protocol
122 122 set_kernel_config CONFIG_SPI_SLAVE y
123 123 set_kernel_config CONFIG_SPI_SLAVE_TIME m
124 124 set_kernel_config CONFIG_SPI_SLAVE_SYSTEM_CONTROL m
125 125
126 126 # Virtual (secure) IP: tunneling
127 127 set_kernel_config CONFIG_NET_IPVTI m
128 128
129 129 #Wlan driver debug info
130 130 set_kernel_config CONFIG_BRCMDBG m
131 131
132 132 #GPIO WATCHDOG
133 133 set_kernel_config CONFIG_GPIO_WATCHDOG m
134 134
135 135 #Camera
136 136 set_kernel_config VIDEO_BCM2835 m
137 137 set_kernel_config VIDEO_BCM2835_UNICAM m
138 138 fi
139 139
140 140 # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
141 141 if [ "$KERNEL_ZSWAP" = true ] ; then
142 142 set_kernel_config CONFIG_ZPOOL y
143 143 set_kernel_config CONFIG_ZSWAP y
144 144 set_kernel_config CONFIG_ZBUD y
145 145 set_kernel_config CONFIG_Z3FOLD y
146 146 set_kernel_config CONFIG_ZSMALLOC y
147 147 set_kernel_config CONFIG_PGTABLE_MAPPING y
148 148 set_kernel_config CONFIG_LZO_COMPRESS y
149 149
150 150 fi
151 151
152 152 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
153 153 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
154 154 set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
155 155 set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
156 156 set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
157 157 set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
158 158 set_kernel_config CONFIG_HAVE_KVM_IRQFD y
159 159 set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
160 160 set_kernel_config CONFIG_HAVE_KVM_MSI y
161 161 set_kernel_config CONFIG_KVM y
162 162 set_kernel_config CONFIG_KVM_ARM_HOST y
163 163 set_kernel_config CONFIG_KVM_ARM_PMU y
164 164 set_kernel_config CONFIG_KVM_COMPAT y
165 165 set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
166 166 set_kernel_config CONFIG_KVM_MMIO y
167 167 set_kernel_config CONFIG_KVM_VFIO y
168 168 set_kernel_config CONFIG_VHOST m
169 169 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
170 170 set_kernel_config CONFIG_VHOST_NET m
171 171 set_kernel_config CONFIG_VIRTUALIZATION y
172 172
173 173 set_kernel_config CONFIG_MMU_NOTIFIER y
174 174
175 175 # erratum
176 176 set_kernel_config ARM64_ERRATUM_834220 y
177 177
178 178 # https://sourceforge.net/p/kvm/mailman/message/18440797/
179 179 set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
180 180 fi
181 181
182 182 # enable apparmor,integrity audit,
183 183 if [ "$KERNEL_SECURITY" = true ] ; then
184 184
185 185 # security filesystem, security models and audit
186 186 set_kernel_config CONFIG_SECURITYFS y
187 187 set_kernel_config CONFIG_SECURITY y
188 188 set_kernel_config CONFIG_AUDIT y
189 189
190 190 # harden strcpy and memcpy
191 191 set_kernel_config CONFIG_HARDENED_USERCOPY y
192 192 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
193 193 set_kernel_config CONFIG_FORTIFY_SOURCE y
194 194
195 195 # integrity sub-system
196 196 set_kernel_config CONFIG_INTEGRITY y
197 197 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
198 198 set_kernel_config CONFIG_INTEGRITY_AUDIT y
199 199 set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
200 200 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y
201 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS ""
202 201
203 202 # This option provides support for retaining authentication tokens and access keys in the kernel.
204 203 set_kernel_config CONFIG_KEYS y
205 204 set_kernel_config CONFIG_KEYS_COMPAT y
206 205
207 206 # Apparmor
208 207 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
209 208 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
210 209 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
211 210 set_kernel_config CONFIG_SECURITY_APPARMOR y
212 211 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
213 212 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
214 213
215 214 # restrictions on unprivileged users reading the kernel
216 215 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
217 216
218 217 # network security hooks
219 218 set_kernel_config CONFIG_SECURITY_NETWORK y
220 219 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
221 220 set_kernel_config CONFIG_SECURITY_PATH y
222 221 set_kernel_config CONFIG_SECURITY_YAMA n
223 222
224 223 # New Options
225 224 if [ "$KERNEL_NF" = true ] ; then
226 225 set_kernel_config CONFIG_IP_NF_SECURITY m
227 226 set_kernel_config CONFIG_NETLABEL y
228 227 set_kernel_config CONFIG_IP6_NF_SECURITY m
229 228 fi
230 229 set_kernel_config CONFIG_SECURITY_SELINUX n
231 230 set_kernel_config CONFIG_SECURITY_SMACK n
232 231 set_kernel_config CONFIG_SECURITY_TOMOYO n
233 232 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
234 233 set_kernel_config CONFIG_SECURITY_LOADPIN n
235 234 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
236 235 set_kernel_config CONFIG_IMA n
237 236 set_kernel_config CONFIG_EVM n
238 237 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
239 238 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
240 239 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
241 240 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
242 241 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
243 242 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
244 243 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
245 244 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
246 245 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
247 246 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
248 247
249 248 set_kernel_config CONFIG_ARM64_CRYPTO y
250 249 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
251 250 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
252 251 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
253 252 set_kernel_config CRYPTO_GHASH_ARM64_CE m
254 253 set_kernel_config CRYPTO_SHA2_ARM64_CE m
255 254 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
256 255 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
257 256 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
258 257 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
259 258 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
260 259 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
261 260 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
262 261 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
263 262 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
264 263 echo CONFIG_SYSTEM_TRUSTED_KEYS="" >> .config
265 264 fi
266 265
267 266 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
268 267 if [ "$KERNEL_NF" = true ] ; then
269 268 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
270 269 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
271 270 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
272 271 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
273 272 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
274 273 set_kernel_config CONFIG_NFT_FIB_INET m
275 274 set_kernel_config CONFIG_NFT_FIB_IPV4 m
276 275 set_kernel_config CONFIG_NFT_FIB_IPV6 m
277 276 set_kernel_config CONFIG_NFT_FIB_NETDEV m
278 277 set_kernel_config CONFIG_NFT_OBJREF m
279 278 set_kernel_config CONFIG_NFT_RT m
280 279 set_kernel_config CONFIG_NFT_SET_BITMAP m
281 280 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
282 281 set_kernel_config CONFIG_NF_LOG_ARP m
283 282 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
284 283 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
285 284 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
286 285 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
287 286 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
288 287 set_kernel_config CONFIG_IP6_NF_IPTABLES m
289 288 set_kernel_config CONFIG_IP6_NF_MATCH_AH m
290 289 set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
291 290 set_kernel_config CONFIG_IP6_NF_NAT m
292 291 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
293 292 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
294 293 set_kernel_config CONFIG_IP_NF_SECURITY m
295 294 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
296 295 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
297 296 set_kernel_config CONFIG_IP_SET_HASH_IP m
298 297 set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
299 298 set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
300 299 set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
301 300 set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
302 301 set_kernel_config CONFIG_IP_SET_HASH_MAC m
303 302 set_kernel_config CONFIG_IP_SET_HASH_NET m
304 303 set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
305 304 set_kernel_config CONFIG_IP_SET_HASH_NETNET m
306 305 set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
307 306 set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
308 307 set_kernel_config CONFIG_IP_SET_LIST_SET m
309 308 set_kernel_config CONFIG_NETFILTER_XTABLES m
310 309 set_kernel_config CONFIG_NETFILTER_XTABLES m
311 310 set_kernel_config CONFIG_NFT_BRIDGE_META m
312 311 set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
313 312 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
314 313 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
315 314 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
316 315 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
317 316 set_kernel_config CONFIG_NFT_COMPAT m
318 317 set_kernel_config CONFIG_NFT_COUNTER m
319 318 set_kernel_config CONFIG_NFT_CT m
320 319 set_kernel_config CONFIG_NFT_DUP_IPV4 m
321 320 set_kernel_config CONFIG_NFT_DUP_IPV6 m
322 321 set_kernel_config CONFIG_NFT_DUP_NETDEV m
323 322 set_kernel_config CONFIG_NFT_EXTHDR m
324 323 set_kernel_config CONFIG_NFT_FWD_NETDEV m
325 324 set_kernel_config CONFIG_NFT_HASH m
326 325 set_kernel_config CONFIG_NFT_LIMIT m
327 326 set_kernel_config CONFIG_NFT_LOG m
328 327 set_kernel_config CONFIG_NFT_MASQ m
329 328 set_kernel_config CONFIG_NFT_MASQ_IPV4 m
330 329 set_kernel_config CONFIG_NFT_MASQ_IPV6 m
331 330 set_kernel_config CONFIG_NFT_META m
332 331 set_kernel_config CONFIG_NFT_NAT m
333 332 set_kernel_config CONFIG_NFT_NUMGEN m
334 333 set_kernel_config CONFIG_NFT_QUEUE m
335 334 set_kernel_config CONFIG_NFT_QUOTA m
336 335 set_kernel_config CONFIG_NFT_REDIR m
337 336 set_kernel_config CONFIG_NFT_REDIR_IPV4 m
338 337 set_kernel_config CONFIG_NFT_REDIR_IPV6 m
339 338 set_kernel_config CONFIG_NFT_REJECT m
340 339 set_kernel_config CONFIG_NFT_REJECT_INET m
341 340 set_kernel_config CONFIG_NFT_REJECT_IPV4 m
342 341 set_kernel_config CONFIG_NFT_REJECT_IPV6 m
343 342 set_kernel_config CONFIG_NFT_SET_HASH m
344 343 set_kernel_config CONFIG_NFT_SET_RBTREE m
345 344 set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
346 345 set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
347 346 set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
348 347 set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
349 348 set_kernel_config CONFIG_NF_DUP_IPV4 m
350 349 set_kernel_config CONFIG_NF_DUP_IPV6 m
351 350 set_kernel_config CONFIG_NF_DUP_NETDEV m
352 351 set_kernel_config CONFIG_NF_LOG_BRIDGE m
353 352 set_kernel_config CONFIG_NF_LOG_IPV4 m
354 353 set_kernel_config CONFIG_NF_LOG_IPV6 m
355 354 set_kernel_config CONFIG_NF_NAT_IPV4 m
356 355 set_kernel_config CONFIG_NF_NAT_IPV6 m
357 356 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
358 357 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
359 358 set_kernel_config CONFIG_NF_NAT_PPTP m
360 359 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
361 360 set_kernel_config CONFIG_NF_NAT_REDIRECT m
362 361 set_kernel_config CONFIG_NF_NAT_SIP m
363 362 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
364 363 set_kernel_config CONFIG_NF_NAT_TFTP m
365 364 set_kernel_config CONFIG_NF_REJECT_IPV4 m
366 365 set_kernel_config CONFIG_NF_REJECT_IPV6 m
367 366 set_kernel_config CONFIG_NF_TABLES m
368 367 set_kernel_config CONFIG_NF_TABLES_ARP m
369 368 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
370 369 set_kernel_config CONFIG_NF_TABLES_INET m
371 370 set_kernel_config CONFIG_NF_TABLES_IPV4 m
372 371 set_kernel_config CONFIG_NF_TABLES_IPV6 m
373 372 set_kernel_config CONFIG_NF_TABLES_NETDEV m
374 373 fi
375 374
376 375 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
377 376 if [ "$KERNEL_BPF" = true ] ; then
378 377 set_kernel_config CONFIG_BPF_SYSCALL y
379 378 set_kernel_config CONFIG_BPF_EVENTS y
380 379 set_kernel_config CONFIG_BPF_STREAM_PARSER y
381 380 set_kernel_config CONFIG_CGROUP_BPF y
382 381 fi
383 382
384 383 # KERNEL_DEFAULT_GOV was set by user
385 384 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
386 385
387 386 case "$KERNEL_DEFAULT_GOV" in
388 387 performance)
389 388 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
390 389 ;;
391 390 userspace)
392 391 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
393 392 ;;
394 393 ondemand)
395 394 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
396 395 ;;
397 396 conservative)
398 397 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
399 398 ;;
400 399 shedutil)
401 400 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
402 401 ;;
403 402 *)
404 403 echo "error: unsupported default cpu governor"
405 404 exit 1
406 405 ;;
407 406 esac
408 407
409 408 # unset previous default governor
410 409 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
411 410 fi
412 411
413 412 #Revert to previous directory
414 413 cd "${WORKDIR}" || exit
415 414
416 415 # Set kernel configuration parameters to enable qemu emulation
417 416 if [ "$ENABLE_QEMU" = true ] ; then
418 417 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
419 418 echo "CONFIG_LBDAF=y" >> "${KERNEL_DIR}"/.config
420 419
421 420 if [ "$ENABLE_CRYPTFS" = true ] ; then
422 421 {
423 422 echo "CONFIG_EMBEDDED=y"
424 423 echo "CONFIG_EXPERT=y"
425 424 echo "CONFIG_DAX=y"
426 425 echo "CONFIG_MD=y"
427 426 echo "CONFIG_BLK_DEV_MD=y"
428 427 echo "CONFIG_MD_AUTODETECT=y"
429 428 echo "CONFIG_BLK_DEV_DM=y"
430 429 echo "CONFIG_BLK_DEV_DM_BUILTIN=y"
431 430 echo "CONFIG_DM_CRYPT=y"
432 431 echo "CONFIG_CRYPTO_BLKCIPHER=y"
433 432 echo "CONFIG_CRYPTO_CBC=y"
434 433 echo "CONFIG_CRYPTO_XTS=y"
435 434 echo "CONFIG_CRYPTO_SHA512=y"
436 435 echo "CONFIG_CRYPTO_MANAGER=y"
437 436 } >> "${KERNEL_DIR}"/.config
438 437 fi
439 438 fi
440 439
441 440 # Copy custom kernel configuration file
442 441 if [ -n "$KERNELSRC_USRCONFIG" ] ; then
443 442 cp "$KERNELSRC_USRCONFIG" "${KERNEL_DIR}"/.config
444 443 fi
445 444
446 445 # Set kernel configuration parameters to their default values
447 446 if [ "$KERNEL_OLDDEFCONFIG" = true ] ; then
448 447 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig
449 448 fi
450 449
451 450 # Start menu-driven kernel configuration (interactive)
452 451 if [ "$KERNEL_MENUCONFIG" = true ] ; then
453 452 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
454 453 fi
455 454 # end if "$KERNELSRC_CONFIG" = true
456 455 fi
457 456
458 457 # Use ccache to cross compile the kernel
459 458 if [ "$KERNEL_CCACHE" = true ] ; then
460 459 cc="ccache ${CROSS_COMPILE}gcc"
461 460 else
462 461 cc="${CROSS_COMPILE}gcc"
463 462 fi
464 463
465 464 # Cross compile kernel and dtbs
466 465 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" "${KERNEL_BIN_IMAGE}" dtbs
467 466
468 467 # Cross compile kernel modules
469 468 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
470 469 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
471 470 fi
472 471 # end if "$KERNELSRC_PREBUILT" = false
473 472 fi
474 473
475 474 # Check if kernel compilation was successful
476 475 if [ ! -r "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" ] ; then
477 476 echo "error: kernel compilation failed! (kernel image not found)"
478 477 cleanup
479 478 exit 1
480 479 fi
481 480
482 481 # Install kernel modules
483 482 if [ "$ENABLE_REDUCE" = true ] ; then
484 483 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
485 484 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
486 485 fi
487 486 else
488 487 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
489 488 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
490 489 fi
491 490
492 491 # Install kernel firmware
493 492 if grep -q "^firmware_install:" "${KERNEL_DIR}/Makefile" ; then
494 493 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
495 494 fi
496 495 fi
497 496
498 497 # Install kernel headers
499 498 if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then
500 499 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
501 500 fi
502 501
503 502 # Prepare boot (firmware) directory
504 503 mkdir "${BOOT_DIR}"
505 504
506 505 # Get kernel release version
507 506 KERNEL_VERSION=$(cat "${KERNEL_DIR}/include/config/kernel.release")
508 507
509 508 # Copy kernel configuration file to the boot directory
510 509 install_readonly "${KERNEL_DIR}/.config" "${R}/boot/config-${KERNEL_VERSION}"
511 510
512 511 # Prepare device tree directory
513 512 mkdir "${BOOT_DIR}/overlays"
514 513
515 514 # Ensure the proper .dtb is located
516 515 if [ "$KERNEL_ARCH" = "arm" ] ; then
517 516 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb ; do
518 517 if [ -f "${dtb}" ] ; then
519 518 install_readonly "${dtb}" "${BOOT_DIR}/"
520 519 fi
521 520 done
522 521 else
523 522 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/broadcom/"*.dtb ; do
524 523 if [ -f "${dtb}" ] ; then
525 524 install_readonly "${dtb}" "${BOOT_DIR}/"
526 525 fi
527 526 done
528 527 fi
529 528
530 529 # Copy compiled dtb device tree files
531 530 if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then
532 531 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do
533 532 if [ -f "${dtb}" ] ; then
534 533 install_readonly "${dtb}" "${BOOT_DIR}/overlays/"
535 534 fi
536 535 done
537 536
538 537 if [ -f "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" ] ; then
539 538 install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "${BOOT_DIR}/overlays/README"
540 539 fi
541 540 fi
542 541
543 542 if [ "$ENABLE_UBOOT" = false ] ; then
544 543 # Convert and copy kernel image to the boot directory
545 544 "${KERNEL_DIR}/scripts/mkknlimg" "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
546 545 else
547 546 # Copy kernel image to the boot directory
548 547 install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
549 548 fi
550 549
551 550 # Remove kernel sources
552 551 if [ "$KERNEL_REMOVESRC" = true ] ; then
553 552 rm -fr "${KERNEL_DIR}"
554 553 else
555 554 # Prepare compiled kernel modules
556 555 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
557 556 if grep -q "^modules_prepare:" "${KERNEL_DIR}/Makefile" ; then
558 557 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" modules_prepare
559 558 fi
560 559
561 560 # Create symlinks for kernel modules
562 561 chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/build"
563 562 chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/source"
564 563 fi
565 564 fi
566 565
567 566 else # BUILD_KERNEL=false
568 567 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
569 568
570 569 # Use Sakakis modified kernel if ZSWAP is active
571 570 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
572 571 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
573 572 fi
574 573
575 574 # Create temporary directory for dl
576 575 temp_dir=$(as_nobody mktemp -d)
577 576
578 577 # Fetch kernel dl
579 578 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
580 579
581 580 #extract download
582 581 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
583 582
584 583 #move extracted kernel to /boot/firmware
585 584 mkdir "${R}/boot/firmware"
586 585 cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
587 586 cp -r "${temp_dir}"/lib/* "${R}"/lib/
588 587
589 588 # Remove temporary directory for kernel sources
590 589 rm -fr "${temp_dir}"
591 590
592 591 # Set permissions of the kernel sources
593 592 chown -R root:root "${R}/boot/firmware"
594 593 chown -R root:root "${R}/lib/modules"
595 594 fi
596 595
597 596 # Install Kernel from hypriot comptabile with all Raspberry PI
598 597 if [ "$SET_ARCH" = 32 ] ; then
599 598 # Create temporary directory for dl
600 599 temp_dir=$(as_nobody mktemp -d)
601 600
602 601 # Fetch kernel
603 602 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
604 603
605 604 # Copy downloaded U-Boot sources
606 605 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
607 606
608 607 # Set permissions
609 608 chown -R root:root "${R}"/tmp/kernel.deb
610 609
611 610 # Install kernel
612 611 chroot_exec dpkg -i /tmp/kernel.deb
613 612
614 613 # move /boot to /boot/firmware to fit script env.
615 614 #mkdir "${BOOT_DIR}"
616 615 mkdir "${temp_dir}"/firmware
617 616 mv "${R}"/boot/* "${temp_dir}"/firmware/
618 617 mv "${temp_dir}"/firmware "${R}"/boot/
619 618
620 619 #same for kernel headers
621 620 if [ "$KERNEL_HEADERS" = true ] ; then
622 621 # Fetch kernel header
623 622 as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
624 623 mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
625 624 chown -R root:root "${R}"/tmp/kernel-header.deb
626 625 # Install kernel header
627 626 chroot_exec dpkg -i /tmp/kernel-header.deb
628 627 rm -f "${R}"/tmp/kernel-header.deb
629 628 fi
630 629
631 630 # Remove temporary directory and files
632 631 rm -fr "${temp_dir}"
633 632 rm -f "${R}"/tmp/kernel.deb
634 633 fi
635 634
636 635 # Check if kernel installation was successful
637 636 KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)"
638 637 if [ -z "$KERNEL" ] ; then
639 638 echo "error: kernel installation failed! (/boot/kernel* not found)"
640 639 cleanup
641 640 exit 1
642 641 fi
643 642 fi
Show file before | Show file after | Hide comments
@@ -1,118 +1,116
1 1 #
2 2 # Setup fstab and initramfs
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup fstab
9 9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10 10
11 11 # Add usb/sda disk root partition to fstab
12 12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
14 14 fi
15 15
16 16 # Add encrypted root partition to fstab and crypttab
17 17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 18 # Replace fstab root partition with encrypted partition mapping
19 19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20 20
21 21 # Add encrypted partition to crypttab and fstab
22 22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24
25 if [ "$ENABLE_USBBOOT" = true ] ; then
26 # Add usb/sda2 disk to crypttab
27 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
28 fi
29 24
30 25 if [ "$ENABLE_SPLITFS" = true ] ; then
31 26 # Add usb/sda1 disk to crypttab
32 27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
33 28 fi
34 29 fi
35 30
36 31 if [ "$ENABLE_USBBOOT" = true ] ; then
37 32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
38 33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
35 # Add usb/sda2 disk to crypttab
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
39 37 fi
40 38
41 39 # Generate initramfs file
42 40 if [ "$ENABLE_INITRAMFS" = true ] ; then
43 41 if [ "$ENABLE_CRYPTFS" = true ] ; then
44 42 # Include initramfs scripts to auto expand encrypted root partition
45 43 if [ "$EXPANDROOT" = true ] ; then
46 44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
47 45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
48 46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
49 47 fi
50 48
51 49 if [ "$ENABLE_DHCP" = false ] ; then
52 50 # Get cdir from NET_ADDRESS e.g. 24
53 51 cdir=$(printf ${NET_ADDRESS} | cut -d '/' -f2)
54 52
55 53 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
56 54 NET_MASK=$(cdr2mask "$cdir")
57 55
58 56 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
59 57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
60 58
61 59 # Regenerate initramfs
62 60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
63 61 fi
64 62
65 63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
66 64 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
67 65 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
68 66 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
69 67 else
70 68 # Create key
71 69 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
72 70
73 71 # Convert dropbear key to openssh key
74 72 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
75 73
76 74 # Get Public Key Part
77 75 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
78 76
79 77 # Delete unwanted lines
80 78 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
81 79 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
82 80
83 81 # Trust the new key
84 82 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
85 83
86 84 # Save Keys - convert with putty from rsa/openssh to puttkey
87 85 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
88 86
89 87 # Get unlock script
90 88 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
91 89
92 90 # Enable Dropbear inside initramfs
93 91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
94 92
95 93 # Enable Dropbear inside initramfs
96 94 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
97 95 fi
98 96 else
99 97 # Disable SSHD inside initramfs
100 98 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
101 99 fi
102 100
103 101 # Add cryptsetup modules to initramfs
104 102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
105 103
106 104 # Dummy mapping required by mkinitramfs
107 105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
108 106
109 107 # Generate initramfs with encrypted root partition support
110 108 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
111 109
112 110 # Remove dummy mapping
113 111 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
114 112 else
115 113 # Generate initramfs without encrypted root partition support
116 114 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
117 115 fi
118 116 fi
Show file before | Show file after | Hide comments
@@ -1,295 +1,310
1 1 #
2 2 # Setup RPi2/3 config and cmdline
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
9 9 # Install boot binaries from local directory
10 10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
11 11 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
12 12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
13 13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
14 14 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
15 15 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
16 16 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
17 17 else
18 18 # Create temporary directory for boot binaries
19 19 temp_dir=$(as_nobody mktemp -d)
20 20
21 21 # Install latest boot binaries from raspberry/firmware github
22 22 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
23 23 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
24 24 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
25 25 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
26 26 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
27 27 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
28 28 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
29 29
30 30 # Move downloaded boot binaries
31 31 mv "${temp_dir}/"* "${BOOT_DIR}/"
32 32
33 33 # Remove temporary directory for boot binaries
34 34 rm -fr "${temp_dir}"
35 35
36 36 # Set permissions of the boot binaries
37 37 chown -R root:root "${BOOT_DIR}"
38 38 chmod -R 600 "${BOOT_DIR}"
39 39 fi
40 40
41 41 if [ "$ENABLE_KEYGEN" = true ] ; then
42 42
43 43 # go to chroot/boot/
44 44 cd "${BOOT_DIR}/" || exit
45 45
46 46 # Make a copy of start.elf
47 47 cp start.elf start.elf_backup
48 48
49 49 # Remove codec licence checks - thx go to https://github.com/nucular/raspi-keygen - if ENABLE_VIDEOCORE is true, you can check codec status https://elinux.org/RPI_vcgencmd_usage
50 50 perl -pne 's/\x47\xE9362H\x3C\x18/\x47\xE9362H\x3C\x1F/g' < start.elf_backup > start.elf
51 51
52 52 # Back to base dir
53 53 cd "${WORKDIR}" || exit
54 54 fi
55 55
56 56 # Setup firmware boot cmdline
57 57 if [ "$ENABLE_USBBOOT" = true ] ; then
58 58 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
59 59 else
60 60 if [ "$ENABLE_SPLITFS" = true ] ; then
61 61 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
62 62 else
63 63 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
64 64 fi
65 65 fi
66 66
67 67 # Add encrypted root partition to cmdline.txt
68 68 if [ "$ENABLE_CRYPTFS" = true ] ; then
69 69 if [ "$ENABLE_SPLITFS" = true ] ; then
70 70 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
71 71 else
72 72 if [ "$ENABLE_USBBOOT" = true ] ; then
73 73 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
74 74 else
75 75 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
76 76 fi
77 77 fi
78 78 fi
79 79
80 80 # Enable Kernel messages on standard output
81 81 if [ "$ENABLE_PRINTK" = true ] ; then
82 82 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
83 83 fi
84 84
85 85 # Enable Kernel messages on standard output
86 86 if [ "$KERNEL_SECURITY" = true ] ; then
87 87 install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
88 88 fi
89 89
90 90 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
91 91 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
92 92
93 93 # Remove IPv6 networking support
94 94 if [ "$ENABLE_IPV6" = false ] ; then
95 95 CMDLINE="${CMDLINE} ipv6.disable=1"
96 96 fi
97 97
98 98 # Automatically assign predictable network interface names
99 99 if [ "$ENABLE_IFNAMES" = false ] ; then
100 100 CMDLINE="${CMDLINE} net.ifnames=0"
101 101 else
102 102 CMDLINE="${CMDLINE} net.ifnames=1"
103 103 fi
104 104
105 # Disable Raspberry Pi console logo
106 if [ "$ENABLE_LOGO" = false ] ; then
107 CMDLINE="${CMDLINE} logo.nologo"
108 fi
109
110 # Strictly limit verbosity of boot up console messages
111 if [ "$ENABLE_SILENT_BOOT" = true ] ; then
112 CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
113 fi
114
105 115 # Install firmware config
106 116 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
107 117
118 # Disable Raspberry Pi console logo
119 if [ "$ENABLE_SLASH" = false ] ; then
120 echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
121 fi
122
108 123 # Locks CPU frequency at maximum
109 124 if [ "$ENABLE_TURBO" = true ] ; then
110 125 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
111 126 # helps to avoid sdcard corruption when force_turbo is enabled.
112 127 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
113 128 fi
114 129
115 130 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
116 131
117 132 # Bluetooth enabled
118 133 if [ "$ENABLE_BLUETOOTH" = true ] ; then
119 134 # Create temporary directory for Bluetooth sources
120 135 temp_dir=$(as_nobody mktemp -d)
121 136
122 137 # Fetch Bluetooth sources
123 138 as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
124 139
125 140 # Copy downloaded sources
126 141 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
127 142
128 143 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
129 144 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
130 145 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth
131 146
132 147 # Set permissions
133 148 chown -R root:root "${R}/tmp/pi-bluetooth"
134 149
135 150 # Install tools
136 151 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
137 152 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
138 153
139 154 # make scripts executable
140 155 chmod +x "${R}/usr/bin/bthelper"
141 156 chmod +x "${R}/usr/bin/btuart"
142 157
143 158 # Install bluetooth udev rule
144 159 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
145 160
146 161 # Install Firmware Flash file and apropiate licence
147 162 mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
148 163 install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
149 164 install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
150 165 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
151 166 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
152 167
153 168 # Remove temporary directories
154 169 rm -fr "${temp_dir}"
155 170 rm -fr "${R}"/tmp/pi-bluetooth
156 171
157 172 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
158 173 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
159 174 # set overlay to swap ttyAMA0 and ttyS0
160 175 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
161
176
162 177 if [ "$ENABLE_TURBO" = false ] ; then
163 178 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
164 179 fi
165 180
166 181 fi
167 182
168 183 # Activate services
169 184 chroot_exec systemctl enable pi-bluetooth.hciuart.service
170 185
171 186 else # if ENABLE_BLUETOOTH = false
172 187 # set overlay to disable bluetooth
173 188 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
174 189 fi # ENABLE_BLUETOOTH end
175 190 fi
176 191
177 192 # may need sudo systemctl disable hciuart
178 193 if [ "$ENABLE_CONSOLE" = true ] ; then
179 194 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
180 195 # add string to cmdline
181 196 CMDLINE="${CMDLINE} console=serial0,115200"
182 197
183 198 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then
184 199 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
185 200 if [ "$ENABLE_TURBO" = false ] ; then
186 201 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
187 202 fi
188 203 fi
189 204
190 205 # Enable serial console systemd style
191 206 chroot_exec systemctl enable serial-getty@serial0.service
192 207 else
193 208 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
194 209 fi
195 210
196 211 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
197 212 # Create temporary directory for systemd-swap sources
198 213 temp_dir=$(as_nobody mktemp -d)
199 214
200 215 # Fetch systemd-swap sources
201 216 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
202 217
203 218 # Copy downloaded systemd-swap sources
204 219 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
205 220
206 221 # Change into downloaded src dir
207 222 cd "${R}/tmp/systemd-swap" || exit
208 223
209 224 # Build package
210 225 bash ./package.sh debian
211 226
212 227 # Change back into script root dir
213 228 cd "${WORKDIR}" || exit
214 229
215 230 # Set permissions of the systemd-swap sources
216 231 chown -R root:root "${R}/tmp/systemd-swap"
217 232
218 233 # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
219 234 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
220 235
221 236 # Enable service
222 237 chroot_exec systemctl enable systemd-swap
223 238
224 239 # Remove temporary directory for systemd-swap sources
225 240 rm -fr "${temp_dir}"
226 241 else
227 242 # Enable ZSWAP in cmdline if systemd-swap is not used
228 243 if [ "$KERNEL_ZSWAP" = true ] ; then
229 244 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
230 245 fi
231 246 fi
232 247 if [ "$KERNEL_SECURITY" = true ] ; then
233 248 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
234 249 fi
235 250
236 251 # Install firmware boot cmdline
237 252 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
238 253
239 254 # Setup minimal GPU memory allocation size: 16MB (no X)
240 255 if [ "$ENABLE_MINGPU" = true ] ; then
241 256 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
242 257 fi
243 258
244 259 # Setup boot with initramfs
245 260 if [ "$ENABLE_INITRAMFS" = true ] ; then
246 261 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
247 262 fi
248 263
249 264 # Create firmware configuration and cmdline symlinks
250 265 ln -sf firmware/config.txt "${R}/boot/config.txt"
251 266 ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
252 267
253 268 # Install and setup kernel modules to load at boot
254 269 mkdir -p "${LIB_DIR}/modules-load.d/"
255 270 install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
256 271
257 272 # Load hardware random module at boot
258 273 if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
259 274 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
260 275 fi
261 276
262 277 # Load sound module at boot
263 278 if [ "$ENABLE_SOUND" = true ] ; then
264 279 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
265 280 else
266 281 echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
267 282 fi
268 283
269 284 # Enable I2C interface
270 285 if [ "$ENABLE_I2C" = true ] ; then
271 286 echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
272 287 sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
273 288 sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
274 289 fi
275 290
276 291 # Enable SPI interface
277 292 if [ "$ENABLE_SPI" = true ] ; then
278 293 echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
279 294 echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
280 295 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]; then
281 296 sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
282 297 fi
283 298 fi
284 299
285 300 # Disable RPi2/3 under-voltage warnings
286 301 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
287 302 echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
288 303 fi
289 304
290 305 # Install kernel modules blacklist
291 306 mkdir -p "${ETC_DIR}/modprobe.d/"
292 307 install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
293 308
294 309 # Install sysctl.d configuration files
295 310 install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"
Show file before | Show file after | Hide comments
@@ -1,53 +1,54
1 1 #
2 2 # Setup Firewall
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_IPTABLES" = true ] ; then
9 9 # Create iptables configuration directory
10 10 mkdir -p "${ETC_DIR}/iptables"
11 11
12 12 if [ "$KERNEL_NF" = false ] ; then
13 13 # iptables-save and -restore are slaves of iptables and thus are set accordingly
14 14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 15 fi
16 16
17 17 # Install iptables systemd service
18 18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
19 19
20 20 # Install flush-table script called by iptables service
21 21 install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
22 22
23 23 # Install iptables rule file
24 24 install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
25 25
26 26 # Reload systemd configuration and enable iptables service
27 27 chroot_exec systemctl daemon-reload
28 28 chroot_exec systemctl enable iptables.service
29 29
30 30 if [ "$ENABLE_IPV6" = true ] ; then
31 31 if [ "$KERNEL_NF" = false ] ; then
32 # iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
32 # iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 34 fi
35
35 36 # Install ip6tables systemd service
36 37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
37 38
38 39 # Install ip6tables file
39 40 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
40 41
41 42 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
42 43
43 44 # Reload systemd configuration and enable iptables service
44 45 chroot_exec systemctl daemon-reload
45 46 chroot_exec systemctl enable ip6tables.service
46 47 fi
47 48
48 49 if [ "$ENABLE_SSHD" = false ] ; then
49 50 # Remove SSHD related iptables rules
50 51 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
51 52 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
52 53 fi
53 54 fi
Show file before | Show file after | Hide comments
@@ -1,115 +1,116
1 #!/bin/sh
2 1 # This file contains utility functions used by rpi23-gen-image.sh
3 2
4 3 cleanup (){
5 4 set +x
6 5 set +e
7 6
8 7 # Remove exports from nexmon
9 8 unset KERNEL
10 9 unset ARCH
11 10 unset SUBARCH
12 11 unset CCPLUGIN
13 12 unset ZLIBFLATE
14 13 unset Q
15 14 unset NEXMON_SETUP_ENV
16 15 unset HOSTUNAME
17 16 unset PLATFORMUNAME
18 17
19 18 # Identify and kill all processes still using files
20 19 echo "killing processes using mount point ..."
21 20 fuser -k "${R}"
22 21 sleep 3
23 22 fuser -9 -k -v "${R}"
24 23
25 24 # Clean up temporary .password file
26 25 if [ -r ".password" ] ; then
27 26 shred -zu .password
28 27 fi
29 28
30 29 # Clean up all temporary mount points
31 30 echo "removing temporary mount points ..."
32 31 umount -l "${R}/proc" 2> /dev/null
33 32 umount -l "${R}/sys" 2> /dev/null
34 33 umount -l "${R}/dev/pts" 2> /dev/null
35 34 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
36 35 umount "$BUILDDIR/mount" 2> /dev/null
37 36 cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
38 37 losetup -d "$ROOT_LOOP" 2> /dev/null
39 38 losetup -d "$FRMW_LOOP" 2> /dev/null
40 39 trap - 0 1 2 3 6
41 40 }
42 41
43 42 chroot_exec() {
44 43 # Exec command in chroot
45 44 LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot "${R}" "$@"
46 45 }
47 46
48 47 as_nobody() {
49 48 # Exec command as user nobody
50 49 sudo -E -u nobody LANG=C LC_ALL=C "$@"
51 50 }
52 51
53 52 install_readonly() {
54 53 # Install file with user read-only permissions
55 54 install -o root -g root -m 644 "$@"
56 55 }
57 56
58 57 install_exec() {
59 58 # Install file with root exec permissions
60 59 install -o root -g root -m 744 "$@"
61 60 }
62 61
63 62 use_template () {
64 63 # Test if configuration template file exists
65 64 if [ ! -r "./templates/${CONFIG_TEMPLATE}" ] ; then
66 65 echo "error: configuration template ${CONFIG_TEMPLATE} not found"
67 66 exit 1
68 67 fi
69 68
70 69 # Load template configuration parameters
71 70 . "./templates/${CONFIG_TEMPLATE}"
72 71 }
73 72
74 73 chroot_install_cc() {
75 74 # Install c/c++ build environment inside the chroot
76 75 if [ -z "${COMPILER_PACKAGES}" ] ; then
77 76 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
78 77 # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot
79 78 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
80 79 fi
81 80 }
82 81
83 82 chroot_remove_cc() {
84 83 # Remove c/c++ build environment from the chroot
85 84 if [ -n "${COMPILER_PACKAGES}" ] ; then
86 85 chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
87 86 COMPILER_PACKAGES=""
88 87 fi
89 88 }
89
90 # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
91 cdr2mask ()
92 {
93 # Number of args to shift, 255..255, first non-255 byte, zeroes
94 set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
95 [ $1 -gt 1 ] && shift $1 || shift
96 echo ${1-0}.${2-0}.${3-0}.${4-0}
97 }
98
90 99 # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
91 100 set_kernel_config() {
92 101 # flag as $1, value to set as $2, config must exist at "./.config"
93 102 TGT="CONFIG_${1#CONFIG_}"
94 103 REP="${2}"
95 104 if grep -q "^${TGT}[^_]" .config; then
96 105 sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config
97 106 else
98 107 echo "${TGT}"="${2}" >> .config
99 108 fi
100 109 }
110
101 111 # unset kernel config parameter
102 112 unset_kernel_config() {
103 113 # unsets flag with the value of $1, config must exist at "./.config"
104 114 TGT="CONFIG_${1#CONFIG_}"
105 115 sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
106 }
107
108 # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
109 cdr2mask ()
110 {
111 # Number of args to shift, 255..255, first non-255 byte, zeroes
112 set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
113 [ $1 -gt 1 ] && shift $1 || shift
114 echo ${1-0}.${2-0}.${3-0}.${4-0}
115 116 } No newline at end of file
Show file before | Show file after | Hide comments
@@ -1,884 +1,892
1 1 #!/bin/sh
2 2 ########################################################################
3 3 # rpi23-gen-image.sh 2015-2017
4 4 #
5 5 # Advanced Debian "stretch" and "buster" bootstrap script for Raspberry Pi
6 6 #
7 7 # This program is free software; you can redistribute it and/or
8 8 # modify it under the terms of the GNU General Public License
9 9 # as published by the Free Software Foundation; either version 2
10 10 # of the License, or (at your option) any later version.
11 11 #
12 12 # Copyright (C) 2015 Jan Wagner <mail@jwagner.eu>
13 13 #
14 14 # Big thanks for patches and enhancements by 20+ github contributors!
15 15 ########################################################################
16 16
17 17 # Are we running as root?
18 18 if [ "$(id -u)" -ne "0" ] ; then
19 19 echo "error: this script must be executed with root privileges!"
20 20 exit 1
21 21 fi
22 22
23 23 # Check if ./functions.sh script exists
24 24 if [ ! -r "./functions.sh" ] ; then
25 25 echo "error: './functions.sh' required script not found!"
26 26 exit 1
27 27 fi
28 28
29 29 # Load utility functions
30 30 . ./functions.sh
31 31
32 32 # Load parameters from configuration template file
33 33 if [ -n "$CONFIG_TEMPLATE" ] ; then
34 34 use_template
35 35 fi
36 36
37 37 # Introduce settings
38 38 set -e
39 39 echo -n -e "\n#\n# RPi 0/1/2/3 Bootstrap Settings\n#\n"
40 40 set -x
41 41
42 42 # Raspberry Pi model configuration
43 43 RPI_MODEL=${RPI_MODEL:=2}
44 44
45 45 # Debian release
46 46 RELEASE=${RELEASE:=buster}
47 47
48 48 # Kernel Branch
49 49 KERNEL_BRANCH=${KERNEL_BRANCH:=""}
50 50
51 51 # URLs
52 52 KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
53 53 FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
54 54 WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm}
55 55 COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
56 56 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
59 59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
60 60 NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
61 61 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
62 62
63
64 63 # Kernel deb packages for 32bit kernel
65 64 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
66 65 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
67 66 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
68 67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
69 68 # Default precompiled 64bit kernel
70 69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
71 70 # Generic
72 71 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
73 72 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
74 73 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
75 74
76 75 # Build directories
77 76 WORKDIR=$(pwd)
78 77 BASEDIR=${BASEDIR:=${WORKDIR}/images/${RELEASE}}
79 78 BUILDDIR="${BASEDIR}/build"
80 79
81 80 # Chroot directories
82 81 R="${BUILDDIR}/chroot"
83 82 ETC_DIR="${R}/etc"
84 83 LIB_DIR="${R}/lib"
85 84 BOOT_DIR="${R}/boot/firmware"
86 85 KERNEL_DIR="${R}/usr/src/linux"
87 86 WLAN_FIRMWARE_DIR="${LIB_DIR}/firmware/brcm"
88 87 BLUETOOTH_FIRMWARE_DIR="${ETC_DIR}/firmware/bt"
89 88
90 89 # Firmware directory: Blank if download from github
91 90 RPI_FIRMWARE_DIR=${RPI_FIRMWARE_DIR:=""}
92 91
93 92 # General settings
94 93 SET_ARCH=${SET_ARCH:=32}
95 94 HOSTNAME=${HOSTNAME:=rpi${RPI_MODEL}-${RELEASE}}
96 95 PASSWORD=${PASSWORD:=raspberry}
97 96 USER_PASSWORD=${USER_PASSWORD:=raspberry}
98 97 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
99 98 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
100 99 EXPANDROOT=${EXPANDROOT:=true}
101 100
102 101 # Keyboard settings
103 102 XKB_MODEL=${XKB_MODEL:=""}
104 103 XKB_LAYOUT=${XKB_LAYOUT:=""}
105 104 XKB_VARIANT=${XKB_VARIANT:=""}
106 105 XKB_OPTIONS=${XKB_OPTIONS:=""}
107 106
108 107 # Network settings (DHCP)
109 108 ENABLE_DHCP=${ENABLE_DHCP:=true}
110 109
111 110 # Network settings (static)
112 111 NET_ADDRESS=${NET_ADDRESS:=""}
113 112 NET_GATEWAY=${NET_GATEWAY:=""}
114 113 NET_DNS_1=${NET_DNS_1:=""}
115 114 NET_DNS_2=${NET_DNS_2:=""}
116 115 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
117 116 NET_NTP_1=${NET_NTP_1:=""}
118 117 NET_NTP_2=${NET_NTP_2:=""}
119 118
120 119 # APT settings
121 120 APT_PROXY=${APT_PROXY:=""}
122 121 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
122 KEEP_APT_PROXY=${KEEP_APT_PROXY:=false}
123 123
124 124 # Feature settings
125 125 ENABLE_PRINTK=${ENABLE_PRINTK:=false}
126 126 ENABLE_BLUETOOTH=${ENABLE_BLUETOOTH:=false}
127 127 ENABLE_MINIUART_OVERLAY=${ENABLE_MINIUART_OVERLAY:=false}
128 128 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
129 129 ENABLE_I2C=${ENABLE_I2C:=false}
130 130 ENABLE_SPI=${ENABLE_SPI:=false}
131 131 ENABLE_IPV6=${ENABLE_IPV6:=true}
132 132 ENABLE_SSHD=${ENABLE_SSHD:=true}
133 133 ENABLE_NONFREE=${ENABLE_NONFREE:=false}
134 134 ENABLE_WIRELESS=${ENABLE_WIRELESS:=false}
135 135 ENABLE_SOUND=${ENABLE_SOUND:=true}
136 136 ENABLE_DBUS=${ENABLE_DBUS:=true}
137 137 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
138 138 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
139 139 ENABLE_XORG=${ENABLE_XORG:=false}
140 140 ENABLE_WM=${ENABLE_WM:=""}
141 141 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
142 142 ENABLE_USER=${ENABLE_USER:=true}
143 143 USER_NAME=${USER_NAME:="pi"}
144 144 ENABLE_ROOT=${ENABLE_ROOT:=false}
145 145 ENABLE_QEMU=${ENABLE_QEMU:=false}
146 146 ENABLE_SYSVINIT=${ENABLE_SYSVINIT:=false}
147 147 ENABLE_KEYGEN=${ENABLE_KEYGEN:=true}
148 148
149 149 # SSH settings
150 150 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
151 151 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
152 152 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
153 153 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
154 154 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
155 155
156 156 # Advanced settings
157 157 ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
158 158 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
159 159 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
160 160 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
161 161 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
162 162 ENABLE_USBBOOT=${ENABLE_USBBOOT=false}
163 163 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
164 164 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
165 165 ENABLE_NEXMON=${ENABLE_NEXMON:=false}
166 166 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
167 167 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
168 168 NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
169 169 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
170 170 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
171 171 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
172 172 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
173 173 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
174 ENABLE_SPLASH=${ENABLE_SPLASH:=true}
175 ENABLE_LOGO=${ENABLE_LOGO:=true}
176 ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}
174 177 DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
175 178
176 179 # Kernel compilation settings
177 180 BUILD_KERNEL=${BUILD_KERNEL:=true}
178 181 KERNEL_REDUCE=${KERNEL_REDUCE:=false}
179 182 KERNEL_THREADS=${KERNEL_THREADS:=1}
180 183 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
181 184 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
182 185 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
183 186 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
184 187 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
185 188 KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
186 189 KERNEL_VIRT=${KERNEL_VIRT:=false}
187 190 KERNEL_BPF=${KERNEL_BPF:=false}
188 191 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
189 192 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
190 193 KERNEL_NF=${KERNEL_NF:=false}
191 194
192 195 # Kernel compilation from source directory settings
193 196 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
194 197 KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
195 198 KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
196 199 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
197 200
198 201 # Reduce disk usage settings
199 202 REDUCE_APT=${REDUCE_APT:=true}
200 203 REDUCE_DOC=${REDUCE_DOC:=true}
201 204 REDUCE_MAN=${REDUCE_MAN:=true}
202 205 REDUCE_VIM=${REDUCE_VIM:=false}
203 206 REDUCE_BASH=${REDUCE_BASH:=false}
204 207 REDUCE_HWDB=${REDUCE_HWDB:=true}
205 208 REDUCE_SSHD=${REDUCE_SSHD:=true}
206 209 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
207 210
208 211 # Encrypted filesystem settings
209 212 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
210 213 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
211 214 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
212 215 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
213 216 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
214 217 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
215 218 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
216 219 #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
217 220 CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
218 221
219 222 # Chroot scripts directory
220 223 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
221 224
222 225 # Packages required in the chroot build environment
223 226 APT_INCLUDES=${APT_INCLUDES:=""}
224 227 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
225 228
226 229 # Packages to exclude from chroot build environment
227 230 APT_EXCLUDES=${APT_EXCLUDES:=""}
228 231
229 232 # Packages required for bootstrapping
230 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo netselect-apt"
233 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo"
234 #Requierd=netselect-apt
231 235 MISSING_PACKAGES=""
232 236
233 237 # Packages installed for c/c++ build environment in chroot (keep empty)
234 238 COMPILER_PACKAGES=""
235 239
236 240 # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
237 241 APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
238 242 if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
239 243 APT_PROXY=http://127.0.0.1:3142/
240 244 fi
241 245
242 246 # netselect-apt does not know buster yet
243 247 #if [ "$RELEASE" = "buster" ] ; then
244 248 # RLS=testing
245 249 #else
246 250 # RLS="$RELEASE"
247 251 #fi
248 252
249 253 #if [ -f "$(pwd)/files/apt/sources.list" ] ; then
250 254 #rm "$(pwd)/files/apt/sources.list"
251 255 #fi
252 256
253 257 #if [ "$ENABLE_NONFREE" = true ] ; then
254 258 # netselect-apt --arch "$RELEASE_ARCH" -t 3 --sources --nonfree --outfile "$(pwd)/files/apt/sources.list" -d "$RLS"
255 259 #else
256 260 # netselect-apt --arch "$RELEASE_ARCH" -t 3 --sources --outfile "$(pwd)/files/apt/sources.list" -d "$RLS"
257 261 #fi
258 262
259 263 # sed and cut the result string so we can use it as APT_SERVER
260 264 #APT_SERVER=$(grep -m 1 http files/apt/sources.list | sed "s|http://| |g" | cut -d ' ' -f 3 | sed 's|/$|''|')
261 265
262 266 # make script easier and more stable to use with convenient setup switch. Just setup SET_ARCH and RPI_MODEL and your good to go!
263 267 if [ -n "$SET_ARCH" ] ; then
264 268 # 64-bit configuration
265 269 if [ "$SET_ARCH" = 64 ] ; then
266 270 # General 64-bit depended settings
267 271 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
268 272 KERNEL_ARCH=${KERNEL_ARCH:=arm64}
269 273 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
270 274
271 275 # Raspberry Pi model specific settings
272 276 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
273 277 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
274 278 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
275 279 RELEASE_ARCH=${RELEASE_ARCH:=arm64}
276 280 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
277 281 CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-}
278 282 else
279 283 echo "error: Only Raspberry PI 3 and 3B+ support 64-bit"
280 284 exit 1
281 285 fi
282 286 fi
283 287
284 288 # 32-bit configuration
285 289 if [ "$SET_ARCH" = 32 ] ; then
286 290 # General 32-bit dependend settings
287 291 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
288 292 KERNEL_ARCH=${KERNEL_ARCH:=arm}
289 293 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
290 294
291 295 # Raspberry Pi model specific settings
292 296 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then
293 297 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel"
294 298 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig}
295 299 RELEASE_ARCH=${RELEASE_ARCH:=armel}
296 300 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img}
297 301 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-}
298 302 fi
299 303
300 304 # Raspberry Pi model specific settings
301 305 if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
302 306 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
303 307 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
304 308 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
305 309 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
306 310 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
307 311 fi
308 312 fi
309 313 # SET_ARCH not set
310 314 else
311 315 echo "error: Please set '32' or '64' as value for SET_ARCH"
312 316 exit 1
313 317 fi
314 318 # Device specific configuration and U-Boot configuration
315 319 case "$RPI_MODEL" in
316 320 0)
317 321 DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb}
318 322 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
319 323 ;;
320 324 1)
321 325 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b.dtb}
322 326 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
323 327 ;;
324 328 1P)
325 329 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b-plus.dtb}
326 330 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
327 331 ;;
328 332 2)
329 333 DTB_FILE=${DTB_FILE:=bcm2709-rpi-2-b.dtb}
330 334 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_2_defconfig}
331 335 ;;
332 336 3)
333 337 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
334 338 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
335 339 ;;
336 340 3P)
337 341 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
338 342 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
339 343 ;;
340 344 *)
341 345 echo "error: Raspberry Pi model $RPI_MODEL is not supported!"
342 346 exit 1
343 347 ;;
344 348 esac
345 349
346 350 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
347 351 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
348 352 # Include bluetooth packages on supported boards
349 353 if [ "$ENABLE_BLUETOOTH" = true ] ; then
350 354 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
351 355 fi
352 356 if [ "$ENABLE_WIRELESS" = true ] ; then
353 357 APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb,firmware-brcm80211"
354 358 fi
355 359 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
356 360 # Check if the internal wireless interface is not supported by the RPi model
357 361 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
358 362 echo "error: The selected Raspberry Pi model has no integrated interface for wireless or bluetooth"
359 363 exit 1
360 364 fi
361 365 fi
362 366
363 367 if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
364 368 echo "error: You have to compile kernel sources, if you want to enable nexmon"
365 369 exit 1
366 370 fi
367 371
368 372 # Prepare date string for default image file name
369 373 DATE="$(date +%Y-%m-%d)"
370 374 if [ -z "$KERNEL_BRANCH" ] ; then
371 375 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
372 376 else
373 377 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
374 378 fi
375 379
376 380 # Check if DISABLE_UNDERVOLT_WARNINGS parameter value is supported
377 381 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
378 382 if [ "$DISABLE_UNDERVOLT_WARNINGS" != 1 ] && [ "$DISABLE_UNDERVOLT_WARNINGS" != 2 ] ; then
379 383 echo "error: DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS} is not supported"
380 384 exit 1
381 385 fi
382 386 fi
383 387
384 388 set +x
385 389
386 390 # Add cmake to compile videocore sources
387 391 if [ "$ENABLE_KEYGEN" = true ] ; then
388 392 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} perl"
389 393 fi
390 394
391 395 # Add cmake to compile videocore sources
392 396 if [ "$ENABLE_VIDEOCORE" = true ] ; then
393 397 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
394 398 fi
395 399
396 400 # Add deps for nexmon
397 401 if [ "$ENABLE_NEXMON" = true ] ; then
398 402 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
399 403 fi
400 404
401 405 # Add libncurses5 to enable kernel menuconfig
402 406 if [ "$KERNEL_MENUCONFIG" = true ] ; then
403 407 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
404 408 fi
405 409
406 410 # Add ccache compiler cache for (faster) kernel cross (re)compilation
407 411 if [ "$KERNEL_CCACHE" = true ] ; then
408 412 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} ccache"
409 413 fi
410 414
411 415 # Add cryptsetup package to enable filesystem encryption
412 416 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
413 417 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
414 418 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
415 419
416 420 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
417 421 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
418 422 APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
419 423 fi
420 424
421 425 if [ -z "$CRYPTFS_PASSWORD" ] ; then
422 426 echo "error: no password defined (CRYPTFS_PASSWORD)!"
423 427 exit 1
424 428 fi
425 429 ENABLE_INITRAMFS=true
426 430 fi
427 431
428 432 # Add initramfs generation tools
429 433 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
430 434 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
431 435 fi
432 436
433 437 # Add device-tree-compiler required for building the U-Boot bootloader
434 438 if [ "$ENABLE_UBOOT" = true ] ; then
435 439 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
436 440 fi
437 441
438 442 if [ "$ENABLE_USBBOOT" = true ] ; then
439 443 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then
440 444 echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P"
441 445 exit 1
442 446 fi
443 447 fi
444 448
445 449 # Check if root SSH (v2) public key file exists
446 450 if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
447 451 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
448 452 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
449 453 exit 1
450 454 fi
451 455 fi
452 456
453 457 # Check if $USER_NAME SSH (v2) public key file exists
454 458 if [ -n "$SSH_USER_PUB_KEY" ] ; then
455 459 if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
456 460 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
457 461 exit 1
458 462 fi
459 463 fi
460 464
461 465 if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
462 466 echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
463 467 exit 1
464 468 fi
465 469
466 470 # Check if all required packages are installed on the build system
467 471 for package in $REQUIRED_PACKAGES ; do
468 472 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
469 473 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
470 474 fi
471 475 done
472 476
473 477 # If there are missing packages ask confirmation for install, or exit
474 478 if [ -n "$MISSING_PACKAGES" ] ; then
475 479 echo "the following packages needed by this script are not installed:"
476 480 echo "$MISSING_PACKAGES"
477 481
478 482 printf "\ndo you want to install the missing packages right now? [y/n] "
479 483 read -r confirm
480 484 [ "$confirm" != "y" ] && exit 1
481 485
482 486 # Make sure all missing required packages are installed
483 487 apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
484 488 fi
485 489
486 490 # Check if ./bootstrap.d directory exists
487 491 if [ ! -d "./bootstrap.d/" ] ; then
488 492 echo "error: './bootstrap.d' required directory not found!"
489 493 exit 1
490 494 fi
491 495
492 496 # Check if ./files directory exists
493 497 if [ ! -d "./files/" ] ; then
494 498 echo "error: './files' required directory not found!"
495 499 exit 1
496 500 fi
497 501
498 502 # Check if specified KERNELSRC_DIR directory exists
499 503 if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
500 504 echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
501 505 exit 1
502 506 fi
503 507
504 508 # Check if specified UBOOTSRC_DIR directory exists
505 509 if [ -n "$UBOOTSRC_DIR" ] && [ ! -d "$UBOOTSRC_DIR" ] ; then
506 510 echo "error: '${UBOOTSRC_DIR}' specified directory not found (UBOOTSRC_DIR)!"
507 511 exit 1
508 512 fi
509 513
510 514 # Check if specified VIDEOCORESRC_DIR directory exists
511 515 if [ -n "$VIDEOCORESRC_DIR" ] && [ ! -d "$VIDEOCORESRC_DIR" ] ; then
512 516 echo "error: '${VIDEOCORESRC_DIR}' specified directory not found (VIDEOCORESRC_DIR)!"
513 517 exit 1
514 518 fi
515 519
516 520 # Check if specified FBTURBOSRC_DIR directory exists
517 521 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
518 522 echo "error: '${FBTURBOSRC_DIR}' specified directory not found (FBTURBOSRC_DIR)!"
519 523 exit 1
520 524 fi
521 525
522 526 # Check if specified NEXMONSRC_DIR directory exists
523 527 if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
524 528 echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
525 529 exit 1
526 530 fi
527 531
528 532 # Check if specified CHROOT_SCRIPTS directory exists
529 533 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
530 534 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
531 535 exit 1
532 536 fi
533 537
534 538 # Check if specified device mapping already exists (will be used by cryptsetup)
535 539 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
536 540 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
537 541 exit 1
538 542 fi
539 543
540 544 # Don't clobber an old build
541 545 if [ -e "$BUILDDIR" ] ; then
542 546 echo "error: directory ${BUILDDIR} already exists, not proceeding"
543 547 exit 1
544 548 fi
545 549
546 550 # Setup chroot directory
547 551 mkdir -p "${R}"
548 552
549 553 # Check if build directory has enough of free disk space >512MB
550 554 if [ "$(df --output=avail "${BUILDDIR}" | sed "1d")" -le "524288" ] ; then
551 555 echo "error: ${BUILDDIR} not enough space left to generate the output image!"
552 556 exit 1
553 557 fi
554 558
555 559 set -x
556 560
557 561 # Call "cleanup" function on various signals and errors
558 562 trap cleanup 0 1 2 3 6
559 563
560 564 # Add required packages for the minbase installation
561 565 if [ "$ENABLE_MINBASE" = true ] ; then
562 566 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
563 567 fi
564 568
565 569 # Add parted package, required to get partprobe utility
566 570 if [ "$EXPANDROOT" = true ] ; then
567 571 APT_INCLUDES="${APT_INCLUDES},parted"
568 572 fi
569 573
570 574 # Add dbus package, recommended if using systemd
571 575 if [ "$ENABLE_DBUS" = true ] ; then
572 576 APT_INCLUDES="${APT_INCLUDES},dbus"
573 577 fi
574 578
575 579 # Add iptables IPv4/IPv6 package
576 580 if [ "$ENABLE_IPTABLES" = true ] ; then
577 581 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
578 582 fi
579 583 # Add apparmor for KERNEL_SECURITY
580 584 if [ "$KERNEL_SECURITY" = true ] ; then
581 585 APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
582 586 fi
583 587
584 588 # Add openssh server package
585 589 if [ "$ENABLE_SSHD" = true ] ; then
586 590 APT_INCLUDES="${APT_INCLUDES},openssh-server"
587 591 fi
588 592
589 593 # Add alsa-utils package
590 594 if [ "$ENABLE_SOUND" = true ] ; then
591 595 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
592 596 fi
593 597
594 598 # Add rng-tools package
595 599 if [ "$ENABLE_HWRANDOM" = true ] ; then
596 600 APT_INCLUDES="${APT_INCLUDES},rng-tools"
597 601 fi
598 602
599 603 # Add fbturbo video driver
600 604 if [ "$ENABLE_FBTURBO" = true ] ; then
601 605 # Enable xorg package dependencies
602 606 ENABLE_XORG=true
603 607 fi
604 608
605 609 # Add user defined window manager package
606 610 if [ -n "$ENABLE_WM" ] ; then
607 611 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
608 612
609 613 # Enable xorg package dependencies
610 614 ENABLE_XORG=true
611 615 fi
612 616
613 617 # Add xorg package
614 618 if [ "$ENABLE_XORG" = true ] ; then
615 619 APT_INCLUDES="${APT_INCLUDES},xorg,dbus-x11"
616 620 fi
617 621
618 622 # Replace selected packages with smaller clones
619 623 if [ "$ENABLE_REDUCE" = true ] ; then
620 624 # Add levee package instead of vim-tiny
621 625 if [ "$REDUCE_VIM" = true ] ; then
622 626 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
623 627 fi
624 628
625 629 # Add dropbear package instead of openssh-server
626 630 if [ "$REDUCE_SSHD" = true ] ; then
627 631 APT_INCLUDES="$(echo "${APT_INCLUDES}" | sed "s/openssh-server/dropbear/")"
628 632 fi
629 633 fi
630 634
631 635 # Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available
632 636 if [ "$ENABLE_SYSVINIT" = false ] ; then
633 637 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
634 638 fi
635 639
636 640 # Configure kernel sources if no KERNELSRC_DIR
637 641 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
638 642 KERNELSRC_CONFIG=true
639 643 fi
640 644
641 645 # Configure reduced kernel
642 646 if [ "$KERNEL_REDUCE" = true ] ; then
643 647 KERNELSRC_CONFIG=false
644 648 fi
645 649
646 650 # Configure qemu compatible kernel
647 651 if [ "$ENABLE_QEMU" = true ] ; then
648 652 DTB_FILE=vexpress-v2p-ca15_a7.dtb
649 653 UBOOT_CONFIG=vexpress_ca15_tc2_defconfig
650 654 KERNEL_DEFCONFIG="vexpress_defconfig"
651 655 if [ "$KERNEL_MENUCONFIG" = false ] ; then
652 656 KERNEL_OLDDEFCONFIG=true
653 657 fi
654 658 fi
655 659
656 660 # Execute bootstrap scripts
657 661 for SCRIPT in bootstrap.d/*.sh; do
658 662 head -n 3 "$SCRIPT"
659 663 . "$SCRIPT"
660 664 done
661 665
662 666 ## Execute custom bootstrap scripts
663 667 if [ -d "custom.d" ] ; then
664 668 for SCRIPT in custom.d/*.sh; do
665 669 . "$SCRIPT"
666 670 done
667 671 fi
668 672
669 673 # Execute custom scripts inside the chroot
670 674 if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
671 675 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
672 676 chroot_exec /bin/bash -x <<'EOF'
673 677 for SCRIPT in /chroot_scripts/* ; do
674 678 if [ -f $SCRIPT -a -x $SCRIPT ] ; then
675 679 $SCRIPT
676 680 fi
677 681 done
678 682 EOF
679 683 rm -rf "${R}/chroot_scripts"
680 684 fi
681 685
682 686 # Remove c/c++ build environment from the chroot
683 687 chroot_remove_cc
684 688
685 689 # Generate required machine-id
686 690 MACHINE_ID=$(dbus-uuidgen)
687 691 echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id"
688 692 echo -n "${MACHINE_ID}" > "${ETC_DIR}/machine-id"
689 693
690 694 # APT Cleanup
691 695 chroot_exec apt-get -y clean
692 696 chroot_exec apt-get -y autoclean
693 697 chroot_exec apt-get -y autoremove
694 698
695 699 # Unmount mounted filesystems
696 700 umount -l "${R}/proc"
697 701 umount -l "${R}/sys"
698 702
699 703 # Clean up directories
700 704 rm -rf "${R}/run/*"
701 705 rm -rf "${R}/tmp/*"
702 706
707 # Clean up APT proxy settings
708 if [ "$KEEP_APT_PROXY" = false ] ; then
709 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
710 fi
711
703 712 # Clean up files
704 713 rm -f "${ETC_DIR}/ssh/ssh_host_*"
705 714 rm -f "${ETC_DIR}/dropbear/dropbear_*"
706 715 rm -f "${ETC_DIR}/apt/sources.list.save"
707 716 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
708 717 rm -f "${ETC_DIR}/*-"
709 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
710 718 rm -f "${ETC_DIR}/resolv.conf"
711 719 rm -f "${R}/root/.bash_history"
712 720 rm -f "${R}/var/lib/urandom/random-seed"
713 721 rm -f "${R}/initrd.img"
714 722 rm -f "${R}/vmlinuz"
715 723 rm -f "${R}${QEMU_BINARY}"
716 724
717 725 if [ "$ENABLE_QEMU" = true ] ; then
718 726 # Setup QEMU directory
719 727 mkdir "${BASEDIR}/qemu"
720 728
721 729 # Copy kernel image to QEMU directory
722 730 install_readonly "${BOOT_DIR}/${KERNEL_IMAGE}" "${BASEDIR}/qemu/${KERNEL_IMAGE}"
723 731
724 732 # Copy kernel config to QEMU directory
725 733 install_readonly "${R}/boot/config-${KERNEL_VERSION}" "${BASEDIR}/qemu/config-${KERNEL_VERSION}"
726 734
727 735 # Copy kernel dtbs to QEMU directory
728 736 for dtb in "${BOOT_DIR}/"*.dtb ; do
729 737 if [ -f "${dtb}" ] ; then
730 738 install_readonly "${dtb}" "${BASEDIR}/qemu/"
731 739 fi
732 740 done
733 741
734 742 # Copy kernel overlays to QEMU directory
735 743 if [ -d "${BOOT_DIR}/overlays" ] ; then
736 744 # Setup overlays dtbs directory
737 745 mkdir "${BASEDIR}/qemu/overlays"
738 746
739 747 for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do
740 748 if [ -f "${dtb}" ] ; then
741 749 install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
742 750 fi
743 751 done
744 752 fi
745 753
746 754 # Copy u-boot files to QEMU directory
747 755 if [ "$ENABLE_UBOOT" = true ] ; then
748 756 if [ -f "${BOOT_DIR}/u-boot.bin" ] ; then
749 757 install_readonly "${BOOT_DIR}/u-boot.bin" "${BASEDIR}/qemu/u-boot.bin"
750 758 fi
751 759 if [ -f "${BOOT_DIR}/uboot.mkimage" ] ; then
752 760 install_readonly "${BOOT_DIR}/uboot.mkimage" "${BASEDIR}/qemu/uboot.mkimage"
753 761 fi
754 762 if [ -f "${BOOT_DIR}/boot.scr" ] ; then
755 763 install_readonly "${BOOT_DIR}/boot.scr" "${BASEDIR}/qemu/boot.scr"
756 764 fi
757 765 fi
758 766
759 767 # Copy initramfs to QEMU directory
760 768 if [ -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" ] ; then
761 769 install_readonly "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" "${BASEDIR}/qemu/initramfs-${KERNEL_VERSION}"
762 770 fi
763 771 fi
764 772
765 773 # Calculate size of the chroot directory in KB
766 774 CHROOT_SIZE=$(expr "$(du -s "${R}" | awk '{ print $1 }')")
767 775
768 776 # Calculate the amount of needed 512 Byte sectors
769 777 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
770 778 FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
771 779 ROOT_OFFSET=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}")
772 780
773 781 # The root partition is EXT4
774 782 # This means more space than the actual used space of the chroot is used.
775 783 # As overhead for journaling and reserved blocks 35% are added.
776 784 ROOT_SECTORS=$(expr "$(expr "${CHROOT_SIZE}" + "${CHROOT_SIZE}" \/ 100 \* 35)" \* 1024 \/ 512)
777 785
778 786 # Calculate required image size in 512 Byte sectors
779 787 IMAGE_SECTORS=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}")
780 788
781 789 # Prepare image file
782 790 if [ "$ENABLE_SPLITFS" = true ] ; then
783 791 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count="${TABLE_SECTORS}"
784 792 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=0 seek="${FRMW_SECTORS}"
785 793 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count="${TABLE_SECTORS}"
786 794 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=0 seek="${ROOT_SECTORS}"
787 795
788 796 # Write firmware/boot partition tables
789 797 sfdisk -q -L -uS -f "$IMAGE_NAME-frmw.img" 2> /dev/null <<EOM
790 798 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
791 799 EOM
792 800
793 801 # Write root partition table
794 802 sfdisk -q -L -uS -f "$IMAGE_NAME-root.img" 2> /dev/null <<EOM
795 803 ${TABLE_SECTORS},${ROOT_SECTORS},83
796 804 EOM
797 805
798 806 # Setup temporary loop devices
799 807 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME"-frmw.img)"
800 808 ROOT_LOOP="$(losetup -o 1M -f --show "$IMAGE_NAME"-root.img)"
801 809 else # ENABLE_SPLITFS=false
802 810 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count="${TABLE_SECTORS}"
803 811 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=0 seek="${IMAGE_SECTORS}"
804 812
805 813 # Write partition table
806 814 sfdisk -q -L -uS -f "$IMAGE_NAME.img" 2> /dev/null <<EOM
807 815 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
808 816 ${ROOT_OFFSET},${ROOT_SECTORS},83
809 817 EOM
810 818
811 819 # Setup temporary loop devices
812 820 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME".img)"
813 821 ROOT_LOOP="$(losetup -o 65M -f --show "$IMAGE_NAME".img)"
814 822 fi
815 823
816 824 if [ "$ENABLE_CRYPTFS" = true ] ; then
817 825 # Create dummy ext4 fs
818 826 mkfs.ext4 "$ROOT_LOOP"
819 827
820 828 # Setup password keyfile
821 829 touch .password
822 830 chmod 600 .password
823 831 echo -n ${CRYPTFS_PASSWORD} > .password
824 832
825 833 # Initialize encrypted partition
826 834 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
827 835
828 836 # Open encrypted partition and setup mapping
829 837 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
830 838
831 839 # Secure delete password keyfile
832 840 shred -zu .password
833 841
834 842 # Update temporary loop device
835 843 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
836 844
837 845 # Wipe encrypted partition (encryption cipher is used for randomness)
838 846 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count="$(blockdev --getsz "${ROOT_LOOP}")"
839 847 fi
840 848
841 849 # Build filesystems
842 850 mkfs.vfat "$FRMW_LOOP"
843 851 mkfs.ext4 "$ROOT_LOOP"
844 852
845 853 # Mount the temporary loop devices
846 854 mkdir -p "$BUILDDIR/mount"
847 855 mount "$ROOT_LOOP" "$BUILDDIR/mount"
848 856
849 857 mkdir -p "$BUILDDIR/mount/boot/firmware"
850 858 mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
851 859
852 860 # Copy all files from the chroot to the loop device mount point directory
853 861 rsync -a "${R}/" "$BUILDDIR/mount/"
854 862
855 863 # Unmount all temporary loop devices and mount points
856 864 cleanup
857 865
858 866 # Create block map file(s) of image(s)
859 867 if [ "$ENABLE_SPLITFS" = true ] ; then
860 868 # Create block map files for "bmaptool"
861 869 bmaptool create -o "$IMAGE_NAME-frmw.bmap" "$IMAGE_NAME-frmw.img"
862 870 bmaptool create -o "$IMAGE_NAME-root.bmap" "$IMAGE_NAME-root.img"
863 871
864 872 # Image was successfully created
865 873 echo "$IMAGE_NAME-frmw.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
866 874 echo "$IMAGE_NAME-root.img ($(expr \( "${TABLE_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
867 875 else
868 876 # Create block map file for "bmaptool"
869 877 bmaptool create -o "$IMAGE_NAME.bmap" "$IMAGE_NAME.img"
870 878
871 879 # Image was successfully created
872 880 echo "$IMAGE_NAME.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
873 881
874 882 # Create qemu qcow2 image
875 883 if [ "$ENABLE_QEMU" = true ] ; then
876 884 QEMU_IMAGE=${QEMU_IMAGE:=${BASEDIR}/qemu/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
877 885 QEMU_SIZE=16G
878 886
879 887 qemu-img convert -f raw -O qcow2 "$IMAGE_NAME".img "$QEMU_IMAGE".qcow2
880 888 qemu-img resize "$QEMU_IMAGE".qcow2 $QEMU_SIZE
881 889
882 890 echo "$QEMU_IMAGE.qcow2 ($QEMU_SIZE)" ": successfully created"
883 891 fi
884 892 fi
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant