Added: ENABLE_FBTURBO
Jan Wagner -
r20:5e4292ff17c8
@@ -1,97 +1,100
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ```
20 ```
21
21
22 #### APT settings:
22 #### APT settings:
23 ##### `APT_SERVER`="ftp.debian.org"
23 ##### `APT_SERVER`="ftp.debian.org"
24 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
24 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25
25
26 ##### `APT_PROXY`=""
26 ##### `APT_PROXY`=""
27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28
28
29 #### General system settings:
29 #### General system settings:
30 ##### `HOSTNAME`="rpi2-jessie"
30 ##### `HOSTNAME`="rpi2-jessie"
31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32
32
33 ##### `PASSWORD`="raspberry"
33 ##### `PASSWORD`="raspberry"
34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35
35
36 ##### `DEFLOCAL`="en_US.UTF-8"
36 ##### `DEFLOCAL`="en_US.UTF-8"
37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38
38
39 ##### `TIMEZONE`="Europe/Berlin"
39 ##### `TIMEZONE`="Europe/Berlin"
40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41
41
42 #### Basic system features:
42 #### Basic system features:
43 ##### `ENABLE_CONSOLE`=true
43 ##### `ENABLE_CONSOLE`=true
44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
45
45
46 ##### `ENABLE_IPV6`=true
46 ##### `ENABLE_IPV6`=true
47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
48
48
49 ##### `ENABLE_SSHD`=true
49 ##### `ENABLE_SSHD`=true
50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
51
51
52 ##### `ENABLE_SOUND`=true
52 ##### `ENABLE_SOUND`=true
53 Enable sound hardware and install Advanced Linux Sound Architecture.
53 Enable sound hardware and install Advanced Linux Sound Architecture.
54
54
55 ##### `ENABLE_HWRANDOM`=true
55 ##### `ENABLE_HWRANDOM`=true
56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
57
57
58 ##### `ENABLE_MINGPU`=false
58 ##### `ENABLE_MINGPU`=false
59 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
59 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
60
60
61 ##### `ENABLE_DBUS`=true
61 ##### `ENABLE_DBUS`=true
62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
63
63
64 ##### `ENABLE_XORG`=false
64 ##### `ENABLE_XORG`=false
65 Install Xorg open-source X Window System.
65 Install Xorg open-source X Window System.
66
66
67 ##### `ENABLE_FLUXBOX`=false
67 ##### `ENABLE_FLUXBOX`=false
68 Install Fluxbox window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_FLUXBOX` is used.
68 Install Fluxbox window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_FLUXBOX` is used.
69
69
70 #### Advanced sytem features:
70 #### Advanced sytem features:
71 ##### `ENABLE_MINBASE`=false
71 ##### `ENABLE_MINBASE`=false
72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73
73
74 ##### `ENABLE_UBOOT`=false
74 ##### `ENABLE_UBOOT`=false
75 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
75 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
76
76
77 ##### `ENABLE_FBTURBO`=false
78 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
79
77 ##### `ENABLE_IPTABLES`=false
80 ##### `ENABLE_IPTABLES`=false
78 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
81 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
79
82
80 ##### `ENABLE_HARDNET`=false
83 ##### `ENABLE_HARDNET`=false
81 Enable IPv4/IPv6 network stack hardening settings.
84 Enable IPv4/IPv6 network stack hardening settings.
82
85
83 ## Logging of the bootstrapping process
86 ## Logging of the bootstrapping process
84 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
87 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
85
88
86 ```shell
89 ```shell
87 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
90 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
88 ```
91 ```
89
92
90 ## Flashing the image file
93 ## Flashing the image file
91 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
94 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
92
95
93 #####Flashing examples:
96 #####Flashing examples:
94 ```shell
97 ```shell
95 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
98 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
96 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
99 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
97 ```
100 ```
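Review bot: The new `ENABLE_FBTURBO` entry (new lines 77-78) should state that it implies `ENABLE_XORG`, the way the `ENABLE_FLUXBOX` entry already does ("`ENABLE_XORG` will automatically get enabled if `ENABLE_FLUXBOX` is used"), since the script side of this commit sets `ENABLE_XORG=true` whenever `ENABLE_FBTURBO=true`; without that sentence a reader who sets only `ENABLE_FBTURBO=true` will not expect the full `xorg` package set to be pulled in. While touching this section, the heading it sits under still reads "Advanced sytem features" (typo for "system"), and the third command-line example is missing its leading dot (`/rpi2-gen-image.sh` should be `./rpi2-gen-image.sh`).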
@@ -1,803 +1,845
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 cleanup (){
18 cleanup (){
19 set +x
19 set +x
20 set +e
20 set +e
21 echo "removing temporary mount points ..."
21 echo "removing temporary mount points ..."
22 umount -l $R/proc 2> /dev/null
22 umount -l $R/proc 2> /dev/null
23 umount -l $R/sys 2> /dev/null
23 umount -l $R/sys 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 trap - 0 1 2 3 6
29 trap - 0 1 2 3 6
30 }
30 }
31
31
32 set -e
32 set -e
33 set -x
33 set -x
34
34
35 RELEASE=${RELEASE:=jessie}
35 RELEASE=${RELEASE:=jessie}
36
36
37 # Build settings
37 # Build settings
38 BASEDIR=./images/${RELEASE}
38 BASEDIR=./images/${RELEASE}
39 BUILDDIR=${BASEDIR}/build
39 BUILDDIR=${BASEDIR}/build
40
40
41 # General settings
41 # General settings
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 PASSWORD=${PASSWORD:=raspberry}
43 PASSWORD=${PASSWORD:=raspberry}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46
46
47 # APT settings
47 # APT settings
48 APT_PROXY=${APT_PROXY:=""}
48 APT_PROXY=${APT_PROXY:=""}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50
50
51 # Feature settings
51 # Feature settings
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 ENABLE_DBUS=${ENABLE_DBUS:=true}
56 ENABLE_DBUS=${ENABLE_DBUS:=true}
57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
59 ENABLE_XORG=${ENABLE_XORG:=false}
59 ENABLE_XORG=${ENABLE_XORG:=false}
60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
61
61
62 # Advanced settings
62 # Advanced settings
63 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
63 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
65 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67
68
68 # Image chroot path
69 # Image chroot path
69 R=${BUILDDIR}/chroot
70 R=${BUILDDIR}/chroot
70
71
71 # Packages required for bootstrapping
72 # Packages required for bootstrapping
72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73
74
74 # Missing packages that need to be installed
75 # Missing packages that need to be installed
75 MISSING_PACKAGES=""
76 MISSING_PACKAGES=""
76
77
77 # Packages required in the chroot build enviroment
78 # Packages required in the chroot build environment
78 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
79 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
79
80
80 set +x
81 set +x
81
82
82 # Are we running as root?
83 # Are we running as root?
83 if [ "$(id -u)" -ne "0" ] ; then
84 if [ "$(id -u)" -ne "0" ] ; then
84 echo "this script must be executed with root privileges"
85 echo "this script must be executed with root privileges"
85 exit 1
86 exit 1
86 fi
87 fi
87
88
88 # Check if all required packages are installed
89 # Check if all required packages are installed
89 for package in $REQUIRED_PACKAGES ; do
90 for package in $REQUIRED_PACKAGES ; do
90 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
91 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
91 MISSING_PACKAGES="$MISSING_PACKAGES $package"
92 MISSING_PACKAGES="$MISSING_PACKAGES $package"
92 fi
93 fi
93 done
94 done
94
95
95 # Ask if missing packages should get installed right now
96 # Ask if missing packages should get installed right now
96 if [ -n "$MISSING_PACKAGES" ] ; then
97 if [ -n "$MISSING_PACKAGES" ] ; then
97 echo "the following packages needed by this script are not installed:"
98 echo "the following packages needed by this script are not installed:"
98 echo "$MISSING_PACKAGES"
99 echo "$MISSING_PACKAGES"
99
100
100 echo -n "\ndo you want to install the missing packages right now? [y/n] "
101 echo -n "\ndo you want to install the missing packages right now? [y/n] "
101 read confirm
102 read confirm
102 if [ "$confirm" != "y" ] ; then
103 if [ "$confirm" != "y" ] ; then
103 exit 1
104 exit 1
104 fi
105 fi
105 fi
106 fi
106
107
107 # Make sure all required packages are installed
108 # Make sure all required packages are installed
108 apt-get -qq -y install ${REQUIRED_PACKAGES}
109 apt-get -qq -y install ${REQUIRED_PACKAGES}
109
110
110 # Don't clobber an old build
111 # Don't clobber an old build
111 if [ -e "$BUILDDIR" ]; then
112 if [ -e "$BUILDDIR" ]; then
112 echo "directory $BUILDDIR already exists, not proceeding"
113 echo "directory $BUILDDIR already exists, not proceeding"
113 exit 1
114 exit 1
114 fi
115 fi
115
116
116 set -x
117 set -x
117
118
118 # Call "cleanup" function on various signals and errors
119 # Call "cleanup" function on various signals and errors
119 trap cleanup 0 1 2 3 6
120 trap cleanup 0 1 2 3 6
120
121
121 # Set up chroot directory
122 # Set up chroot directory
122 mkdir -p $R
123 mkdir -p $R
123
124
124 # Add required packages for the minbase installation
125 # Add required packages for the minbase installation
125 if [ "$ENABLE_MINBASE" = true ] ; then
126 if [ "$ENABLE_MINBASE" = true ] ; then
126 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
127 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
127 else
128 else
128 APT_INCLUDES="${APT_INCLUDES},locales"
129 APT_INCLUDES="${APT_INCLUDES},locales"
129 fi
130 fi
130
131
131 # Add dbus package, recommended if using systemd
132 # Add dbus package, recommended if using systemd
132 if [ "$ENABLE_DBUS" = true ] ; then
133 if [ "$ENABLE_DBUS" = true ] ; then
133 APT_INCLUDES="${APT_INCLUDES},dbus"
134 APT_INCLUDES="${APT_INCLUDES},dbus"
134 fi
135 fi
135
136
136 # Add iptables IPv4/IPv6 package
137 # Add iptables IPv4/IPv6 package
137 if [ "$ENABLE_IPTABLES" = true ] ; then
138 if [ "$ENABLE_IPTABLES" = true ] ; then
138 APT_INCLUDES="${APT_INCLUDES},iptables"
139 APT_INCLUDES="${APT_INCLUDES},iptables"
139 fi
140 fi
140
141
141 # Add openssh server package
142 # Add openssh server package
142 if [ "$ENABLE_SSHD" = true ] ; then
143 if [ "$ENABLE_SSHD" = true ] ; then
143 APT_INCLUDES="${APT_INCLUDES},openssh-server"
144 APT_INCLUDES="${APT_INCLUDES},openssh-server"
144 fi
145 fi
145
146
146 # Add rng-tools package
147 # Add rng-tools package
147 if [ "$ENABLE_HWRANDOM" = true ] ; then
148 if [ "$ENABLE_HWRANDOM" = true ] ; then
148 APT_INCLUDES="${APT_INCLUDES},rng-tools"
149 APT_INCLUDES="${APT_INCLUDES},rng-tools"
149 fi
150 fi
150
151
152 # Add fbturbo video driver
153 if [ "$ENABLE_FBTURBO" = true ] ; then
154 # Enable xorg package dependencies
155 ENABLE_XORG=true
156 fi
157
151 # Add fluxbox package with eterm
158 # Add fluxbox package with eterm
152 if [ "$ENABLE_FLUXBOX" = true ] ; then
159 if [ "$ENABLE_FLUXBOX" = true ] ; then
153 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
160 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
154
161
155 # Enable xorg package dependency
162 # Enable xorg package dependencies
156 ENABLE_XORG=true
163 ENABLE_XORG=true
157 fi
164 fi
158
165
159 # Add xorg package
166 # Add xorg package
160 if [ "$ENABLE_XORG" = true ] ; then
167 if [ "$ENABLE_XORG" = true ] ; then
161 APT_INCLUDES="${APT_INCLUDES},xorg"
168 APT_INCLUDES="${APT_INCLUDES},xorg"
162 fi
169 fi
163
170
164 # Set empty proxy string
171 # Set empty proxy string
165 if [ -z "$APT_PROXY" ] ; then
172 if [ -z "$APT_PROXY" ] ; then
166 APT_PROXY="http://"
173 APT_PROXY="http://"
167 fi
174 fi
168
175
169 # Base debootstrap (unpack only)
176 # Base debootstrap (unpack only)
170 if [ "$ENABLE_MINBASE" = true ] ; then
177 if [ "$ENABLE_MINBASE" = true ] ; then
171 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
178 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
172 else
179 else
173 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
180 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
174 fi
181 fi
175
182
176 # Copy qemu emulator binary to chroot
183 # Copy qemu emulator binary to chroot
177 cp /usr/bin/qemu-arm-static $R/usr/bin
184 cp /usr/bin/qemu-arm-static $R/usr/bin
178
185
179 # Copy debian-archive-keyring.pgp
186 # Copy debian-archive-keyring.pgp
180 chroot $R mkdir -p /usr/share/keyrings
187 chroot $R mkdir -p /usr/share/keyrings
181 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
188 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
182
189
183 # Complete the bootstrapping proccess
190 # Complete the bootstrapping process
184 chroot $R /debootstrap/debootstrap --second-stage
191 chroot $R /debootstrap/debootstrap --second-stage
185
192
186 # Mount required filesystems
193 # Mount required filesystems
187 mount -t proc none $R/proc
194 mount -t proc none $R/proc
188 mount -t sysfs none $R/sys
195 mount -t sysfs none $R/sys
189 mount --bind /dev/pts $R/dev/pts
196 mount --bind /dev/pts $R/dev/pts
190
197
191 # Use proxy inside chroot
198 # Use proxy inside chroot
192 if [ -z "$APT_PROXY" ] ; then
199 if [ -z "$APT_PROXY" ] ; then
193 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
200 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
194 fi
201 fi
195
202
196 # Pin package flash-kernel to repositories.collabora.co.uk
203 # Pin package flash-kernel to repositories.collabora.co.uk
197 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
204 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
198 Package: flash-kernel
205 Package: flash-kernel
199 Pin: origin repositories.collabora.co.uk
206 Pin: origin repositories.collabora.co.uk
200 Pin-Priority: 1000
207 Pin-Priority: 1000
201 EOM
208 EOM
202
209
203 # Set up timezone
210 # Set up timezone
204 echo ${TIMEZONE} >$R/etc/timezone
211 echo ${TIMEZONE} >$R/etc/timezone
205 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
212 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
206
213
207 # Set up default locales to "en_US.UTF-8" default
214 # Set up default locales to "en_US.UTF-8" default
208 if [ "$ENABLE_MINBASE" = false ] ; then
215 if [ "$ENABLE_MINBASE" = false ] ; then
209 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
216 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
210 LANG=C chroot $R locale-gen ${DEFLOCAL}
217 LANG=C chroot $R locale-gen ${DEFLOCAL}
211 fi
218 fi
212
219
213 # Upgrade collabora package index and install collabora keyring
220 # Upgrade collabora package index and install collabora keyring
214 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
221 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
215 LANG=C chroot $R apt-get -qq -y update
222 LANG=C chroot $R apt-get -qq -y update
216 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
223 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
217
224
218 # Set up initial sources.list
225 # Set up initial sources.list
219 cat <<EOM >$R/etc/apt/sources.list
226 cat <<EOM >$R/etc/apt/sources.list
220 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
227 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
221 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
228 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
222
229
223 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
230 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
224 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
231 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
225
232
226 deb http://security.debian.org/ ${RELEASE}/updates main contrib
233 deb http://security.debian.org/ ${RELEASE}/updates main contrib
227 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
234 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
228
235
229 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
236 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
230 EOM
237 EOM
231
238
232 # Upgrade package index and update all installed packages and changed dependencies
239 # Upgrade package index and update all installed packages and changed dependencies
233 LANG=C chroot $R apt-get -qq -y update
240 LANG=C chroot $R apt-get -qq -y update
234 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
241 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
235
242
236 # Kernel installation
243 # Kernel installation
237 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
244 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
238 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
245 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
239 LANG=C chroot $R apt-get -qq -y install flash-kernel
246 LANG=C chroot $R apt-get -qq -y install flash-kernel
240
247
241 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
248 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
242 [ -z "$VMLINUZ" ] && exit 1
249 [ -z "$VMLINUZ" ] && exit 1
243 mkdir -p $R/boot/firmware
250 mkdir -p $R/boot/firmware
244
251
245 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
252 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
246 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
253 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
247 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
254 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
248 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
255 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
249 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
256 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
250 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
257 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
251 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
258 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
252 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
259 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
253 cp $VMLINUZ $R/boot/firmware/kernel7.img
260 cp $VMLINUZ $R/boot/firmware/kernel7.img
254
261
255 # Set up hosts
262 # Set up hosts
256 echo ${HOSTNAME} >$R/etc/hostname
263 echo ${HOSTNAME} >$R/etc/hostname
257 cat <<EOM >$R/etc/hosts
264 cat <<EOM >$R/etc/hosts
258 127.0.0.1 localhost
265 127.0.0.1 localhost
259 127.0.1.1 ${HOSTNAME}
266 127.0.1.1 ${HOSTNAME}
260 EOM
267 EOM
261
268
262 if [ "$ENABLE_IPV6" = true ] ; then
269 if [ "$ENABLE_IPV6" = true ] ; then
263 cat <<EOM >>$R/etc/hosts
270 cat <<EOM >>$R/etc/hosts
264
271
265 ::1 localhost ip6-localhost ip6-loopback
272 ::1 localhost ip6-localhost ip6-loopback
266 ff02::1 ip6-allnodes
273 ff02::1 ip6-allnodes
267 ff02::2 ip6-allrouters
274 ff02::2 ip6-allrouters
268 EOM
275 EOM
269 fi
276 fi
270
277
271 # Generate crypt(3) password string
278 # Generate crypt(3) password string
272 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
279 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
273
280
274 # Set up default user
281 # Set up default user
275 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
282 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
276 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
283 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
277
284
278 # Set up root password
285 # Set up root password
279 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
286 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
280
287
281 # Set up interfaces
288 # Set up interfaces
282 cat <<EOM >$R/etc/network/interfaces
289 cat <<EOM >$R/etc/network/interfaces
283 # interfaces(5) file used by ifup(8) and ifdown(8)
290 # interfaces(5) file used by ifup(8) and ifdown(8)
284 # Include files from /etc/network/interfaces.d:
291 # Include files from /etc/network/interfaces.d:
285 source-directory /etc/network/interfaces.d
292 source-directory /etc/network/interfaces.d
286
293
287 # The loopback network interface
294 # The loopback network interface
288 auto lo
295 auto lo
289 iface lo inet loopback
296 iface lo inet loopback
290
297
291 # The primary network interface
298 # The primary network interface
292 allow-hotplug eth0
299 allow-hotplug eth0
293 iface eth0 inet dhcp
300 iface eth0 inet dhcp
294 EOM
301 EOM
295
302
296 # Set up firmware boot cmdline
303 # Set up firmware boot cmdline
297 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
304 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
298
305
299 # Set up serial console support (if requested)
306 # Set up serial console support (if requested)
300 if [ "$ENABLE_CONSOLE" = true ] ; then
307 if [ "$ENABLE_CONSOLE" = true ] ; then
301 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
308 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
302 fi
309 fi
303
310
304 # Set up IPv6 networking support
311 # Set up IPv6 networking support
305 if [ "$ENABLE_IPV6" = false ] ; then
312 if [ "$ENABLE_IPV6" = false ] ; then
306 CMDLINE="${CMDLINE} ipv6.disable=1"
313 CMDLINE="${CMDLINE} ipv6.disable=1"
307 fi
314 fi
308
315
309 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
316 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
310
317
311 # Set up firmware config
318 # Set up firmware config
312 cat <<EOM >$R/boot/firmware/config.txt
319 cat <<EOM >$R/boot/firmware/config.txt
313 # For more options and information see
320 # For more options and information see
314 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
321 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
315 # Some settings may impact device functionality. See link above for details
322 # Some settings may impact device functionality. See link above for details
316
323
317 # uncomment if you get no picture on HDMI for a default "safe" mode
324 # uncomment if you get no picture on HDMI for a default "safe" mode
318 #hdmi_safe=1
325 #hdmi_safe=1
319
326
320 # uncomment this if your display has a black border of unused pixels visible
327 # uncomment this if your display has a black border of unused pixels visible
321 # and your display can output without overscan
328 # and your display can output without overscan
322 #disable_overscan=1
329 #disable_overscan=1
323
330
324 # uncomment the following to adjust overscan. Use positive numbers if console
331 # uncomment the following to adjust overscan. Use positive numbers if console
325 # goes off screen, and negative if there is too much border
332 # goes off screen, and negative if there is too much border
326 #overscan_left=16
333 #overscan_left=16
327 #overscan_right=16
334 #overscan_right=16
328 #overscan_top=16
335 #overscan_top=16
329 #overscan_bottom=16
336 #overscan_bottom=16
330
337
331 # uncomment to force a console size. By default it will be display's size minus
338 # uncomment to force a console size. By default it will be display's size minus
332 # overscan.
339 # overscan.
333 #framebuffer_width=1280
340 #framebuffer_width=1280
334 #framebuffer_height=720
341 #framebuffer_height=720
335
342
336 # uncomment if hdmi display is not detected and composite is being output
343 # uncomment if hdmi display is not detected and composite is being output
337 #hdmi_force_hotplug=1
344 #hdmi_force_hotplug=1
338
345
339 # uncomment to force a specific HDMI mode (this will force VGA)
346 # uncomment to force a specific HDMI mode (this will force VGA)
340 #hdmi_group=1
347 #hdmi_group=1
341 #hdmi_mode=1
348 #hdmi_mode=1
342
349
343 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
350 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
344 # DMT (computer monitor) modes
351 # DMT (computer monitor) modes
345 #hdmi_drive=2
352 #hdmi_drive=2
346
353
347 # uncomment to increase signal to HDMI, if you have interference, blanking, or
354 # uncomment to increase signal to HDMI, if you have interference, blanking, or
348 # no display
355 # no display
349 #config_hdmi_boost=4
356 #config_hdmi_boost=4
350
357
351 # uncomment for composite PAL
358 # uncomment for composite PAL
352 #sdtv_mode=2
359 #sdtv_mode=2
353
360
354 # uncomment to overclock the arm. 700 MHz is the default.
361 # uncomment to overclock the arm. 700 MHz is the default.
355 #arm_freq=800
362 #arm_freq=800
356 EOM
363 EOM
357
364
358 # Set smallest possible GPU memory allocation size: 16MB (no X)
365 # Set smallest possible GPU memory allocation size: 16MB (no X)
359 if [ "$ENABLE_MINGPU" = true ] ; then
366 if [ "$ENABLE_MINGPU" = true ] ; then
360 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
367 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
361 fi
368 fi
362
369
363 # Create symlinks
370 # Create symlinks
364 ln -sf firmware/config.txt $R/boot/config.txt
371 ln -sf firmware/config.txt $R/boot/config.txt
365 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
372 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
366
373
367 # Prepare modules-load.d directory
374 # Prepare modules-load.d directory
368 mkdir -p $R/lib/modules-load.d/
375 mkdir -p $R/lib/modules-load.d/
369
376
370 # Load random module on boot
377 # Load random module on boot
371 if [ "$ENABLE_HWRANDOM" = true ] ; then
378 if [ "$ENABLE_HWRANDOM" = true ] ; then
372 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
379 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
373 bcm2708_rng
380 bcm2708_rng
374 EOM
381 EOM
375 fi
382 fi
376
383
377 # Prepare modprobe.d directory
384 # Prepare modprobe.d directory
378 mkdir -p $R/etc/modprobe.d/
385 mkdir -p $R/etc/modprobe.d/
379
386
380 # Blacklist sound modules
387 # Blacklist sound modules
381 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
388 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
382 blacklist snd_soc_core
389 blacklist snd_soc_core
383 blacklist snd_pcm
390 blacklist snd_pcm
384 blacklist snd_pcm_dmaengine
391 blacklist snd_pcm_dmaengine
385 blacklist snd_timer
392 blacklist snd_timer
386 blacklist snd_compress
393 blacklist snd_compress
387 blacklist snd_soc_pcm512x_i2c
394 blacklist snd_soc_pcm512x_i2c
388 blacklist snd_soc_pcm512x
395 blacklist snd_soc_pcm512x
389 blacklist snd_soc_tas5713
396 blacklist snd_soc_tas5713
390 blacklist snd_soc_wm8804
397 blacklist snd_soc_wm8804
391 EOM
398 EOM
392
399
393 # Create default fstab
400 # Create default fstab
394 cat <<EOM >$R/etc/fstab
401 cat <<EOM >$R/etc/fstab
395 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
402 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
396 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
403 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
397 EOM
404 EOM
398
405
399 # Avoid swapping and increase cache sizes
406 # Avoid swapping and increase cache sizes
400 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
407 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
401
408
402 # Avoid swapping and increase cache sizes
409 # Avoid swapping and increase cache sizes
403 vm.swappiness=1
410 vm.swappiness=1
404 vm.dirty_background_ratio=20
411 vm.dirty_background_ratio=20
405 vm.dirty_ratio=40
412 vm.dirty_ratio=40
406 vm.dirty_writeback_centisecs=500
413 vm.dirty_writeback_centisecs=500
407 vm.dirty_expire_centisecs=6000
414 vm.dirty_expire_centisecs=6000
408 EOM
415 EOM
409
416
410 # Enable network stack hardening
417 # Enable network stack hardening
411 if [ "$ENABLE_HARDNET" = true ] ; then
418 if [ "$ENABLE_HARDNET" = true ] ; then
412 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
419 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
413
420
414 # Enable network stack hardening
421 # Enable network stack hardening
415 net.ipv4.tcp_timestamps=0
422 net.ipv4.tcp_timestamps=0
416 net.ipv4.tcp_syncookies=1
423 net.ipv4.tcp_syncookies=1
417 net.ipv4.conf.all.rp_filter=1
424 net.ipv4.conf.all.rp_filter=1
418 net.ipv4.conf.all.accept_redirects=0
425 net.ipv4.conf.all.accept_redirects=0
419 net.ipv4.conf.all.send_redirects=0
426 net.ipv4.conf.all.send_redirects=0
420 net.ipv4.conf.all.accept_source_route=0
427 net.ipv4.conf.all.accept_source_route=0
421 net.ipv4.conf.default.rp_filter=1
428 net.ipv4.conf.default.rp_filter=1
422 net.ipv4.conf.default.accept_redirects=0
429 net.ipv4.conf.default.accept_redirects=0
423 net.ipv4.conf.default.send_redirects=0
430 net.ipv4.conf.default.send_redirects=0
424 net.ipv4.conf.default.accept_source_route=0
431 net.ipv4.conf.default.accept_source_route=0
425 net.ipv4.conf.lo.accept_redirects=0
432 net.ipv4.conf.lo.accept_redirects=0
426 net.ipv4.conf.lo.send_redirects=0
433 net.ipv4.conf.lo.send_redirects=0
427 net.ipv4.conf.lo.accept_source_route=0
434 net.ipv4.conf.lo.accept_source_route=0
428 net.ipv4.conf.eth0.accept_redirects=0
435 net.ipv4.conf.eth0.accept_redirects=0
429 net.ipv4.conf.eth0.send_redirects=0
436 net.ipv4.conf.eth0.send_redirects=0
430 net.ipv4.conf.eth0.accept_source_route=0
437 net.ipv4.conf.eth0.accept_source_route=0
431 net.ipv4.icmp_echo_ignore_broadcasts=1
438 net.ipv4.icmp_echo_ignore_broadcasts=1
432 net.ipv4.icmp_ignore_bogus_error_responses=1
439 net.ipv4.icmp_ignore_bogus_error_responses=1
433
440
434 net.ipv6.conf.all.accept_redirects=0
441 net.ipv6.conf.all.accept_redirects=0
435 net.ipv6.conf.all.accept_source_route=0
442 net.ipv6.conf.all.accept_source_route=0
436 net.ipv6.conf.all.router_solicitations=0
443 net.ipv6.conf.all.router_solicitations=0
437 net.ipv6.conf.all.accept_ra_rtr_pref=0
444 net.ipv6.conf.all.accept_ra_rtr_pref=0
438 net.ipv6.conf.all.accept_ra_pinfo=0
445 net.ipv6.conf.all.accept_ra_pinfo=0
439 net.ipv6.conf.all.accept_ra_defrtr=0
446 net.ipv6.conf.all.accept_ra_defrtr=0
440 net.ipv6.conf.all.autoconf=0
447 net.ipv6.conf.all.autoconf=0
441 net.ipv6.conf.all.dad_transmits=0
448 net.ipv6.conf.all.dad_transmits=0
442 net.ipv6.conf.all.max_addresses=1
449 net.ipv6.conf.all.max_addresses=1
443
450
444 net.ipv6.conf.default.accept_redirects=0
451 net.ipv6.conf.default.accept_redirects=0
445 net.ipv6.conf.default.accept_source_route=0
452 net.ipv6.conf.default.accept_source_route=0
446 net.ipv6.conf.default.router_solicitations=0
453 net.ipv6.conf.default.router_solicitations=0
447 net.ipv6.conf.default.accept_ra_rtr_pref=0
454 net.ipv6.conf.default.accept_ra_rtr_pref=0
448 net.ipv6.conf.default.accept_ra_pinfo=0
455 net.ipv6.conf.default.accept_ra_pinfo=0
449 net.ipv6.conf.default.accept_ra_defrtr=0
456 net.ipv6.conf.default.accept_ra_defrtr=0
450 net.ipv6.conf.default.autoconf=0
457 net.ipv6.conf.default.autoconf=0
451 net.ipv6.conf.default.dad_transmits=0
458 net.ipv6.conf.default.dad_transmits=0
452 net.ipv6.conf.default.max_addresses=1
459 net.ipv6.conf.default.max_addresses=1
453
460
454 net.ipv6.conf.lo.accept_redirects=0
461 net.ipv6.conf.lo.accept_redirects=0
455 net.ipv6.conf.lo.accept_source_route=0
462 net.ipv6.conf.lo.accept_source_route=0
456 net.ipv6.conf.lo.router_solicitations=0
463 net.ipv6.conf.lo.router_solicitations=0
457 net.ipv6.conf.lo.accept_ra_rtr_pref=0
464 net.ipv6.conf.lo.accept_ra_rtr_pref=0
458 net.ipv6.conf.lo.accept_ra_pinfo=0
465 net.ipv6.conf.lo.accept_ra_pinfo=0
459 net.ipv6.conf.lo.accept_ra_defrtr=0
466 net.ipv6.conf.lo.accept_ra_defrtr=0
460 net.ipv6.conf.lo.autoconf=0
467 net.ipv6.conf.lo.autoconf=0
461 net.ipv6.conf.lo.dad_transmits=0
468 net.ipv6.conf.lo.dad_transmits=0
462 net.ipv6.conf.lo.max_addresses=1
469 net.ipv6.conf.lo.max_addresses=1
463
470
464 net.ipv6.conf.eth0.accept_redirects=0
471 net.ipv6.conf.eth0.accept_redirects=0
465 net.ipv6.conf.eth0.accept_source_route=0
472 net.ipv6.conf.eth0.accept_source_route=0
466 net.ipv6.conf.eth0.router_solicitations=0
473 net.ipv6.conf.eth0.router_solicitations=0
467 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
474 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
468 net.ipv6.conf.eth0.accept_ra_pinfo=0
475 net.ipv6.conf.eth0.accept_ra_pinfo=0
469 net.ipv6.conf.eth0.accept_ra_defrtr=0
476 net.ipv6.conf.eth0.accept_ra_defrtr=0
470 net.ipv6.conf.eth0.autoconf=0
477 net.ipv6.conf.eth0.autoconf=0
471 net.ipv6.conf.eth0.dad_transmits=0
478 net.ipv6.conf.eth0.dad_transmits=0
472 net.ipv6.conf.eth0.max_addresses=1
479 net.ipv6.conf.eth0.max_addresses=1
473 EOM
480 EOM
474
481
475 # Enable resolver warnings about spoofed addresses
482 # Enable resolver warnings about spoofed addresses
476 cat <<EOM >>$R/etc/host.conf
483 cat <<EOM >>$R/etc/host.conf
477 spoof warn
484 spoof warn
478 EOM
485 EOM
479 fi
486 fi
480
487
481 # Regenerate openssh server host keys
488 # Regenerate openssh server host keys
482 if [ "$ENABLE_SSHD" = true ] ; then
489 if [ "$ENABLE_SSHD" = true ] ; then
483 rm -fr $R/etc/ssh/ssh_host_*
490 rm -fr $R/etc/ssh/ssh_host_*
484 LANG=C chroot $R dpkg-reconfigure openssh-server
491 LANG=C chroot $R dpkg-reconfigure openssh-server
485 fi
492 fi
486
493
487 # Enable serial console systemd style
494 # Enable serial console systemd style
488 if [ "$ENABLE_CONSOLE" = true ] ; then
495 if [ "$ENABLE_CONSOLE" = true ] ; then
489 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
496 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
490 fi
497 fi
491
498
492 # Enable firewall based on iptables started by systemd service
499 # Enable firewall based on iptables started by systemd service
493 if [ "$ENABLE_IPTABLES" = true ] ; then
500 if [ "$ENABLE_IPTABLES" = true ] ; then
494 # Create iptables configuration directory
501 # Create iptables configuration directory
495 mkdir -p "$R/etc/iptables"
502 mkdir -p "$R/etc/iptables"
496
503
497 # Create iptables systemd service
504 # Create iptables systemd service
498 cat <<EOM >$R/etc/systemd/system/iptables.service
505 cat <<EOM >$R/etc/systemd/system/iptables.service
499 [Unit]
506 [Unit]
500 Description=Packet Filtering Framework
507 Description=Packet Filtering Framework
501 DefaultDependencies=no
508 DefaultDependencies=no
502 After=systemd-sysctl.service
509 After=systemd-sysctl.service
503 Before=sysinit.target
510 Before=sysinit.target
504 [Service]
511 [Service]
505 Type=oneshot
512 Type=oneshot
506 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
513 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
507 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
514 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
508 ExecStop=/etc/iptables/flush-iptables.sh
515 ExecStop=/etc/iptables/flush-iptables.sh
509 RemainAfterExit=yes
516 RemainAfterExit=yes
510 [Install]
517 [Install]
511 WantedBy=multi-user.target
518 WantedBy=multi-user.target
512 EOM
519 EOM
513
520
514 # Create flush-table script called by iptables service
521 # Create flush-table script called by iptables service
515 cat <<EOM >$R/etc/iptables/flush-iptables.sh
522 cat <<EOM >$R/etc/iptables/flush-iptables.sh
516 #!/bin/sh
523 #!/bin/sh
517 iptables -F
524 iptables -F
518 iptables -X
525 iptables -X
519 iptables -t nat -F
526 iptables -t nat -F
520 iptables -t nat -X
527 iptables -t nat -X
521 iptables -t mangle -F
528 iptables -t mangle -F
522 iptables -t mangle -X
529 iptables -t mangle -X
523 iptables -P INPUT ACCEPT
530 iptables -P INPUT ACCEPT
524 iptables -P FORWARD ACCEPT
531 iptables -P FORWARD ACCEPT
525 iptables -P OUTPUT ACCEPT
532 iptables -P OUTPUT ACCEPT
526 EOM
533 EOM
527
534
528 # Create iptables rule file
535 # Create iptables rule file
529 cat <<EOM >$R/etc/iptables/iptables.rules
536 cat <<EOM >$R/etc/iptables/iptables.rules
530 *filter
537 *filter
531 :INPUT DROP [0:0]
538 :INPUT DROP [0:0]
532 :FORWARD DROP [0:0]
539 :FORWARD DROP [0:0]
533 :OUTPUT ACCEPT [0:0]
540 :OUTPUT ACCEPT [0:0]
534 :TCP - [0:0]
541 :TCP - [0:0]
535 :UDP - [0:0]
542 :UDP - [0:0]
536 :SSH - [0:0]
543 :SSH - [0:0]
537
544
538 # Rate limit ping requests
545 # Rate limit ping requests
539 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
546 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
540 -A INPUT -p icmp --icmp-type echo-request -j DROP
547 -A INPUT -p icmp --icmp-type echo-request -j DROP
541
548
542 # Accept established connections
549 # Accept established connections
543 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
550 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
544
551
545 # Accept all traffic on loopback interface
552 # Accept all traffic on loopback interface
546 -A INPUT -i lo -j ACCEPT
553 -A INPUT -i lo -j ACCEPT
547
554
548 # Drop packets declared invalid
555 # Drop packets declared invalid
549 -A INPUT -m conntrack --ctstate INVALID -j DROP
556 -A INPUT -m conntrack --ctstate INVALID -j DROP
550
557
551 # SSH rate limiting
558 # SSH rate limiting
552 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
559 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
553 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
560 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
554 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
561 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
555 -A SSH -m recent --name sshbf --set -j ACCEPT
562 -A SSH -m recent --name sshbf --set -j ACCEPT
556
563
557 # Send TCP and UDP connections to their respective rules chain
564 # Send TCP and UDP connections to their respective rules chain
558 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
565 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
559 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
566 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
560
567
561 # Reject dropped packets with a RFC compliant responce
568 # Reject dropped packets with a RFC compliant responce
562 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
569 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
563 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
570 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
564 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
571 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
565
572
566 ## TCP PORT RULES
573 ## TCP PORT RULES
567 # -A TCP -p tcp -j LOG
574 # -A TCP -p tcp -j LOG
568
575
569 ## UDP PORT RULES
576 ## UDP PORT RULES
570 # -A UDP -p udp -j LOG
577 # -A UDP -p udp -j LOG
571
578
572 COMMIT
579 COMMIT
573 EOM
580 EOM
574
581
575 # Reload systemd configuration and enable iptables service
582 # Reload systemd configuration and enable iptables service
576 LANG=C chroot $R systemctl daemon-reload
583 LANG=C chroot $R systemctl daemon-reload
577 LANG=C chroot $R systemctl enable iptables.service
584 LANG=C chroot $R systemctl enable iptables.service
578
585
579 if [ "$ENABLE_IPV6" = true ] ; then
586 if [ "$ENABLE_IPV6" = true ] ; then
580 # Create ip6tables systemd service
587 # Create ip6tables systemd service
581 cat <<EOM >$R/etc/systemd/system/ip6tables.service
588 cat <<EOM >$R/etc/systemd/system/ip6tables.service
582 [Unit]
589 [Unit]
583 Description=Packet Filtering Framework
590 Description=Packet Filtering Framework
584 DefaultDependencies=no
591 DefaultDependencies=no
585 After=systemd-sysctl.service
592 After=systemd-sysctl.service
586 Before=sysinit.target
593 Before=sysinit.target
587 [Service]
594 [Service]
588 Type=oneshot
595 Type=oneshot
589 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
596 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
590 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
597 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
591 ExecStop=/etc/iptables/flush-ip6tables.sh
598 ExecStop=/etc/iptables/flush-ip6tables.sh
592 RemainAfterExit=yes
599 RemainAfterExit=yes
593 [Install]
600 [Install]
594 WantedBy=multi-user.target
601 WantedBy=multi-user.target
595 EOM
602 EOM
596
603
597 # Create ip6tables file
604 # Create ip6tables file
598 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
605 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
599 #!/bin/sh
606 #!/bin/sh
600 ip6tables -F
607 ip6tables -F
601 ip6tables -X
608 ip6tables -X
602 ip6tables -Z
609 ip6tables -Z
603 for table in $(</proc/net/ip6_tables_names)
610 for table in $(</proc/net/ip6_tables_names)
604 do
611 do
605 ip6tables -t \$table -F
612 ip6tables -t \$table -F
606 ip6tables -t \$table -X
613 ip6tables -t \$table -X
607 ip6tables -t \$table -Z
614 ip6tables -t \$table -Z
608 done
615 done
609 ip6tables -P INPUT ACCEPT
616 ip6tables -P INPUT ACCEPT
610 ip6tables -P OUTPUT ACCEPT
617 ip6tables -P OUTPUT ACCEPT
611 ip6tables -P FORWARD ACCEPT
618 ip6tables -P FORWARD ACCEPT
612 EOM
619 EOM
613
620
614 # Create ip6tables rule file
621 # Create ip6tables rule file
615 cat <<EOM >$R/etc/iptables/ip6tables.rules
622 cat <<EOM >$R/etc/iptables/ip6tables.rules
616 *filter
623 *filter
617 :INPUT DROP [0:0]
624 :INPUT DROP [0:0]
618 :FORWARD DROP [0:0]
625 :FORWARD DROP [0:0]
619 :OUTPUT ACCEPT [0:0]
626 :OUTPUT ACCEPT [0:0]
620 :TCP - [0:0]
627 :TCP - [0:0]
621 :UDP - [0:0]
628 :UDP - [0:0]
622 :SSH - [0:0]
629 :SSH - [0:0]
623
630
624 # Drop packets with RH0 headers
631 # Drop packets with RH0 headers
625 -A INPUT -m rt --rt-type 0 -j DROP
632 -A INPUT -m rt --rt-type 0 -j DROP
626 -A OUTPUT -m rt --rt-type 0 -j DROP
633 -A OUTPUT -m rt --rt-type 0 -j DROP
627 -A FORWARD -m rt --rt-type 0 -j DROP
634 -A FORWARD -m rt --rt-type 0 -j DROP
628
635
629 # Rate limit ping requests
636 # Rate limit ping requests
630 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
637 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
631 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
638 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
632
639
633 # Accept established connections
640 # Accept established connections
634 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
635
642
636 # Accept all traffic on loopback interface
643 # Accept all traffic on loopback interface
637 -A INPUT -i lo -j ACCEPT
644 -A INPUT -i lo -j ACCEPT
638
645
639 # Drop packets declared invalid
646 # Drop packets declared invalid
640 -A INPUT -m conntrack --ctstate INVALID -j DROP
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
641
648
642 # SSH rate limiting
649 # SSH rate limiting
643 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
644 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
645 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
646 -A SSH -m recent --name sshbf --set -j ACCEPT
653 -A SSH -m recent --name sshbf --set -j ACCEPT
647
654
648 # Send TCP and UDP connections to their respective rules chain
655 # Send TCP and UDP connections to their respective rules chain
649 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
650 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
651
658
652 # Reject dropped packets with a RFC compliant responce
659 # Reject dropped packets with a RFC compliant responce
653 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
660 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
654 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
661 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
655 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
662 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
656
663
657 ## TCP PORT RULES
664 ## TCP PORT RULES
658 # -A TCP -p tcp -j LOG
665 # -A TCP -p tcp -j LOG
659
666
660 ## UDP PORT RULES
667 ## UDP PORT RULES
661 # -A UDP -p udp -j LOG
668 # -A UDP -p udp -j LOG
662
669
663 COMMIT
670 COMMIT
664 EOM
671 EOM
665
672
666 # Reload systemd configuration and enable iptables service
673 # Reload systemd configuration and enable iptables service
667 LANG=C chroot $R systemctl daemon-reload
674 LANG=C chroot $R systemctl daemon-reload
668 LANG=C chroot $R systemctl enable ip6tables.service
675 LANG=C chroot $R systemctl enable ip6tables.service
669 fi
676 fi
670 fi
677 fi
671
678
672 # Remove SSHD related iptables rules
679 # Remove SSHD related iptables rules
673 if [ "$ENABLE_SSHD" = false ] ; then
680 if [ "$ENABLE_SSHD" = false ] ; then
674 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
681 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
675 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
682 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
676 fi
683 fi
677
684
685 # Install gcc/c++ build environment inside the chroot
686 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
687 # Install minimal gcc/g++ build environment
688 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
689 fi
690
691 # Fetch and build U-Boot bootloader
678 if [ "$ENABLE_UBOOT" = true ] ; then
692 if [ "$ENABLE_UBOOT" = true ] ; then
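Review bot: `--force-yes` on the new shared build-environment install (`apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc`) should be dropped; it tells apt to proceed even when a package cannot be authenticated against the archive keyring, so the toolchain that later compiles the bootloader and the Xorg driver could be pulled from an unsigned source. The Xorg dependency install added further down in this same commit already omits the flag, so the two calls are inconsistent; use `apt-get install -q -y --no-install-recommends ...` in both places. The exit status of this install is also not checked, so a failed toolchain install only surfaces later as a confusing `make` error inside the U-Boot or fbturbo block.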
679 # Fetch u-boot github
693 # Fetch U-Boot bootloader sources
680 git -C $R/tmp clone git://git.denx.de/u-boot.git
694 git -C $R/tmp clone git://git.denx.de/u-boot.git
681
695
682 # Install minimal gcc/g++ build environment and build u-boot inside chroot
696 # Build and install U-Boot inside chroot
683 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
684 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
697 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
685
698
686 # Copy compiled bootloader binary and set config.txt to load it
699 # Copy compiled bootloader binary and set config.txt to load it
687 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
700 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
688 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
701 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
689
702
690 # Set u-boot command file
703 # Set U-Boot command file
691 cat <<EOM >$R/boot/firmware/uboot.mkimage
704 cat <<EOM >$R/boot/firmware/uboot.mkimage
692 # Tell Linux that it is booting on a Raspberry Pi2
705 # Tell Linux that it is booting on a Raspberry Pi2
693 setenv machid 0x00000c42
706 setenv machid 0x00000c42
694
707
695 # Set the kernel boot command line
708 # Set the kernel boot command line
696 setenv bootargs "earlyprintk ${CMDLINE}"
709 setenv bootargs "earlyprintk ${CMDLINE}"
697
710
698 # Save these changes to u-boot's environment
711 # Save these changes to u-boot's environment
699 saveenv
712 saveenv
700
713
701 # Load the existing Linux kernel into RAM
714 # Load the existing Linux kernel into RAM
702 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
715 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
703
716
704 # Boot the kernel we have just loaded
717 # Boot the kernel we have just loaded
705 bootz \${kernel_addr_r}
718 bootz \${kernel_addr_r}
706 EOM
719 EOM
707
720
708 # Generate u-boot image from command file
721 # Generate U-Boot image from command file
709 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
722 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
723 fi
724
725
726 # Fetch and build fbturbo Xorg driver
727 if [ "$ENABLE_FBTURBO" = true ] ; then
728 # Fetch fbturbo driver sources
729 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
730
731 # Install Xorg build dependencies
732 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
733
734 # Build and install fbturbo driver inside chroot
735 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
736
737 # Add fbturbo driver to Xorg configuration
738 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
739 Section "Device"
740 Identifier "Allwinner A10/A13 FBDEV"
741 Driver "fbturbo"
742 Option "fbdev" "/dev/fb0"
743 Option "SwapbuffersWait" "true"
744 EndSection
745 EOM
746
747 # Remove Xorg build dependencies
748 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
749 fi
710
750
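Review bot: the fbturbo build command chains `autoreconf -vi; ./configure --prefix=/usr; make; make install` with `;`, so a failure in any step is ignored and the script goes on to write `99-fbturbo.conf` and purge the build dependencies, leaving an image whose Xorg configuration names a driver that was never installed. Chain the steps with `&&` (`cd /tmp/xf86-video-fbturbo && autoreconf -vi && ./configure --prefix=/usr && make && make install`) so the chroot command returns non-zero on the first failure. Two smaller points: the `git clone` of `xf86-video-fbturbo` builds whatever HEAD is at image-build time, so pin a tag or commit (for example `git -C $R/tmp/xf86-video-fbturbo checkout <ref>`, with `<ref>` chosen by the maintainer) for a reproducible image; the U-Boot clone above has the same problem and additionally uses the unauthenticated `git://` transport, whereas this block correctly uses `https://`. And nothing in this block creates `$R/usr/share/X11/xorg.conf.d/` before the heredoc redirect, so add a `mkdir -p` unless a package installed earlier is known to ship that directory.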
711 # Remove gcc/c++ build enviroment
751 # Remove gcc/c++ build environment from the chroot
752 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
753 # Remove minimal gcc/c++ build environment
712 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
754 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
713 fi
755 fi
714
756
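Review bot: the condition `[ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]` on the purge block duplicates the one on the install block above; if a later change adds a feature to one and not the other, the toolchain either stays behind in the image or is purged out from under a build. Compute it once (for example set a `BUILD_ENV=true` variable in the install block) and test that variable in both places. The hard-coded purge list is also tied to jessie's gcc 4.9 package names (`cpp-4.9`, `libgcc-4.9-dev`, `libstdc++-4.9-dev`, ...); since the block already passes `--auto-remove`, purging only the packages that were explicitly installed (`linux-compiler-gcc-4.9-arm g++ make bc`) and letting apt remove their automatically installed dependencies is simpler and survives a toolchain version bump, which is the pattern the Xorg dependency cleanup in the fbturbo block already follows.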
715 # Enable systemd-networkd DHCP configuration for the eth0 interface
757 # Enable systemd-networkd DHCP configuration for the eth0 interface
716 printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
758 printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
717
759
718 # Set DHCP configuration to IPv4 only
760 # Set DHCP configuration to IPv4 only
719 if [ "$ENABLE_IPV6" = false ] ; then
761 if [ "$ENABLE_IPV6" = false ] ; then
720 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
762 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
721 fi
763 fi
722
764
723 # Enable systemd-networkd service
765 # Enable systemd-networkd service
724 LANG=C chroot $R systemctl enable systemd-networkd
766 LANG=C chroot $R systemctl enable systemd-networkd
725
767
726 # Place hint about netowrk configuration
768 # Place hint about netowrk configuration
727 cat <<EOM >$R/etc/network/interfaces
769 cat <<EOM >$R/etc/network/interfaces
728 # Debian switched to systemd-networkd configuration files.
770 # Debian switched to systemd-networkd configuration files.
729 # please configure your networks in '/etc/systemd/network/'
771 # please configure your networks in '/etc/systemd/network/'
730 EOM
772 EOM
731
773
732 # Clean cached downloads
774 # Clean cached downloads
733 LANG=C chroot $R apt-get -y clean
775 LANG=C chroot $R apt-get -y clean
734 LANG=C chroot $R apt-get -y autoclean
776 LANG=C chroot $R apt-get -y autoclean
735 LANG=C chroot $R apt-get -y autoremove
777 LANG=C chroot $R apt-get -y autoremove
736
778
737 # Unmount mounted filesystems
779 # Unmount mounted filesystems
738 umount -l $R/proc
780 umount -l $R/proc
739 umount -l $R/sys
781 umount -l $R/sys
740
782
741 # Clean up files
783 # Clean up files
742 rm -f $R/etc/apt/sources.list.save
784 rm -f $R/etc/apt/sources.list.save
743 rm -f $R/etc/resolvconf/resolv.conf.d/original
785 rm -f $R/etc/resolvconf/resolv.conf.d/original
744 rm -rf $R/run
786 rm -rf $R/run
745 mkdir -p $R/run
787 mkdir -p $R/run
746 rm -f $R/etc/*-
788 rm -f $R/etc/*-
747 rm -f $R/root/.bash_history
789 rm -f $R/root/.bash_history
748 rm -rf $R/tmp/*
790 rm -rf $R/tmp/*
749 rm -f $R/var/lib/urandom/random-seed
791 rm -f $R/var/lib/urandom/random-seed
750 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
792 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
751 rm -f $R/etc/machine-id
793 rm -f $R/etc/machine-id
752 rm -fr $R/etc/apt/apt.conf.d/10proxy
794 rm -fr $R/etc/apt/apt.conf.d/10proxy
753
795
754 # Calculate size of the chroot directory
796 # Calculate size of the chroot directory
755 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
797 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
756
798
757 # Calculate required image size
799 # Calculate required image size
758 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
800 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
759
801
760 # Calculate number of sectors for the partition
802 # Calculate number of sectors for the partition
761 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
803 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
762
804
763 # Prepare date string for image file name
805 # Prepare date string for image file name
764 DATE="$(date +%Y-%m-%d)"
806 DATE="$(date +%Y-%m-%d)"
765
807
766 # Prepare image file
808 # Prepare image file
767 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
809 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
768 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
769
811
770 # Write partition table
812 # Write partition table
771 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
813 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
772 unit: sectors
814 unit: sectors
773
815
774 1 : start= 2048, size= 131072, Id= c, bootable
816 1 : start= 2048, size= 131072, Id= c, bootable
775 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
817 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
776 3 : start= 0, size= 0, Id= 0
818 3 : start= 0, size= 0, Id= 0
777 4 : start= 0, size= 0, Id= 0
819 4 : start= 0, size= 0, Id= 0
778 EOM
820 EOM
779
821
780 # Set up temporary loop devices and build filesystems
822 # Set up temporary loop devices and build filesystems
781 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
823 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
782 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
824 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
783 mkfs.vfat "$VFAT_LOOP"
825 mkfs.vfat "$VFAT_LOOP"
784 mkfs.ext4 "$EXT4_LOOP"
826 mkfs.ext4 "$EXT4_LOOP"
785
827
786 # Mount the temporary loop devices
828 # Mount the temporary loop devices
787 mkdir -p "$BUILDDIR/mount"
829 mkdir -p "$BUILDDIR/mount"
788 mount "$EXT4_LOOP" "$BUILDDIR/mount"
830 mount "$EXT4_LOOP" "$BUILDDIR/mount"
789
831
790 mkdir -p "$BUILDDIR/mount/boot/firmware"
832 mkdir -p "$BUILDDIR/mount/boot/firmware"
791 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
833 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
792
834
793 # Copy all files from the chroot to the loop device mount point directory
835 # Copy all files from the chroot to the loop device mount point directory
794 rsync -a "$R/" "$BUILDDIR/mount/"
836 rsync -a "$R/" "$BUILDDIR/mount/"
795
837
796 # Unmount all temporary loop devices and mount points
838 # Unmount all temporary loop devices and mount points
797 cleanup
839 cleanup
798
840
799 # (optinal) create block map file for "bmaptool"
841 # (optinal) create block map file for "bmaptool"
800 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
842 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
801
843
802 # Image was successfully created
844 # Image was successfully created
803 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
845 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
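Review bot: the chroot copy step `rsync -a "$R/" "$BUILDDIR/mount/"` loses hard links, ACLs and extended attributes, because `-a` (`-rlptgoD`) does not imply `-H`, `-A` or `-X`; file capabilities granted with `setcap` are stored in the `security.capability` xattr and would be silently dropped from the image, so use `rsync -aHAX "$R/" "$BUILDDIR/mount/"` here. Separately, the two `losetup` calls pass `$BASEDIR/${DATE}-debian-${RELEASE}.img` unquoted while every other use of that path is quoted; a `$BASEDIR` containing whitespace would break them.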