Added: ENABLE_FBTURBO
Jan Wagner -
r20:5e4292ff17c8
@@ -1,97 +1,100
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 20 ```
21 21
22 22 #### APT settings:
23 23 ##### `APT_SERVER`="ftp.debian.org"
24 24 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 25
26 26 ##### `APT_PROXY`=""
27 27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 28
29 29 #### General system settings:
30 30 ##### `HOSTNAME`="rpi2-jessie"
31 31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 32
33 33 ##### `PASSWORD`="raspberry"
34 34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 35
36 36 ##### `DEFLOCAL`="en_US.UTF-8"
37 37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 38
39 39 ##### `TIMEZONE`="Europe/Berlin"
40 40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41 41
42 42 #### Basic system features:
43 43 ##### `ENABLE_CONSOLE`=true
44 44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
45 45
46 46 ##### `ENABLE_IPV6`=true
47 47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
48 48
49 49 ##### `ENABLE_SSHD`=true
50 50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
51 51
52 52 ##### `ENABLE_SOUND`=true
53 53 Enable sound hardware and install Advanced Linux Sound Architecture.
54 54
55 55 ##### `ENABLE_HWRANDOM`=true
56 56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
57 57
58 58 ##### `ENABLE_MINGPU`=false
59 59 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
60 60
61 61 ##### `ENABLE_DBUS`=true
62 62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
63 63
64 64 ##### `ENABLE_XORG`=false
65 65 Install Xorg open-source X Window System.
66 66
67 67 ##### `ENABLE_FLUXBOX`=false
68 68 Install Fluxbox window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_FLUXBOX` is used.
69 69
70 70 #### Advanced sytem features:
71 71 ##### `ENABLE_MINBASE`=false
72 72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73 73
74 74 ##### `ENABLE_UBOOT`=false
75 75 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
76 76
77 ##### `ENABLE_FBTURBO`=false
78 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
79
77 80 ##### `ENABLE_IPTABLES`=false
78 81 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
79 82
80 83 ##### `ENABLE_HARDNET`=false
81 84 Enable IPv4/IPv6 network stack hardening settings.
82 85
83 86 ## Logging of the bootstrapping process
84 87 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
85 88
86 89 ```shell
87 90 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
88 91 ```
89 92
90 93 ## Flashing the image file
91 94 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
92 95
93 96 #####Flashing examples:
94 97 ```shell
95 98 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
96 99 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
97 100 ```
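Review bot: The new `ENABLE_FBTURBO` entry (new lines 77-78) does not say that it forces `ENABLE_XORG=true`, although the `ENABLE_FLUXBOX` entry a few lines above documents exactly that side effect and the script hunk in this commit does the same for fbturbo; please add a sentence such as "`ENABLE_XORG` will automatically get enabled if `ENABLE_FBTURBO` is used." Worth stating here as well: the script hunk installs a gcc/g++/make toolchain inside the chroot when `ENABLE_FBTURBO` is true, so users of `ENABLE_MINBASE` should know that enabling this option adds a compiler to the final image. Two pre-existing nits in the surrounding context that could ride along with this README change: the heading "Advanced sytem features" is misspelled ("system"), and the `ENABLE_HARDNET` command-line example invokes `/rpi2-gen-image.sh` without the leading `./`.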
@@ -1,803 +1,845
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 cleanup (){
19 19 set +x
20 20 set +e
21 21 echo "removing temporary mount points ..."
22 22 umount -l $R/proc 2> /dev/null
23 23 umount -l $R/sys 2> /dev/null
24 24 umount -l $R/dev/pts 2> /dev/null
25 25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 26 umount "$BUILDDIR/mount" 2> /dev/null
27 27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 29 trap - 0 1 2 3 6
30 30 }
31 31
32 32 set -e
33 33 set -x
34 34
35 35 RELEASE=${RELEASE:=jessie}
36 36
37 37 # Build settings
38 38 BASEDIR=./images/${RELEASE}
39 39 BUILDDIR=${BASEDIR}/build
40 40
41 41 # General settings
42 42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 43 PASSWORD=${PASSWORD:=raspberry}
44 44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46 46
47 47 # APT settings
48 48 APT_PROXY=${APT_PROXY:=""}
49 49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50 50
51 51 # Feature settings
52 52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 56 ENABLE_DBUS=${ENABLE_DBUS:=true}
57 57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
58 58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
59 59 ENABLE_XORG=${ENABLE_XORG:=false}
60 60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
61 61
62 62 # Advanced settings
63 63 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
64 64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
65 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
65 66 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 67 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67 68
68 69 # Image chroot path
69 70 R=${BUILDDIR}/chroot
70 71
71 72 # Packages required for bootstrapping
72 73 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73 74
74 75 # Missing packages that need to be installed
75 76 MISSING_PACKAGES=""
76 77
77 # Packages required in the chroot build enviroment
78 # Packages required in the chroot build environment
78 79 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
79 80
80 81 set +x
81 82
82 83 # Are we running as root?
83 84 if [ "$(id -u)" -ne "0" ] ; then
84 85 echo "this script must be executed with root privileges"
85 86 exit 1
86 87 fi
87 88
88 89 # Check if all required packages are installed
89 90 for package in $REQUIRED_PACKAGES ; do
90 91 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
91 92 MISSING_PACKAGES="$MISSING_PACKAGES $package"
92 93 fi
93 94 done
94 95
95 96 # Ask if missing packages should get installed right now
96 97 if [ -n "$MISSING_PACKAGES" ] ; then
97 98 echo "the following packages needed by this script are not installed:"
98 99 echo "$MISSING_PACKAGES"
99 100
100 101 echo -n "\ndo you want to install the missing packages right now? [y/n] "
101 102 read confirm
102 103 if [ "$confirm" != "y" ] ; then
103 104 exit 1
104 105 fi
105 106 fi
106 107
107 108 # Make sure all required packages are installed
108 109 apt-get -qq -y install ${REQUIRED_PACKAGES}
109 110
110 111 # Don't clobber an old build
111 112 if [ -e "$BUILDDIR" ]; then
112 113 echo "directory $BUILDDIR already exists, not proceeding"
113 114 exit 1
114 115 fi
115 116
116 117 set -x
117 118
118 119 # Call "cleanup" function on various signals and errors
119 120 trap cleanup 0 1 2 3 6
120 121
121 122 # Set up chroot directory
122 123 mkdir -p $R
123 124
124 125 # Add required packages for the minbase installation
125 126 if [ "$ENABLE_MINBASE" = true ] ; then
126 127 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
127 128 else
128 129 APT_INCLUDES="${APT_INCLUDES},locales"
129 130 fi
130 131
131 132 # Add dbus package, recommended if using systemd
132 133 if [ "$ENABLE_DBUS" = true ] ; then
133 134 APT_INCLUDES="${APT_INCLUDES},dbus"
134 135 fi
135 136
136 137 # Add iptables IPv4/IPv6 package
137 138 if [ "$ENABLE_IPTABLES" = true ] ; then
138 139 APT_INCLUDES="${APT_INCLUDES},iptables"
139 140 fi
140 141
141 142 # Add openssh server package
142 143 if [ "$ENABLE_SSHD" = true ] ; then
143 144 APT_INCLUDES="${APT_INCLUDES},openssh-server"
144 145 fi
145 146
146 147 # Add rng-tools package
147 148 if [ "$ENABLE_HWRANDOM" = true ] ; then
148 149 APT_INCLUDES="${APT_INCLUDES},rng-tools"
149 150 fi
150 151
152 # Add fbturbo video driver
153 if [ "$ENABLE_FBTURBO" = true ] ; then
154 # Enable xorg package dependencies
155 ENABLE_XORG=true
156 fi
157
151 158 # Add fluxbox package with eterm
152 159 if [ "$ENABLE_FLUXBOX" = true ] ; then
153 160 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
154 161
155 # Enable xorg package dependency
162 # Enable xorg package dependencies
156 163 ENABLE_XORG=true
157 164 fi
158 165
159 166 # Add xorg package
160 167 if [ "$ENABLE_XORG" = true ] ; then
161 168 APT_INCLUDES="${APT_INCLUDES},xorg"
162 169 fi
163 170
164 171 # Set empty proxy string
165 172 if [ -z "$APT_PROXY" ] ; then
166 173 APT_PROXY="http://"
167 174 fi
168 175
169 176 # Base debootstrap (unpack only)
170 177 if [ "$ENABLE_MINBASE" = true ] ; then
171 178 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
172 179 else
173 180 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
174 181 fi
175 182
176 183 # Copy qemu emulator binary to chroot
177 184 cp /usr/bin/qemu-arm-static $R/usr/bin
178 185
179 186 # Copy debian-archive-keyring.pgp
180 187 chroot $R mkdir -p /usr/share/keyrings
181 188 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
182 189
183 # Complete the bootstrapping proccess
190 # Complete the bootstrapping process
184 191 chroot $R /debootstrap/debootstrap --second-stage
185 192
186 193 # Mount required filesystems
187 194 mount -t proc none $R/proc
188 195 mount -t sysfs none $R/sys
189 196 mount --bind /dev/pts $R/dev/pts
190 197
191 198 # Use proxy inside chroot
192 199 if [ -z "$APT_PROXY" ] ; then
193 200 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
194 201 fi
195 202
196 203 # Pin package flash-kernel to repositories.collabora.co.uk
197 204 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
198 205 Package: flash-kernel
199 206 Pin: origin repositories.collabora.co.uk
200 207 Pin-Priority: 1000
201 208 EOM
202 209
203 210 # Set up timezone
204 211 echo ${TIMEZONE} >$R/etc/timezone
205 212 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
206 213
207 214 # Set up default locales to "en_US.UTF-8" default
208 215 if [ "$ENABLE_MINBASE" = false ] ; then
209 216 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
210 217 LANG=C chroot $R locale-gen ${DEFLOCAL}
211 218 fi
212 219
213 220 # Upgrade collabora package index and install collabora keyring
214 221 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
215 222 LANG=C chroot $R apt-get -qq -y update
216 223 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
217 224
218 225 # Set up initial sources.list
219 226 cat <<EOM >$R/etc/apt/sources.list
220 227 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
221 228 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
222 229
223 230 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
224 231 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
225 232
226 233 deb http://security.debian.org/ ${RELEASE}/updates main contrib
227 234 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
228 235
229 236 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
230 237 EOM
231 238
232 239 # Upgrade package index and update all installed packages and changed dependencies
233 240 LANG=C chroot $R apt-get -qq -y update
234 241 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
235 242
236 243 # Kernel installation
237 244 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
238 245 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
239 246 LANG=C chroot $R apt-get -qq -y install flash-kernel
240 247
241 248 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
242 249 [ -z "$VMLINUZ" ] && exit 1
243 250 mkdir -p $R/boot/firmware
244 251
245 252 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
246 253 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
247 254 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
248 255 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
249 256 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
250 257 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
251 258 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
252 259 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
253 260 cp $VMLINUZ $R/boot/firmware/kernel7.img
254 261
255 262 # Set up hosts
256 263 echo ${HOSTNAME} >$R/etc/hostname
257 264 cat <<EOM >$R/etc/hosts
258 265 127.0.0.1 localhost
259 266 127.0.1.1 ${HOSTNAME}
260 267 EOM
261 268
262 269 if [ "$ENABLE_IPV6" = true ] ; then
263 270 cat <<EOM >>$R/etc/hosts
264 271
265 272 ::1 localhost ip6-localhost ip6-loopback
266 273 ff02::1 ip6-allnodes
267 274 ff02::2 ip6-allrouters
268 275 EOM
269 276 fi
270 277
271 278 # Generate crypt(3) password string
272 279 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
273 280
274 281 # Set up default user
275 282 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
276 283 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
277 284
278 285 # Set up root password
279 286 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
280 287
281 288 # Set up interfaces
282 289 cat <<EOM >$R/etc/network/interfaces
283 290 # interfaces(5) file used by ifup(8) and ifdown(8)
284 291 # Include files from /etc/network/interfaces.d:
285 292 source-directory /etc/network/interfaces.d
286 293
287 294 # The loopback network interface
288 295 auto lo
289 296 iface lo inet loopback
290 297
291 298 # The primary network interface
292 299 allow-hotplug eth0
293 300 iface eth0 inet dhcp
294 301 EOM
295 302
296 303 # Set up firmware boot cmdline
297 304 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
298 305
299 306 # Set up serial console support (if requested)
300 307 if [ "$ENABLE_CONSOLE" = true ] ; then
301 308 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
302 309 fi
303 310
304 311 # Set up IPv6 networking support
305 312 if [ "$ENABLE_IPV6" = false ] ; then
306 313 CMDLINE="${CMDLINE} ipv6.disable=1"
307 314 fi
308 315
309 316 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
310 317
311 318 # Set up firmware config
312 319 cat <<EOM >$R/boot/firmware/config.txt
313 320 # For more options and information see
314 321 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
315 322 # Some settings may impact device functionality. See link above for details
316 323
317 324 # uncomment if you get no picture on HDMI for a default "safe" mode
318 325 #hdmi_safe=1
319 326
320 327 # uncomment this if your display has a black border of unused pixels visible
321 328 # and your display can output without overscan
322 329 #disable_overscan=1
323 330
324 331 # uncomment the following to adjust overscan. Use positive numbers if console
325 332 # goes off screen, and negative if there is too much border
326 333 #overscan_left=16
327 334 #overscan_right=16
328 335 #overscan_top=16
329 336 #overscan_bottom=16
330 337
331 338 # uncomment to force a console size. By default it will be display's size minus
332 339 # overscan.
333 340 #framebuffer_width=1280
334 341 #framebuffer_height=720
335 342
336 343 # uncomment if hdmi display is not detected and composite is being output
337 344 #hdmi_force_hotplug=1
338 345
339 346 # uncomment to force a specific HDMI mode (this will force VGA)
340 347 #hdmi_group=1
341 348 #hdmi_mode=1
342 349
343 350 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
344 351 # DMT (computer monitor) modes
345 352 #hdmi_drive=2
346 353
347 354 # uncomment to increase signal to HDMI, if you have interference, blanking, or
348 355 # no display
349 356 #config_hdmi_boost=4
350 357
351 358 # uncomment for composite PAL
352 359 #sdtv_mode=2
353 360
354 361 # uncomment to overclock the arm. 700 MHz is the default.
355 362 #arm_freq=800
356 363 EOM
357 364
358 365 # Set smallest possible GPU memory allocation size: 16MB (no X)
359 366 if [ "$ENABLE_MINGPU" = true ] ; then
360 367 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
361 368 fi
362 369
363 370 # Create symlinks
364 371 ln -sf firmware/config.txt $R/boot/config.txt
365 372 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
366 373
367 374 # Prepare modules-load.d directory
368 375 mkdir -p $R/lib/modules-load.d/
369 376
370 377 # Load random module on boot
371 378 if [ "$ENABLE_HWRANDOM" = true ] ; then
372 379 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
373 380 bcm2708_rng
374 381 EOM
375 382 fi
376 383
377 384 # Prepare modprobe.d directory
378 385 mkdir -p $R/etc/modprobe.d/
379 386
380 387 # Blacklist sound modules
381 388 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
382 389 blacklist snd_soc_core
383 390 blacklist snd_pcm
384 391 blacklist snd_pcm_dmaengine
385 392 blacklist snd_timer
386 393 blacklist snd_compress
387 394 blacklist snd_soc_pcm512x_i2c
388 395 blacklist snd_soc_pcm512x
389 396 blacklist snd_soc_tas5713
390 397 blacklist snd_soc_wm8804
391 398 EOM
392 399
393 400 # Create default fstab
394 401 cat <<EOM >$R/etc/fstab
395 402 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
396 403 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
397 404 EOM
398 405
399 406 # Avoid swapping and increase cache sizes
400 407 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
401 408
402 409 # Avoid swapping and increase cache sizes
403 410 vm.swappiness=1
404 411 vm.dirty_background_ratio=20
405 412 vm.dirty_ratio=40
406 413 vm.dirty_writeback_centisecs=500
407 414 vm.dirty_expire_centisecs=6000
408 415 EOM
409 416
410 417 # Enable network stack hardening
411 418 if [ "$ENABLE_HARDNET" = true ] ; then
412 419 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
413 420
414 421 # Enable network stack hardening
415 422 net.ipv4.tcp_timestamps=0
416 423 net.ipv4.tcp_syncookies=1
417 424 net.ipv4.conf.all.rp_filter=1
418 425 net.ipv4.conf.all.accept_redirects=0
419 426 net.ipv4.conf.all.send_redirects=0
420 427 net.ipv4.conf.all.accept_source_route=0
421 428 net.ipv4.conf.default.rp_filter=1
422 429 net.ipv4.conf.default.accept_redirects=0
423 430 net.ipv4.conf.default.send_redirects=0
424 431 net.ipv4.conf.default.accept_source_route=0
425 432 net.ipv4.conf.lo.accept_redirects=0
426 433 net.ipv4.conf.lo.send_redirects=0
427 434 net.ipv4.conf.lo.accept_source_route=0
428 435 net.ipv4.conf.eth0.accept_redirects=0
429 436 net.ipv4.conf.eth0.send_redirects=0
430 437 net.ipv4.conf.eth0.accept_source_route=0
431 438 net.ipv4.icmp_echo_ignore_broadcasts=1
432 439 net.ipv4.icmp_ignore_bogus_error_responses=1
433 440
434 441 net.ipv6.conf.all.accept_redirects=0
435 442 net.ipv6.conf.all.accept_source_route=0
436 443 net.ipv6.conf.all.router_solicitations=0
437 444 net.ipv6.conf.all.accept_ra_rtr_pref=0
438 445 net.ipv6.conf.all.accept_ra_pinfo=0
439 446 net.ipv6.conf.all.accept_ra_defrtr=0
440 447 net.ipv6.conf.all.autoconf=0
441 448 net.ipv6.conf.all.dad_transmits=0
442 449 net.ipv6.conf.all.max_addresses=1
443 450
444 451 net.ipv6.conf.default.accept_redirects=0
445 452 net.ipv6.conf.default.accept_source_route=0
446 453 net.ipv6.conf.default.router_solicitations=0
447 454 net.ipv6.conf.default.accept_ra_rtr_pref=0
448 455 net.ipv6.conf.default.accept_ra_pinfo=0
449 456 net.ipv6.conf.default.accept_ra_defrtr=0
450 457 net.ipv6.conf.default.autoconf=0
451 458 net.ipv6.conf.default.dad_transmits=0
452 459 net.ipv6.conf.default.max_addresses=1
453 460
454 461 net.ipv6.conf.lo.accept_redirects=0
455 462 net.ipv6.conf.lo.accept_source_route=0
456 463 net.ipv6.conf.lo.router_solicitations=0
457 464 net.ipv6.conf.lo.accept_ra_rtr_pref=0
458 465 net.ipv6.conf.lo.accept_ra_pinfo=0
459 466 net.ipv6.conf.lo.accept_ra_defrtr=0
460 467 net.ipv6.conf.lo.autoconf=0
461 468 net.ipv6.conf.lo.dad_transmits=0
462 469 net.ipv6.conf.lo.max_addresses=1
463 470
464 471 net.ipv6.conf.eth0.accept_redirects=0
465 472 net.ipv6.conf.eth0.accept_source_route=0
466 473 net.ipv6.conf.eth0.router_solicitations=0
467 474 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
468 475 net.ipv6.conf.eth0.accept_ra_pinfo=0
469 476 net.ipv6.conf.eth0.accept_ra_defrtr=0
470 477 net.ipv6.conf.eth0.autoconf=0
471 478 net.ipv6.conf.eth0.dad_transmits=0
472 479 net.ipv6.conf.eth0.max_addresses=1
473 480 EOM
474 481
475 482 # Enable resolver warnings about spoofed addresses
476 483 cat <<EOM >>$R/etc/host.conf
477 484 spoof warn
478 485 EOM
479 486 fi
480 487
481 488 # Regenerate openssh server host keys
482 489 if [ "$ENABLE_SSHD" = true ] ; then
483 490 rm -fr $R/etc/ssh/ssh_host_*
484 491 LANG=C chroot $R dpkg-reconfigure openssh-server
485 492 fi
486 493
487 494 # Enable serial console systemd style
488 495 if [ "$ENABLE_CONSOLE" = true ] ; then
489 496 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
490 497 fi
491 498
492 499 # Enable firewall based on iptables started by systemd service
493 500 if [ "$ENABLE_IPTABLES" = true ] ; then
494 501 # Create iptables configuration directory
495 502 mkdir -p "$R/etc/iptables"
496 503
497 504 # Create iptables systemd service
498 505 cat <<EOM >$R/etc/systemd/system/iptables.service
499 506 [Unit]
500 507 Description=Packet Filtering Framework
501 508 DefaultDependencies=no
502 509 After=systemd-sysctl.service
503 510 Before=sysinit.target
504 511 [Service]
505 512 Type=oneshot
506 513 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
507 514 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
508 515 ExecStop=/etc/iptables/flush-iptables.sh
509 516 RemainAfterExit=yes
510 517 [Install]
511 518 WantedBy=multi-user.target
512 519 EOM
513 520
514 521 # Create flush-table script called by iptables service
515 522 cat <<EOM >$R/etc/iptables/flush-iptables.sh
516 523 #!/bin/sh
517 524 iptables -F
518 525 iptables -X
519 526 iptables -t nat -F
520 527 iptables -t nat -X
521 528 iptables -t mangle -F
522 529 iptables -t mangle -X
523 530 iptables -P INPUT ACCEPT
524 531 iptables -P FORWARD ACCEPT
525 532 iptables -P OUTPUT ACCEPT
526 533 EOM
527 534
528 535 # Create iptables rule file
529 536 cat <<EOM >$R/etc/iptables/iptables.rules
530 537 *filter
531 538 :INPUT DROP [0:0]
532 539 :FORWARD DROP [0:0]
533 540 :OUTPUT ACCEPT [0:0]
534 541 :TCP - [0:0]
535 542 :UDP - [0:0]
536 543 :SSH - [0:0]
537 544
538 545 # Rate limit ping requests
539 546 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
540 547 -A INPUT -p icmp --icmp-type echo-request -j DROP
541 548
542 549 # Accept established connections
543 550 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
544 551
545 552 # Accept all traffic on loopback interface
546 553 -A INPUT -i lo -j ACCEPT
547 554
548 555 # Drop packets declared invalid
549 556 -A INPUT -m conntrack --ctstate INVALID -j DROP
550 557
551 558 # SSH rate limiting
552 559 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
553 560 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
554 561 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
555 562 -A SSH -m recent --name sshbf --set -j ACCEPT
556 563
557 564 # Send TCP and UDP connections to their respective rules chain
558 565 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
559 566 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
560 567
561 568 # Reject dropped packets with a RFC compliant responce
562 569 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
563 570 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
564 571 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
565 572
566 573 ## TCP PORT RULES
567 574 # -A TCP -p tcp -j LOG
568 575
569 576 ## UDP PORT RULES
570 577 # -A UDP -p udp -j LOG
571 578
572 579 COMMIT
573 580 EOM
574 581
575 582 # Reload systemd configuration and enable iptables service
576 583 LANG=C chroot $R systemctl daemon-reload
577 584 LANG=C chroot $R systemctl enable iptables.service
578 585
579 586 if [ "$ENABLE_IPV6" = true ] ; then
580 587 # Create ip6tables systemd service
581 588 cat <<EOM >$R/etc/systemd/system/ip6tables.service
582 589 [Unit]
583 590 Description=Packet Filtering Framework
584 591 DefaultDependencies=no
585 592 After=systemd-sysctl.service
586 593 Before=sysinit.target
587 594 [Service]
588 595 Type=oneshot
589 596 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
590 597 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
591 598 ExecStop=/etc/iptables/flush-ip6tables.sh
592 599 RemainAfterExit=yes
593 600 [Install]
594 601 WantedBy=multi-user.target
595 602 EOM
596 603
597 604 # Create ip6tables file
598 605 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
599 606 #!/bin/sh
600 607 ip6tables -F
601 608 ip6tables -X
602 609 ip6tables -Z
603 610 for table in $(</proc/net/ip6_tables_names)
604 611 do
605 612 ip6tables -t \$table -F
606 613 ip6tables -t \$table -X
607 614 ip6tables -t \$table -Z
608 615 done
609 616 ip6tables -P INPUT ACCEPT
610 617 ip6tables -P OUTPUT ACCEPT
611 618 ip6tables -P FORWARD ACCEPT
612 619 EOM
613 620
614 621 # Create ip6tables rule file
615 622 cat <<EOM >$R/etc/iptables/ip6tables.rules
616 623 *filter
617 624 :INPUT DROP [0:0]
618 625 :FORWARD DROP [0:0]
619 626 :OUTPUT ACCEPT [0:0]
620 627 :TCP - [0:0]
621 628 :UDP - [0:0]
622 629 :SSH - [0:0]
623 630
624 631 # Drop packets with RH0 headers
625 632 -A INPUT -m rt --rt-type 0 -j DROP
626 633 -A OUTPUT -m rt --rt-type 0 -j DROP
627 634 -A FORWARD -m rt --rt-type 0 -j DROP
628 635
629 636 # Rate limit ping requests
630 637 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
631 638 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
632 639
633 640 # Accept established connections
634 641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
635 642
636 643 # Accept all traffic on loopback interface
637 644 -A INPUT -i lo -j ACCEPT
638 645
639 646 # Drop packets declared invalid
640 647 -A INPUT -m conntrack --ctstate INVALID -j DROP
641 648
642 649 # SSH rate limiting
643 650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
644 651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
645 652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
646 653 -A SSH -m recent --name sshbf --set -j ACCEPT
647 654
648 655 # Send TCP and UDP connections to their respective rules chain
649 656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
650 657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
651 658
652 659 # Reject dropped packets with a RFC compliant responce
653 660 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
654 661 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
655 662 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
656 663
657 664 ## TCP PORT RULES
658 665 # -A TCP -p tcp -j LOG
659 666
660 667 ## UDP PORT RULES
661 668 # -A UDP -p udp -j LOG
662 669
663 670 COMMIT
664 671 EOM
665 672
666 673 # Reload systemd configuration and enable iptables service
667 674 LANG=C chroot $R systemctl daemon-reload
668 675 LANG=C chroot $R systemctl enable ip6tables.service
669 676 fi
670 677 fi
671 678
672 679 # Remove SSHD related iptables rules
673 680 if [ "$ENABLE_SSHD" = false ] ; then
674 681 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
675 682 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
676 683 fi
677 684
685 # Install gcc/c++ build environment inside the chroot
686 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
687 # Install minimal gcc/g++ build environment
688 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
689 fi
690
691 # Fetch and build U-Boot bootloader
678 692 if [ "$ENABLE_UBOOT" = true ] ; then
679 # Fetch u-boot github
693 # Fetch U-Boot bootloader sources
680 694 git -C $R/tmp clone git://git.denx.de/u-boot.git
681 695
682 # Install minimal gcc/g++ build environment and build u-boot inside chroot
683 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
696 # Build and install U-Boot inside chroot
684 697 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
685 698
686 699 # Copy compiled bootloader binary and set config.txt to load it
687 700 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
688 701 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
689 702
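Review bot: the `apt-get install` moved to new line 688 keeps `--force-yes`, which tells apt to proceed past its safety checks, including packages that fail signature verification, so an unsigned or substituted package served by the mirror or the `APT_PROXY` cache would be installed without complaint; `-y` is enough here because `debian-archive-keyring` is already a build dependency and the fbturbo install further down manages without it. Moving the install out of the U-Boot branch is fine, but the purge at the end of the script lists packages by hand, so keep the two in step (or purge exactly the names used here with `--auto-remove`).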
690 # Set u-boot command file
703 # Set U-Boot command file
691 704 cat <<EOM >$R/boot/firmware/uboot.mkimage
692 705 # Tell Linux that it is booting on a Raspberry Pi2
693 706 setenv machid 0x00000c42
694 707
695 708 # Set the kernel boot command line
696 709 setenv bootargs "earlyprintk ${CMDLINE}"
697 710
698 711 # Save these changes to u-boot's environment
699 712 saveenv
700 713
701 714 # Load the existing Linux kernel into RAM
702 715 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
703 716
704 717 # Boot the kernel we have just loaded
705 718 bootz \${kernel_addr_r}
706 719 EOM
707 720
708 # Generate u-boot image from command file
721 # Generate U-Boot image from command file
709 722 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
723 fi
724
725
726 # Fetch and build fbturbo Xorg driver
727 if [ "$ENABLE_FBTURBO" = true ] ; then
728 # Fetch fbturbo driver sources
729 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
730
731 # Install Xorg build dependencies
732 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
733
734 # Build and install fbturbo driver inside chroot
735 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
736
737 # Add fbturbo driver to Xorg configuration
738 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
739 Section "Device"
740 Identifier "Allwinner A10/A13 FBDEV"
741 Driver "fbturbo"
742 Option "fbdev" "/dev/fb0"
743 Option "SwapbuffersWait" "true"
744 EndSection
745 EOM
746
747 # Remove Xorg build dependencies
748 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
749 fi
710 750
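Review bot: the build step on new line 735 chains `autoreconf`, `./configure`, `make` and `make install` with `;`, so a failure in any of them does not stop the script and the image is still produced with the Xorg snippet on line 738 pointing at a driver that may never have been installed; use `&&` between the commands (or `set -e` inside the `bash -c`) so the build aborts instead. The clone on line 729 builds whatever HEAD of ssvb/xf86-video-fbturbo happens to be at build time and then runs that code as root inside the chroot, which makes the image non-reproducible and trusts the repository's current state unconditionally; pinning a tag or commit after the clone, e.g. `git -C $R/tmp/xf86-video-fbturbo checkout <pinned-commit>` (placeholder), fixes what gets built. Smaller points: the heredoc on line 738 fails if `/usr/share/X11/xorg.conf.d` does not yet exist in the chroot (an `mkdir -p` first is cheap); the `Identifier` on line 740 still reads "Allwinner A10/A13 FBDEV", the upstream sunxi example, which is misleading on an RPi2; the purge with `--auto-remove` on line 748 can also drop runtime libraries that were pulled in only via the `-dev` packages (such as `libdrm2` from `libdrm-dev`) if the built driver links against them and nothing else depends on them, so check `ldd` on the installed `fbturbo_drv.so` after the purge; and lines 724 and 725 add two consecutive blank lines.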
711 # Remove gcc/c++ build enviroment
751 # Remove gcc/c++ build environment from the chroot
752 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
753 # Remove minimal gcc/c++ build environment
712 754 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
713 755 fi
714 756
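Review bot: the purge on line 754 removes a hand-written list of package names tied to gcc 4.9 (`gcc-4.9`, `libgcc-4.9-dev`, `libisl10` and so on) rather than what the install block on line 688 actually pulled in, so the two will drift apart as the jessie package set changes and either leave a compiler in the image or fail on a name that no longer exists; purging just `linux-compiler-gcc-4.9-arm g++ make bc` with `--auto-remove`, the same names the install used, keeps them in step. The list also names `libc6-dev`, `libc-dev-bin` and `linux-libc-dev`, which the install line does not, so anything else in the image that depends on them is removed along with them under `-y`.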
715 757 # Enable systemd-networkd DHCP configuration for the eth0 interface
716 758 printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
717 759
718 760 # Set DHCP configuration to IPv4 only
719 761 if [ "$ENABLE_IPV6" = false ] ; then
720 762 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
721 763 fi
722 764
723 765 # Enable systemd-networkd service
724 766 LANG=C chroot $R systemctl enable systemd-networkd
725 767
726 768 # Place hint about netowrk configuration
727 769 cat <<EOM >$R/etc/network/interfaces
728 770 # Debian switched to systemd-networkd configuration files.
729 771 # please configure your networks in '/etc/systemd/network/'
730 772 EOM
731 773
732 774 # Clean cached downloads
733 775 LANG=C chroot $R apt-get -y clean
734 776 LANG=C chroot $R apt-get -y autoclean
735 777 LANG=C chroot $R apt-get -y autoremove
736 778
737 779 # Unmount mounted filesystems
738 780 umount -l $R/proc
739 781 umount -l $R/sys
740 782
741 783 # Clean up files
742 784 rm -f $R/etc/apt/sources.list.save
743 785 rm -f $R/etc/resolvconf/resolv.conf.d/original
744 786 rm -rf $R/run
745 787 mkdir -p $R/run
746 788 rm -f $R/etc/*-
747 789 rm -f $R/root/.bash_history
748 790 rm -rf $R/tmp/*
749 791 rm -f $R/var/lib/urandom/random-seed
750 792 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
751 793 rm -f $R/etc/machine-id
752 794 rm -fr $R/etc/apt/apt.conf.d/10proxy
753 795
754 796 # Calculate size of the chroot directory
755 797 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
756 798
757 799 # Calculate required image size
758 800 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
759 801
760 802 # Calculate number of sectors for the partition
761 803 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
762 804
763 805 # Prepare date string for image file name
764 806 DATE="$(date +%Y-%m-%d)"
765 807
766 808 # Prepare image file
767 809 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
768 810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
769 811
770 812 # Write partition table
771 813 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
772 814 unit: sectors
773 815
774 816 1 : start= 2048, size= 131072, Id= c, bootable
775 817 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
776 818 3 : start= 0, size= 0, Id= 0
777 819 4 : start= 0, size= 0, Id= 0
778 820 EOM
779 821
780 822 # Set up temporary loop devices and build filesystems
781 823 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
782 824 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
783 825 mkfs.vfat "$VFAT_LOOP"
784 826 mkfs.ext4 "$EXT4_LOOP"
785 827
786 828 # Mount the temporary loop devices
787 829 mkdir -p "$BUILDDIR/mount"
788 830 mount "$EXT4_LOOP" "$BUILDDIR/mount"
789 831
790 832 mkdir -p "$BUILDDIR/mount/boot/firmware"
791 833 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
792 834
793 835 # Copy all files from the chroot to the loop device mount point directory
794 836 rsync -a "$R/" "$BUILDDIR/mount/"
795 837
796 838 # Unmount all temporary loop devices and mount points
797 839 cleanup
798 840
799 841 # (optinal) create block map file for "bmaptool"
800 842 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
801 843
802 844 # Image was successfully created
803 845 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"