@@ -150,6 +150,9 password, use only in trusted environments. | |||
|
150 | 150 | ##### `ENABLE_HARDNET`=false |
|
151 | 151 | Enable IPv4/IPv6 network stack hardening settings. |
|
152 | 152 | |
|
153 | ##### `ENABLE_SPLITFS`=false | |
|
154 | Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`. | |
|
155 | ||
|
153 | 156 | ##### `CHROOT_SCRIPTS`="" |
|
154 | 157 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. |
|
155 | 158 | |
@@ -212,3 +215,8 After the image file was successfully created by the `rpi2-gen-image.sh` script | |||
|
212 | 215 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 |
|
213 | 216 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 |
|
214 | 217 | ``` |
|
218 | If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive: | |
|
219 | ```shell | |
|
220 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie-frmw.img /dev/mmcblk0 | |
|
221 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie-root.img /dev/sdc | |
|
222 | ``` |
@@ -61,7 +61,11 else | |||
|
61 | 61 | fi |
|
62 | 62 | |
|
63 | 63 | # Set up firmware boot cmdline |
|
64 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" | |
|
64 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
65 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" | |
|
66 | else | |
|
67 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" | |
|
68 | fi | |
|
65 | 69 | |
|
66 | 70 | # Set up serial console support (if requested) |
|
67 | 71 | if [ "$ENABLE_CONSOLE" = true ] ; then |
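Review bot: The new `root=/dev/sda1` in the `ENABLE_SPLITFS` branch depends on the USB drive being the first SCSI-style disk the kernel enumerates; a second USB disk, a card reader or a slow hub can shift it to `sdb`, and the board then mounts the wrong root or hangs in `rootwait`. The fstab substitution in the later hunk (`sed -i 's/mmcblk0p2/sda1/'`) bakes in the same assumption. A filesystem label set when the root filesystem is created (referenced as `root=LABEL=…`) or the partition's PARTUUID would be stable across enumeration order. Independently, the two branches now duplicate the whole cmdline string differing only in the root device, which is easy to let drift; selecting the device into a variable first keeps a single cmdline.
```shell
if [ "$ENABLE_SPLITFS" = true ] ; then
  ROOT_DEV=/dev/sda1
else
  ROOT_DEV=/dev/mmcblk0p2
fi
CMDLINE="dwc_otg.lpm_enable=0 root=${ROOT_DEV} rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
```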
@@ -110,6 +114,9 install_readonly files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-b | |||
|
110 | 114 | |
|
111 | 115 | # Create default fstab |
|
112 | 116 | install_readonly files/mount/fstab $R/etc/fstab |
|
117 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
118 | sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab | |
|
119 | fi | |
|
113 | 120 | |
|
114 | 121 | # Avoid swapping and increase cache sizes |
|
115 | 122 | install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf |
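Review bot: The `sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab` edit is unconditional and never verified: if `files/mount/fstab` (not visible here) does not contain the literal `mmcblk0p2`, or its root entry is written another way, the substitution is a silent no-op and the split image ships an fstab whose root entry still points at the SD card. A guard such as `grep -q mmcblk0p2 $R/etc/fstab || exit 1` before the `sed`, or a check that `sda1` is present afterwards, turns that into a build failure instead. The unquoted `$R` matches the surrounding `install_readonly` lines, so it is consistent here, but `sed -i` on an unquoted path is the first line to break if `$R` ever contains whitespace; `"$R/etc/fstab"` costs nothing.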
@@ -60,7 +60,7 chroot_exec systemctl enable systemd-networkd | |||
|
60 | 60 | |
|
61 | 61 | # Enable network stack hardening |
|
62 | 62 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
63 |
install_readonly files/sysctl.d/8 |
|
|
63 | install_readonly files/sysctl.d/82-rpi-net-hardening.conf $R/etc/sysctl.d/82-rpi-net-hardening.conf | |
|
64 | 64 | |
|
65 | 65 | # Enable resolver warnings about spoofed addresses |
|
66 | 66 | cat <<EOM >>$R/etc/host.conf |
@@ -17,8 +17,8 cleanup (){ | |||
|
17 | 17 | umount -l $R/dev/pts 2> /dev/null |
|
18 | 18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
19 | 19 | umount "$BUILDDIR/mount" 2> /dev/null |
|
20 |
losetup -d "$ |
|
|
21 |
losetup -d "$ |
|
|
20 | losetup -d "$ROOT_LOOP" 2> /dev/null | |
|
21 | losetup -d "$FRMW_LOOP" 2> /dev/null | |
|
22 | 22 | trap - 0 1 2 3 6 |
|
23 | 23 | } |
|
24 | 24 |
@@ -81,6 +81,7 ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |||
|
81 | 81 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
82 | 82 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
83 | 83 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
84 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} | |
|
84 | 85 | |
|
85 | 86 | # Kernel compilation settings |
|
86 | 87 | BUILD_KERNEL=${BUILD_KERNEL:=false} |
@@ -259,8 +260,8 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`) | |||
|
259 | 260 | |
|
260 | 261 | # Calculate the amount of needed 512 Byte sectors |
|
261 | 262 | TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) |
|
262 |
|
|
|
263 |
ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${ |
|
|
263 | FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512) | |
|
264 | ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS}) | |
|
264 | 265 | |
|
265 | 266 | # The root partition is EXT4 |
|
266 | 267 | # This means more space than the actual used space of the chroot is used. |
@@ -268,37 +269,64 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS}) | |||
|
268 | 269 | ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512) |
|
269 | 270 | |
|
270 | 271 | # Calculate required image size in 512 Byte sectors |
|
271 |
IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${ |
|
|
272 | IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS}) | |
|
272 | 273 | |
|
273 | 274 | # Prepare date string for image file name |
|
274 | 275 | DATE="$(date +%Y-%m-%d)" |
|
275 | 276 | |
|
276 | 277 | # Prepare image file |
|
277 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
|
278 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count= |
|
|
278 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
279 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS} | |
|
280 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} | |
|
281 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} | |
|
282 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} | |
|
283 | # Write partition tables | |
|
284 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM | |
|
285 | unit: sectors | |
|
279 | 286 | |
|
280 | # Write partition table | |
|
281 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
|
287 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
|
288 | 2 : start= 0, size= 0, Id= 0 | |
|
289 | 3 : start= 0, size= 0, Id= 0 | |
|
290 | 4 : start= 0, size= 0, Id= 0 | |
|
291 | EOM | |
|
292 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM | |
|
293 | unit: sectors | |
|
294 | ||
|
295 | 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83 | |
|
296 | 2 : start= 0, size= 0, Id= 0 | |
|
297 | 3 : start= 0, size= 0, Id= 0 | |
|
298 | 4 : start= 0, size= 0, Id= 0 | |
|
299 | EOM | |
|
300 | # Set up temporary loop devices | |
|
301 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)" | |
|
302 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)" | |
|
303 | else | |
|
304 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
|
305 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |
|
306 | # Write partition table | |
|
307 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
|
282 | 308 | unit: sectors |
|
283 | 309 | |
|
284 |
1 : start= ${TABLE_SECTORS}, size= ${ |
|
|
310 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
|
285 | 311 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 |
|
286 | 312 | 3 : start= 0, size= 0, Id= 0 |
|
287 | 313 | 4 : start= 0, size= 0, Id= 0 |
|
288 | 314 | EOM |
|
315 | # Set up temporary loop devices | |
|
316 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
|
317 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
|
318 | fi | |
|
289 | 319 | |
|
290 | # Set up temporary loop devices and build filesystems | |
|
291 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
|
292 | EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
|
293 | mkfs.vfat "$VFAT_LOOP" | |
|
294 | mkfs.ext4 "$EXT4_LOOP" | |
|
320 | # Build filesystems | |
|
321 | mkfs.vfat "$FRMW_LOOP" | |
|
322 | mkfs.ext4 "$ROOT_LOOP" | |
|
295 | 323 | |
|
296 | 324 | # Mount the temporary loop devices |
|
297 | 325 | mkdir -p "$BUILDDIR/mount" |
|
298 |
mount "$ |
|
|
326 | mount "$ROOT_LOOP" "$BUILDDIR/mount" | |
|
299 | 327 | |
|
300 | 328 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
301 |
mount "$ |
|
|
329 | mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware" | |
|
302 | 330 | |
|
303 | 331 | # Copy all files from the chroot to the loop device mount point directory |
|
304 | 332 | rsync -a "$R/" "$BUILDDIR/mount/" |
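Review bot: In the `ENABLE_SPLITFS` branch the two image files are sized one partition table short of what their partition tables declare: `-frmw.img` is extended to `seek=${FRMW_SECTORS}` sectors while its partition starts at `${TABLE_SECTORS}` with size `${FRMW_SECTORS}`, and `-root.img` is extended to `seek=${ROOT_SECTORS}` while its partition starts at `${TABLE_SECTORS}` with size `${ROOT_SECTORS}`; the non-split branch correctly uses `seek=${IMAGE_SECTORS}`, which includes `${TABLE_SECTORS}`. The filesystems built through the loop devices are therefore up to 1 MiB smaller than the partition entries claim (for the firmware image, `--sizelimit 64M` at offset `1M` already reaches past the end of a 64 MiB file), so partition table and filesystem disagree. Extend them with `seek=${ROOT_OFFSET}` (which is `TABLE_SECTORS + FRMW_SECTORS`) for `-frmw.img` and `seek=$(expr ${TABLE_SECTORS} + ${ROOT_SECTORS})` for `-root.img`. The `losetup` offsets `1M`, `64M` and `65M` restate `TABLE_SECTORS`, `FRMW_SECTORS` and `ROOT_OFFSET` as literals; deriving them, e.g. `ROOT_LOOP="$(losetup -o $(expr ${ROOT_OFFSET} \* 512) -f --show "$BASEDIR/${DATE}-debian-${RELEASE}.img")"`, keeps them from drifting apart and also quotes the image path, which the `dd` and `sfdisk` calls in this hunk do but the four `losetup` calls do not.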
@@ -306,8 +334,19 rsync -a "$R/" "$BUILDDIR/mount/" | |||
|
306 | 334 | # Unmount all temporary loop devices and mount points |
|
307 | 335 | cleanup |
|
308 | 336 | |
|
309 |
# Create block map file |
|
|
310 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
|
337 | # Create block map file(s) of image(s) | |
|
338 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
339 | # Create block map files for "bmaptool" | |
|
340 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" | |
|
341 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" | |
|
311 | 342 | |
|
312 | # Image was successfully created | |
|
313 |
echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${ |
|
|
343 | # Image was successfully created | |
|
344 | echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
345 | echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr ${TABLE_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
346 | else | |
|
347 | # Create block map file for "bmaptool" | |
|
348 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
|
349 | ||
|
350 | # Image was successfully created | |
|
351 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
352 | fi |
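Review bot: The size printed by the three new `echo` lines is miscomputed because `expr` applies `\*` and `\/` before `+`: `${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024` evaluates to `TABLE_SECTORS + 64`, i.e. 2112 rather than 65 for the firmware image, and the root and non-split lines have the same shape. Parenthesize the sum, `$(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)`, and likewise for the root line; the non-split line can simply use `$(expr ${IMAGE_SECTORS} \* 512 \/ 1024 \/ 1024)` since `IMAGE_SECTORS` is already that sum. The message is informational, so the images themselves are unaffected, but the wrong figure is misleading when checked against the `dd`/`sfdisk` sizing earlier in the script.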