Merge remote-tracking branch 'upstream/testing' into swap
Yannick Schinko -
r575:a72a8bcdbff3 Fusion
@@ -0,0 +1,97
1 #!/bin/sh
2 #
3 # Build and Setup nexmon with monitor mode patch
4 #
5
6 # Load utility functions
7 . ./functions.sh
8
9 if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
10 # Copy existing nexmon sources into chroot directory
11 if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
12 # Copy local U-Boot sources
13 cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
14 else
15 # Create temporary directory for nexmon sources
16 temp_dir=$(as_nobody mktemp -d)
17
18 # Fetch nexmon sources
19 as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
20
21 # Copy downloaded nexmon sources
22 mv "${temp_dir}/nexmon" "${R}"/tmp/
23
24 # Set permissions of the nexmon sources
25 chown -R root:root "${R}"/tmp/nexmon
26
27 # Remove temporary directory for nexmon sources
28 rm -fr "${temp_dir}"
29 fi
30
31 # Set script Root
32 export NEXMON_ROOT="${R}"/tmp/nexmon
33
34 # Build nexmon firmware outside the build system, if we can.
35 cd "${NEXMON_ROOT}" || exit
36
37 # Make ancient isl build
38 cd buildtools/isl-0.10 || exit
39 ./configure
40 make
41 cd ../.. || exit
42
43 # Disable statistics
44 touch DISABLE_STATISTICS
45
46 # Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
47 export KERNEL="${KERNEL_IMAGE}"
48 export ARCH=arm
49 export SUBARCH=arm
50 export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
51 export CC="${CC}"gcc
52 export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
53 export ZLIBFLATE="zlib-flate -compress"
54 export Q=@
55 export NEXMON_SETUP_ENV=1
56 export HOSTUNAME=$(uname -s)
57 export PLATFORMUNAME=$(uname -m)
58
59 # Make nexmon
60 make
61
62 # build patches
63 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] ; then
64 cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon || exit
65 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
66 make clean
67
68 # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
69 LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
70
71 # copy RPi0W & RPi3 firmware
72 mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
73 cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
74 cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
75 fi
76
77 if [ "$RPI_MODEL" = 3P ] ; then
78 cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
79 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
80 make clean
81
82 # We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
83 LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
84
85 # RPi3B+ firmware
86 mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
87 cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
88 cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
89 fi
90
91 #Revert to previous directory
92 cd "${WORKDIR}" || exit
93
94 # Remove nexmon sources
95 rm -fr "${NEXMON_ROOT}"
96
97 fi
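Review bot: The `./configure` and `make` steps in the isl-0.10 block, the top-level `make`, and the two `LD_LIBRARY_PATH=... make` firmware builds run unchecked under `#!/bin/sh` with no `set -e`, so a failed firmware build still reaches `mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin ...org.bin`, which renames the stock firmware away and leaves the image with no usable brcmfmac blob; append `|| exit 1` to each build step, or guard the `mv`/`cp` pair with `[ -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin ] || exit 1` (and the same for the bcm43455c0 block). `${NEXMON_ROOT}` in the two `sed -i ... Makefile` lines is unquoted, unlike the `make` line right below each of them. The sources are cloned from `NEXMON_URL` at whatever the remote's HEAD is when the build runs and are then compiled and installed as root, so the firmware shipped in the image is not reproducible; pinning with `as_nobody git -C "${temp_dir}/nexmon" checkout <PINNED-NEXMON-REVISION>` (placeholder) right after the clone would fix what gets built. The comment `# Copy local U-Boot sources` above `cp -r "${NEXMONSRC_DIR}" "${R}/tmp"` was carried over from another script and should read `# Copy local nexmon sources`.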
@@ -0,0 +1,45
1 #!/bin/sh
2
3 PREREQ="dropbear"
4
5 prereqs() {
6 echo "$PREREQ"
7 }
8
9 case "$1" in
10 prereqs)
11 prereqs
12 exit 0
13 ;;
14 esac
15
16 . "${CONFDIR}/initramfs.conf"
17 . /usr/share/initramfs-tools/hook-functions
18
19 if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
20 cat > "${DESTDIR}/bin/unlock" << EOF
21 #!/bin/sh
22 if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
23 kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
24 # following line kill the remote shell right after the passphrase has
25 # been entered.
26 kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
27 exit 0
28 fi
29 exit 1
30 EOF
31
32 chmod 755 "${DESTDIR}/bin/unlock"
33
34 mkdir -p "${DESTDIR}/lib/unlock"
35 cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
36 #!/bin/sh
37 [ "\$1" == "--ping" ] && exit 1
38 /bin/plymouth "\$@"
39 EOF
40
41 chmod 755 "${DESTDIR}/lib/unlock/plymouth"
42
43 echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
44
45 fi No newline at end of file
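Review bot: The generated `lib/unlock/plymouth` shim starts with `#!/bin/sh` but tests `[ "\$1" == "--ping" ]`; `==` is not a POSIX `test` operator and a dash/klibc-style initramfs shell may reject it with "unexpected operator", which would skip the `exit 1` and let cryptroot talk to the real plymouth; write `[ "\$1" = "--ping" ] && exit 1`. The motd line leaves `${DESTDIR}` unquoted, unlike every other path in the hook, and the double quotes around `unlock` are consumed by the shell rather than written to the file; `printf '%s\n' 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"` does both as intended. In the generated `bin/unlock`, the `ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'` chain selects by substring, so `kill -9` is sent to every process whose ps line contains `-sh`, not only the dropbear login shell; if the initramfs ships busybox, an anchored `pgrep` pattern narrows the match, otherwise a comment stating that the broad match is intentional would help the next reader.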
@@ -48,6 +48,9 Set Debian packages server address. Choose a server from the list of Debian worl
48 ##### `APT_PROXY`=""
48 ##### `APT_PROXY`=""
49 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
49 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
50
50
51 ##### `KEEP_APT_PROXY`=false
52 Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
53
51 ##### `APT_INCLUDES`=""
54 ##### `APT_INCLUDES`=""
52 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
55 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
53
56
@@ -213,6 +216,9 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
213 ---
216 ---
214
217
215 #### Advanced system features:
218 #### Advanced system features:
219 ##### `ENABLE_SYSTEMDSWAP`=false
220 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
221
216 ##### `ENABLE_MINBASE`=false
222 ##### `ENABLE_MINBASE`=false
217 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
223 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
218
224
@@ -237,6 +243,12 Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](
237 ##### `VIDEOCORESRC_DIR`=""
243 ##### `VIDEOCORESRC_DIR`=""
238 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
244 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
239
245
246 ##### `ENABLE_NEXMON`=false
247 Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
248
249 ##### `NEXMONSRC_DIR`=""
250 Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
251
240 ##### `ENABLE_IPTABLES`=false
252 ##### `ENABLE_IPTABLES`=false
241 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
253 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
242
254
@@ -264,6 +276,15 Create an initramfs that that will be loaded during the Linux startup process. `
264 ##### `ENABLE_IFNAMES`=true
276 ##### `ENABLE_IFNAMES`=true
265 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
277 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
266
278
279 ##### `ENABLE_SPLASH`=true
280 Enable default Raspberry Pi boot up rainbow splash screen.
281
282 ##### `ENABLE_LOGO`=true
283 Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
284
285 ##### `ENABLE_SILENT_BOOT`=false
286 Set the verbosity of console messages shown during boot up to a strict minimum.
287
267 ##### `DISABLE_UNDERVOLT_WARNINGS`=
288 ##### `DISABLE_UNDERVOLT_WARNINGS`=
268 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
289 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
269
290
@@ -348,6 +369,23 With this parameter set to true the script expects the existing kernel sources d
348 ##### `RPI_FIRMWARE_DIR`=""
369 ##### `RPI_FIRMWARE_DIR`=""
349 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
370 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
350
371
372 ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
373 Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
374
375 ##### `KERNEL_NF`=false
376 Enable Netfilter modules as kernel modules
377
378 ##### `KERNEL_VIRT`=false
379 Enable Kernel KVM support (/dev/kvm)
380
381 ##### `KERNEL_ZSWAP`=false
382 Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
383
384 ##### `KERNEL_BPF`=true
385 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
386
387 ##### `KERNEL_SECURITY`=false
388 Enables Apparmor, integrity subsystem, auditing
351 ---
389 ---
352
390
353 #### Reduce disk usage:
391 #### Reduce disk usage:
@@ -395,6 +433,12 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
395 ##### `CRYPTFS_XTSKEYSIZE`=512
433 ##### `CRYPTFS_XTSKEYSIZE`=512
396 Sets key size in bits. The argument has to be a multiple of 8.
434 Sets key size in bits. The argument has to be a multiple of 8.
397
435
436 ##### `CRYPTFS_DROPBEAR`=false
437 Enable Dropbear Initramfs support
438
439 ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
440 Provide path to dropbear Public RSA-OpenSSH Key
441
398 ---
442 ---
399
443
400 #### Build settings:
444 #### Build settings:
@@ -11,6 +11,13 if [ -z "$APT_PROXY" ] ; then
11 sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
11 sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
12 fi
12 fi
13
13
14 # Install APT sources.list
15 install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
16
17 # Use specified APT server and release
18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
19 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
20
14 # Upgrade package index and update all installed packages and changed dependencies
21 # Upgrade package index and update all installed packages and changed dependencies
15 chroot_exec apt-get -qq -y update
22 chroot_exec apt-get -qq -y update
16 chroot_exec apt-get -qq -y -u dist-upgrade
23 chroot_exec apt-get -qq -y -u dist-upgrade
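Review bot: `sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//"` splices the configured server into a `/`-delimited sed expression, so an `APT_SERVER` containing a `/` (a mirror with a path component) or `&` breaks the substitution or yields a mangled sources.list instead of an error; use another delimiter, `sed -i "s|/ftp.debian.org/|/${APT_SERVER}/|" "${ETC_DIR}/apt/sources.list"`, and the same form for the `${RELEASE}` line. Neither `sed` nor the `install_readonly` is checked, and both substitutions depend on the shipped `files/apt/sources.list` naming `ftp.debian.org` and `stretch` literally, which is worth a comment above the two seds so a later edit of that file does not silently leave them without a match.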
@@ -5,6 +5,14
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 # Need to use kali kernel src if nexmon is enabled
9 if [ "$ENABLE_NEXMON" = true ] ; then
10 KERNEL_URL="${KALI_KERNEL_URL}"
11 # Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
12 KERNEL_BRANCH=""
13 KERNELSRC_DIR=""
14 fi
15
8 # Fetch and build latest raspberry kernel
16 # Fetch and build latest raspberry kernel
9 if [ "$BUILD_KERNEL" = true ] ; then
17 if [ "$BUILD_KERNEL" = true ] ; then
10 # Setup source directory
18 # Setup source directory
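Review bot: The new `ENABLE_NEXMON` block silently discards a user-supplied `KERNELSRC_DIR` and `KERNEL_BRANCH`, so someone who pointed the build at local kernel sources gets a network clone of `KALI_KERNEL_URL` at its default branch head instead, with no message saying why; emit `printf 'warn: ENABLE_NEXMON=true, ignoring KERNELSRC_DIR/KERNEL_BRANCH and cloning KALI_KERNEL_URL\n' >&2` before the assignments. Clearing `KERNEL_BRANCH` also means the kernel revision is whatever the remote serves at build time, so a pinned branch or tag for the Kali tree would make the image reproducible. The comment on the block has a typo (`nomrla`) and should read `normal kernel`.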
@@ -87,6 +95,283 if [ "$BUILD_KERNEL" = true ] ; then
87 # Load default raspberry kernel configuration
95 # Load default raspberry kernel configuration
88 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
96 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
89
97
98 #Switch to KERNELSRC_DIR so we can use set_kernel_config
99 cd "${KERNEL_DIR}" || exit
100
101 # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
102 if [ "$KERNEL_ZSWAP" = true ] ; then
103 set_kernel_config CONFIG_ZPOOL y
104 set_kernel_config CONFIG_ZSWAP y
105 set_kernel_config CONFIG_ZBUD y
106 set_kernel_config CONFIG_Z3FOLD y
107 set_kernel_config CONFIG_ZSMALLOC y
108 set_kernel_config CONFIG_PGTABLE_MAPPING y
109 set_kernel_config CONFIG_LZO_COMPRESS y
110 fi
111
112 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
113 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
114 set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
115 set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
116 set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
117 set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
118 set_kernel_config CONFIG_HAVE_KVM_IRQFD y
119 set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
120 set_kernel_config CONFIG_HAVE_KVM_MSI y
121 set_kernel_config CONFIG_KVM y
122 set_kernel_config CONFIG_KVM_ARM_HOST y
123 set_kernel_config CONFIG_KVM_ARM_PMU y
124 set_kernel_config CONFIG_KVM_COMPAT y
125 set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
126 set_kernel_config CONFIG_KVM_MMIO y
127 set_kernel_config CONFIG_KVM_VFIO y
128 set_kernel_config CONFIG_VHOST m
129 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
130 set_kernel_config CONFIG_VHOST_NET m
131 set_kernel_config CONFIG_VIRTUALIZATION y
132
133 set_kernel_config CONFIG_MMU_NOTIFIER y
134
135 # erratum
136 set_kernel_config ARM64_ERRATUM_834220 y
137
138 # https://sourceforge.net/p/kvm/mailman/message/18440797/
139 set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
140 fi
141
142 # enable apparmor,integrity audit,
143 if [ "$KERNEL_SECURITY" = true ] ; then
144
145 # security filesystem, security models and audit
146 set_kernel_config CONFIG_SECURITYFS y
147 set_kernel_config CONFIG_SECURITY y
148 set_kernel_config CONFIG_AUDIT y
149
150 # harden strcpy and memcpy
151 set_kernel_config CONFIG_HARDENED_USERCOPY=y
152 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
153 set_kernel_config CONFIG_FORTIFY_SOURCE=y
154
155 # integrity sub-system
156 set_kernel_config CONFIG_INTEGRITY=y
157 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
158 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
159 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
160 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
161
162 # This option provides support for retaining authentication tokens and access keys in the kernel.
163 set_kernel_config CONFIG_KEYS=y
164 set_kernel_config CONFIG_KEYS_COMPAT=y
165
166 # Apparmor
167 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
168 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
169 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
170 set_kernel_config CONFIG_SECURITY_APPARMOR y
171 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
172 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
173
174 # restrictions on unprivileged users reading the kernel
175 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
176
177 # network security hooks
178 set_kernel_config CONFIG_SECURITY_NETWORK y
179 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
180 set_kernel_config CONFIG_SECURITY_PATH=y
181 set_kernel_config CONFIG_SECURITY_YAMA=y
182
183 # New Options
184 if [ "$KERNEL_NF" = true ] ; then
185 set_kernel_config CONFIG_IP_NF_SECURITY m
186 set_kernel_config CONFIG_NETLABEL y
187 set_kernel_config CONFIG_IP6_NF_SECURITY m
188 fi
189 set_kernel_config CONFIG_SECURITY_SELINUX n
190 set_kernel_config CONFIG_SECURITY_SMACK n
191 set_kernel_config CONFIG_SECURITY_TOMOYO n
192 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
193 set_kernel_config CONFIG_SECURITY_LOADPIN n
194 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
195 set_kernel_config CONFIG_IMA n
196 set_kernel_config CONFIG_EVM n
197 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
198 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
199 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
200 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
201 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
202 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
203 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
204 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
205 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
206 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
207
208 set_kernel_config CONFIG_ARM64_CRYPTO y
209 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
210 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
211 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
212 set_kernel_config CRYPTO_GHASH_ARM64_CE m
213 set_kernel_config CRYPTO_SHA2_ARM64_CE m
214 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
215 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
216 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
217 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
218 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
219 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
220 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
221 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
222 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
223 set_kernel_config SYSTEM_TRUSTED_KEYS
224 fi
225
226 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
227 if [ "$KERNEL_NF" = true ] ; then
228 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
229 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
230 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
231 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
232 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
233 set_kernel_config CONFIG_NFT_FIB_INET m
234 set_kernel_config CONFIG_NFT_FIB_IPV4 m
235 set_kernel_config CONFIG_NFT_FIB_IPV6 m
236 set_kernel_config CONFIG_NFT_FIB_NETDEV m
237 set_kernel_config CONFIG_NFT_OBJREF m
238 set_kernel_config CONFIG_NFT_RT m
239 set_kernel_config CONFIG_NFT_SET_BITMAP m
240 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
241 set_kernel_config CONFIG_NF_LOG_ARP m
242 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
243 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
244 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
245 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
246 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
247 set_kernel_config CONFIG_IP6_NF_IPTABLES m
248 set_kernel_config CONFIG_IP6_NF_MATCH_AH m
249 set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
250 set_kernel_config CONFIG_IP6_NF_NAT m
251 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
252 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
253 set_kernel_config CONFIG_IP_NF_SECURITY m
254 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
255 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
256 set_kernel_config CONFIG_IP_SET_HASH_IP m
257 set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
258 set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
259 set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
260 set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
261 set_kernel_config CONFIG_IP_SET_HASH_MAC m
262 set_kernel_config CONFIG_IP_SET_HASH_NET m
263 set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
264 set_kernel_config CONFIG_IP_SET_HASH_NETNET m
265 set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
266 set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
267 set_kernel_config CONFIG_IP_SET_LIST_SET m
268 set_kernel_config CONFIG_NETFILTER_XTABLES m
269 set_kernel_config CONFIG_NETFILTER_XTABLES m
270 set_kernel_config CONFIG_NFT_BRIDGE_META m
271 set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
272 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
273 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
274 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
275 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
276 set_kernel_config CONFIG_NFT_COMPAT m
277 set_kernel_config CONFIG_NFT_COUNTER m
278 set_kernel_config CONFIG_NFT_CT m
279 set_kernel_config CONFIG_NFT_DUP_IPV4 m
280 set_kernel_config CONFIG_NFT_DUP_IPV6 m
281 set_kernel_config CONFIG_NFT_DUP_NETDEV m
282 set_kernel_config CONFIG_NFT_EXTHDR m
283 set_kernel_config CONFIG_NFT_FWD_NETDEV m
284 set_kernel_config CONFIG_NFT_HASH m
285 set_kernel_config CONFIG_NFT_LIMIT m
286 set_kernel_config CONFIG_NFT_LOG m
287 set_kernel_config CONFIG_NFT_MASQ m
288 set_kernel_config CONFIG_NFT_MASQ_IPV4 m
289 set_kernel_config CONFIG_NFT_MASQ_IPV6 m
290 set_kernel_config CONFIG_NFT_META m
291 set_kernel_config CONFIG_NFT_NAT m
292 set_kernel_config CONFIG_NFT_NUMGEN m
293 set_kernel_config CONFIG_NFT_QUEUE m
294 set_kernel_config CONFIG_NFT_QUOTA m
295 set_kernel_config CONFIG_NFT_REDIR m
296 set_kernel_config CONFIG_NFT_REDIR_IPV4 m
297 set_kernel_config CONFIG_NFT_REDIR_IPV6 m
298 set_kernel_config CONFIG_NFT_REJECT m
299 set_kernel_config CONFIG_NFT_REJECT_INET m
300 set_kernel_config CONFIG_NFT_REJECT_IPV4 m
301 set_kernel_config CONFIG_NFT_REJECT_IPV6 m
302 set_kernel_config CONFIG_NFT_SET_HASH m
303 set_kernel_config CONFIG_NFT_SET_RBTREE m
304 set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
305 set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
306 set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
307 set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
308 set_kernel_config CONFIG_NF_DUP_IPV4 m
309 set_kernel_config CONFIG_NF_DUP_IPV6 m
310 set_kernel_config CONFIG_NF_DUP_NETDEV m
311 set_kernel_config CONFIG_NF_LOG_BRIDGE m
312 set_kernel_config CONFIG_NF_LOG_IPV4 m
313 set_kernel_config CONFIG_NF_LOG_IPV6 m
314 set_kernel_config CONFIG_NF_NAT_IPV4 m
315 set_kernel_config CONFIG_NF_NAT_IPV6 m
316 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
317 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
318 set_kernel_config CONFIG_NF_NAT_PPTP m
319 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
320 set_kernel_config CONFIG_NF_NAT_REDIRECT m
321 set_kernel_config CONFIG_NF_NAT_SIP m
322 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
323 set_kernel_config CONFIG_NF_NAT_TFTP m
324 set_kernel_config CONFIG_NF_REJECT_IPV4 m
325 set_kernel_config CONFIG_NF_REJECT_IPV6 m
326 set_kernel_config CONFIG_NF_TABLES m
327 set_kernel_config CONFIG_NF_TABLES_ARP m
328 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
329 set_kernel_config CONFIG_NF_TABLES_INET m
330 set_kernel_config CONFIG_NF_TABLES_IPV4 m
331 set_kernel_config CONFIG_NF_TABLES_IPV6 m
332 set_kernel_config CONFIG_NF_TABLES_NETDEV m
333 fi
334
335 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
336 if [ "$KERNEL_BPF" = true ] ; then
337 set_kernel_config CONFIG_BPF_SYSCALL y
338 set_kernel_config CONFIG_BPF_EVENTS y
339 set_kernel_config CONFIG_BPF_STREAM_PARSER y
340 set_kernel_config CONFIG_CGROUP_BPF y
341 fi
342
343 # KERNEL_DEFAULT_GOV was set by user
344 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
345
346 case "$KERNEL_DEFAULT_GOV" in
347 performance)
348 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
349 ;;
350 userspace)
351 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
352 ;;
353 ondemand)
354 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
355 ;;
356 conservative)
357 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
358 ;;
359 shedutil)
360 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
361 ;;
362 *)
363 echo "error: unsupported default cpu governor"
364 exit 1
365 ;;
366 esac
367
368 # unset previous default governor
369 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
370 fi
371
372 #Revert to previous directory
373 cd "${WORKDIR}" || exit
374
90 # Set kernel configuration parameters to enable qemu emulation
375 # Set kernel configuration parameters to enable qemu emulation
91 if [ "$ENABLE_QEMU" = true ] ; then
376 if [ "$ENABLE_QEMU" = true ] ; then
92 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
377 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
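Review bot: Inside the `KERNEL_SECURITY` block the calls written as `set_kernel_config CONFIG_HARDENED_USERCOPY=y` (and the other `=y` entries: `CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR`, `CONFIG_FORTIFY_SOURCE`, the `CONFIG_INTEGRITY_*` group, `CONFIG_KEYS`/`CONFIG_KEYS_COMPAT`, `CONFIG_SECURITY_DMESG_RESTRICT`, `CONFIG_SECURITY_NETWORK_XFRM`, `CONFIG_SECURITY_PATH`, `CONFIG_SECURITY_YAMA`) pass a single `NAME=y` argument, whereas every other call in the hunk passes name and value separately; assuming `set_kernel_config` (from functions.sh, not in view) takes two arguments like those calls, these hardening options are silently not applied although the README hunk advertises them, so write them as `set_kernel_config CONFIG_HARDENED_USERCOPY y` and likewise. Three entries also lack the `CONFIG_` prefix (`ARM64_ERRATUM_834220`, `CRYPTO_GHASH_ARM64_CE`, `CRYPTO_SHA2_ARM64_CE`), and `CONFIG_SYSTEM_TRUSTED_KEYS` is set to `y`, later to `m`, and finally named with no value at all, although it is a string option holding a PEM path rather than a tristate. In the governor `case`, the `shedutil` arm can never match `schedutil`, and the arms are lowercase while the README hunk documents uppercase values with `ONDEMAND` as the default, so the documented default would fall into the `*)` arm and abort the build; normalize first with `case "$(printf '%s' "$KERNEL_DEFAULT_GOV" | tr '[:upper:]' '[:lower:]')" in` and fix the spelling. The enclosing `if [ "$BUILD_KERNEL" = true ]` opens and closes outside this hunk.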
@@ -126,6 +411,7 if [ "$BUILD_KERNEL" = true ] ; then
126 if [ "$KERNEL_MENUCONFIG" = true ] ; then
411 if [ "$KERNEL_MENUCONFIG" = true ] ; then
127 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
412 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
128 fi
413 fi
414 # end if "$KERNELSRC_CONFIG" = true
129 fi
415 fi
130
416
131 # Use ccache to cross compile the kernel
417 # Use ccache to cross compile the kernel
@@ -142,6 +428,7 if [ "$BUILD_KERNEL" = true ] ; then
142 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
428 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
143 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
429 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
144 fi
430 fi
431 # end if "$KERNELSRC_PREBUILT" = false
145 fi
432 fi
146
433
147 # Check if kernel compilation was successful
434 # Check if kernel compilation was successful
@@ -237,19 +524,79 if [ "$BUILD_KERNEL" = true ] ; then
237 fi
524 fi
238
525
239 else # BUILD_KERNEL=false
526 else # BUILD_KERNEL=false
240 # Kernel installation
527 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
241 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
528
529 # Use Sakakis modified kernel if ZSWAP is active
530 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
531 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
532 fi
533
534 # Create temporary directory for dl
535 temp_dir=$(as_nobody mktemp -d)
536
537 # Fetch kernel dl
538 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
242
539
243 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
540 #extract download
244 chroot_exec apt-get -qq -y install flash-kernel
541 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
542
543 #move extracted kernel to /boot/firmware
544 mkdir "${R}/boot/firmware"
545 cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
546 cp -r "${temp_dir}"/lib/* "${R}"/lib/
547
548 # Remove temporary directory for kernel sources
549 rm -fr "${temp_dir}"
550
551 # Set permissions of the kernel sources
552 chown -R root:root "${R}/boot/firmware"
553 chown -R root:root "${R}/lib/modules"
554 fi
555
556 # Install Kernel from hypriot comptabile with all Raspberry PI
557 if [ "$SET_ARCH" = 32 ] ; then
558 # Create temporary directory for dl
559 temp_dir=$(as_nobody mktemp -d)
560
561 # Fetch kernel
562 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
563
564 # Copy downloaded U-Boot sources
565 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
566
567 # Set permissions
568 chown -R root:root "${R}"/tmp/kernel.deb
569
570 # Install kernel
571 chroot_exec dpkg -i /tmp/kernel.deb
572
573 # move /boot to /boot/firmware to fit script env.
574 #mkdir "${BOOT_DIR}"
575 mkdir "${temp_dir}"/firmware
576 mv "${R}"/boot/* "${temp_dir}"/firmware/
577 mv "${temp_dir}"/firmware "${R}"/boot/
578
579 #same for kernel headers
580 if [ "$KERNEL_HEADERS" = true ] ; then
581 # Fetch kernel header
582 as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
583 mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
584 chown -R root:root "${R}"/tmp/kernel-header.deb
585 # Install kernel header
586 chroot_exec dpkg -i /tmp/kernel-header.deb
587 rm -f "${R}"/tmp/kernel-header.deb
588 fi
589
590 # Remove temporary directory and files
591 rm -fr "${temp_dir}"
592 rm -f "${R}"/tmp/kernel.deb
593 fi
245
594
246 # Check if kernel installation was successful
595 # Check if kernel installation was successful
247 VMLINUZ="$(ls -1 "${R}"/boot/vmlinuz-* | sort | tail -n 1)"
596 KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)"
248 if [ -z "$VMLINUZ" ] ; then
597 if [ -z "$KERNEL" ] ; then
249 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
598 echo "error: kernel installation failed! (/boot/kernel* not found)"
250 cleanup
599 cleanup
251 exit 1
600 exit 1
252 fi
601 fi
253 # Copy vmlinuz kernel to the boot directory
254 install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}"
255 fi
602 fi
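Review bot: The prebuilt kernels fetched by `as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"` and the two `.deb` downloads are unpacked with `tar -xJf` or installed with `dpkg -i` into the image as root without any integrity check, so whatever the URL serves at build time (or anything that can alter the transfer on a non-TLS URL) becomes the shipped kernel and its postinst runs inside the chroot; verify against a checksum kept next to the URL in the config (`sha256sum -c` on a line such as `<EXPECTED-SHA256>  kernel.tar.xz`, placeholder) before the extraction and before each `dpkg -i`. `mkdir "${R}/boot/firmware"` has no `-p` and the script has no error handling, so a pre-existing directory only prints a warning and the copy continues; `mkdir -p "${R}/boot/firmware"` states the intent. `cp -r "${temp_dir}"/lib/* "${R}"/lib/` copies the whole `lib/` tree of the tarball over the image's `/lib`, not only modules, so a comment naming which paths the tarball is expected to contain would help. The enclosing `if [ "$BUILD_KERNEL" = true ]` opens before this hunk; its closing `fi` is the last line shown.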
@@ -8,6 +8,11
8 # Install and setup fstab
8 # Install and setup fstab
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10
10
11 if [ "$ENABLE_UBOOTUSB" = true ] ; then
12 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
13 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
14 fi
15
11 # Add usb/sda disk root partition to fstab
16 # Add usb/sda disk root partition to fstab
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
17 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
18 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
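Review bot: The new `ENABLE_UBOOTUSB` block rewrites `mmcblk0p2` to `sda2` before the existing `ENABLE_SPLITFS` block, which rewrites `mmcblk0p2` to `sda1`; with both options enabled the second `sed` no longer finds its pattern and the root entry silently stays `sda2`, so the two options interact by ordering rather than by an explicit rule. Either make them exclusive, `if [ "$ENABLE_UBOOTUSB" = true ] && [ "$ENABLE_SPLITFS" = false ] ; then`, or add a comment stating that `ENABLE_UBOOTUSB` takes precedence over `ENABLE_SPLITFS`. The two `sed` calls are unchecked, which matches the rest of the file, but a `grep -q sda "${ETC_DIR}/fstab"` after the block would confirm the rewrite actually happened.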
@@ -29,7 +34,7 if [ "$ENABLE_CRYPTFS" = true ] ; then
29 fi
34 fi
30
35
31 # Generate initramfs file
36 # Generate initramfs file
32 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
37 if [ "$ENABLE_INITRAMFS" = true ] ; then
33 if [ "$ENABLE_CRYPTFS" = true ] ; then
38 if [ "$ENABLE_CRYPTFS" = true ] ; then
34 # Include initramfs scripts to auto expand encrypted root partition
39 # Include initramfs scripts to auto expand encrypted root partition
35 if [ "$EXPANDROOT" = true ] ; then
40 if [ "$EXPANDROOT" = true ] ; then
@@ -38,8 +43,43 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
38 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
43 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
39 fi
44 fi
40
45
46 if [ "$CRYPTFS_DROPBEAR" = true ]; then
47 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
48 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
49 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
50 else
51 # Create key
52 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
53
54 # Convert dropbear key to openssh key
55 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
56
57 # Get Public Key Part
58 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
59
60 # Delete unwanted lines
61 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
62 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
63
64 # Trust the new key
65 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
66
67 # Save Keys - convert with putty from rsa/openssh to puttkey
68 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
69
70 # Get unlock script
71 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
72
73 # Enable Dropbear inside initramfs
74 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
75
76 # Enable Dropbear inside initramfs
77 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
78 fi
79 else
41 # Disable SSHD inside initramfs
80 # Disable SSHD inside initramfs
42 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
81 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
82 fi
43
83
44 # Add cryptsetup modules to initramfs
84 # Add cryptsetup modules to initramfs
45 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
85 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
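Review bot: The generated unlock key pair is left inside the image after it is exported: `id_rsa` and `id_rsa.dropbear` are written under `${ETC_DIR}/dropbear-initramfs`, copied to `${BASEDIR}/dropbear_initramfs_key.rsa`, and never removed, so anyone holding the image or the booted root filesystem also holds the private key that `authorized_keys` trusts for unlocking. After the `cp -f` I would add `rm -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${ETC_DIR}"/dropbear-initramfs/id_rsa.dropbear` and `chmod 600 "${BASEDIR}"/dropbear_initramfs_key.rsa`, with a comment stating that the exported file is the only copy. The `sed -i "54 i sleep 5"` edit of the packaged init-premount script relies on a hard-coded line number, so a different dropbear-initramfs release will silently put the sleep somewhere else; anchoring on a pattern, or at least guarding with a `grep -q`, would be safer. The user-supplied-key branch appends to `authorized_keys` with `>>` while the generated branch overwrites with `>`, which duplicates entries when the chroot is rebuilt. The enclosing `if [ "$ENABLE_CRYPTFS" = true ]` block starts and ends outside this hunk.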
@@ -5,7 +5,6
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 if [ "$BUILD_KERNEL" = true ] ; then
9 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
10 # Install boot binaries from local directory
9 # Install boot binaries from local directory
11 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
@@ -38,7 +37,6 if [ "$BUILD_KERNEL" = true ] ; then
38 chown -R root:root "${BOOT_DIR}"
37 chown -R root:root "${BOOT_DIR}"
39 chmod -R 600 "${BOOT_DIR}"
38 chmod -R 600 "${BOOT_DIR}"
40 fi
39 fi
41 fi
42
40
43 # Setup firmware boot cmdline
41 # Setup firmware boot cmdline
44 if [ "$ENABLE_SPLITFS" = true ] ; then
42 if [ "$ENABLE_SPLITFS" = true ] ; then
@@ -56,22 +54,52 if [ "$ENABLE_CRYPTFS" = true ] ; then
56 fi
54 fi
57 fi
55 fi
58
56
59 #locks cpu at max frequency
57 # Enable Kernel messages on standard output
60 if [ "$ENABLE_TURBO" = true ] ; then
61 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
62 fi
63
64 if [ "$ENABLE_PRINTK" = true ] ; then
58 if [ "$ENABLE_PRINTK" = true ] ; then
65 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
59 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
66 fi
60 fi
67
61
68 # Install udev rule for serial alias
62 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
69 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
63 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
70
64
71 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
65 # Remove IPv6 networking support
66 if [ "$ENABLE_IPV6" = false ] ; then
67 CMDLINE="${CMDLINE} ipv6.disable=1"
68 fi
69
70 # Automatically assign predictable network interface names
71 if [ "$ENABLE_IFNAMES" = false ] ; then
72 CMDLINE="${CMDLINE} net.ifnames=0"
73 else
74 CMDLINE="${CMDLINE} net.ifnames=1"
75 fi
76
77 # Disable Raspberry Pi console logo
78 if [ "$ENABLE_LOGO" = false ] ; then
79 CMDLINE="${CMDLINE} logo.nologo"
80 fi
81
82 # Strictly limit verbosity of boot up console messages
83 if [ "$ENABLE_SILENT_BOOT" = true ] ; then
84 CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
85 fi
86
87 # Install firmware config
88 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
72
89
73 # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface
90 # Disable Raspberry Pi console logo
74 SET_SERIAL="ttyS0"
91 if [ "$ENABLE_SLASH" = false ] ; then
92 echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
93 fi
94
95 # Locks CPU frequency at maximum
96 if [ "$ENABLE_TURBO" = true ] ; then
97 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
98 # helps to avoid sdcard corruption when force_turbo is enabled.
99 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
100 fi
101
102 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
75
103
76 # Bluetooth enabled
104 # Bluetooth enabled
77 if [ "$ENABLE_BLUETOOTH" = true ] ; then
105 if [ "$ENABLE_BLUETOOTH" = true ] ; then
@@ -95,6 +123,10 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
95 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
123 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
96 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
124 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
97
125
126 # make scripts executable
127 chmod +x "${R}/usr/bin/bthelper"
128 chmod +x "${R}/usr/bin/btuart"
129
98 # Install bluetooth udev rule
130 # Install bluetooth udev rule
99 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
131 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
100
132
@@ -105,12 +137,12 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
105 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
137 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
106 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
138 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
107
139
108 # Remove temporary directory
140 # Remove temporary directories
109 rm -fr "${temp_dir}"
141 rm -fr "${temp_dir}"
142 rm -fr "${R}"/tmp/pi-bluetooth
110
143
111 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
144 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
112 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
145 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
113 SET_SERIAL="ttyAMA0"
114
146
115 # set overlay to swap ttyAMA0 and ttyS0
147 # set overlay to swap ttyAMA0 and ttyS0
116 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
148 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
@@ -119,23 +151,15 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
119 if [ "$ENABLE_TURBO" = false ] ; then
151 if [ "$ENABLE_TURBO" = false ] ; then
120 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
152 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
121 fi
153 fi
154 fi
122
155
123 # Activate services
156 # Activate services
124 chroot_exec systemctl enable pi-bluetooth.hciuart.service
157 chroot_exec systemctl enable pi-bluetooth.hciuart.service
125 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
126 else
127 chroot_exec systemctl enable pi-bluetooth.hciuart.service
128 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
129 fi
130
158
131 else # if ENABLE_BLUETOOTH = false
159 else # if ENABLE_BLUETOOTH = false
132 # set overlay to disable bluetooth
160 # set overlay to disable bluetooth
133 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
161 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
134 fi # ENABLE_BLUETOOTH end
162 fi # ENABLE_BLUETOOTH end
135
136 else
137 # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface
138 SET_SERIAL="ttyAMA0"
139 fi
163 fi
140
164
141 # may need sudo systemctl disable hciuart
165 # may need sudo systemctl disable hciuart
@@ -145,31 +169,58 if [ "$ENABLE_CONSOLE" = true ] ; then
145 CMDLINE="${CMDLINE} console=serial0,115200"
169 CMDLINE="${CMDLINE} console=serial0,115200"
146
170
147 # Enable serial console systemd style
171 # Enable serial console systemd style
148 chroot_exec systemctl enable serial-getty\@"$SET_SERIAL".service
172 chroot_exec systemctl enable serial-getty\@serial0.service
149 else
173 else
150 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
174 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
175
151 # disable serial console systemd style
176 # disable serial console systemd style
152 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
177 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
153 fi
178 fi
154
179
155 # Remove IPv6 networking support
180 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
156 if [ "$ENABLE_IPV6" = false ] ; then
181 # Create temporary directory for systemd-swap sources
157 CMDLINE="${CMDLINE} ipv6.disable=1"
182 temp_dir=$(as_nobody mktemp -d)
158 fi
159
183
160 # Automatically assign predictable network interface names
184 # Fetch systemd-swap sources
161 if [ "$ENABLE_IFNAMES" = false ] ; then
185 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
162 CMDLINE="${CMDLINE} net.ifnames=0"
186
187 # Copy downloaded systemd-swap sources
188 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
189
190 # Set permissions of the systemd-swap sources
191 chown -R root:root "${R}/tmp/systemd-swap"
192
193 # Remove temporary directory for systemd-swap sources
194 rm -fr "${temp_dir}"
195
196 # Change into downloaded src dir
197 cd "${R}/tmp/systemd-swap" || exit
198
199 # Build package
200 . ./package.sh debian
201
202 # Install package
203 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb
204
205 # Enable service
206 chroot_exec systemctl enable systemd-swap
207
208 # Change back into script root dir
209 cd "${WORKDIR}" || exit
163 else
210 else
164 CMDLINE="${CMDLINE} net.ifnames=1"
211 # Enable ZSWAP in cmdline if systemd-swap is not used
212 if [ "$KERNEL_ZSWAP" = true ] ; then
213 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
214 fi
215 fi
216
217 if [ "$KERNEL_SECURITY" = true ] ; then
218 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
165 fi
219 fi
166
220
167 # Install firmware boot cmdline
221 # Install firmware boot cmdline
168 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
222 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
169
223
170 # Install firmware config
171 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
172
173 # Setup minimal GPU memory allocation size: 16MB (no X)
224 # Setup minimal GPU memory allocation size: 16MB (no X)
174 if [ "$ENABLE_MINGPU" = true ] ; then
225 if [ "$ENABLE_MINGPU" = true ] ; then
175 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
226 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
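Review bot: `SET_SERIAL` is no longer assigned on the new side (its three assignments are removed in the earlier hunks of this file), yet the `ENABLE_CONSOLE=false` path still runs `chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service`, which now names the bogus unit `serial-getty@.service`; it should mirror the enable path, `chroot_exec systemctl disable serial-getty\@serial0.service`. The systemd-swap branch sources `. ./package.sh debian` from an unpinned `git clone` directly into the root build shell, so whatever the remote serves at build time runs with full privileges and can overwrite this script's own variables; running it as a child process (`sh ./package.sh debian`) and pinning `SYSTEMDSWAP_URL` to a tag or commit would contain that. The earlier hunk in this file also tests `ENABLE_SLASH` where the configuration defines `ENABLE_SPLASH`, so `disable_splash=1` is never written. The file continues beyond this hunk.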
@@ -57,6 +57,20 else # ENABLE_DHCP=false
57 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
57 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
58 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
58 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
59 "${ETC_DIR}/systemd/network/eth.network"
59 "${ETC_DIR}/systemd/network/eth.network"
60
61 if [ "$CRYPTFS_DROPBEAR" = true ] ; then
62 # Get cdir from NET_ADDRESS e.g. 24
63 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
64
65 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
66 NET_MASK=$(cdr2mask "$cdir")
67
68 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
69 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
70
71 # Regenerate initramfs
72 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
73 fi
60 fi
74 fi
61
75
62 # Remove empty settings from network configuration
76 # Remove empty settings from network configuration
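Review bot: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` executes the value of `NET_ADDRESS` as a command instead of printing it, so for a value such as `192.168.0.2/24` the pipeline fails with "command not found", `cdir` is empty and `cdr2mask` is called without an argument; a parameter expansion, `cdir="${NET_ADDRESS#*/}"`, is what was intended. The `IP=` line then writes the full `${NET_ADDRESS}`, still carrying its `/24` suffix, into `initramfs.conf`, which presumably expects a bare client address in the first field — `${NET_ADDRESS%/*}` would strip it; worth confirming against the initramfs-tools `IP=` format. The `mkinitramfs` call depends on `KERNEL_VERSION`, which nothing in this hunk sets. The enclosing `else` branch begins before this hunk.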
@@ -9,9 +9,10 if [ "$ENABLE_IPTABLES" = true ] ; then
9 # Create iptables configuration directory
9 # Create iptables configuration directory
10 mkdir -p "${ETC_DIR}/iptables"
10 mkdir -p "${ETC_DIR}/iptables"
11
11
12 # make sure iptables-legacy is the used alternatives
12 if [ "$KERNEL_NF" = false ] ; then
13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 fi
15
16
16 # Install iptables systemd service
17 # Install iptables systemd service
17 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
@@ -27,6 +28,11 if [ "$ENABLE_IPTABLES" = true ] ; then
27 chroot_exec systemctl enable iptables.service
28 chroot_exec systemctl enable iptables.service
28
29
29 if [ "$ENABLE_IPV6" = true ] ; then
30 if [ "$ENABLE_IPV6" = true ] ; then
31 if [ "$KERNEL_NF" = false ] ; then
32 #iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
35
30 # Install ip6tables systemd service
36 # Install ip6tables systemd service
31 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
32
38
@@ -22,8 +22,3 else
22 # Set no root password to disable root login
22 # Set no root password to disable root login
23 chroot_exec usermod -p \'!\' root
23 chroot_exec usermod -p \'!\' root
24 fi
24 fi
25
26 # Enable serial console systemd style
27 if [ "$ENABLE_CONSOLE" = true ] ; then
28 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
29 fi
@@ -78,6 +78,11 if [ "$ENABLE_UBOOT" = true ] ; then
78 sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage"
78 sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage"
79 fi
79 fi
80
80
81 # instead of sd, boot from usb device
82 if [ "$ENABLE_UBOOTUSB" = true ] ; then
83 sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"
84 fi
85
81 # Set mkfile to use the correct dtb file
86 # Set mkfile to use the correct dtb file
82 sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage"
87 sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage"
83
88
@@ -50,4 +50,7 if [ "$ENABLE_VIDEOCORE" = true ] ; then
50
50
51 #back to root of scriptdir
51 #back to root of scriptdir
52 cd "${WORKDIR}"
52 cd "${WORKDIR}"
53
54 # Remove videocore sources
55 rm -fr "${R}"/tmp/userland/
53 fi
56 fi
@@ -1,8 +1,8
1 deb http://ftp.debian.org/debian jessie main contrib
1 deb http://ftp.debian.org/debian stretch main contrib
2 #deb-src http://ftp.debian.org/debian jessie main contrib
2 #deb-src http://ftp.debian.org/debian stretch main contrib
3
3
4 deb http://ftp.debian.org/debian/ jessie-updates main contrib
4 deb http://ftp.debian.org/debian/ stretch-updates main contrib
5 #deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
5 #deb-src http://ftp.debian.org/debian/ stretch-updates main contrib
6
6
7 deb http://security.debian.org/ jessie/updates main contrib
7 deb http://security.debian.org/ stretch/updates main contrib
8 #deb-src http://security.debian.org/ jessie/updates main contrib
8 #deb-src http://security.debian.org/ stretch/updates main contrib
@@ -66,3 +66,11 EOF2
66 partprobe &&
66 partprobe &&
67 resize2fs /dev/${ROOT_PART} &&
67 resize2fs /dev/${ROOT_PART} &&
68 logger -t "rc.firstboot" "Root partition successfully resized."
68 logger -t "rc.firstboot" "Root partition successfully resized."
69
70 # Restart dphys-swapfile service if it exists
71 if systemctl list-units | grep -q dphys-swapfile ; then
72 if systemctl is-enabled dphys-swapfile ; then
73 logger -t "rc.firstboot" "Restarting dphys-swapfile"
74 systemctl restart dphys-swapfile
75 fi
76 fi
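Review bot: The new dphys-swapfile guard runs `systemctl is-enabled dphys-swapfile` as a condition without `--quiet`, so its `enabled`/`disabled` answer is printed to the firstboot console, and the outer `systemctl list-units | grep -q dphys-swapfile` only repeats what `is-enabled` already establishes (non-zero exit when the unit is absent). A single `if systemctl is-enabled --quiet dphys-swapfile ; then` would be clearer; note that `is-enabled` also returns non-zero for `static` or `masked` units, which may or may not be the intended scope. The rc.firstboot script continues outside this hunk.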
@@ -8,6 +8,7 INITRAMFS_UBOOT="${INITRAMFS}.uboot"
8 # Extract kernel arch
8 # Extract kernel arch
9 case "${KERNEL_ARCH}" in
9 case "${KERNEL_ARCH}" in
10 arm*) KERNEL_ARCH=arm ;;
10 arm*) KERNEL_ARCH=arm ;;
11 aarch64) KERNEL_ARCH=arm64 ;;
11 esac
12 esac
12
13
13 # Regenerate initramfs
14 # Regenerate initramfs
@@ -4,6 +4,17 cleanup (){
4 set +x
4 set +x
5 set +e
5 set +e
6
6
7 # Remove exports from nexmon
8 unset KERNEL
9 unset ARCH
10 unset SUBARCH
11 unset CCPLUGIN
12 unset ZLIBFLATE
13 unset Q
14 unset NEXMON_SETUP_ENV
15 unset HOSTUNAME
16 unset PLATFORMUNAME
17
7 # Identify and kill all processes still using files
18 # Identify and kill all processes still using files
8 echo "killing processes using mount point ..."
19 echo "killing processes using mount point ..."
9 fuser -k "${R}"
20 fuser -k "${R}"
@@ -63,15 +74,43 chroot_install_cc() {
63 # Install c/c++ build environment inside the chroot
74 # Install c/c++ build environment inside the chroot
64 if [ -z "${COMPILER_PACKAGES}" ] ; then
75 if [ -z "${COMPILER_PACKAGES}" ] ; then
65 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
76 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
66 # Install COMPILER_PACKAGES in chroot
77 # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot
67 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}"
78 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
68 fi
79 fi
69 }
80 }
70
81
71 chroot_remove_cc() {
82 chroot_remove_cc() {
72 # Remove c/c++ build environment from the chroot
83 # Remove c/c++ build environment from the chroot
73 if [ -n "${COMPILER_PACKAGES}" ] ; then
84 if [ -n "${COMPILER_PACKAGES}" ] ; then
74 chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}"
85 chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
75 COMPILER_PACKAGES=""
86 COMPILER_PACKAGES=""
76 fi
87 fi
77 }
88 }
89
90 # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
91 cdr2mask ()
92 {
93 # Number of args to shift, 255..255, first non-255 byte, zeroes
94 set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
95 [ $1 -gt 1 ] && shift $1 || shift
96 echo ${1-0}.${2-0}.${3-0}.${4-0}
97 }
98
99 # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
100 set_kernel_config() {
101 # flag as $1, value to set as $2, config must exist at "./.config"
102 TGT="CONFIG_${1#CONFIG_}"
103 REP="${2}"
104 if grep -q "^${TGT}[^_]" .config; then
105 sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config
106 else
107 echo "${TGT}"="${2}" >> .config
108 fi
109 }
110
111 # unset kernel config parameter
112 unset_kernel_config() {
113 # unsets flag with the value of $1, config must exist at "./.config"
114 TGT="CONFIG_${1#CONFIG_}"
115 sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
116 } No newline at end of file
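Review bot: `chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}` still disables APT signature verification for the compiler toolchain installed into the chroot, and the new comment only explains the dropped quotes; with the regular Debian mirrors configured in the sources.list hunk on this page the flag should be unnecessary, and keeping it lets a mirror or proxy (`APT_PROXY` defaults to a local apt-cacher-ng) substitute packages, so either drop it or document why it is required. `cdr2mask` does no argument validation: an empty or non-numeric `$1` turns the `$(( … ))` into a shell arithmetic error, which matters because its only caller derives the prefix from `NET_ADDRESS`; a guard such as `case "$1" in ''|*[!0-9]*) return 1 ;; esac` at the top would fail cleanly. In `set_kernel_config` the value `${REP}` goes unescaped into the sed replacement, so a value containing `/` or `&` would corrupt `.config` — presumably callers only pass `y`/`n`/`m`, but a comment stating that restriction is warranted. `chroot_install_cc` opens before this hunk.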
@@ -57,6 +57,20 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
60 NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
61 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
62
63 # Kernel deb packages for 32bit kernel
64 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
65 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
66 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
68 # Default precompiled 64bit kernel
69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
70 # Generic
71 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
72 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
73 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
60
74
61 # Build directories
75 # Build directories
62 WORKDIR=$(pwd)
76 WORKDIR=$(pwd)
@@ -106,6 +120,7 NET_NTP_2=${NET_NTP_2:=""}
106 # APT settings
120 # APT settings
107 APT_PROXY=${APT_PROXY:=""}
121 APT_PROXY=${APT_PROXY:=""}
108 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
122 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
123 KEEP_APT_PROXY=${KEEP_APT_PROXY:=false}
109
124
110 # Feature settings
125 # Feature settings
111 ENABLE_PRINTK=${ENABLE_PRINTK:=false}
126 ENABLE_PRINTK=${ENABLE_PRINTK:=false}
@@ -139,19 +154,26 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
139 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
154 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
140
155
141 # Advanced settings
156 # Advanced settings
157 ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
142 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
158 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
143 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
159 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
144 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
160 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
145 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
161 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
162 ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}
146 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
163 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
147 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
164 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
165 ENABLE_NEXMON=${ENABLE_NEXMON:=false}
148 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
166 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
149 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
167 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
168 NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
150 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
169 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
151 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
170 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
152 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
171 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
153 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
172 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
154 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
173 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
174 ENABLE_SPLASH=${ENABLE_SPLASH:=true}
175 ENABLE_LOGO=${ENABLE_LOGO:=true}
176 ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}
155 DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
177 DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
156
178
157 # Kernel compilation settings
179 # Kernel compilation settings
@@ -163,6 +185,12 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
163 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
185 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
164 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
186 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
165 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
187 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
188 KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
189 KERNEL_VIRT=${KERNEL_VIRT:=false}
190 KERNEL_BPF=${KERNEL_BPF:=false}
191 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
192 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
193 KERNEL_NF=${KERNEL_NF:=false}
166
194
167 # Kernel compilation from source directory settings
195 # Kernel compilation from source directory settings
168 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
196 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
@@ -186,6 +214,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
186 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
214 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
187 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
215 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
188 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
216 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
217 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
218 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
219 #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
220 CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
189
221
190 # Chroot scripts directory
222 # Chroot scripts directory
191 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
223 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
@@ -204,11 +236,9 MISSING_PACKAGES=""
204 # Packages installed for c/c++ build environment in chroot (keep empty)
236 # Packages installed for c/c++ build environment in chroot (keep empty)
205 COMPILER_PACKAGES=""
237 COMPILER_PACKAGES=""
206
238
207 set +x
208
209 #Check if apt-cacher-ng has port 3142 open and set APT_PROXY
239 # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
210 APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq)
240 APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
211 if [ -n "${APT_CACHER_RUNNING}" ] ; then
241 if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
212 APT_PROXY=http://127.0.0.1:3142/
242 APT_PROXY=http://127.0.0.1:3142/
213 fi
243 fi
214
244
@@ -296,12 +326,26 case "$RPI_MODEL" in
296 ;;
326 ;;
297 esac
327 esac
298
328
329 if [ "$ENABLE_UBOOTUSB" = true ] ; then
330 if [ "$ENABLE_UBOOT" = false ] ; then
331 echo "error: Enabling UBOOTUSB requires u-boot to be enabled"
332 exit 1
333 fi
334 if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then
335 echo "error: Enabling UBOOTUSB requires Raspberry 3"
336 exit 1
337 fi
338 fi
339
299 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
340 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
300 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
341 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
301 # Include bluetooth packages on supported boards
342 # Include bluetooth packages on supported boards
302 if [ "$ENABLE_BLUETOOTH" = true ] && [ "$ENABLE_CONSOLE" = false ]; then
343 if [ "$ENABLE_BLUETOOTH" = true ] ; then
303 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
344 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
304 fi
345 fi
346 if [ "$ENABLE_WIRELESS" = true ] ; then
347 APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
348 fi
305 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
349 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
306 # Check if the internal wireless interface is not supported by the RPi model
350 # Check if the internal wireless interface is not supported by the RPi model
307 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
351 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
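Review bot: The UBOOTUSB model check `[ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ]` is true for every model, since a value cannot equal both `3` and `3P`, so enabling `ENABLE_UBOOTUSB` always aborts with "requires Raspberry 3"; the test needs `&&`: `if [ "$RPI_MODEL" != 3 ] && [ "$RPI_MODEL" != 3P ] ; then`. The earlier hunk of this file declares `ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}` and `ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}` with `=` rather than the `:=` every neighbouring option uses, so an exported empty string is kept instead of defaulted and the later `= true` tests silently treat it as disabled; switching both to `:=` keeps the file consistent. The `case "$RPI_MODEL"` preceding this block starts outside the hunk.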
@@ -310,6 +354,11 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
310 fi
354 fi
311 fi
355 fi
312
356
357 if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
358 echo "error: You have to compile kernel sources, if you want to enable nexmon"
359 exit 1
360 fi
361
313 # Prepare date string for default image file name
362 # Prepare date string for default image file name
314 DATE="$(date +%Y-%m-%d)"
363 DATE="$(date +%Y-%m-%d)"
315 if [ -z "$KERNEL_BRANCH" ] ; then
364 if [ -z "$KERNEL_BRANCH" ] ; then
@@ -331,6 +380,11 if [ "$ENABLE_VIDEOCORE" = true ] ; then
331 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
380 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
332 fi
381 fi
333
382
383 # Add deps for nexmon
384 if [ "$ENABLE_NEXMON" = true ] ; then
385 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
386 fi
387
334 # Add libncurses5 to enable kernel menuconfig
388 # Add libncurses5 to enable kernel menuconfig
335 if [ "$KERNEL_MENUCONFIG" = true ] ; then
389 if [ "$KERNEL_MENUCONFIG" = true ] ; then
336 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
390 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
@@ -346,6 +400,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
346 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
400 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
347 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
401 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
348
402
403 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
404 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
405 APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
406 fi
407
349 if [ -z "$CRYPTFS_PASSWORD" ] ; then
408 if [ -z "$CRYPTFS_PASSWORD" ] ; then
350 echo "error: no password defined (CRYPTFS_PASSWORD)!"
409 echo "error: no password defined (CRYPTFS_PASSWORD)!"
351 exit 1
410 exit 1
@@ -363,14 +422,6 if [ "$ENABLE_UBOOT" = true ] ; then
363 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
422 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
364 fi
423 fi
365
424
366 if [ "$ENABLE_BLUETOOTH" = true ] ; then
367 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
368 if [ "$ENABLE_CONSOLE" = false ] ; then
369 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
370 fi
371 fi
372 fi
373
374 # Check if root SSH (v2) public key file exists
425 # Check if root SSH (v2) public key file exists
375 if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
426 if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
376 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
427 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
@@ -387,6 +438,11 if [ -n "$SSH_USER_PUB_KEY" ] ; then
387 fi
438 fi
388 fi
439 fi
389
440
441 if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
442 echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
443 exit 1
444 fi
445
390 # Check if all required packages are installed on the build system
446 # Check if all required packages are installed on the build system
391 for package in $REQUIRED_PACKAGES ; do
447 for package in $REQUIRED_PACKAGES ; do
392 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
448 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
@@ -443,6 +499,12 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
443 exit 1
499 exit 1
444 fi
500 fi
445
501
502 # Check if specified NEXMONSRC_DIR directory exists
503 if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
504 echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
505 exit 1
506 fi
507
446 # Check if specified CHROOT_SCRIPTS directory exists
508 # Check if specified CHROOT_SCRIPTS directory exists
447 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
509 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
448 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
510 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
@@ -499,6 +561,10 fi
499 if [ "$ENABLE_IPTABLES" = true ] ; then
561 if [ "$ENABLE_IPTABLES" = true ] ; then
500 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
562 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
501 fi
563 fi
564 # Add apparmor for KERNEL_SECURITY
565 if [ "$KERNEL_SECURITY" = true ] ; then
566 APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
567 fi
502
568
503 # Add openssh server package
569 # Add openssh server package
504 if [ "$ENABLE_SSHD" = true ] ; then
570 if [ "$ENABLE_SSHD" = true ] ; then
@@ -552,16 +618,6 if [ "$ENABLE_SYSVINIT" = false ] ; then
552 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
618 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
553 fi
619 fi
554
620
555 # Check if kernel is getting compiled
556 if [ "$BUILD_KERNEL" = false ] ; then
557 echo "Downloading precompiled kernel"
558 echo "error: not configured"
559 exit 1;
560 # BUILD_KERNEL=true
561 else
562 echo "No precompiled kernel repositories were added"
563 fi
564
565 # Configure kernel sources if no KERNELSRC_DIR
621 # Configure kernel sources if no KERNELSRC_DIR
566 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
622 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
567 KERNELSRC_CONFIG=true
623 KERNELSRC_CONFIG=true
@@ -629,13 +685,17 umount -l "${R}/sys"
629 rm -rf "${R}/run/*"
685 rm -rf "${R}/run/*"
630 rm -rf "${R}/tmp/*"
686 rm -rf "${R}/tmp/*"
631
687
688 # Clean up APT proxy settings
689 if [ "$KEEP_APT_PROXY" = false ] ; then
690 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
691 fi
692
632 # Clean up files
693 # Clean up files
633 rm -f "${ETC_DIR}/ssh/ssh_host_*"
694 rm -f "${ETC_DIR}/ssh/ssh_host_*"
634 rm -f "${ETC_DIR}/dropbear/dropbear_*"
695 rm -f "${ETC_DIR}/dropbear/dropbear_*"
635 rm -f "${ETC_DIR}/apt/sources.list.save"
696 rm -f "${ETC_DIR}/apt/sources.list.save"
636 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
697 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
637 rm -f "${ETC_DIR}/*-"
698 rm -f "${ETC_DIR}/*-"
638 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
639 rm -f "${ETC_DIR}/resolv.conf"
699 rm -f "${ETC_DIR}/resolv.conf"
640 rm -f "${R}/root/.bash_history"
700 rm -f "${R}/root/.bash_history"
641 rm -f "${R}/var/lib/urandom/random-seed"
701 rm -f "${R}/var/lib/urandom/random-seed"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant