##// END OF EJS Templates
<y
burnbabyburn -
r508:aa36bf91dc60
parent child
Show More
@@ -29,7 +29,7 if [ "$BUILD_KERNEL" = true ] ; then
29 else # KERNELSRC_DIR=""
29 else # KERNELSRC_DIR=""
30 # Create temporary directory for kernel sources
30 # Create temporary directory for kernel sources
31 temp_dir=$(as_nobody mktemp -d)
31 temp_dir=$(as_nobody mktemp -d)
32
32
33 # Fetch current RPi2/3 kernel sources
33 # Fetch current RPi2/3 kernel sources
34 if [ -z "${KERNEL_BRANCH}" ] ; then
34 if [ -z "${KERNEL_BRANCH}" ] ; then
35 as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
35 as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
@@ -93,7 +93,7 if [ "$BUILD_KERNEL" = true ] ; then
93 if [ "$KERNELSRC_CONFIG" = true ] ; then
93 if [ "$KERNELSRC_CONFIG" = true ] ; then
94 # Load default raspberry kernel configuration
94 # Load default raspberry kernel configuration
95 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
95 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
96
96
97 #Switch to KERNELSRC_DIR so we can use set_kernel_config
97 #Switch to KERNELSRC_DIR so we can use set_kernel_config
98 cd "${KERNEL_DIR}" || exit
98 cd "${KERNEL_DIR}" || exit
99
99
@@ -106,7 +106,7 if [ "$BUILD_KERNEL" = true ] ; then
106 set_kernel_config CONFIG_ZSMALLOC y
106 set_kernel_config CONFIG_ZSMALLOC y
107 set_kernel_config CONFIG_PGTABLE_MAPPING y
107 set_kernel_config CONFIG_PGTABLE_MAPPING y
108 fi
108 fi
109
109
110 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
110 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
111 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
111 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
112 set_kernel_config CONFIG_VIRTUALIZATION y
112 set_kernel_config CONFIG_VIRTUALIZATION y
@@ -114,106 +114,106 if [ "$BUILD_KERNEL" = true ] ; then
114 set_kernel_config CONFIG_VHOST_NET m
114 set_kernel_config CONFIG_VHOST_NET m
115 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
115 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
116 fi
116 fi
117
117
118 # enable apparmor,integrity audit,
118 # enable apparmor,integrity audit,
119 if [ "$KERNEL_SECURITY" = true ] ; then
119 if [ "$KERNEL_SECURITY" = true ] ; then
120
120
121 # security filesystem, security models and audit
121 # security filesystem, security models and audit
122 set_kernel_config CONFIG_SECURITYFS y
122 set_kernel_config CONFIG_SECURITYFS y
123 set_kernel_config CONFIG_SECURITY y
123 set_kernel_config CONFIG_SECURITY y
124 set_kernel_config CONFIG_AUDIT y
124 set_kernel_config CONFIG_AUDIT y
125
125
126 # harden strcpy and memcpy
126 # harden strcpy and memcpy
127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
130
130
131 # integrity sub-system
131 # integrity sub-system
132 set_kernel_config CONFIG_INTEGRITY=y
132 set_kernel_config CONFIG_INTEGRITY=y
133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
137
137
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
139 set_kernel_config CONFIG_KEYS=y
139 set_kernel_config CONFIG_KEYS=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
141
141
142 # Apparmor
142 # Apparmor
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
149
149
150 # restrictions on unprivileged users reading the kernel
150 # restrictions on unprivileged users reading the kernel
151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
152
152
153 # network security hooks
153 # network security hooks
154 set_kernel_config CONFIG_SECURITY_NETWORK y
154 set_kernel_config CONFIG_SECURITY_NETWORK y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
158
159 # New Options
159 # New Options
160 if [ "$KERNEL_NF" = true ] ; then
160 if [ "$KERNEL_NF" = true ] ; then
161 set_kernel_config CONFIG_IP_NF_SECURITY m
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
181
181
182 set_kernel_config CONFIG_ARM64_CRYPTO y
182 set_kernel_config CONFIG_ARM64_CRYPTO y
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
184 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
184 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
197 fi
197 fi
198
198
199 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
199 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
200 if [ "$KERNEL_NF" = true ] ; then
200 if [ "$KERNEL_NF" = true ] ; then
201 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
201 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
202 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
202 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
203 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
203 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
204 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
204 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
205 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
205 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
206 set_kernel_config CONFIG_NFT_FIB_INET m
206 set_kernel_config CONFIG_NFT_FIB_INET m
207 set_kernel_config CONFIG_NFT_FIB_IPV4 m
207 set_kernel_config CONFIG_NFT_FIB_IPV4 m
208 set_kernel_config CONFIG_NFT_FIB_IPV6 m
208 set_kernel_config CONFIG_NFT_FIB_IPV6 m
209 set_kernel_config CONFIG_NFT_FIB_NETDEV m
209 set_kernel_config CONFIG_NFT_FIB_NETDEV m
210 set_kernel_config CONFIG_NFT_OBJREF m
210 set_kernel_config CONFIG_NFT_OBJREF m
211 set_kernel_config CONFIG_NFT_RT m
211 set_kernel_config CONFIG_NFT_RT m
212 set_kernel_config CONFIG_NFT_SET_BITMAP m
212 set_kernel_config CONFIG_NFT_SET_BITMAP m
213 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
213 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
214 set_kernel_config CONFIG_NF_LOG_ARP m
214 set_kernel_config CONFIG_NF_LOG_ARP m
215 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
215 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
216 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
216 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
217 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
217 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
218 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
218 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
219 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
219 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
@@ -223,7 +223,7 if [ "$BUILD_KERNEL" = true ] ; then
223 set_kernel_config CONFIG_IP6_NF_NAT m
223 set_kernel_config CONFIG_IP6_NF_NAT m
224 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
224 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
225 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
225 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
226 set_kernel_config CONFIG_IP_NF_SECURITY m
226 set_kernel_config CONFIG_IP_NF_SECURITY m
227 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
227 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
228 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
228 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
229 set_kernel_config CONFIG_IP_SET_HASH_IP m
229 set_kernel_config CONFIG_IP_SET_HASH_IP m
@@ -312,10 +312,10 if [ "$BUILD_KERNEL" = true ] ; then
312 set_kernel_config CONFIG_BPF_STREAM_PARSER y
312 set_kernel_config CONFIG_BPF_STREAM_PARSER y
313 set_kernel_config CONFIG_CGROUP_BPF y
313 set_kernel_config CONFIG_CGROUP_BPF y
314 fi
314 fi
315
315
316 # KERNEL_DEFAULT_GOV was set by user
316 # KERNEL_DEFAULT_GOV was set by user
317 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then
317 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then
318
318
319 case "$KERNEL_DEFAULT_GOV" in
319 case "$KERNEL_DEFAULT_GOV" in
320 performance)
320 performance)
321 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
321 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
@@ -337,11 +337,10 if [ "$BUILD_KERNEL" = true ] ; then
337 exit 1
337 exit 1
338 ;;
338 ;;
339 esac
339 esac
340
340
341 # unset previous default governor
341 # unset previous default governor
342 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
342 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
343 fi
343 fi
344
345
344
346
345
347 #Revert to previous directory
346 #Revert to previous directory
@@ -507,18 +506,18 else # BUILD_KERNEL=false
507 # echo Install precompiled kernel...
506 # echo Install precompiled kernel...
508 # echo error: not implemented
507 # echo error: not implemented
509 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
508 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
510
509
511 # Use Sakakis modified kernel if ZSWAP is active
510 # Use Sakakis modified kernel if ZSWAP is active
512 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
511 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
513 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
512 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
514 fi
513 fi
515
514
516 # Create temporary directory for dl
515 # Create temporary directory for dl
517 temp_dir=$(as_nobody mktemp -d)
516 temp_dir=$(as_nobody mktemp -d)
518
517
519 # Fetch kernel dl
518 # Fetch kernel dl
520 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
519 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
521
520
522 #extract download
521 #extract download
523 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
522 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
524
523
@@ -529,12 +528,12 else # BUILD_KERNEL=false
529
528
530 # Remove temporary directory for kernel sources
529 # Remove temporary directory for kernel sources
531 rm -fr "${temp_dir}"
530 rm -fr "${temp_dir}"
532
531
533 # Set permissions of the kernel sources
532 # Set permissions of the kernel sources
534 chown -R root:root "${R}/boot/firmware"
533 chown -R root:root "${R}/boot/firmware"
535 chown -R root:root "${R}/lib/modules"
534 chown -R root:root "${R}/lib/modules"
536 fi
535 fi
537
536
538 # Install Kernel from hypriot comptabile with all Raspberry PI
537 # Install Kernel from hypriot comptabile with all Raspberry PI
539 if [ "$SET_ARCH" = 32 ] ; then
538 if [ "$SET_ARCH" = 32 ] ; then
540 # Create temporary directory for dl
539 # Create temporary directory for dl
@@ -548,7 +547,7 else # BUILD_KERNEL=false
548
547
549 # Set permissions
548 # Set permissions
550 chown -R root:root "${R}"/tmp/kernel.deb
549 chown -R root:root "${R}"/tmp/kernel.deb
551
550
552 # Install kernel
551 # Install kernel
553 chroot_exec dpkg -i /tmp/kernel.deb
552 chroot_exec dpkg -i /tmp/kernel.deb
554
553
@@ -557,7 +556,7 else # BUILD_KERNEL=false
557 mkdir "${temp_dir}"/firmware
556 mkdir "${temp_dir}"/firmware
558 mv "${R}"/boot/* "${temp_dir}"/firmware/
557 mv "${R}"/boot/* "${temp_dir}"/firmware/
559 mv "${temp_dir}"/firmware "${R}"/boot/
558 mv "${temp_dir}"/firmware "${R}"/boot/
560
559
561 #same for kernel headers
560 #same for kernel headers
562 if [ "$KERNEL_HEADERS" = true ] ; then
561 if [ "$KERNEL_HEADERS" = true ] ; then
563 # Fetch kernel header
562 # Fetch kernel header
@@ -568,7 +567,7 else # BUILD_KERNEL=false
568 chroot_exec dpkg -i /tmp/kernel-header.deb
567 chroot_exec dpkg -i /tmp/kernel-header.deb
569 rm -f "${R}"/tmp/kernel-header.deb
568 rm -f "${R}"/tmp/kernel-header.deb
570 fi
569 fi
571
570
572 # Remove temporary directory and files
571 # Remove temporary directory and files
573 rm -fr "${temp_dir}"
572 rm -fr "${temp_dir}"
574 rm -f "${R}"/tmp/kernel.deb
573 rm -f "${R}"/tmp/kernel.deb
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant