@@ -29,7 +29,7 if [ "$BUILD_KERNEL" = true ] ; then | |||||
29 | else # KERNELSRC_DIR="" |
|
29 | else # KERNELSRC_DIR="" | |
30 | # Create temporary directory for kernel sources |
|
30 | # Create temporary directory for kernel sources | |
31 | temp_dir=$(as_nobody mktemp -d) |
|
31 | temp_dir=$(as_nobody mktemp -d) | |
32 |
|
32 | |||
33 | # Fetch current RPi2/3 kernel sources |
|
33 | # Fetch current RPi2/3 kernel sources | |
34 | if [ -z "${KERNEL_BRANCH}" ] ; then |
|
34 | if [ -z "${KERNEL_BRANCH}" ] ; then | |
35 | as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux |
|
35 | as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux | |
@@ -93,7 +93,7 if [ "$BUILD_KERNEL" = true ] ; then | |||||
93 | if [ "$KERNELSRC_CONFIG" = true ] ; then |
|
93 | if [ "$KERNELSRC_CONFIG" = true ] ; then | |
94 | # Load default raspberry kernel configuration |
|
94 | # Load default raspberry kernel configuration | |
95 | make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" |
|
95 | make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" | |
96 |
|
|
96 | ||
97 | #Switch to KERNELSRC_DIR so we can use set_kernel_config |
|
97 | #Switch to KERNELSRC_DIR so we can use set_kernel_config | |
98 | cd "${KERNEL_DIR}" || exit |
|
98 | cd "${KERNEL_DIR}" || exit | |
99 |
|
99 | |||
@@ -106,7 +106,7 if [ "$BUILD_KERNEL" = true ] ; then | |||||
106 | set_kernel_config CONFIG_ZSMALLOC y |
|
106 | set_kernel_config CONFIG_ZSMALLOC y | |
107 | set_kernel_config CONFIG_PGTABLE_MAPPING y |
|
107 | set_kernel_config CONFIG_PGTABLE_MAPPING y | |
108 | fi |
|
108 | fi | |
109 |
|
109 | |||
110 | # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 |
|
110 | # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 | |
111 | if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then |
|
111 | if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then | |
112 | set_kernel_config CONFIG_VIRTUALIZATION y |
|
112 | set_kernel_config CONFIG_VIRTUALIZATION y | |
@@ -114,106 +114,106 if [ "$BUILD_KERNEL" = true ] ; then | |||||
114 | set_kernel_config CONFIG_VHOST_NET m |
|
114 | set_kernel_config CONFIG_VHOST_NET m | |
115 | set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y |
|
115 | set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y | |
116 | fi |
|
116 | fi | |
117 |
|
117 | |||
118 | # enable apparmor,integrity audit, |
|
118 | # enable apparmor,integrity audit, | |
119 | if [ "$KERNEL_SECURITY" = true ] ; then |
|
119 | if [ "$KERNEL_SECURITY" = true ] ; then | |
120 |
|
120 | |||
121 | # security filesystem, security models and audit |
|
121 | # security filesystem, security models and audit | |
122 |
|
|
122 | set_kernel_config CONFIG_SECURITYFS y | |
123 |
|
|
123 | set_kernel_config CONFIG_SECURITY y | |
124 | set_kernel_config CONFIG_AUDIT y |
|
124 | set_kernel_config CONFIG_AUDIT y | |
125 |
|
125 | |||
126 |
|
|
126 | # harden strcpy and memcpy | |
127 | set_kernel_config CONFIG_HARDENED_USERCOPY=y |
|
127 | set_kernel_config CONFIG_HARDENED_USERCOPY=y | |
128 | set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
|
128 | set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y | |
129 |
|
|
129 | set_kernel_config CONFIG_FORTIFY_SOURCE=y | |
130 |
|
130 | |||
131 |
|
|
131 | # integrity sub-system | |
132 | set_kernel_config CONFIG_INTEGRITY=y |
|
132 | set_kernel_config CONFIG_INTEGRITY=y | |
133 | set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y |
|
133 | set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y | |
134 | set_kernel_config CONFIG_INTEGRITY_AUDIT=y |
|
134 | set_kernel_config CONFIG_INTEGRITY_AUDIT=y | |
135 | set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y |
|
135 | set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y | |
136 | set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y |
|
136 | set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y | |
137 |
|
137 | |||
138 |
|
|
138 | # This option provides support for retaining authentication tokens and access keys in the kernel. | |
139 | set_kernel_config CONFIG_KEYS=y |
|
139 | set_kernel_config CONFIG_KEYS=y | |
140 | set_kernel_config CONFIG_KEYS_COMPAT=y |
|
140 | set_kernel_config CONFIG_KEYS_COMPAT=y | |
141 |
|
141 | |||
142 |
|
|
142 | # Apparmor | |
143 | set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 |
|
143 | set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 | |
144 | set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y |
|
144 | set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y | |
145 |
|
|
145 | set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y | |
146 |
|
|
146 | set_kernel_config CONFIG_SECURITY_APPARMOR y | |
147 |
|
|
147 | set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y | |
148 |
|
|
148 | set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" | |
149 |
|
149 | |||
150 |
|
|
150 | # restrictions on unprivileged users reading the kernel | |
151 | set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y |
|
151 | set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y | |
152 |
|
152 | |||
153 |
|
|
153 | # network security hooks | |
154 | set_kernel_config CONFIG_SECURITY_NETWORK y |
|
154 | set_kernel_config CONFIG_SECURITY_NETWORK y | |
155 | set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y |
|
155 | set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y | |
156 | set_kernel_config CONFIG_SECURITY_PATH=y |
|
156 | set_kernel_config CONFIG_SECURITY_PATH=y | |
157 | set_kernel_config CONFIG_SECURITY_YAMA=y |
|
157 | set_kernel_config CONFIG_SECURITY_YAMA=y | |
158 |
|
158 | |||
159 |
|
|
159 | # New Options | |
160 |
|
|
160 | if [ "$KERNEL_NF" = true ] ; then | |
161 |
|
|
161 | set_kernel_config CONFIG_IP_NF_SECURITY m | |
162 |
|
|
162 | set_kernel_config CONFIG_NETLABEL m | |
163 |
|
|
163 | set_kernel_config CONFIG_IP6_NF_SECURITY m | |
164 |
|
|
164 | fi | |
165 |
|
|
165 | set_kernel_config CONFIG_SECURITY_SELINUX n | |
166 |
|
|
166 | set_kernel_config CONFIG_SECURITY_SMACK n | |
167 |
|
|
167 | set_kernel_config CONFIG_SECURITY_TOMOYO n | |
168 |
|
|
168 | set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n | |
169 |
|
|
169 | set_kernel_config CONFIG_SECURITY_LOADPIN n | |
170 |
|
|
170 | set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n | |
171 |
|
|
171 | set_kernel_config CONFIG_IMA n | |
172 |
|
|
172 | set_kernel_config CONFIG_EVM n | |
173 |
|
|
173 | set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y | |
174 |
|
|
174 | set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y | |
175 |
|
|
175 | set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y | |
176 |
|
|
176 | set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y | |
177 |
|
|
177 | set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y | |
178 |
|
|
178 | set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y | |
179 |
|
|
179 | set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y | |
180 |
|
|
180 | set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n | |
181 |
|
181 | |||
182 |
|
|
182 | set_kernel_config CONFIG_ARM64_CRYPTO y | |
183 |
|
|
183 | set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m | |
184 | set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m |
|
184 | set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m | |
185 |
|
|
185 | set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m | |
186 |
|
|
186 | set_kernel_config CRYPTO_GHASH_ARM64_CE m | |
187 |
|
|
187 | set_kernel_config CRYPTO_SHA2_ARM64_CE m | |
188 |
|
|
188 | set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m | |
189 |
|
|
189 | set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m | |
190 |
|
|
190 | set_kernel_config CONFIG_CRYPTO_AES_ARM64 m | |
191 |
|
|
191 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m | |
192 |
|
|
192 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y | |
193 |
|
|
193 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y | |
194 |
|
|
194 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m | |
195 |
|
|
195 | set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m | |
196 |
|
|
196 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m | |
197 |
|
|
197 | fi | |
198 |
|
198 | |||
199 | # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 |
|
199 | # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 | |
200 |
|
|
200 | if [ "$KERNEL_NF" = true ] ; then | |
201 |
|
|
201 | set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m | |
202 |
|
|
202 | set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m | |
203 |
|
|
203 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m | |
204 |
|
|
204 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m | |
205 |
|
|
205 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m | |
206 |
|
|
206 | set_kernel_config CONFIG_NFT_FIB_INET m | |
207 |
|
|
207 | set_kernel_config CONFIG_NFT_FIB_IPV4 m | |
208 |
|
|
208 | set_kernel_config CONFIG_NFT_FIB_IPV6 m | |
209 |
|
|
209 | set_kernel_config CONFIG_NFT_FIB_NETDEV m | |
210 |
|
|
210 | set_kernel_config CONFIG_NFT_OBJREF m | |
211 |
|
|
211 | set_kernel_config CONFIG_NFT_RT m | |
212 |
|
|
212 | set_kernel_config CONFIG_NFT_SET_BITMAP m | |
213 |
|
|
213 | set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y | |
214 |
|
|
214 | set_kernel_config CONFIG_NF_LOG_ARP m | |
215 |
|
|
215 | set_kernel_config CONFIG_NF_SOCKET_IPV4 m | |
216 |
|
|
216 | set_kernel_config CONFIG_NF_SOCKET_IPV6 m | |
217 | set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m |
|
217 | set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m | |
218 | set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m |
|
218 | set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m | |
219 | set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m |
|
219 | set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m | |
@@ -223,7 +223,7 if [ "$BUILD_KERNEL" = true ] ; then | |||||
223 | set_kernel_config CONFIG_IP6_NF_NAT m |
|
223 | set_kernel_config CONFIG_IP6_NF_NAT m | |
224 | set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m |
|
224 | set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m | |
225 | set_kernel_config CONFIG_IP6_NF_TARGET_NPT m |
|
225 | set_kernel_config CONFIG_IP6_NF_TARGET_NPT m | |
226 |
|
|
226 | set_kernel_config CONFIG_IP_NF_SECURITY m | |
227 | set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m |
|
227 | set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m | |
228 | set_kernel_config CONFIG_IP_SET_BITMAP_PORT m |
|
228 | set_kernel_config CONFIG_IP_SET_BITMAP_PORT m | |
229 | set_kernel_config CONFIG_IP_SET_HASH_IP m |
|
229 | set_kernel_config CONFIG_IP_SET_HASH_IP m | |
@@ -312,10 +312,10 if [ "$BUILD_KERNEL" = true ] ; then | |||||
312 | set_kernel_config CONFIG_BPF_STREAM_PARSER y |
|
312 | set_kernel_config CONFIG_BPF_STREAM_PARSER y | |
313 | set_kernel_config CONFIG_CGROUP_BPF y |
|
313 | set_kernel_config CONFIG_CGROUP_BPF y | |
314 | fi |
|
314 | fi | |
315 |
|
315 | |||
316 | # KERNEL_DEFAULT_GOV was set by user |
|
316 | # KERNEL_DEFAULT_GOV was set by user | |
317 | if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then |
|
317 | if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then | |
318 |
|
318 | |||
319 | case "$KERNEL_DEFAULT_GOV" in |
|
319 | case "$KERNEL_DEFAULT_GOV" in | |
320 | performance) |
|
320 | performance) | |
321 | set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y |
|
321 | set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y | |
@@ -337,11 +337,10 if [ "$BUILD_KERNEL" = true ] ; then | |||||
337 | exit 1 |
|
337 | exit 1 | |
338 | ;; |
|
338 | ;; | |
339 | esac |
|
339 | esac | |
340 |
|
340 | |||
341 |
|
|
341 | # unset previous default governor | |
342 | unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE |
|
342 | unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE | |
343 | fi |
|
343 | fi | |
344 |
|
||||
345 |
|
344 | |||
346 |
|
345 | |||
347 | #Revert to previous directory |
|
346 | #Revert to previous directory | |
@@ -507,18 +506,18 else # BUILD_KERNEL=false | |||||
507 | # echo Install precompiled kernel... |
|
506 | # echo Install precompiled kernel... | |
508 | # echo error: not implemented |
|
507 | # echo error: not implemented | |
509 | if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then |
|
508 | if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then | |
510 |
|
509 | |||
511 | # Use Sakakis modified kernel if ZSWAP is active |
|
510 | # Use Sakakis modified kernel if ZSWAP is active | |
512 | if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then |
|
511 | if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then | |
513 | RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" |
|
512 | RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" | |
514 | fi |
|
513 | fi | |
515 |
|
514 | |||
516 | # Create temporary directory for dl |
|
515 | # Create temporary directory for dl | |
517 | temp_dir=$(as_nobody mktemp -d) |
|
516 | temp_dir=$(as_nobody mktemp -d) | |
518 |
|
517 | |||
519 | # Fetch kernel dl |
|
518 | # Fetch kernel dl | |
520 | as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" |
|
519 | as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" | |
521 |
|
520 | |||
522 | #extract download |
|
521 | #extract download | |
523 | tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" |
|
522 | tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" | |
524 |
|
523 | |||
@@ -529,12 +528,12 else # BUILD_KERNEL=false | |||||
529 |
|
528 | |||
530 | # Remove temporary directory for kernel sources |
|
529 | # Remove temporary directory for kernel sources | |
531 | rm -fr "${temp_dir}" |
|
530 | rm -fr "${temp_dir}" | |
532 |
|
531 | |||
533 | # Set permissions of the kernel sources |
|
532 | # Set permissions of the kernel sources | |
534 | chown -R root:root "${R}/boot/firmware" |
|
533 | chown -R root:root "${R}/boot/firmware" | |
535 | chown -R root:root "${R}/lib/modules" |
|
534 | chown -R root:root "${R}/lib/modules" | |
536 | fi |
|
535 | fi | |
537 |
|
536 | |||
538 | # Install Kernel from hypriot comptabile with all Raspberry PI |
|
537 | # Install Kernel from hypriot comptabile with all Raspberry PI | |
539 | if [ "$SET_ARCH" = 32 ] ; then |
|
538 | if [ "$SET_ARCH" = 32 ] ; then | |
540 | # Create temporary directory for dl |
|
539 | # Create temporary directory for dl | |
@@ -548,7 +547,7 else # BUILD_KERNEL=false | |||||
548 |
|
547 | |||
549 | # Set permissions |
|
548 | # Set permissions | |
550 | chown -R root:root "${R}"/tmp/kernel.deb |
|
549 | chown -R root:root "${R}"/tmp/kernel.deb | |
551 |
|
550 | |||
552 | # Install kernel |
|
551 | # Install kernel | |
553 | chroot_exec dpkg -i /tmp/kernel.deb |
|
552 | chroot_exec dpkg -i /tmp/kernel.deb | |
554 |
|
553 | |||
@@ -557,7 +556,7 else # BUILD_KERNEL=false | |||||
557 | mkdir "${temp_dir}"/firmware |
|
556 | mkdir "${temp_dir}"/firmware | |
558 | mv "${R}"/boot/* "${temp_dir}"/firmware/ |
|
557 | mv "${R}"/boot/* "${temp_dir}"/firmware/ | |
559 | mv "${temp_dir}"/firmware "${R}"/boot/ |
|
558 | mv "${temp_dir}"/firmware "${R}"/boot/ | |
560 |
|
559 | |||
561 | #same for kernel headers |
|
560 | #same for kernel headers | |
562 | if [ "$KERNEL_HEADERS" = true ] ; then |
|
561 | if [ "$KERNEL_HEADERS" = true ] ; then | |
563 | # Fetch kernel header |
|
562 | # Fetch kernel header | |
@@ -568,7 +567,7 else # BUILD_KERNEL=false | |||||
568 | chroot_exec dpkg -i /tmp/kernel-header.deb |
|
567 | chroot_exec dpkg -i /tmp/kernel-header.deb | |
569 | rm -f "${R}"/tmp/kernel-header.deb |
|
568 | rm -f "${R}"/tmp/kernel-header.deb | |
570 | fi |
|
569 | fi | |
571 |
|
570 | |||
572 | # Remove temporary directory and files |
|
571 | # Remove temporary directory and files | |
573 | rm -fr "${temp_dir}" |
|
572 | rm -fr "${temp_dir}" | |
574 | rm -f "${R}"/tmp/kernel.deb |
|
573 | rm -f "${R}"/tmp/kernel.deb |
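Review bot: The hardening options on new lines 127–129, 132–136, 139–140, 151 and 155–157 are passed as a single `NAME=y` token (e.g. `set_kernel_config CONFIG_HARDENED_USERCOPY=y`), whereas every other call in this section passes the option and its value as two arguments (`set_kernel_config CONFIG_SECURITY y`); if set_kernel_config reads `$1`/`$2` as all those other calls imply, these lines hand it an empty value and CONFIG_HARDENED_USERCOPY, CONFIG_FORTIFY_SOURCE, the CONFIG_INTEGRITY_* set, CONFIG_KEYS, CONFIG_SECURITY_DMESG_RESTRICT and CONFIG_SECURITY_YAMA may silently never land in .config — its definition is not visible here, so please confirm against the generated .config after a build. New lines 186–187 (`CRYPTO_GHASH_ARM64_CE`, `CRYPTO_SHA2_ARM64_CE`) also lack the `CONFIG_` prefix the surrounding lines use and should read `set_kernel_config CONFIG_CRYPTO_GHASH_ARM64_CE m` / `set_kernel_config CONFIG_CRYPTO_SHA2_ARM64_CE m`. Separately, the precompiled-kernel path (new lines 519–522) downloads `$RPI3_64_KERNEL_URL` with wget and extracts it as root with no checksum or signature verification, so a compromised mirror or MITM can replace the kernel and modules that are then installed into the image; comparing against a pinned SHA-256 before `tar -xJf` would close that gap. The enclosing `if [ "$BUILD_KERNEL" = true ]` block and the file header lie outside the visible hunks, and if this commit is only re-indenting these lines the problems above are pre-existing rather than introduced here.
```shell
# … unchanged: CONFIG_SECURITYFS / CONFIG_SECURITY / CONFIG_AUDIT …
# harden strcpy and memcpy
set_kernel_config CONFIG_HARDENED_USERCOPY y
set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
set_kernel_config CONFIG_FORTIFY_SOURCE y

# integrity sub-system
set_kernel_config CONFIG_INTEGRITY y
set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
set_kernel_config CONFIG_INTEGRITY_AUDIT y
set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y

# This option provides support for retaining authentication tokens and access keys in the kernel.
set_kernel_config CONFIG_KEYS y
set_kernel_config CONFIG_KEYS_COMPAT y
# … unchanged: AppArmor block …
# restrictions on unprivileged users reading the kernel
set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
# … unchanged: CONFIG_SECURITY_NETWORK …
set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
set_kernel_config CONFIG_SECURITY_PATH y
set_kernel_config CONFIG_SECURITY_YAMA y
# … unchanged: netfilter / LSM selection / ARM64 crypto up to SHA1_ARM64_CE …
set_kernel_config CONFIG_CRYPTO_GHASH_ARM64_CE m
set_kernel_config CONFIG_CRYPTO_SHA2_ARM64_CE m
```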