##// END OF EJS Templates
<y
burnbabyburn -
r508:aa36bf91dc60
parent child
Show More
@@ -29,7 +29,7 if [ "$BUILD_KERNEL" = true ] ; then
29 29 else # KERNELSRC_DIR=""
30 30 # Create temporary directory for kernel sources
31 31 temp_dir=$(as_nobody mktemp -d)
32
32
33 33 # Fetch current RPi2/3 kernel sources
34 34 if [ -z "${KERNEL_BRANCH}" ] ; then
35 35 as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
@@ -93,7 +93,7 if [ "$BUILD_KERNEL" = true ] ; then
93 93 if [ "$KERNELSRC_CONFIG" = true ] ; then
94 94 # Load default raspberry kernel configuration
95 95 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
96
96
97 97 #Switch to KERNELSRC_DIR so we can use set_kernel_config
98 98 cd "${KERNEL_DIR}" || exit
99 99
@@ -106,7 +106,7 if [ "$BUILD_KERNEL" = true ] ; then
106 106 set_kernel_config CONFIG_ZSMALLOC y
107 107 set_kernel_config CONFIG_PGTABLE_MAPPING y
108 108 fi
109
109
110 110 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
111 111 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
112 112 set_kernel_config CONFIG_VIRTUALIZATION y
@@ -114,106 +114,106 if [ "$BUILD_KERNEL" = true ] ; then
114 114 set_kernel_config CONFIG_VHOST_NET m
115 115 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
116 116 fi
117
117
118 118 # enable apparmor,integrity audit,
119 119 if [ "$KERNEL_SECURITY" = true ] ; then
120 120
121 121 # security filesystem, security models and audit
122 set_kernel_config CONFIG_SECURITYFS y
123 set_kernel_config CONFIG_SECURITY y
122 set_kernel_config CONFIG_SECURITYFS y
123 set_kernel_config CONFIG_SECURITY y
124 124 set_kernel_config CONFIG_AUDIT y
125 125
126 # harden strcpy and memcpy
126 # harden strcpy and memcpy
127 127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
128 128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
130
131 # integrity sub-system
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
130
131 # integrity sub-system
132 132 set_kernel_config CONFIG_INTEGRITY=y
133 133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
134 134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
135 135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
136 136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
137
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
137
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
139 139 set_kernel_config CONFIG_KEYS=y
140 140 set_kernel_config CONFIG_KEYS_COMPAT=y
141
142 # Apparmor
141
142 # Apparmor
143 143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
149
150 # restrictions on unprivileged users reading the kernel
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
149
150 # restrictions on unprivileged users reading the kernel
151 151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
152
153 # network security hooks
152
153 # network security hooks
154 154 set_kernel_config CONFIG_SECURITY_NETWORK y
155 155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 156 set_kernel_config CONFIG_SECURITY_PATH=y
157 157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
159 # New Options
160 if [ "$KERNEL_NF" = true ] ; then
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
181
182 set_kernel_config CONFIG_ARM64_CRYPTO y
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
158
159 # New Options
160 if [ "$KERNEL_NF" = true ] ; then
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
181
182 set_kernel_config CONFIG_ARM64_CRYPTO y
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
184 184 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
197 fi
198
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
197 fi
198
199 199 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
200 if [ "$KERNEL_NF" = true ] ; then
201 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
202 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
203 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
204 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
205 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
206 set_kernel_config CONFIG_NFT_FIB_INET m
207 set_kernel_config CONFIG_NFT_FIB_IPV4 m
208 set_kernel_config CONFIG_NFT_FIB_IPV6 m
209 set_kernel_config CONFIG_NFT_FIB_NETDEV m
210 set_kernel_config CONFIG_NFT_OBJREF m
211 set_kernel_config CONFIG_NFT_RT m
212 set_kernel_config CONFIG_NFT_SET_BITMAP m
213 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
214 set_kernel_config CONFIG_NF_LOG_ARP m
215 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
216 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
200 if [ "$KERNEL_NF" = true ] ; then
201 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
202 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
203 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
204 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
205 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
206 set_kernel_config CONFIG_NFT_FIB_INET m
207 set_kernel_config CONFIG_NFT_FIB_IPV4 m
208 set_kernel_config CONFIG_NFT_FIB_IPV6 m
209 set_kernel_config CONFIG_NFT_FIB_NETDEV m
210 set_kernel_config CONFIG_NFT_OBJREF m
211 set_kernel_config CONFIG_NFT_RT m
212 set_kernel_config CONFIG_NFT_SET_BITMAP m
213 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
214 set_kernel_config CONFIG_NF_LOG_ARP m
215 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
216 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
217 217 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
218 218 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
219 219 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
@@ -223,7 +223,7 if [ "$BUILD_KERNEL" = true ] ; then
223 223 set_kernel_config CONFIG_IP6_NF_NAT m
224 224 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
225 225 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
226 set_kernel_config CONFIG_IP_NF_SECURITY m
226 set_kernel_config CONFIG_IP_NF_SECURITY m
227 227 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
228 228 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
229 229 set_kernel_config CONFIG_IP_SET_HASH_IP m
@@ -312,10 +312,10 if [ "$BUILD_KERNEL" = true ] ; then
312 312 set_kernel_config CONFIG_BPF_STREAM_PARSER y
313 313 set_kernel_config CONFIG_CGROUP_BPF y
314 314 fi
315
315
316 316 # KERNEL_DEFAULT_GOV was set by user
317 317 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then
318
318
319 319 case "$KERNEL_DEFAULT_GOV" in
320 320 performance)
321 321 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
@@ -337,11 +337,10 if [ "$BUILD_KERNEL" = true ] ; then
337 337 exit 1
338 338 ;;
339 339 esac
340
341 # unset previous default governor
340
341 # unset previous default governor
342 342 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
343 343 fi
344
345 344
346 345
347 346 #Revert to previous directory
@@ -507,18 +506,18 else # BUILD_KERNEL=false
507 506 # echo Install precompiled kernel...
508 507 # echo error: not implemented
509 508 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
510
509
511 510 # Use Sakakis modified kernel if ZSWAP is active
512 511 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
513 512 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
514 513 fi
515
514
516 515 # Create temporary directory for dl
517 516 temp_dir=$(as_nobody mktemp -d)
518 517
519 518 # Fetch kernel dl
520 519 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
521
520
522 521 #extract download
523 522 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
524 523
@@ -529,12 +528,12 else # BUILD_KERNEL=false
529 528
530 529 # Remove temporary directory for kernel sources
531 530 rm -fr "${temp_dir}"
532
531
533 532 # Set permissions of the kernel sources
534 533 chown -R root:root "${R}/boot/firmware"
535 534 chown -R root:root "${R}/lib/modules"
536 535 fi
537
536
538 537 # Install Kernel from hypriot comptabile with all Raspberry PI
539 538 if [ "$SET_ARCH" = 32 ] ; then
540 539 # Create temporary directory for dl
@@ -548,7 +547,7 else # BUILD_KERNEL=false
548 547
549 548 # Set permissions
550 549 chown -R root:root "${R}"/tmp/kernel.deb
551
550
552 551 # Install kernel
553 552 chroot_exec dpkg -i /tmp/kernel.deb
554 553
@@ -557,7 +556,7 else # BUILD_KERNEL=false
557 556 mkdir "${temp_dir}"/firmware
558 557 mv "${R}"/boot/* "${temp_dir}"/firmware/
559 558 mv "${temp_dir}"/firmware "${R}"/boot/
560
559
561 560 #same for kernel headers
562 561 if [ "$KERNEL_HEADERS" = true ] ; then
563 562 # Fetch kernel header
@@ -568,7 +567,7 else # BUILD_KERNEL=false
568 567 chroot_exec dpkg -i /tmp/kernel-header.deb
569 568 rm -f "${R}"/tmp/kernel-header.deb
570 569 fi
571
570
572 571 # Remove temporary directory and files
573 572 rm -fr "${temp_dir}"
574 573 rm -f "${R}"/tmp/kernel.deb
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant