@@ -29,7 +29,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
29 | 29 | else # KERNELSRC_DIR="" |
|
30 | 30 | # Create temporary directory for kernel sources |
|
31 | 31 | temp_dir=$(as_nobody mktemp -d) |
|
32 | ||
|
32 | ||
|
33 | 33 | # Fetch current RPi2/3 kernel sources |
|
34 | 34 | if [ -z "${KERNEL_BRANCH}" ] ; then |
|
35 | 35 | as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux |
@@ -93,7 +93,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
93 | 93 | if [ "$KERNELSRC_CONFIG" = true ] ; then |
|
94 | 94 | # Load default raspberry kernel configuration |
|
95 | 95 | make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" |
|
96 |
|
|
|
96 | ||
|
97 | 97 | #Switch to KERNELSRC_DIR so we can use set_kernel_config |
|
98 | 98 | cd "${KERNEL_DIR}" || exit |
|
99 | 99 | |
@@ -106,7 +106,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
106 | 106 | set_kernel_config CONFIG_ZSMALLOC y |
|
107 | 107 | set_kernel_config CONFIG_PGTABLE_MAPPING y |
|
108 | 108 | fi |
|
109 | ||
|
109 | ||
|
110 | 110 | # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453 |
|
111 | 111 | if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then |
|
112 | 112 | set_kernel_config CONFIG_VIRTUALIZATION y |
@@ -114,106 +114,106 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
114 | 114 | set_kernel_config CONFIG_VHOST_NET m |
|
115 | 115 | set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y |
|
116 | 116 | fi |
|
117 | ||
|
117 | ||
|
118 | 118 | # enable apparmor,integrity audit, |
|
119 | 119 | if [ "$KERNEL_SECURITY" = true ] ; then |
|
120 | 120 | |
|
121 | 121 | # security filesystem, security models and audit |
|
122 |
|
|
|
123 |
|
|
|
122 | set_kernel_config CONFIG_SECURITYFS y | |
|
123 | set_kernel_config CONFIG_SECURITY y | |
|
124 | 124 | set_kernel_config CONFIG_AUDIT y |
|
125 | 125 | |
|
126 |
|
|
|
126 | # harden strcpy and memcpy | |
|
127 | 127 | set_kernel_config CONFIG_HARDENED_USERCOPY=y |
|
128 | 128 | set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
|
129 |
|
|
|
130 | ||
|
131 |
|
|
|
129 | set_kernel_config CONFIG_FORTIFY_SOURCE=y | |
|
130 | ||
|
131 | # integrity sub-system | |
|
132 | 132 | set_kernel_config CONFIG_INTEGRITY=y |
|
133 | 133 | set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y |
|
134 | 134 | set_kernel_config CONFIG_INTEGRITY_AUDIT=y |
|
135 | 135 | set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y |
|
136 | 136 | set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y |
|
137 | ||
|
138 |
|
|
|
137 | ||
|
138 | # This option provides support for retaining authentication tokens and access keys in the kernel. | |
|
139 | 139 | set_kernel_config CONFIG_KEYS=y |
|
140 | 140 | set_kernel_config CONFIG_KEYS_COMPAT=y |
|
141 | ||
|
142 |
|
|
|
141 | ||
|
142 | # Apparmor | |
|
143 | 143 | set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0 |
|
144 | 144 | set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y |
|
145 |
|
|
|
146 |
|
|
|
147 |
|
|
|
148 |
|
|
|
149 | ||
|
150 |
|
|
|
145 | set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y | |
|
146 | set_kernel_config CONFIG_SECURITY_APPARMOR y | |
|
147 | set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y | |
|
148 | set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" | |
|
149 | ||
|
150 | # restrictions on unprivileged users reading the kernel | |
|
151 | 151 | set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y |
|
152 | ||
|
153 |
|
|
|
152 | ||
|
153 | # network security hooks | |
|
154 | 154 | set_kernel_config CONFIG_SECURITY_NETWORK y |
|
155 | 155 | set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y |
|
156 | 156 | set_kernel_config CONFIG_SECURITY_PATH=y |
|
157 | 157 | set_kernel_config CONFIG_SECURITY_YAMA=y |
|
158 | ||
|
159 |
|
|
|
160 |
|
|
|
161 |
|
|
|
162 |
|
|
|
163 |
|
|
|
164 |
|
|
|
165 |
|
|
|
166 |
|
|
|
167 |
|
|
|
168 |
|
|
|
169 |
|
|
|
170 |
|
|
|
171 |
|
|
|
172 |
|
|
|
173 |
|
|
|
174 |
|
|
|
175 |
|
|
|
176 |
|
|
|
177 |
|
|
|
178 |
|
|
|
179 |
|
|
|
180 |
|
|
|
181 | ||
|
182 |
|
|
|
183 |
|
|
|
158 | ||
|
159 | # New Options | |
|
160 | if [ "$KERNEL_NF" = true ] ; then | |
|
161 | set_kernel_config CONFIG_IP_NF_SECURITY m | |
|
162 | set_kernel_config CONFIG_NETLABEL m | |
|
163 | set_kernel_config CONFIG_IP6_NF_SECURITY m | |
|
164 | fi | |
|
165 | set_kernel_config CONFIG_SECURITY_SELINUX n | |
|
166 | set_kernel_config CONFIG_SECURITY_SMACK n | |
|
167 | set_kernel_config CONFIG_SECURITY_TOMOYO n | |
|
168 | set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n | |
|
169 | set_kernel_config CONFIG_SECURITY_LOADPIN n | |
|
170 | set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n | |
|
171 | set_kernel_config CONFIG_IMA n | |
|
172 | set_kernel_config CONFIG_EVM n | |
|
173 | set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y | |
|
174 | set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y | |
|
175 | set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y | |
|
176 | set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y | |
|
177 | set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y | |
|
178 | set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y | |
|
179 | set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y | |
|
180 | set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n | |
|
181 | ||
|
182 | set_kernel_config CONFIG_ARM64_CRYPTO y | |
|
183 | set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m | |
|
184 | 184 | set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m |
|
185 |
|
|
|
186 |
|
|
|
187 |
|
|
|
188 |
|
|
|
189 |
|
|
|
190 |
|
|
|
191 |
|
|
|
192 |
|
|
|
193 |
|
|
|
194 |
|
|
|
195 |
|
|
|
196 |
|
|
|
197 |
|
|
|
198 | ||
|
185 | set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m | |
|
186 | set_kernel_config CRYPTO_GHASH_ARM64_CE m | |
|
187 | set_kernel_config CRYPTO_SHA2_ARM64_CE m | |
|
188 | set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m | |
|
189 | set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m | |
|
190 | set_kernel_config CONFIG_CRYPTO_AES_ARM64 m | |
|
191 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m | |
|
192 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y | |
|
193 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y | |
|
194 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m | |
|
195 | set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m | |
|
196 | set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m | |
|
197 | fi | |
|
198 | ||
|
199 | 199 | # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 |
|
200 |
|
|
|
201 |
|
|
|
202 |
|
|
|
203 |
|
|
|
204 |
|
|
|
205 |
|
|
|
206 |
|
|
|
207 |
|
|
|
208 |
|
|
|
209 |
|
|
|
210 |
|
|
|
211 |
|
|
|
212 |
|
|
|
213 |
|
|
|
214 |
|
|
|
215 |
|
|
|
216 |
|
|
|
200 | if [ "$KERNEL_NF" = true ] ; then | |
|
201 | set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m | |
|
202 | set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m | |
|
203 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m | |
|
204 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m | |
|
205 | set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m | |
|
206 | set_kernel_config CONFIG_NFT_FIB_INET m | |
|
207 | set_kernel_config CONFIG_NFT_FIB_IPV4 m | |
|
208 | set_kernel_config CONFIG_NFT_FIB_IPV6 m | |
|
209 | set_kernel_config CONFIG_NFT_FIB_NETDEV m | |
|
210 | set_kernel_config CONFIG_NFT_OBJREF m | |
|
211 | set_kernel_config CONFIG_NFT_RT m | |
|
212 | set_kernel_config CONFIG_NFT_SET_BITMAP m | |
|
213 | set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y | |
|
214 | set_kernel_config CONFIG_NF_LOG_ARP m | |
|
215 | set_kernel_config CONFIG_NF_SOCKET_IPV4 m | |
|
216 | set_kernel_config CONFIG_NF_SOCKET_IPV6 m | |
|
217 | 217 | set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m |
|
218 | 218 | set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m |
|
219 | 219 | set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m |
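Review bot: Two of the new crypto options, `set_kernel_config CRYPTO_GHASH_ARM64_CE m` and `set_kernel_config CRYPTO_SHA2_ARM64_CE m` (new lines 186–187), lack the `CONFIG_` prefix every other call in this hunk uses, so unless set_kernel_config (defined outside this hunk) normalises the name they will silently not be applied; they should read `set_kernel_config CONFIG_CRYPTO_GHASH_ARM64_CE m` and `set_kernel_config CONFIG_CRYPTO_SHA2_ARM64_CE m`. The same block also mixes two argument forms, a single `CONFIG_FORTIFY_SOURCE=y` argument versus the two-argument `CONFIG_SECURITY y`; whichever form the helper expects, the other presumably produces a wrong symbol name or an empty value, so the new `=y` lines are worth checking against it. As a security caveat, `CONFIG_DEFAULT_SECURITY_APPARMOR y` is added while the surrounding `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0` remains, which as I read it compiles AppArmor in as the default LSM but leaves it disabled at boot unless `apparmor=1` is passed on the kernel command line — a comment such as `# BOOTPARAM_VALUE 0: AppArmor stays off unless apparmor=1 is on the cmdline` would stop the next reader assuming it is active. `CONFIG_IP_NF_SECURITY m` is also set twice on the new side (in the KERNEL_SECURITY block and again in the netfilter block), one of which can go. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside the hunk.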
@@ -223,7 +223,7 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
223 | 223 | set_kernel_config CONFIG_IP6_NF_NAT m |
|
224 | 224 | set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m |
|
225 | 225 | set_kernel_config CONFIG_IP6_NF_TARGET_NPT m |
|
226 |
|
|
|
226 | set_kernel_config CONFIG_IP_NF_SECURITY m | |
|
227 | 227 | set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m |
|
228 | 228 | set_kernel_config CONFIG_IP_SET_BITMAP_PORT m |
|
229 | 229 | set_kernel_config CONFIG_IP_SET_HASH_IP m |
@@ -312,10 +312,10 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
312 | 312 | set_kernel_config CONFIG_BPF_STREAM_PARSER y |
|
313 | 313 | set_kernel_config CONFIG_CGROUP_BPF y |
|
314 | 314 | fi |
|
315 | ||
|
315 | ||
|
316 | 316 | # KERNEL_DEFAULT_GOV was set by user |
|
317 | 317 | if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then |
|
318 | ||
|
318 | ||
|
319 | 319 | case "$KERNEL_DEFAULT_GOV" in |
|
320 | 320 | performance) |
|
321 | 321 | set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y |
@@ -337,11 +337,10 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
337 | 337 | exit 1 |
|
338 | 338 | ;; |
|
339 | 339 | esac |
|
340 | ||
|
341 |
|
|
|
340 | ||
|
341 | # unset previous default governor | |
|
342 | 342 | unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE |
|
343 | 343 | fi |
|
344 | ||
|
345 | 344 | |
|
346 | 345 | |
|
347 | 346 | #Revert to previous directory |
@@ -507,18 +506,18 else # BUILD_KERNEL=false | |||
|
507 | 506 | # echo Install precompiled kernel... |
|
508 | 507 | # echo error: not implemented |
|
509 | 508 | if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then |
|
510 | ||
|
509 | ||
|
511 | 510 | # Use Sakakis modified kernel if ZSWAP is active |
|
512 | 511 | if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then |
|
513 | 512 | RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" |
|
514 | 513 | fi |
|
515 | ||
|
514 | ||
|
516 | 515 | # Create temporary directory for dl |
|
517 | 516 | temp_dir=$(as_nobody mktemp -d) |
|
518 | 517 | |
|
519 | 518 | # Fetch kernel dl |
|
520 | 519 | as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" |
|
521 | ||
|
520 | ||
|
522 | 521 | #extract download |
|
523 | 522 | tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" |
|
524 | 523 | |
@@ -529,12 +528,12 else # BUILD_KERNEL=false | |||
|
529 | 528 | |
|
530 | 529 | # Remove temporary directory for kernel sources |
|
531 | 530 | rm -fr "${temp_dir}" |
|
532 | ||
|
531 | ||
|
533 | 532 | # Set permissions of the kernel sources |
|
534 | 533 | chown -R root:root "${R}/boot/firmware" |
|
535 | 534 | chown -R root:root "${R}/lib/modules" |
|
536 | 535 | fi |
|
537 | ||
|
536 | ||
|
538 | 537 | # Install Kernel from hypriot comptabile with all Raspberry PI |
|
539 | 538 | if [ "$SET_ARCH" = 32 ] ; then |
|
540 | 539 | # Create temporary directory for dl |
@@ -548,7 +547,7 else # BUILD_KERNEL=false | |||
|
548 | 547 | |
|
549 | 548 | # Set permissions |
|
550 | 549 | chown -R root:root "${R}"/tmp/kernel.deb |
|
551 | ||
|
550 | ||
|
552 | 551 | # Install kernel |
|
553 | 552 | chroot_exec dpkg -i /tmp/kernel.deb |
|
554 | 553 | |
@@ -557,7 +556,7 else # BUILD_KERNEL=false | |||
|
557 | 556 | mkdir "${temp_dir}"/firmware |
|
558 | 557 | mv "${R}"/boot/* "${temp_dir}"/firmware/ |
|
559 | 558 | mv "${temp_dir}"/firmware "${R}"/boot/ |
|
560 | ||
|
559 | ||
|
561 | 560 | #same for kernel headers |
|
562 | 561 | if [ "$KERNEL_HEADERS" = true ] ; then |
|
563 | 562 | # Fetch kernel header |
@@ -568,7 +567,7 else # BUILD_KERNEL=false | |||
|
568 | 567 | chroot_exec dpkg -i /tmp/kernel-header.deb |
|
569 | 568 | rm -f "${R}"/tmp/kernel-header.deb |
|
570 | 569 | fi |
|
571 | ||
|
570 | ||
|
572 | 571 | # Remove temporary directory and files |
|
573 | 572 | rm -fr "${temp_dir}" |
|
574 | 573 | rm -f "${R}"/tmp/kernel.deb |