##// END OF EJS Templates
Added: ENABLE_CRYPTFS - encrypted rootfs, use-latest-bootloader, cp-cleanup
Jan Wagner -
r77:b33dfc51ccaf
parent child
Show More
@@ -0,0 +1,1
1 # <target name> <source device> <key file> <options>
@@ -1,4 +1,5
1 1 images
2 2 custom.d
3 3 *.swp
4 *.bak
4 5 *.log
@@ -21,6 +21,7 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh
22 22 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh
23 23 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
24 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
24 25 ```
25 26
26 27 #### APT settings:
@@ -31,7 +32,7 Set Debian packages server address. Choose a server from the list of Debian worl
31 32 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
32 33
33 34 ##### `APT_INCLUDES`=""
34 A comma seperated list of additional packages to be installed during bootstrapping.
35 A comma separated list of additional packages to be installed during bootstrapping.
35 36
36 37 #### General system settings:
37 38 ##### `HOSTNAME`="rpi2-jessie"
@@ -65,13 +66,13 Set the supported variant(s) of the keyboard layout(s).
65 66 Set extra xkb configuration options.
66 67
67 68 #### Networking settings (DHCP):
68 This setting is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
69 This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
69 70
70 71 #####`ENABLE_DHCP`=true
71 72 Set the system to use DHCP. This requires an DHCP server.
72 73
73 74 #### Networking settings (static):
74 These settings are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking settings are only supported if `ENABLE_DHCP` was set to `false`.
75 These parameters are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`.
75 76
76 77 #####`NET_ADDRESS`=""
77 78 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
@@ -131,7 +132,7 Install a user defined window manager for the X Window System. To make sure all
131 132 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
132 133
133 134 ##### `ENABLE_REDUCE`=false
134 Reduce the disk usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
135 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
135 136
136 137 ##### `ENABLE_UBOOT`=false
137 138 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
@@ -159,11 +160,14 Enable IPv4/IPv6 network stack hardening settings.
159 160 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
160 161
161 162 ##### `CHROOT_SCRIPTS`=""
162 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
163 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
164
165 ##### `ENABLE_INITRAMFS`=false
166 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
163 167
164 168 #### Kernel compilation:
165 169 ##### `BUILD_KERNEL`=false
166 Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. Detailed configuration parameters for customizing the kernel and minor bug fixes still need to get implemented. feel free to help.
170 Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used.
167 171
168 172 ##### `KERNEL_REDUCE`=false
169 173 Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental).
@@ -184,10 +188,10 Remove all kernel sources from the generated OS image after it was built and ins
184 188 Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
185 189
186 190 ##### `KERNELSRC_CLEAN`=false
187 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This setting will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
191 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
188 192
189 193 ##### `KERNELSRC_CONFIG`=true
190 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This setting is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This settings is ignored if `KERNELSRC_PREBUILT`=true.
194 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
191 195
192 196 ##### `KERNELSRC_PREBUILT`=false
193 197 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
@@ -204,7 +208,7 Remove all doc files (harsh). Configure APT to not include doc files on future `
204 208 ##### `REDUCE_MAN`=true
205 209 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
206 210
207 ##### `REDUCE_VIM`=true
211 ##### `REDUCE_VIM`=false
208 212 Replace `vim-tiny` package by `levee` a tiny vim clone.
209 213
210 214 ##### `REDUCE_BASH`=false
@@ -214,11 +218,28 Remove `bash` package and switch to `dash` shell (experimental).
214 218 Remove PCI related hwdb files (experimental).
215 219
216 220 ##### `REDUCE_SSHD`=true
217 Replace `openssh-server` with dropbear.
221 Replace `openssh-server` with `dropbear`.
218 222
219 223 ##### `REDUCE_LOCALE`=true
220 224 Remove all `locale` translation files.
221 225
226 #### Encrypted root partition:
227
228 ##### `ENABLE_CRYPTFS`=false
229 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help.
230
231 ##### `CRYPTFS_PASSWORD`=""
232 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
233
234 ##### `CRYPTFS_MAPPING`="secure"
235 Set name of dm-crypt managed device-mapper mapping.
236
237 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
238 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
239
240 ##### `CRYPTFS_XTSKEYSIZE`=512
241 Sets key size in bits. The argument has to be a multiple of 8.
242
222 243 ## Understanding the script
223 244 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
224 245
@@ -235,11 +256,13 The functions of this script that are required for the different stages of the b
235 256 | `41-uboot.sh` | Build and Setup U-Boot |
236 257 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
237 258 | `50-firstboot.sh` | First boot actions |
259 | `99-reduce.sh` | Reduce the disk space usage |
238 260
239 261 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
240 262
241 263 | Directory | Description |
242 264 | --- | --- |
265 | `apt` | APT management configuration files |
243 266 | `boot` | Boot and RPi2 configuration files |
244 267 | `dpkg` | Package Manager configuration |
245 268 | `firstboot` | Scripts that get executed on first boot |
@@ -13,11 +13,11 else
13 13 fi
14 14
15 15 # Copy qemu emulator binary to chroot
16 cp "${QEMU_BINARY}" "$R/usr/bin"
16 install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
17 17
18 18 # Copy debian-archive-keyring.pgp
19 19 mkdir -p "$R/usr/share/keyrings"
20 cp /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
20 install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
21 21
22 22 # Complete the bootstrapping process
23 23 chroot_exec /debootstrap/debootstrap --second-stage
@@ -11,18 +11,25 if [ -z "$APT_PROXY" ] ; then
11 11 sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
12 12 fi
13 13
14 # Install APT pinning configuration for flash-kernel package
15 install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
14 if [ "$BUILD_KERNEL" = false ] ; then
15 # Install APT pinning configuration for flash-kernel package
16 install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
16 17
17 # Upgrade collabora package index and install collabora keyring
18 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list"
19 chroot_exec apt-get -qq -y update
20 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
18 # Install APT sources.list
19 install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
20 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list"
21
22 # Upgrade collabora package index and install collabora keyring
23 chroot_exec apt-get -qq -y update
24 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
25 else # BUILD_KERNEL=true
26 # Install APT sources.list
27 install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
21 28
22 # Install APT sources.list
23 install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
24 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
25 sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
29 # Use specified APT server and release
30 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
31 sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
32 fi
26 33
27 34 # Upgrade package index and update all installed packages and changed dependencies
28 35 chroot_exec apt-get -qq -y update
@@ -110,24 +110,31 if [ "$BUILD_KERNEL" = true ] ; then
110 110 KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`
111 111
112 112 # Copy kernel configuration file to the boot directory
113 cp "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
113 install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
114 114
115 115 # Copy dts and dtb device tree sources and binaries
116 116 mkdir "$R/boot/firmware/overlays/"
117 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
118 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
119 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/"
117 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
118 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
119 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README"
120 120
121 # Convert kernel zImage and copy it to the boot directory
122 "$R/usr/src/linux/scripts/mkknlimg" "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
121 # Copy zImage kernel to the boot directory
122 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
123 123
124 124 # Remove kernel sources
125 125 if [ "$KERNEL_REMOVESRC" = true ] ; then
126 126 rm -fr "$R/usr/src/linux"
127 127 fi
128 128
129 # Install raspberry bootloader and flash-kernel packages
130 chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel
129 # Install latest boot binaries from raspberry/firmware github
130 wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
131 wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
132 wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
133 wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
134 wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
135 wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
136 wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
137
131 138 else # BUILD_KERNEL=false
132 139 # Kernel installation
133 140 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
@@ -135,9 +142,15 else # BUILD_KERNEL=false
135 142 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
136 143 chroot_exec apt-get -qq -y install flash-kernel
137 144
145 # Check if kernel installation was successful
138 146 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
139 [ -z "$VMLINUZ" ] && exit 1
140 cp "$VMLINUZ" "$R/boot/firmware/kernel7.img"
147 if [ -z "$VMLINUZ" ] ; then
148 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
149 cleanup
150 exit 1
151 fi
152 # Copy vmlinuz kernel to the boot directory
153 install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img"
141 154 fi
142 155
143 156 # Setup firmware boot cmdline
@@ -160,6 +173,11 fi
160 173 # Install firmware boot cmdline
161 174 echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"
162 175
176 # Add encrypted root partition to cmdline.txt
177 if [ "$ENABLE_CRYPTFS" = true ] ; then
178 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt"
179 fi
180
163 181 # Install firmware config
164 182 install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"
165 183
@@ -168,6 +186,11 if [ "$ENABLE_MINGPU" = true ] ; then
168 186 echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"
169 187 fi
170 188
189 # Setup boot with initramfs
190 if [ "$ENABLE_INITRAMFS" = true ] ; then
191 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt"
192 fi
193
171 194 # Create firmware configuration and cmdline symlinks
172 195 ln -sf firmware/config.txt "$R/boot/config.txt"
173 196 ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"
@@ -192,8 +215,37 install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-bla
192 215
193 216 # Install and setup fstab
194 217 install_readonly files/mount/fstab "$R/etc/fstab"
218
219 # Add usb/sda disk root partition to fstab
195 220 if [ "$ENABLE_SPLITFS" = true ] ; then
196 sed -i 's/mmcblk0p2/sda1/' "$R/etc/fstab"
221 sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"
222 fi
223
224 # Add encrypted root partition to fstab and crypttab
225 if [ "$ENABLE_CRYPTFS" = true ] ; then
226 # Replace fstab root partition with encrypted partition mapping
227 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab"
228
229 # Add encrypted partition to crypttab and fstab
230 install_readonly files/mount/crypttab "$R/etc/crypttab"
231 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab"
232 fi
233
234 # Generate initramfs file
235 if [ "$ENABLE_INITRAMFS" = true ] ; then
236 if [ "$ENABLE_CRYPTFS" = true ] ; then
237 # Dummy mapping required by mkinitramfs
238 echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
239
240 # Generate initramfs with encrypted root partition support
241 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
242
243 # Remove dummy mapping
244 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
245 else
246 # Generate initramfs without encrypted root partition support
247 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
248 fi
197 249 fi
198 250
199 251 # Install sysctl.d configuration files
@@ -19,7 +19,7 if [ "$ENABLE_UBOOT" = true ] ; then
19 19 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
20 20
21 21 # Copy compiled bootloader binary and set config.txt to load it
22 cp "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/"
22 install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin"
23 23 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt"
24 24
25 25 # Install and setup U-Boot command file
@@ -9,9 +9,8
9 9 cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot"
10 10
11 11 # Ensure openssh server host keys are regenerated on first boot
12 if [ "$ENABLE_SSHD" = true ] && [ "$ENABLE_REDUCE" = false ]; then
12 if [ "$ENABLE_SSHD" = true ] ; then
13 13 cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot"
14 rm -f "$R/etc/ssh/ssh_host_*"
15 14 fi
16 15
17 16 # Prepare filesystem auto expand
@@ -66,6 +66,12 if [ "$ENABLE_REDUCE" = true ] ; then
66 66 rm -f "$R/boot/firmware/fixup_x.dat"
67 67 fi
68 68
69 # Remove kernel and initrd from /boot (already in /boot/firmware)
70 if [ "$BUILD_KERNEL" = false ] ; then
71 rm -r "$R/boot/vmlinuz--*"
72 rm -r "$R/boot/initrd.img-*"
73 fi
74
69 75 # Clean APT list of repositories
70 76 rm -fr "$R/var/lib/apt/lists/*"
71 77 chroot_exec apt-get -qq -y update
@@ -6,5 +6,3 deb http://ftp.debian.org/debian/ jessie-updates main contrib
6 6
7 7 deb http://security.debian.org/ jessie/updates main contrib
8 8 #deb-src http://security.debian.org/ jessie/updates main contrib
9
10 deb https://repositories.collabora.co.uk/debian jessie rpi2
@@ -1,8 +1,20
1 1 logger -t "rc.firstboot" "Generating SSH host keys"
2 rm -f /etc/ssh/ssh_host_*
3 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
7 2
8 systemctl restart sshd
3 if [ -d "/etc/ssh/" ] ; then
4 rm -f /etc/ssh/ssh_host_*
5 systemctl stop sshd
6 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
7 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
8 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
9 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
10 systemctl start sshd
11 fi
12
13 if [ -d "/etc/dropbear/" ] ; then
14 rm -f /etc/dropbear/dropbear_*
15 systemctl stop dropbear
16 dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
17 dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
18 dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
19 systemctl start dropbear
20 fi
@@ -5,14 +5,14 case "${ROOT_PART}" in
5 5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 6 sda*) ROOT_DEV=sda ;;
7 7 esac
8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
8 if [ "$PART_NUM" = "$ROOT_PART" ] ; then
9 9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 10 return 0
11 11 fi
12 12
13 13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 14 # agree to work with a sufficiently simple partition layout
15 if [ "$PART_NUM" -gt 2 ]; then
15 if [ "$PART_NUM" -gt 2 ] ; then
16 16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 17 return 0
18 18 fi
@@ -24,14 +24,18 fi
24 24
25 25 # Get the starting offset of the root partition
26 26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
27 if [ -z "$PART_START" ] ; then
28 logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition"
29 return 1
30 fi
28 31
29 32 # Get the possible last sector for the root partition
30 33 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
34 if [ -z "$PART_LAST" ] ; then
35 logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition"
36 return 1
37 fi
32 38
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 39 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 40 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 41 p
@@ -1,13 +1,15
1 1 logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
2 2
3
4 3 # Check if systemd resolve directory exists
5 if [ -d "/run/systemd/resolve" ] ; then
6 # Create resolv.conf file if it does not exists
7 if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
8 touch /run/systemd/resolve/resolv.conf
9 fi
4 if [ ! -d "/run/systemd/resolve" ] ; then
5 systemctl enable systemd-resolved.service
6 systemctl restart systemd-resolved.service
7 fi
10 8
11 # Create symlink to /etc/reolv.conf
12 ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
9 # Create resolv.conf file if it does not exists
10 if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
11 touch /run/systemd/resolve/resolv.conf
13 12 fi
13
14 # Create symlink to /etc/reolv.conf
15 ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
@@ -6,17 +6,18 cleanup (){
6 6
7 7 # Identify and kill all processes still using files
8 8 echo "killing processes using mount point ..."
9 fuser -k $R
9 fuser -k "$R"
10 10 sleep 3
11 fuser -9 -k -v $R
11 fuser -9 -k -v "$R"
12 12
13 13 # Clean up all temporary mount points
14 14 echo "removing temporary mount points ..."
15 umount -l $R/proc 2> /dev/null
16 umount -l $R/sys 2> /dev/null
17 umount -l $R/dev/pts 2> /dev/null
15 umount -l "$R/proc" 2> /dev/null
16 umount -l "$R/sys" 2> /dev/null
17 umount -l "$R/dev/pts" 2> /dev/null
18 18 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
19 19 umount "$BUILDDIR/mount" 2> /dev/null
20 cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
20 21 losetup -d "$ROOT_LOOP" 2> /dev/null
21 22 losetup -d "$FRMW_LOOP" 2> /dev/null
22 23 trap - 0 1 2 3 6
@@ -23,7 +23,7 fi
23 23
24 24 # Check if ./functions.sh script exists
25 25 if [ ! -r "./functions.sh" ] ; then
26 echo "error: './functions.sh' required script not found. please reinstall the latest script version!"
26 echo "error: './functions.sh' required script not found!"
27 27 exit 1
28 28 fi
29 29
@@ -45,9 +45,9 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
45 45 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
46 46
47 47 # Build directories
48 BASEDIR=$(pwd)/images/${RELEASE}
49 BUILDDIR=${BASEDIR}/build
50 R=${BUILDDIR}/chroot
48 BASEDIR="$(pwd)/images/${RELEASE}"
49 BUILDDIR="${BASEDIR}/build"
50 R="${BUILDDIR}/chroot"
51 51
52 52 # General settings
53 53 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
@@ -101,6 +101,7 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
101 101 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
102 102 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
103 103 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
104 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
104 105
105 106 # Kernel compilation settings
106 107 BUILD_KERNEL=${BUILD_KERNEL:=false}
@@ -120,12 +121,22 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
120 121 REDUCE_APT=${REDUCE_APT:=true}
121 122 REDUCE_DOC=${REDUCE_DOC:=true}
122 123 REDUCE_MAN=${REDUCE_MAN:=true}
123 REDUCE_VIM=${REDUCE_VIM:=true}
124 REDUCE_VIM=${REDUCE_VIM:=false}
124 125 REDUCE_BASH=${REDUCE_BASH:=false}
125 126 REDUCE_HWDB=${REDUCE_HWDB:=true}
126 127 REDUCE_SSHD=${REDUCE_SSHD:=true}
127 128 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
128 129
130 # Encrypted filesystem settings
131 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
132 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
133 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
134 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
135 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
136
137 # Stop the Crypto Wars
138 DISABLE_FBI=${DISABLE_FBI:=false}
139
129 140 # Chroot scripts directory
130 141 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
131 142
@@ -149,6 +160,28 if [ "$KERNEL_MENUCONFIG" = true ] ; then
149 160 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev"
150 161 fi
151 162
163 # Stop the Crypto Wars
164 if [ "$DISABLE_FBI" = true ] ; then
165 ENABLE_CRYPTFS=true
166 fi
167
168 # Add cryptsetup package to enable filesystem encryption
169 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
170 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
171 APT_INCLUDES="${APT_INCLUDES},cryptsetup"
172
173 if [ -z "$CRYPTFS_PASSWORD" ] ; then
174 echo "error: no password defined (CRYPTFS_PASSWORD)!"
175 exit 1
176 fi
177 ENABLE_INITRAMFS=true
178 fi
179
180 # Add initramfs generation tools
181 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
182 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
183 fi
184
152 185 # Check if all required packages are installed on the build system
153 186 for package in $REQUIRED_PACKAGES ; do
154 187 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
@@ -193,6 +226,12 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
193 226 exit 1
194 227 fi
195 228
229 # Check if specified device mapping already exists (will be used by cryptsetup)
230 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
231 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
232 exit 1
233 fi
234
196 235 # Don't clobber an old build
197 236 if [ -e "$BUILDDIR" ] ; then
198 237 echo "error: directory ${BUILDDIR} already exists, not proceeding"
@@ -215,7 +254,7 trap cleanup 0 1 2 3 6
215 254
216 255 # Add required packages for the minbase installation
217 256 if [ "$ENABLE_MINBASE" = true ] ; then
218 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
257 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
219 258 else
220 259 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
221 260 fi
@@ -321,6 +360,11 fi
321 360 # Remove apt-utils
322 361 chroot_exec apt-get purge -qq -y --force-yes apt-utils
323 362
363 # Generate required machine-id
364 MACHINE_ID=$(dbus-uuidgen)
365 echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id"
366 echo -n "${MACHINE_ID}" > "$R/etc/machine-id"
367
324 368 # APT Cleanup
325 369 chroot_exec apt-get -y clean
326 370 chroot_exec apt-get -y autoclean
@@ -331,19 +375,21 umount -l "$R/proc"
331 375 umount -l "$R/sys"
332 376
333 377 # Clean up directories
334 rm -rf "$R/run"
378 rm -rf "$R/run/*"
335 379 rm -rf "$R/tmp/*"
336 380
337 381 # Clean up files
382 rm -f "$R/etc/ssh/ssh_host_*"
383 rm -f "$R/etc/dropbear/dropbear_*"
338 384 rm -f "$R/etc/apt/sources.list.save"
339 385 rm -f "$R/etc/resolvconf/resolv.conf.d/original"
340 386 rm -f "$R/etc/*-"
341 387 rm -f "$R/root/.bash_history"
342 388 rm -f "$R/var/lib/urandom/random-seed"
343 rm -f "$R/var/lib/dbus/machine-id"
344 rm -f "$R/etc/machine-id"
345 389 rm -f "$R/etc/apt/apt.conf.d/10proxy"
346 390 rm -f "$R/etc/resolv.conf"
391 rm -f "$R/initrd.img"
392 rm -f "$R/vmlinuz"
347 393 rm -f "${R}${QEMU_BINARY}"
348 394
349 395 # Calculate size of the chroot directory in KB
@@ -371,43 +417,58 if [ "$ENABLE_SPLITFS" = true ] ; then
371 417 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
372 418 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
373 419 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
374 # Write partition tables
375 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM
376 unit: sectors
377
378 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
379 2 : start= 0, size= 0, Id= 0
380 3 : start= 0, size= 0, Id= 0
381 4 : start= 0, size= 0, Id= 0
420
421 # Write firmware/boot partition tables
422 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
423 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
382 424 EOM
383 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM
384 unit: sectors
385 425
386 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83
387 2 : start= 0, size= 0, Id= 0
388 3 : start= 0, size= 0, Id= 0
389 4 : start= 0, size= 0, Id= 0
426 # Write root partition table
427 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
428 ${TABLE_SECTORS},${ROOT_SECTORS},83
390 429 EOM
430
391 431 # Setup temporary loop devices
392 432 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
393 433 ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
394 else
434 else # ENABLE_SPLITFS=false
395 435 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
396 436 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
397 # Write partition table
398 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
399 unit: sectors
400 437
401 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
402 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
403 3 : start= 0, size= 0, Id= 0
404 4 : start= 0, size= 0, Id= 0
438 # Write partition table
439 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
440 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
441 ${ROOT_OFFSET},${ROOT_SECTORS},83
405 442 EOM
443
406 444 # Setup temporary loop devices
407 445 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
408 446 ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
409 447 fi
410 448
449 if [ "$ENABLE_CRYPTFS" = true ] ; then
450 # Create dummy ext4 fs
451 mkfs.ext4 "$ROOT_LOOP"
452
453 # Setup password keyfile
454 echo -n ${CRYPTFS_PASSWORD} > .password
455
456 # Initialize encrypted partition
457 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
458
459 # Open encrypted partition and setup mapping
460 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
461
462 # Secure delete password keyfile
463 shred -zu .password
464
465 # Update temporary loop device
466 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
467
468 # Wipe encrypted partition (encryption cipher is used for randomness)
469 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}")
470 fi
471
411 472 # Build filesystems
412 473 mkfs.vfat "$FRMW_LOOP"
413 474 mkfs.ext4 "$ROOT_LOOP"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant