@@ -0,0 +1,1 | |||
|
1 | # <target name> <source device> <key file> <options> |
@@ -21,6 +21,7 ENABLE_MINBASE=true ./rpi2-gen-image.sh | |||
|
21 | 21 | BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh |
|
22 | 22 | BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh |
|
23 | 23 | ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh |
|
24 | ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh | |
|
24 | 25 | ``` |
|
25 | 26 | |
|
26 | 27 | #### APT settings: |
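Review bot: the new usage example on line 24 puts the LUKS passphrase on the command line (`CRYPTFS_PASSWORD=changeme`), which lands in the shell history of the build host in clear text. Consider documenting a form that keeps it out of history, such as `read -rs CRYPTFS_PASSWORD; export CRYPTFS_PASSWORD` before invoking `./rpi2-gen-image.sh`, and stating in the README that the passphrase is taken from the environment.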
@@ -31,7 +32,7 Set Debian packages server address. Choose a server from the list of Debian worl | |||
|
31 | 32 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. |
|
32 | 33 | |
|
33 | 34 | ##### `APT_INCLUDES`="" |
|
34 |
A comma sep |
|
|
35 | A comma separated list of additional packages to be installed during bootstrapping. | |
|
35 | 36 | |
|
36 | 37 | #### General system settings: |
|
37 | 38 | ##### `HOSTNAME`="rpi2-jessie" |
@@ -65,13 +66,13 Set the supported variant(s) of the keyboard layout(s). | |||
|
65 | 66 | Set extra xkb configuration options. |
|
66 | 67 | |
|
67 | 68 | #### Networking settings (DHCP): |
|
68 |
This |
|
|
69 | This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`. | |
|
69 | 70 | |
|
70 | 71 | #####`ENABLE_DHCP`=true |
|
71 | 72 | Set the system to use DHCP. This requires an DHCP server. |
|
72 | 73 | |
|
73 | 74 | #### Networking settings (static): |
|
74 |
These |
|
|
75 | These parameters are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. | |
|
75 | 76 | |
|
76 | 77 | #####`NET_ADDRESS`="" |
|
77 | 78 | Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24". |
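Review bot: two small documentation issues in the unchanged context of this hunk. Line 72 reads "This requires an DHCP server" (should be "a DHCP server"), and the example address in line 78, `"192.169.0.3/24"`, is a public range; `192.168.0.3/24` is presumably the intended private example.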
@@ -131,7 +132,7 Install a user defined window manager for the X Window System. To make sure all | |||
|
131 | 132 | Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. |
|
132 | 133 | |
|
133 | 134 | ##### `ENABLE_REDUCE`=false |
|
134 | Reduce the disk usage by deleting packages and files. See `REDUCE_*` parameters for detailed information. | |
|
135 | Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information. | |
|
135 | 136 | |
|
136 | 137 | ##### `ENABLE_UBOOT`=false |
|
137 | 138 | Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. |
@@ -159,11 +160,14 Enable IPv4/IPv6 network stack hardening settings. | |||
|
159 | 160 | Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`. |
|
160 | 161 | |
|
161 | 162 | ##### `CHROOT_SCRIPTS`="" |
|
162 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. | |
|
163 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order. | |
|
164 | ||
|
165 | ##### `ENABLE_INITRAMFS`=false | |
|
166 | Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false. | |
|
163 | 167 | |
|
164 | 168 | #### Kernel compilation: |
|
165 | 169 | ##### `BUILD_KERNEL`=false |
|
166 |
Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. |
|
|
170 | Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. | |
|
167 | 171 | |
|
168 | 172 | ##### `KERNEL_REDUCE`=false |
|
169 | 173 | Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental). |
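Review bot: the added `ENABLE_INITRAMFS` description on line 166 has a doubled word: "Create an initramfs that that will be loaded". It would also help readers to say here that the initramfs is written to `/boot/firmware/initramfs-<version>` and referenced from `config.txt` via `initramfs ... followkernel`, since that is where the later hunks put it.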
@@ -184,10 +188,10 Remove all kernel sources from the generated OS image after it was built and ins | |||
|
184 | 188 | Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot. |
|
185 | 189 | |
|
186 | 190 | ##### `KERNELSRC_CLEAN`=false |
|
187 |
Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This |
|
|
191 | Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true. | |
|
188 | 192 | |
|
189 | 193 | ##### `KERNELSRC_CONFIG`=true |
|
190 |
Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This |
|
|
194 | Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true. | |
|
191 | 195 | |
|
192 | 196 | ##### `KERNELSRC_PREBUILT`=false |
|
193 | 197 | With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed. |
@@ -204,7 +208,7 Remove all doc files (harsh). Configure APT to not include doc files on future ` | |||
|
204 | 208 | ##### `REDUCE_MAN`=true |
|
205 | 209 | Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations. |
|
206 | 210 | |
|
207 |
##### `REDUCE_VIM`= |
|
|
211 | ##### `REDUCE_VIM`=false | |
|
208 | 212 | Replace `vim-tiny` package by `levee` a tiny vim clone. |
|
209 | 213 | |
|
210 | 214 | ##### `REDUCE_BASH`=false |
@@ -214,11 +218,28 Remove `bash` package and switch to `dash` shell (experimental). | |||
|
214 | 218 | Remove PCI related hwdb files (experimental). |
|
215 | 219 | |
|
216 | 220 | ##### `REDUCE_SSHD`=true |
|
217 | Replace `openssh-server` with dropbear. | |
|
221 | Replace `openssh-server` with `dropbear`. | |
|
218 | 222 | |
|
219 | 223 | ##### `REDUCE_LOCALE`=true |
|
220 | 224 | Remove all `locale` translation files. |
|
221 | 225 | |
|
226 | #### Encrypted root partition: | |
|
227 | ||
|
228 | ##### `ENABLE_CRYPTFS`=false | |
|
229 | Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help. | |
|
230 | ||
|
231 | ##### `CRYPTFS_PASSWORD`="" | |
|
232 | Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true. | |
|
233 | ||
|
234 | ##### `CRYPTFS_MAPPING`="secure" | |
|
235 | Set name of dm-crypt managed device-mapper mapping. | |
|
236 | ||
|
237 | ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512" | |
|
238 | Set cipher specification string. `aes-xts*` ciphers are strongly recommended. | |
|
239 | ||
|
240 | ##### `CRYPTFS_XTSKEYSIZE`=512 | |
|
241 | Sets key size in bits. The argument has to be a multiple of 8. | |
|
242 | ||
|
222 | 243 | ## Understanding the script |
|
223 | 244 | The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order: |
|
224 | 245 | |
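Review bot: the `ENABLE_CRYPTFS` description should spell out the threat model: only the root partition is encrypted, while `/boot/firmware` (bootloader blobs, kernel, initramfs, `cmdline.txt`) stays in clear text and is not integrity-checked, so the feature protects data at rest but not against a modified boot chain. For `CRYPTFS_CIPHER` on line 238, note that the `:sha512` suffix is part of the dm-crypt cipher specification, not the LUKS key-derivation hash; if a SHA-512 PBKDF is the intent, that is cryptsetup's separate `--hash` option, which the image-creation hunk does not pass. The `CRYPTFS_XTSKEYSIZE` text ("has to be a multiple of 8") could also mention that XTS splits the key in two, so 512 yields AES-256.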
@@ -235,11 +256,13 The functions of this script that are required for the different stages of the b | |||
|
235 | 256 | | `41-uboot.sh` | Build and Setup U-Boot | |
|
236 | 257 | | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver | |
|
237 | 258 | | `50-firstboot.sh` | First boot actions | |
|
259 | | `99-reduce.sh` | Reduce the disk space usage | | |
|
238 | 260 | |
|
239 | 261 | All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually. |
|
240 | 262 | |
|
241 | 263 | | Directory | Description | |
|
242 | 264 | | --- | --- | |
|
265 | | `apt` | APT management configuration files | | |
|
243 | 266 | | `boot` | Boot and RPi2 configuration files | |
|
244 | 267 | | `dpkg` | Package Manager configuration | |
|
245 | 268 | | `firstboot` | Scripts that get executed on first boot | |
@@ -13,11 +13,11 else | |||
|
13 | 13 | fi |
|
14 | 14 | |
|
15 | 15 | # Copy qemu emulator binary to chroot |
|
16 | cp "${QEMU_BINARY}" "$R/usr/bin" | |
|
16 | install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}" | |
|
17 | 17 | |
|
18 | 18 | # Copy debian-archive-keyring.pgp |
|
19 | 19 | mkdir -p "$R/usr/share/keyrings" |
|
20 |
|
|
|
20 | install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg" | |
|
21 | 21 | |
|
22 | 22 | # Complete the bootstrapping process |
|
23 | 23 | chroot_exec /debootstrap/debootstrap --second-stage |
@@ -11,18 +11,25 if [ -z "$APT_PROXY" ] ; then | |||
|
11 | 11 | sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy" |
|
12 | 12 | fi |
|
13 | 13 | |
|
14 | # Install APT pinning configuration for flash-kernel package | |
|
15 | install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel" | |
|
14 | if [ "$BUILD_KERNEL" = false ] ; then | |
|
15 | # Install APT pinning configuration for flash-kernel package | |
|
16 | install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel" | |
|
16 | 17 | |
|
17 | # Upgrade collabora package index and install collabora keyring | |
|
18 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list" | |
|
19 | chroot_exec apt-get -qq -y update | |
|
20 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
|
18 | # Install APT sources.list | |
|
19 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" | |
|
20 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list" | |
|
21 | ||
|
22 | # Upgrade collabora package index and install collabora keyring | |
|
23 | chroot_exec apt-get -qq -y update | |
|
24 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
|
25 | else # BUILD_KERNEL=true | |
|
26 | # Install APT sources.list | |
|
27 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" | |
|
21 | 28 | |
|
22 | # Install APT sources.list | |
|
23 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" | |
|
24 |
sed -i "s/ |
|
|
25 | sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list" | |
|
29 | # Use specified APT server and release | |
|
30 | sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list" | |
|
31 | sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list" | |
|
32 | fi | |
|
26 | 33 | |
|
27 | 34 | # Upgrade package index and update all installed packages and changed dependencies |
|
28 | 35 | chroot_exec apt-get -qq -y update |
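Review bot: the `APT_SERVER` and `${RELEASE}` substitutions (new lines 29-31) now run only in the `else # BUILD_KERNEL=true` branch, whereas the old lines 22-25 applied the `sed -i "s/ jessie/ ${RELEASE}/"` unconditionally; in the `BUILD_KERNEL=false` branch `files/apt/sources.list` is installed as-is (line 19), so the Debian entries stay on `jessie` and `ftp.debian.org` while only the Collabora line uses `${RELEASE}`. Moving lines 29-31 after the `fi` restores the old behaviour. Separately, line 24's `apt-get -qq -y --force-yes install collabora-obs-archive-keyring` disables signature verification for that whole apt-get run, not just for the keyring package; `--allow-unauthenticated` is the narrower option, and shipping the keyring as a verified file in `files/apt` would avoid the unauthenticated step entirely.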
@@ -110,24 +110,31 if [ "$BUILD_KERNEL" = true ] ; then | |||
|
110 | 110 | KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"` |
|
111 | 111 | |
|
112 | 112 | # Copy kernel configuration file to the boot directory |
|
113 |
|
|
|
113 | install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}" | |
|
114 | 114 | |
|
115 | 115 | # Copy dts and dtb device tree sources and binaries |
|
116 | 116 | mkdir "$R/boot/firmware/overlays/" |
|
117 |
|
|
|
118 |
|
|
|
119 |
|
|
|
117 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/" | |
|
118 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/" | |
|
119 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README" | |
|
120 | 120 | |
|
121 |
# Co |
|
|
122 |
|
|
|
121 | # Copy zImage kernel to the boot directory | |
|
122 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img" | |
|
123 | 123 | |
|
124 | 124 | # Remove kernel sources |
|
125 | 125 | if [ "$KERNEL_REMOVESRC" = true ] ; then |
|
126 | 126 | rm -fr "$R/usr/src/linux" |
|
127 | 127 | fi |
|
128 | 128 | |
|
129 | # Install raspberry bootloader and flash-kernel packages | |
|
130 | chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel | |
|
129 | # Install latest boot binaries from raspberry/firmware github | |
|
130 | wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin | |
|
131 | wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat | |
|
132 | wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat | |
|
133 | wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat | |
|
134 | wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf | |
|
135 | wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf | |
|
136 | wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf | |
|
137 | ||
|
131 | 138 | else # BUILD_KERNEL=false |
|
132 | 139 | # Kernel installation |
|
133 | 140 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel |
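Review bot: lines 130-136 replace the signed `raspberrypi-bootloader-nokernel` package with seven `wget -q -O` downloads from the `master` branch of the firmware repository, with no checksum and no check of the exit status. On any failure `-O` leaves a zero-length `bootcode.bin` or `start.elf` and the build continues to an unbootable image, and because `master` moves, two runs of the script do not produce the same boot blobs. Suggest pinning the URLs to a specific commit hash (placeholder: `https://github.com/raspberrypi/firmware/raw/<commit>/boot/...`), recording the expected SHA-256 of each file and verifying it with `sha256sum -c`, and aborting (`cleanup; exit 1`) when a download fails.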
@@ -135,9 +142,15 else # BUILD_KERNEL=false | |||
|
135 | 142 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
136 | 143 | chroot_exec apt-get -qq -y install flash-kernel |
|
137 | 144 | |
|
145 | # Check if kernel installation was successful | |
|
138 | 146 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
139 |
[ -z "$VMLINUZ" ] |
|
|
140 | cp "$VMLINUZ" "$R/boot/firmware/kernel7.img" | |
|
147 | if [ -z "$VMLINUZ" ] ; then | |
|
148 | echo "error: kernel installation failed! (/boot/vmlinuz-* not found)" | |
|
149 | cleanup | |
|
150 | exit 1 | |
|
151 | fi | |
|
152 | # Copy vmlinuz kernel to the boot directory | |
|
153 | install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img" | |
|
141 | 154 | fi |
|
142 | 155 | |
|
143 | 156 | # Setup firmware boot cmdline |
@@ -160,6 +173,11 fi | |||
|
160 | 173 | # Install firmware boot cmdline |
|
161 | 174 | echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt" |
|
162 | 175 | |
|
176 | # Add encrypted root partition to cmdline.txt | |
|
177 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |
|
178 | sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt" | |
|
179 | fi | |
|
180 | ||
|
163 | 181 | # Install firmware config |
|
164 | 182 | install_readonly files/boot/config.txt "$R/boot/firmware/config.txt" |
|
165 | 183 | |
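Review bot: the `sed` on line 178 adds `cryptdevice=/dev/mmcblk0p2:${CRYPTFS_MAPPING}` to `cmdline.txt`, but that parameter belongs to Arch's mkinitcpio; Debian's initramfs-tools cryptroot hook takes its mapping from the `/etc/crypttab` entry written in the fstab hunk (or from `cryptopts=target=...,source=...` on the command line) and ignores `cryptdevice=`. Either drop the extra parameter or use `cryptopts=`, so readers do not assume it is what unlocks the root. It is also worth a comment that with `none luks` in crypttab the initramfs prompts for the passphrase on the console, which matters for headless boards.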
@@ -168,6 +186,11 if [ "$ENABLE_MINGPU" = true ] ; then | |||
|
168 | 186 | echo "gpu_mem=16" >> "$R/boot/firmware/config.txt" |
|
169 | 187 | fi |
|
170 | 188 | |
|
189 | # Setup boot with initramfs | |
|
190 | if [ "$ENABLE_INITRAMFS" = true ] ; then | |
|
191 | echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt" | |
|
192 | fi | |
|
193 | ||
|
171 | 194 | # Create firmware configuration and cmdline symlinks |
|
172 | 195 | ln -sf firmware/config.txt "$R/boot/config.txt" |
|
173 | 196 | ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt" |
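Review bot: `KERNEL_VERSION` is only assigned in the `BUILD_KERNEL=true` branch (line 110 of the earlier hunk), yet line 189-192 test `ENABLE_INITRAMFS` alone. The README says the parameter is ignored when `BUILD_KERNEL=false`, but nothing resets it, so `ENABLE_INITRAMFS=true BUILD_KERNEL=false` writes `initramfs initramfs- followkernel` with an empty version and later calls `mkinitramfs` with an empty version. Force `ENABLE_INITRAMFS=false` when `BUILD_KERNEL=false` in `rpi2-gen-image.sh`, or guard this block with `[ "$BUILD_KERNEL" = true ]`.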
@@ -192,8 +215,37 install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-bla | |||
|
192 | 215 | |
|
193 | 216 | # Install and setup fstab |
|
194 | 217 | install_readonly files/mount/fstab "$R/etc/fstab" |
|
218 | ||
|
219 | # Add usb/sda disk root partition to fstab | |
|
195 | 220 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
196 |
sed -i |
|
|
221 | sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab" | |
|
222 | fi | |
|
223 | ||
|
224 | # Add encrypted root partition to fstab and crypttab | |
|
225 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |
|
226 | # Replace fstab root partition with encrypted partition mapping | |
|
227 | sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab" | |
|
228 | ||
|
229 | # Add encrypted partition to crypttab and fstab | |
|
230 | install_readonly files/mount/crypttab "$R/etc/crypttab" | |
|
231 | echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab" | |
|
232 | fi | |
|
233 | ||
|
234 | # Generate initramfs file | |
|
235 | if [ "$ENABLE_INITRAMFS" = true ] ; then | |
|
236 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |
|
237 | # Dummy mapping required by mkinitramfs | |
|
238 | echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" | |
|
239 | ||
|
240 | # Generate initramfs with encrypted root partition support | |
|
241 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |
|
242 | ||
|
243 | # Remove dummy mapping | |
|
244 | chroot_exec cryptsetup close "${CRYPTFS_MAPPING}" | |
|
245 | else | |
|
246 | # Generate initramfs without encrypted root partition support | |
|
247 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |
|
248 | fi | |
|
197 | 249 | fi |
|
198 | 250 | |
|
199 | 251 | # Install sysctl.d configuration files |
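Review bot: lines 221 and 227 both substitute the single `mmcblk0p2` in fstab, so with `ENABLE_SPLITFS=true` and `ENABLE_CRYPTFS=true` the second `sed` silently matches nothing and the crypttab entry on line 231 still points at `/dev/mmcblk0p2`. The README says the combination is unsupported; the script should enforce that with an explicit error in `rpi2-gen-image.sh` rather than producing an image whose fstab and crypttab disagree. A short comment on line 237 explaining why the dummy mapping is needed (mkinitramfs inspects the device behind the crypttab target) and that it is torn down by `cleanup` on failure would also help the next reader.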
@@ -19,7 +19,7 if [ "$ENABLE_UBOOT" = true ] ; then | |||
|
19 | 19 | chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all |
|
20 | 20 | |
|
21 | 21 | # Copy compiled bootloader binary and set config.txt to load it |
|
22 |
|
|
|
22 | install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin" | |
|
23 | 23 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt" |
|
24 | 24 | |
|
25 | 25 | # Install and setup U-Boot command file |
@@ -9,9 +9,8 | |||
|
9 | 9 | cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot" |
|
10 | 10 | |
|
11 | 11 | # Ensure openssh server host keys are regenerated on first boot |
|
12 |
if [ "$ENABLE_SSHD" = true ] |
|
|
12 | if [ "$ENABLE_SSHD" = true ] ; then | |
|
13 | 13 | cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot" |
|
14 | rm -f "$R/etc/ssh/ssh_host_*" | |
|
15 | 14 | fi |
|
16 | 15 | |
|
17 | 16 | # Prepare filesystem auto expand |
@@ -66,6 +66,12 if [ "$ENABLE_REDUCE" = true ] ; then | |||
|
66 | 66 | rm -f "$R/boot/firmware/fixup_x.dat" |
|
67 | 67 | fi |
|
68 | 68 | |
|
69 | # Remove kernel and initrd from /boot (already in /boot/firmware) | |
|
70 | if [ "$BUILD_KERNEL" = false ] ; then | |
|
71 | rm -r "$R/boot/vmlinuz--*" | |
|
72 | rm -r "$R/boot/initrd.img-*" | |
|
73 | fi | |
|
74 | ||
|
69 | 75 | # Clean APT list of repositories |
|
70 | 76 | rm -fr "$R/var/lib/apt/lists/*" |
|
71 | 77 | chroot_exec apt-get -qq -y update |
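Review bot: line 71, `rm -r "$R/boot/vmlinuz--*"`, has a doubled hyphen (the files are `vmlinuz-*`, see the `ls -1 $R/boot/vmlinuz-*` in 13-kernel.sh) and the glob is inside double quotes, so it is taken literally and never matches; the same quoting applies to line 72 and to the context line `rm -fr "$R/var/lib/apt/lists/*"`. Without `-f`, `rm -r` on a non-matching pattern also prints an error. Suggest `rm -f "$R"/boot/vmlinuz-*` and `rm -f "$R"/boot/initrd.img-*`, quoting the variable but leaving the glob outside the quotes.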
@@ -6,5 +6,3 deb http://ftp.debian.org/debian/ jessie-updates main contrib | |||
|
6 | 6 | |
|
7 | 7 | deb http://security.debian.org/ jessie/updates main contrib |
|
8 | 8 | #deb-src http://security.debian.org/ jessie/updates main contrib |
|
9 | ||
|
10 | deb https://repositories.collabora.co.uk/debian jessie rpi2 |
@@ -1,8 +1,20 | |||
|
1 | 1 | logger -t "rc.firstboot" "Generating SSH host keys" |
|
2 | rm -f /etc/ssh/ssh_host_* | |
|
3 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key | |
|
4 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key | |
|
5 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key | |
|
6 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key | |
|
7 | 2 | |
|
8 | systemctl restart sshd | |
|
3 | if [ -d "/etc/ssh/" ] ; then | |
|
4 | rm -f /etc/ssh/ssh_host_* | |
|
5 | systemctl stop sshd | |
|
6 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key | |
|
7 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key | |
|
8 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key | |
|
9 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key | |
|
10 | systemctl start sshd | |
|
11 | fi | |
|
12 | ||
|
13 | if [ -d "/etc/dropbear/" ] ; then | |
|
14 | rm -f /etc/dropbear/dropbear_* | |
|
15 | systemctl stop dropbear | |
|
16 | dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key | |
|
17 | dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key | |
|
18 | dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key | |
|
19 | systemctl start dropbear | |
|
20 | fi |
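Review bot: lines 7 and 17 generate DSA host keys (`ssh-keygen -t dsa`, `dropbearkey -t dss`); DSA host keys are limited to 1024 bits and OpenSSH 7.0 and later clients refuse `ssh-dss` by default, so these keys add nothing for modern clients and keep a weak algorithm available to older ones. Consider dropping both and keeping RSA, ECDSA and Ed25519. Note also that this script runs under `sh -e` (see the `|| true` comment in 22-expandroot.sh), so a failing `dropbearkey` leaves `dropbear` stopped on first boot; a `trap` or `|| true` on the `stop` and `start` pair would make the failure mode more obvious.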
@@ -5,14 +5,14 case "${ROOT_PART}" in | |||
|
5 | 5 | mmcblk0*) ROOT_DEV=mmcblk0 ;; |
|
6 | 6 | sda*) ROOT_DEV=sda ;; |
|
7 | 7 | esac |
|
8 | if [ "$PART_NUM" = "$ROOT_PART" ]; then | |
|
8 | if [ "$PART_NUM" = "$ROOT_PART" ] ; then | |
|
9 | 9 | logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand" |
|
10 | 10 | return 0 |
|
11 | 11 | fi |
|
12 | 12 | |
|
13 | 13 | # NOTE: the NOOBS partition layout confuses parted. For now, let's only |
|
14 | 14 | # agree to work with a sufficiently simple partition layout |
|
15 | if [ "$PART_NUM" -gt 2 ]; then | |
|
15 | if [ "$PART_NUM" -gt 2 ] ; then | |
|
16 | 16 | logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool." |
|
17 | 17 | return 0 |
|
18 | 18 | fi |
@@ -24,14 +24,18 fi | |||
|
24 | 24 | |
|
25 | 25 | # Get the starting offset of the root partition |
|
26 | 26 | PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') |
|
27 |
[ "$PART_START" ] |
|
|
27 | if [ -z "$PART_START" ] ; then | |
|
28 | logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition" | |
|
29 | return 1 | |
|
30 | fi | |
|
28 | 31 | |
|
29 | 32 | # Get the possible last sector for the root partition |
|
30 | 33 | PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') |
|
31 |
[ "$PART_LAST" ] |
|
|
34 | if [ -z "$PART_LAST" ] ; then | |
|
35 | logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition" | |
|
36 | return 1 | |
|
37 | fi | |
|
32 | 38 | |
|
33 | # Return value will likely be error for fdisk as it fails to reload the | |
|
34 | # partition table because the root fs is mounted | |
|
35 | 39 | ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit |
|
36 | 40 | fdisk /dev/${ROOT_DEV} <<EOF2 || true |
|
37 | 41 | p |
@@ -1,13 +1,15 | |||
|
1 | 1 | logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink" |
|
2 | 2 | |
|
3 | ||
|
4 | 3 | # Check if systemd resolve directory exists |
|
5 | if [ -d "/run/systemd/resolve" ] ; then | |
|
6 | # Create resolv.conf file if it does not exists | |
|
7 | if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then | |
|
8 | touch /run/systemd/resolve/resolv.conf | |
|
9 | fi | |
|
4 | if [ ! -d "/run/systemd/resolve" ] ; then | |
|
5 | systemctl enable systemd-resolved.service | |
|
6 | systemctl restart systemd-resolved.service | |
|
7 | fi | |
|
10 | 8 | |
|
11 | # Create symlink to /etc/reolv.conf | |
|
12 |
|
|
|
9 | # Create resolv.conf file if it does not exists | |
|
10 | if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then | |
|
11 | touch /run/systemd/resolve/resolv.conf | |
|
13 | 12 | fi |
|
13 | ||
|
14 | # Create symlink to /etc/reolv.conf | |
|
15 | ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf |
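Review bot: line 15 uses `ln -s` without `-f`; if `/etc/resolv.conf` already exists on first boot (for example written by a DHCP client before rc.firstboot runs), the command fails and, since rc.firstboot runs under `sh -e`, the remaining first-boot steps are skipped. `ln -sf` is the safer form. Minor: the comment on line 14 says "reolv.conf" and line 9 should read "if it does not exist".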
@@ -6,17 +6,18 cleanup (){ | |||
|
6 | 6 | |
|
7 | 7 | # Identify and kill all processes still using files |
|
8 | 8 | echo "killing processes using mount point ..." |
|
9 | fuser -k $R | |
|
9 | fuser -k "$R" | |
|
10 | 10 | sleep 3 |
|
11 | fuser -9 -k -v $R | |
|
11 | fuser -9 -k -v "$R" | |
|
12 | 12 | |
|
13 | 13 | # Clean up all temporary mount points |
|
14 | 14 | echo "removing temporary mount points ..." |
|
15 | umount -l $R/proc 2> /dev/null | |
|
16 | umount -l $R/sys 2> /dev/null | |
|
17 | umount -l $R/dev/pts 2> /dev/null | |
|
15 | umount -l "$R/proc" 2> /dev/null | |
|
16 | umount -l "$R/sys" 2> /dev/null | |
|
17 | umount -l "$R/dev/pts" 2> /dev/null | |
|
18 | 18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
19 | 19 | umount "$BUILDDIR/mount" 2> /dev/null |
|
20 | cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null | |
|
20 | 21 | losetup -d "$ROOT_LOOP" 2> /dev/null |
|
21 | 22 | losetup -d "$FRMW_LOOP" 2> /dev/null |
|
22 | 23 | trap - 0 1 2 3 6 |
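Review bot: the `cryptsetup close` on line 20 is correctly ordered before `losetup -d`, but `cleanup` does not remove the `.password` keyfile that the image-creation hunk writes to the working directory before `luksFormat`; if the build aborts between writing and `shred -zu`, the passphrase stays on disk in clear text. Add `shred -zu .password 2> /dev/null` here, or avoid the file altogether by feeding the passphrase to cryptsetup on stdin.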
@@ -23,7 +23,7 fi | |||
|
23 | 23 | |
|
24 | 24 | # Check if ./functions.sh script exists |
|
25 | 25 | if [ ! -r "./functions.sh" ] ; then |
|
26 |
echo "error: './functions.sh' required script not found |
|
|
26 | echo "error: './functions.sh' required script not found!" | |
|
27 | 27 | exit 1 |
|
28 | 28 | fi |
|
29 | 29 | |
@@ -45,9 +45,9 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig} | |||
|
45 | 45 | QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static} |
|
46 | 46 | |
|
47 | 47 | # Build directories |
|
48 | BASEDIR=$(pwd)/images/${RELEASE} | |
|
49 | BUILDDIR=${BASEDIR}/build | |
|
50 | R=${BUILDDIR}/chroot | |
|
48 | BASEDIR="$(pwd)/images/${RELEASE}" | |
|
49 | BUILDDIR="${BASEDIR}/build" | |
|
50 | R="${BUILDDIR}/chroot" | |
|
51 | 51 | |
|
52 | 52 | # General settings |
|
53 | 53 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
@@ -101,6 +101,7 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |||
|
101 | 101 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
102 | 102 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
103 | 103 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} |
|
104 | ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false} | |
|
104 | 105 | |
|
105 | 106 | # Kernel compilation settings |
|
106 | 107 | BUILD_KERNEL=${BUILD_KERNEL:=false} |
@@ -120,12 +121,22 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false} | |||
|
120 | 121 | REDUCE_APT=${REDUCE_APT:=true} |
|
121 | 122 | REDUCE_DOC=${REDUCE_DOC:=true} |
|
122 | 123 | REDUCE_MAN=${REDUCE_MAN:=true} |
|
123 |
REDUCE_VIM=${REDUCE_VIM:= |
|
|
124 | REDUCE_VIM=${REDUCE_VIM:=false} | |
|
124 | 125 | REDUCE_BASH=${REDUCE_BASH:=false} |
|
125 | 126 | REDUCE_HWDB=${REDUCE_HWDB:=true} |
|
126 | 127 | REDUCE_SSHD=${REDUCE_SSHD:=true} |
|
127 | 128 | REDUCE_LOCALE=${REDUCE_LOCALE:=true} |
|
128 | 129 | |
|
130 | # Encrypted filesystem settings | |
|
131 | ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false} | |
|
132 | CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |
|
133 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} | |
|
134 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} | |
|
135 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} | |
|
136 | ||
|
137 | # Stop the Crypto Wars | |
|
138 | DISABLE_FBI=${DISABLE_FBI:=false} | |
|
139 | ||
|
129 | 140 | # Chroot scripts directory |
|
130 | 141 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
|
131 | 142 | |
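Review bot: `DISABLE_FBI` (line 138) is an undocumented alias that flips `ENABLE_CRYPTFS` on; it does not appear in the README hunk. Either document it next to `ENABLE_CRYPTFS` or drop it, since an unlisted variable that silently changes the image layout makes the build configuration harder to audit.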
@@ -149,6 +160,28 if [ "$KERNEL_MENUCONFIG" = true ] ; then | |||
|
149 | 160 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev" |
|
150 | 161 | fi |
|
151 | 162 | |
|
163 | # Stop the Crypto Wars | |
|
164 | if [ "$DISABLE_FBI" = true ] ; then | |
|
165 | ENABLE_CRYPTFS=true | |
|
166 | fi | |
|
167 | ||
|
168 | # Add cryptsetup package to enable filesystem encryption | |
|
169 | if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |
|
170 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" | |
|
171 | APT_INCLUDES="${APT_INCLUDES},cryptsetup" | |
|
172 | ||
|
173 | if [ -z "$CRYPTFS_PASSWORD" ] ; then | |
|
174 | echo "error: no password defined (CRYPTFS_PASSWORD)!" | |
|
175 | exit 1 | |
|
176 | fi | |
|
177 | ENABLE_INITRAMFS=true | |
|
178 | fi | |
|
179 | ||
|
180 | # Add initramfs generation tools | |
|
181 | if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |
|
182 | APT_INCLUDES="${APT_INCLUDES},initramfs-tools" | |
|
183 | fi | |
|
184 | ||
|
152 | 185 | # Check if all required packages are installed on the build system |
|
153 | 186 | for package in $REQUIRED_PACKAGES ; do |
|
154 | 187 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
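Review bot: the password check and the `cryptsetup`/`initramfs-tools` additions on lines 169-183 are gated on `BUILD_KERNEL=true`, but every later use of `ENABLE_CRYPTFS` (the `cmdline.txt` rewrite, the fstab and crypttab changes, and the `luksFormat` of the root image) tests `ENABLE_CRYPTFS` alone. With `ENABLE_CRYPTFS=true BUILD_KERNEL=false` the result is a LUKS-formatted root with no `cryptsetup` in the image and no initramfs, that is, an unbootable image, not the "parameter will be ignored" behaviour the README promises. Either set `ENABLE_CRYPTFS=false` (with a warning) when `BUILD_KERNEL=false`, or fail early with an error.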
@@ -193,6 +226,12 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then | |||
|
193 | 226 | exit 1 |
|
194 | 227 | fi |
|
195 | 228 | |
|
229 | # Check if specified device mapping already exists (will be used by cryptsetup) | |
|
230 | if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then | |
|
231 | echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding" | |
|
232 | exit 1 | |
|
233 | fi | |
|
234 | ||
|
196 | 235 | # Don't clobber an old build |
|
197 | 236 | if [ -e "$BUILDDIR" ] ; then |
|
198 | 237 | echo "error: directory ${BUILDDIR} already exists, not proceeding" |
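Review bot: line 230 tests `/dev/mapping/${CRYPTFS_MAPPING}`, but device-mapper nodes live under `/dev/mapper/`, so this check never fires and the later `dmsetup create` / `luksOpen` will collide with an existing mapping of the same name on the build host instead of stopping here. Change both the test and the message on line 231 to `/dev/mapper/${CRYPTFS_MAPPING}`; `[ -e ... ]` is also the more appropriate test than `-r` for a device node.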
@@ -215,7 +254,7 trap cleanup 0 1 2 3 6 | |||
|
215 | 254 | |
|
216 | 255 | # Add required packages for the minbase installation |
|
217 | 256 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
218 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" | |
|
257 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown" | |
|
219 | 258 | else |
|
220 | 259 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
221 | 260 | fi |
@@ -321,6 +360,11 fi | |||
|
321 | 360 | # Remove apt-utils |
|
322 | 361 | chroot_exec apt-get purge -qq -y --force-yes apt-utils |
|
323 | 362 | |
|
363 | # Generate required machine-id | |
|
364 | MACHINE_ID=$(dbus-uuidgen) | |
|
365 | echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id" | |
|
366 | echo -n "${MACHINE_ID}" > "$R/etc/machine-id" | |
|
367 | ||
|
324 | 368 | # APT Cleanup |
|
325 | 369 | chroot_exec apt-get -y clean |
|
326 | 370 | chroot_exec apt-get -y autoclean |
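Review bot: lines 363-366 bake one `dbus-uuidgen` value into `/etc/machine-id` and `/var/lib/dbus/machine-id`, so every board flashed from the same image shares a machine ID, which systemd treats as a unique host identifier (journal, DHCP client identifiers in networkd, and similar). The lines this hunk replaces deleted both files so the ID was generated on first boot. If an empty file is what was needed to get the chroot steps to run, prefer truncating `/etc/machine-id` to zero length (systemd then generates a fresh ID at boot) and regenerate the dbus copy in rc.firstboot, rather than shipping a fixed value.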
@@ -331,19 +375,21 umount -l "$R/proc" | |||
|
331 | 375 | umount -l "$R/sys" |
|
332 | 376 | |
|
333 | 377 | # Clean up directories |
|
334 | rm -rf "$R/run" | |
|
378 | rm -rf "$R/run/*" | |
|
335 | 379 | rm -rf "$R/tmp/*" |
|
336 | 380 | |
|
337 | 381 | # Clean up files |
|
382 | rm -f "$R/etc/ssh/ssh_host_*" | |
|
383 | rm -f "$R/etc/dropbear/dropbear_*" | |
|
338 | 384 | rm -f "$R/etc/apt/sources.list.save" |
|
339 | 385 | rm -f "$R/etc/resolvconf/resolv.conf.d/original" |
|
340 | 386 | rm -f "$R/etc/*-" |
|
341 | 387 | rm -f "$R/root/.bash_history" |
|
342 | 388 | rm -f "$R/var/lib/urandom/random-seed" |
|
343 | rm -f "$R/var/lib/dbus/machine-id" | |
|
344 | rm -f "$R/etc/machine-id" | |
|
345 | 389 | rm -f "$R/etc/apt/apt.conf.d/10proxy" |
|
346 | 390 | rm -f "$R/etc/resolv.conf" |
|
391 | rm -f "$R/initrd.img" | |
|
392 | rm -f "$R/vmlinuz" | |
|
347 | 393 | rm -f "${R}${QEMU_BINARY}" |
|
348 | 394 | |
|
349 | 395 | # Calculate size of the chroot directory in KB |
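Review bot: the globs on lines 378, 382 and 383 are inside double quotes, so `rm -rf "$R/run/*"`, `rm -f "$R/etc/ssh/ssh_host_*"` and `rm -f "$R/etc/dropbear/dropbear_*"` are literal names and remove nothing; the old `rm -rf "$R/run"` at least removed the directory. The intent of 382-383 is that no host key generated during bootstrapping ends up in the published image, which is a real privacy and authentication concern if a device never reaches the first-boot regeneration, so these need to work. Write them as `rm -f "$R"/etc/ssh/ssh_host_*` (variable quoted, glob unquoted); the context lines `rm -rf "$R/tmp/*"` and `rm -f "$R/etc/*-"` have the same problem.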
@@ -371,43 +417,58 if [ "$ENABLE_SPLITFS" = true ] ; then | |||
|
371 | 417 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} |
|
372 | 418 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} |
|
373 | 419 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} |
|
374 | # Write partition tables | |
|
375 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM | |
|
376 | unit: sectors | |
|
377 | ||
|
378 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
|
379 | 2 : start= 0, size= 0, Id= 0 | |
|
380 | 3 : start= 0, size= 0, Id= 0 | |
|
381 | 4 : start= 0, size= 0, Id= 0 | |
|
420 | ||
|
421 | # Write firmware/boot partition tables | |
|
422 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM | |
|
423 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* | |
|
382 | 424 | EOM |
|
383 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM | |
|
384 | unit: sectors | |
|
385 | 425 | |
|
386 | 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83 | |
|
387 | 2 : start= 0, size= 0, Id= 0 | |
|
388 | 3 : start= 0, size= 0, Id= 0 | |
|
389 | 4 : start= 0, size= 0, Id= 0 | |
|
426 | # Write root partition table | |
|
427 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM | |
|
428 | ${TABLE_SECTORS},${ROOT_SECTORS},83 | |
|
390 | 429 | EOM |
|
430 | ||
|
391 | 431 | # Setup temporary loop devices |
|
392 | 432 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)" |
|
393 | 433 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)" |
|
394 | else | |
|
434 | else # ENABLE_SPLITFS=false | |
|
395 | 435 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} |
|
396 | 436 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} |
|
397 | # Write partition table | |
|
398 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
|
399 | unit: sectors | |
|
400 | 437 | |
|
401 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
|
402 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 | |
|
403 | 3 : start= 0, size= 0, Id= 0 | |
|
404 | 4 : start= 0, size= 0, Id= 0 | |
|
438 | # Write partition table | |
|
439 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM | |
|
440 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* | |
|
441 | ${ROOT_OFFSET},${ROOT_SECTORS},83 | |
|
405 | 442 | EOM |
|
443 | ||
|
406 | 444 | # Setup temporary loop devices |
|
407 | 445 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
408 | 446 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
409 | 447 | fi |
|
410 | 448 | |
|
449 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |
|
450 | # Create dummy ext4 fs | |
|
451 | mkfs.ext4 "$ROOT_LOOP" | |
|
452 | ||
|
453 | # Setup password keyfile | |
|
454 | echo -n ${CRYPTFS_PASSWORD} > .password | |
|
455 | ||
|
456 | # Initialize encrypted partition | |
|
457 | echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password | |
|
458 | ||
|
459 | # Open encrypted partition and setup mapping | |
|
460 | cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}" | |
|
461 | ||
|
462 | # Secure delete password keyfile | |
|
463 | shred -zu .password | |
|
464 | ||
|
465 | # Update temporary loop device | |
|
466 | ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}" | |
|
467 | ||
|
468 | # Wipe encrypted partition (encryption cipher is used for randomness) | |
|
469 | dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}") | |
|
470 | fi | |
|
471 | ||
|
411 | 472 | # Build filesystems |
|
412 | 473 | mkfs.vfat "$FRMW_LOOP" |
|
413 | 474 | mkfs.ext4 "$ROOT_LOOP" |
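Review bot: line 454, `echo -n ${CRYPTFS_PASSWORD} > .password`, leaves the variable unquoted, so a passphrase containing spaces or glob characters is altered before it reaches `luksFormat`, and the file is created with the default umask in the current directory. At minimum quote it and set `umask 077` first; better, pass the passphrase on stdin (`--key-file -`) so it never touches disk, which also removes the need for the `shred` on line 463. Line 457's `echo "YES" |` can be replaced by `cryptsetup -q luksFormat`, which is the documented way to skip the confirmation. Finally, the `mkfs.ext4` on line 451 writes a plaintext filesystem onto the raw loop device that the LUKS header then only partially overwrites; if it is needed for some tool, a comment should say which, otherwise it can go since line 474 creates the real filesystem on the mapping.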