Added: ENABLE_CRYPTFS - encrypted rootfs, use-latest-bootloader, cp-cleanup
Jan Wagner -
r77:b33dfc51ccaf
@@ -0,0 +1,1
1 # <target name> <source device> <key file> <options>
@@ -1,4 +1,5
1 1 images
2 2 custom.d
3 3 *.swp
4 *.bak
4 5 *.log
@@ -1,273 +1,296
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh
22 22 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh
23 23 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
24 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
24 25 ```
25 26
26 27 #### APT settings:
27 28 ##### `APT_SERVER`="ftp.debian.org"
28 29 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
29 30
30 31 ##### `APT_PROXY`=""
31 32 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
32 33
33 34 ##### `APT_INCLUDES`=""
34 A comma seperated list of additional packages to be installed during bootstrapping.
35 A comma separated list of additional packages to be installed during bootstrapping.
35 36
36 37 #### General system settings:
37 38 ##### `HOSTNAME`="rpi2-jessie"
38 39 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
39 40
40 41 ##### `PASSWORD`="raspberry"
41 42 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
42 43
43 44 ##### `DEFLOCAL`="en_US.UTF-8"
44 45 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
45 46
46 47 ##### `TIMEZONE`="Europe/Berlin"
47 48 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
48 49
49 50 ##### `EXPANDROOT`=true
50 51 Expand the root partition and filesystem automatically on first boot.
51 52
52 53 #### Keyboard settings:
53 54 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
54 55
55 56 ##### `XKB_MODEL`=""
56 57 Set the name of the model of your keyboard type.
57 58
58 59 ##### `XKB_LAYOUT`=""
59 60 Set the supported keyboard layout(s).
60 61
61 62 ##### `XKB_VARIANT`=""
62 63 Set the supported variant(s) of the keyboard layout(s).
63 64
64 65 ##### `XKB_OPTIONS`=""
65 66 Set extra xkb configuration options.
66 67
67 68 #### Networking settings (DHCP):
68 This setting is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
69 This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
69 70
70 71 #####`ENABLE_DHCP`=true
71 72 Set the system to use DHCP. This requires an DHCP server.
72 73
73 74 #### Networking settings (static):
74 These settings are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking settings are only supported if `ENABLE_DHCP` was set to `false`.
75 These parameters are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`.
75 76
76 77 #####`NET_ADDRESS`=""
77 78 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
78 79
79 80 #####`NET_GATEWAY`=""
80 81 Set the IP address for the default gateway.
81 82
82 83 #####`NET_DNS_1`=""
83 84 Set the IP address for the first DNS server.
84 85
85 86 #####`NET_DNS_2`=""
86 87 Set the IP address for the second DNS server.
87 88
88 89 #####`NET_DNS_DOMAINS`=""
89 90 Set the default DNS search domains to use for non fully qualified host names.
90 91
91 92 #####`NET_NTP_1`=""
92 93 Set the IP address for the first NTP server.
93 94
94 95 #####`NET_NTP_2`=""
95 96 Set the IP address for the second NTP server.
96 97
97 98 #### Basic system features:
98 99 ##### `ENABLE_CONSOLE`=true
99 100 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
100 101
101 102 ##### `ENABLE_IPV6`=true
102 103 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
103 104
104 105 ##### `ENABLE_SSHD`=true
105 106 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
106 107
107 108 ##### `ENABLE_RSYSLOG`=true
108 109 If set to false, disable and uninstall rsyslog (so logs will be available only
109 110 in journal files)
110 111
111 112 ##### `ENABLE_SOUND`=true
112 113 Enable sound hardware and install Advanced Linux Sound Architecture.
113 114
114 115 ##### `ENABLE_HWRANDOM`=true
115 116 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
116 117
117 118 ##### `ENABLE_MINGPU`=false
118 119 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
119 120
120 121 ##### `ENABLE_DBUS`=true
121 122 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
122 123
123 124 ##### `ENABLE_XORG`=false
124 125 Install Xorg open-source X Window System.
125 126
126 127 ##### `ENABLE_WM`=""
127 128 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
128 129
129 130 #### Advanced system features:
130 131 ##### `ENABLE_MINBASE`=false
131 132 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
132 133
133 134 ##### `ENABLE_REDUCE`=false
134 Reduce the disk usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
135 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
135 136
136 137 ##### `ENABLE_UBOOT`=false
137 138 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
138 139
139 140 ##### `ENABLE_FBTURBO`=false
140 141 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
141 142
142 143 ##### `ENABLE_IPTABLES`=false
143 144 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
144 145
145 146 ##### `ENABLE_USER`=true
146 147 Create pi user with password raspberry
147 148
148 149 ##### `ENABLE_ROOT`=true
149 150 Set root user password so root login will be enabled
150 151
151 152 ##### `ENABLE_ROOT_SSH`=true
152 153 Enable password root login via SSH. May be a security risk with default
153 154 password, use only in trusted environments.
154 155
155 156 ##### `ENABLE_HARDNET`=false
156 157 Enable IPv4/IPv6 network stack hardening settings.
157 158
158 159 ##### `ENABLE_SPLITFS`=false
159 160 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
160 161
161 162 ##### `CHROOT_SCRIPTS`=""
162 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
163 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
164
165 ##### `ENABLE_INITRAMFS`=false
166 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
163 167
164 168 #### Kernel compilation:
165 169 ##### `BUILD_KERNEL`=false
166 Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. Detailed configuration parameters for customizing the kernel and minor bug fixes still need to get implemented. feel free to help.
170 Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used.
167 171
168 172 ##### `KERNEL_REDUCE`=false
169 173 Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental).
170 174
171 175 ##### `KERNEL_THREADS`=1
172 176 Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
173 177
174 178 ##### `KERNEL_HEADERS`=true
175 179 Install kernel headers with built kernel.
176 180
177 181 ##### `KERNEL_MENUCONFIG`=false
178 182 Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
179 183
180 184 ##### `KERNEL_REMOVESRC`=true
181 185 Remove all kernel sources from the generated OS image after it was built and installed.
182 186
183 187 ##### `KERNELSRC_DIR`=""
184 188 Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
185 189
186 190 ##### `KERNELSRC_CLEAN`=false
187 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This setting will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
191 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
188 192
189 193 ##### `KERNELSRC_CONFIG`=true
190 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This setting is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This settings is ignored if `KERNELSRC_PREBUILT`=true.
194 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
191 195
192 196 ##### `KERNELSRC_PREBUILT`=false
193 197 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
194 198
195 199 #### Reduce disk usage:
196 200 The following list of parameters is ignored if `ENABLE_REDUCE`=false.
197 201
198 202 ##### `REDUCE_APT`=true
199 203 Configure APT to use compressed package repository lists and no package caching files.
200 204
201 205 ##### `REDUCE_DOC`=true
202 206 Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
203 207
204 208 ##### `REDUCE_MAN`=true
205 209 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
206 210
207 ##### `REDUCE_VIM`=true
211 ##### `REDUCE_VIM`=false
208 212 Replace `vim-tiny` package by `levee` a tiny vim clone.
209 213
210 214 ##### `REDUCE_BASH`=false
211 215 Remove `bash` package and switch to `dash` shell (experimental).
212 216
213 217 ##### `REDUCE_HWDB`=true
214 218 Remove PCI related hwdb files (experimental).
215 219
216 220 ##### `REDUCE_SSHD`=true
217 Replace `openssh-server` with dropbear.
221 Replace `openssh-server` with `dropbear`.
218 222
219 223 ##### `REDUCE_LOCALE`=true
220 224 Remove all `locale` translation files.
221 225
226 #### Encrypted root partition:
227
228 ##### `ENABLE_CRYPTFS`=false
229 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help.
230
231 ##### `CRYPTFS_PASSWORD`=""
232 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
233
234 ##### `CRYPTFS_MAPPING`="secure"
235 Set name of dm-crypt managed device-mapper mapping.
236
237 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
238 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
239
240 ##### `CRYPTFS_XTSKEYSIZE`=512
241 Sets key size in bits. The argument has to be a multiple of 8.
242
222 243 ## Understanding the script
223 244 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
224 245
225 246 | Script | Description |
226 247 | --- | --- |
227 248 | `10-bootstrap.sh` | Debootstrap basic system |
228 249 | `11-apt.sh` | Setup APT repositories |
229 250 | `12-locale.sh` | Setup Locales and keyboard settings |
230 251 | `13-kernel.sh` | Build and install RPi2 Kernel |
231 252 | `20-networking.sh` | Setup Networking |
232 253 | `21-firewall.sh` | Setup Firewall |
233 254 | `30-security.sh` | Setup Users and Security settings |
234 255 | `31-logging.sh` | Setup Logging |
235 256 | `41-uboot.sh` | Build and Setup U-Boot |
236 257 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
237 258 | `50-firstboot.sh` | First boot actions |
259 | `99-reduce.sh` | Reduce the disk space usage |
238 260
239 261 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
240 262
241 263 | Directory | Description |
242 264 | --- | --- |
265 | `apt` | APT management configuration files |
243 266 | `boot` | Boot and RPi2 configuration files |
244 267 | `dpkg` | Package Manager configuration |
245 268 | `firstboot` | Scripts that get executed on first boot |
246 269 | `iptables` | Firewall configuration files |
247 270 | `locales` | Locales configuration |
248 271 | `modules` | Kernel Modules configuration |
249 272 | `mount` | Fstab configuration |
250 273 | `network` | Networking configuration files |
251 274 | `sysctl.d` | Swapping and Network Hardening configuration |
252 275 | `xorg` | fbturbo Xorg driver configuration |
253 276
254 277 ## Logging of the bootstrapping process
255 278 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
256 279
257 280 ```shell
258 281 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
259 282 ```
260 283
261 284 ## Flashing the image file
262 285 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
263 286
264 287 #####Flashing examples:
265 288 ```shell
266 289 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
267 290 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
268 291 ```
269 292 If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
270 293 ```shell
271 294 bmaptool copy ./images/jessie/2015-12-13-debian-jessie-frmw.img /dev/mmcblk0
272 295 bmaptool copy ./images/jessie/2015-12-13-debian-jessie-root.img /dev/sdc
273 296 ```
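Review bot: `CRYPTFS_PASSWORD` is documented as mandatory, and the new example on line 24 passes it on the command line as `CRYPTFS_PASSWORD=changeme`, so the LUKS passphrase lands in the build host's shell history and is visible in the process list while the script runs. The `CRYPTFS_PASSWORD` entry should say so, and the example could point to an interactive prompt or a passphrase file as the preferred route. Two smaller points: the `ENABLE_INITRAMFS` entry states that it is enabled automatically when `ENABLE_CRYPTFS`=true and ignored when `BUILD_KERNEL`=false, but nothing in this patch implements either rule, so please confirm the parameter handling in `rpi2-gen-image.sh` does; and "Create an initramfs that that will be loaded" has a doubled "that".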
@@ -1,28 +1,28
1 1 #
2 2 # Debootstrap basic system
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Base debootstrap (unpack only)
9 9 if [ "$ENABLE_MINBASE" = true ] ; then
10 10 http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --variant=minbase --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
11 11 else
12 12 http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
13 13 fi
14 14
15 15 # Copy qemu emulator binary to chroot
16 cp "${QEMU_BINARY}" "$R/usr/bin"
16 install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
17 17
18 18 # Copy debian-archive-keyring.pgp
19 19 mkdir -p "$R/usr/share/keyrings"
20 cp /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
20 install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
21 21
22 22 # Complete the bootstrapping process
23 23 chroot_exec /debootstrap/debootstrap --second-stage
24 24
25 25 # Mount required filesystems
26 26 mount -t proc none "$R/proc"
27 27 mount -t sysfs none "$R/sys"
28 28 mount --bind /dev/pts "$R/dev/pts"
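Review bot: `install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"` only places the emulator correctly if `QEMU_BINARY` is an absolute path such as `/usr/bin/qemu-arm-static`; the previous `cp "${QEMU_BINARY}" "$R/usr/bin"` accepted any path. A comment stating that assumption, or resolving the path first, would avoid a surprise later. Switching the keyring copy to `install_readonly` is a good change: the chroot's `debian-archive-keyring.gpg` is what APT uses for signature checks in the following stages, so it should not be writable. Neither helper is defined in this patch, so I am assuming both exist in `functions.sh`.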
@@ -1,30 +1,37
1 1 #
2 2 # Setup APT repositories
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup APT proxy configuration
9 9 if [ -z "$APT_PROXY" ] ; then
10 10 install_readonly files/apt/10proxy "$R/etc/apt/apt.conf.d/10proxy"
11 11 sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
12 12 fi
13 13
14 if [ "$BUILD_KERNEL" = false ] ; then
14 15 # Install APT pinning configuration for flash-kernel package
15 16 install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
16 17
18 # Install APT sources.list
19 install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
20 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list"
21
17 22 # Upgrade collabora package index and install collabora keyring
18 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list"
19 23 chroot_exec apt-get -qq -y update
20 24 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
21
25 else # BUILD_KERNEL=true
22 26 # Install APT sources.list
23 27 install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
28
29 # Use specified APT server and release
24 30 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
25 31 sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
32 fi
26 33
27 34 # Upgrade package index and update all installed packages and changed dependencies
28 35 chroot_exec apt-get -qq -y update
29 36 chroot_exec apt-get -qq -y -u dist-upgrade
30 37 chroot_exec apt-get -qq -y check
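Review bot: in the new `BUILD_KERNEL=false` branch, `files/apt/sources.list` is installed verbatim and the Collabora line is appended, but the two `sed` calls that substitute `${APT_SERVER}` and `${RELEASE}` only run in the `else` branch, so `APT_SERVER` and `RELEASE` are silently ignored for the Debian entries whenever the Collabora kernel is used. Moving the `install_readonly` and both `sed` lines above the `if`, and keeping only the `echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> ...` in the first branch, fixes that. Also, `apt-get update` and `--force-yes install collabora-obs-archive-keyring` still run before the Collabora signing key is present, so the keyring package is fetched from a repository APT cannot yet verify; pre-seeding the key from a known-good local copy would close that gap. Unrelated but visible in context: `if [ -z "$APT_PROXY" ]` installs the proxy configuration when `APT_PROXY` is empty, which looks inverted.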
@@ -1,200 +1,252
1 1 #
2 2 # Build and Setup RPi2 Kernel
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Fetch and build latest raspberry kernel
9 9 if [ "$BUILD_KERNEL" = true ] ; then
10 10 # Setup source directory
11 11 mkdir -p "$R/usr/src"
12 12
13 13 # Copy existing kernel sources into chroot directory
14 14 if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then
15 15 # Copy kernel sources
16 16 cp -r "${KERNELSRC_DIR}" "${R}/usr/src"
17 17
18 18 # Clean the kernel sources
19 19 if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then
20 20 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
21 21 fi
22 22 else # KERNELSRC_DIR=""
23 23 # Fetch current raspberrypi kernel sources
24 24 git -C "$R/usr/src" clone --depth=1 https://github.com/raspberrypi/linux
25 25 fi
26 26
27 27 # Calculate optimal number of kernel building threads
28 28 if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
29 29 KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
30 30 fi
31 31
32 32 # Configure and build kernel
33 33 if [ "$KERNELSRC_PREBUILT" = false ] ; then
34 34 # Remove device, network and filesystem drivers from kernel configuration
35 35 if [ "$KERNEL_REDUCE" = true ] ; then
36 36 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
37 37 sed -i\
38 38 -e "s/\(^CONFIG_SND.*\=\).*/\1n/"\
39 39 -e "s/\(^CONFIG_SOUND.*\=\).*/\1n/"\
40 40 -e "s/\(^CONFIG_AC97.*\=\).*/\1n/"\
41 41 -e "s/\(^CONFIG_VIDEO_.*\=\).*/\1n/"\
42 42 -e "s/\(^CONFIG_MEDIA_TUNER.*\=\).*/\1n/"\
43 43 -e "s/\(^CONFIG_DVB.*\=\)[ym]/\1n/"\
44 44 -e "s/\(^CONFIG_REISERFS.*\=\).*/\1n/"\
45 45 -e "s/\(^CONFIG_JFS.*\=\).*/\1n/"\
46 46 -e "s/\(^CONFIG_XFS.*\=\).*/\1n/"\
47 47 -e "s/\(^CONFIG_GFS2.*\=\).*/\1n/"\
48 48 -e "s/\(^CONFIG_OCFS2.*\=\).*/\1n/"\
49 49 -e "s/\(^CONFIG_BTRFS.*\=\).*/\1n/"\
50 50 -e "s/\(^CONFIG_HFS.*\=\).*/\1n/"\
51 51 -e "s/\(^CONFIG_JFFS2.*\=\)[ym]/\1n/"\
52 52 -e "s/\(^CONFIG_UBIFS.*\=\).*/\1n/"\
53 53 -e "s/\(^CONFIG_SQUASHFS.*\=\)[ym]/\1n/"\
54 54 -e "s/\(^CONFIG_W1.*\=\)[ym]/\1n/"\
55 55 -e "s/\(^CONFIG_HAMRADIO.*\=\).*/\1n/"\
56 56 -e "s/\(^CONFIG_CAN.*\=\).*/\1n/"\
57 57 -e "s/\(^CONFIG_IRDA.*\=\).*/\1n/"\
58 58 -e "s/\(^CONFIG_BT_.*\=\).*/\1n/"\
59 59 -e "s/\(^CONFIG_WIMAX.*\=\)[ym]/\1n/"\
60 60 -e "s/\(^CONFIG_6LOWPAN.*\=\).*/\1n/"\
61 61 -e "s/\(^CONFIG_IEEE802154.*\=\).*/\1n/"\
62 62 -e "s/\(^CONFIG_NFC.*\=\).*/\1n/"\
63 63 -e "s/\(^CONFIG_FB_TFT=.*\=\).*/\1n/"\
64 64 -e "s/\(^CONFIG_TOUCHSCREEN.*\=\).*/\1n/"\
65 65 -e "s/\(^CONFIG_USB_GSPCA_.*\=\).*/\1n/"\
66 66 -e "s/\(^CONFIG_DRM.*\=\).*/\1n/"\
67 67 "$R/usr/src/linux/.config"
68 68 fi
69 69
70 70 if [ "$KERNELSRC_CONFIG" = true ] ; then
71 71 # Load default raspberry kernel configuration
72 72 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
73 73
74 74 # Start menu-driven kernel configuration (interactive)
75 75 if [ "$KERNEL_MENUCONFIG" = true ] ; then
76 76 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
77 77 fi
78 78 fi
79 79
80 80 # Cross compile kernel and modules
81 81 make -C "$R/usr/src/linux" -j${KERNEL_THREADS} ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" zImage modules dtbs
82 82 fi
83 83
84 84 # Check if kernel compilation was successful
85 85 if [ ! -r "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" ] ; then
86 86 echo "error: kernel compilation failed! (zImage not found)"
87 87 cleanup
88 88 exit 1
89 89 fi
90 90
91 91 # Install kernel modules
92 92 if [ "$ENABLE_REDUCE" = true ] ; then
93 93 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
94 94 else
95 95 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
96 96
97 97 # Install kernel firmware
98 98 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
99 99 fi
100 100
101 101 # Install kernel headers
102 102 if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then
103 103 make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
104 104 fi
105 105
106 106 # Prepare boot (firmware) directory
107 107 mkdir "$R/boot/firmware/"
108 108
109 109 # Get kernel release version
110 110 KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`
111 111
112 112 # Copy kernel configuration file to the boot directory
113 cp "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
113 install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
114 114
115 115 # Copy dts and dtb device tree sources and binaries
116 116 mkdir "$R/boot/firmware/overlays/"
117 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
118 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
119 cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/"
117 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
118 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
119 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README"
120 120
121 # Convert kernel zImage and copy it to the boot directory
122 "$R/usr/src/linux/scripts/mkknlimg" "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
121 # Copy zImage kernel to the boot directory
122 install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
123 123
124 124 # Remove kernel sources
125 125 if [ "$KERNEL_REMOVESRC" = true ] ; then
126 126 rm -fr "$R/usr/src/linux"
127 127 fi
128 128
129 # Install raspberry bootloader and flash-kernel packages
130 chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel
129 # Install latest boot binaries from raspberry/firmware github
130 wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
131 wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
132 wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
133 wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
134 wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
135 wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
136 wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
137
131 138 else # BUILD_KERNEL=false
132 139 # Kernel installation
133 140 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
134 141
135 142 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
136 143 chroot_exec apt-get -qq -y install flash-kernel
137 144
145 # Check if kernel installation was successful
138 146 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
139 [ -z "$VMLINUZ" ] && exit 1
140 cp "$VMLINUZ" "$R/boot/firmware/kernel7.img"
147 if [ -z "$VMLINUZ" ] ; then
148 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
149 cleanup
150 exit 1
151 fi
152 # Copy vmlinuz kernel to the boot directory
153 install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img"
141 154 fi
142 155
143 156 # Setup firmware boot cmdline
144 157 if [ "$ENABLE_SPLITFS" = true ] ; then
145 158 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
146 159 else
147 160 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
148 161 fi
149 162
150 163 # Add serial console support
151 164 if [ "$ENABLE_CONSOLE" = true ] ; then
152 165 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
153 166 fi
154 167
155 168 # Remove IPv6 networking support
156 169 if [ "$ENABLE_IPV6" = false ] ; then
157 170 CMDLINE="${CMDLINE} ipv6.disable=1"
158 171 fi
159 172
160 173 # Install firmware boot cmdline
161 174 echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"
162 175
176 # Add encrypted root partition to cmdline.txt
177 if [ "$ENABLE_CRYPTFS" = true ] ; then
178 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt"
179 fi
180
163 181 # Install firmware config
164 182 install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"
165 183
166 184 # Setup minimal GPU memory allocation size: 16MB (no X)
167 185 if [ "$ENABLE_MINGPU" = true ] ; then
168 186 echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"
169 187 fi
170 188
189 # Setup boot with initramfs
190 if [ "$ENABLE_INITRAMFS" = true ] ; then
191 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt"
192 fi
193
171 194 # Create firmware configuration and cmdline symlinks
172 195 ln -sf firmware/config.txt "$R/boot/config.txt"
173 196 ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"
174 197
175 198 # Install and setup kernel modules to load at boot
176 199 mkdir -p "$R/lib/modules-load.d/"
177 200 install_readonly files/modules/rpi2.conf "$R/lib/modules-load.d/rpi2.conf"
178 201
179 202 # Load hardware random module at boot
180 203 if [ "$ENABLE_HWRANDOM" = true ] ; then
181 204 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "$R/lib/modules-load.d/rpi2.conf"
182 205 fi
183 206
184 207 # Load sound module at boot
185 208 if [ "$ENABLE_SOUND" = true ] ; then
186 209 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "$R/lib/modules-load.d/rpi2.conf"
187 210 fi
188 211
189 212 # Install kernel modules blacklist
190 213 mkdir -p "$R/etc/modprobe.d/"
191 214 install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-blacklist.conf"
192 215
193 216 # Install and setup fstab
194 217 install_readonly files/mount/fstab "$R/etc/fstab"
218
219 # Add usb/sda disk root partition to fstab
195 220 if [ "$ENABLE_SPLITFS" = true ] ; then
196 sed -i 's/mmcblk0p2/sda1/' "$R/etc/fstab"
221 sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"
222 fi
223
224 # Add encrypted root partition to fstab and crypttab
225 if [ "$ENABLE_CRYPTFS" = true ] ; then
226 # Replace fstab root partition with encrypted partition mapping
227 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab"
228
229 # Add encrypted partition to crypttab and fstab
230 install_readonly files/mount/crypttab "$R/etc/crypttab"
231 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab"
232 fi
233
234 # Generate initramfs file
235 if [ "$ENABLE_INITRAMFS" = true ] ; then
236 if [ "$ENABLE_CRYPTFS" = true ] ; then
237 # Dummy mapping required by mkinitramfs
238 echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
239
240 # Generate initramfs with encrypted root partition support
241 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
242
243 # Remove dummy mapping
244 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
245 else
246 # Generate initramfs without encrypted root partition support
247 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
248 fi
197 249 fi
198 250
199 251 # Install sysctl.d configuration files
200 252 install_readonly files/sysctl.d/81-rpi-vm.conf "$R/etc/sysctl.d/81-rpi-vm.conf"
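Review bot: the encrypted-root wiring silently breaks when ENABLE_SPLITFS is also true. In that case the cmdline carries `root=/dev/sda1`, and the earlier `sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"` has already rewritten fstab, so the two ENABLE_CRYPTFS `sed` calls (`s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=.../` on cmdline.txt and `s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/` on fstab) match nothing, while the crypttab line still hard-codes `/dev/mmcblk0p2`; the result is an image whose cmdline, fstab and crypttab disagree about where the root lives. Either reject the ENABLE_CRYPTFS + ENABLE_SPLITFS combination at option-check time or compute the backing device once from ENABLE_SPLITFS and use that variable in all three places. Minor: the two `chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"` lines are identical, so only the dummy `dmsetup create` / `cryptsetup close` pair needs to be conditional and the mkinitramfs call can sit once after it.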
@@ -1,31 +1,31
1 1 #
2 2 # Build and Setup U-Boot
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install gcc/c++ build environment inside the chroot
9 9 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ] ; then
10 10 chroot_exec apt-get -q -y --force-yes --no-install-recommends install linux-compiler-gcc-4.9-arm g++ make bc
11 11 fi
12 12
13 13 # Fetch and build U-Boot bootloader
14 14 if [ "$ENABLE_UBOOT" = true ] ; then
15 15 # Fetch U-Boot bootloader sources
16 16 git -C "$R/tmp" clone git://git.denx.de/u-boot.git
17 17
18 18 # Build and install U-Boot inside chroot
19 19 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
20 20
21 21 # Copy compiled bootloader binary and set config.txt to load it
22 cp "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/"
22 install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin"
23 23 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt"
24 24
25 25 # Install and setup U-Boot command file
26 26 install_readonly files/boot/uboot.mkimage "$R/boot/firmware/uboot.mkimage"
27 27 printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat $R/boot/firmware/uboot.mkimage)" > "$R/boot/firmware/uboot.mkimage"
28 28
29 29 # Generate U-Boot bootloader image
30 30 chroot_exec /tmp/u-boot/tools/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n RPi2 -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
31 31 fi
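Review bot: swapping `cp` for `install_readonly` on u-boot.bin is fine, but the bootloader being installed still comes from `git -C "$R/tmp" clone git://git.denx.de/u-boot.git` with no tag or commit pinned and over the unauthenticated git:// transport, so the boot path of every image depends on whatever upstream HEAD is on build day and nothing verifies what was fetched. Clone over https and check out a fixed release tag (and print it in the build output) so the bootloader build is reproducible and reviewable. Also, `$(cat $R/boot/firmware/uboot.mkimage)` in the `printf` line still has `$R` unquoted, unlike the rest of the file after this change; quote it.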
@@ -1,35 +1,34
1 1 #
2 2 # First boot actions
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Prepare rc.firstboot script
9 9 cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot"
10 10
11 11 # Ensure openssh server host keys are regenerated on first boot
12 if [ "$ENABLE_SSHD" = true ] && [ "$ENABLE_REDUCE" = false ]; then
12 if [ "$ENABLE_SSHD" = true ] ; then
13 13 cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot"
14 rm -f "$R/etc/ssh/ssh_host_*"
15 14 fi
16 15
17 16 # Prepare filesystem auto expand
18 17 if [ "$EXPANDROOT" = true ] ; then
19 18 cat files/firstboot/22-expandroot.sh >> "$R/etc/rc.firstboot"
20 19 fi
21 20
22 21 # Ensure that dbus machine-id exists
23 22 cat files/firstboot/23-generate-machineid.sh >> "$R/etc/rc.firstboot"
24 23
25 24 # Create /etc/resolv.conf symlink
26 25 cat files/firstboot/24-create-resolv-symlink.sh >> "$R/etc/rc.firstboot"
27 26
28 27 # Finalize rc.firstboot script
29 28 cat files/firstboot/99-finish.sh >> "$R/etc/rc.firstboot"
30 29 chmod +x "$R/etc/rc.firstboot"
31 30
32 31 # Add rc.firstboot script to rc.local
33 32 sed -i '/exit 0/d' "$R/etc/rc.local"
34 33 echo /etc/rc.firstboot >> "$R/etc/rc.local"
35 34 echo exit 0 >> "$R/etc/rc.local"
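Review bot: the removed `rm -f "$R/etc/ssh/ssh_host_*"` never deleted anything, because the glob is inside double quotes and is passed to `rm` literally; the relocated copy in the main script's clean-up section repeats the same quoted glob, so the build-time host keys still ship inside the image and every device starts with identical keys until rc.firstboot replaces them. Write the deletion as `rm -f "$R"/etc/ssh/ssh_host_*` wherever it ends up. Dropping the `[ "$ENABLE_REDUCE" = false ]` condition is consistent with 21-generate-ssh-keys.sh now handling the dropbear case as well; a sentence in the commit message saying so would save the next reader the cross-check.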
@@ -1,72 +1,78
1 1 #
2 2 # Reduce system disk usage
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Reduce the image size by various operations
9 9 if [ "$ENABLE_REDUCE" = true ] ; then
10 10 if [ "$REDUCE_APT" = true ] ; then
11 11 # Install dpkg configuration file
12 12 if [ "$REDUCE_DOC" = true ] || [ "$REDUCE_MAN" = true ] ; then
13 13 install_readonly files/dpkg/01nodoc "$R/etc/dpkg/dpkg.cfg.d/01nodoc"
14 14 fi
15 15
16 16 # Install APT configuration files
17 17 install_readonly files/apt/02nocache "$R/etc/apt/apt.conf.d/02nocache"
18 18 install_readonly files/apt/03compress "$R/etc/apt/apt.conf.d/03compress"
19 19 install_readonly files/apt/04norecommends "$R/etc/apt/apt.conf.d/04norecommends"
20 20
21 21 # Remove APT cache files
22 22 rm -fr "$R/var/cache/apt/pkgcache.bin"
23 23 rm -fr "$R/var/cache/apt/srcpkgcache.bin"
24 24 fi
25 25
26 26 # Remove all doc files
27 27 if [ "$REDUCE_DOC" = true ] ; then
28 28 find "$R/usr/share/doc" -depth -type f ! -name copyright | xargs rm || true
29 29 find "$R/usr/share/doc" -empty | xargs rmdir || true
30 30 fi
31 31
32 32 # Remove all man pages and info files
33 33 if [ "$REDUCE_MAN" = true ] ; then
34 34 rm -rf "$R/usr/share/man" "$R/usr/share/groff" "$R/usr/share/info" "$R/usr/share/lintian" "$R/usr/share/linda" "$R/var/cache/man"
35 35 fi
36 36
37 37 # Remove all locale translation files
38 38 if [ "$REDUCE_LOCALE" = true ] ; then
39 39 find "$R/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' | xargs rm -r
40 40 fi
41 41
42 42 # Remove hwdb PCI device classes (experimental)
43 43 if [ "$REDUCE_HWDB" = true ] ; then
44 44 rm -fr "/lib/udev/hwdb.d/20-pci-*"
45 45 fi
46 46
47 47 # Replace bash shell by dash shell (experimental)
48 48 if [ "$REDUCE_BASH" = true ] ; then
49 49 echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --force-yes bash
50 50 chroot_exec update-alternatives --install /bin/bash bash /bin/dash 100
51 51 fi
52 52
53 53 # Remove sound utils and libraries
54 54 if [ "$ENABLE_SOUND" = false ] ; then
55 55 chroot_exec apt-get -qq -y --force-yes purge alsa-utils libsamplerate0 libasound2 libasound2-data
56 56 fi
57 57
58 58 # Re-install tools for managing kernel moduless
59 59 chroot_exec apt-get -qq -y --force-yes install module-init-tools
60 60
61 61 # Remove GPU kernels
62 62 if [ "$ENABLE_MINGPU" = true ] ; then
63 63 rm -f "$R/boot/firmware/start.elf"
64 64 rm -f "$R/boot/firmware/fixup.dat"
65 65 rm -f "$R/boot/firmware/start_x.elf"
66 66 rm -f "$R/boot/firmware/fixup_x.dat"
67 67 fi
68 68
69 # Remove kernel and initrd from /boot (already in /boot/firmware)
70 if [ "$BUILD_KERNEL" = false ] ; then
71 rm -r "$R/boot/vmlinuz--*"
72 rm -r "$R/boot/initrd.img-*"
73 fi
74
69 75 # Clean APT list of repositories
70 76 rm -fr "$R/var/lib/apt/lists/*"
71 77 chroot_exec apt-get -qq -y update
72 78 fi
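Review bot: the new `BUILD_KERNEL = false` clean-up block cannot work as written: `rm -r "$R/boot/vmlinuz--*"` keeps the glob inside double quotes (so it is passed literally and matches no file) and has a doubled dash in `vmlinuz--`, and because `-f` is missing the non-match makes `rm` exit non-zero, which under the main script's `set -e` aborts the whole build. Replace the two lines with `rm -f "$R"/boot/vmlinuz-* "$R"/boot/initrd.img-*`. The surrounding context has the same quoted-glob mistake in `rm -fr "/lib/udev/hwdb.d/20-pci-*"` (which additionally targets the host's /lib rather than `$R`) and `rm -fr "$R/var/lib/apt/lists/*"`; worth fixing in the same pass so the reduce step actually removes what its comments say it removes.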
@@ -1,10 +1,8
1 1 deb http://ftp.debian.org/debian jessie main contrib
2 2 #deb-src http://ftp.debian.org/debian jessie main contrib
3 3
4 4 deb http://ftp.debian.org/debian/ jessie-updates main contrib
5 5 #deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
6 6
7 7 deb http://security.debian.org/ jessie/updates main contrib
8 8 #deb-src http://security.debian.org/ jessie/updates main contrib
9
10 deb https://repositories.collabora.co.uk/debian jessie rpi2
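Review bot: adding `deb https://repositories.collabora.co.uk/debian jessie rpi2` pulls the kernel from a third-party archive, but nothing in this patch installs that archive's signing key into the chroot's apt keyring, so unless it is added elsewhere in bootstrap.d apt will flag the source as unauthenticated on the first `apt-get update` that sees this line. If the key is already handled, mention it in the commit message; if not, install it under /etc/apt/trusted.gpg.d/ before that update. The https transport only protects the download in transit; the signature check is what protects against a substituted or compromised mirror.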
@@ -1,8 +1,20
1 1 logger -t "rc.firstboot" "Generating SSH host keys"
2
3 if [ -d "/etc/ssh/" ] ; then
2 4 rm -f /etc/ssh/ssh_host_*
5 systemctl stop sshd
3 6 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 7 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 8 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 9 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
10 systemctl start sshd
11 fi
7 12
8 systemctl restart sshd
13 if [ -d "/etc/dropbear/" ] ; then
14 rm -f /etc/dropbear/dropbear_*
15 systemctl stop dropbear
16 dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
17 dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
18 dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
19 systemctl start dropbear
20 fi
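Review bot: both branches still generate DSA host keys (`ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key` and `dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key`); DSA host keys are limited to 1024 bits and are disabled by default in OpenSSH from 7.0 onwards, so they only add a weak key to the server's offering. Drop the two DSA lines and keep rsa, ecdsa and (for OpenSSH) ed25519. Separately, because the keys are now generated on first boot, their quality depends on the entropy available on a freshly booted board at that moment; make sure this step runs after rng-tools and the hardware RNG module enabled by ENABLE_HWRANDOM are active, since a key drawn from a cold pool is not something the user can detect afterwards.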
@@ -1,52 +1,56
1 1 logger -t "rc.firstboot" "Expanding root"
2 2 ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
3 3 PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
4 4 case "${ROOT_PART}" in
5 5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 6 sda*) ROOT_DEV=sda ;;
7 7 esac
8 8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
9 9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 10 return 0
11 11 fi
12 12
13 13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 14 # agree to work with a sufficiently simple partition layout
15 15 if [ "$PART_NUM" -gt 2 ]; then
16 16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 17 return 0
18 18 fi
19 19 LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
20 20 if [ $LAST_PART_NUM -ne $PART_NUM ]; then
21 21 logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
22 22 return 0
23 23 fi
24 24
25 25 # Get the starting offset of the root partition
26 26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
27 if [ -z "$PART_START" ] ; then
28 logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition"
29 return 1
30 fi
28 31
29 32 # Get the possible last sector for the root partition
30 33 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
34 if [ -z "$PART_LAST" ] ; then
35 logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition"
36 return 1
37 fi
32 38
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 39 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 40 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 41 p
38 42 d
39 43 $PART_NUM
40 44 n
41 45 p
42 46 $PART_NUM
43 47 $PART_START
44 48 $PART_LAST
45 49 p
46 50 w
47 51 EOF2
48 52
49 53 # Reload the partition table, resize root filesystem then remove resizing code from this file
50 54 partprobe &&
51 55 resize2fs /dev/${ROOT_PART} &&
52 56 logger -t "rc.firstboot" "Root partition successfuly resized."
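Review bot: the removed two-line comment explaining why fdisk's exit status is ignored (it fails to reload the partition table because the root filesystem is mounted) should stay; the surviving `### Since rc.local is run with "sh -e"` line explains the `|| true` mechanically but not why the failure is expected, and the next reader will be tempted to remove it. The two new `logger` messages read `"${ROOT_DEV} unable to get starting sector of the partition"` and `"${ROOT_DEV} unable to get last sector of the partition"`; including `${PART_NUM}` and the `/dev/` prefix would tell the user exactly which partition on which device could not be read.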
@@ -1,13 +1,15
1 1 logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
2 2
3
4 3 # Check if systemd resolve directory exists
5 if [ -d "/run/systemd/resolve" ] ; then
4 if [ ! -d "/run/systemd/resolve" ] ; then
5 systemctl enable systemd-resolved.service
6 systemctl restart systemd-resolved.service
7 fi
8
6 9 # Create resolv.conf file if it does not exists
7 10 if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
8 11 touch /run/systemd/resolve/resolv.conf
9 12 fi
10 13
11 14 # Create symlink to /etc/reolv.conf
12 15 ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
13 fi
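Review bot: `ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf` has no `-f`, so it fails if /etc/resolv.conf already exists when rc.firstboot runs, and because rc.local is executed with `sh -e` (as 22-expandroot.sh notes) that failure aborts the remainder of rc.firstboot; use `ln -sf`. Inverting the check to `if [ ! -d "/run/systemd/resolve" ]` and enabling/restarting systemd-resolved in that case is the right fix for the old logic, which only ever created the link when the directory already existed. Typo in the retained comment: `reolv.conf`.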
@@ -1,38 +1,39
1 1 # This file contains utility functions used by rpi2-gen-image.sh
2 2
3 3 cleanup (){
4 4 set +x
5 5 set +e
6 6
7 7 # Identify and kill all processes still using files
8 8 echo "killing processes using mount point ..."
9 fuser -k $R
9 fuser -k "$R"
10 10 sleep 3
11 fuser -9 -k -v $R
11 fuser -9 -k -v "$R"
12 12
13 13 # Clean up all temporary mount points
14 14 echo "removing temporary mount points ..."
15 umount -l $R/proc 2> /dev/null
16 umount -l $R/sys 2> /dev/null
17 umount -l $R/dev/pts 2> /dev/null
15 umount -l "$R/proc" 2> /dev/null
16 umount -l "$R/sys" 2> /dev/null
17 umount -l "$R/dev/pts" 2> /dev/null
18 18 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
19 19 umount "$BUILDDIR/mount" 2> /dev/null
20 cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
20 21 losetup -d "$ROOT_LOOP" 2> /dev/null
21 22 losetup -d "$FRMW_LOOP" 2> /dev/null
22 23 trap - 0 1 2 3 6
23 24 }
24 25
25 26 chroot_exec() {
26 27 # Exec command in chroot
27 28 LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot $R $*
28 29 }
29 30
30 31 install_readonly() {
31 32 # Install file with user read-only permissions
32 33 install -o root -g root -m 644 $*
33 34 }
34 35
35 36 install_exec() {
36 37 # Install file with root exec permissions
37 38 install -o root -g root -m 744 $*
38 39 }
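Review bot: the quoting fix is incomplete: `chroot_exec`, `install_readonly` and `install_exec` still expand `$*` unquoted, and `chroot $R $*` leaves `$R` unquoted too, so any argument containing whitespace or glob characters is re-split and re-globbed before it reaches `chroot` or `install`; use `"$R"` and `"$@"`. The new `cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null` is correctly ordered after the `umount` calls and before `losetup -d`, but it runs on every cleanup regardless of ENABLE_CRYPTFS; guarding it with `[ "$ENABLE_CRYPTFS" = true ] &&` keeps the error path quiet and avoids closing an unrelated mapping that happens to share the default name `secure`.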
@@ -1,443 +1,504
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Are we running as root?
19 19 if [ "$(id -u)" -ne "0" ] ; then
20 20 echo "error: this script must be executed with root privileges!"
21 21 exit 1
22 22 fi
23 23
24 24 # Check if ./functions.sh script exists
25 25 if [ ! -r "./functions.sh" ] ; then
26 echo "error: './functions.sh' required script not found. please reinstall the latest script version!"
26 echo "error: './functions.sh' required script not found!"
27 27 exit 1
28 28 fi
29 29
30 30 # Load utility functions
31 31 . ./functions.sh
32 32
33 33 # Introduce settings
34 34 set -e
35 35 echo -n -e "\n#\n# RPi2 Bootstrap Settings\n#\n"
36 36 set -x
37 37
38 38 # Debian release
39 39 RELEASE=${RELEASE:=jessie}
40 40 KERNEL_ARCH=${KERNEL_ARCH:=arm}
41 41 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
42 42 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
43 43 COLLABORA_KERNEL=${COLLABORA_KERNEL:=3.18.0-trunk-rpi2}
44 44 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
45 45 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
46 46
47 47 # Build directories
48 BASEDIR=$(pwd)/images/${RELEASE}
49 BUILDDIR=${BASEDIR}/build
50 R=${BUILDDIR}/chroot
48 BASEDIR="$(pwd)/images/${RELEASE}"
49 BUILDDIR="${BASEDIR}/build"
50 R="${BUILDDIR}/chroot"
51 51
52 52 # General settings
53 53 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
54 54 PASSWORD=${PASSWORD:=raspberry}
55 55 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
56 56 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
57 57 EXPANDROOT=${EXPANDROOT:=true}
58 58
59 59 # Keyboard settings
60 60 XKB_MODEL=${XKB_MODEL:=""}
61 61 XKB_LAYOUT=${XKB_LAYOUT:=""}
62 62 XKB_VARIANT=${XKB_VARIANT:=""}
63 63 XKB_OPTIONS=${XKB_OPTIONS:=""}
64 64
65 65 # Network settings (DHCP)
66 66 ENABLE_DHCP=${ENABLE_DHCP:=true}
67 67
68 68 # Network settings (static)
69 69 NET_ADDRESS=${NET_ADDRESS:=""}
70 70 NET_GATEWAY=${NET_GATEWAY:=""}
71 71 NET_DNS_1=${NET_DNS_1:=""}
72 72 NET_DNS_2=${NET_DNS_2:=""}
73 73 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
74 74 NET_NTP_1=${NET_NTP_1:=""}
75 75 NET_NTP_2=${NET_NTP_2:=""}
76 76
77 77 # APT settings
78 78 APT_PROXY=${APT_PROXY:=""}
79 79 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
80 80
81 81 # Feature settings
82 82 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
83 83 ENABLE_IPV6=${ENABLE_IPV6:=true}
84 84 ENABLE_SSHD=${ENABLE_SSHD:=true}
85 85 ENABLE_SOUND=${ENABLE_SOUND:=true}
86 86 ENABLE_DBUS=${ENABLE_DBUS:=true}
87 87 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
88 88 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
89 89 ENABLE_XORG=${ENABLE_XORG:=false}
90 90 ENABLE_WM=${ENABLE_WM:=""}
91 91 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
92 92 ENABLE_USER=${ENABLE_USER:=true}
93 93 ENABLE_ROOT=${ENABLE_ROOT:=false}
94 94 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
95 95
96 96 # Advanced settings
97 97 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
98 98 ENABLE_REDUCE=${ENABLE_REDUCE:=flase}
99 99 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
100 100 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
101 101 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
102 102 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
103 103 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
104 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
104 105
105 106 # Kernel compilation settings
106 107 BUILD_KERNEL=${BUILD_KERNEL:=false}
107 108 KERNEL_REDUCE=${KERNEL_REDUCE:=false}
108 109 KERNEL_THREADS=${KERNEL_THREADS:=1}
109 110 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
110 111 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
111 112 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
112 113
113 114 # Kernel compilation from source directory settings
114 115 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
115 116 KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
116 117 KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
117 118 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
118 119
119 120 # Reduce disk usage settings
120 121 REDUCE_APT=${REDUCE_APT:=true}
121 122 REDUCE_DOC=${REDUCE_DOC:=true}
122 123 REDUCE_MAN=${REDUCE_MAN:=true}
123 REDUCE_VIM=${REDUCE_VIM:=true}
124 REDUCE_VIM=${REDUCE_VIM:=false}
124 125 REDUCE_BASH=${REDUCE_BASH:=false}
125 126 REDUCE_HWDB=${REDUCE_HWDB:=true}
126 127 REDUCE_SSHD=${REDUCE_SSHD:=true}
127 128 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
128 129
130 # Encrypted filesystem settings
131 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
132 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
133 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
134 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
135 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
136
137 # Stop the Crypto Wars
138 DISABLE_FBI=${DISABLE_FBI:=false}
139
129 140 # Chroot scripts directory
130 141 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
131 142
132 143 # Packages required in the chroot build environment
133 144 APT_INCLUDES=${APT_INCLUDES:=""}
134 145 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo"
135 146
136 147 # Packages required for bootstrapping
137 148 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
138 149 MISSING_PACKAGES=""
139 150
140 151 set +x
141 152
142 153 # Add packages required for kernel cross compilation
143 154 if [ "$BUILD_KERNEL" = true ] ; then
144 155 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
145 156 fi
146 157
147 158 # Add libncurses5 to enable kernel menuconfig
148 159 if [ "$KERNEL_MENUCONFIG" = true ] ; then
149 160 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev"
150 161 fi
151 162
163 # Stop the Crypto Wars
164 if [ "$DISABLE_FBI" = true ] ; then
165 ENABLE_CRYPTFS=true
166 fi
167
168 # Add cryptsetup package to enable filesystem encryption
169 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
170 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
171 APT_INCLUDES="${APT_INCLUDES},cryptsetup"
172
173 if [ -z "$CRYPTFS_PASSWORD" ] ; then
174 echo "error: no password defined (CRYPTFS_PASSWORD)!"
175 exit 1
176 fi
177 ENABLE_INITRAMFS=true
178 fi
179
180 # Add initramfs generation tools
181 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
182 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
183 fi
184
152 185 # Check if all required packages are installed on the build system
153 186 for package in $REQUIRED_PACKAGES ; do
154 187 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
155 188 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
156 189 fi
157 190 done
158 191
159 192 # Ask if missing packages should get installed right now
160 193 if [ -n "$MISSING_PACKAGES" ] ; then
161 194 echo "the following packages needed by this script are not installed:"
162 195 echo "$MISSING_PACKAGES"
163 196
164 197 echo -n "\ndo you want to install the missing packages right now? [y/n] "
165 198 read confirm
166 199 [ "$confirm" != "y" ] && exit 1
167 200 fi
168 201
169 202 # Make sure all required packages are installed
170 203 apt-get -qq -y install ${REQUIRED_PACKAGES}
171 204
172 205 # Check if ./bootstrap.d directory exists
173 206 if [ ! -d "./bootstrap.d/" ] ; then
174 207 echo "error: './bootstrap.d' required directory not found!"
175 208 exit 1
176 209 fi
177 210
178 211 # Check if ./files directory exists
179 212 if [ ! -d "./files/" ] ; then
180 213 echo "error: './files' required directory not found!"
181 214 exit 1
182 215 fi
183 216
184 217 # Check if specified KERNELSRC_DIR directory exists
185 218 if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
186 219 echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
187 220 exit 1
188 221 fi
189 222
190 223 # Check if specified CHROOT_SCRIPTS directory exists
191 224 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
192 225 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
193 226 exit 1
194 227 fi
195 228
229 # Check if specified device mapping already exists (will be used by cryptsetup)
230 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
231 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
232 exit 1
233 fi
234
196 235 # Don't clobber an old build
197 236 if [ -e "$BUILDDIR" ] ; then
198 237 echo "error: directory ${BUILDDIR} already exists, not proceeding"
199 238 exit 1
200 239 fi
201 240
202 241 # Setup chroot directory
203 242 mkdir -p "$R"
204 243
205 244 # Check if build directory has enough of free disk space >512MB
206 245 if [ "$(df --output=avail ${BUILDDIR} | sed "1d")" -le "524288" ] ; then
207 246 echo "error: ${BUILDDIR} not enough space left to generate the output image!"
208 247 exit 1
209 248 fi
210 249
211 250 set -x
212 251
213 252 # Call "cleanup" function on various signals and errors
214 253 trap cleanup 0 1 2 3 6
215 254
216 255 # Add required packages for the minbase installation
217 256 if [ "$ENABLE_MINBASE" = true ] ; then
218 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
257 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
219 258 else
220 259 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
221 260 fi
222 261
223 262 # Add parted package, required to get partprobe utility
224 263 if [ "$EXPANDROOT" = true ] ; then
225 264 APT_INCLUDES="${APT_INCLUDES},parted"
226 265 fi
227 266
228 267 # Add dbus package, recommended if using systemd
229 268 if [ "$ENABLE_DBUS" = true ] ; then
230 269 APT_INCLUDES="${APT_INCLUDES},dbus"
231 270 fi
232 271
233 272 # Add iptables IPv4/IPv6 package
234 273 if [ "$ENABLE_IPTABLES" = true ] ; then
235 274 APT_INCLUDES="${APT_INCLUDES},iptables"
236 275 fi
237 276
238 277 # Add openssh server package
239 278 if [ "$ENABLE_SSHD" = true ] ; then
240 279 APT_INCLUDES="${APT_INCLUDES},openssh-server"
241 280 fi
242 281
243 282 # Add alsa-utils package
244 283 if [ "$ENABLE_SOUND" = true ] ; then
245 284 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
246 285 fi
247 286
248 287 # Add rng-tools package
249 288 if [ "$ENABLE_HWRANDOM" = true ] ; then
250 289 APT_INCLUDES="${APT_INCLUDES},rng-tools"
251 290 fi
252 291
253 292 # Add fbturbo video driver
254 293 if [ "$ENABLE_FBTURBO" = true ] ; then
255 294 # Enable xorg package dependencies
256 295 ENABLE_XORG=true
257 296 fi
258 297
259 298 # Add user defined window manager package
260 299 if [ -n "$ENABLE_WM" ] ; then
261 300 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
262 301
263 302 # Enable xorg package dependencies
264 303 ENABLE_XORG=true
265 304 fi
266 305
267 306 # Add xorg package
268 307 if [ "$ENABLE_XORG" = true ] ; then
269 308 APT_INCLUDES="${APT_INCLUDES},xorg"
270 309 fi
271 310
272 311 # Replace selected packages with smaller clones
273 312 if [ "$ENABLE_REDUCE" = true ] ; then
274 313 # Add levee package instead of vim-tiny
275 314 if [ "$REDUCE_VIM" = true ] ; then
276 315 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
277 316 fi
278 317
279 318 # Add dropbear package instead of openssh-server
280 319 if [ "$REDUCE_SSHD" = true ] ; then
281 320 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/openssh-server/dropbear/")"
282 321 fi
283 322 fi
284 323
285 324 # Configure kernel sources if no KERNELSRC_DIR
286 325 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
287 326 KERNELSRC_CONFIG=true
288 327 fi
289 328
290 329 # Configure reduced kernel
291 330 if [ "$KERNEL_REDUCE" = true ] ; then
292 331 KERNELSRC_CONFIG=false
293 332 fi
294 333
295 334 # Execute bootstrap scripts
296 335 for SCRIPT in bootstrap.d/*.sh; do
297 336 head -n 3 "$SCRIPT"
298 337 . "$SCRIPT"
299 338 done
300 339
301 340 ## Execute custom bootstrap scripts
302 341 if [ -d "custom.d" ] ; then
303 342 for SCRIPT in custom.d/*.sh; do
304 343 . "$SCRIPT"
305 344 done
306 345 fi
307 346
308 347 # Execute custom scripts inside the chroot
309 348 if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
310 349 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
311 350 chroot_exec /bin/bash -x <<'EOF'
312 351 for SCRIPT in /chroot_scripts/* ; do
313 352 if [ -f $SCRIPT -a -x $SCRIPT ] ; then
314 353 $SCRIPT
315 354 fi
316 355 done
317 356 EOF
318 357 rm -rf "$R/chroot_scripts"
319 358 fi
320 359
321 360 # Remove apt-utils
322 361 chroot_exec apt-get purge -qq -y --force-yes apt-utils
323 362
363 # Generate required machine-id
364 MACHINE_ID=$(dbus-uuidgen)
365 echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id"
366 echo -n "${MACHINE_ID}" > "$R/etc/machine-id"
367
324 368 # APT Cleanup
325 369 chroot_exec apt-get -y clean
326 370 chroot_exec apt-get -y autoclean
327 371 chroot_exec apt-get -y autoremove
328 372
329 373 # Unmount mounted filesystems
330 374 umount -l "$R/proc"
331 375 umount -l "$R/sys"
332 376
333 377 # Clean up directories
334 rm -rf "$R/run"
378 rm -rf "$R/run/*"
335 379 rm -rf "$R/tmp/*"
336 380
337 381 # Clean up files
382 rm -f "$R/etc/ssh/ssh_host_*"
383 rm -f "$R/etc/dropbear/dropbear_*"
338 384 rm -f "$R/etc/apt/sources.list.save"
339 385 rm -f "$R/etc/resolvconf/resolv.conf.d/original"
340 386 rm -f "$R/etc/*-"
341 387 rm -f "$R/root/.bash_history"
342 388 rm -f "$R/var/lib/urandom/random-seed"
343 rm -f "$R/var/lib/dbus/machine-id"
344 rm -f "$R/etc/machine-id"
345 389 rm -f "$R/etc/apt/apt.conf.d/10proxy"
346 390 rm -f "$R/etc/resolv.conf"
391 rm -f "$R/initrd.img"
392 rm -f "$R/vmlinuz"
347 393 rm -f "${R}${QEMU_BINARY}"
348 394
349 395 # Calculate size of the chroot directory in KB
350 396 CHROOT_SIZE=$(expr `du -s "$R" | awk '{ print $1 }'`)
351 397
352 398 # Calculate the amount of needed 512 Byte sectors
353 399 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
354 400 FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
355 401 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})
356 402
357 403 # The root partition is EXT4
358 404 # This means more space than the actual used space of the chroot is used.
359 405 # As overhead for journaling and reserved blocks 20% are added.
360 406 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
361 407
362 408 # Calculate required image size in 512 Byte sectors
363 409 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS})
364 410
365 411 # Prepare date string for image file name
366 412 DATE="$(date +%Y-%m-%d)"
367 413
368 414 # Prepare image file
369 415 if [ "$ENABLE_SPLITFS" = true ] ; then
370 416 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
371 417 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
372 418 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
373 419 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
374 # Write partition tables
375 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM
376 unit: sectors
377
378 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
379 2 : start= 0, size= 0, Id= 0
380 3 : start= 0, size= 0, Id= 0
381 4 : start= 0, size= 0, Id= 0
420
421 # Write firmware/boot partition tables
422 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
423 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
382 424 EOM
383 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM
384 unit: sectors
385 425
386 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83
387 2 : start= 0, size= 0, Id= 0
388 3 : start= 0, size= 0, Id= 0
389 4 : start= 0, size= 0, Id= 0
426 # Write root partition table
427 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
428 ${TABLE_SECTORS},${ROOT_SECTORS},83
390 429 EOM
430
391 431 # Setup temporary loop devices
392 432 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
393 433 ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
394 else
434 else # ENABLE_SPLITFS=false
395 435 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
396 436 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
397 # Write partition table
398 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
399 unit: sectors
400 437
401 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
402 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
403 3 : start= 0, size= 0, Id= 0
404 4 : start= 0, size= 0, Id= 0
438 # Write partition table
439 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
440 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
441 ${ROOT_OFFSET},${ROOT_SECTORS},83
405 442 EOM
443
406 444 # Setup temporary loop devices
407 445 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
408 446 ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
409 447 fi
410 448
449 if [ "$ENABLE_CRYPTFS" = true ] ; then
450 # Create dummy ext4 fs
451 mkfs.ext4 "$ROOT_LOOP"
452
453 # Setup password keyfile
454 echo -n ${CRYPTFS_PASSWORD} > .password
455
456 # Initialize encrypted partition
457 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
458
459 # Open encrypted partition and setup mapping
460 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
461
462 # Secure delete password keyfile
463 shred -zu .password
464
465 # Update temporary loop device
466 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
467
468 # Wipe encrypted partition (encryption cipher is used for randomness)
469 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}")
470 fi
471
411 472 # Build filesystems
412 473 mkfs.vfat "$FRMW_LOOP"
413 474 mkfs.ext4 "$ROOT_LOOP"
414 475
415 476 # Mount the temporary loop devices
416 477 mkdir -p "$BUILDDIR/mount"
417 478 mount "$ROOT_LOOP" "$BUILDDIR/mount"
418 479
419 480 mkdir -p "$BUILDDIR/mount/boot/firmware"
420 481 mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
421 482
422 483 # Copy all files from the chroot to the loop device mount point directory
423 484 rsync -a "$R/" "$BUILDDIR/mount/"
424 485
425 486 # Unmount all temporary loop devices and mount points
426 487 cleanup
427 488
428 489 # Create block map file(s) of image(s)
429 490 if [ "$ENABLE_SPLITFS" = true ] ; then
430 491 # Create block map files for "bmaptool"
431 492 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img"
432 493 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img"
433 494
434 495 # Image was successfully created
435 496 echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
436 497 echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
437 498 else
438 499 # Create block map file for "bmaptool"
439 500 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
440 501
441 502 # Image was successfully created
442 503 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
443 504 fi
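Review bot: the pre-flight check `if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ]` tests a path that does not exist; device-mapper nodes live under /dev/mapper, as the script itself uses later in `ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"`, so the check never fires and an existing mapping with the same name is silently reused. Change it to `/dev/mapper/${CRYPTFS_MAPPING}` (or `dmsetup info "${CRYPTFS_MAPPING}"`). The passphrase handling in the ENABLE_CRYPTFS block needs the same care: `echo -n ${CRYPTFS_PASSWORD} > .password` runs while `set -x` is still on, so the passphrase is printed into the build trace and any log capturing it; the file is created in the current directory with the default umask; and `shred -zu .password` gives no guarantee on a journaling filesystem such as ext4. Wrap the block in `set +x`/`set -x`, create the file under `umask 077` in a `mktemp -d` directory, or better pass the passphrase to `cryptsetup -q luksFormat ... --key-file -` on stdin so it never touches disk. Two smaller things: cryptsetup and initramfs-tools are only added when `BUILD_KERNEL` is true, yet the luksFormat block and the bootstrap crypttab/initramfs changes run on `ENABLE_CRYPTFS` alone, so `ENABLE_CRYPTFS=true BUILD_KERNEL=false` fails late with a missing cryptsetup; error out at the option check instead. And `rm -f "$R/etc/ssh/ssh_host_*"`, `rm -f "$R/etc/dropbear/dropbear_*"`, `rm -rf "$R/run/*"` and `rm -rf "$R/tmp/*"` all quote the glob, so none of them removes anything and the build-time host keys end up in the image (the old `rm -rf "$R/run"` at least removed the directory).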