Raspi2-3_GenImage Commit - r77:b33dfc51ccaf · Collaboration Tremplin des Sciences

Added: ENABLE_CRYPTFS - encrypted rootfs, use-latest-bootloader, cp-cleanup

Jan Wagner -

r77:b33dfc51ccaf

parent child

Context file:

r77:b33dfc51ccaf

Collapse all files

files/mount/crypttab created 644 +1 0

	@@ -0,0 +1,1
				1	# <target name> <source device> <key file> <options>

.gitignore +1 0

             images
             custom.d
             *.swp
+            *.bak
             *.log

README.md +33 -10

             BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh
             BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh
             ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
+            ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh
             ```
             #### APT settings:
             Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
             ##### `APT_INCLUDES`=""
-            A comma seperated list of additional packages to be installed during bootstrapping.
+            A comma separated list of additional packages to be installed during bootstrapping.
             #### General system settings:
             ##### `HOSTNAME`="rpi2-jessie"
             Set extra xkb configuration options.
             #### Networking settings (DHCP):
-            This setting is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
+            This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
             #####`ENABLE_DHCP`=true
             Set the system to use DHCP. This requires an DHCP server.
             #### Networking settings (static):
-            These settings are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking settings are only supported if `ENABLE_DHCP` was set to `false`.
+            These parameters are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`.
             #####`NET_ADDRESS`=""
             Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
             Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
             ##### `ENABLE_REDUCE`=false
-            Reduce the disk usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
+            Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
             ##### `ENABLE_UBOOT`=false
             Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
             Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
             ##### `CHROOT_SCRIPTS`=""
-            Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
+            Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
+            ##### `ENABLE_INITRAMFS`=false
+            Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
             #### Kernel compilation:
             ##### `BUILD_KERNEL`=false
-            Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. Detailed configuration parameters for customizing the kernel and minor bug fixes still need to get implemented. feel free to help.
+            Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used.
             ##### `KERNEL_REDUCE`=false
             Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental).
             Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
             ##### `KERNELSRC_CLEAN`=false
-            Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This setting will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
+            Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
             ##### `KERNELSRC_CONFIG`=true
-            Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This setting is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This settings is ignored if `KERNELSRC_PREBUILT`=true.
+            Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
             ##### `KERNELSRC_PREBUILT`=false
             With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
             ##### `REDUCE_MAN`=true
             Remove all man pages and info files (harsh).  Configure APT to not include man pages on future `apt-get` package installations.
-            ##### `REDUCE_VIM`=true
+            ##### `REDUCE_VIM`=false
             Replace `vim-tiny` package by `levee` a tiny vim clone.
             ##### `REDUCE_BASH`=false
             Remove PCI related hwdb files (experimental).
             ##### `REDUCE_SSHD`=true
-            Replace `openssh-server` with dropbear.
+            Replace `openssh-server` with `dropbear`.
             ##### `REDUCE_LOCALE`=true
             Remove all `locale` translation files.
+            #### Encrypted root partition:
+            ##### `ENABLE_CRYPTFS`=false
+            Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help.
+            ##### `CRYPTFS_PASSWORD`=""
+            Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
+            ##### `CRYPTFS_MAPPING`="secure"
+            Set name of dm-crypt managed device-mapper mapping.
+            ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
+            Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
+            ##### `CRYPTFS_XTSKEYSIZE`=512
+            Sets key size in bits. The argument has to be a multiple of 8.
             ## Understanding the script
             The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
             | `41-uboot.sh` | Build and Setup U-Boot |
             | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
             | `50-firstboot.sh` | First boot actions |
+            | `99-reduce.sh` | Reduce the disk space usage |
             All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
             | Directory | Description |
             | --- | --- |
+            | `apt` | APT management configuration files |
             | `boot` | Boot and RPi2 configuration files |
             | `dpkg` | Package Manager configuration |
             | `firstboot` | Scripts that get executed on first boot  |

bootstrap.d/10-bootstrap.sh +2 -2

             fi
             # Copy qemu emulator binary to chroot
-            cp "${QEMU_BINARY}" "$R/usr/bin"
+            install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
             # Copy debian-archive-keyring.pgp
             mkdir -p "$R/usr/share/keyrings"
-            cp /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
+            install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
             # Complete the bootstrapping process
             chroot_exec /debootstrap/debootstrap --second-stage

bootstrap.d/11-apt.sh +9 -2

               sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
             fi
+            if [ "$BUILD_KERNEL" = false ] ; then
               # Install APT pinning configuration for flash-kernel package
               install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
+              # Install APT sources.list
+              install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
+              echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list"
               # Upgrade collabora package index and install collabora keyring
-            echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list"
               chroot_exec apt-get -qq -y update
               chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
+            else # BUILD_KERNEL=true
               # Install APT sources.list
               install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
+              # Use specified APT server and release
               sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
               sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
+            fi
             # Upgrade package index and update all installed packages and changed dependencies
             chroot_exec apt-get -qq -y update

bootstrap.d/13-kernel.sh +63 -11

@@ -110,24 +110,31 if [ "$BUILD_KERNEL" = true ] ; then
110	KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`	110	KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`
111		111
112	# Copy kernel configuration file to the boot directory	112	# Copy kernel configuration file to the boot directory
113	cp "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"	113	install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
114		114
115	# Copy dts and dtb device tree sources and binaries	115	# Copy dts and dtb device tree sources and binaries
116	mkdir "$R/boot/firmware/overlays/"	116	mkdir "$R/boot/firmware/overlays/"
117	cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"	117	install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
118	cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/".dtb "$R/boot/firmware/overlays/"	118	install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/".dtb "$R/boot/firmware/overlays/"
119	cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/"	119	install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README"
120		120
121	# Co~~nvert kernel zImage and copy it~~ to the boot directory	121	# Copy zImage kernel to the boot directory
122	"$R~~/usr/src/linux/scripts/mkknlimg"~~ "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"	122	install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
123		123
124	# Remove kernel sources	124	# Remove kernel sources
125	if [ "$KERNEL_REMOVESRC" = true ] ; then	125	if [ "$KERNEL_REMOVESRC" = true ] ; then
126	rm -fr "$R/usr/src/linux"	126	rm -fr "$R/usr/src/linux"
127	fi	127	fi
128		128
129	# Install raspberry bootloader and flash-kernel packages	129	# Install latest boot binaries from raspberry/firmware github
130	chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel	130	wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
		131	wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
		132	wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
		133	wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
		134	wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
		135	wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
		136	wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
		137
131	else # BUILD_KERNEL=false	138	else # BUILD_KERNEL=false
132	# Kernel installation	139	# Kernel installation
133	chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel	140	chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
@@ -135,9 +142,15 else # BUILD_KERNEL=false
135	# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot	142	# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
136	chroot_exec apt-get -qq -y install flash-kernel	143	chroot_exec apt-get -qq -y install flash-kernel
137		144
		145	# Check if kernel installation was successful
138	VMLINUZ="$(ls -1 $R/boot/vmlinuz-* \| sort \| tail -n 1)"	146	VMLINUZ="$(ls -1 $R/boot/vmlinuz-* \| sort \| tail -n 1)"
139	[ -z "$VMLINUZ" ] && ~~exit~~ 1	147	if [ -z "$VMLINUZ" ] ; then
140	cp "$VMLINUZ" "$R/boot/firmware/kernel7.img"	148	echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
		149	cleanup
		150	exit 1
		151	fi
		152	# Copy vmlinuz kernel to the boot directory
		153	install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img"
141	fi	154	fi
142		155
143	# Setup firmware boot cmdline	156	# Setup firmware boot cmdline
@@ -160,6 +173,11 fi
160	# Install firmware boot cmdline	173	# Install firmware boot cmdline
161	echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"	174	echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"
162		175
		176	# Add encrypted root partition to cmdline.txt
		177	if [ "$ENABLE_CRYPTFS" = true ] ; then
		178	sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt"
		179	fi
		180
163	# Install firmware config	181	# Install firmware config
164	install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"	182	install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"
165		183
@@ -168,6 +186,11 if [ "$ENABLE_MINGPU" = true ] ; then
168	echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"	186	echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"
169	fi	187	fi
170		188
		189	# Setup boot with initramfs
		190	if [ "$ENABLE_INITRAMFS" = true ] ; then
		191	echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt"
		192	fi
		193
171	# Create firmware configuration and cmdline symlinks	194	# Create firmware configuration and cmdline symlinks
172	ln -sf firmware/config.txt "$R/boot/config.txt"	195	ln -sf firmware/config.txt "$R/boot/config.txt"
173	ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"	196	ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"
@@ -192,8 +215,37 install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-bla
192		215
193	# Install and setup fstab	216	# Install and setup fstab
194	install_readonly files/mount/fstab "$R/etc/fstab"	217	install_readonly files/mount/fstab "$R/etc/fstab"
		218
		219	# Add usb/sda disk root partition to fstab
195	if [ "$ENABLE_SPLITFS" = true ] ; then	220	if [ "$ENABLE_SPLITFS" = true ] ; then
196	sed -i 's/mmcblk0p2/sda1/' "$R/etc/fstab"	221	sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"
		222	fi
		223
		224	# Add encrypted root partition to fstab and crypttab
		225	if [ "$ENABLE_CRYPTFS" = true ] ; then
		226	# Replace fstab root partition with encrypted partition mapping
		227	sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab"
		228
		229	# Add encrypted partition to crypttab and fstab
		230	install_readonly files/mount/crypttab "$R/etc/crypttab"
		231	echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab"
		232	fi
		233
		234	# Generate initramfs file
		235	if [ "$ENABLE_INITRAMFS" = true ] ; then
		236	if [ "$ENABLE_CRYPTFS" = true ] ; then
		237	# Dummy mapping required by mkinitramfs
		238	echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} \| cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" \| chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
		239
		240	# Generate initramfs with encrypted root partition support
		241	chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
		242
		243	# Remove dummy mapping
		244	chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
		245	else
		246	# Generate initramfs without encrypted root partition support
		247	chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
		248	fi
197	fi	249	fi
198		250
199	# Install sysctl.d configuration files	251	# Install sysctl.d configuration files

bootstrap.d/41-uboot.sh +1 -1

               chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
               # Copy compiled bootloader binary and set config.txt to load it
-              cp "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/"
+              install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin"
               printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt"
               # Install and setup U-Boot command file

bootstrap.d/50-firstboot.sh +1 -2

             cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot"
             # Ensure openssh server host keys are regenerated on first boot
-            if [ "$ENABLE_SSHD" = true ] && [ "$ENABLE_REDUCE" = false ]; then
+            if [ "$ENABLE_SSHD" = true ] ; then
               cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot"
-              rm -f "$R/etc/ssh/ssh_host_*"
             fi
             # Prepare filesystem auto expand

bootstrap.d/99-reduce.sh +6 0

                 rm -f "$R/boot/firmware/fixup_x.dat"
               fi
+              # Remove kernel and initrd from /boot (already in /boot/firmware)
+              if [ "$BUILD_KERNEL" = false ] ; then
+                rm -r "$R/boot/vmlinuz--*"
+                rm -r "$R/boot/initrd.img-*"
+              fi
               # Clean APT list of repositories
               rm -fr "$R/var/lib/apt/lists/*"
               chroot_exec apt-get -qq -y update

files/apt/sources.list 0 -2

             deb http://security.debian.org/ jessie/updates main contrib
             #deb-src http://security.debian.org/ jessie/updates main contrib
-            deb https://repositories.collabora.co.uk/debian jessie rpi2

files/firstboot/21-generate-ssh-keys.sh +13 -1

@@ -1,8 +1,20
1	logger -t "rc.firstboot" "Generating SSH host keys"	1	logger -t "rc.firstboot" "Generating SSH host keys"
		2
		3	if [ -d "/etc/ssh/" ] ; then
2	rm -f /etc/ssh/ssh_host_*	4	rm -f /etc/ssh/ssh_host_*
		5	systemctl stop sshd
3	ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key	6	ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4	ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key	7	ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5	ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key	8	ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6	ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key	9	ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
		10	systemctl start sshd
		11	fi
7		12
8	systemctl restart sshd	13	if [ -d "/etc/dropbear/" ] ; then
		14	rm -f /etc/dropbear/dropbear_*
		15	systemctl stop dropbear
		16	dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
		17	dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
		18	dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
		19	systemctl start dropbear
		20	fi

files/firstboot/22-expandroot.sh +8 -4

             # Get the starting offset of the root partition
             PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
-            [ "$PART_START" ] || return 1
+            if [ -z "$PART_START" ] ; then
+              logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition"
+              return 1
+            fi
             # Get the possible last sector for the root partition
             PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
-            [ "$PART_LAST" ] || return 1
+            if [ -z "$PART_LAST" ] ; then
+              logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition"
+              return 1
+            fi
-            # Return value will likely be error for fdisk as it fails to reload the
-            # partition table because the root fs is mounted
             ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
             fdisk /dev/${ROOT_DEV} <<EOF2 || true
             p

files/firstboot/24-create-resolv-symlink.sh +5 -3

             logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
             # Check if systemd resolve directory exists
-            if [ -d "/run/systemd/resolve" ] ; then
+            if [ ! -d "/run/systemd/resolve" ] ; then
+              systemctl enable systemd-resolved.service
+              systemctl restart systemd-resolved.service
+            fi
             # Create resolv.conf file if it does not exists
             if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
               touch /run/systemd/resolve/resolv.conf
             # Create symlink to /etc/reolv.conf
             ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
-            fi

functions.sh +6 -5

               # Identify and kill all processes still using files
               echo "killing processes using mount point ..."
-              fuser -k $R
+              fuser -k "$R"
               sleep 3
-              fuser -9 -k -v $R
+              fuser -9 -k -v "$R"
               # Clean up all temporary mount points
               echo "removing temporary mount points ..."
-              umount -l $R/proc 2> /dev/null
+              umount -l "$R/proc" 2> /dev/null
-              umount -l $R/sys 2> /dev/null
+              umount -l "$R/sys" 2> /dev/null
-              umount -l $R/dev/pts 2> /dev/null
+              umount -l "$R/dev/pts" 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
+              cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
               losetup -d "$ROOT_LOOP" 2> /dev/null
               losetup -d "$FRMW_LOOP" 2> /dev/null
               trap - 0 1 2 3 6

rpi2-gen-image.sh +92 -31

             # Check if ./functions.sh script exists
             if [ ! -r "./functions.sh" ] ; then
-              echo "error: './functions.sh' required script not found. please reinstall the latest script version!"
+              echo "error: './functions.sh' required script not found!"
               exit 1
             fi
             QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
             # Build directories
-            BASEDIR=$(pwd)/images/${RELEASE}
+            BASEDIR="$(pwd)/images/${RELEASE}"
-            BUILDDIR=${BASEDIR}/build
+            BUILDDIR="${BASEDIR}/build"
-            R=${BUILDDIR}/chroot
+            R="${BUILDDIR}/chroot"
             # General settings
             HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
+            ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
             # Kernel compilation settings
             BUILD_KERNEL=${BUILD_KERNEL:=false}
             REDUCE_APT=${REDUCE_APT:=true}
             REDUCE_DOC=${REDUCE_DOC:=true}
             REDUCE_MAN=${REDUCE_MAN:=true}
-            REDUCE_VIM=${REDUCE_VIM:=true}
+            REDUCE_VIM=${REDUCE_VIM:=false}
             REDUCE_BASH=${REDUCE_BASH:=false}
             REDUCE_HWDB=${REDUCE_HWDB:=true}
             REDUCE_SSHD=${REDUCE_SSHD:=true}
             REDUCE_LOCALE=${REDUCE_LOCALE:=true}
+            # Encrypted filesystem settings
+            ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
+            CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
+            CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
+            CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
+            CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
+            # Stop the Crypto Wars
+            DISABLE_FBI=${DISABLE_FBI:=false}
             # Chroot scripts directory
             CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev"
             fi
+            # Stop the Crypto Wars
+            if [ "$DISABLE_FBI" = true ] ; then
+              ENABLE_CRYPTFS=true
+            fi
+            # Add cryptsetup package to enable filesystem encryption
+            if [ "$ENABLE_CRYPTFS" = true ]  && [ "$BUILD_KERNEL" = true ] ; then
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
+              APT_INCLUDES="${APT_INCLUDES},cryptsetup"
+              if [ -z "$CRYPTFS_PASSWORD" ] ; then
+                echo "error: no password defined (CRYPTFS_PASSWORD)!"
+                exit 1
+              fi
+              ENABLE_INITRAMFS=true
+            fi
+            # Add initramfs generation tools
+            if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
+            fi
             # Check if all required packages are installed on the build system
             for package in $REQUIRED_PACKAGES ; do
               if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
                exit 1
             fi
+            # Check if specified device mapping already exists (will be used by cryptsetup)
+            if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
+              echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
+              exit 1
+            fi
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ] ; then
               echo "error: directory ${BUILDDIR} already exists, not proceeding"
             # Add required packages for the minbase installation
             if [ "$ENABLE_MINBASE" = true ] ; then
-              APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
+              APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
             else
               APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
             fi
             # Remove apt-utils
             chroot_exec apt-get purge -qq -y --force-yes apt-utils
+            # Generate required machine-id
+            MACHINE_ID=$(dbus-uuidgen)
+            echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id"
+            echo -n "${MACHINE_ID}" > "$R/etc/machine-id"
             # APT Cleanup
             chroot_exec apt-get -y clean
             chroot_exec apt-get -y autoclean
             umount -l "$R/sys"
             # Clean up directories
-            rm -rf "$R/run"
+            rm -rf "$R/run/*"
             rm -rf "$R/tmp/*"
             # Clean up files
+            rm -f "$R/etc/ssh/ssh_host_*"
+            rm -f "$R/etc/dropbear/dropbear_*"
             rm -f "$R/etc/apt/sources.list.save"
             rm -f "$R/etc/resolvconf/resolv.conf.d/original"
             rm -f "$R/etc/*-"
             rm -f "$R/root/.bash_history"
             rm -f "$R/var/lib/urandom/random-seed"
-            rm -f "$R/var/lib/dbus/machine-id"
-            rm -f "$R/etc/machine-id"
             rm -f "$R/etc/apt/apt.conf.d/10proxy"
             rm -f "$R/etc/resolv.conf"
+            rm -f "$R/initrd.img"
+            rm -f "$R/vmlinuz"
             rm -f "${R}${QEMU_BINARY}"
             # Calculate size of the chroot directory in KB
               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
-              # Write partition tables
-              sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM
+              # Write firmware/boot partition tables
-            unit: sectors
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
+            ${TABLE_SECTORS},${FRMW_SECTORS},c,*
-: start=   ${TABLE_SECTORS}, size=   ${FRMW_SECTORS}, Id= c, bootable
-: start=                  0, size=                 0, Id= 0
-: start=                  0, size=                 0, Id= 0
-: start=                  0, size=                 0, Id= 0
             EOM
-              sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM
-            unit: sectors
-: start=   ${TABLE_SECTORS}, size=   ${ROOT_SECTORS}, Id=83
+              # Write root partition table
-: start=                  0, size=                 0, Id= 0
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
-: start=                  0, size=                 0, Id= 0
+            ${TABLE_SECTORS},${ROOT_SECTORS},83
-: start=                  0, size=                 0, Id= 0
             EOM
               # Setup temporary loop devices
               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
               ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
-            else
+            else # ENABLE_SPLITFS=false
               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
-              # Write partition table
-              sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
-            unit: sectors
-: start=   ${TABLE_SECTORS}, size=   ${FRMW_SECTORS}, Id= c, bootable
+              # Write partition table
-: start=     ${ROOT_OFFSET}, size=   ${ROOT_SECTORS}, Id=83
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
-: start=                  0, size=                 0, Id= 0
+            ${TABLE_SECTORS},${FRMW_SECTORS},c,*
-: start=                  0, size=                 0, Id= 0
+            ${ROOT_OFFSET},${ROOT_SECTORS},83
             EOM
               # Setup temporary loop devices
               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
               ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             fi
+            if [ "$ENABLE_CRYPTFS" = true ] ; then
+              # Create dummy ext4 fs
+              mkfs.ext4 "$ROOT_LOOP"
+              # Setup password keyfile
+              echo -n ${CRYPTFS_PASSWORD} > .password
+              # Initialize encrypted partition
+              echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
+              # Open encrypted partition and setup mapping
+              cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
+              # Secure delete password keyfile
+              shred -zu .password
+              # Update temporary loop device
+              ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
+              # Wipe encrypted partition (encryption cipher is used for randomness)
+              dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}")
+            fi
             # Build filesystems
             mkfs.vfat "$FRMW_LOOP"
             mkfs.ext4 "$ROOT_LOOP"

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages