@@ -0,0 +1,1 | |||||
|
1 | # <target name> <source device> <key file> <options> |
@@ -21,6 +21,7 ENABLE_MINBASE=true ./rpi2-gen-image.sh | |||||
21 | BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh |
|
21 | BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi2-gen-image.sh | |
22 | BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh |
|
22 | BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi2-gen-image.sh | |
23 | ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh |
|
23 | ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh | |
|
24 | ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi2-gen-image.sh | |||
24 | ``` |
|
25 | ``` | |
25 |
|
26 | |||
26 | #### APT settings: |
|
27 | #### APT settings: | |
@@ -31,7 +32,7 Set Debian packages server address. Choose a server from the list of Debian worl | |||||
31 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. |
|
32 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. | |
32 |
|
33 | |||
33 | ##### `APT_INCLUDES`="" |
|
34 | ##### `APT_INCLUDES`="" | |
34 |
A comma sep |
|
35 | A comma separated list of additional packages to be installed during bootstrapping. | |
35 |
|
36 | |||
36 | #### General system settings: |
|
37 | #### General system settings: | |
37 | ##### `HOSTNAME`="rpi2-jessie" |
|
38 | ##### `HOSTNAME`="rpi2-jessie" | |
@@ -65,13 +66,13 Set the supported variant(s) of the keyboard layout(s). | |||||
65 | Set extra xkb configuration options. |
|
66 | Set extra xkb configuration options. | |
66 |
|
67 | |||
67 | #### Networking settings (DHCP): |
|
68 | #### Networking settings (DHCP): | |
68 |
This |
|
69 | This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`. | |
69 |
|
70 | |||
70 | #####`ENABLE_DHCP`=true |
|
71 | #####`ENABLE_DHCP`=true | |
71 | Set the system to use DHCP. This requires an DHCP server. |
|
72 | Set the system to use DHCP. This requires an DHCP server. | |
72 |
|
73 | |||
73 | #### Networking settings (static): |
|
74 | #### Networking settings (static): | |
74 |
These |
|
75 | These parameters are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. | |
75 |
|
76 | |||
76 | #####`NET_ADDRESS`="" |
|
77 | #####`NET_ADDRESS`="" | |
77 | Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24". |
|
78 | Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24". | |
@@ -131,7 +132,7 Install a user defined window manager for the X Window System. To make sure all | |||||
131 | Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. |
|
132 | Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. | |
132 |
|
133 | |||
133 | ##### `ENABLE_REDUCE`=false |
|
134 | ##### `ENABLE_REDUCE`=false | |
134 | Reduce the disk usage by deleting packages and files. See `REDUCE_*` parameters for detailed information. |
|
135 | Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information. | |
135 |
|
136 | |||
136 | ##### `ENABLE_UBOOT`=false |
|
137 | ##### `ENABLE_UBOOT`=false | |
137 | Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. |
|
138 | Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. | |
@@ -159,11 +160,14 Enable IPv4/IPv6 network stack hardening settings. | |||||
159 | Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`. |
|
160 | Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`. | |
160 |
|
161 | |||
161 | ##### `CHROOT_SCRIPTS`="" |
|
162 | ##### `CHROOT_SCRIPTS`="" | |
162 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. |
|
163 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order. | |
|
164 | ||||
|
165 | ##### `ENABLE_INITRAMFS`=false | |||
|
166 | Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false. | |||
163 |
|
167 | |||
164 | #### Kernel compilation: |
|
168 | #### Kernel compilation: | |
165 | ##### `BUILD_KERNEL`=false |
|
169 | ##### `BUILD_KERNEL`=false | |
166 |
Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. |
|
170 | Build and install the latest RPi2 Linux kernel. Currently only the default RPi2 kernel configuration is used. | |
167 |
|
171 | |||
168 | ##### `KERNEL_REDUCE`=false |
|
172 | ##### `KERNEL_REDUCE`=false | |
169 | Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental). |
|
173 | Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental). | |
@@ -184,10 +188,10 Remove all kernel sources from the generated OS image after it was built and ins | |||||
184 | Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot. |
|
188 | Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot. | |
185 |
|
189 | |||
186 | ##### `KERNELSRC_CLEAN`=false |
|
190 | ##### `KERNELSRC_CLEAN`=false | |
187 |
Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This |
|
191 | Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true. | |
188 |
|
192 | |||
189 | ##### `KERNELSRC_CONFIG`=true |
|
193 | ##### `KERNELSRC_CONFIG`=true | |
190 |
Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This |
|
194 | Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true. | |
191 |
|
195 | |||
192 | ##### `KERNELSRC_PREBUILT`=false |
|
196 | ##### `KERNELSRC_PREBUILT`=false | |
193 | With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed. |
|
197 | With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed. | |
@@ -204,7 +208,7 Remove all doc files (harsh). Configure APT to not include doc files on future ` | |||||
204 | ##### `REDUCE_MAN`=true |
|
208 | ##### `REDUCE_MAN`=true | |
205 | Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations. |
|
209 | Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations. | |
206 |
|
210 | |||
207 |
##### `REDUCE_VIM`= |
|
211 | ##### `REDUCE_VIM`=false | |
208 | Replace `vim-tiny` package by `levee` a tiny vim clone. |
|
212 | Replace `vim-tiny` package by `levee` a tiny vim clone. | |
209 |
|
213 | |||
210 | ##### `REDUCE_BASH`=false |
|
214 | ##### `REDUCE_BASH`=false | |
@@ -214,11 +218,28 Remove `bash` package and switch to `dash` shell (experimental). | |||||
214 | Remove PCI related hwdb files (experimental). |
|
218 | Remove PCI related hwdb files (experimental). | |
215 |
|
219 | |||
216 | ##### `REDUCE_SSHD`=true |
|
220 | ##### `REDUCE_SSHD`=true | |
217 | Replace `openssh-server` with dropbear. |
|
221 | Replace `openssh-server` with `dropbear`. | |
218 |
|
222 | |||
219 | ##### `REDUCE_LOCALE`=true |
|
223 | ##### `REDUCE_LOCALE`=true | |
220 | Remove all `locale` translation files. |
|
224 | Remove all `locale` translation files. | |
221 |
|
225 | |||
|
226 | #### Encrypted root partition: | |||
|
227 | ||||
|
228 | ##### `ENABLE_CRYPTFS`=false | |||
|
229 | Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help. | |||
|
230 | ||||
|
231 | ##### `CRYPTFS_PASSWORD`="" | |||
|
232 | Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true. | |||
|
233 | ||||
|
234 | ##### `CRYPTFS_MAPPING`="secure" | |||
|
235 | Set name of dm-crypt managed device-mapper mapping. | |||
|
236 | ||||
|
237 | ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512" | |||
|
238 | Set cipher specification string. `aes-xts*` ciphers are strongly recommended. | |||
|
239 | ||||
|
240 | ##### `CRYPTFS_XTSKEYSIZE`=512 | |||
|
241 | Sets key size in bits. The argument has to be a multiple of 8. | |||
|
242 | ||||
222 | ## Understanding the script |
|
243 | ## Understanding the script | |
223 | The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order: |
|
244 | The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order: | |
224 |
|
245 | |||
@@ -235,11 +256,13 The functions of this script that are required for the different stages of the b | |||||
235 | | `41-uboot.sh` | Build and Setup U-Boot | |
|
256 | | `41-uboot.sh` | Build and Setup U-Boot | | |
236 | | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver | |
|
257 | | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver | | |
237 | | `50-firstboot.sh` | First boot actions | |
|
258 | | `50-firstboot.sh` | First boot actions | | |
|
259 | | `99-reduce.sh` | Reduce the disk space usage | | |||
238 |
|
260 | |||
239 | All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually. |
|
261 | All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually. | |
240 |
|
262 | |||
241 | | Directory | Description | |
|
263 | | Directory | Description | | |
242 | | --- | --- | |
|
264 | | --- | --- | | |
|
265 | | `apt` | APT management configuration files | | |||
243 | | `boot` | Boot and RPi2 configuration files | |
|
266 | | `boot` | Boot and RPi2 configuration files | | |
244 | | `dpkg` | Package Manager configuration | |
|
267 | | `dpkg` | Package Manager configuration | | |
245 | | `firstboot` | Scripts that get executed on first boot | |
|
268 | | `firstboot` | Scripts that get executed on first boot | |
@@ -13,11 +13,11 else | |||||
13 | fi |
|
13 | fi | |
14 |
|
14 | |||
15 | # Copy qemu emulator binary to chroot |
|
15 | # Copy qemu emulator binary to chroot | |
16 | cp "${QEMU_BINARY}" "$R/usr/bin" |
|
16 | install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}" | |
17 |
|
17 | |||
18 | # Copy debian-archive-keyring.pgp |
|
18 | # Copy debian-archive-keyring.pgp | |
19 | mkdir -p "$R/usr/share/keyrings" |
|
19 | mkdir -p "$R/usr/share/keyrings" | |
20 |
|
|
20 | install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg" | |
21 |
|
21 | |||
22 | # Complete the bootstrapping process |
|
22 | # Complete the bootstrapping process | |
23 | chroot_exec /debootstrap/debootstrap --second-stage |
|
23 | chroot_exec /debootstrap/debootstrap --second-stage |
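Review bot: The destination `"${R}${QEMU_BINARY}"` at new line 16 concatenates `$R` with the configured path without a separator, so it is only correct when `QEMU_BINARY` is absolute; the variable is user-overridable (default `/usr/bin/qemu-arm-static` in the main script), and a relative value would place the binary outside the chroot. Either document that it must be absolute or check it once, e.g. `case "$QEMU_BINARY" in /*) ;; *) echo "error: QEMU_BINARY must be an absolute path" >&2 ; exit 1 ;; esac`. The keyring copy at new line 20 similarly assumes the host path exists; a comment such as `# host keyring seeds apt signature verification inside the chroot` would make its purpose clear to the next reader.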
@@ -11,18 +11,25 if [ -z "$APT_PROXY" ] ; then | |||||
11 | sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy" |
|
11 | sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy" | |
12 | fi |
|
12 | fi | |
13 |
|
13 | |||
|
14 | if [ "$BUILD_KERNEL" = false ] ; then | |||
14 | # Install APT pinning configuration for flash-kernel package |
|
15 | # Install APT pinning configuration for flash-kernel package | |
15 | install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel" |
|
16 | install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel" | |
16 |
|
17 | |||
|
18 | # Install APT sources.list | |||
|
19 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" | |||
|
20 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list" | |||
|
21 | ||||
17 | # Upgrade collabora package index and install collabora keyring |
|
22 | # Upgrade collabora package index and install collabora keyring | |
18 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list" |
|
|||
19 | chroot_exec apt-get -qq -y update |
|
23 | chroot_exec apt-get -qq -y update | |
20 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring |
|
24 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
21 |
|
25 | else # BUILD_KERNEL=true | ||
22 | # Install APT sources.list |
|
26 | # Install APT sources.list | |
23 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" |
|
27 | install_readonly files/apt/sources.list "$R/etc/apt/sources.list" | |
|
28 | ||||
|
29 | # Use specified APT server and release | |||
24 | sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list" |
|
30 | sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list" | |
25 | sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list" |
|
31 | sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list" | |
|
32 | fi | |||
26 |
|
33 | |||
27 | # Upgrade package index and update all installed packages and changed dependencies |
|
34 | # Upgrade package index and update all installed packages and changed dependencies | |
28 | chroot_exec apt-get -qq -y update |
|
35 | chroot_exec apt-get -qq -y update |
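Review bot: In the new `BUILD_KERNEL=false` branch (new lines 14-24) `files/apt/sources.list` is installed verbatim, while the `sed` substitutions for `APT_SERVER` and `RELEASE` now run only in the `else` branch (new lines 30-31); previously they applied unconditionally, so with `BUILD_KERNEL=false` the Debian mirror now stays at the file's built-in `ftp.debian.org`/`jessie` whatever those settings say. Hoisting `install_readonly files/apt/sources.list "$R/etc/apt/sources.list"` and the two `sed` lines above the `if`, and keeping only the collabora `echo >>` plus the keyring install in the `false` branch, restores the old behaviour. Separately, the collabora keyring package is still installed with `--force-yes` (new line 24) right after an `apt-get update` against the not-yet-trusted repository, so the package that establishes trust is itself accepted without signature verification; a comment such as `# keyring comes from the repository it is meant to authenticate; only TLS protects this step` would at least make that explicit.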
@@ -110,24 +110,31 if [ "$BUILD_KERNEL" = true ] ; then | |||||
110 | KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"` |
|
110 | KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"` | |
111 |
|
111 | |||
112 | # Copy kernel configuration file to the boot directory |
|
112 | # Copy kernel configuration file to the boot directory | |
113 |
|
|
113 | install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}" | |
114 |
|
114 | |||
115 | # Copy dts and dtb device tree sources and binaries |
|
115 | # Copy dts and dtb device tree sources and binaries | |
116 | mkdir "$R/boot/firmware/overlays/" |
|
116 | mkdir "$R/boot/firmware/overlays/" | |
117 |
|
|
117 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/" | |
118 |
|
|
118 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/" | |
119 |
|
|
119 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README" | |
120 |
|
120 | |||
121 |
# Co |
|
121 | # Copy zImage kernel to the boot directory | |
122 |
|
|
122 | install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img" | |
123 |
|
123 | |||
124 | # Remove kernel sources |
|
124 | # Remove kernel sources | |
125 | if [ "$KERNEL_REMOVESRC" = true ] ; then |
|
125 | if [ "$KERNEL_REMOVESRC" = true ] ; then | |
126 | rm -fr "$R/usr/src/linux" |
|
126 | rm -fr "$R/usr/src/linux" | |
127 | fi |
|
127 | fi | |
128 |
|
128 | |||
129 | # Install raspberry bootloader and flash-kernel packages |
|
129 | # Install latest boot binaries from raspberry/firmware github | |
130 | chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel |
|
130 | wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin | |
|
131 | wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat | |||
|
132 | wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat | |||
|
133 | wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat | |||
|
134 | wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf | |||
|
135 | wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf | |||
|
136 | wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf | |||
|
137 | ||||
131 | else # BUILD_KERNEL=false |
|
138 | else # BUILD_KERNEL=false | |
132 | # Kernel installation |
|
139 | # Kernel installation | |
133 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel |
|
140 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel | |
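Review bot: New lines 130-136 replace the apt-installed `raspberrypi-bootloader-nokernel` package with blobs fetched by `wget` from the moving `master` branch, with no checksum and no exit-status check, so the boot firmware is no longer covered by apt's signature verification and a failed download (`-O` typically leaves an empty or partial file) goes unnoticed until the image fails to boot. Pinning the revision, failing the build on a download error and ideally verifying a checked-in checksum (`sha256sum -c`) would restore that; the loop below also removes the repetition. The `if` this block sits in starts before the hunk.
```shell
# Install boot binaries from a pinned raspberrypi/firmware revision
FIRMWARE_REV="<pinned-commit-hash>"
FIRMWARE_URL="https://github.com/raspberrypi/firmware/raw/${FIRMWARE_REV}/boot"
for f in bootcode.bin fixup_cd.dat fixup.dat fixup_x.dat start_cd.elf start.elf start_x.elf ; do
  if ! wget -q -O "$R/boot/firmware/${f}" "${FIRMWARE_URL}/${f}" ; then
    echo "error: download of ${f} from ${FIRMWARE_URL} failed!" >&2
    cleanup
    exit 1
  fi
done
# … unchanged: else branch (BUILD_KERNEL=false) …
```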
@@ -135,9 +142,15 else # BUILD_KERNEL=false | |||||
135 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
142 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
136 | chroot_exec apt-get -qq -y install flash-kernel |
|
143 | chroot_exec apt-get -qq -y install flash-kernel | |
137 |
|
144 | |||
|
145 | # Check if kernel installation was successful | |||
138 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
146 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
139 |
[ -z "$VMLINUZ" ] |
|
147 | if [ -z "$VMLINUZ" ] ; then | |
140 | cp "$VMLINUZ" "$R/boot/firmware/kernel7.img" |
|
148 | echo "error: kernel installation failed! (/boot/vmlinuz-* not found)" | |
|
149 | cleanup | |||
|
150 | exit 1 | |||
|
151 | fi | |||
|
152 | # Copy vmlinuz kernel to the boot directory | |||
|
153 | install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img" | |||
141 | fi |
|
154 | fi | |
142 |
|
155 | |||
143 | # Setup firmware boot cmdline |
|
156 | # Setup firmware boot cmdline | |
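Review bot: The failure message at new line 148 goes to stdout rather than stderr; `echo "error: kernel installation failed! (/boot/vmlinuz-* not found)" >&2` keeps it out of captured output. The kernel pick at new line 146 (context) relies on plain `sort`, which orders `vmlinuz-4.10` before `vmlinuz-4.9`, so with several installed kernels `tail -n 1` may not return the newest; `sort -V` (GNU coreutils) would, and the `ls` parsing with an unquoted `$R` could be replaced by a glob loop. The surrounding `else` branch begins before the hunk.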
@@ -160,6 +173,11 fi | |||||
160 | # Install firmware boot cmdline |
|
173 | # Install firmware boot cmdline | |
161 | echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt" |
|
174 | echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt" | |
162 |
|
175 | |||
|
176 | # Add encrypted root partition to cmdline.txt | |||
|
177 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
178 | sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt" | |||
|
179 | fi | |||
|
180 | ||||
163 | # Install firmware config |
|
181 | # Install firmware config | |
164 | install_readonly files/boot/config.txt "$R/boot/firmware/config.txt" |
|
182 | install_readonly files/boot/config.txt "$R/boot/firmware/config.txt" | |
165 |
|
183 | |||
@@ -168,6 +186,11 if [ "$ENABLE_MINGPU" = true ] ; then | |||||
168 | echo "gpu_mem=16" >> "$R/boot/firmware/config.txt" |
|
186 | echo "gpu_mem=16" >> "$R/boot/firmware/config.txt" | |
169 | fi |
|
187 | fi | |
170 |
|
188 | |||
|
189 | # Setup boot with initramfs | |||
|
190 | if [ "$ENABLE_INITRAMFS" = true ] ; then | |||
|
191 | echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt" | |||
|
192 | fi | |||
|
193 | ||||
171 | # Create firmware configuration and cmdline symlinks |
|
194 | # Create firmware configuration and cmdline symlinks | |
172 | ln -sf firmware/config.txt "$R/boot/config.txt" |
|
195 | ln -sf firmware/config.txt "$R/boot/config.txt" | |
173 | ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt" |
|
196 | ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt" | |
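Review bot: The `initramfs initramfs-${KERNEL_VERSION} followkernel` line at new line 191 depends on `KERNEL_VERSION`, which is only assigned in the `BUILD_KERNEL=true` branch (new line 110); unless the main script forces `ENABLE_INITRAMFS=false` when `BUILD_KERNEL=false` (the README says it is ignored, but no such assignment is visible in these hunks), the `false` path would write `initramfs initramfs- followkernel` and point the firmware at a file that does not exist. Guarding with `if [ "$ENABLE_INITRAMFS" = true ] && [ -n "$KERNEL_VERSION" ] ; then` here, or enforcing the rule once in rpi2-gen-image.sh, closes that; the same dependency exists for the `mkinitramfs` calls at new lines 241 and 247.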
@@ -192,8 +215,37 install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-bla | |||||
192 |
|
215 | |||
193 | # Install and setup fstab |
|
216 | # Install and setup fstab | |
194 | install_readonly files/mount/fstab "$R/etc/fstab" |
|
217 | install_readonly files/mount/fstab "$R/etc/fstab" | |
|
218 | ||||
|
219 | # Add usb/sda disk root partition to fstab | |||
195 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
220 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
196 |
sed -i |
|
221 | sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab" | |
|
222 | fi | |||
|
223 | ||||
|
224 | # Add encrypted root partition to fstab and crypttab | |||
|
225 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
226 | # Replace fstab root partition with encrypted partition mapping | |||
|
227 | sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab" | |||
|
228 | ||||
|
229 | # Add encrypted partition to crypttab and fstab | |||
|
230 | install_readonly files/mount/crypttab "$R/etc/crypttab" | |||
|
231 | echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab" | |||
|
232 | fi | |||
|
233 | ||||
|
234 | # Generate initramfs file | |||
|
235 | if [ "$ENABLE_INITRAMFS" = true ] ; then | |||
|
236 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
237 | # Dummy mapping required by mkinitramfs | |||
|
238 | echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}" | |||
|
239 | ||||
|
240 | # Generate initramfs with encrypted root partition support | |||
|
241 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |||
|
242 | ||||
|
243 | # Remove dummy mapping | |||
|
244 | chroot_exec cryptsetup close "${CRYPTFS_MAPPING}" | |||
|
245 | else | |||
|
246 | # Generate initramfs without encrypted root partition support | |||
|
247 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |||
|
248 | fi | |||
197 | fi |
|
249 | fi | |
198 |
|
250 | |||
199 | # Install sysctl.d configuration files |
|
251 | # Install sysctl.d configuration files |
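Review bot: The dummy `dmsetup create "${CRYPTFS_MAPPING}"` at new line 238 runs on the build host with a user-chosen, fixed name (default `secure` per the README), so an existing host mapping of that name makes the create fail, and the `cryptsetup close` this commit adds to `cleanup` would then tear down the host's mapping instead of the dummy; checking first with `if dmsetup info "${CRYPTFS_MAPPING}" >/dev/null 2>&1 ; then echo "error: device-mapper name ${CRYPTFS_MAPPING} already in use" >&2 ; cleanup ; exit 1 ; fi` (or using a build-unique name for the dummy) avoids touching host state. The key in that table line is 64 hex digits (256 bits) while `CRYPTFS_XTSKEYSIZE` defaults to 512; harmless for a throwaway mapping, but a comment saying so would stop a reader from "fixing" it. Also, with `ENABLE_SPLITFS` and `ENABLE_CRYPTFS` both true, the fstab `sed` at new line 221 has already turned `mmcblk0p2` into `sda1`, so the one at new line 227 matches nothing and crypttab still names `/dev/mmcblk0p2`; the README calls the combination unsupported, but nothing here rejects it.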
@@ -19,7 +19,7 if [ "$ENABLE_UBOOT" = true ] ; then | |||||
19 | chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all |
|
19 | chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all | |
20 |
|
20 | |||
21 | # Copy compiled bootloader binary and set config.txt to load it |
|
21 | # Copy compiled bootloader binary and set config.txt to load it | |
22 |
|
|
22 | install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin" | |
23 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt" |
|
23 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt" | |
24 |
|
24 | |||
25 | # Install and setup U-Boot command file |
|
25 | # Install and setup U-Boot command file |
@@ -9,9 +9,8 | |||||
9 | cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot" |
|
9 | cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot" | |
10 |
|
10 | |||
11 | # Ensure openssh server host keys are regenerated on first boot |
|
11 | # Ensure openssh server host keys are regenerated on first boot | |
12 |
if [ "$ENABLE_SSHD" = true ] |
|
12 | if [ "$ENABLE_SSHD" = true ] ; then | |
13 | cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot" |
|
13 | cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot" | |
14 | rm -f "$R/etc/ssh/ssh_host_*" |
|
|||
15 | fi |
|
14 | fi | |
16 |
|
15 | |||
17 | # Prepare filesystem auto expand |
|
16 | # Prepare filesystem auto expand |
@@ -66,6 +66,12 if [ "$ENABLE_REDUCE" = true ] ; then | |||||
66 | rm -f "$R/boot/firmware/fixup_x.dat" |
|
66 | rm -f "$R/boot/firmware/fixup_x.dat" | |
67 | fi |
|
67 | fi | |
68 |
|
68 | |||
|
69 | # Remove kernel and initrd from /boot (already in /boot/firmware) | |||
|
70 | if [ "$BUILD_KERNEL" = false ] ; then | |||
|
71 | rm -r "$R/boot/vmlinuz--*" | |||
|
72 | rm -r "$R/boot/initrd.img-*" | |||
|
73 | fi | |||
|
74 | ||||
69 | # Clean APT list of repositories |
|
75 | # Clean APT list of repositories | |
70 | rm -fr "$R/var/lib/apt/lists/*" |
|
76 | rm -fr "$R/var/lib/apt/lists/*" | |
71 | chroot_exec apt-get -qq -y update |
|
77 | chroot_exec apt-get -qq -y update |
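Review bot: The two `rm -r` calls at new lines 71-72 quote the glob, so `*` is taken literally and nothing matches, and `vmlinuz--*` additionally has a doubled dash; with `-r` but no `-f` the calls error on the missing path instead of silently doing nothing. `rm -f "$R"/boot/vmlinuz-* "$R"/boot/initrd.img-*` does what the comment at new line 69 describes. The same quoted-glob pattern is already present on the context line `rm -fr "$R/var/lib/apt/lists/*"`.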
@@ -6,5 +6,3 deb http://ftp.debian.org/debian/ jessie-updates main contrib | |||||
6 |
|
6 | |||
7 | deb http://security.debian.org/ jessie/updates main contrib |
|
7 | deb http://security.debian.org/ jessie/updates main contrib | |
8 | #deb-src http://security.debian.org/ jessie/updates main contrib |
|
8 | #deb-src http://security.debian.org/ jessie/updates main contrib | |
9 |
|
||||
10 | deb https://repositories.collabora.co.uk/debian jessie rpi2 |
|
@@ -1,8 +1,20 | |||||
1 | logger -t "rc.firstboot" "Generating SSH host keys" |
|
1 | logger -t "rc.firstboot" "Generating SSH host keys" | |
|
2 | ||||
|
3 | if [ -d "/etc/ssh/" ] ; then | |||
2 | rm -f /etc/ssh/ssh_host_* |
|
4 | rm -f /etc/ssh/ssh_host_* | |
|
5 | systemctl stop sshd | |||
3 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key |
|
6 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key | |
4 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key |
|
7 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key | |
5 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key |
|
8 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key | |
6 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key |
|
9 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key | |
|
10 | systemctl start sshd | |||
|
11 | fi | |||
7 |
|
12 | |||
8 | systemctl restart sshd |
|
13 | if [ -d "/etc/dropbear/" ] ; then | |
|
14 | rm -f /etc/dropbear/dropbear_* | |||
|
15 | systemctl stop dropbear | |||
|
16 | dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key | |||
|
17 | dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key | |||
|
18 | dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key | |||
|
19 | systemctl start dropbear | |||
|
20 | fi |
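Review bot: New lines 3 and 13 key on the existence of `/etc/ssh/` and `/etc/dropbear/`, but `/etc/ssh` is also present when only the OpenSSH client is installed, in which case `systemctl stop sshd` at new line 5 fails (and aborts first boot if rc.firstboot runs under `sh -e`, as the comment in the expandroot script suggests); testing for the daemon, e.g. `if [ -x /usr/sbin/sshd ] ; then`, is more precise. The DSA keys generated at new lines 7 and 17 are of no use to current clients (OpenSSH stopped offering ssh-dss by default in 7.0) and could be dropped, leaving RSA, ECDSA and Ed25519. Note that the build-time removal of host keys in 50-firstboot.sh dropped by this commit never matched (its glob was quoted), so whatever host keys package installation left in the chroot remain in the image until this script runs.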
@@ -24,14 +24,18 fi | |||||
24 |
|
24 | |||
25 | # Get the starting offset of the root partition |
|
25 | # Get the starting offset of the root partition | |
26 | PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') |
|
26 | PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') | |
27 |
[ "$PART_START" ] |
|
27 | if [ -z "$PART_START" ] ; then | |
|
28 | logger -t "rc.firstboot" "${ROOT_DEV} unable to get starting sector of the partition" | |||
|
29 | return 1 | |||
|
30 | fi | |||
28 |
|
31 | |||
29 | # Get the possible last sector for the root partition |
|
32 | # Get the possible last sector for the root partition | |
30 | PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') |
|
33 | PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') | |
31 |
[ "$PART_LAST" ] |
|
34 | if [ -z "$PART_LAST" ] ; then | |
|
35 | logger -t "rc.firstboot" "${ROOT_DEV} unable to get last sector of the partition" | |||
|
36 | return 1 | |||
|
37 | fi | |||
32 |
|
38 | |||
33 | # Return value will likely be error for fdisk as it fails to reload the |
|
|||
34 | # partition table because the root fs is mounted |
|
|||
35 | ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit |
|
39 | ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit | |
36 | fdisk /dev/${ROOT_DEV} <<EOF2 || true |
|
40 | fdisk /dev/${ROOT_DEV} <<EOF2 || true | |
37 | p |
|
41 | p |
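Review bot: The new `return 1` at new lines 29 and 36 is only meaningful inside a function or a sourced file; this script appears to be concatenated into rc.firstboot by 50-firstboot.sh, and what `return` does at the top level of an executed script depends on the shell (bash, for example, reports an error rather than leaving the script, so the `fdisk` here-doc would still run with an empty `PART_START`). Wrapping the resize in a function, or using `exit 1` if aborting first boot is acceptable, makes the abort unambiguous. The removed comment about fdisk failing to reload the partition table was also the only explanation of the `|| true` at new line 40; keeping a shortened form, e.g. `# fdisk cannot reload the table while / is mounted; ignore its status`, helps.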
@@ -1,8 +1,11 | |||||
1 | logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink" |
|
1 | logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink" | |
2 |
|
2 | |||
3 |
|
||||
4 | # Check if systemd resolve directory exists |
|
3 | # Check if systemd resolve directory exists | |
5 | if [ -d "/run/systemd/resolve" ] ; then |
|
4 | if [ ! -d "/run/systemd/resolve" ] ; then | |
|
5 | systemctl enable systemd-resolved.service | |||
|
6 | systemctl restart systemd-resolved.service | |||
|
7 | fi | |||
|
8 | ||||
6 |
|
|
9 | # Create resolv.conf file if it does not exists | |
7 |
|
|
10 | if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then | |
8 |
|
|
11 | touch /run/systemd/resolve/resolv.conf | |
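Review bot: After the new `if [ ! -d "/run/systemd/resolve" ]` block (new lines 4-7), `touch /run/systemd/resolve/resolv.conf` at new line 11 runs unconditionally, so if enabling or restarting `systemd-resolved.service` did not create the directory (unit missing, restart failing) the `touch` now fails where the old code simply skipped this part. Re-checking the directory, e.g. `if [ -d "/run/systemd/resolve" ] && [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then`, keeps the old tolerance; the block continues in the next hunk.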
@@ -10,4 +13,3 if [ -d "/run/systemd/resolve" ] ; then | |||||
10 |
|
13 | |||
11 |
|
|
14 | # Create symlink to /etc/reolv.conf | |
12 |
|
|
15 | ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf | |
13 | fi |
|
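Review bot: `ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf` at new line 15 fails if `/etc/resolv.conf` already exists as a regular file (whether the chroot ships one is not visible here); `ln -sf` replaces it, or guard with `[ -L /etc/resolv.conf ] ||`. The comment at new line 14 has a typo: `# Create symlink to /etc/resolv.conf`.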
@@ -6,17 +6,18 cleanup (){ | |||||
6 |
|
6 | |||
7 | # Identify and kill all processes still using files |
|
7 | # Identify and kill all processes still using files | |
8 | echo "killing processes using mount point ..." |
|
8 | echo "killing processes using mount point ..." | |
9 | fuser -k $R |
|
9 | fuser -k "$R" | |
10 | sleep 3 |
|
10 | sleep 3 | |
11 | fuser -9 -k -v $R |
|
11 | fuser -9 -k -v "$R" | |
12 |
|
12 | |||
13 | # Clean up all temporary mount points |
|
13 | # Clean up all temporary mount points | |
14 | echo "removing temporary mount points ..." |
|
14 | echo "removing temporary mount points ..." | |
15 | umount -l $R/proc 2> /dev/null |
|
15 | umount -l "$R/proc" 2> /dev/null | |
16 | umount -l $R/sys 2> /dev/null |
|
16 | umount -l "$R/sys" 2> /dev/null | |
17 | umount -l $R/dev/pts 2> /dev/null |
|
17 | umount -l "$R/dev/pts" 2> /dev/null | |
18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
19 | umount "$BUILDDIR/mount" 2> /dev/null |
|
19 | umount "$BUILDDIR/mount" 2> /dev/null | |
|
20 | cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null | |||
20 | losetup -d "$ROOT_LOOP" 2> /dev/null |
|
21 | losetup -d "$ROOT_LOOP" 2> /dev/null | |
21 | losetup -d "$FRMW_LOOP" 2> /dev/null |
|
22 | losetup -d "$FRMW_LOOP" 2> /dev/null | |
22 | trap - 0 1 2 3 6 |
|
23 | trap - 0 1 2 3 6 |
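Review bot: `cryptsetup close "${CRYPTFS_MAPPING}"` at new line 20 runs in `cleanup` unconditionally, on the build host, with a user-configurable name whose default is `secure`; if the host has a real device-mapper mapping of that name and the build ran without `ENABLE_CRYPTFS`, cleanup would close the host's volume while it may be in use. Limiting it to the case that created the dummy mapping, `if [ "$ENABLE_CRYPTFS" = true ] ; then cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null ; fi`, narrows that; `cleanup` starts before the hunk.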
@@ -23,7 +23,7 fi | |||||
23 |
|
23 | |||
24 | # Check if ./functions.sh script exists |
|
24 | # Check if ./functions.sh script exists | |
25 | if [ ! -r "./functions.sh" ] ; then |
|
25 | if [ ! -r "./functions.sh" ] ; then | |
26 |
echo "error: './functions.sh' required script not found |
|
26 | echo "error: './functions.sh' required script not found!" | |
27 | exit 1 |
|
27 | exit 1 | |
28 | fi |
|
28 | fi | |
29 |
|
29 | |||
@@ -45,9 +45,9 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig} | |||||
45 | QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static} |
|
45 | QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static} | |
46 |
|
46 | |||
47 | # Build directories |
|
47 | # Build directories | |
48 | BASEDIR=$(pwd)/images/${RELEASE} |
|
48 | BASEDIR="$(pwd)/images/${RELEASE}" | |
49 | BUILDDIR=${BASEDIR}/build |
|
49 | BUILDDIR="${BASEDIR}/build" | |
50 | R=${BUILDDIR}/chroot |
|
50 | R="${BUILDDIR}/chroot" | |
51 |
|
51 | |||
52 | # General settings |
|
52 | # General settings | |
53 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
53 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} | |
@@ -101,6 +101,7 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |||||
101 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
101 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
102 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
102 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
103 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} |
|
103 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} | |
|
104 | ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false} | |||
104 |
|
105 | |||
105 | # Kernel compilation settings |
|
106 | # Kernel compilation settings | |
106 | BUILD_KERNEL=${BUILD_KERNEL:=false} |
|
107 | BUILD_KERNEL=${BUILD_KERNEL:=false} | |
@@ -120,12 +121,22 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false} | |||||
120 | REDUCE_APT=${REDUCE_APT:=true} |
|
121 | REDUCE_APT=${REDUCE_APT:=true} | |
121 | REDUCE_DOC=${REDUCE_DOC:=true} |
|
122 | REDUCE_DOC=${REDUCE_DOC:=true} | |
122 | REDUCE_MAN=${REDUCE_MAN:=true} |
|
123 | REDUCE_MAN=${REDUCE_MAN:=true} | |
123 |
REDUCE_VIM=${REDUCE_VIM:= |
|
124 | REDUCE_VIM=${REDUCE_VIM:=false} | |
124 | REDUCE_BASH=${REDUCE_BASH:=false} |
|
125 | REDUCE_BASH=${REDUCE_BASH:=false} | |
125 | REDUCE_HWDB=${REDUCE_HWDB:=true} |
|
126 | REDUCE_HWDB=${REDUCE_HWDB:=true} | |
126 | REDUCE_SSHD=${REDUCE_SSHD:=true} |
|
127 | REDUCE_SSHD=${REDUCE_SSHD:=true} | |
127 | REDUCE_LOCALE=${REDUCE_LOCALE:=true} |
|
128 | REDUCE_LOCALE=${REDUCE_LOCALE:=true} | |
128 |
|
129 | |||
|
130 | # Encrypted filesystem settings | |||
|
131 | ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false} | |||
|
132 | CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |||
|
133 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} | |||
|
134 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} | |||
|
135 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} | |||
|
136 | ||||
|
137 | # Stop the Crypto Wars | |||
|
138 | DISABLE_FBI=${DISABLE_FBI:=false} | |||
|
139 | ||||
129 | # Chroot scripts directory |
|
140 | # Chroot scripts directory | |
130 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
|
141 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} | |
131 |
|
142 | |||
@@ -149,6 +160,28 if [ "$KERNEL_MENUCONFIG" = true ] ; then | |||||
149 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev" |
|
160 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev" | |
150 | fi |
|
161 | fi | |
151 |
|
162 | |||
|
163 | # Stop the Crypto Wars | |||
|
164 | if [ "$DISABLE_FBI" = true ] ; then | |||
|
165 | ENABLE_CRYPTFS=true | |||
|
166 | fi | |||
|
167 | ||||
|
168 | # Add cryptsetup package to enable filesystem encryption | |||
|
169 | if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||
|
170 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" | |||
|
171 | APT_INCLUDES="${APT_INCLUDES},cryptsetup" | |||
|
172 | ||||
|
173 | if [ -z "$CRYPTFS_PASSWORD" ] ; then | |||
|
174 | echo "error: no password defined (CRYPTFS_PASSWORD)!" | |||
|
175 | exit 1 | |||
|
176 | fi | |||
|
177 | ENABLE_INITRAMFS=true | |||
|
178 | fi | |||
|
179 | ||||
|
180 | # Add initramfs generation tools | |||
|
181 | if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||
|
182 | APT_INCLUDES="${APT_INCLUDES},initramfs-tools" | |||
|
183 | fi | |||
|
184 | ||||
152 | # Check if all required packages are installed on the build system |
|
185 | # Check if all required packages are installed on the build system | |
153 | for package in $REQUIRED_PACKAGES ; do |
|
186 | for package in $REQUIRED_PACKAGES ; do | |
154 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
|
187 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then | |
@@ -193,6 +226,12 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then | |||||
193 | exit 1 |
|
226 | exit 1 | |
194 | fi |
|
227 | fi | |
195 |
|
228 | |||
|
229 | # Check if specified device mapping already exists (will be used by cryptsetup) | |||
|
230 | if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then | |||
|
231 | echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding" | |||
|
232 | exit 1 | |||
|
233 | fi | |||
|
234 | ||||
196 | # Don't clobber an old build |
|
235 | # Don't clobber an old build | |
197 | if [ -e "$BUILDDIR" ] ; then |
|
236 | if [ -e "$BUILDDIR" ] ; then | |
198 | echo "error: directory ${BUILDDIR} already exists, not proceeding" |
|
237 | echo "error: directory ${BUILDDIR} already exists, not proceeding" | |
@@ -215,7 +254,7 trap cleanup 0 1 2 3 6 | |||||
215 |
|
254 | |||
216 | # Add required packages for the minbase installation |
|
255 | # Add required packages for the minbase installation | |
217 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
256 | if [ "$ENABLE_MINBASE" = true ] ; then | |
218 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" |
|
257 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown" | |
219 | else |
|
258 | else | |
220 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
259 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" | |
221 | fi |
|
260 | fi | |
@@ -321,6 +360,11 fi | |||||
321 | # Remove apt-utils |
|
360 | # Remove apt-utils | |
322 | chroot_exec apt-get purge -qq -y --force-yes apt-utils |
|
361 | chroot_exec apt-get purge -qq -y --force-yes apt-utils | |
323 |
|
362 | |||
|
363 | # Generate required machine-id | |||
|
364 | MACHINE_ID=$(dbus-uuidgen) | |||
|
365 | echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id" | |||
|
366 | echo -n "${MACHINE_ID}" > "$R/etc/machine-id" | |||
|
367 | ||||
324 | # APT Cleanup |
|
368 | # APT Cleanup | |
325 | chroot_exec apt-get -y clean |
|
369 | chroot_exec apt-get -y clean | |
326 | chroot_exec apt-get -y autoclean |
|
370 | chroot_exec apt-get -y autoclean | |
@@ -331,19 +375,21 umount -l "$R/proc" | |||||
331 | umount -l "$R/sys" |
|
375 | umount -l "$R/sys" | |
332 |
|
376 | |||
333 | # Clean up directories |
|
377 | # Clean up directories | |
334 | rm -rf "$R/run" |
|
378 | rm -rf "$R/run/*" | |
335 | rm -rf "$R/tmp/*" |
|
379 | rm -rf "$R/tmp/*" | |
336 |
|
380 | |||
337 | # Clean up files |
|
381 | # Clean up files | |
|
382 | rm -f "$R/etc/ssh/ssh_host_*" | |||
|
383 | rm -f "$R/etc/dropbear/dropbear_*" | |||
338 | rm -f "$R/etc/apt/sources.list.save" |
|
384 | rm -f "$R/etc/apt/sources.list.save" | |
339 | rm -f "$R/etc/resolvconf/resolv.conf.d/original" |
|
385 | rm -f "$R/etc/resolvconf/resolv.conf.d/original" | |
340 | rm -f "$R/etc/*-" |
|
386 | rm -f "$R/etc/*-" | |
341 | rm -f "$R/root/.bash_history" |
|
387 | rm -f "$R/root/.bash_history" | |
342 | rm -f "$R/var/lib/urandom/random-seed" |
|
388 | rm -f "$R/var/lib/urandom/random-seed" | |
343 | rm -f "$R/var/lib/dbus/machine-id" |
|
|||
344 | rm -f "$R/etc/machine-id" |
|
|||
345 | rm -f "$R/etc/apt/apt.conf.d/10proxy" |
|
389 | rm -f "$R/etc/apt/apt.conf.d/10proxy" | |
346 | rm -f "$R/etc/resolv.conf" |
|
390 | rm -f "$R/etc/resolv.conf" | |
|
391 | rm -f "$R/initrd.img" | |||
|
392 | rm -f "$R/vmlinuz" | |||
347 | rm -f "${R}${QEMU_BINARY}" |
|
393 | rm -f "${R}${QEMU_BINARY}" | |
348 |
|
394 | |||
349 | # Calculate size of the chroot directory in KB |
|
395 | # Calculate size of the chroot directory in KB | |
@@ -371,43 +417,58 if [ "$ENABLE_SPLITFS" = true ] ; then | |||||
371 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} |
|
417 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} | |
372 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} |
|
418 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} | |
373 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} |
|
419 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} | |
374 | # Write partition tables |
|
420 | ||
375 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM |
|
421 | # Write firmware/boot partition tables | |
376 | unit: sectors |
|
422 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM | |
377 |
|
423 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* | ||
378 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable |
|
|||
379 | 2 : start= 0, size= 0, Id= 0 |
|
|||
380 | 3 : start= 0, size= 0, Id= 0 |
|
|||
381 | 4 : start= 0, size= 0, Id= 0 |
|
|||
382 | EOM |
|
424 | EOM | |
383 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM |
|
|||
384 | unit: sectors |
|
|||
385 |
|
425 | |||
386 | 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83 |
|
426 | # Write root partition table | |
387 | 2 : start= 0, size= 0, Id= 0 |
|
427 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM | |
388 | 3 : start= 0, size= 0, Id= 0 |
|
428 | ${TABLE_SECTORS},${ROOT_SECTORS},83 | |
389 | 4 : start= 0, size= 0, Id= 0 |
|
|||
390 | EOM |
|
429 | EOM | |
|
430 | ||||
391 | # Setup temporary loop devices |
|
431 | # Setup temporary loop devices | |
392 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)" |
|
432 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)" | |
393 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)" |
|
433 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)" | |
394 | else |
|
434 | else # ENABLE_SPLITFS=false | |
395 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} |
|
435 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
396 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} |
|
436 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |
397 | # Write partition table |
|
|||
398 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM |
|
|||
399 | unit: sectors |
|
|||
400 |
|
437 | |||
401 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable |
|
438 | # Write partition table | |
402 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 |
|
439 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM | |
403 | 3 : start= 0, size= 0, Id= 0 |
|
440 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* | |
404 | 4 : start= 0, size= 0, Id= 0 |
|
441 | ${ROOT_OFFSET},${ROOT_SECTORS},83 | |
405 | EOM |
|
442 | EOM | |
|
443 | ||||
406 | # Setup temporary loop devices |
|
444 | # Setup temporary loop devices | |
407 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
445 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
408 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
446 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
409 | fi |
|
447 | fi | |
410 |
|
448 | |||
|
449 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |||
|
450 | # Create dummy ext4 fs | |||
|
451 | mkfs.ext4 "$ROOT_LOOP" | |||
|
452 | ||||
|
453 | # Setup password keyfile | |||
|
454 | echo -n ${CRYPTFS_PASSWORD} > .password | |||
|
455 | ||||
|
456 | # Initialize encrypted partition | |||
|
457 | echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password | |||
|
458 | ||||
|
459 | # Open encrypted partition and setup mapping | |||
|
460 | cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}" | |||
|
461 | ||||
|
462 | # Secure delete password keyfile | |||
|
463 | shred -zu .password | |||
|
464 | ||||
|
465 | # Update temporary loop device | |||
|
466 | ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}" | |||
|
467 | ||||
|
468 | # Wipe encrypted partition (encryption cipher is used for randomness) | |||
|
469 | dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}") | |||
|
470 | fi | |||
|
471 | ||||
411 | # Build filesystems |
|
472 | # Build filesystems | |
412 | mkfs.vfat "$FRMW_LOOP" |
|
473 | mkfs.vfat "$FRMW_LOOP" | |
413 | mkfs.ext4 "$ROOT_LOOP" |
|
474 | mkfs.ext4 "$ROOT_LOOP" |
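Review bot: The exit status of `cryptsetup luksOpen` (and `luksFormat`) is never checked before `ROOT_LOOP` is repointed at `/dev/mapper/${CRYPTFS_MAPPING}` and zeroed with `dd`, so if the open fails — for instance because a mapping of that name already exists, which the earlier pre-check cannot catch since it tests `/dev/mapping/` rather than `/dev/mapper/` — the wipe hits whatever unrelated device sits behind that mapper name, and nothing else stops it because the script does not run under `set -e`. The passphrase handling is also weak: `echo -n ${CRYPTFS_PASSWORD} > .password` writes the secret unquoted (word-splitting and globbing change what is stored) to a predictable name in the current directory with the default umask, and the `shred -zu` is skipped if anything in between fails and is not reliable on journaling or copy-on-write filesystems anyway. Feeding the passphrase over stdin with `--key-file -` (plus `-q` so no "YES" confirmation is needed) removes the temporary file entirely; `printf '%s'` writes no trailing newline, so the stored key still matches what is typed at the boot prompt, exactly as the original `echo -n` intended. Both cryptsetup calls should abort the build on failure, which also fires the existing cleanup trap.

```sh
# … unchanged: dummy mkfs.ext4 on $ROOT_LOOP …

# Initialize encrypted partition. -q skips the confirmation prompt; the key is read from
# stdin so no passphrase file touches the disk. printf '%s' adds no trailing newline,
# which keeps the stored key identical to what the user types at the boot prompt.
if ! printf '%s' "${CRYPTFS_PASSWORD}" | cryptsetup -q luksFormat -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" --key-file - "${ROOT_LOOP}" ; then
  echo "error: cryptsetup luksFormat failed on ${ROOT_LOOP}"
  exit 1
fi

# Open encrypted partition and setup mapping. Abort before ROOT_LOOP is repointed at the
# mapping so a failed open (e.g. the name is already in use) can never lead to the dd
# wipe below running against an unrelated /dev/mapper device.
if ! printf '%s' "${CRYPTFS_PASSWORD}" | cryptsetup luksOpen --key-file - "${ROOT_LOOP}" "${CRYPTFS_MAPPING}" ; then
  echo "error: cryptsetup luksOpen failed on ${ROOT_LOOP}"
  exit 1
fi

# … unchanged: ROOT_LOOP reassignment and dd wipe of the mapping …
```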