Raspi2-3_GenImage Commit - r627:b39cf2ca3729 · Collaboration Tremplin des Sciences

Merge branch 'master' into drtyhlpr-master

Gérard Vidal -

r627:b39cf2ca3729 drtyhlpr-master

parent child

Context file:

r627:b39cf2ca3729

Expand all files

bootstrap.d/43-videocore.sh created 644 +56 0

@@ -0,0 +1,56
	1	#
	2	# Setup videocore - Raspberry Userland
	3	#
	4
	5	# Load utility functions
	6	. ./functions.sh
	7
	8	if [ "$ENABLE_VIDEOCORE" = true ] ; then
	9	# Copy existing videocore sources into chroot directory
	10	if [ -n "$VIDEOCORESRC_DIR" ] && [ -d "$VIDEOCORESRC_DIR" ] ; then
	11	# Copy local videocore sources
	12	cp -r "${VIDEOCORESRC_DIR}" "${R}/tmp/userland"
	13	else
	14	# Create temporary directory for videocore sources
	15	temp_dir=$(as_nobody mktemp -d)
	16
	17	# Fetch videocore sources
	18	as_nobody git -C "${temp_dir}" clone "${VIDEOCORE_URL}"
	19
	20	# Copy downloaded videocore sources
	21	mv "${temp_dir}/userland" "${R}/tmp/"
	22
	23	# Set permissions of the U-Boot sources
	24	chown -R root:root "${R}/tmp/userland"
	25
	26	# Remove temporary directory for U-Boot sources
	27	rm -fr "${temp_dir}"
	28	fi
	29
	30	# Create build dir
	31	mkdir "${R}"/tmp/userland/build
	32
	33	# push us to build directory
	34	cd "${R}"/tmp/userland/build
	35
	36	if [ "$RELEASE_ARCH" = "arm64" ] ; then
	37	cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
	38	fi
	39
	40	if [ "$RELEASE_ARCH" = "armel" ] ; then
	41	cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
	42	fi
	43
	44	if [ "$RELEASE_ARCH" = "armhf" ] ; then
	45	cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
	46	fi
	47
	48	#build userland
	49	make -j "$(nproc)"
	50
	51	#back to root of scriptdir
	52	cd "${WORKDIR}"
	53
	54	# Remove videocore sources
	55	rm -fr "${R}"/tmp/userland/
	56	fi

bootstrap.d/44-nexmon_monitor_patch.sh created 644 +97 0

@@ -0,0 +1,97
	1	#!/bin/sh
	2	#
	3	# Build and Setup nexmon with monitor mode patch
	4	#
	5
	6	# Load utility functions
	7	. ./functions.sh
	8
	9	if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
	10	# Copy existing nexmon sources into chroot directory
	11	if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
	12	# Copy local U-Boot sources
	13	cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
	14	else
	15	# Create temporary directory for nexmon sources
	16	temp_dir=$(as_nobody mktemp -d)
	17
	18	# Fetch nexmon sources
	19	as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
	20
	21	# Copy downloaded nexmon sources
	22	mv "${temp_dir}/nexmon" "${R}"/tmp/
	23
	24	# Set permissions of the nexmon sources
	25	chown -R root:root "${R}"/tmp/nexmon
	26
	27	# Remove temporary directory for nexmon sources
	28	rm -fr "${temp_dir}"
	29	fi
	30
	31	# Set script Root
	32	export NEXMON_ROOT="${R}"/tmp/nexmon
	33
	34	# Build nexmon firmware outside the build system, if we can.
	35	cd "${NEXMON_ROOT}" \|\| exit
	36
	37	# Make ancient isl build
	38	cd buildtools/isl-0.10 \|\| exit
	39	./configure
	40	make
	41	cd ../.. \|\| exit
	42
	43	# Disable statistics
	44	touch DISABLE_STATISTICS
	45
	46	# Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
	47	export KERNEL="${KERNEL_IMAGE}"
	48	export ARCH=arm
	49	export SUBARCH=arm
	50	export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	51	export CC="${CC}"gcc
	52	export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
	53	export ZLIBFLATE="zlib-flate -compress"
	54	export Q=@
	55	export NEXMON_SETUP_ENV=1
	56	export HOSTUNAME=$(uname -s)
	57	export PLATFORMUNAME=$(uname -m)
	58
	59	# Make nexmon
	60	make
	61
	62	# build patches
	63	if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] ; then
	64	cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon \|\| exit
	65	sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
	66	make clean
	67
	68	# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
	69	LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	70
	71	# copy RPi0W & RPi3 firmware
	72	mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
	73	cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
	74	cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
	75	fi
	76
	77	if [ "$RPI_MODEL" = 3P ] ; then
	78	cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon \|\| exit
	79	sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
	80	make clean
	81
	82	# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
	83	LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	84
	85	# RPi3B+ firmware
	86	mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
	87	cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
	88	cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
	89	fi
	90
	91	#Revert to previous directory
	92	cd "${WORKDIR}" \|\| exit
	93
	94	# Remove nexmon sources
	95	rm -fr "${NEXMON_ROOT}"
	96
	97	fi

files/etc/99-com.rules created 644 +33 0

@@ -0,0 +1,33
	1	SUBSYSTEM=="input", GROUP="input", MODE="0660"
	2	SUBSYSTEM=="i2c-dev", GROUP="i2c", MODE="0660"
	3	SUBSYSTEM=="spidev", GROUP="spi", MODE="0660"
	4	SUBSYSTEM=="bcm2835-gpiomem", GROUP="gpio", MODE="0660"
	5
	6	SUBSYSTEM=="gpio", GROUP="gpio", MODE="0660"
	7	SUBSYSTEM=="gpio*", PROGRAM="/bin/sh -c '\
	8	chown -R root:gpio /sys/class/gpio && chmod -R 770 /sys/class/gpio;\
	9	chown -R root:gpio /sys/devices/virtual/gpio && chmod -R 770 /sys/devices/virtual/gpio;\
	10	chown -R root:gpio /sys$devpath && chmod -R 770 /sys$devpath\
	11	'"
	12
	13	KERNEL=="ttyAMA[01]", PROGRAM="/bin/sh -c '\
	14	ALIASES=/proc/device-tree/aliases; \
	15	if cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
	16	echo 0;\
	17	elif cmp -s $ALIASES/uart0 $ALIASES/serial1; then \
	18	echo 1; \
	19	else \
	20	exit 1; \
	21	fi\
	22	'", SYMLINK+="serial%c"
	23
	24	KERNEL=="ttyS0", PROGRAM="/bin/sh -c '\
	25	ALIASES=/proc/device-tree/aliases; \
	26	if cmp -s $ALIASES/uart1 $ALIASES/serial0; then \
	27	echo 0; \
	28	elif cmp -s $ALIASES/uart1 $ALIASES/serial1; then \
	29	echo 1; \
	30	else \
	31	exit 1; \
	32	fi \
	33	'", SYMLINK+="serial%c"

files/firstboot/23-restart-dphys-swapfile.sh created 644 +5 0

@@ -0,0 +1,5
	1	# Restart dphys-swapfile service if it exists
	2	logger -t "rc.firstboot" "Restarting dphys-swapfile"
	3
	4	systemctl enable dphys-swapfile
	5	systemctl restart dphys-swapfile

files/initramfs/crypt_unlock.sh created 644 +45 0

@@ -0,0 +1,45
	1	#!/bin/sh
	2
	3	PREREQ="dropbear"
	4
	5	prereqs() {
	6	echo "$PREREQ"
	7	}
	8
	9	case "$1" in
	10	prereqs)
	11	prereqs
	12	exit 0
	13	;;
	14	esac
	15
	16	. "${CONFDIR}/initramfs.conf"
	17	. /usr/share/initramfs-tools/hook-functions
	18
	19	if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
	20	cat > "${DESTDIR}/bin/unlock" << EOF
	21	#!/bin/sh
	22	if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
	23	kill \`ps \| grep cryptroot \| grep -v "grep" \| awk '{print \$1}'\`
	24	# following line kill the remote shell right after the passphrase has
	25	# been entered.
	26	kill -9 \`ps \| grep "\-sh" \| grep -v "grep" \| awk '{print \$1}'\`
	27	exit 0
	28	fi
	29	exit 1
	30	EOF
	31
	32	chmod 755 "${DESTDIR}/bin/unlock"
	33
	34	mkdir -p "${DESTDIR}/lib/unlock"
	35	cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
	36	#!/bin/sh
	37	[ "\$1" == "--ping" ] && exit 1
	38	/bin/plymouth "\$@"
	39	EOF
	40
	41	chmod 755 "${DESTDIR}/lib/unlock/plymouth"
	42
	43	echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
	44
	45	fi No newline at end of file

files/iptables/nftables.rules created 644 +21 0

@@ -0,0 +1,21
	1	add table ip filter
	2	add chain ip filter INPUT { type filter hook input priority 0; }
	3	add chain ip filter FORWARD { type filter hook forward priority 0; }
	4	add chain ip filter OUTPUT { type filter hook output priority 0; }
	5	add chain ip filter TCP
	6	add chain ip filter UDP
	7	add chain ip filter SSH
	8	add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
	9	add rule ip filter INPUT icmp type echo-request counter drop
	10	add rule ip filter INPUT ct state related,established counter accept
	11	add rule ip filter INPUT iifname lo counter accept
	12	add rule ip filter INPUT ct state invalid counter drop
	13	add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
	14	# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
	15	# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
	16	# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
	17	add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
	18	add rule ip filter INPUT tcp flags & fin\|syn\|rst\|ack == syn ct state new counter jump TCP
	19	add rule ip filter INPUT ip protocol udp counter reject
	20	add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
	21	add rule ip filter INPUT counter reject with icmp type prot-unreachable

files/iptables/nftables6.rules created 644 +24 0

@@ -0,0 +1,24
	1	add table ip6 filter
	2	add chain ip6 filter INPUT { type filter hook input priority 0; }
	3	add chain ip6 filter FORWARD { type filter hook forward priority 0; }
	4	add chain ip6 filter OUTPUT { type filter hook output priority 0; }
	5	add chain ip6 filter TCP
	6	add chain ip6 filter UDP
	7	add chain ip6 filter SSH
	8	add rule ip6 filter INPUT rt type 0 counter drop
	9	add rule ip6 filter OUTPUT rt type 0 counter drop
	10	add rule ip6 filter FORWARD rt type 0 counter drop
	11	add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 30/minute burst 8 packets counter accept
	12	add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request counter drop
	13	add rule ip6 filter INPUT ct state related,established counter accept
	14	add rule ip6 filter INPUT iifname lo counter accept
	15	add rule ip6 filter INPUT ct state invalid counter drop
	16	add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
	17	# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
	18	# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
	19	# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
	20	add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
	21	add rule ip6 filter INPUT tcp flags & fin\|syn\|rst\|ack == syn ct state new counter jump TCP
	22	add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
	23	add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
	24	add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited

files/network/wlan.network created 644 +12 0

@@ -0,0 +1,12
	1	[Match]
	2	Name=wlan0
	3
	4	[Network]
	5	DHCP=no
	6	Address=
	7	Gateway=
	8	DNS=
	9	DNS=
	10	Domains=
	11	NTP=
	12	NTP=

files/sysctl.d/83-rpi-printk.conf created 644 +1 0

	@@ -0,0 +1,1
				1	kernel.printk = 3 4 1 3 No newline at end of file

files/sysctl.d/84-rpi-ASLR.conf created 644 +2 0

@@ -0,0 +1,2
	1	# ASLR
	2	kernel.randomize_va_space = 2 No newline at end of file

templates/rpi0buster created 644 +5 0

@@ -0,0 +1,5
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=0
	3	RELEASE=buster
	4	BUILD_KERNEL=true
	5	# ENABLE_BLUETOOTH=false

templates/rpi0stretch created 644 +5 0

@@ -0,0 +1,5
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=0
	3	RELEASE=stretch
	4	BUILD_KERNEL=true
	5	# ENABLE_BLUETOOTH=false

templates/rpi1Pbuster created 644 +4 0

@@ -0,0 +1,4
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=1P
	3	RELEASE=buster
	4	BUILD_KERNEL=true

templates/rpi1Pstretch created 644 +4 0

@@ -0,0 +1,4
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=1P
	3	RELEASE=stretch
	4	BUILD_KERNEL=true

templates/rpi1stretch created 644 +4 0

@@ -0,0 +1,4
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=2
	3	RELEASE=stretch
	4	BUILD_KERNEL=true

templates/rpi3Pbuster created 644 +6 0

@@ -0,0 +1,6
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=3P
	3	RELEASE=buster
	4	BUILD_KERNEL=true
	5	# ENABLE_WIRELESS=false
	6	# ENABLE_BLUETOOTH=false

templates/rpi3Pstretch created 644 +6 0

@@ -0,0 +1,6
	1	# Configuration template file used by rpi23-gen-image.sh
	2	RPI_MODEL=3P
	3	RELEASE=stretch
	4	BUILD_KERNEL=true
	5	# ENABLE_WIRELESS=false
	6	# ENABLE_BLUETOOTH=false

README-CN.md +6 -6

             ## 介绍
-            `rpi23-gen-image.sh` 是一个自动生成树莓派2/3系统镜像的脚本工具, 当前支持自动生成32位 armhf 架构的Debian, 发行版本`jessie`, `stretch` 和 `buster`. 树莓派3 64位镜像需要使用特定的配置参数 (```templates/rpi3-stretch-arm64-4.11.y```).
+            `rpi23-gen-image.sh` 是一个自动生成树莓派2/3系统镜像的脚本工具, 当前支持自动生成32位 armhf 架构的Debian, 发行版本`jessie`, `stretch` 和 `buster`. 树莓派3 64位镜像需要使用特定的配置参数 (```templates/rpi3-stretch-arm64-4.14.y```).
             ## 构建环境所依赖的包
             一定要安装好下列deb包, 他们是构建过程需要的核心包. 脚本会自动检查, 如果缺少,经用户确认后会自动安装.
               ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
             推荐通过配置 `rpi23-gen-image.sh` 脚本编译安装最新的树莓派 Linux 内核, 对于树莓派3, 只能如此. 在构建系统上使用 ARM (armhf) 交叉编译工具链编译内核.
             脚本已经在Debian Liux `jessie` 和`stretch` 构建系统下使用默认的 `crossbuild-essential-armhf` 工具链进行过测试. 获取更多信息请查看 [Debian 交叉工具链 Wiki](https://wiki.debian.org/CrossToolchains) .
             如果使用Debian Linux `jessie` 构建系统, 先要添加交叉编译工具链的源 [Debian 交叉工具链仓库](http://emdebian.org/tools/debian/):
             ```
             echo "deb http://emdebian.org/tools/debian/ jessie main" > /etc/apt/sources.list.d/crosstools.list
             sudo -u nobody wget -O - http://emdebian.org/tools/debian/emdebian-toolchain-archive.key | apt-key add -
             dpkg --add-architecture armhf
             apt-get update
             ```
             ## 命令行参数
             脚本可以使用特定的命令行参数来允许或禁止操作系统的某些特性、服务和配置信息. 这些参数通过（简单）脚本变量传递给 `rpi23-gen-image.sh`. 不同于环境变量, （简单）脚本变量在调用`rpi23-gen-image.sh`的命令行前面定义.
             ##### 命令行示例:
             ```shell
             ENABLE_UBOOT=true ./rpi23-gen-image.sh
             ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
             ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
             ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
             APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
             ENABLE_MINBASE=true ./rpi23-gen-image.sh
             BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
             BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
             ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
             RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             ```
             ## 参数模板文件
             为了避免冗长的命令行参数以及存储感兴趣的参数配置, `rpi23-gen-image.sh` 支持所谓的参数模板文件 (`CONFIG_TEMPLATE`=template). 这些文本文件位于 `./templates` 目录, 文件中含有将会使用的配置参数. 新的配置模板文件会被添加到 `./templates` 目录.
             ##### 命令行示例:
             ```shell
             CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
             CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
             ```
             ## 支持的参数和设置
             #### APT 设置:
             ##### `APT_SERVER`="ftp.debian.org"
             设置 Debian 仓库地址. 选择一个 [镜像站点](https://www.debian.org/mirror/list). 选一个近的镜像站点会加快镜像生成过程中所需文件的下载速度.
             ##### `APT_PROXY`=""
             设置代理服务器地址. 使用本地缓存代理, 比如 `apt-cacher-ng` 可以缩短镜像生成时间, 因为所需要的 Debian 包文件只需下载一次.
             ##### `APT_INCLUDES`=""
             生成镜像过程中最先由debootstrap程序自动安装的附加包, 逗号分隔.
             ##### `APT_INCLUDES_LATE`=""
             生成镜像过程中最初的debootstrap完成后, 需要的使用apt命令安装的附加包, 逗号分隔. 特别用在含有 pre-depend 依赖关系的包的, 其依赖关系在打包过程中debootstrap程序中无法正确处理.
             ---
             #### 通用系统设置:
             ##### `RPI_MODEL`=2
             指定树莓派型号. 当前支持树莓派 `2` 和 `3`. 设为 `3` 时 `BUILD_KERNEL` 自动设为true .
             ##### `RELEASE`="jessie"
             设置 Debian 发行版. 脚本当前支持 Debian 发行版 "jessie", "stretch" 和 "buster" 的自动生成. 设为`stretch` 或 `buster`时 `BUILD_KERNEL` 自动设为true.
             ##### `RELEASE_ARCH`="armhf"
             设置期望的 Debian 发行架构.
             ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
             设置主机名称. 建议所在的子网中主机名称是唯一的.
             ##### `PASSWORD`="raspberry"
             设置系统的 `root` 用户密码.  **强烈**建议选择一个自定义密码 .
             ##### `USER_PASSWORD`="raspberry"
             设置由 `USER_NAME`=pi 参数创建的普通用户的密码.  如果 `ENABLE_USER`=false 则忽略. **强烈**建议选择一个自定义密码.
             ##### `DEFLOCAL`="en_US.UTF-8"
             设置系统默认 locale.  将来可以在运行的系统中执行 `dpkg-reconfigure locales` 命令更改此项设置. 设置这项脚本会自动安装 `locales`, `keyboard-configuration` 和 `console-setup` 三个包.
             ##### `TIMEZONE`="Europe/Berlin"
             设置系统默认时区.  可以在`/usr/share/zoneinfo/` 目录中找到全部可用时区. 将来可以在运行的系统中执行 `dpkg-reconfigure tzdata` 命令更改此项设置.
             ##### `EXPANDROOT`=true
             第一次运行时自动扩展根分区和文件系统.
             ---
             #### 键盘设置:
             这些选项用来配置键盘布局文件 `/etc/default/keyboard` 影响控制台和X窗口. 将来可以在运行的系统中执行 `dpkg-reconfigure keyboard-configuration` 命令更改此项设置.
             ##### `XKB_MODEL`=""
             设置键盘类型, 大陆常见pc104.
             ##### `XKB_LAYOUT`=""
             设置键盘布局, 大陆常见us.
             ##### `XKB_VARIANT`=""
             设置键盘布局变种.
             ##### `XKB_OPTIONS`=""
             设置其它 XKB 配置选项.
             ---
             #### 网络设置 (动态):
             设置网络为自动获取IP地址. 配置文件位于 `/etc/systemd/network/eth.network`. 在Debian `stretch`中, 默认位置更改为 `/lib/systemd/network`.
             ##### `ENABLE_DHCP`=true
             设置系统使用 DHCP 获取动态IP. 需要有一个 DHCP 服务器.
             ---
             #### 网络设置 (静态):
             设置系统为手动配置IP地址. 配置文件位于 `/etc/systemd/network/eth.network`. 在Debian `stretch` 中, 默认位置更改为 `/lib/systemd/network`.
             当 `ENABLE_DHCP`=false 时下面这些静态IP设置才起作用.
             ##### `NET_ADDRESS`=""
             设置静态 IPv4 或 IPv6, 使用CIDR "/"形式, 如 "192.169.0.3/24".
             ##### `NET_GATEWAY`=""
             设置默认网关的地址.
             ##### `NET_DNS_1`=""
             设置主域名服务器地址.
             ##### `NET_DNS_2`=""
             设置辅域名服务器地址.
             ##### `NET_DNS_DOMAINS`=""
             设置默认的域名搜索后缀, 当主机名称不是一个完整域名(FQDN)时使用.
             ##### `NET_NTP_1`=""
             设置主时间服务器地址.
             ##### `NET_NTP_2`=""
             设置辅时间服务器地址.
             ---
             #### 基本系统特性:
             ##### `ENABLE_CONSOLE`=true
             允许串行控制台接口. 没有连接显示器键盘的树莓派推荐打开, 此时如果网络无法连接至树莓派, 可以使用串行控制台连至系统.
             ##### `ENABLE_I2C`=false
-            允许树莓派2/3的 I2C 接口. 请对照 [树莓派2/3 引脚示意图](http://elinux.org/RPi_Low-level_peripherals) 正确连接 GPIO 引脚.
+            允许树莓派2/3的 I2C 接口. 请对照 [树莓派2/3 引脚示意图](https://elinux.org/RPi_Low-level_peripherals) 正确连接 GPIO 引脚.
             ##### `ENABLE_SPI`=false
-            允许树莓派2/3的 SPI 接口. 请对照 [树莓派2/3 引脚示意图](http://elinux.org/RPi_Low-level_peripherals) 正确连接 GPIO 引脚.
+            允许树莓派2/3的 SPI 接口. 请对照 [树莓派2/3 引脚示意图](https://elinux.org/RPi_Low-level_peripherals) 正确连接 GPIO 引脚.
             ##### `ENABLE_IPV6`=true
             允许 IPv6 . 通过 systemd-networkd 配置管理网络接口.
             ##### `ENABLE_SSHD`=true
             安装并且允许 OpenSSH 服务. 此服务默认禁止 `root` 用户远程登录. 使用普通用户 `pi` 远程登录然后使用 `su -` 或 `sudo` 来取得root权限.
             ##### `ENABLE_NONFREE`=false
             允许安装仓库中的 non-free 类的软件包. 需要安装闭源的固件, 二进制大对象 blob.
             ##### `ENABLE_WIRELESS`=false
             下载安装树莓派3无线接口所需要的闭源固件 二进制blob [树莓派3无线接口固件](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm). 如果 `RPI_MODEL` 不是 `3` 则忽略.
             ##### `ENABLE_RSYSLOG`=true
             如果设置为 false, 禁用并卸载 rsyslog,  则只能通过日志文件查看logs.
             ##### `ENABLE_SOUND`=true
             允许声卡并且安装 ALSA.
             ##### `ENABLE_HWRANDOM`=true
             允许硬件随机数发生器. 强随机数对大多数使用加密的网络通信是非常重要的. 推荐允许此设置.
             ##### `ENABLE_MINGPU`=false
             最小化显存 (16MB, no X), 目前无法完全禁用GPU.
             ##### `ENABLE_DBUS`=true
             安装并允许 D-Bus 消息总线.  虽然 systemd 可以在没有 D-bus的情况下工作, 但是推荐允许D-Bus.
             ##### `ENABLE_XORG`=false
             是否安装 Xorg, 开源 X11 系统.
             ##### `ENABLE_WM`=""
             安装用户指定的X Window 窗口管理器. 如果设置了`ENABLE_WM`, 系统确定所有被依赖的X11相关软件包都安装好了以后`ENABLE_XORG`会自动设置为true,  `rpi23-gen-image.sh` 脚本已经通过下列窗口管理器的测试: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
             ---
             #### 高级系统特性:
             ##### `ENABLE_MINBASE`=false
             使用 debootstrap 脚本变量 `minbase`, 只含有必不可少的核心包和apt. 体积大约 65 MB.
             ##### `ENABLE_REDUCE`=false
             卸载包、删除文件以减小体积 详情查看 `REDUCE_*` 参数.
             ##### `ENABLE_UBOOT`=false
-            使用 [U-Boot 引导器](http://git.denx.de/?p=u-boot.git;a=summary) 替代树莓派2/3 默认的第二阶段引导器(bootcode.bin).  U-Boot 可以通过网络使用 BOOTP/TFTP 协议引导镜像文件.
+            使用 [U-Boot 引导器](https://git.denx.de/?p=u-boot.git;a=summary) 替代树莓派2/3 默认的第二阶段引导器(bootcode.bin).  U-Boot 可以通过网络使用 BOOTP/TFTP 协议引导镜像文件.
             ##### `UBOOTSRC_DIR`=""
-            存放已下载 [U-Boot 引导器源文件](http://git.denx.de/?p=u-boot.git;a=summary) 的目录(`u-boot`).
+            存放已下载 [U-Boot 引导器源文件](https://git.denx.de/?p=u-boot.git;a=summary) 的目录(`u-boot`).
             ##### `ENABLE_FBTURBO`=false
             安装并且允许 [硬件加速的 Xorg 显卡驱动](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. 当前仅支持窗口的移动和滚动的硬件加速.
             ##### `FBTURBOSRC_DIR`=""
             设置存放已下载的 [硬件加速的 Xorg 显卡驱动](https://github.com/ssvb/xf86-video-fbturbo) 的目录 (`xf86-video-fbturbo`) , 可以复制到chroot内配置、构建和安装.
             ##### `ENABLE_IPTABLES`=false
             允许 iptables 防火墙. 使用最简单的规则集: 允许所有出站连接;禁止除OpenSSH外的所有入站连接.
             ##### `ENABLE_USER`=true
             创建普通用户, 默认用户名`pi`, 默认密码raspberry.  可以使用 `USER_NAME`=user 更改默认用户名;使用 `USER_PASSWORD`=raspberry 更改默认密码.
             ##### `USER_NAME`=pi
             创建普通用户pi. 如果`ENABLE_USER`=false 此参数被忽略.
             ##### `ENABLE_ROOT`=false
             允许root用户登录, 需要设置 root 用户密码.
             ##### `ENABLE_HARDNET`=false
             允许加固 IPv4/IPv6 协议栈, 防止DoS攻击.
             ##### `ENABLE_SPLITFS`=false
             允许将根分区放在USB驱动器中. 将会生成两个镜像文件, 一个挂载为 `/boot/firmware` , 另一个挂载为 `/`.
             ##### `CHROOT_SCRIPTS`=""
             设置自定义脚本目录的路径, 该目录中的脚本在镜像文件构建完成之前在chroot中运行. 这个目录里的可执行文件按着字典序运行.
             ##### `ENABLE_INITRAMFS`=false
             创建 Linux 启动时加载的 initramfs .如果 `ENABLE_CRYPTFS`=true 那么 `ENABLE_INITRAMFS` 自动设为true . 如果 `BUILD_KERNEL`=false 此参数被忽略.
             ##### `ENABLE_IFNAMES`=true
             允许一致/可预测网络接口命名, 支持 Debian 发行版 `stretch` 或 `buster` .
             ##### `DISABLE_UNDERVOLT_WARNINGS`=
             禁止树莓派2/3 的低电压警告. 设为 `1` 禁止警告. 设为 `2` 额外允许低电压下的turbo增强模式.
             ---
             #### SSH 设置:
             ##### `SSH_ENABLE_ROOT`=false
             允许root通过密码验证方式远程登录系统. 如果没有修改默认密码, 这将是个巨大的安全隐患. `ENABLE_ROOT` 必须设为 `true`.
             ##### `SSH_DISABLE_PASSWORD_AUTH`=false
             禁用SSH的密码验证方式, 只支持SSH (v2)的公钥认证.
             ##### `SSH_LIMIT_USERS`=false
             限制通过SSH远程登录的用户. 只允许由 `USER_NAME`=pi 参数创建的普通用户, 以及当 `SSH_ENABLE_ROOT`=true 时 root 用户远程登录. 如果使用的守护程序是 `dropbear` (通过 `REDUCE_SSHD`=true 设置) 则忽略此参数.
             ##### `SSH_ROOT_PUB_KEY`=""
             从指定文件(可包含多个公钥)添加 SSH (v2) 公钥到 `authorized_keys` 文件, 使得 `root` 用户可以使用SSH (v2)的公钥验证方式远程登录, 不支持SSH (v1).  `ENABLE_ROOT` **和** `SSH_ENABLE_ROOT` 必须同时设为 `true`.
             ##### `SSH_USER_PUB_KEY`=""
             从指定文件(可包含多个公钥)添加 SSH (v2) 公钥到 `authorized_keys` 文件, 使得由 `USER_NAME`=pi 参数创建的普通用户可以使用SSH (v2)的公钥验证方式远程登录, 不支持SSH (v1).
             ---
             #### 内核编译:
             ##### `BUILD_KERNEL`=false
             构建安装最新的树莓派 2/3 Linux 内核, 当前只支持默认内核配置. 如果设置为树莓派`3`那么自动设置`BUILD_KERNEL`=true .
             ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
             设置交叉编译器.
             ##### `KERNEL_ARCH`="arm"
             设置内核架构.
             ##### `KERNEL_IMAGE`="kernel7.img"
             内核镜像名称, 如果没有设置, 编译32位内核默认“kernel7.img” 64位内核默认 "kernel8.img".
             ##### `KERNEL_BRANCH`=""
             GIT里的树莓派内核源代码分支名称, 默认使用当前默认分支.
             ##### `QEMU_BINARY`="/usr/bin/qemu-arm-static"
             设置构建系统中的QEMU程序位置. 如果没有设置, 32位内核默认 “/usr/bin/qemu-arm-static” 64位内核默认 "/usr/bin/qemu-aarch64-static".
             ##### `KERNEL_DEFCONFIG`="bcm2709_defconfig"
             设置编译内核的默认配置. 如果没有设置, 32位内核默认"bcm2709_defconfig" 64位内核默认"bcmrpi3\_defconfig".
             ##### `KERNEL_REDUCE`=false
             缩小内核体积, 移除不想要的设备驱动、网络驱动和文件系统驱动 (实验性质).
             ##### `KERNEL_THREADS`=1
             编译内核时的并发线程数量. 如果使用默认设置, 系统会自动检测CPU的内核数量, 设置线程数量, 加速内核编译.
             ##### `KERNEL_HEADERS`=true
             安装内核相应的头文件.
             ##### `KERNEL_MENUCONFIG`=false
             运行`make menuconfig`使用菜单界面配置内核. 退出配置菜单后脚本继续运行.
             ##### `KERNEL_REMOVESRC`=true
             编译安装完成后, 删掉内核源代码, 产生的镜像不含内核源代码.
             ##### `KERNELSRC_DIR`=""
             已下载好的 [Github上的树莓派官方内核](https://github.com/raspberrypi/linux) 源码所在目录 (`linux`) 的路径, 可以复制到chroot内配置、构建和安装.
             ##### `KERNELSRC_CLEAN`=false
             当`KERNELSRC_DIR`被复制到 chroot 之后开始编译之前(使用 `make mrproper`)清理内核源代码. 如果 `KERNELSRC_DIR` 没有设置或者 `KERNELSRC_PREBUILT`=true时忽略此设置.
             ##### `KERNELSRC_CONFIG`=true
             在编译前使用 `make bcm2709_defconfig` (也可以选择 `make menuconfig`) 配置内核源代码. 如果`KERNELSRC_DIR`指定的源码存放目录不存在,这个参数自动设为 `true`. 如果 `KERNELSRC_PREBUILT`=true 忽略此参数.
             ##### `KERNELSRC_USRCONFIG`=""
             复制自己的配置文件到内核的 `.config`. 如果 `KERNEL_MENUCONFIG`=true 拷贝完成后自动运行 make menuconfig.
             ##### `KERNELSRC_PREBUILT`=false
             如果这个参数设为true 表示内核源代码目录中包含成功交叉编译好的内核. 忽略 `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` 这四个参数,不再执行交叉编译操作.
             ##### `RPI_FIRMWARE_DIR`=""
             指定目录 (`firmware`) 含有已经从 [Github上的树莓派官方固件](https://github.com/raspberrypi/firmware)下载到本地的固件. 默认直接从网上下载最新的固件.
             ---
             #### 缩小体积:
             如果 `ENABLE_REDUCE`=false 则忽略下列参数.
             ##### `REDUCE_APT`=true
             配置 APT,压缩仓库文件列表,不缓存下载的包文件.
             ##### `REDUCE_DOC`=true
             移除所有的doc文档文件(harsh). 配置 APT, 将来使用`apt-get`安装deb包时不包括doc文件.
             ##### `REDUCE_MAN`=true
             移除所有的man手册页和info文件 (harsh).  配置 APT, 将来使用`apt-get`安装deb包时不包括man手册页.
             ##### `REDUCE_VIM`=false
             使用vim的小型克隆 `levee` 替代 `vim-tiny`.
             ##### `REDUCE_BASH`=false
             使用 `dash` 代替 `bash` (实验性质).
             ##### `REDUCE_HWDB`=true
             移除与 PCI 相关的 hwdb 文件 (实验性质).
             ##### `REDUCE_SSHD`=true
             使用`dropbear`代替 `openssh-server`.
             ##### `REDUCE_LOCALE`=true
             移除所有的 `locale` 本地化文件.
             ---
             #### 加密根分区:
             ##### `ENABLE_CRYPTFS`=false
             使用dm-crypt进行全盘加密. 创建一个 LUKS 加密根分区 (加密方法 aes-xts-plain64:sha512) 并生成所需要的 initramfs.  /boot 目录不会被加密. 当`BUILD_KERNEL`=false时忽略此参数. `ENABLE_CRYPTFS` 这个参数当前是实验性质的. SSH-to-initramfs 当前不支持,正在进行中.
             ##### `CRYPTFS_PASSWORD`=""
             设置根分区的加密密码. 如果 `ENABLE_CRYPTFS`=true,请务必设置此参数.
             ##### `CRYPTFS_MAPPING`="secure"
             设置device-mapper映射名称.
             ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
             加密算法. 推荐 `aes-xts*`加密法.
             ##### `CRYPTFS_XTSKEYSIZE`=512
             设置密钥长度,8的倍数,以bit为单位.
             ---
             #### Build settings构建设置:
             ##### `BASEDIR`=$(pwd)/images/${RELEASE}
             设置产生镜像的目录.
             ##### `IMAGE_NAME`=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}
             设置镜像文件名. 如果`ENABLE_SPLITFS`=false则文件名$IMAGE_NAME.img 如果`ENABLE_SPLITFS`=true则文件名$IMAGE_NAME-frmw.img 和 $IMAGE_NAME-root.img. 如果没有设置 `KERNEL_BRANCH` 则使用 "CURRENT" .
             ## 理解脚本
             制作镜像的每个阶段所实现的功能都由各自的脚本完成, 位于 `bootstrap.d` 目录. 按着字典序执行:
             | 脚本 | 说明 |
             | --- | --- |
             | `10-bootstrap.sh` | 生成基本系统 |
             | `11-apt.sh` | 设置 APT 仓库源 |
             | `12-locale.sh` | 设置 Locales 和 keyboard |
             | `13-kernel.sh` | 编译安装树莓派 2/3 内核 |
             | `14-fstab.sh` | 设置 fstab 和 initramfs |
             | `15-rpi-config.sh` | 设置 RPi2/3 config and cmdline |
             | `20-networking.sh` | 设置网络 |
             | `21-firewall.sh` | 设置防火墙 |
             | `30-security.sh` | 设置用户以及安全相关 |
             | `31-logging.sh` | 设置日志 |
             | `32-sshd.sh` | 设置 SSH 和公钥 |
             | `41-uboot.sh` | 编译设置 U-Boot |
             | `42-fbturbo.sh` | 编译设置 fbturbo Xorg 驱动 |
             | `50-firstboot.sh` | 首次启动执行的任务 |
             | `99-reduce.sh` | 缩小体积 |
             所有需要拷贝到镜像文件的配置文件都位于 `files` 目录. 最好不要手动更改这些配置文件.
             | 目录 | 说明 |
             | --- | --- |
             | `apt` | APT 管理配置文件 |
             | `boot` | 引导文件 树莓派2/3配置文件 |
             | `dpkg` | 包管理配置文件 |
             | `etc` | 配置文件以及 rc 启动脚本 |
             | `firstboot` | 首次引导执行的脚本  |
             | `initramfs` | Initramfs 脚本 |
             | `iptables` | 防火墙配置文件 |
             | `locales` | Locales 配置 |
             | `modules` | 内核模块配置 |
             | `mount` | Fstab 配置 |
             | `network` | 网络配置文件 |
             | `sysctl.d` | 交换文件以及IP协议加固配置文件 |
             | `xorg` | fbturbo Xorg 驱动配置 |
             ## 自定义包和脚本
              `packages` 目录里放置自定义deb包, 比如系统仓库里没有的软件.在安装完系统仓库中的包之后安装. 自定义包所依赖的deb包会自动从系统仓库下载. 不要把自定义包添加到 `APT_INCLUDES` 参数中.
              `custom.d` 目录中的脚本会在其它安装都完成后, 创建镜像文件之前执行.
             ## 记录镜像产生过程的信息
             所有镜像产生过程的信息、`rpi23-gen-image.sh` 脚本执行的命令都可以通过shell的 `script` 命令保存到日志文件中:
             ```shell
             script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
             ```
             ## 烧录镜像文件
             `rpi23-gen-image.sh` 所生成的镜像文件需要使用 `bmaptool` 或 `dd` 烧录到 microSD 卡. `bmaptool` 速度快比 `dd` 聪明.
             ##### 烧录示例:
             ```shell
             bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie.img /dev/mmcblk0
             dd bs=4M if=./images/jessie/2017-01-23-rpi3-jessie.img of=/dev/mmcblk0
             ```
             如果设置过 `ENABLE_SPLITFS`, 烧录 `-frmw` 文件到 microSD 卡, 烧录 `-root` 文件到 USB 驱动器:
             ```shell
             bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-frmw.img /dev/mmcblk0
             bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-root.img /dev/sdc
             ```
             ## 每周镜像
             这些镜像由JRWR'S I/O PORT提供, 每周日午夜UTC 0点编译!
             * [Debian Stretch Raspberry Pi2/3 周构建镜像](https://jrwr.io/doku.php?id=projects:debianpi)
             ## External links and references外部链接, 各种资源
             * [Debian 全世界镜像列表](https://www.debian.org/mirror/list)
             * [Debian 树莓派 2 Wiki](https://wiki.debian.org/RaspberryPi2)
             * [Debian 交叉工具链 Wiki](https://wiki.debian.org/CrossToolchains)
             * [Github上的树莓派官方固件](https://github.com/raspberrypi/firmware)
             * [Github上的树莓派官方内核](https://github.com/raspberrypi/linux)
-            * [U-BOOT git 仓库](http://git.denx.de/?p=u-boot.git;a=summary)
+            * [U-BOOT git 仓库](https://git.denx.de/?p=u-boot.git;a=summary)
             * [Xorg DDX fbturbo驱动](https://github.com/ssvb/xf86-video-fbturbo)
             * [树莓派3无线接口固件](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
             * [Collabora 树莓派2预编译内核](https://repositories.collabora.co.uk/debian/)

README.md +150 -52

             # rpi23-gen-image
             ## Introduction
             `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for Raspberry Pi 2 (RPi2) and Raspberry Pi 3 (RPi3) computers. The script at this time supports the bootstrapping of the Debian (armhf) releases `jessie`, `stretch` and `buster`. Raspberry Pi 3 images are generated for 32-bit mode only. Raspberry Pi 3 64-bit images can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.11.y```).
             ## Build dependencies
             The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
               ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
-            It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the RPi3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf) cross-compiler toolchain.
+            It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
-            The script has been tested using the default `crossbuild-essential-armhf` toolchain meta package on Debian Linux `jessie` and `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
-            If a Debian Linux `jessie` build system is used it will be required to add the [Debian Cross-toolchains repository](http://emdebian.org/tools/debian/) first:
+            The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
-            ```
-            echo "deb http://emdebian.org/tools/debian/ jessie main" > /etc/apt/sources.list.d/crosstools.list
-            sudo -u nobody wget -O - http://emdebian.org/tools/debian/emdebian-toolchain-archive.key | apt-key add -
-            dpkg --add-architecture armhf
-            apt-get update
-            ```
             ## Command-line parameters
             The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi23-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi23-gen-image.sh` script.
             ##### Command-line examples:
             ```shell
             ENABLE_UBOOT=true ./rpi23-gen-image.sh
             ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
             ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
             ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
             APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
             ENABLE_MINBASE=true ./rpi23-gen-image.sh
             BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
             BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
             ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
             RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
             ```
             ## Configuration template files
             To avoid long lists of command-line parameters and to help to store the favourite parameter configurations the `rpi23-gen-image.sh` script supports so called configuration template files (`CONFIG_TEMPLATE`=template). These are simple text files located in the `./templates` directory that contain the list of configuration parameters that will be used. New configuration template files can be added to the `./templates` directory.
             ##### Command-line examples:
             ```shell
             CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
             CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
             ```
             ## Supported parameters and settings
             #### APT settings:
             ##### `APT_SERVER`="ftp.debian.org"
             Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
             ##### `APT_PROXY`=""
-            Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
+            Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
+            ##### `KEEP_APT_PROXY`=false
+            Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
             ##### `APT_INCLUDES`=""
-            A comma separated list of additional packages to be installed by debootstrap during bootstrapping.
+            A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
             ##### `APT_INCLUDES_LATE`=""
-            A comma separated list of additional packages to be installed by apt after bootstrapping and after APT sources are set up.  This is useful for packages with pre-depends, which debootstrap do not handle well.
+            A comma-separated list of additional packages to be installed by apt after bootstrapping and after APT sources are set up.  This is useful for packages with pre-depends, which debootstrap do not handle well.
             ---
             #### General system settings:
+            ##### `SET_ARCH`=32
+            Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
             ##### `RPI_MODEL`=2
-            Specifiy the target Raspberry Pi hardware model. The script at this time supports the Raspberry Pi models `2` and `3`. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
+            Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
+            - `0`  = Raspberry Pi 0 and Raspberry Pi 0 W
+            - `1`  = Raspberry Pi 1 model A and B
+            - `1P` = Raspberry Pi 1 model B+ and A+
+            - `2`  = Raspberry Pi 2 model B
+            - `3`  = Raspberry Pi 3 model B
+            - `3P` = Raspberry Pi 3 model B+
-            ##### `RELEASE`="jessie"
+            ##### `RELEASE`="buster"
-            Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases "jessie", "stretch" and "buster". `BUILD_KERNEL`=true will automatically be set if the Debian releases `stretch` or `buster` are used.
+            Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
             ##### `RELEASE_ARCH`="armhf"
             Set the desired Debian release architecture.
             ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
-            Set system host name. It's recommended that the host name is unique in the corresponding subnet.
+            Set system hostname. It's recommended that the hostname is unique in the corresponding subnet.
             ##### `PASSWORD`="raspberry"
             Set system `root` password. It's **STRONGLY** recommended that you choose a custom password.
             ##### `USER_PASSWORD`="raspberry"
             Set password for the created non-root user `USER_NAME`=pi. Ignored if `ENABLE_USER`=false. It's **STRONGLY** recommended that you choose a custom password.
             ##### `DEFLOCAL`="en_US.UTF-8"
             Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. Please note that on using this parameter the script will automatically install the required packages `locales`, `keyboard-configuration` and `console-setup`.
             ##### `TIMEZONE`="Europe/Berlin"
             Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
             ##### `EXPANDROOT`=true
             Expand the root partition and filesystem automatically on first boot.
+            ##### `ENABLE_DPHYSSWAP`=true
+            Enable swap. The size of the swapfile is chosen relative to the size of the root partition. It'll use the `dphys-swapfile` package for that.
+            ##### `ENABLE_QEMU`=false
+            Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file.
             ---
             #### Keyboard settings:
             These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
             ##### `XKB_MODEL`=""
             Set the name of the model of your keyboard type.
             ##### `XKB_LAYOUT`=""
             Set the supported keyboard layout(s).
             ##### `XKB_VARIANT`=""
             Set the supported variant(s) of the keyboard layout(s).
             ##### `XKB_OPTIONS`=""
             Set extra xkb configuration options.
             ---
             #### Networking settings (DHCP):
-            This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
+            This parameter is used to set up networking auto-configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
             ##### `ENABLE_DHCP`=true
             Set the system to use DHCP. This requires an DHCP server.
             ---
             #### Networking settings (static):
             These parameters are used to set up a static networking configuration in `/etc/systemd/network/eth.network`. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.
             ##### `NET_ADDRESS`=""
             Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
             ##### `NET_GATEWAY`=""
             Set the IP address for the default gateway.
             ##### `NET_DNS_1`=""
             Set the IP address for the first DNS server.
             ##### `NET_DNS_2`=""
             Set the IP address for the second DNS server.
             ##### `NET_DNS_DOMAINS`=""
-            Set the default DNS search domains to use for non fully qualified host names.
+            Set the default DNS search domains to use for non fully qualified hostnames.
             ##### `NET_NTP_1`=""
             Set the IP address for the first NTP server.
             ##### `NET_NTP_2`=""
             Set the IP address for the second NTP server.
             ---
             #### Basic system features:
             ##### `ENABLE_CONSOLE`=true
-            Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
+            Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. On RPI `0` `3` `3P` the CPU speed is locked at lowest speed.
+            ##### `ENABLE_PRINTK`=false
+            Enables printing kernel messages to konsole. printk is `3 4 1 3` as in raspbian.
+            ##### `ENABLE_BLUETOOTH`=false
+            Enable onboard Bluetooth interface on the RPi0/3/3P. See: [Configuring the GPIO serial port on Raspbian jessie and stretch](https://spellfoundry.com/2016/05/29/configuring-gpio-serial-port-raspbian-jessie-including-pi-3/).
+            ##### `ENABLE_MINIUART_OVERLAY`=false
+            Enable Bluetooth to use this. Adds overlay to swap UART0 with UART1. Enabling (slower) Bluetooth and full speed serial console. - RPI `0` `3` `3P` have a fast `hardware UART0` (ttyAMA0) and a `mini UART1` (ttyS0)! RPI `1` `1P` `2` only have a `hardware UART0`. `UART0` is considered better, because is faster and more stable than `mini UART1`. By default the Bluetooth modem is mapped to the `hardware UART0` and `mini UART` is used for console. The `mini UART` is a problem for the serial console, because its baudrate depends on the CPU frequency, which is changing on runtime. Resulting in a volatile baudrate and thus in an unusable serial console.
+            ##### `ENABLE_TURBO`=false
+            Enable Turbo mode. This setting locks cpu at the highest frequency. As setting ENABLE_CONSOLE=true locks RPI to lowest CPU speed, this is can be used additionally to lock cpu hat max speed. Need a good power supply and probably cooling for the Raspberry PI.
             ##### `ENABLE_I2C`=false
-            Enable I2C interface on the RPi2/3. Please check the [RPi2/3 pinout diagrams](http://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
+            Enable I2C interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
             ##### `ENABLE_SPI`=false
-            Enable SPI interface on the RPi2/3. Please check the [RPi2/3 pinout diagrams](http://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
+            Enable SPI interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
             ##### `ENABLE_IPV6`=true
             Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
             ##### `ENABLE_SSHD`=true
             Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
             ##### `ENABLE_NONFREE`=false
             Allow the installation of non-free Debian packages that do not comply with the DFSG. This is required to install closed-source firmware binary blobs.
             ##### `ENABLE_WIRELESS`=false
-            Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
+            Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
             ##### `ENABLE_RSYSLOG`=true
-            If set to false, disable and uninstall rsyslog (so logs will be available only
+            If set to false, disable and uninstall rsyslog (so logs will be available only in journal files)
-            in journal files)
             ##### `ENABLE_SOUND`=true
             Enable sound hardware and install Advanced Linux Sound Architecture.
             ##### `ENABLE_HWRANDOM`=true
-            Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
+            Enable Hardware Random Number Generator. Strong random numbers are important for most network-based communications that use encryption. It's recommended to be enabled.
             ##### `ENABLE_MINGPU`=false
             Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
             ##### `ENABLE_DBUS`=true
             Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
             ##### `ENABLE_XORG`=false
             Install Xorg open-source X Window System.
             ##### `ENABLE_WM`=""
-            Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
+            Install a user-defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
+            ##### `ENABLE_SYSVINIT`=false
+            Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
             ---
             #### Advanced system features:
+            ##### `ENABLE_SYSTEMDSWAP`=false
+            Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
             ##### `ENABLE_MINBASE`=false
             Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
             ##### `ENABLE_REDUCE`=false
             Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
             ##### `ENABLE_UBOOT`=false
-            Replace the default RPi2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](http://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
+            Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
             ##### `UBOOTSRC_DIR`=""
-            Path to a directory (`u-boot`) of [U-Boot bootloader sources](http://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
+            Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
             ##### `ENABLE_FBTURBO`=false
             Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
             ##### `FBTURBOSRC_DIR`=""
             Path to a directory (`xf86-video-fbturbo`) of [hardware accelerated Xorg video driver sources](https://github.com/ssvb/xf86-video-fbturbo) that will be copied, configured, build and installed inside the chroot.
+            ##### `ENABLE_VIDEOCORE`=false
+            Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) `vcgencmd`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
+            ##### `VIDEOCORESRC_DIR`=""
+            Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
+            ##### `ENABLE_NEXMON`=false
+            Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
+            ##### `NEXMONSRC_DIR`=""
+            Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
             ##### `ENABLE_IPTABLES`=false
             Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
             ##### `ENABLE_USER`=true
-            Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, username will be `pi`.
+            Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, the username will be `pi`.
             ##### `USER_NAME`=pi
             Non-root user to create.  Ignored if `ENABLE_USER`=false
             ##### `ENABLE_ROOT`=false
             Set root user password so root login will be enabled
             ##### `ENABLE_HARDNET`=false
             Enable IPv4/IPv6 network stack hardening settings.
             ##### `ENABLE_SPLITFS`=false
             Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
             ##### `CHROOT_SCRIPTS`=""
             Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
             ##### `ENABLE_INITRAMFS`=false
             Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
             ##### `ENABLE_IFNAMES`=true
-            Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian releases `stretch` or `buster` are used.
+            Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
+            ##### `ENABLE_SPLASH`=true
+            Enable default Raspberry Pi boot up rainbow splash screen.
+            ##### `ENABLE_LOGO`=true
+            Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
+            ##### `ENABLE_SILENT_BOOT`=false
+            Set the verbosity of console messages shown during boot up to a strict minimum.
             ##### `DISABLE_UNDERVOLT_WARNINGS`=
             Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
             ---
             #### SSH settings:
             ##### `SSH_ENABLE_ROOT`=false
-            Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
+            Enable password-based root login via SSH. This may be a security risk with the default password set, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
             ##### `SSH_DISABLE_PASSWORD_AUTH`=false
-            Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported.
+            Disable password-based SSH authentication. Only public key based SSH (v2) authentication will be supported.
             ##### `SSH_LIMIT_USERS`=false
             Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. This parameter will be ignored if `dropbear` SSH is used (`REDUCE_SSHD`=true).
             ##### `SSH_ROOT_PUB_KEY`=""
             Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
             ##### `SSH_USER_PUB_KEY`=""
             Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported.
             ---
             #### Kernel compilation:
-            ##### `BUILD_KERNEL`=false
+            ##### `BUILD_KERNEL`=true
-            Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
+            Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
             ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
-            This sets the cross compile enviornment for the compiler.
+            This sets the cross-compile environment for the compiler.
             ##### `KERNEL_ARCH`="arm"
             This sets the kernel architecture for the compiler.
             ##### `KERNEL_IMAGE`="kernel7.img"
             Name of the image file in the boot partition. If not set, `KERNEL_IMAGE` will be set to "kernel8.img" automatically if building for arm64.
             ##### `KERNEL_BRANCH`=""
             Name of the requested branch from the GIT location for the RPi Kernel. Default is using the current default branch from the GIT site.
             ##### `QEMU_BINARY`="/usr/bin/qemu-arm-static"
             Sets the QEMU enviornment for the Debian archive. If not set, `QEMU_BINARY` will be set to "/usr/bin/qemu-aarch64-static" automatically if building for arm64.
             ##### `KERNEL_DEFCONFIG`="bcm2709_defconfig"
             Sets the default config for kernel compiling. If not set, `KERNEL_DEFCONFIG` will be set to "bcmrpi3\_defconfig" automatically if building for arm64.
             ##### `KERNEL_REDUCE`=false
-            Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental).
+            Reduce the size of the generated kernel by removing unwanted devices, network and filesystem drivers (experimental).
             ##### `KERNEL_THREADS`=1
             Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
             ##### `KERNEL_HEADERS`=true
-            Install kernel headers with built kernel.
+            Install kernel headers with the built kernel.
             ##### `KERNEL_MENUCONFIG`=false
             Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
+            ##### `KERNEL_OLDDEFCONFIG`=false
+            Run `make olddefconfig` to automatically set all new kernel configuration options to their recommended default values.
+            ##### `KERNEL_CCACHE`=false
+            Compile the kernel using ccache. This speeds up kernel recompilation by caching previous compilations and detecting when the same compilation is being done again.
             ##### `KERNEL_REMOVESRC`=true
             Remove all kernel sources from the generated OS image after it was built and installed.
             ##### `KERNELSRC_DIR`=""
             Path to a directory (`linux`) of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
             ##### `KERNELSRC_CLEAN`=false
             Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
             ##### `KERNELSRC_CONFIG`=true
             Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
             ##### `KERNELSRC_USRCONFIG`=""
             Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then running after copy.
             ##### `KERNELSRC_PREBUILT`=false
             With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
             ##### `RPI_FIRMWARE_DIR`=""
             The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
+            ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
+            Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
+            ##### `KERNEL_NF`=false
+            Enable Netfilter modules as kernel modules
+            ##### `KERNEL_VIRT`=false
+            Enable Kernel KVM support (/dev/kvm)
+            ##### `KERNEL_ZSWAP`=false
+            Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
+            ##### `KERNEL_BPF`=true
+            Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
+            ##### `KERNEL_SECURITY`=false
+            Enables Apparmor, integrity subsystem, auditing.
             ---
             #### Reduce disk usage:
             The following list of parameters is ignored if `ENABLE_REDUCE`=false.
             ##### `REDUCE_APT`=true
             Configure APT to use compressed package repository lists and no package caching files.
             ##### `REDUCE_DOC`=true
             Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
             ##### `REDUCE_MAN`=true
             Remove all man pages and info files (harsh).  Configure APT to not include man pages on future `apt-get` package installations.
             ##### `REDUCE_VIM`=false
             Replace `vim-tiny` package by `levee` a tiny vim clone.
             ##### `REDUCE_BASH`=false
             Remove `bash` package and switch to `dash` shell (experimental).
             ##### `REDUCE_HWDB`=true
             Remove PCI related hwdb files (experimental).
             ##### `REDUCE_SSHD`=true
             Replace `openssh-server` with `dropbear`.
             ##### `REDUCE_LOCALE`=true
             Remove all `locale` translation files.
             ---
             #### Encrypted root partition:
             ##### `ENABLE_CRYPTFS`=false
             Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
             ##### `CRYPTFS_PASSWORD`=""
             Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
             ##### `CRYPTFS_MAPPING`="secure"
             Set name of dm-crypt managed device-mapper mapping.
             ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
             Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
             ##### `CRYPTFS_XTSKEYSIZE`=512
             Sets key size in bits. The argument has to be a multiple of 8.
+            ##### `CRYPTFS_DROPBEAR`=false
+            Enable Dropbear Initramfs support
+            ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
+            Provide path to dropbear Public RSA-OpenSSH Key
             ---
             #### Build settings:
             ##### `BASEDIR`=$(pwd)/images/${RELEASE}
             Set a path to a working directory used by the script to generate an image.
             ##### `IMAGE_NAME`=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}
             Set a filename for the output file(s). Note: the script will create $IMAGE_NAME.img if `ENABLE_SPLITFS`=false or $IMAGE_NAME-frmw.img and $IMAGE_NAME-root.img if `ENABLE_SPLITFS`=true. Note 2: If the KERNEL_BRANCH is not set, the word "CURRENT" is used.
             ## Understanding the script
             The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
             | Script | Description |
             | --- | --- |
             | `10-bootstrap.sh` | Debootstrap basic system |
             | `11-apt.sh` | Setup APT repositories |
             | `12-locale.sh` | Setup Locales and keyboard settings |
-            | `13-kernel.sh` | Build and install RPi2/3 Kernel |
+            | `13-kernel.sh` | Build and install RPi 0/1/2/3 Kernel |
             | `14-fstab.sh` | Setup fstab and initramfs |
-            | `15-rpi-config.sh` | Setup RPi2/3 config and cmdline |
+            | `15-rpi-config.sh` | Setup RPi 0/1/2/3 config and cmdline |
             | `20-networking.sh` | Setup Networking |
             | `21-firewall.sh` | Setup Firewall |
             | `30-security.sh` | Setup Users and Security settings |
             | `31-logging.sh` | Setup Logging |
             | `32-sshd.sh` | Setup SSH and public keys |
             | `41-uboot.sh` | Build and Setup U-Boot |
             | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
+            | `43-videocore.sh` | Build and Setup videocore libraries |
             | `50-firstboot.sh` | First boot actions |
             | `99-reduce.sh` | Reduce the disk space usage |
             All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
             | Directory | Description |
             | --- | --- |
             | `apt` | APT management configuration files |
-            | `boot` | Boot and RPi2/3 configuration files |
+            | `boot` | Boot and RPi 0/1/2/3 configuration files |
             | `dpkg` | Package Manager configuration |
             | `etc` | Configuration files and rc scripts |
             | `firstboot` | Scripts that get executed on first boot  |
             | `initramfs` | Initramfs scripts |
             | `iptables` | Firewall configuration files |
             | `locales` | Locales configuration |
             | `modules` | Kernel Modules configuration |
             | `mount` | Fstab configuration |
             | `network` | Networking configuration files |
             | `sysctl.d` | Swapping and Network Hardening configuration |
             | `xorg` | fbturbo Xorg driver configuration |
             ## Custom packages and scripts
             Debian custom packages, i.e. those not in the debian repositories, can be installed by placing them in the `packages` directory. They are installed immediately after packages from the repositories are installed. Any dependencies listed in the custom packages will be downloaded automatically from the repositories. Do not list these custom packages in `APT_INCLUDES`.
             Scripts in the custom.d directory will be executed after all other installation is complete but before the image is created.
             ## Logging of the bootstrapping process
             All information related to the bootstrapping process and the commands executed by the `rpi23-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
             ```shell
             script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
             ```
             ## Flashing the image file
-            After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
+            After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi 0/1/2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
             ##### Flashing examples:
             ```shell
-            bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie.img /dev/mmcblk0
+            bmaptool copy ./images/buster/2017-01-23-rpi3-buster.img /dev/mmcblk0
-            dd bs=4M if=./images/jessie/2017-01-23-rpi3-jessie.img of=/dev/mmcblk0
+            dd bs=4M if=./images/buster/2017-01-23-rpi3-buster.img of=/dev/mmcblk0
             ```
             If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
             ```shell
-            bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-frmw.img /dev/mmcblk0
+            bmaptool copy ./images/buster/2017-01-23-rpi3-buster-frmw.img /dev/mmcblk0
-            bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-root.img /dev/sdc
+            bmaptool copy ./images/buster/2017-01-23-rpi3-buster-root.img /dev/sdc
+            ```
+            ## QEMU emulation
+            Start QEMU full system emulation:
+            ```shell
+            qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=tty1"
+            ```
+            Start QEMU full system emulation and output to console:
+            ```shell
+            qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
+            ```
+            Start QEMU full system emulation with SMP and output to console:
+            ```shell
+            qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -smp cpus=2,maxcpus=2 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
+            ```
+            Start QEMU full system emulation with cryptfs, initramfs and output to console:
+            ```shell
+            qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -initrd "initramfs-${KERNEL_VERSION}" -append "root=/dev/mapper/secure cryptdevice=/dev/mmcblk0p2:secure rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
             ```
-            ## Weekly image builds
-            The image files are provided by JRWR'S I/O PORT and are built once a Sunday at midnight UTC!
-            * [Debian Stretch Raspberry Pi2/3 Weekly Image Builds](https://jrwr.io/doku.php?id=projects:debianpi)
             ## External links and references
             * [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
             * [Debian Raspberry Pi 2 Wiki](https://wiki.debian.org/RaspberryPi2)
             * [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains)
             * [Official Raspberry Pi Firmware on github](https://github.com/raspberrypi/firmware)
             * [Official Raspberry Pi Kernel on github](https://github.com/raspberrypi/linux)
-            * [U-BOOT git repository](http://git.denx.de/?p=u-boot.git;a=summary)
+            * [U-BOOT git repository](https://git.denx.de/?p=u-boot.git;a=summary)
             * [Xorg DDX driver fbturbo](https://github.com/ssvb/xf86-video-fbturbo)
-            * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
+            * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm)
             * [Collabora RPi2 Kernel precompiled](https://repositories.collabora.co.uk/debian/)

bootstrap.d/10-bootstrap.sh +3 -2

             #
             # Debootstrap basic system
             #
             # Load utility functions
             . ./functions.sh
             VARIANT=""
             COMPONENTS="main"
-            EXCLUDES=""
             # Use non-free Debian packages if needed
             if [ "$ENABLE_NONFREE" = true ] ; then
               COMPONENTS="main,non-free,contrib"
             fi
             # Use minbase bootstrap variant which only includes essential packages
             if [ "$ENABLE_MINBASE" = true ] ; then
               VARIANT="--variant=minbase"
             fi
             # Exclude packages if required by Debian release
             if [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
               EXCLUDES="--exclude=init,systemd-sysv"
             fi
             # Base debootstrap (unpack only)
-            http_proxy=${APT_PROXY} debootstrap ${EXCLUDES} --arch="${RELEASE_ARCH}" --foreign ${VARIANT} --components="${COMPONENTS}" --include="${APT_INCLUDES}" "${RELEASE}" "${R}" "http://${APT_SERVER}/debian"
+            http_proxy=${APT_PROXY} debootstrap ${APT_EXCLUDES} --arch="${RELEASE_ARCH}" --foreign ${VARIANT} --components="${COMPONENTS}" --include="${APT_INCLUDES}" "${RELEASE}" "${R}" "http://${APT_SERVER}/debian"
             # Copy qemu emulator binary to chroot
             install -m 755 -o root -g root "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
             # Copy debian-archive-keyring.pgp
             mkdir -p "${R}/usr/share/keyrings"
             install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "${R}/usr/share/keyrings/debian-archive-keyring.gpg"
             # Complete the bootstrapping process
             chroot_exec /debootstrap/debootstrap --second-stage
             # Mount required filesystems
             mount -t proc none "${R}/proc"
             mount -t sysfs none "${R}/sys"
             # Mount pseudo terminal slave if supported by Debian release
             if [ -d "${R}/dev/pts" ] ; then
               mount --bind /dev/pts "${R}/dev/pts"
             fi

bootstrap.d/11-apt.sh +10 -7

             #
             # Setup APT repositories
             #
             # Load utility functions
             . ./functions.sh
             # Install and setup APT proxy configuration
             if [ -z "$APT_PROXY" ] ; then
               install_readonly files/apt/10proxy "${ETC_DIR}/apt/apt.conf.d/10proxy"
               sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
             fi
             if [ "$BUILD_KERNEL" = false ] ; then
               # Install APT pinning configuration for flash-kernel package
               install_readonly files/apt/flash-kernel "${ETC_DIR}/apt/preferences.d/flash-kernel"
               # Install APT sources.list
               install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
               echo "deb ${COLLABORA_URL} ${RELEASE} rpi2" >> "${ETC_DIR}/apt/sources.list"
               # Upgrade collabora package index and install collabora keyring
               chroot_exec apt-get -qq -y update
               # Removed --allow-unauthenticated as suggested after modification on _apt privileges
               chroot_exec apt-get -qq -y install collabora-obs-archive-keyring
             else # BUILD_KERNEL=true
               # Install APT sources.list
               install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
               # Use specified APT server and release
               sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
               sed -i "s/ jessie/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
             fi
-            # Allow the installation of non-free Debian packages
-            if [ "$ENABLE_NONFREE" = true ] ; then
+            # Use specified APT server and release
-              sed -i "s/ contrib/ contrib non-free/" "${ETC_DIR}/apt/sources.list"
+            sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
-            fi
+            sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
             # Upgrade package index and update all installed packages and changed dependencies
             chroot_exec apt-get -qq -y update
             chroot_exec apt-get -qq -y -u dist-upgrade
+            # Install additional packages
             if [ "$APT_INCLUDES_LATE" ] ; then
-              chroot_exec apt-get -qq -y install $(echo $APT_INCLUDES_LATE |tr , ' ')
+              chroot_exec apt-get -qq -y install $(echo "$APT_INCLUDES_LATE" |tr , ' ')
             fi
+            # Install Debian custom packages
             if [ -d packages ] ; then
               for package in packages/*.deb ; do
-                cp $package ${R}/tmp
+                cp "$package" "${R}"/tmp
-                chroot_exec dpkg --unpack /tmp/$(basename $package)
+                chroot_exec dpkg --unpack /tmp/"$(basename "$package")"
               done
             fi
             chroot_exec apt-get -qq -y -f install
             chroot_exec apt-get -qq -y check

bootstrap.d/12-locale.sh +13 -5

             #
             # Setup Locales and keyboard settings
             #
             # Load utility functions
             . ./functions.sh
             # Install and setup timezone
-            echo ${TIMEZONE} > "${ETC_DIR}/timezone"
+            echo "${TIMEZONE}" > "${ETC_DIR}/timezone"
+            if [ -f "${ETC_DIR}/localtime" ]; then
+                # 1. If 11-apt.sh upgrades the package 'tzdata', '/etc/localtime' was created
+                #    because 'dpkg-reconfigure -f noninteractive tzdata' was executed by apt-get.
+                # 2. If '/etc/localtime' exists, our execution of 'dpkg-reconfigure -f noninteractive tzdata'
+                #    will ignore the our timezone set in '/etc/timezone'.
+                # 3. Removing /etc/localtime will solve this.
+                rm -f "${ETC_DIR}/localtime"
+            fi
             chroot_exec dpkg-reconfigure -f noninteractive tzdata
             # Install and setup default locale and keyboard configuration
-            if [ $(echo "$APT_INCLUDES" | grep ",locales") ] ; then
+            if [ "$(echo "$APT_INCLUDES" | grep ",locales")" ] ; then
               # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
               # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
               # ... so we have to set locales manually
               if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
-                chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
+                chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8 | debconf-set-selections"
               else
                 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
-                chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
+                chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8 | debconf-set-selections"
                 sed -i "/en_US.UTF-8/s/^#//" "${ETC_DIR}/locale.gen"
               fi
               sed -i "/${DEFLOCAL}/s/^#//" "${ETC_DIR}/locale.gen"
-              chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
+              chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL} | debconf-set-selections"
               chroot_exec locale-gen
               chroot_exec update-locale LANG="${DEFLOCAL}"
               # Install and setup default keyboard configuration
               if [ "$XKB_MODEL" != "" ] ; then
                 sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKB_MODEL}\"/" "${ETC_DIR}/default/keyboard"
               fi
               if [ "$XKB_LAYOUT" != "" ] ; then
                 sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKB_LAYOUT}\"/" "${ETC_DIR}/default/keyboard"
               fi
               if [ "$XKB_VARIANT" != "" ] ; then
                 sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKB_VARIANT}\"/" "${ETC_DIR}/default/keyboard"
               fi
               if [ "$XKB_OPTIONS" != "" ] ; then
                 sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKB_OPTIONS}\"/" "${ETC_DIR}/default/keyboard"
               fi
               chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
               # Install and setup font console
               case "${DEFLOCAL}" in
                 *UTF-8)
                   sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' "${ETC_DIR}/default/console-setup"
                   ;;
                 *)
                   sed -i 's/^CHARMAP.*/CHARMAP="guess"/' "${ETC_DIR}/default/console-setup"
                   ;;
               esac
               chroot_exec dpkg-reconfigure -f noninteractive console-setup
             else # (no locales were installed)
               # Install POSIX default locale
               install_readonly files/locales/locale "${ETC_DIR}/default/locale"
             fi

bootstrap.d/13-kernel.sh +464 -34

@@ -1,185 +1,615
1	#	1	#
2	# Build and Setup RPi2/3 Kernel	2	# Build and Setup RPi2/3 Kernel
3	#	3	#
4		4
5	# Load utility functions	5	# Load utility functions
6	. ./functions.sh	6	. ./functions.sh
7		7
		8	# Need to use kali kernel src if nexmon is enabled
		9	if [ "$ENABLE_NEXMON" = true ] ; then
		10	KERNEL_URL="${KALI_KERNEL_URL}"
		11	# Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
		12	KERNEL_BRANCH=""
		13	KERNELSRC_DIR=""
		14	fi
		15
8	# Fetch and build latest raspberry kernel	16	# Fetch and build latest raspberry kernel
9	if [ "$BUILD_KERNEL" = true ] ; then	17	if [ "$BUILD_KERNEL" = true ] ; then
10	# Setup source directory	18	# Setup source directory
11	mkdir -p "${R}/usr/src/linux"	19	mkdir -p "${KERNEL_DIR}"
12		20
13	# Copy existing kernel sources into chroot directory	21	# Copy existing kernel sources into chroot directory
14	if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then	22	if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then
15	# Copy kernel sources and include hidden files	23	# Copy kernel sources and include hidden files
16	cp -r "${KERNELSRC_DIR}/". "${R}~~/usr/src/linux~~"	24	cp -r "${KERNELSRC_DIR}/". "${KERNEL_DIR}"
17		25
18	# Clean the kernel sources	26	# Clean the kernel sources
19	if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then	27	if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then
20	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper	28	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
21	fi	29	fi
22	else # KERNELSRC_DIR=""	30	else # KERNELSRC_DIR=""
23	# Create temporary directory for kernel sources	31	# Create temporary directory for kernel sources
24	temp_dir=$(as_nobody mktemp -d)	32	temp_dir=$(as_nobody mktemp -d)
25		33
26	# Fetch current RPi2/3 kernel sources	34	# Fetch current RPi2/3 kernel sources
27	if [ -z "${KERNEL_BRANCH}" ] ; then	35	if [ -z "${KERNEL_BRANCH}" ] ; then
28	as_nobody git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux	36	as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
29	else	37	else
30	as_nobody git -C "${temp_dir}" clone --depth=1 --branch "${KERNEL_BRANCH}" "${KERNEL_URL}" linux	38	as_nobody -H git -C "${temp_dir}" clone --depth=1 --branch "${KERNEL_BRANCH}" "${KERNEL_URL}" linux
31	fi	39	fi
32		40
33	# Copy downloaded kernel sources	41	# Copy downloaded kernel sources
34	cp -r "${temp_dir}/linux/"* "${R}~~/usr/src/linux/~~"	42	cp -r "${temp_dir}/linux/"* "${KERNEL_DIR}"
35		43
36	# Remove temporary directory for kernel sources	44	# Remove temporary directory for kernel sources
37	rm -fr "${temp_dir}"	45	rm -fr "${temp_dir}"
38		46
39	# Set permissions of the kernel sources	47	# Set permissions of the kernel sources
40	chown -R root:root "${R}/usr/src"	48	chown -R root:root "${R}/usr/src"
41	fi	49	fi
42		50
43	# Calculate optimal number of kernel building threads	51	# Calculate optimal number of kernel building threads
44	if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then	52	if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
45	KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)	53	KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
46	fi	54	fi
47		55
48	# Configure and build kernel	56	# Configure and build kernel
49	if [ "$KERNELSRC_PREBUILT" = false ] ; then	57	if [ "$KERNELSRC_PREBUILT" = false ] ; then
50	# Remove device, network and filesystem drivers from kernel configuration	58	# Remove device, network and filesystem drivers from kernel configuration
51	if [ "$KERNEL_REDUCE" = true ] ; then	59	if [ "$KERNEL_REDUCE" = true ] ; then
52	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"	60	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
53	sed -i\	61	sed -i\
54	-e "s/$^CONFIG_SND.\=$./\1n/"\	62	-e "s/$^CONFIG_SND.\=$./\1n/"\
55	-e "s/$^CONFIG_SOUND.\=$./\1n/"\	63	-e "s/$^CONFIG_SOUND.\=$./\1n/"\
56	-e "s/$^CONFIG_AC97.\=$./\1n/"\	64	-e "s/$^CONFIG_AC97.\=$./\1n/"\
57	-e "s/$^CONFIG_VIDEO_.\=$./\1n/"\	65	-e "s/$^CONFIG_VIDEO_.\=$./\1n/"\
58	-e "s/$^CONFIG_MEDIA_TUNER.\=$./\1n/"\	66	-e "s/$^CONFIG_MEDIA_TUNER.\=$./\1n/"\
59	-e "s/$^CONFIG_DVB.*\=$[ym]/\1n/"\	67	-e "s/$^CONFIG_DVB.*\=$[ym]/\1n/"\
60	-e "s/$^CONFIG_REISERFS.\=$./\1n/"\	68	-e "s/$^CONFIG_REISERFS.\=$./\1n/"\
61	-e "s/$^CONFIG_JFS.\=$./\1n/"\	69	-e "s/$^CONFIG_JFS.\=$./\1n/"\
62	-e "s/$^CONFIG_XFS.\=$./\1n/"\	70	-e "s/$^CONFIG_XFS.\=$./\1n/"\
63	-e "s/$^CONFIG_GFS2.\=$./\1n/"\	71	-e "s/$^CONFIG_GFS2.\=$./\1n/"\
64	-e "s/$^CONFIG_OCFS2.\=$./\1n/"\	72	-e "s/$^CONFIG_OCFS2.\=$./\1n/"\
65	-e "s/$^CONFIG_BTRFS.\=$./\1n/"\	73	-e "s/$^CONFIG_BTRFS.\=$./\1n/"\
66	-e "s/$^CONFIG_HFS.\=$./\1n/"\	74	-e "s/$^CONFIG_HFS.\=$./\1n/"\
67	-e "s/$^CONFIG_JFFS2.*\=$[ym]/\1n/"\	75	-e "s/$^CONFIG_JFFS2.*\=$[ym]/\1n/"\
68	-e "s/$^CONFIG_UBIFS.\=$./\1n/"\	76	-e "s/$^CONFIG_UBIFS.\=$./\1n/"\
69	-e "s/$^CONFIG_SQUASHFS.*\=$[ym]/\1n/"\	77	-e "s/$^CONFIG_SQUASHFS.*\=$[ym]/\1n/"\
70	-e "s/$^CONFIG_W1.*\=$[ym]/\1n/"\	78	-e "s/$^CONFIG_W1.*\=$[ym]/\1n/"\
71	-e "s/$^CONFIG_HAMRADIO.\=$./\1n/"\	79	-e "s/$^CONFIG_HAMRADIO.\=$./\1n/"\
72	-e "s/$^CONFIG_CAN.\=$./\1n/"\	80	-e "s/$^CONFIG_CAN.\=$./\1n/"\
73	-e "s/$^CONFIG_IRDA.\=$./\1n/"\	81	-e "s/$^CONFIG_IRDA.\=$./\1n/"\
74	-e "s/$^CONFIG_BT_.\=$./\1n/"\	82	-e "s/$^CONFIG_BT_.\=$./\1n/"\
75	-e "s/$^CONFIG_WIMAX.*\=$[ym]/\1n/"\	83	-e "s/$^CONFIG_WIMAX.*\=$[ym]/\1n/"\
76	-e "s/$^CONFIG_6LOWPAN.\=$./\1n/"\	84	-e "s/$^CONFIG_6LOWPAN.\=$./\1n/"\
77	-e "s/$^CONFIG_IEEE802154.\=$./\1n/"\	85	-e "s/$^CONFIG_IEEE802154.\=$./\1n/"\
78	-e "s/$^CONFIG_NFC.\=$./\1n/"\	86	-e "s/$^CONFIG_NFC.\=$./\1n/"\
79	-e "s/$^CONFIG_FB_TFT=.\=$./\1n/"\	87	-e "s/$^CONFIG_FB_TFT=.\=$./\1n/"\
80	-e "s/$^CONFIG_TOUCHSCREEN.\=$./\1n/"\	88	-e "s/$^CONFIG_TOUCHSCREEN.\=$./\1n/"\
81	-e "s/$^CONFIG_USB_GSPCA_.\=$./\1n/"\	89	-e "s/$^CONFIG_USB_GSPCA_.\=$./\1n/"\
82	-e "s/$^CONFIG_DRM.\=$./\1n/"\	90	-e "s/$^CONFIG_DRM.\=$./\1n/"\
83	"${KERNEL_DIR}/.config"	91	"${KERNEL_DIR}/.config"
84	fi	92	fi
85		93
86	if [ "$KERNELSRC_CONFIG" = true ] ; then	94	if [ "$KERNELSRC_CONFIG" = true ] ; then
87	# Load default raspberry kernel configuration	95	# Load default raspberry kernel configuration
88	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"	96	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
89		97
90	if [ ! -z "$KERNELSRC_USRCONFIG" ] ; then	98	#Switch to KERNELSRC_DIR so we can use set_kernel_config
91	cp $KERNELSRC_USRCONFIG ${KERNEL_DIR}/.config	99	cd "${KERNEL_DIR}" \|\| exit
		100
		101	if [ "$KERNEL_ARCH" = arm64 ] ; then
		102	#Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
		103	# use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
		104	set_kernel_config CONFIG_MMC_BCM2835 n
		105	set_kernel_config CONFIG_MMC_SDHCI_IPROC n
		106	set_kernel_config CONFIG_USB_DWC2 n
		107	sed -i "s\|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA\|depends on MMC_BCM2835_MMC\|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
		108
		109	#VLAN got disabled without reason in arm64bit
		110	set_kernel_config CONFIG_IPVLAN m
		111	fi
		112
		113	# enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
		114	if [ "$KERNEL_ZSWAP" = true ] ; then
		115	set_kernel_config CONFIG_ZPOOL y
		116	set_kernel_config CONFIG_ZSWAP y
		117	set_kernel_config CONFIG_ZBUD y
		118	set_kernel_config CONFIG_Z3FOLD y
		119	set_kernel_config CONFIG_ZSMALLOC y
		120	set_kernel_config CONFIG_PGTABLE_MAPPING y
		121	set_kernel_config CONFIG_LZO_COMPRESS y
		122
		123	fi
		124
		125	# enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
		126	if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; } ; then
		127	set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
		128	set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
		129	set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
		130	set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
		131	set_kernel_config CONFIG_HAVE_KVM_IRQFD y
		132	set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
		133	set_kernel_config CONFIG_HAVE_KVM_MSI y
		134	set_kernel_config CONFIG_KVM y
		135	set_kernel_config CONFIG_KVM_ARM_HOST y
		136	set_kernel_config CONFIG_KVM_ARM_PMU y
		137	set_kernel_config CONFIG_KVM_COMPAT y
		138	set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
		139	set_kernel_config CONFIG_KVM_MMIO y
		140	set_kernel_config CONFIG_KVM_VFIO y
		141	set_kernel_config CONFIG_VHOST m
		142	set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
		143	set_kernel_config CONFIG_VHOST_NET m
		144	set_kernel_config CONFIG_VIRTUALIZATION y
		145
		146	set_kernel_config CONFIG_MMU_NOTIFIER y
		147
		148	# erratum
		149	set_kernel_config ARM64_ERRATUM_834220 y
		150
		151	# https://sourceforge.net/p/kvm/mailman/message/18440797/
		152	set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
		153	fi
		154
		155	# enable apparmor,integrity audit,
		156	if [ "$KERNEL_SECURITY" = true ] ; then
		157
		158	# security filesystem, security models and audit
		159	set_kernel_config CONFIG_SECURITYFS y
		160	set_kernel_config CONFIG_SECURITY y
		161	set_kernel_config CONFIG_AUDIT y
		162
		163	# harden strcpy and memcpy
		164	set_kernel_config CONFIG_HARDENED_USERCOPY y
		165	set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
		166	set_kernel_config CONFIG_FORTIFY_SOURCE y
		167
		168	# integrity sub-system
		169	set_kernel_config CONFIG_INTEGRITY y
		170	set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
		171	set_kernel_config CONFIG_INTEGRITY_AUDIT y
		172	set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
		173	set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y
		174
		175	# This option provides support for retaining authentication tokens and access keys in the kernel.
		176	set_kernel_config CONFIG_KEYS y
		177	set_kernel_config CONFIG_KEYS_COMPAT y
		178
		179	# Apparmor
		180	set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
		181	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
		182	set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
		183	set_kernel_config CONFIG_SECURITY_APPARMOR y
		184	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
		185	set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
		186
		187	# restrictions on unprivileged users reading the kernel
		188	set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
		189
		190	# network security hooks
		191	set_kernel_config CONFIG_SECURITY_NETWORK y
		192	set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
		193	set_kernel_config CONFIG_SECURITY_PATH y
		194	set_kernel_config CONFIG_SECURITY_YAMA n
		195
		196	# New Options
		197	if [ "$KERNEL_NF" = true ] ; then
		198	set_kernel_config CONFIG_IP_NF_SECURITY m
		199	set_kernel_config CONFIG_NETLABEL y
		200	set_kernel_config CONFIG_IP6_NF_SECURITY m
		201	fi
		202	set_kernel_config CONFIG_SECURITY_SELINUX n
		203	set_kernel_config CONFIG_SECURITY_SMACK n
		204	set_kernel_config CONFIG_SECURITY_TOMOYO n
		205	set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
		206	set_kernel_config CONFIG_SECURITY_LOADPIN n
		207	set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
		208	set_kernel_config CONFIG_IMA n
		209	set_kernel_config CONFIG_EVM n
		210	set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
		211	set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
		212	set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
		213	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
		214	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
		215	set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
		216	set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
		217	set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
		218	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
		219	set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
		220
		221	set_kernel_config CONFIG_ARM64_CRYPTO y
		222	set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
		223	set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
		224	set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
		225	set_kernel_config CRYPTO_GHASH_ARM64_CE m
		226	set_kernel_config CRYPTO_SHA2_ARM64_CE m
		227	set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
		228	set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
		229	set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
		230	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
		231	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
		232	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
		233	set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
		234	set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
		235	set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
		236	set_kernel_config SYSTEM_TRUSTED_KEYS
		237	fi
		238
		239	# Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
		240	if [ "$KERNEL_NF" = true ] ; then
		241	set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
		242	set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
		243	set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
		244	set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
		245	set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
		246	set_kernel_config CONFIG_NFT_FIB_INET m
		247	set_kernel_config CONFIG_NFT_FIB_IPV4 m
		248	set_kernel_config CONFIG_NFT_FIB_IPV6 m
		249	set_kernel_config CONFIG_NFT_FIB_NETDEV m
		250	set_kernel_config CONFIG_NFT_OBJREF m
		251	set_kernel_config CONFIG_NFT_RT m
		252	set_kernel_config CONFIG_NFT_SET_BITMAP m
		253	set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
		254	set_kernel_config CONFIG_NF_LOG_ARP m
		255	set_kernel_config CONFIG_NF_SOCKET_IPV4 m
		256	set_kernel_config CONFIG_NF_SOCKET_IPV6 m
		257	set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
		258	set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
		259	set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
		260	set_kernel_config CONFIG_IP6_NF_IPTABLES m
		261	set_kernel_config CONFIG_IP6_NF_MATCH_AH m
		262	set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
		263	set_kernel_config CONFIG_IP6_NF_NAT m
		264	set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
		265	set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
		266	set_kernel_config CONFIG_IP_NF_SECURITY m
		267	set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
		268	set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
		269	set_kernel_config CONFIG_IP_SET_HASH_IP m
		270	set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
		271	set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
		272	set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
		273	set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
		274	set_kernel_config CONFIG_IP_SET_HASH_MAC m
		275	set_kernel_config CONFIG_IP_SET_HASH_NET m
		276	set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
		277	set_kernel_config CONFIG_IP_SET_HASH_NETNET m
		278	set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
		279	set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
		280	set_kernel_config CONFIG_IP_SET_LIST_SET m
		281	set_kernel_config CONFIG_NETFILTER_XTABLES m
		282	set_kernel_config CONFIG_NETFILTER_XTABLES m
		283	set_kernel_config CONFIG_NFT_BRIDGE_META m
		284	set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
		285	set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
		286	set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
		287	set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
		288	set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
		289	set_kernel_config CONFIG_NFT_COMPAT m
		290	set_kernel_config CONFIG_NFT_COUNTER m
		291	set_kernel_config CONFIG_NFT_CT m
		292	set_kernel_config CONFIG_NFT_DUP_IPV4 m
		293	set_kernel_config CONFIG_NFT_DUP_IPV6 m
		294	set_kernel_config CONFIG_NFT_DUP_NETDEV m
		295	set_kernel_config CONFIG_NFT_EXTHDR m
		296	set_kernel_config CONFIG_NFT_FWD_NETDEV m
		297	set_kernel_config CONFIG_NFT_HASH m
		298	set_kernel_config CONFIG_NFT_LIMIT m
		299	set_kernel_config CONFIG_NFT_LOG m
		300	set_kernel_config CONFIG_NFT_MASQ m
		301	set_kernel_config CONFIG_NFT_MASQ_IPV4 m
		302	set_kernel_config CONFIG_NFT_MASQ_IPV6 m
		303	set_kernel_config CONFIG_NFT_META m
		304	set_kernel_config CONFIG_NFT_NAT m
		305	set_kernel_config CONFIG_NFT_NUMGEN m
		306	set_kernel_config CONFIG_NFT_QUEUE m
		307	set_kernel_config CONFIG_NFT_QUOTA m
		308	set_kernel_config CONFIG_NFT_REDIR m
		309	set_kernel_config CONFIG_NFT_REDIR_IPV4 m
		310	set_kernel_config CONFIG_NFT_REDIR_IPV6 m
		311	set_kernel_config CONFIG_NFT_REJECT m
		312	set_kernel_config CONFIG_NFT_REJECT_INET m
		313	set_kernel_config CONFIG_NFT_REJECT_IPV4 m
		314	set_kernel_config CONFIG_NFT_REJECT_IPV6 m
		315	set_kernel_config CONFIG_NFT_SET_HASH m
		316	set_kernel_config CONFIG_NFT_SET_RBTREE m
		317	set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
		318	set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
		319	set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
		320	set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
		321	set_kernel_config CONFIG_NF_DUP_IPV4 m
		322	set_kernel_config CONFIG_NF_DUP_IPV6 m
		323	set_kernel_config CONFIG_NF_DUP_NETDEV m
		324	set_kernel_config CONFIG_NF_LOG_BRIDGE m
		325	set_kernel_config CONFIG_NF_LOG_IPV4 m
		326	set_kernel_config CONFIG_NF_LOG_IPV6 m
		327	set_kernel_config CONFIG_NF_NAT_IPV4 m
		328	set_kernel_config CONFIG_NF_NAT_IPV6 m
		329	set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
		330	set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
		331	set_kernel_config CONFIG_NF_NAT_PPTP m
		332	set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
		333	set_kernel_config CONFIG_NF_NAT_REDIRECT m
		334	set_kernel_config CONFIG_NF_NAT_SIP m
		335	set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
		336	set_kernel_config CONFIG_NF_NAT_TFTP m
		337	set_kernel_config CONFIG_NF_REJECT_IPV4 m
		338	set_kernel_config CONFIG_NF_REJECT_IPV6 m
		339	set_kernel_config CONFIG_NF_TABLES m
		340	set_kernel_config CONFIG_NF_TABLES_ARP m
		341	set_kernel_config CONFIG_NF_TABLES_BRIDGE m
		342	set_kernel_config CONFIG_NF_TABLES_INET m
		343	set_kernel_config CONFIG_NF_TABLES_IPV4 m
		344	set_kernel_config CONFIG_NF_TABLES_IPV6 m
		345	set_kernel_config CONFIG_NF_TABLES_NETDEV m
		346	fi
		347
		348	# Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
		349	if [ "$KERNEL_BPF" = true ] ; then
		350	set_kernel_config CONFIG_BPF_SYSCALL y
		351	set_kernel_config CONFIG_BPF_EVENTS y
		352	set_kernel_config CONFIG_BPF_STREAM_PARSER y
		353	set_kernel_config CONFIG_CGROUP_BPF y
		354	fi
		355
		356	# KERNEL_DEFAULT_GOV was set by user
		357	if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
		358
		359	case "$KERNEL_DEFAULT_GOV" in
		360	performance)
		361	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
		362	;;
		363	userspace)
		364	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
		365	;;
		366	ondemand)
		367	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
		368	;;
		369	conservative)
		370	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
		371	;;
		372	shedutil)
		373	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
		374	;;
		375	*)
		376	echo "error: unsupported default cpu governor"
		377	exit 1
		378	;;
		379	esac
		380
		381	# unset previous default governor
		382	unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
		383	fi
		384
		385	#Revert to previous directory
		386	cd "${WORKDIR}" \|\| exit
		387
		388	# Set kernel configuration parameters to enable qemu emulation
		389	if [ "$ENABLE_QEMU" = true ] ; then
		390	echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
		391	echo "CONFIG_LBDAF=y" >> "${KERNEL_DIR}"/.config
		392
		393	if [ "$ENABLE_CRYPTFS" = true ] ; then
		394	{
		395	echo "CONFIG_EMBEDDED=y"
		396	echo "CONFIG_EXPERT=y"
		397	echo "CONFIG_DAX=y"
		398	echo "CONFIG_MD=y"
		399	echo "CONFIG_BLK_DEV_MD=y"
		400	echo "CONFIG_MD_AUTODETECT=y"
		401	echo "CONFIG_BLK_DEV_DM=y"
		402	echo "CONFIG_BLK_DEV_DM_BUILTIN=y"
		403	echo "CONFIG_DM_CRYPT=y"
		404	echo "CONFIG_CRYPTO_BLKCIPHER=y"
		405	echo "CONFIG_CRYPTO_CBC=y"
		406	echo "CONFIG_CRYPTO_XTS=y"
		407	echo "CONFIG_CRYPTO_SHA512=y"
		408	echo "CONFIG_CRYPTO_MANAGER=y"
		409	} >> "${KERNEL_DIR}"/.config
		410	fi
		411	fi
		412
		413	# Copy custom kernel configuration file
		414	if [ -n "$KERNELSRC_USRCONFIG" ] ; then
		415	cp "$KERNELSRC_USRCONFIG" "${KERNEL_DIR}"/.config
		416	fi
		417
		418	# Set kernel configuration parameters to their default values
		419	if [ "$KERNEL_OLDDEFCONFIG" = true ] ; then
		420	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig
92	fi	421	fi
93		422
94	# Start menu-driven kernel configuration (interactive)	423	# Start menu-driven kernel configuration (interactive)
95	if [ "$KERNEL_MENUCONFIG" = true ] ; then	424	if [ "$KERNEL_MENUCONFIG" = true ] ; then
96	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig	425	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
97	fi	426	fi
		427	# end if "$KERNELSRC_CONFIG" = true
98	fi	428	fi
99		429
100	# Cross compile kernel ~~and modules~~	430	# Use ccache to cross compile the kernel
101	make -C "${KERNEL_DIR}" -j${KERNEL_THREADS} ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_BIN_IMAGE}" modules dtbs	431	if [ "$KERNEL_CCACHE" = true ] ; then
		432	cc="ccache ${CROSS_COMPILE}gcc"
		433	else
		434	cc="${CROSS_COMPILE}gcc"
		435	fi
		436
		437	# Cross compile kernel and dtbs
		438	make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" "${KERNEL_BIN_IMAGE}" dtbs
		439
		440	# Cross compile kernel modules
		441	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
		442	make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
		443	fi
		444	# end if "$KERNELSRC_PREBUILT" = false
102	fi	445	fi
103		446
104	# Check if kernel compilation was successful	447	# Check if kernel compilation was successful
105	if [ ! -r "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" ] ; then	448	if [ ! -r "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" ] ; then
106	echo "error: kernel compilation failed! (kernel image not found)"	449	echo "error: kernel compilation failed! (kernel image not found)"
107	cleanup	450	cleanup
108	exit 1	451	exit 1
109	fi	452	fi
110		453
111	# Install kernel modules	454	# Install kernel modules
112	if [ "$ENABLE_REDUCE" = true ] ; then	455	if [ "$ENABLE_REDUCE" = true ] ; then
113	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install	456	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
		457	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
		458	fi
114	else	459	else
115	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install	460	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
		461	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
		462	fi
116		463
117	# Install kernel firmware	464	# Install kernel firmware
118	if [ $(~~cat ./Makefile~~ \| grep "^firmware_install:") ] ; then	465	if grep -q "^firmware_install:" "${KERNEL_DIR}/Makefile" ; then
119	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install	466	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
120	fi	467	fi
121	fi	468	fi
122		469
123	# Install kernel headers	470	# Install kernel headers
124	if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then	471	if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then
125	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install	472	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
126	fi	473	fi
127		474
128	# Prepare boot (firmware) directory	475	# Prepare boot (firmware) directory
129	mkdir "${BOOT_DIR}"	476	mkdir "${BOOT_DIR}"
130		477
131	# Get kernel release version	478	# Get kernel release version
132	KERNEL_VERSION=`cat "${KERNEL_DIR}/include/config/kernel.release"`	479	KERNEL_VERSION=$(cat "${KERNEL_DIR}/include/config/kernel.release")
133		480
134	# Copy kernel configuration file to the boot directory	481	# Copy kernel configuration file to the boot directory
135	install_readonly "${KERNEL_DIR}/.config" "${R}/boot/config-${KERNEL_VERSION}"	482	install_readonly "${KERNEL_DIR}/.config" "${R}/boot/config-${KERNEL_VERSION}"
136		483
137	# Copy dts and dtb device tree sources and binaries	484	# Prepare device tree directory
138	mkdir "${BOOT_DIR}/overlays"	485	mkdir "${BOOT_DIR}/overlays"
139		486
140	# Ensure the proper .dtb is located	487	# Ensure the proper .dtb is located
141	if [ "$KERNEL_ARCH" = "arm" ] ; then	488	if [ "$KERNEL_ARCH" = "arm" ] ; then
142	~~install_readonly~~ "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "${~~BOOT_DIR~~}/"	489	for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb ; do
		490	if [ -f "${dtb}" ] ; then
		491	install_readonly "${dtb}" "${BOOT_DIR}/"
		492	fi
		493	done
143	else	494	else
144	~~install_readonly~~ "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/broadcom/"*.dtb "${~~BOOT_DIR~~}/"	495	for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/broadcom/"*.dtb ; do
		496	if [ -f "${dtb}" ] ; then
		497	install_readonly "${dtb}" "${BOOT_DIR}/"
		498	fi
		499	done
145	fi	500	fi
146		501
147	install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/".dtb "${BOOT_DIR}/overlays/"	502	# Copy compiled dtb device tree files
148	i~~nstall_readonly~~ "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays~~/README~~" "${~~BOOT_DIR~~}~~/overlays/README"~~	503	if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then
		504	for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do
		505	if [ -f "${dtb}" ] ; then
		506	install_readonly "${dtb}" "${BOOT_DIR}/overlays/"
		507	fi
		508	done
		509
		510	if [ -f "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" ] ; then
		511	install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "${BOOT_DIR}/overlays/README"
		512	fi
		513	fi
149		514
150	if [ "$ENABLE_UBOOT" = false ] ; then	515	if [ "$ENABLE_UBOOT" = false ] ; then
151	# Convert and copy kernel image to the boot directory	516	# Convert and copy kernel image to the boot directory
152	"${KERNEL_DIR}/scripts/mkknlimg" "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"	517	"${KERNEL_DIR}/scripts/mkknlimg" "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
153	else	518	else
154	# Copy kernel image to the boot directory	519	# Copy kernel image to the boot directory
155	install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"	520	install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
156	fi	521	fi
157		522
158	# Remove kernel sources	523	# Remove kernel sources
159	if [ "$KERNEL_REMOVESRC" = true ] ; then	524	if [ "$KERNEL_REMOVESRC" = true ] ; then
160	rm -fr "${KERNEL_DIR}"	525	rm -fr "${KERNEL_DIR}"
161	else	526	else
162	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" modules_prepare	527	# Prepare compiled kernel modules
		528	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
		529	if grep -q "^modules_prepare:" "${KERNEL_DIR}/Makefile" ; then
		530	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" modules_prepare
		531	fi
163		532
164	# Create symlinks for kernel modules	533	# Create symlinks for kernel modules
165	chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/build"	534	chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/build"
166	chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/source"	535	chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/source"
		536	fi
167	fi	537	fi
168		538
169	else # BUILD_KERNEL=false	539	else # BUILD_KERNEL=false
170	# Kernel installation	540	if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; } ; then
171	chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel	541
		542	# Use Sakakis modified kernel if ZSWAP is active
		543	if [ "$KERNEL_ZSWAP" = true ] \|\| [ "$KERNEL_VIRT" = true ] \|\| [ "$KERNEL_NF" = true ] \|\| [ "$KERNEL_BPF" = true ] ; then
		544	RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
		545	fi
		546
		547	# Create temporary directory for dl
		548	temp_dir=$(as_nobody mktemp -d)
		549
		550	# Fetch kernel dl
		551	as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
		552
		553	#extract download
		554	tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
172		555
173	# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot	556	#move extracted kernel to /boot/firmware
174	chroot_exec apt-get -qq -y install flash-kernel	557	mkdir "${R}/boot/firmware"
		558	cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
		559	cp -r "${temp_dir}"/lib/* "${R}"/lib/
		560
		561	# Remove temporary directory for kernel sources
		562	rm -fr "${temp_dir}"
		563
		564	# Set permissions of the kernel sources
		565	chown -R root:root "${R}/boot/firmware"
		566	chown -R root:root "${R}/lib/modules"
		567	fi
		568
		569	# Install Kernel from hypriot comptabile with all Raspberry PI
		570	if [ "$SET_ARCH" = 32 ] ; then
		571	# Create temporary directory for dl
		572	temp_dir=$(as_nobody mktemp -d)
		573
		574	# Fetch kernel
		575	as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
		576
		577	# Copy downloaded U-Boot sources
		578	mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
		579
		580	# Set permissions
		581	chown -R root:root "${R}"/tmp/kernel.deb
		582
		583	# Install kernel
		584	chroot_exec dpkg -i /tmp/kernel.deb
		585
		586	# move /boot to /boot/firmware to fit script env.
		587	#mkdir "${BOOT_DIR}"
		588	mkdir "${temp_dir}"/firmware
		589	mv "${R}"/boot/* "${temp_dir}"/firmware/
		590	mv "${temp_dir}"/firmware "${R}"/boot/
		591
		592	#same for kernel headers
		593	if [ "$KERNEL_HEADERS" = true ] ; then
		594	# Fetch kernel header
		595	as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
		596	mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
		597	chown -R root:root "${R}"/tmp/kernel-header.deb
		598	# Install kernel header
		599	chroot_exec dpkg -i /tmp/kernel-header.deb
		600	rm -f "${R}"/tmp/kernel-header.deb
		601	fi
		602
		603	# Remove temporary directory and files
		604	rm -fr "${temp_dir}"
		605	rm -f "${R}"/tmp/kernel.deb
		606	fi
175		607
176	# Check if kernel installation was successful	608	# Check if kernel installation was successful
177	~~VMLINUZ~~="$(ls -1 ${R}/boot/~~vmlinuz-~~* \| sort \| tail -n 1)"	609	KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* \| sort \| tail -n 1)"
178	if [ -z "$~~VMLINUZ~~" ] ; then	610	if [ -z "$KERNEL" ] ; then
179	echo "error: kernel installation failed! (/boot/~~vmlinuz-~~* not found)"	611	echo "error: kernel installation failed! (/boot/kernel* not found)"
180	cleanup	612	cleanup
181	exit 1	613	exit 1
182	fi	614	fi
183	# Copy vmlinuz kernel to the boot directory
184	install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}"
185	fi	615	fi

bootstrap.d/14-fstab.sh +66 -6

             #
             # Setup fstab and initramfs
             #
             # Load utility functions
             . ./functions.sh
             # Install and setup fstab
             install_readonly files/mount/fstab "${ETC_DIR}/fstab"
             # Add usb/sda disk root partition to fstab
             if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
               sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
             fi
             # Add encrypted root partition to fstab and crypttab
             if [ "$ENABLE_CRYPTFS" = true ] ; then
               # Replace fstab root partition with encrypted partition mapping
               sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
               # Add encrypted partition to crypttab and fstab
               install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
-              echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "${ETC_DIR}/crypttab"
+              echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
               if [ "$ENABLE_SPLITFS" = true ] ; then
-                # Add usb/sda disk to crypttab
+                # Add usb/sda1 disk to crypttab
                 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
               fi
             fi
+            if [ "$ENABLE_USBBOOT" = true ] ; then
+              sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
+              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
+              # Add usb/sda2 disk to crypttab
+              sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
+            fi
             # Generate initramfs file
-            if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
+            if [ "$ENABLE_INITRAMFS" = true ] ; then
               if [ "$ENABLE_CRYPTFS" = true ] ; then
                 # Include initramfs scripts to auto expand encrypted root partition
                 if [ "$EXPANDROOT" = true ] ; then
                   install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
                   install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
                   install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
                 fi
+            	if [ "$ENABLE_DHCP" = false ] ; then
+                  # Get cdir from NET_ADDRESS e.g. 24
+                  cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
+                  # Convert cdir ro netmask e.g. 24 to 255.255.255.0
+                  NET_MASK=$(cdr2mask "$cdir")
+            	  # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
+                  sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
+            	  # Regenerate initramfs
+            	  chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+                fi
+            	if [ "$CRYPTFS_DROPBEAR" = true ]; then
+            	  if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
+             	    install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
+             	    cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
+             	  else
+             	    # Create key
+             	    chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
+             	    # Convert dropbear key to openssh key
+             	    chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
+             	    # Get Public Key Part
+             	    chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
+             	    # Delete unwanted lines
+             	    sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
+             	    sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
+             	    # Trust the new key
+             	    cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
+             	    # Save Keys - convert with putty from rsa/openssh to puttkey
+             	    cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
+             	    # Get unlock script
+             	    install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
+             	    # Enable Dropbear inside initramfs
+             	    printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
+             	    # Enable Dropbear inside initramfs
+             	    sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
+            	  fi
+            	else
+            	  # Disable SSHD inside initramfs
+            	  printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
+            	fi
-                # Disable SSHD inside initramfs
+                # Add cryptsetup modules to initramfs
-                printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
+                printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
                 # Dummy mapping required by mkinitramfs
-                echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
+                echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
                 # Generate initramfs with encrypted root partition support
                 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
                 # Remove dummy mapping
                 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
               else
                 # Generate initramfs without encrypted root partition support
                 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
               fi
             fi

bootstrap.d/15-rpi-config.sh +209 -60

@@ -1,151 +1,300
1	#	1	#
2	# Setup RPi2/3 config and cmdline	2	# Setup RPi2/3 config and cmdline
3	#	3	#
4		4
5	# Load utility functions	5	# Load utility functions
6	. ./functions.sh	6	. ./functions.sh
7		7
8	if [ "$BUILD_KERNEL" = true ] ; then	8	if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
9	if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then	9	# Install boot binaries from local directory
10	# Install boot binaries from local directory	10	cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
11	cp ${RPI_FIRMWARE_DIR}/boot/~~bootcode.bin~~ ${BOOT_DIR}~~/bootcode.bin~~	11	cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
12	cp ${RPI_FIRMWARE_DIR}/boot/fixup.dat ${BOOT_DIR}/fixup.dat	12	cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
13	cp ${RPI_FIRMWARE_DIR}/boot/fixup_cd.dat ${BOOT_DIR}/fixup_cd.dat	13	cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
14	cp ${RPI_FIRMWARE_DIR}/boot/~~fixup_x.dat~~ ${BOOT_DIR}~~/fixup_x.dat~~	14	cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
15	cp ${RPI_FIRMWARE_DIR}/boot/start.elf ${BOOT_DIR}/start.elf	15	cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
16	cp ${RPI_FIRMWARE_DIR}/boot/start_cd.elf ${BOOT_DIR}/start_cd.elf	16	cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
17	cp ${RPI_FIRMWARE_DIR}/boot/start_x.elf ${BOOT_DIR}/start_x.elf	17	else
18	else	18	# Create temporary directory for boot binaries
19	# Create temporary directory for boot binaries	19	temp_dir=$(as_nobody mktemp -d)
20	temp_dir=$(as_nobody mktemp -d)
21		20
22	# Install latest boot binaries from raspberry/firmware github	21	# Install latest boot binaries from raspberry/firmware github
23	as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"	22	as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
24	as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"	23	as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
25	as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"	24	as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
26	as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"	25	as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
27	as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"	26	as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
28	as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"	27	as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
29	as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"	28	as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
30		29
31	# Move downloaded boot binaries	30	# Move downloaded boot binaries
32	mv "${temp_dir}/"* "${BOOT_DIR}/"	31	mv "${temp_dir}/"* "${BOOT_DIR}/"
33		32
34	# Remove temporary directory for boot binaries	33	# Remove temporary directory for boot binaries
35	rm -fr "${temp_dir}"	34	rm -fr "${temp_dir}"
36		35
37	# Set permissions of the boot binaries	36	# Set permissions of the boot binaries
38	chown -R root:root "${BOOT_DIR}"	37	chown -R root:root "${BOOT_DIR}"
39	chmod -R 600 "${BOOT_DIR}"	38	chmod -R 600 "${BOOT_DIR}"
40	fi
41	fi	39	fi
42		40
43	# Setup firmware boot cmdline	41	# Setup firmware boot cmdline
44	if [ "$ENABLE_~~SPLITFS~~" = true ] ; then	42	if [ "$ENABLE_USBBOOT" = true ] ; then
45	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline ~~rootwait~~ console=tty1"	43	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
46	else	44	else
47	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1"	45	if [ "$ENABLE_SPLITFS" = true ] ; then
		46	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
		47	else
		48	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
		49	fi
48	fi	50	fi
49		51
50	# Add encrypted root partition to cmdline.txt	52	# Add encrypted root partition to cmdline.txt
51	if [ "$ENABLE_CRYPTFS" = true ] ; then	53	if [ "$ENABLE_CRYPTFS" = true ] ; then
52	if [ "$ENABLE_SPLITFS" = true ] ; then	54	if [ "$ENABLE_SPLITFS" = true ] ; then
53	CMDLINE=$(echo ${CMDLINE} \| sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")	55	CMDLINE=$(echo "${CMDLINE}" \| sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
54	else	56	else
55	CMDLINE=$(echo ${CMDLINE} \| sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")	57	if [ "$ENABLE_USBBOOT" = true ] ; then
		58	CMDLINE=$(echo "${CMDLINE}" \| sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
		59	else
		60	CMDLINE=$(echo "${CMDLINE}" \| sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
		61	fi
56	fi	62	fi
57	fi	63	fi
58		64
59	# Add serial console support	65	# Enable Kernel messages on standard output
60	if [ "$ENABLE_~~CONSOLE~~" = true ] ; then	66	if [ "$ENABLE_PRINTK" = true ] ; then
61	CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"	67	install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
		68	fi
		69
		70	# Enable Kernel messages on standard output
		71	if [ "$KERNEL_SECURITY" = true ] ; then
		72	install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
62	fi	73	fi
63		74
		75	# Install udev rule for serial alias - serial0 = console serial1=bluetooth
		76	install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
		77
64	# Remove IPv6 networking support	78	# Remove IPv6 networking support
65	if [ "$ENABLE_IPV6" = false ] ; then	79	if [ "$ENABLE_IPV6" = false ] ; then
66	CMDLINE="${CMDLINE} ipv6.disable=1"	80	CMDLINE="${CMDLINE} ipv6.disable=1"
67	fi	81	fi
68		82
69	# Automatically assign predictable network interface names	83	# Automatically assign predictable network interface names
70	if [ "$ENABLE_IFNAMES" = false ] ; then	84	if [ "$ENABLE_IFNAMES" = false ] ; then
71	CMDLINE="${CMDLINE} net.ifnames=0"	85	CMDLINE="${CMDLINE} net.ifnames=0"
72	else	86	else
73	CMDLINE="${CMDLINE} net.ifnames=1"	87	CMDLINE="${CMDLINE} net.ifnames=1"
74	fi	88	fi
75		89
76	# Set init to systemd if required by Debian release	90	# Disable Raspberry Pi console logo
77	if [ "$RELEASE" = "stretch" ] \|\| [ "$RELEASE" = "buster" ] ; then	91	if [ "$ENABLE_LOGO" = false ] ; then
78	CMDLINE="${CMDLINE} ~~init=/bin/systemd~~"	92	CMDLINE="${CMDLINE} logo.nologo"
79	fi	93	fi
80		94
81	# Install firmware boot cmdline	95	# Strictly limit verbosity of boot up console messages
82	echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"	96	if [ "$ENABLE_SILENT_BOOT" = true ] ; then
		97	CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
		98	fi
83		99
84	# Install firmware config	100	# Install firmware config
85	install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"	101	install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
86		102
		103	# Disable Raspberry Pi console logo
		104	if [ "$ENABLE_SLASH" = false ] ; then
		105	echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
		106	fi
		107
		108	# Locks CPU frequency at maximum
		109	if [ "$ENABLE_TURBO" = true ] ; then
		110	echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
		111	# helps to avoid sdcard corruption when force_turbo is enabled.
		112	echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
		113	fi
		114
		115	if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; then
		116
		117	# Bluetooth enabled
		118	if [ "$ENABLE_BLUETOOTH" = true ] ; then
		119	# Create temporary directory for Bluetooth sources
		120	temp_dir=$(as_nobody mktemp -d)
		121
		122	# Fetch Bluetooth sources
		123	as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
		124
		125	# Copy downloaded sources
		126	mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
		127
		128	# Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
		129	as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
		130	as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
		131
		132	# Set permissions
		133	chown -R root:root "${R}/tmp/pi-bluetooth"
		134
		135	# Install tools
		136	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
		137	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
		138
		139	# make scripts executable
		140	chmod +x "${R}/usr/bin/bthelper"
		141	chmod +x "${R}/usr/bin/btuart"
		142
		143	# Install bluetooth udev rule
		144	install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
		145
		146	# Install Firmware Flash file and apropiate licence
		147	mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
		148	install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
		149	install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/BCM43430A1.hcd"
		150	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
		151	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
		152
		153	# Remove temporary directories
		154	rm -fr "${temp_dir}"
		155	rm -fr "${R}"/tmp/pi-bluetooth
		156
		157	# Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
		158	if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
		159	# set overlay to swap ttyAMA0 and ttyS0
		160	echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
		161
		162	if [ "$ENABLE_TURBO" = false ] ; then
		163	echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
		164	fi
		165
		166	fi
		167
		168	# Activate services
		169	chroot_exec systemctl enable pi-bluetooth.hciuart.service
		170
		171	else # if ENABLE_BLUETOOTH = false
		172	# set overlay to disable bluetooth
		173	echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
		174	fi # ENABLE_BLUETOOTH end
		175	fi
		176
		177	# may need sudo systemctl disable hciuart
		178	if [ "$ENABLE_CONSOLE" = true ] ; then
		179	echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
		180	# add string to cmdline
		181	CMDLINE="${CMDLINE} console=serial0,115200"
		182
		183	if [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ]\|\| [ "$RPI_MODEL" = 0 ]; then
		184	# if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
		185	if [ "$ENABLE_TURBO" = false ] ; then
		186	echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
		187	fi
		188	fi
		189
		190	# Enable serial console systemd style
		191	chroot_exec systemctl enable serial-getty@serial0.service
		192	else
		193	echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
		194	fi
		195
		196	# Disable dphys-swapfile service. Will get enabled on first boot
		197	if [ "$ENABLE_DPHYSSWAP" = true ] ; then
		198	chroot_exec systemctl disable dphys-swapfile
		199	fi
		200
		201	if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
		202	# Create temporary directory for systemd-swap sources
		203	temp_dir=$(as_nobody mktemp -d)
		204
		205	# Fetch systemd-swap sources
		206	as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
		207
		208	# Copy downloaded systemd-swap sources
		209	mv "${temp_dir}/systemd-swap" "${R}/tmp/"
		210
		211	# Change into downloaded src dir
		212	cd "${R}/tmp/systemd-swap" \|\| exit
		213
		214	# Build package
		215	bash ./package.sh debian
		216
		217	# Change back into script root dir
		218	cd "${WORKDIR}" \|\| exit
		219
		220	# Set permissions of the systemd-swap sources
		221	chown -R root:root "${R}/tmp/systemd-swap"
		222
		223	# Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
		224	chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
		225
		226	# Enable service
		227	chroot_exec systemctl enable systemd-swap
		228
		229	# Remove temporary directory for systemd-swap sources
		230	rm -fr "${temp_dir}"
		231	else
		232	# Enable ZSWAP in cmdline if systemd-swap is not used
		233	if [ "$KERNEL_ZSWAP" = true ] ; then
		234	CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
		235	fi
		236	fi
		237	if [ "$KERNEL_SECURITY" = true ] ; then
		238	CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
		239	fi
		240
		241	# Install firmware boot cmdline
		242	echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
		243
87	# Setup minimal GPU memory allocation size: 16MB (no X)	244	# Setup minimal GPU memory allocation size: 16MB (no X)
88	if [ "$ENABLE_MINGPU" = true ] ; then	245	if [ "$ENABLE_MINGPU" = true ] ; then
89	echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"	246	echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
90	fi	247	fi
91		248
92	# Setup boot with initramfs	249	# Setup boot with initramfs
93	if [ "$ENABLE_INITRAMFS" = true ] ; then	250	if [ "$ENABLE_INITRAMFS" = true ] ; then
94	echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"	251	echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
95	fi	252	fi
96		253
97	# Disable RPi3 Bluetooth and restore ttyAMA0 serial device
98	if [ "$RPI_MODEL" = 3 ] ; then
99	if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ] ; then
100	echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
101	echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
102	fi
103	fi
104
105	# Create firmware configuration and cmdline symlinks	254	# Create firmware configuration and cmdline symlinks
106	ln -sf firmware/config.txt "${R}/boot/config.txt"	255	ln -sf firmware/config.txt "${R}/boot/config.txt"
107	ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"	256	ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
108		257
109	# Install and setup kernel modules to load at boot	258	# Install and setup kernel modules to load at boot
110	mkdir -p "${R}~~/lib~~/modules-load.d/"	259	mkdir -p "${LIB_DIR}/modules-load.d/"
111	install_readonly files/modules/rpi2.conf "${R}~~/lib~~/modules-load.d/rpi2.conf"	260	install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
112		261
113	# Load hardware random module at boot	262	# Load hardware random module at boot
114	if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then	263	if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
115	sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${R}~~/lib~~/modules-load.d/rpi2.conf"	264	sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
116	fi	265	fi
117		266
118	# Load sound module at boot	267	# Load sound module at boot
119	if [ "$ENABLE_SOUND" = true ] ; then	268	if [ "$ENABLE_SOUND" = true ] ; then
120	sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${R}~~/lib~~/modules-load.d/rpi2.conf"	269	sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
121	else	270	else
122	echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"	271	echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
123	fi	272	fi
124		273
125	# Enable I2C interface	274	# Enable I2C interface
126	if [ "$ENABLE_I2C" = true ] ; then	275	if [ "$ENABLE_I2C" = true ] ; then
127	echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"	276	echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
128	sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${R}~~/lib~~/modules-load.d/rpi2.conf"	277	sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
129	sed -i "s/^# i2c-dev/i2c-dev/" "${R}~~/lib~~/modules-load.d/rpi2.conf"	278	sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
130	fi	279	fi
131		280
132	# Enable SPI interface	281	# Enable SPI interface
133	if [ "$ENABLE_SPI" = true ] ; then	282	if [ "$ENABLE_SPI" = true ] ; then
134	echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"	283	echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
135	echo "spi-bcm2708" >> "${R}~~/lib~~/modules-load.d/rpi2.conf"	284	echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
136	if [ "$RPI_MODEL" = 3 ] ; then	285	if [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ]; then
137	sed -i "s/spi-bcm2708/spi-bcm2835/" "${R}~~/lib~~/modules-load.d/rpi2.conf"	286	sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
138	fi	287	fi
139	fi	288	fi
140		289
141	# Disable RPi2/3 under-voltage warnings	290	# Disable RPi2/3 under-voltage warnings
142	if [ ~~! -z~~ "$DISABLE_UNDERVOLT_WARNINGS" ] ; then	291	if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
143	echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"	292	echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
144	fi	293	fi
145		294
146	# Install kernel modules blacklist	295	# Install kernel modules blacklist
147	mkdir -p "${ETC_DIR}/modprobe.d/"	296	mkdir -p "${ETC_DIR}/modprobe.d/"
148	install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"	297	install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
149		298
150	# Install sysctl.d configuration files	299	# Install sysctl.d configuration files
151	install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"	300	install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"

bootstrap.d/20-networking.sh +49 -20

             #
             # Setup Networking
             #
             # Load utility functions
             . ./functions.sh
             # Install and setup hostname
             install_readonly files/network/hostname "${ETC_DIR}/hostname"
-            sed -i "s/^rpi2-jessie/${HOSTNAME}/" "${ETC_DIR}/hostname"
+            sed -i "s/^RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hostname"
             # Install and setup hosts
             install_readonly files/network/hosts "${ETC_DIR}/hosts"
-            sed -i "s/rpi2-jessie/${HOSTNAME}/" "${ETC_DIR}/hosts"
+            sed -i "s/RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hosts"
             # Setup hostname entry with static IP
             if [ "$NET_ADDRESS" != "" ] ; then
               NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
               sed -i "s/^127.0.1.1/${NET_IP}/" "${ETC_DIR}/hosts"
             fi
             # Remove IPv6 hosts
             if [ "$ENABLE_IPV6" = false ] ; then
               sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETC_DIR}/hosts"
             fi
             # Install hint about network configuration
             install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
             # Install configuration for interface eth0
             install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
+            if [ "$RPI_MODEL" = 3P ] ; then
+            printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network"
+            fi
+            # Install configuration for interface wl*
+            install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
+            #always with dhcp since wpa_supplicant integration is missing
+            sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/wlan.network"
             if [ "$ENABLE_DHCP" = true ] ; then
               # Enable DHCP configuration for interface eth0
               sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/eth.network"
               # Set DHCP configuration to IPv4 only
               if [ "$ENABLE_IPV6" = false ] ; then
                 sed -i "s/DHCP=.*/DHCP=v4/" "${ETC_DIR}/systemd/network/eth.network"
               fi
             else # ENABLE_DHCP=false
               # Set static network configuration for interface eth0
               sed -i\
               -e "s|DHCP=.*|DHCP=no|"\
               -e "s|Address=\$|Address=${NET_ADDRESS}|"\
               -e "s|Gateway=\$|Gateway=${NET_GATEWAY}|"\
               -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_1}|"\
               -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_2}|"\
               -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
               -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
               -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
               "${ETC_DIR}/systemd/network/eth.network"
             fi
             # Remove empty settings from network configuration
             sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/eth.network"
+            # Remove empty settings from wlan configuration
+            sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/wlan.network"
             # Move systemd network configuration if required by Debian release
-            if [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
+            mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
-              mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
+            # If WLAN is enabled copy wlan configuration too
-              rm -fr "${ETC_DIR}/systemd/network"
+            if [ "$ENABLE_WIRELESS" = true ] ; then
+              mv -v "${ETC_DIR}/systemd/network/wlan.network" "${LIB_DIR}/systemd/network/11-wlan.network"
             fi
+            rm -fr "${ETC_DIR}/systemd/network"
             # Enable systemd-networkd service
             chroot_exec systemctl enable systemd-networkd
             # Install host.conf resolver configuration
             install_readonly files/network/host.conf "${ETC_DIR}/host.conf"
             # Enable network stack hardening
             if [ "$ENABLE_HARDNET" = true ] ; then
               # Install sysctl.d configuration files
               install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETC_DIR}/sysctl.d/82-rpi-net-hardening.conf"
               # Setup resolver warnings about spoofed addresses
               sed -i "s/^# spoof warn/spoof warn/" "${ETC_DIR}/host.conf"
             fi
             # Enable time sync
-            if [ "NET_NTP_1" != "" ] ; then
+            if [ "$NET_NTP_1" != "" ] ; then
               chroot_exec systemctl enable systemd-timesyncd.service
             fi
             # Download the firmware binary blob required to use the RPi3 wireless interface
             if [ "$ENABLE_WIRELESS" = true ] ; then
-              if [ ! -d ${WLAN_FIRMWARE_DIR} ] ; then
+              if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then
-                mkdir -p ${WLAN_FIRMWARE_DIR}
+                mkdir -p "${WLAN_FIRMWARE_DIR}"
               fi
               # Create temporary directory for firmware binary blob
               temp_dir=$(as_nobody mktemp -d)
-              # Fetch firmware binary blob
+              # Fetch firmware binary blob for RPI3B+
-              as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
+              if [ "$RPI_MODEL" = 3P ] ; then
-              as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
+                # Fetch firmware binary blob for RPi3P
+                as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
-              # Move downloaded firmware binary blob
+                as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
-              mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
+                as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
+            	# Move downloaded firmware binary blob
+            	mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
+            	# Set permissions of the firmware binary blob
+            	chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
+                chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
+              elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
+                # Fetch firmware binary blob for RPi3
+                as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
+                as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
+            	# Move downloaded firmware binary blob
+            	mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
+            	# Set permissions of the firmware binary blob
+            	chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
+                chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
+              fi
               # Remove temporary directory for firmware binary blob
               rm -fr "${temp_dir}"
-              # Set permissions of the firmware binary blob
-              chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
-              chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
             fi

bootstrap.d/21-firewall.sh +11 -1

             #
             # Setup Firewall
             #
             # Load utility functions
             . ./functions.sh
             if [ "$ENABLE_IPTABLES" = true ] ; then
               # Create iptables configuration directory
               mkdir -p "${ETC_DIR}/iptables"
+              if [ "$KERNEL_NF" = false ] ; then
+                # iptables-save and -restore are slaves of iptables and thus are set accordingly
+                chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
+              fi
               # Install iptables systemd service
               install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
               # Install flush-table script called by iptables service
               install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
               # Install iptables rule file
               install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
               # Reload systemd configuration and enable iptables service
               chroot_exec systemctl daemon-reload
               chroot_exec systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
+                if [ "$KERNEL_NF" = false ] ; then
+                  # iptables-save and -restore are slaves of iptables and thus are set accordingly
+                  chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
+            	fi
                 # Install ip6tables systemd service
                 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
                 # Install ip6tables file
                 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
                 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
                 # Reload systemd configuration and enable iptables service
                 chroot_exec systemctl daemon-reload
                 chroot_exec systemctl enable ip6tables.service
               fi
               if [ "$ENABLE_SSHD" = false ] ; then
                # Remove SSHD related iptables rules
                sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
                sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
               fi
             fi

bootstrap.d/30-security.sh +4 -9

             #
             # Setup users and security settings
             #
             # Load utility functions
             . ./functions.sh
             # Generate crypt(3) password string
-            ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 "${PASSWORD}"`
+            ENCRYPTED_PASSWORD=$(mkpasswd -m sha-512 "${PASSWORD}")
-            ENCRYPTED_USER_PASSWORD=`mkpasswd -m sha-512 "${USER_PASSWORD}"`
+            ENCRYPTED_USER_PASSWORD=$(mkpasswd -m sha-512 "${USER_PASSWORD}")
             # Setup default user
             if [ "$ENABLE_USER" = true ] ; then
-              chroot_exec adduser --gecos $USER_NAME --add_extra_groups --disabled-password $USER_NAME
+              chroot_exec adduser --gecos "$USER_NAME" --add_extra_groups --disabled-password "$USER_NAME"
-              chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" $USER_NAME
+              chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" "$USER_NAME"
             fi
             # Setup root password or not
             if [ "$ENABLE_ROOT" = true ] ; then
               chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
             else
               # Set no root password to disable root login
               chroot_exec usermod -p \'!\' root
             fi
-            # Enable serial console systemd style
-            if [ "$ENABLE_CONSOLE" = true ] ; then
-              chroot_exec systemctl enable serial-getty\@ttyAMA0.service
-            fi

bootstrap.d/32-sshd.sh +6 -6

             #
             # Setup SSH settings and public keys
             #
             # Load utility functions
             . ./functions.sh
             if [ "$ENABLE_SSHD" = true ] ; then
               DROPBEAR_ARGS=""
               if [ "$SSH_ENABLE_ROOT" = false ] ; then
                 if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                   # User root is not allowed to log in
                   sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
                 else
                   # User root is not allowed to log in
                   DROPBEAR_ARGS="-w"
                 fi
               fi
               if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
                 if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                   # Permit SSH root login
                   sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
                 else
                   # Permit SSH root login
                   DROPBEAR_ARGS=""
                 fi
                 # Add SSH (v2) public key for user root
-                if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+                if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
                   # Create root SSH config directory
                   mkdir -p "${R}/root/.ssh"
                   # Set permissions of root SSH config directory
                   chroot_exec chmod 700 "/root/.ssh"
                   chroot_exec chown root:root "/root/.ssh"
                   # Add SSH (v2) public key(s) to authorized_keys file
                   cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"
                   # Set permissions of root SSH authorized_keys file
                   chroot_exec chmod 600 "/root/.ssh/authorized_keys"
                   chroot_exec chown root:root "/root/.ssh/authorized_keys"
                   if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                     # Allow SSH public key authentication
                     sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
                   fi
                 fi
               fi
               if [ "$ENABLE_USER" = true ] ; then
                 # Add SSH (v2) public key for user $USER_NAME
-                if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+                if [ -n "$SSH_USER_PUB_KEY" ] ; then
                   # Create $USER_NAME SSH config directory
                   mkdir -p "${R}/home/${USER_NAME}/.ssh"
                   # Set permissions of $USER_NAME SSH config directory
                   chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
-                  chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
+                  chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh"
                   # Add SSH (v2) public key(s) to authorized_keys file
                   cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"
                   # Set permissions of $USER_NAME SSH config directory
                   chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"
-                  chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys"
+                  chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh/authorized_keys"
                   if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                     # Allow SSH public key authentication
                     sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
                   fi
                 fi
               fi
               # Limit the users that are allowed to login via SSH
               if [ "$SSH_LIMIT_USERS" = true ] && [ "$ENABLE_REDUCE" = false ] ; then
                 allowed_users=""
                 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
                   allowed_users="root"
                 fi
                 if [ "$ENABLE_USER" = true ] ; then
                   allowed_users="${allowed_users} ${USER_NAME}"
                 fi
-                if [ ! -z "$allowed_users" ] ; then
+                if [ -n "$allowed_users" ] ; then
                   echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"
                 fi
               fi
               # Disable password-based authentication
               if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
                 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
                   if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                     sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
                   else
                     DROPBEAR_ARGS="-g"
                   fi
                 fi
                 if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then
                   sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
                   sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
                   sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
                 else
                   DROPBEAR_ARGS="${DROPBEAR_ARGS} -s"
                 fi
               fi
               # Update dropbear SSH configuration
               if [ "$ENABLE_REDUCE" = true ] && [ "$REDUCE_SSHD" = true ] ; then
                 sed "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear"
               fi
-            fi
+            fi
  No newline at end of file

bootstrap.d/41-uboot.sh +27 -5

             #
             # Build and Setup U-Boot
             #
             # Load utility functions
             . ./functions.sh
             # Fetch and build U-Boot bootloader
             if [ "$ENABLE_UBOOT" = true ] ; then
               # Install c/c++ build environment inside the chroot
               chroot_install_cc
               # Copy existing U-Boot sources into chroot directory
               if [ -n "$UBOOTSRC_DIR" ] && [ -d "$UBOOTSRC_DIR" ] ; then
                 # Copy local U-Boot sources
                 cp -r "${UBOOTSRC_DIR}" "${R}/tmp"
               else
                 # Create temporary directory for U-Boot sources
                 temp_dir=$(as_nobody mktemp -d)
                 # Fetch U-Boot sources
                 as_nobody git -C "${temp_dir}" clone "${UBOOT_URL}"
                 # Copy downloaded U-Boot sources
                 mv "${temp_dir}/u-boot" "${R}/tmp/"
                 # Set permissions of the U-Boot sources
                 chown -R root:root "${R}/tmp/u-boot"
                 # Remove temporary directory for U-Boot sources
                 rm -fr "${temp_dir}"
               fi
               # Build and install U-Boot inside chroot
-              chroot_exec make -j${KERNEL_THREADS} -C /tmp/u-boot/ ${UBOOT_CONFIG} all
+              chroot_exec make -j"${KERNEL_THREADS}" -C /tmp/u-boot/ "${UBOOT_CONFIG}" all
               # Copy compiled bootloader binary and set config.txt to load it
               install_exec "${R}/tmp/u-boot/tools/mkimage" "${R}/usr/sbin/mkimage"
               install_readonly "${R}/tmp/u-boot/u-boot.bin" "${BOOT_DIR}/u-boot.bin"
               printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "${BOOT_DIR}/config.txt"
               # Install and setup U-Boot command file
               install_readonly files/boot/uboot.mkimage "${BOOT_DIR}/uboot.mkimage"
-              printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat ${BOOT_DIR}/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
+              printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat "${BOOT_DIR}"/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
               if [ "$ENABLE_INITRAMFS" = true ] ; then
                 # Convert generated initramfs for U-Boot using mkimage
                 chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "/boot/firmware/initramfs-${KERNEL_VERSION}" "/boot/firmware/initramfs-${KERNEL_VERSION}.uboot"
                 # Remove original initramfs file
                 rm -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}"
                 # Configure U-Boot to load generated initramfs
-                printf "# Set initramfs file\nsetenv initramfs initramfs-${KERNEL_VERSION}.uboot\n\n$(cat ${BOOT_DIR}/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
+                printf "# Set initramfs file\nsetenv initramfs initramfs-${KERNEL_VERSION}.uboot\n\n$(cat "${BOOT_DIR}"/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
                 printf "\nbootz \${kernel_addr_r} \${ramdisk_addr_r} \${fdt_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
               else # ENABLE_INITRAMFS=false
                 # Remove initramfs from U-Boot mkfile
                 sed -i '/.*initramfs.*/d' "${BOOT_DIR}/uboot.mkimage"
                 if [ "$BUILD_KERNEL" = false ] ; then
                   # Remove dtbfile from U-Boot mkfile
                   sed -i '/.*dtbfile.*/d' "${BOOT_DIR}/uboot.mkimage"
                   printf "\nbootz \${kernel_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
                 else
                   printf "\nbootz \${kernel_addr_r} - \${fdt_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
                 fi
               fi
+              if [ "$SET_ARCH" = 64 ] ; then
+                echo "Setting up config.txt to boot 64bit uboot"
+                {
+                  printf "\n# 64bit-mode"
+                  printf "\n# arm_control=0x200 is deprecated https://www.raspberrypi.org/documentation/configuration/config-txt/misc.md"
+                  printf "\narm_64bit=1"
+                } >> "${BOOT_DIR}/config.txt"
+                #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)]
+                sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage"
+              fi
+              # instead of sd, boot from usb device
+              if [ "$ENABLE_USBBOOT" = true ] ; then
+                sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"
+              fi
               # Set mkfile to use the correct dtb file
-              sed -i "s/^\(setenv dtbfile \).*/\1${DTB_FILE}/" "${BOOT_DIR}/uboot.mkimage"
+              sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage"
+              # Set mkfile to use the correct mach id
+              if [ "$ENABLE_QEMU" = true ] ; then
+                sed -i "s/^\(setenv machid \).*/\10x000008e0/" "${BOOT_DIR}/uboot.mkimage"
+              fi
               # Set mkfile to use kernel image
-              sed -i "s/^\(fatload mmc 0:1 \${kernel_addr_r} \).*/\1${KERNEL_IMAGE}/" "${BOOT_DIR}/uboot.mkimage"
+              sed -i "s|kernel7.img|${KERNEL_IMAGE}|" "${BOOT_DIR}/uboot.mkimage"
               # Remove all leading blank lines
               sed -i "/./,\$!d" "${BOOT_DIR}/uboot.mkimage"
               # Generate U-Boot bootloader image
               chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi${RPI_MODEL}" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
               # Remove U-Boot sources
               rm -fr "${R}/tmp/u-boot"
             fi

bootstrap.d/42-fbturbo.sh +2 0

             #
             # Build and Setup fbturbo Xorg driver
             #
             # Load utility functions
             . ./functions.sh
             if [ "$ENABLE_FBTURBO" = true ] ; then
               # Install c/c++ build environment inside the chroot
               chroot_install_cc
               # Copy existing fbturbo sources into chroot directory
               if [ -n "$FBTURBOSRC_DIR" ] && [ -d "$FBTURBOSRC_DIR" ] ; then
                 # Copy local fbturbo sources
                 cp -r "${FBTURBOSRC_DIR}" "${R}/tmp"
               else
                 # Create temporary directory for fbturbo sources
                 temp_dir=$(as_nobody mktemp -d)
                 # Fetch fbturbo sources
                 as_nobody git -C "${temp_dir}" clone "${FBTURBO_URL}"
                 # Move downloaded fbturbo sources
                 mv "${temp_dir}/xf86-video-fbturbo" "${R}/tmp/"
                 # Remove temporary directory for fbturbo sources
                 rm -fr "${temp_dir}"
               fi
               # Install Xorg build dependencies
               if [ "$RELEASE" = "jessie" ] || [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
                 chroot_exec apt-get -q -y --no-install-recommends install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
               elif [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
                 chroot_exec apt-get -q -y --no-install-recommends --allow-unauthenticated install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
               fi
               # Build and install fbturbo driver inside chroot
               chroot_exec /bin/bash -x <<'EOF'
             cd /tmp/xf86-video-fbturbo
             autoreconf -vi
             ./configure --prefix=/usr
             make
             make install
             EOF
               # Install fbturbo driver Xorg configuration
               install_readonly files/xorg/99-fbturbo.conf "${R}/usr/share/X11/xorg.conf.d/99-fbturbo.conf"
               # Remove Xorg build dependencies
               chroot_exec apt-get -qq -y --auto-remove purge xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
             fi

bootstrap.d/50-firstboot.sh +15 -10

             #
             # First boot actions
             #
             # Load utility functions
             . ./functions.sh
             # Prepare rc.firstboot script
             cat files/firstboot/10-begin.sh > "${ETC_DIR}/rc.firstboot"
-            # Ensure openssh server host keys are regenerated on first boot
-            if [ "$ENABLE_SSHD" = true ] ; then
-              cat files/firstboot/21-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
-            fi
             # Prepare filesystem auto expand
             if [ "$EXPANDROOT" = true ] ; then
               if [ "$ENABLE_CRYPTFS" = false ] ; then
-                cat files/firstboot/22-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
+                cat files/firstboot/20-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
               else
                 # Regenerate initramfs to remove encrypted root partition auto expand
-                cat files/firstboot/23-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
+                cat files/firstboot/21-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
+              fi
+              # Restart dphys-swapfile so the size of the swap file is relative to the resized root partition
+              if [ "$ENABLE_DPHYSSWAP" = true ] ; then
+                cat files/firstboot/23-restart-dphys-swapfile.sh >> "${ETC_DIR}/rc.firstboot"
               fi
             fi
+            # Ensure openssh server host keys are regenerated on first boot
+            if [ "$ENABLE_SSHD" = true ] ; then
+              cat files/firstboot/30-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
+            fi
             # Ensure that dbus machine-id exists
-            cat files/firstboot/24-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
+            cat files/firstboot/40-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
             # Create /etc/resolv.conf symlink
-            cat files/firstboot/25-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
+            cat files/firstboot/41-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
             # Configure automatic network interface names
             if [ "$ENABLE_IFNAMES" = true ] ; then
-              cat files/firstboot/26-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
+              cat files/firstboot/42-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
             fi
             # Finalize rc.firstboot script
             cat files/firstboot/99-finish.sh >> "${ETC_DIR}/rc.firstboot"
             chmod +x "${ETC_DIR}/rc.firstboot"
             # Install default rc.local if it does not exist
             if [ ! -f "${ETC_DIR}/rc.local" ] ; then
               install_exec files/etc/rc.local "${ETC_DIR}/rc.local"
             fi
             # Add rc.firstboot script to rc.local
             sed -i '/exit 0/d' "${ETC_DIR}/rc.local"
             echo /etc/rc.firstboot >> "${ETC_DIR}/rc.local"
             echo exit 0 >> "${ETC_DIR}/rc.local"

bootstrap.d/99-reduce.sh +5 -14

             #
             # Reduce system disk usage
             #
             # Load utility functions
             . ./functions.sh
             # Reduce the image size by various operations
             if [ "$ENABLE_REDUCE" = true ] ; then
               if [ "$REDUCE_APT" = true ] ; then
                 # Install dpkg configuration file
                 if [ "$REDUCE_DOC" = true ] || [ "$REDUCE_MAN" = true ] ; then
                   install_readonly files/dpkg/01nodoc "${ETC_DIR}/dpkg/dpkg.cfg.d/01nodoc"
                 fi
                 # Install APT configuration files
                 install_readonly files/apt/02nocache "${ETC_DIR}/apt/apt.conf.d/02nocache"
                 install_readonly files/apt/03compress "${ETC_DIR}/apt/apt.conf.d/03compress"
                 install_readonly files/apt/04norecommends "${ETC_DIR}/apt/apt.conf.d/04norecommends"
                 # Remove APT cache files
                 rm -fr "${R}/var/cache/apt/pkgcache.bin"
                 rm -fr "${R}/var/cache/apt/srcpkgcache.bin"
               fi
               # Remove all doc files
               if [ "$REDUCE_DOC" = true ] ; then
-                find "${R}/usr/share/doc" -depth -type f ! -name copyright | xargs rm || true
+                find "${R}/usr/share/doc" -depth -type f ! -name copyright -print0 | xargs -0 rm || true
-                find "${R}/usr/share/doc" -empty | xargs rmdir || true
+                find "${R}/usr/share/doc" -empty -print0 | xargs -0 rmdir || true
               fi
               # Remove all man pages and info files
               if [ "$REDUCE_MAN" = true ] ; then
                 rm -rf "${R}/usr/share/man" "${R}/usr/share/groff" "${R}/usr/share/info" "${R}/usr/share/lintian" "${R}/usr/share/linda" "${R}/var/cache/man"
               fi
               # Remove all locale translation files
               if [ "$REDUCE_LOCALE" = true ] ; then
-                find "${R}/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' | xargs rm -r
+                find "${R}/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' -print0 | xargs -0 rm -r
               fi
               # Remove hwdb PCI device classes (experimental)
               if [ "$REDUCE_HWDB" = true ] ; then
                 rm -fr "/lib/udev/hwdb.d/20-pci-*"
               fi
               # Replace bash shell by dash shell (experimental)
               if [ "$REDUCE_BASH" = true ] ; then
-                if [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
+                # Purge bash and update alternatives
-                  echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --allow-remove-essential bash
+                echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --allow-remove-essential bash
-                else
-                  echo "Yes, do as I say!" | chroot_exec apt-get purge -qq -y --force-yes bash
-                fi
                 chroot_exec update-alternatives --install /bin/bash bash /bin/dash 100
               fi
               # Remove sound utils and libraries
               if [ "$ENABLE_SOUND" = false ] ; then
                 chroot_exec apt-get -qq -y purge alsa-utils libsamplerate0 libasound2 libasound2-data
               fi
-              # Re-install tools for managing kernel modules
-              if [ "$RELEASE" = "jessie" ] ; then
-                chroot_exec apt-get -qq -y install module-init-tools
-              fi
               # Remove GPU kernels
               if [ "$ENABLE_MINGPU" = true ] ; then
                 rm -f "${BOOT_DIR}/start.elf"
                 rm -f "${BOOT_DIR}/fixup.dat"
                 rm -f "${BOOT_DIR}/start_x.elf"
                 rm -f "${BOOT_DIR}/fixup_x.dat"
               fi
               # Remove kernel and initrd from /boot (already in /boot/firmware)
               if [ "$BUILD_KERNEL" = false ] ; then
                 rm -f "${R}/boot/vmlinuz-*"
                 rm -f "${R}/boot/initrd.img-*"
               fi
               # Clean APT list of repositories
               rm -fr "${R}/var/lib/apt/lists/*"
               chroot_exec apt-get -qq -y update
             fi

files/apt/sources.list +6 -6

@@ -1,8 +1,8
1	deb http://ftp.debian.org/debian ~~jessie~~ main contrib	1	deb http://ftp.debian.org/debian stretch main contrib
2	#deb-src http://ftp.debian.org/debian ~~jessie~~ main contrib	2	#deb-src http://ftp.debian.org/debian stretch main contrib
3		3
4	deb http://ftp.debian.org/debian/ ~~jessie~~-updates main contrib	4	deb http://ftp.debian.org/debian/ stretch-updates main contrib
5	#deb-src http://ftp.debian.org/debian/ ~~jessie~~-updates main contrib	5	#deb-src http://ftp.debian.org/debian/ stretch-updates main contrib
6		6
7	deb http://security.debian.org/ ~~jessie~~/updates main contrib	7	deb http://security.debian.org/ stretch/updates main contrib
8	#deb-src http://security.debian.org/ ~~jessie~~/updates main contrib	8	#deb-src http://security.debian.org/ stretch/updates main contrib

files/boot/uboot.mkimage +1 0

             # Set device tree fdtfile
             setenv dtbfile bcm2709-rpi-2-b.dtb
             # Tell Linux that it is booting on a Raspberry Pi2/3
             setenv machid 0x00000c42
             # Save these changes to u-boot's environment
             saveenv
             # Load the existing Linux kernel into RAM
+            mmc dev 0
             fatload mmc 0:1 ${kernel_addr_r} kernel7.img
             fatload mmc 0:1 ${fdt_addr_r} ${dtbfile}
             fatload mmc 0:1 ${ramdisk_addr_r} ${initramfs}
             # Boot the kernel we have just loaded

files/firstboot/20-expandroot.sh ~~files/firstboot/22-expandroot.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/22-expandroot.sh to files/firstboot/20-expandroot.sh

files/firstboot/21-regenerate-initramfs.sh ~~files/firstboot/23-regenerate-initramfs.sh~~ renamed +1 0

             logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
             KERNEL_VERSION=$(uname -r)
             KERNEL_ARCH=$(uname -m)
             INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
             INITRAMFS_UBOOT="${INITRAMFS}.uboot"
             # Extract kernel arch
             case "${KERNEL_ARCH}" in
               arm*) KERNEL_ARCH=arm ;;
+              aarch64) KERNEL_ARCH=arm64 ;;
             esac
             # Regenerate initramfs
             if [ -r "${INITRAMFS}" ] ; then
               rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
               rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
               rm -f /etc/initramfs-tools/hooks/expand-tools
               rm -f "${INITRAMFS}"
               mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
             fi
             # Convert generated initramfs for U-Boot using mkimage
             if [ -r "${INITRAMFS_UBOOT}" ] ; then
               rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
               rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
               rm -f /etc/initramfs-tools/hooks/expand-tools
               rm -f "${INITRAMFS_UBOOT}"
               mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
               mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
               rm -f "${INITRAMFS}"
             fi

files/firstboot/30-generate-ssh-keys.sh ~~files/firstboot/21-generate-ssh-keys.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/21-generate-ssh-keys.sh to files/firstboot/30-generate-ssh-keys.sh

files/firstboot/40-generate-machineid.sh ~~files/firstboot/24-generate-machineid.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/24-generate-machineid.sh to files/firstboot/40-generate-machineid.sh

files/firstboot/41-create-resolv-symlink.sh ~~files/firstboot/25-create-resolv-symlink.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/25-create-resolv-symlink.sh to files/firstboot/41-create-resolv-symlink.sh

files/firstboot/42-config-ifnames.sh ~~files/firstboot/26-config-ifnames.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/26-config-ifnames.sh to files/firstboot/42-config-ifnames.sh

files/initramfs/expand_encrypted_rootfs +15 -4

             #!/bin/sh
             # expand_encrypted_rootfs initramfs-tools boot script
             # dependencies: grep awk cut tail fdisk parted e2fsck resize2fs
             set -e
             # Wait for USB devices to be ready
             sleep 5
             # Use initramfs utility functions
             if [ -r "/scripts/functions" ] ; then
               . /scripts/functions
             fi
             # Check for cryptdevice variable
             if [ -z "$cryptdevice" ] ; then
               echo "unable to get cryptdevice variable (init-premount)"
               return 1
             fi
             # Detect root partition device
             ROOT_PART=$(echo $cryptdevice | awk -F"/|:" '{ print $3 }')
             if [ -z "$ROOT_PART" ] ; then
               log_warning_msg "unable to detect encrypted root partition device (cryptdevice)"
               return 1
             fi
             # Extract root device name
             case "${ROOT_PART}" in
               mmcblk0*) ROOT_DEV=mmcblk0 ;;
               sda*)     ROOT_DEV=sda ;;
             esac
             # Check detected root partition name
             PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
             if [ "$PART_NUM" = "$ROOT_PART" ] ; then
               log_warning_msg "$ROOT_PART is not an SD card. Don't know how to expand"
               return 1
             fi
             # NOTE: the NOOBS partition layout confuses parted. For now, let's only
             # agree to work with a sufficiently simple partition layout
             if [ "$PART_NUM" -gt 2 ] ; then
               log_warning_msg "Your partition layout is not currently supported by this tool."
               return 1
             fi
             # Check if last partition number
             LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
             if [ $LAST_PART_NUM -ne $PART_NUM ]; then
               log_warning_msg "$ROOT_PART is not the last partition. Don't know how to expand"
               return 1
             fi
             # Get the starting offset of the root partition
             PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
             if [ -z "$PART_START" ] ; then
               log_warning_msg "${ROOT_DEV} unable to get starting sector of the partition"
               return 1
             fi
+            # Get the current last sector of the root partition
+            PART_END=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 3 -d: | sed 's/[^0-9]//g')
+            if [ -z "$PART_END" ] ; then
+              log_warning_msg "${ROOT_DEV} unable to get last sector of the partition"
+              return 1
+            fi
             # Get the possible last sector for the root partition
             PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
             if [ -z "$PART_LAST" ] ; then
-              log_warning_msg "${ROOT_DEV} unable to get last sector of the partition"
+              log_warning_msg "${ROOT_DEV} unable to get last possible sector of the partition"
               return 1
             fi
             ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
-            fdisk /dev/${ROOT_DEV} 2> /dev/null <<EOF2 || true
+            if [ $PART_END != $PART_LAST ] ; then
+              fdisk /dev/${ROOT_DEV} 2> /dev/null <<EOF2 || true
             p
             d
             $PART_NUM
             n
             p
             $PART_NUM
             $PART_START
             $PART_LAST
             p
             w
             EOF2
-            partprobe
+              partprobe
-            log_success_msg "Root partition successfully resized."
+              log_success_msg "Root partition successfully resized."
+            else
+              log_success_msg "Root partition already resized."
+            fi

files/iptables/ip6tables.service +1 -1

             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
-            ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+            ExecStart=/sbin/ip6tables-restore -w 5 /etc/iptables/ip6tables.rules
             ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecStop=/etc/iptables/flush-ip6tables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target

files/iptables/iptables.service +1 -1

             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
-            ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+            ExecStart=/sbin/iptables-restore -w 5 /etc/iptables/iptables.rules
             ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecStop=/etc/iptables/flush-iptables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target

files/network/hostname +1 -1

	@@ -1,1 +1,1
	1	rpi2-jessie		1	RaspberryPI

files/network/hosts +1 -1

 .0.0.1       localhost
-.0.1.1       rpi2-jessie
+.0.1.1       RaspberryPI
             ::1             localhost ip6-localhost ip6-loopback
             ff02::1         ip6-allnodes
             ff02::2         ip6-allrouters

functions.sh +46 -5

             # This file contains utility functions used by rpi23-gen-image.sh
             cleanup (){
               set +x
               set +e
+              # Remove exports from nexmon
+              unset KERNEL
+              unset ARCH
+              unset SUBARCH
+              unset CCPLUGIN
+              unset ZLIBFLATE
+              unset Q
+              unset NEXMON_SETUP_ENV
+              unset HOSTUNAME
+              unset PLATFORMUNAME
               # Identify and kill all processes still using files
               echo "killing processes using mount point ..."
               fuser -k "${R}"
               sleep 3
               fuser -9 -k -v "${R}"
               # Clean up temporary .password file
               if [ -r ".password" ] ; then
                 shred -zu .password
               fi
               # Clean up all temporary mount points
               echo "removing temporary mount points ..."
               umount -l "${R}/proc" 2> /dev/null
               umount -l "${R}/sys" 2> /dev/null
               umount -l "${R}/dev/pts" 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
               cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
               losetup -d "$ROOT_LOOP" 2> /dev/null
               losetup -d "$FRMW_LOOP" 2> /dev/null
               trap - 0 1 2 3 6
             }
             chroot_exec() {
               # Exec command in chroot
-              LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot ${R} $*
+              LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot "${R}" "$@"
             }
             as_nobody() {
               # Exec command as user nobody
-              sudo -E -u nobody LANG=C LC_ALL=C $*
+              sudo -E -u nobody LANG=C LC_ALL=C "$@"
             }
             install_readonly() {
               # Install file with user read-only permissions
-              install -o root -g root -m 644 $*
+              install -o root -g root -m 644 "$@"
             }
             install_exec() {
               # Install file with root exec permissions
-              install -o root -g root -m 744 $*
+              install -o root -g root -m 744 "$@"
             }
             use_template () {
               # Test if configuration template file exists
               if [ ! -r "./templates/${CONFIG_TEMPLATE}" ] ; then
                 echo "error: configuration template ${CONFIG_TEMPLATE} not found"
                 exit 1
               fi
               # Load template configuration parameters
               . "./templates/${CONFIG_TEMPLATE}"
             }
             chroot_install_cc() {
               # Install c/c++ build environment inside the chroot
               if [ -z "${COMPILER_PACKAGES}" ] ; then
                 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
                 if [ "$RELEASE" = "jessie" ] || [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
                   chroot_exec apt-get -q -y --no-install-recommends install ${COMPILER_PACKAGES}
                 elif [ "$RELEASE" = "stretch" ] || [ "$RELEASE" = "buster" ] ; then
                   chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
                 fi
               fi
             }
             chroot_remove_cc() {
               # Remove c/c++ build environment from the chroot
-              if [ ! -z "${COMPILER_PACKAGES}" ] ; then
+              if [ -n "${COMPILER_PACKAGES}" ] ; then
                 chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
                 COMPILER_PACKAGES=""
               fi
             }
+            # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
+            cdr2mask ()
+            {
+               # Number of args to shift, 255..255, first non-255 byte, zeroes
+               set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
+               [ $1 -gt 1 ] && shift $1 || shift
+               echo ${1-0}.${2-0}.${3-0}.${4-0}
+            }
+            # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
+            set_kernel_config() {
+              # flag as $1, value to set as $2, config must exist at "./.config"
+              TGT="CONFIG_${1#CONFIG_}"
+              REP="${2}"
+              if grep -q "^${TGT}[^_]" .config; then
+                sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config
+              else
+                echo "${TGT}"="${2}" >> .config
+              fi
+            }
+            # unset kernel config parameter
+            unset_kernel_config() {
+              # unsets flag with the value of $1, config must exist at "./.config"
+              TGT="CONFIG_${1#CONFIG_}"
+              sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
+            }
  No newline at end of file

rpi23-gen-image.sh +342 -116

             #!/bin/sh
             ########################################################################
             # rpi23-gen-image.sh					       2015-2017
             #
-            # Advanced Debian "jessie", "stretch" and "buster" bootstrap script for RPi2/3
+            # Advanced Debian "stretch" and "buster" bootstrap script for Raspberry Pi
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # Copyright (C) 2015 Jan Wagner <mail@jwagner.eu>
             #
             # Big thanks for patches and enhancements by 20+ github contributors!
             ########################################################################
             # Are we running as root?
             if [ "$(id -u)" -ne "0" ] ; then
               echo "error: this script must be executed with root privileges!"
               exit 1
             fi
             # Check if ./functions.sh script exists
             if [ ! -r "./functions.sh" ] ; then
               echo "error: './functions.sh' required script not found!"
               exit 1
             fi
             # Load utility functions
             . ./functions.sh
             # Load parameters from configuration template file
-            if [ ! -z "$CONFIG_TEMPLATE" ] ; then
+            if [ -n "$CONFIG_TEMPLATE" ] ; then
               use_template
             fi
             # Introduce settings
             set -e
-            echo -n -e "\n#\n# RPi2/3 Bootstrap Settings\n#\n"
+            echo -n -e "\n#\n# RPi 0/1/2/3 Bootstrap Settings\n#\n"
             set -x
             # Raspberry Pi model configuration
             RPI_MODEL=${RPI_MODEL:=2}
-            RPI2_DTB_FILE=${RPI2_DTB_FILE:=bcm2709-rpi-2-b.dtb}
-            RPI2_UBOOT_CONFIG=${RPI2_UBOOT_CONFIG:=rpi_2_defconfig}
-            RPI3_DTB_FILE=${RPI3_DTB_FILE:=bcm2710-rpi-3-b.dtb}
-            RPI3_UBOOT_CONFIG=${RPI3_UBOOT_CONFIG:=rpi_3_32b_defconfig}
             # Debian release
-            RELEASE=${RELEASE:=jessie}
+            RELEASE=${RELEASE:=buster}
-            KERNEL_ARCH=${KERNEL_ARCH:=arm}
-            RELEASE_ARCH=${RELEASE_ARCH:=armhf}
+            # Kernel Branch
-            CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
-            COLLABORA_KERNEL=${COLLABORA_KERNEL:=3.18.0-trunk-rpi2}
-            if [ "$KERNEL_ARCH" = "arm64" ] ; then
-              KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
-              KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
-            else
-              KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
-              KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
-            fi
-            if [ "$RELEASE_ARCH" = "arm64" ] ; then
-              QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
-            else
-              QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
-            fi
             KERNEL_BRANCH=${KERNEL_BRANCH:=""}
             # URLs
             KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
             FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
             WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm}
             COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
             FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
-            UBOOT_URL=${UBOOT_URL:=git://git.denx.de/u-boot.git}
+            UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
+            VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
+            BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
+            NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
+            SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
+            # Kernel deb packages for 32bit kernel
+            RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
+            RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
+            # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
+            RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
+            # Default precompiled 64bit kernel
+            RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
+            # Generic
+            RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
+            # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
+            KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
             # Build directories
-            BASEDIR=${BASEDIR:=$(pwd)/images/${RELEASE}}
+            WORKDIR=$(pwd)
+            BASEDIR=${BASEDIR:=${WORKDIR}/images/${RELEASE}}
             BUILDDIR="${BASEDIR}/build"
-            # Prepare date string for default image file name
-            DATE="$(date +%Y-%m-%d)"
-            if [ -z "$KERNEL_BRANCH" ] ; then
-              IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
-            else
-              IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
-            fi
             # Chroot directories
             R="${BUILDDIR}/chroot"
             ETC_DIR="${R}/etc"
             LIB_DIR="${R}/lib"
             BOOT_DIR="${R}/boot/firmware"
             KERNEL_DIR="${R}/usr/src/linux"
-            WLAN_FIRMWARE_DIR="${R}/lib/firmware/brcm"
+            WLAN_FIRMWARE_DIR="${LIB_DIR}/firmware/brcm"
+            BLUETOOTH_FIRMWARE_DIR="${ETC_DIR}/firmware/bt"
             # Firmware directory: Blank if download from github
             RPI_FIRMWARE_DIR=${RPI_FIRMWARE_DIR:=""}
             # General settings
+            SET_ARCH=${SET_ARCH:=32}
             HOSTNAME=${HOSTNAME:=rpi${RPI_MODEL}-${RELEASE}}
             PASSWORD=${PASSWORD:=raspberry}
             USER_PASSWORD=${USER_PASSWORD:=raspberry}
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             EXPANDROOT=${EXPANDROOT:=true}
+            ENABLE_DPHYSSWAP=${ENABLE_DPHYSSWAP:=true}
             # Keyboard settings
             XKB_MODEL=${XKB_MODEL:=""}
             XKB_LAYOUT=${XKB_LAYOUT:=""}
             XKB_VARIANT=${XKB_VARIANT:=""}
             XKB_OPTIONS=${XKB_OPTIONS:=""}
             # Network settings (DHCP)
             ENABLE_DHCP=${ENABLE_DHCP:=true}
             # Network settings (static)
             NET_ADDRESS=${NET_ADDRESS:=""}
             NET_GATEWAY=${NET_GATEWAY:=""}
             NET_DNS_1=${NET_DNS_1:=""}
             NET_DNS_2=${NET_DNS_2:=""}
             NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
             NET_NTP_1=${NET_NTP_1:=""}
             NET_NTP_2=${NET_NTP_2:=""}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
+            KEEP_APT_PROXY=${KEEP_APT_PROXY:=false}
             # Feature settings
+            ENABLE_PRINTK=${ENABLE_PRINTK:=false}
+            ENABLE_BLUETOOTH=${ENABLE_BLUETOOTH:=false}
+            ENABLE_MINIUART_OVERLAY=${ENABLE_MINIUART_OVERLAY:=false}
             ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
             ENABLE_I2C=${ENABLE_I2C:=false}
             ENABLE_SPI=${ENABLE_SPI:=false}
             ENABLE_IPV6=${ENABLE_IPV6:=true}
             ENABLE_SSHD=${ENABLE_SSHD:=true}
             ENABLE_NONFREE=${ENABLE_NONFREE:=false}
             ENABLE_WIRELESS=${ENABLE_WIRELESS:=false}
             ENABLE_SOUND=${ENABLE_SOUND:=true}
             ENABLE_DBUS=${ENABLE_DBUS:=true}
             ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
             ENABLE_MINGPU=${ENABLE_MINGPU:=false}
             ENABLE_XORG=${ENABLE_XORG:=false}
             ENABLE_WM=${ENABLE_WM:=""}
             ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
             ENABLE_USER=${ENABLE_USER:=true}
             USER_NAME=${USER_NAME:="pi"}
             ENABLE_ROOT=${ENABLE_ROOT:=false}
+            ENABLE_QEMU=${ENABLE_QEMU:=false}
+            ENABLE_SYSVINIT=${ENABLE_SYSVINIT:=false}
             # SSH settings
             SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
             SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
             SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
             SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
             SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
             # Advanced settings
+            ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
             ENABLE_MINBASE=${ENABLE_MINBASE:=false}
             ENABLE_REDUCE=${ENABLE_REDUCE:=false}
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
+            ENABLE_USBBOOT=${ENABLE_USBBOOT=false}
             ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
+            ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
+            ENABLE_NEXMON=${ENABLE_NEXMON:=false}
+            VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
             FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
+            NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
             ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
             ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
+            ENABLE_SPLASH=${ENABLE_SPLASH:=true}
+            ENABLE_LOGO=${ENABLE_LOGO:=true}
+            ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}
             DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
             # Kernel compilation settings
-            BUILD_KERNEL=${BUILD_KERNEL:=false}
+            BUILD_KERNEL=${BUILD_KERNEL:=true}
             KERNEL_REDUCE=${KERNEL_REDUCE:=false}
             KERNEL_THREADS=${KERNEL_THREADS:=1}
             KERNEL_HEADERS=${KERNEL_HEADERS:=true}
             KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
             KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
-            if [ "$KERNEL_ARCH" = "arm64" ] ; then
+            KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
-              KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
+            KERNEL_CCACHE=${KERNEL_CCACHE:=false}
-            else
+            KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
-              KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
+            KERNEL_VIRT=${KERNEL_VIRT:=false}
-            fi
+            KERNEL_BPF=${KERNEL_BPF:=false}
+            KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=ondemand}
+            KERNEL_SECURITY=${KERNEL_SECURITY:=false}
+            KERNEL_NF=${KERNEL_NF:=false}
             # Kernel compilation from source directory settings
             KERNELSRC_DIR=${KERNELSRC_DIR:=""}
             KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
             KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
             KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
             # Reduce disk usage settings
             REDUCE_APT=${REDUCE_APT:=true}
             REDUCE_DOC=${REDUCE_DOC:=true}
             REDUCE_MAN=${REDUCE_MAN:=true}
             REDUCE_VIM=${REDUCE_VIM:=false}
             REDUCE_BASH=${REDUCE_BASH:=false}
             REDUCE_HWDB=${REDUCE_HWDB:=true}
             REDUCE_SSHD=${REDUCE_SSHD:=true}
             REDUCE_LOCALE=${REDUCE_LOCALE:=true}
             # Encrypted filesystem settings
             ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
             CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
             CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
             CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
             CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
+            #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
-            # Stop the Crypto Wars
+            CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
-            DISABLE_FBI=${DISABLE_FBI:=false}
+            #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
+            CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
             # Chroot scripts directory
             CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
             # Packages required in the chroot build environment
             APT_INCLUDES=${APT_INCLUDES:=""}
-            APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils"
+            APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
+            # Packages to exclude from chroot build environment
+            APT_EXCLUDES=${APT_EXCLUDES:=""}
             # Packages required for bootstrapping
             REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo"
             MISSING_PACKAGES=""
             # Packages installed for c/c++ build environment in chroot (keep empty)
             COMPILER_PACKAGES=""
-            set +x
+            # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
+            APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
+            if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
+              APT_PROXY=http://127.0.0.1:3142/
+            fi
+            # Setup architecture specific settings
+            if [ -n "$SET_ARCH" ] ; then
+              # 64-bit configuration
+              if [ "$SET_ARCH" = 64 ] ; then
+                # General 64-bit depended settings
+                QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
+                KERNEL_ARCH=${KERNEL_ARCH:=arm64}
+                KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
+                # Raspberry Pi model specific settings
+                if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
+                  if [ "$RPI_MODEL" != 4 ] ; then
+                    KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
+                  else
+                    KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2711_defconfig}
+                  fi
+                  REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
+                  RELEASE_ARCH=${RELEASE_ARCH:=arm64}
+                  KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
+                  CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-}
+                else
+                  echo "error: Only Raspberry PI 3, 3B+ and 4 support 64-bit"
+                  exit 1
+                fi
+              fi
-            # Set Raspberry Pi model specific configuration
+              # 32-bit configuration
-            if [ "$RPI_MODEL" = 2 ] ; then
+              if [ "$SET_ARCH" = 32 ] ; then
-              DTB_FILE=${RPI2_DTB_FILE}
+                # General 32-bit dependend settings
-              UBOOT_CONFIG=${RPI2_UBOOT_CONFIG}
+                QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
-            elif [ "$RPI_MODEL" = 3 ] ; then
+                KERNEL_ARCH=${KERNEL_ARCH:=arm}
-              DTB_FILE=${RPI3_DTB_FILE}
+                KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
-              UBOOT_CONFIG=${RPI3_UBOOT_CONFIG}
-              BUILD_KERNEL=true
+                # Raspberry Pi model specific settings
+                if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then
+                  REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel"
+                  KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig}
+                  RELEASE_ARCH=${RELEASE_ARCH:=armel}
+                  KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img}
+                  CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-}
+                fi
+                # Raspberry Pi model specific settings
+                if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
+                  if [ "$RPI_MODEL" != 4 ] ; then
+                    KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
+                  else
+                    KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2711_defconfig}
+                  fi
+                  REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
+                  RELEASE_ARCH=${RELEASE_ARCH:=armhf}
+                  KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
+                  CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
+                fi
+              fi
+            # SET_ARCH not set
             else
-              echo "error: Raspberry Pi model ${RPI_MODEL} is not supported!"
+              echo "error: Please set '32' or '64' as value for SET_ARCH"
               exit 1
             fi
+            # Device specific configuration and U-Boot configuration
+            case "$RPI_MODEL" in
+)
+                DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
+                ;;
+)
+                DTB_FILE=${DTB_FILE:=bcm2708-rpi-b.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
+                ;;
+P)
+                DTB_FILE=${DTB_FILE:=bcm2708-rpi-b-plus.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
+                ;;
+)
+                DTB_FILE=${DTB_FILE:=bcm2709-rpi-2-b.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_2_defconfig}
+                ;;
+)
+                DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
+                ;;
+P)
+                DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
+                ;;
+)
+                DTB_FILE=${DTB_FILE:=bcm2711-rpi-4-b.dtb}
+                UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_4_defconfig}
+                ;;
+              *)
+                echo "error: Raspberry Pi model $RPI_MODEL is not supported!"
+                exit 1
+                ;;
+            esac
+            # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
+            if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
+              # Include bluetooth packages on supported boards
+              if [ "$ENABLE_BLUETOOTH" = true ] ; then
+                APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
+              fi
+              if [ "$ENABLE_WIRELESS" = true ] ; then
+                APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
+              fi
+            else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
+              # Check if the internal wireless interface is not supported by the RPi model
+              if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
+                echo "error: The selected Raspberry Pi model has no integrated interface for wireless or bluetooth"
+                exit 1
+              fi
+            fi
-            # Check if the internal wireless interface is supported by the RPi model
+            if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
-            if [ "$ENABLE_WIRELESS" = true ] && [ "$RPI_MODEL" != 3 ] ; then
+              echo "error: You have to compile kernel sources, if you want to enable nexmon"
-              echo "error: The selected Raspberry Pi model has no internal wireless interface"
               exit 1
             fi
+            # Prepare date string for default image file name
+            DATE="$(date +%Y-%m-%d)"
+            if [ -z "$KERNEL_BRANCH" ] ; then
+              IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
+            else
+              IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
+            fi
             # Check if DISABLE_UNDERVOLT_WARNINGS parameter value is supported
-            if [ ! -z "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
+            if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
               if [ "$DISABLE_UNDERVOLT_WARNINGS" != 1 ] && [ "$DISABLE_UNDERVOLT_WARNINGS" != 2 ] ; then
                 echo "error: DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS} is not supported"
                 exit 1
               fi
             fi
-            # Build RPi2/3 Linux kernel if required by Debian release
+            # Add cmake to compile videocore sources
-            if [ "$RELEASE" = "stretch" ]  || [ "$RELEASE" = "buster" ] ; then
+            if [ "$ENABLE_VIDEOCORE" = true ] ; then
-              BUILD_KERNEL=true
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
             fi
-            # Add packages required for kernel cross compilation
+            # Add deps for nexmon
-            if [ "$BUILD_KERNEL" = true ] ; then
+            if [ "$ENABLE_NEXMON" = true ] ; then
-              if [ "$KERNEL_ARCH" = "arm" ] ; then
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
-                REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
-              else
-                REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
-              fi
             fi
             # Add libncurses5 to enable kernel menuconfig
             if [ "$KERNEL_MENUCONFIG" = true ] ; then
-              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev"
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
             fi
-            # Stop the Crypto Wars
+            # Add ccache compiler cache for (faster) kernel cross (re)compilation
-            if [ "$DISABLE_FBI" = true ] ; then
+            if [ "$KERNEL_CCACHE" = true ] ; then
-              ENABLE_CRYPTFS=true
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} ccache"
             fi
             # Add cryptsetup package to enable filesystem encryption
             if [ "$ENABLE_CRYPTFS" = true ]  && [ "$BUILD_KERNEL" = true ] ; then
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
-              APT_INCLUDES="${APT_INCLUDES},cryptsetup"
+              APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
+              # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
+              if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
+                APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
+              fi
               if [ -z "$CRYPTFS_PASSWORD" ] ; then
                 echo "error: no password defined (CRYPTFS_PASSWORD)!"
                 exit 1
               fi
               ENABLE_INITRAMFS=true
             fi
             # Add initramfs generation tools
             if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
             fi
             # Add device-tree-compiler required for building the U-Boot bootloader
             if [ "$ENABLE_UBOOT" = true ] ; then
-              APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
+              APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
+            fi
+            if [ "$ENABLE_USBBOOT" = true ] ; then
+              if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then
+                echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P"
+                exit 1
+              fi
             fi
             # Check if root SSH (v2) public key file exists
-            if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+            if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
               if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
                 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
                 exit 1
               fi
             fi
             # Check if $USER_NAME SSH (v2) public key file exists
-            if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+            if [ -n "$SSH_USER_PUB_KEY" ] ; then
               if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
                 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
                 exit 1
               fi
             fi
+            if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
+              echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
+              exit 1
+            fi
             # Check if all required packages are installed on the build system
             for package in $REQUIRED_PACKAGES ; do
-              if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
+              if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
                 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
               fi
             done
             # If there are missing packages ask confirmation for install, or exit
             if [ -n "$MISSING_PACKAGES" ] ; then
               echo "the following packages needed by this script are not installed:"
               echo "$MISSING_PACKAGES"
-              echo -n "\ndo you want to install the missing packages right now? [y/n] "
+              printf "\ndo you want to install the missing packages right now? [y/n] "
-              read confirm
+              read -r confirm
               [ "$confirm" != "y" ] && exit 1
               # Make sure all missing required packages are installed
-              apt-get -qq -y install ${MISSING_PACKAGES}
+              apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
             fi
             # Check if ./bootstrap.d directory exists
             if [ ! -d "./bootstrap.d/" ] ; then
               echo "error: './bootstrap.d' required directory not found!"
               exit 1
             fi
             # Check if ./files directory exists
             if [ ! -d "./files/" ] ; then
               echo "error: './files' required directory not found!"
               exit 1
             fi
             # Check if specified KERNELSRC_DIR directory exists
             if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
               echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
               exit 1
             fi
             # Check if specified UBOOTSRC_DIR directory exists
             if [ -n "$UBOOTSRC_DIR" ] && [ ! -d "$UBOOTSRC_DIR" ] ; then
               echo "error: '${UBOOTSRC_DIR}' specified directory not found (UBOOTSRC_DIR)!"
               exit 1
             fi
+            # Check if specified VIDEOCORESRC_DIR directory exists
+            if [ -n "$VIDEOCORESRC_DIR" ] && [ ! -d "$VIDEOCORESRC_DIR" ] ; then
+              echo "error: '${VIDEOCORESRC_DIR}' specified directory not found (VIDEOCORESRC_DIR)!"
+              exit 1
+            fi
             # Check if specified FBTURBOSRC_DIR directory exists
             if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
               echo "error: '${FBTURBOSRC_DIR}' specified directory not found (FBTURBOSRC_DIR)!"
               exit 1
             fi
+            # Check if specified NEXMONSRC_DIR directory exists
+            if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
+              echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
+              exit 1
+            fi
             # Check if specified CHROOT_SCRIPTS directory exists
             if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
                echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
                exit 1
             fi
             # Check if specified device mapping already exists (will be used by cryptsetup)
             if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
               echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
               exit 1
             fi
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ] ; then
               echo "error: directory ${BUILDDIR} already exists, not proceeding"
               exit 1
             fi
             # Setup chroot directory
             mkdir -p "${R}"
             # Check if build directory has enough of free disk space >512MB
-            if [ "$(df --output=avail ${BUILDDIR} | sed "1d")" -le "524288" ] ; then
+            if [ "$(df --output=avail "${BUILDDIR}" | sed "1d")" -le "524288" ] ; then
               echo "error: ${BUILDDIR} not enough space left to generate the output image!"
               exit 1
             fi
             set -x
             # Call "cleanup" function on various signals and errors
             trap cleanup 0 1 2 3 6
             # Add required packages for the minbase installation
             if [ "$ENABLE_MINBASE" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
             fi
-            # Add required locales packages
-            if [ "$DEFLOCAL" != "en_US.UTF-8" ] ; then
-              APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
-            fi
             # Add parted package, required to get partprobe utility
             if [ "$EXPANDROOT" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},parted"
             fi
+            # Add dphys-swapfile package, required to enable swap
+            if [ "$ENABLE_DPHYSSWAP" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},dphys-swapfile"
+            fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             fi
             # Add iptables IPv4/IPv6 package
             if [ "$ENABLE_IPTABLES" = true ] ; then
-              APT_INCLUDES="${APT_INCLUDES},iptables"
+              APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
+            fi
+            # Add apparmor for KERNEL_SECURITY
+            if [ "$KERNEL_SECURITY" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
             fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},openssh-server"
             fi
             # Add alsa-utils package
             if [ "$ENABLE_SOUND" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},alsa-utils"
             fi
             # Add rng-tools package
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},rng-tools"
             fi
             # Add fbturbo video driver
             if [ "$ENABLE_FBTURBO" = true ] ; then
               # Enable xorg package dependencies
               ENABLE_XORG=true
             fi
             # Add user defined window manager package
             if [ -n "$ENABLE_WM" ] ; then
               APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
               # Enable xorg package dependencies
               ENABLE_XORG=true
             fi
             # Add xorg package
             if [ "$ENABLE_XORG" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},xorg,dbus-x11"
             fi
             # Replace selected packages with smaller clones
             if [ "$ENABLE_REDUCE" = true ] ; then
               # Add levee package instead of vim-tiny
               if [ "$REDUCE_VIM" = true ] ; then
                 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
               fi
               # Add dropbear package instead of openssh-server
               if [ "$REDUCE_SSHD" = true ] ; then
-                APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/openssh-server/dropbear/")"
+                APT_INCLUDES="$(echo "${APT_INCLUDES}" | sed "s/openssh-server/dropbear/")"
               fi
             fi
-            if [ "$RELEASE" != "jessie" ] ; then
+            # Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available
-              APT_INCLUDES="${APT_INCLUDES},libnss-systemd"
+            if [ "$ENABLE_SYSVINIT" = false ] ; then
+              APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
             fi
             # Configure kernel sources if no KERNELSRC_DIR
             if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
               KERNELSRC_CONFIG=true
             fi
             # Configure reduced kernel
             if [ "$KERNEL_REDUCE" = true ] ; then
               KERNELSRC_CONFIG=false
             fi
+            # Configure qemu compatible kernel
+            if [ "$ENABLE_QEMU" = true ] ; then
+              DTB_FILE=vexpress-v2p-ca15_a7.dtb
+              UBOOT_CONFIG=vexpress_ca15_tc2_defconfig
+              KERNEL_DEFCONFIG="vexpress_defconfig"
+              if [ "$KERNEL_MENUCONFIG" = false ] ; then
+                KERNEL_OLDDEFCONFIG=true
+              fi
+            fi
             # Execute bootstrap scripts
             for SCRIPT in bootstrap.d/*.sh; do
               head -n 3 "$SCRIPT"
               . "$SCRIPT"
             done
             ## Execute custom bootstrap scripts
             if [ -d "custom.d" ] ; then
               for SCRIPT in custom.d/*.sh; do
                 . "$SCRIPT"
               done
             fi
             # Execute custom scripts inside the chroot
             if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
               cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
               chroot_exec /bin/bash -x <<'EOF'
             for SCRIPT in /chroot_scripts/* ; do
               if [ -f $SCRIPT -a -x $SCRIPT ] ; then
                 $SCRIPT
               fi
             done
             EOF
               rm -rf "${R}/chroot_scripts"
             fi
             # Remove c/c++ build environment from the chroot
             chroot_remove_cc
-            # Remove apt-utils
-            if [ "$RELEASE" = "jessie" ] ; then
-              chroot_exec apt-get purge -qq -y --force-yes apt-utils
-            fi
             # Generate required machine-id
             MACHINE_ID=$(dbus-uuidgen)
             echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id"
             echo -n "${MACHINE_ID}" > "${ETC_DIR}/machine-id"
             # APT Cleanup
             chroot_exec apt-get -y clean
             chroot_exec apt-get -y autoclean
             chroot_exec apt-get -y autoremove
             # Unmount mounted filesystems
             umount -l "${R}/proc"
             umount -l "${R}/sys"
             # Clean up directories
             rm -rf "${R}/run/*"
             rm -rf "${R}/tmp/*"
+            # Clean up APT proxy settings
+            if [ "$KEEP_APT_PROXY" = false ] ; then
+              rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
+            fi
             # Clean up files
             rm -f "${ETC_DIR}/ssh/ssh_host_*"
             rm -f "${ETC_DIR}/dropbear/dropbear_*"
             rm -f "${ETC_DIR}/apt/sources.list.save"
             rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
             rm -f "${ETC_DIR}/*-"
-            rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
             rm -f "${ETC_DIR}/resolv.conf"
             rm -f "${R}/root/.bash_history"
             rm -f "${R}/var/lib/urandom/random-seed"
             rm -f "${R}/initrd.img"
             rm -f "${R}/vmlinuz"
             rm -f "${R}${QEMU_BINARY}"
+            if [ "$ENABLE_QEMU" = true ] ; then
+              # Setup QEMU directory
+              mkdir "${BASEDIR}/qemu"
+              # Copy kernel image to QEMU directory
+              install_readonly "${BOOT_DIR}/${KERNEL_IMAGE}" "${BASEDIR}/qemu/${KERNEL_IMAGE}"
+              # Copy kernel config to QEMU directory
+              install_readonly "${R}/boot/config-${KERNEL_VERSION}" "${BASEDIR}/qemu/config-${KERNEL_VERSION}"
+              # Copy kernel dtbs to QEMU directory
+              for dtb in "${BOOT_DIR}/"*.dtb ; do
+                if [ -f "${dtb}" ] ; then
+                  install_readonly "${dtb}" "${BASEDIR}/qemu/"
+                fi
+              done
+              # Copy kernel overlays to QEMU directory
+              if [ -d "${BOOT_DIR}/overlays" ] ; then
+                # Setup overlays dtbs directory
+                mkdir "${BASEDIR}/qemu/overlays"
+                for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do
+                  if [ -f "${dtb}" ] ; then
+                    install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
+                  fi
+                done
+              fi
+              # Copy u-boot files to QEMU directory
+              if [ "$ENABLE_UBOOT" = true ] ; then
+                if [ -f "${BOOT_DIR}/u-boot.bin" ] ; then
+                  install_readonly "${BOOT_DIR}/u-boot.bin" "${BASEDIR}/qemu/u-boot.bin"
+                fi
+                if [ -f "${BOOT_DIR}/uboot.mkimage" ] ; then
+                  install_readonly "${BOOT_DIR}/uboot.mkimage" "${BASEDIR}/qemu/uboot.mkimage"
+                fi
+                if [ -f "${BOOT_DIR}/boot.scr" ] ; then
+                  install_readonly "${BOOT_DIR}/boot.scr" "${BASEDIR}/qemu/boot.scr"
+                fi
+              fi
+              # Copy initramfs to QEMU directory
+              if [ -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" ] ; then
+                install_readonly "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" "${BASEDIR}/qemu/initramfs-${KERNEL_VERSION}"
+              fi
+            fi
             # Calculate size of the chroot directory in KB
-            CHROOT_SIZE=$(expr `du -s "${R}" | awk '{ print $1 }'`)
+            CHROOT_SIZE=$(expr "$(du -s "${R}" | awk '{ print $1 }')")
             # Calculate the amount of needed 512 Byte sectors
             TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
             FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
-            ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})
+            ROOT_OFFSET=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}")
             # The root partition is EXT4
             # This means more space than the actual used space of the chroot is used.
             # As overhead for journaling and reserved blocks 35% are added.
-            ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 35) \* 1024 \/ 512)
+            ROOT_SECTORS=$(expr "$(expr "${CHROOT_SIZE}" + "${CHROOT_SIZE}" \/ 100 \* 35)" \* 1024 \/ 512)
             # Calculate required image size in 512 Byte sectors
-            IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS})
+            IMAGE_SECTORS=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}")
             # Prepare image file
             if [ "$ENABLE_SPLITFS" = true ] ; then
-              dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count="${TABLE_SECTORS}"
-              dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=0 seek="${FRMW_SECTORS}"
-              dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count="${TABLE_SECTORS}"
-              dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=0 seek="${ROOT_SECTORS}"
               # Write firmware/boot partition tables
               sfdisk -q -L -uS -f "$IMAGE_NAME-frmw.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${FRMW_SECTORS},c,*
             EOM
               # Write root partition table
               sfdisk -q -L -uS -f "$IMAGE_NAME-root.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${ROOT_SECTORS},83
             EOM
               # Setup temporary loop devices
-              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $IMAGE_NAME-frmw.img)"
+              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME"-frmw.img)"
-              ROOT_LOOP="$(losetup -o 1M -f --show $IMAGE_NAME-root.img)"
+              ROOT_LOOP="$(losetup -o 1M -f --show "$IMAGE_NAME"-root.img)"
             else # ENABLE_SPLITFS=false
-              dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count="${TABLE_SECTORS}"
-              dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+              dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=0 seek="${IMAGE_SECTORS}"
               # Write partition table
               sfdisk -q -L -uS -f "$IMAGE_NAME.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${FRMW_SECTORS},c,*
             ${ROOT_OFFSET},${ROOT_SECTORS},83
             EOM
               # Setup temporary loop devices
-              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $IMAGE_NAME.img)"
+              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME".img)"
-              ROOT_LOOP="$(losetup -o 65M -f --show $IMAGE_NAME.img)"
+              ROOT_LOOP="$(losetup -o 65M -f --show "$IMAGE_NAME".img)"
             fi
             if [ "$ENABLE_CRYPTFS" = true ] ; then
               # Create dummy ext4 fs
               mkfs.ext4 "$ROOT_LOOP"
               # Setup password keyfile
               touch .password
               chmod 600 .password
               echo -n ${CRYPTFS_PASSWORD} > .password
               # Initialize encrypted partition
               echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
               # Open encrypted partition and setup mapping
               cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
               # Secure delete password keyfile
               shred -zu .password
               # Update temporary loop device
               ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
               # Wipe encrypted partition (encryption cipher is used for randomness)
-              dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}")
+              dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count="$(blockdev --getsz "${ROOT_LOOP}")"
             fi
             # Build filesystems
             mkfs.vfat "$FRMW_LOOP"
             mkfs.ext4 "$ROOT_LOOP"
             # Mount the temporary loop devices
             mkdir -p "$BUILDDIR/mount"
             mount "$ROOT_LOOP" "$BUILDDIR/mount"
             mkdir -p "$BUILDDIR/mount/boot/firmware"
             mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
             # Copy all files from the chroot to the loop device mount point directory
             rsync -a "${R}/" "$BUILDDIR/mount/"
             # Unmount all temporary loop devices and mount points
             cleanup
             # Create block map file(s) of image(s)
             if [ "$ENABLE_SPLITFS" = true ] ; then
               # Create block map files for "bmaptool"
               bmaptool create -o "$IMAGE_NAME-frmw.bmap" "$IMAGE_NAME-frmw.img"
               bmaptool create -o "$IMAGE_NAME-root.bmap" "$IMAGE_NAME-root.img"
               # Image was successfully created
-              echo "$IMAGE_NAME-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$IMAGE_NAME-frmw.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
-              echo "$IMAGE_NAME-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$IMAGE_NAME-root.img ($(expr \( "${TABLE_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
             else
               # Create block map file for "bmaptool"
               bmaptool create -o "$IMAGE_NAME.bmap" "$IMAGE_NAME.img"
               # Image was successfully created
-              echo "$IMAGE_NAME.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$IMAGE_NAME.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              # Create qemu qcow2 image
+              if [ "$ENABLE_QEMU" = true ] ; then
+                QEMU_IMAGE=${QEMU_IMAGE:=${BASEDIR}/qemu/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
+                QEMU_SIZE=16G
+                qemu-img convert -f raw -O qcow2 "$IMAGE_NAME".img "$QEMU_IMAGE".qcow2
+                qemu-img resize "$QEMU_IMAGE".qcow2 $QEMU_SIZE
+                echo "$QEMU_IMAGE.qcow2 ($QEMU_SIZE)" ": successfully created"
+              fi
             fi

templates/raspife2-stretch +102 -1

              Configuration file raspife2 Stretch IFÉ 2017/02/24
              #
              APT_SERVER=ftp.fr.debian.org
              APT_INCLUDES="gnupg,gnupg2,firmware-realtek,firmware-linux-nonfree,firmware-linux,tightvncserver,build-essentia$
              bison,libboost-all-dev,automake,autoconf,autogen,libtool,pkg-config,checkinstall,python3,python3-dev,menulibre,$
              libnotify-bin,python,python-configobj,python-cheetah,python-imaging,python-serial,python-usb,python-dev,\
              pcre2-utils,libpcre++-dev,libpcre2-dev,libjpeg-dev,jed,i2c-tools,python-smbus,policykit-1,usbutils,\
              pmount,python-pip,python3-pip,geany,geany-plugin-py,geany-plugin-markdown,firefox-esr,firefox-esr-l10n-fr,\
              icedtea-8-plugin,openjdk-8-jdk,openjdk-8-jre,openjdk-8-jre-headless,libqtwebkit-dev,libqt5webkit5-dev,\
              libudev-dev,libzzip-dev,zlib1g-dev,libcanberra-gtk-module,libnss-myhostname,libfreetype6-dev,libpng16-16,\
              lxsession,openbox-lxde-session,lxde"
              #----------------------
              RPI_MODEL=2
              RELEASE="stretch"
              HOSTNAME="raspife2"
              PASSWORD="***********"
              USER_PASSWORD="**************"
              DEFLOCAL="fr_FR.UTF-8"
              TIMEZONE="Europe/Paris"
              EXPANDROOT=false
              #-----------------------
              XKB_MODEL="pc105"
              XKB_LAYOUT="fr"
              XKB_VARIANT="latin9"
              XKB_OPTIONS=""
              #------------------------
              ENABLE_DHCP=true
              #------------------------
              ENABLE_CONSOLE=true
              ENABLE_I2C=true
              ENABLE_SPI=true
              ENABLE_IPV6=true
              ENABLE_SSHD=true
              ENABLE_NONFREE=true
              ENABLE_WIRELESS=false
              ENABLE_RSYSLOG=true
              ENABLE_SOUND=true
              ENABLE_HWRANDOM=true
              ENABLE_MINGPU=true
              ENABLE_DBUS=true
              ENABLE_XORG=true
              ENABLE_WM="lxdm"
              #------------------------
              ENABLE_MINBASE=false
              ENABLE_REDUCE=false
              ENABLE_UBOOT=false
              ENABLE_FBTURBO=true
              ENABLE_IPTABLES=false
              ENABLE_USER=true
              USER_NAME=ens-ife
              ENABLE_ROOT=true
              ENABLE_HARDNET=true
              ENABLE_INITRAMFS=true
              ENABLE_IFNAMES=true
              #------------------------
              ENABLE_ROOT_SSH=false
              SSH_LIMIT_USERS=false
              SSH_ROOT_PUB_KEY="/home/********/.ssh/authorized_keys"
              SSH_USER_PUB_KEY="/home/********/.ssh/authorized_keys"
              #------------------------
              BUILD_KERNEL=true
              KERNEL_REDUCE=false
              KERNEL_HEADERS=true
              KERNEL_REMOVESRC=true
              KERNELSRC_CLEAN=true
              KERNELSRC_CONFIG=true
              #------------------------
              REDUCE_APT=false
              REDUCE_DOC=true
              REDUCE_MAN=false
              REDUCE_HWDB=true
              REDUCE_BASH=false
              REDUCE_SSHD=false
              REDUCE_LOCALE=false
              #-------------------------
              ENABLE_CRYPTFS=false
              #-------------------------
              BASEDIR=/media/********/images/${RELEASE}
              DATE=date
-            +%Y-%m-%d
IMAGE_NAME=${BASEDIR}/${DATE}-rpi${RPI_MODEL}-${RELEASE}
+            +%Y-%m-%d
+            IMAGE_NAME=${BASEDIR}/${DATE}-rpi${RPI_MODEL}-${RELEASE}
+            =======
+            # Configuration file raspi2 Stretch IFÉ 2017/12/28
+            #
+            APT_SERVER=debian.mirrors.ovh.net
+            APT_INCLUDES=""
+            APT_INCLUDES_LATE="gnupg,firmware-linux-nonfree,firmware-linux,dh-autoreconf,\
+            gettext,build-essential,git,cmake,libjson-c-dev,unzip,usbutils,\
+            bison,libboost-all-dev,automake,autoconf,autogen,libtool,libtool-bin,\
+            pkg-config,checkinstall,menulibre,libnotify-bin,pandoc,\
+            python3,python3-dev,python3-pypandoc,python3-scipy,python3-tk,python3-pandocfilters,\
+            python3-geopy,python3-pip,\
+            python,python-dev,python-pypandoc,python-scipy,python-tk,python-pandocfilters,\
+            python-geopy,python-pip,python-tk,pandoc,\
+            python-configobj,python-cheetah,python-imaging,python-serial,python-usb,\
+            pcre2-utils,libpcre++-dev,libpcre2-dev,libjpeg-dev,i2c-tools,python-smbus,policykit-1,\
+            pmount,ntpdate,ntp,rsync,\
+            texlive,texlive-xetex,nginx-extras,ffmpeg,wicd,wicd-gtk,console-data,keyboard-configuration,\
+            libqtwebkit-dev,libqt5webkit5-dev,\
+            libudev-dev,libzzip-dev,zlib1g-dev,libcanberra-gtk-module,libnss-myhostname,libfreetype6-dev,libpng16-16,\
+            nmap,libltdl-dev,dbus-user-session,debian-archive-keyring,\
+            xutils-dev,lxsession,openbox-lxde-session,lxde,x11proto-randr-dev,lxrandr,\
+            tightvncserver,geany,geany-plugin-py,firefox-esr,firefox-esr-l10n-fr,jed,terminator,automake"
+            #ca-certificates-java,icedtea-plugin,icedtea-netx,\
+            #openjdk-8-jdk,openjdk-8-jre,openjdk-8-jre-headless,\
+            #openjdk-9-jdk,openjdk-9-jre,openjdk-9-jre-headless"
+            #----------------------
+            RPI_MODEL=2
+            RELEASE="stretch"
+            RELEASE_ARCH="armhf"
+            HOSTNAME="raspife2"
+            PASSWORD="*****"
+            USER_PASSWORD="*****"
+            DEFLOCAL="fr_FR.UTF-8"
+            TIMEZONE="Europe/Paris"
+            EXPANDROOT=false
+            #-----------------------
+            XKB_MODEL="pc105"
+            XKB_LAYOUT="fr"
+            XKB_VARIANT="latin9"
+            XKB_OPTIONS=""
+            #------------------------
+            ENABLE_DHCP=true
+            #------------------------
+            ENABLE_CONSOLE=false
+            ENABLE_I2C=true
+            ENABLE_SPI=true
+            ENABLE_IPV6=true
+            ENABLE_SSHD=true
+            ENABLE_NONFREE=true
+            ENABLE_WIRELESS=false
+            ENABLE_RSYSLOG=true
+            ENABLE_SOUND=true
+            ENABLE_HWRANDOM=true
+            ENABLE_MINGPU=true
+            ENABLE_DBUS=true
+            ENABLE_XORG=true
+            ENABLE_WM="lxdm"
+            #------------------------
+            ENABLE_MINBASE=false
+            ENABLE_REDUCE=false
+            ENABLE_UBOOT=false
+            ENABLE_FBTURBO=true
+            ENABLE_IPTABLES=false
+            ENABLE_USER=true
+            USER_NAME=ens-ife
+            ENABLE_ROOT=true
+            ENABLE_HARDNET=true
+            ENABLE_INITRAMFS=true
+            ENABLE_IFNAMES=true
+            #------------------------
+            ENABLE_ROOT_SSH=false
+            SSH_LIMIT_USERS=false
+            SSH_ROOT_PUB_KEY="/home/*****/.ssh/id_rsa.pub"
+            SSH_USER_PUB_KEY="/home/*****/.ssh/id_rsa.pub"
+            #------------------------
+            BUILD_KERNEL=true
+            KERNEL_BRANCH=rpi-4.13.y
+            KERNEL_REDUCE=false
+            KERNEL_HEADERS=true
+            KERNEL_REMOVESRC=true
+            KERNELSRC_CLEAN=true
+            KERNELSRC_CONFIG=true
+            #------------------------
+            REDUCE_APT=false
+            REDUCE_DOC=true
+            REDUCE_MAN=false
+            REDUCE_HWDB=true
+            REDUCE_BASH=false
+            REDUCE_SSHD=false
+            REDUCE_LOCALE=false
+            #-------------------------
+            ENABLE_CRYPTFS=false
+            #-------------------------
+            BASEDIR=/data/RpiGenImage/Images/${RELEASE}
+            #BASEDIR=/media/*******/*********/Nano-Ordinateurs/RaspberryPi/RpiGenImage/Images/${RELEASE}
+            DATE=`date +%Y-%m-%d`
+            IMAGE_NAME=${BASEDIR}/${DATE}-rpi${RPI_MODEL}-${RELEASE}

templates/raspife3-buster +2 0

             # Configuration file raspi3 Buster IFÉ 2017/11/01
             #
             APT_SERVER=debian.mirrors.ovh.net
             APT_INCLUDES=""
             APT_INCLUDES_LATE="gnupg,firmware-linux-nonfree,firmware-linux,dh-autoreconf,\
             gettext,build-essential,git,cmake,libjson-c-dev,unzip,usbutils,\
             bison,libboost-all-dev,automake,autoconf,autogen,libtool,libtool-bin,\
             pkg-config,checkinstall,menulibre,libnotify-bin,pandoc,\
             python3,python3-dev,python3-pypandoc,python3-scipy,python3-tk,python3-pandocfilters,\
             python3-geopy,python3-pip,\
             python,python-dev,python-pypandoc,python-scipy,python-tk,python-pandocfilters,\
             python-geopy,python-pip,python-tk,pandoc,\
             python-configobj,python-cheetah,python-imaging,python-serial,python-usb,\
             pcre2-utils,libpcre++-dev,libpcre2-dev,libjpeg-dev,i2c-tools,python-smbus,policykit-1,\
             pmount,ntpdate,ntp,rsync,\
             texlive,texlive-xetex,nginx-extras,ffmpeg,wicd,wicd-gtk,console-data,keyboard-configuration,\
             libqtwebkit-dev,libqt5webkit5-dev,\
             libudev-dev,libzzip-dev,zlib1g-dev,libcanberra-gtk-module,libnss-myhostname,libfreetype6-dev,libpng16-16,\
             nmap,libltdl-dev,dbus-user-session,debian-archive-keyring,\
             xutils-dev,lxsession,openbox-lxde-session,lxde,x11proto-randr-dev,lxrandr,\
             tightvncserver,geany,geany-plugin-py,firefox-esr,firefox-esr-l10n-fr,jed,terminator,automake"
             #ca-certificates-java,icedtea-plugin,icedtea-netx,\
             #openjdk-8-jdk,openjdk-8-jre,openjdk-8-jre-headless,\
             #openjdk-9-jdk,openjdk-9-jre,openjdk-9-jre-headless"
             #----------------------
             RPI_MODEL=3
             RELEASE="buster"
             RELEASE_ARCH="armhf"
             HOSTNAME="raspife3"
             PASSWORD="***********"
             USER_PASSWORD="*************"
             DEFLOCAL="fr_FR.UTF-8"
             TIMEZONE="Europe/Paris"
             EXPANDROOT=false
             #-----------------------
             XKB_MODEL="pc105"
             XKB_LAYOUT="fr"
             XKB_VARIANT="latin9"
             XKB_OPTIONS=""
             #------------------------
             ENABLE_DHCP=true
             #------------------------
             ENABLE_CONSOLE=false
             ENABLE_I2C=true
             ENABLE_SPI=true
             ENABLE_IPV6=true
             ENABLE_SSHD=true
             ENABLE_NONFREE=true
             ENABLE_WIRELESS=true
             ENABLE_RSYSLOG=true
             ENABLE_SOUND=true
             ENABLE_HWRANDOM=true
             ENABLE_MINGPU=true
             ENABLE_DBUS=true
             ENABLE_XORG=true
             ENABLE_WM="lxdm"
             #------------------------
             ENABLE_MINBASE=false
             ENABLE_REDUCE=false
             ENABLE_UBOOT=false
             ENABLE_FBTURBO=true
             ENABLE_IPTABLES=false
             ENABLE_USER=true
             USER_NAME=ens-ife
             ENABLE_ROOT=true
             ENABLE_HARDNET=true
             ENABLE_INITRAMFS=true
             ENABLE_IFNAMES=true
             #------------------------
             ENABLE_ROOT_SSH=false
             SSH_LIMIT_USERS=false
             SSH_ROOT_PUB_KEY="/home/*****/.ssh/authorized_keys"
             SSH_USER_PUB_KEY="/home/*****/.ssh/authorized_keys"
             #------------------------
             BUILD_KERNEL=true
             KERNEL_BRANCH=rpi-4.13.y
             KERNEL_REDUCE=false
             KERNEL_HEADERS=true
             KERNEL_REMOVESRC=true
             KERNELSRC_CLEAN=true
             KERNELSRC_CONFIG=true
             #------------------------
             REDUCE_APT=false
             REDUCE_DOC=true
             REDUCE_MAN=false
             REDUCE_HWDB=true
             REDUCE_BASH=false
             REDUCE_SSHD=false
             REDUCE_LOCALE=false
             #-------------------------
             ENABLE_CRYPTFS=false
             #-------------------------
             BASEDIR=/data/RpiGenImage/Images/${RELEASE}
             #BASEDIR=/media/*******/*********/Nano-Ordinateurs/RaspberryPi/RpiGenImage/Images/${RELEASE}
             DATE=`date +%Y-%m-%d`
             IMAGE_NAME=${BASEDIR}/${DATE}-rpi${RPI_MODEL}-${RELEASE}

templates/raspife3-stretch +4 -3

             # Configuration file raspi3 Stretch IFÉ 2017/07/26
             #
             APT_SERVER=ftp.fr.debian.org
             APT_INCLUDES="gnupg,gnupg2,firmware-linux-nonfree,firmware-linux,dh-autoreconf,\
             gettext,build-essential,git,cmake,libjson-c-dev,unzip,usbutils,\
             bison,libboost-all-dev,automake,autoconf,autogen,libtool,libtool-bin,\
             pkg-config,checkinstall,menulibre,libnotify-bin,pandoc,\
             python3,python3-dev,python3-pypandoc,python3-scipy,python3-tk,python3-pandocfilters,\
             python,python-dev,python-pypandoc,python-scipy,python-tk,python-pandocfilters,\
             python3-geopy,python3-pip,\
             python-geopy,python-pip,\
             python-configobj,python-cheetah,python-imaging,python-serial,python-usb,\
             pcre2-utils,libpcre++-dev,libpcre2-dev,libjpeg-dev,jed,i2c-tools,python-smbus,policykit-1,\
             pmount,ntpdate,\
             texlive,texlive-xetex,nginx-extras,ffmpeg,wicd,wicd-gtk,console-data,keyboard-configuration,\
             icedtea-8-plugin,openjdk-8-jdk,openjdk-8-jre,openjdk-8-jre-headless,libqtwebkit-dev,libqt5webkit5-dev,\
             libudev-dev,libzzip-dev,zlib1g-dev,libcanberra-gtk-module,libnss-myhostname,libfreetype6-dev,libpng16-16,\
             nmap,libltdl-dev,dbus-user-session,debian-archive-keyring,\
             xutils-dev,lxsession,openbox-lxde-session,lxde,x11proto-randr-dev,lxrandr,\
             tightvncserver,geany,geany-plugin-py,geany-plugin-markdown,firefox-esr,firefox-esr-l10n-fr"
             #----------------------
             RPI_MODEL=3
             RELEASE="stretch"
             HOSTNAME="raspife3"
             PASSWORD="**************"
-            USER_PASSWORD="***************"
+            USER_PASSWORD="***************
             DEFLOCAL="fr_FR.UTF-8"
             TIMEZONE="Europe/Paris"
             EXPANDROOT=false
             #-----------------------
             XKB_MODEL="pc105"
             XKB_LAYOUT="fr"
             XKB_VARIANT="latin9"
             XKB_OPTIONS=""
             #------------------------
             ENABLE_DHCP=true
             #------------------------
             ENABLE_CONSOLE=false
             ENABLE_I2C=true
             ENABLE_SPI=true
             ENABLE_IPV6=true
             ENABLE_SSHD=true
             ENABLE_NONFREE=true
             ENABLE_WIRELESS=true
             ENABLE_RSYSLOG=true
             ENABLE_SOUND=true
             ENABLE_HWRANDOM=true
             ENABLE_MINGPU=true
             ENABLE_DBUS=true
             ENABLE_XORG=true
             ENABLE_WM="lxdm"
             #------------------------
             ENABLE_MINBASE=false
             ENABLE_REDUCE=false
             ENABLE_UBOOT=false
             ENABLE_FBTURBO=true
             ENABLE_IPTABLES=false
             ENABLE_USER=true
             USER_NAME=ens-ife
             ENABLE_ROOT=true
             ENABLE_HARDNET=true
             ENABLE_INITRAMFS=true
             ENABLE_IFNAMES=true
             #------------------------
             ENABLE_ROOT_SSH=false
-            SSH_LIMIT_USERS=false
+            SSH_LIMIT_USERS=fal
             SSH_ROOT_PUB_KEY="/home/*******/.ssh/authorized_keys"
             SSH_USER_PUB_KEY="/home/*******/.ssh/authorized_keys"
             #------------------------
             BUILD_KERNEL=true
             KERNEL_REDUCE=false
             KERNEL_HEADERS=true
             KERNEL_REMOVESRC=true
             KERNELSRC_CLEAN=true
             KERNELSRC_CONFIG=true
             #------------------------
             REDUCE_APT=false
             REDUCE_DOC=true
             REDUCE_MAN=false
             REDUCE_HWDB=true
             REDUCE_BASH=false
             REDUCE_SSHD=false
             REDUCE_LOCALE=false
             #-------------------------
             ENABLE_CRYPTFS=false
             #-------------------------
             BASEDIR=/data/RpiGenImage/Images/${RELEASE}
             DATE=`date +%Y-%m-%d`
             IMAGE_NAME=${BASEDIR}/${DATE}-rpi${RPI_MODEL}-${RELEASE}

templates/raspife3W-stretch +2 0

             # Configuration file raspi3 Stretch Weewx IFÉ 2017/07/26
             #
             APT_SERVER=ftp.fr.debian.org
             APT_INCLUDES="debian-archive-keyring,debian-keyring,automake,autoconf,autogen,gawk,gnupg,gnupg2,\
             build-essential,git,cmake,libjson-c-dev,unzip,\
             bison,libboost-all-dev,libtool,libtool-bin,pkg-config,checkinstall,libnotify-bin,pandoc,\
             python3,python3-dev,python,python-dev,python-configobj,python-cheetah,python-mysqldb\
             python-imaging,python-serial,python-usb,python-tk,python3-tk,python3-scipy,\
             python-pypandoc,python3-pypandoc,python-pandocfilters,python3-pandocfilters,\
             python-geopy,python3-geopy,python-pip,python3-pip,python-smbus,\
             libudev-dev,libzzip-dev,zlib1g-dev,libnss-myhostname,libpng16-16,nmap,\
             libltdl-dev,usbutils,pmount,ntpdate,texlive,texlive-xetex,nginx-extras,policykit-1,\
             openjdk-8-jdk-headless,openjdk-8-jre-headless,\
             pcre2-utils,libpcre++-dev,libpcre2-dev,libjpeg-dev,i2c-tools"
             #----------------------
             RPI_MODEL=3
             RELEASE="stretch"
             HOSTNAME="raspwife3"
             PASSWORD="************"
             USER_PASSWORD="************"
             DEFLOCAL="fr_FR.UTF-8"
             TIMEZONE="Europe/Paris"
             EXPANDROOT=false
             #-----------------------
             XKB_MODEL="pc105"
             XKB_LAYOUT="fr"
             XKB_VARIANT="latin9"
             XKB_OPTIONS=""
             #------------------------
             ENABLE_DHCP=false
             NET_ADDRESS="192.168.***.***/24"
             NET_GATEWAY="192.168.***.1"
             NET_DNS_1="192.168.***.1"
             NET_DNS_2="8.8.8.8"
             #------------------------
             ENABLE_CONSOLE=false
             ENABLE_I2C=true
             ENABLE_SPI=true
             ENABLE_IPV6=true
             ENABLE_SSHD=true
             ENABLE_NONFREE=true
             ENABLE_WIRELESS=true
             ENABLE_RSYSLOG=true
             ENABLE_SOUND=true
             ENABLE_HWRANDOM=true
             ENABLE_MINGPU=true
             ENABLE_DBUS=true
             ENABLE_XORG=false
             ENABLE_WM=""
             #------------------------
             ENABLE_MINBASE=false
             ENABLE_REDUCE=false
             ENABLE_UBOOT=false
             ENABLE_FBTURBO=false
             ENABLE_IPTABLES=false
             ENABLE_USER=true
             USER_NAME=ens-ife
             ENABLE_ROOT=true
             ENABLE_HARDNET=true
             ENABLE_INITRAMFS=true
             ENABLE_IFNAMES=true
             #------------------------
             ENABLE_ROOT_SSH=false
             SSH_LIMIT_USERS=false
             SSH_ROOT_PUB_KEY="/home/*******/.ssh/authorized_keys"
             SSH_USER_PUB_KEY="/home/*******/.ssh/authorized_keys"
             #------------------------
             BUILD_KERNEL=true
             KERNEL_REDUCE=false
             KERNEL_HEADERS=true
             KERNEL_REMOVESRC=true
             KERNELSRC_CLEAN=true
             KERNELSRC_CONFIG=true
             #------------------------
             REDUCE_APT=false
             REDUCE_DOC=true
             REDUCE_MAN=false
             REDUCE_HWDB=true
             REDUCE_BASH=false
             REDUCE_SSHD=false
             REDUCE_LOCALE=false
             #-------------------------
             ENABLE_CRYPTFS=false
             #-------------------------
             BASEDIR=/data/RpiGenImage/Images/${RELEASE}
             DATE=`date +%Y-%m-%d`
             IMAGE_NAME=${BASEDIR}/${DATE}-rpiw${RPI_MODEL}-${RELEASE}

templates/rpi1buster ~~templates/rpi3jessie~~ renamed +1 -1

             # Configuration template file used by rpi23-gen-image.sh
             RPI_MODEL=3
-            RELEASE=jessie
+            RELEASE=buster
             BUILD_KERNEL=true

templates/rpi2stretch +1 0

             # Configuration template file used by rpi23-gen-image.sh
+            RPI_MODEL=2
             RELEASE=stretch
             BUILD_KERNEL=true

templates/rpi3-stretch-arm64-4.14.y ~~templates/rpi3-stretch-arm64-4.11.y~~ renamed +1 -1

             # Configuration template file used by rpi23-gen-image.sh
             # Debian Stretch using the Arm64 for kernel compilation and Debian distribution.
             RPI_MODEL=3
             RELEASE=stretch
             BUILD_KERNEL=true
             KERNEL_ARCH=arm64
             RELEASE_ARCH=arm64
             CROSS_COMPILE=aarch64-linux-gnu-
             QEMU_BINARY=/usr/bin/qemu-aarch64-static
             KERNEL_DEFCONFIG=bcmrpi3_defconfig
             KERNEL_BIN_IMAGE=Image
             KERNEL_IMAGE=kernel8.img
-            KERNEL_BRANCH=rpi-4.11.y
+            KERNEL_BRANCH=rpi-4.14.y
             ENABLE_WIRELESS=true

templates/rpi3buster +2 0

             # Configuration template file used by rpi23-gen-image.sh
             RPI_MODEL=3
             RELEASE=buster
             BUILD_KERNEL=true
+            # ENABLE_WIRELESS=false
+            # ENABLE_BLUETOOTH=false

templates/rpi3stretch +2 0

             # Configuration template file used by rpi23-gen-image.sh
             RPI_MODEL=3
             RELEASE=stretch
             BUILD_KERNEL=true
+            # ENABLE_WIRELESS=false
+            # ENABLE_BLUETOOTH=false

files/apt/flash-kernel removed 0 -3

NO CONTENT: file was removed

templates/rpi2jessie removed 0 -2

NO CONTENT: file was removed

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages