Merge pull request #184 from drtyhlpr/testing...
drtyhlpr -
r584:b93827055453 Fusion
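--- /dev/null
+++ b/UNKNOWN_PATH-nexmon-build-script
@@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Build and Setup nexmon with monitor mode patch
+#
+
+# Load utility functions
+. ./functions.sh
+
+if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
+# Copy existing nexmon sources into chroot directory
+if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
+# Copy local U-Boot sources
+cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
+else
+# Create temporary directory for nexmon sources
+temp_dir=$(as_nobody mktemp -d)
+
+# Fetch nexmon sources
+as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
+
+# Copy downloaded nexmon sources
+mv "${temp_dir}/nexmon" "${R}"/tmp/
+
+# Set permissions of the nexmon sources
+chown -R root:root "${R}"/tmp/nexmon
+
+# Remove temporary directory for nexmon sources
+rm -fr "${temp_dir}"
+fi
+
+# Set script Root
+export NEXMON_ROOT="${R}"/tmp/nexmon
+
+# Build nexmon firmware outside the build system, if we can.
+cd "${NEXMON_ROOT}" || exit
+
+# Make ancient isl build
+cd buildtools/isl-0.10 || exit
+./configure
+make
+cd ../.. || exit
+
+# Disable statistics
+touch DISABLE_STATISTICS
+
+# Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
+export KERNEL="${KERNEL_IMAGE}"
+export ARCH=arm
+export SUBARCH=arm
+export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+export CC="${CC}"gcc
+export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
+export ZLIBFLATE="zlib-flate -compress"
+export Q=@
+export NEXMON_SETUP_ENV=1
+export HOSTUNAME=$(uname -s)
+export PLATFORMUNAME=$(uname -m)
+
+# Make nexmon
+make
+
+# build patches
+if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] ; then
+cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon || exit
+sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
+make clean
+
+# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
+LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+
+# copy RPi0W & RPi3 firmware
+mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
+cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
+cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
+fi
+
+if [ "$RPI_MODEL" = 3P ] ; then
+cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
+sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
+make clean
+
+# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
+LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+
+# RPi3B+ firmware
+mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
+cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
+cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
+fi
+
+#Revert to previous directory
+cd "${WORKDIR}" || exit
+
+# Remove nexmon sources
+rm -fr "${NEXMON_ROOT}"
+
+fi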
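Review bot: The firmware swap at new lines 72–74 (and 86–88) runs regardless of whether the `make` on line 69 (83) succeeded: the script is `#!/bin/sh` with no `set -e` visible, so a failed patch build still renames the stock `brcmfmac43430-sdio.bin` to `.org.bin`, the following `cp` fails on the missing patched file, and the image ships with no wireless firmware at all. Guard the build and its artifact before touching the stock file, e.g. `LD_LIBRARY_PATH=... make ARCH="${KERNEL_ARCH}" CC=... || exit 1` followed by `[ -f brcmfmac43430-sdio.bin ] || exit 1`, and the same for the unchecked `./configure`/`make` on lines 39–40 and 60. Separately, the clone on line 19 checks out whatever `NEXMON_URL` currently points at, and the build then runs the prebuilt x86 toolchain shipped inside that checkout (lines 50–51, 69), presumably as root since only the clone is dropped to `as_nobody`, so the image's firmware is only as reproducible and trustworthy as the unpinned upstream HEAD — pin a commit or tag (`git -C "${temp_dir}/nexmon" checkout <pinned-commit>`) and record it in the build output. The `sed` targets on lines 65 and 79 and the `LD_LIBRARY_PATH` on line 83 leave `${NEXMON_ROOT}` unquoted while every other use quotes it.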
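--- /dev/null
+++ b/UNKNOWN_PATH-rc.firstboot-fragment
@@ -0,0 +1,5 @@
+# Restart dphys-swapfile service if it exists
+logger -t "rc.firstboot" "Restarting dphys-swapfile"
+
+systemctl enable dphys-swapfile
+systemctl restart dphys-swapfile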
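Review bot: The comment on line 1 says the service is restarted "if it exists", but lines 4–5 enable and restart `dphys-swapfile` unconditionally, so on an image built without that package both systemctl calls would fail on first boot. Make the code match the comment with a guard such as `if systemctl cat dphys-swapfile.service >/dev/null 2>&1; then` around the three commands, and let the `logger` line say the unit is also being enabled, since that is what line 4 does. The hunk is a fragment whose surrounding script (presumably rc.firstboot, judging by the `logger` tag) is outside the hunk, so whether an `ENABLE_DPHYSSWAP`-style check already wraps it cannot be seen here.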
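--- /dev/null
+++ b/UNKNOWN_PATH-initramfs-dropbear-unlock-hook
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+PREREQ="dropbear"
+
+prereqs() {
+echo "$PREREQ"
+}
+
+case "$1" in
+prereqs)
+prereqs
+exit 0
+;;
+esac
+
+. "${CONFDIR}/initramfs.conf"
+. /usr/share/initramfs-tools/hook-functions
+
+if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
+cat > "${DESTDIR}/bin/unlock" << EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
+kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
+# following line kill the remote shell right after the passphrase has
+# been entered.
+kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
+exit 0
+fi
+exit 1
+EOF
+
+chmod 755 "${DESTDIR}/bin/unlock"
+
+mkdir -p "${DESTDIR}/lib/unlock"
+cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
+#!/bin/sh
+[ "\$1" == "--ping" ] && exit 1
+/bin/plymouth "\$@"
+EOF
+
+chmod 755 "${DESTDIR}/lib/unlock/plymouth"
+
+echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
+
+fi
\ No newline at end of file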
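Review bot: The generated plymouth shim on line 37 uses `==` inside `[ ]`, which is not a POSIX `test` operator; if the initramfs `/bin/sh` rejects it the test errors out, `&& exit 1` never fires, and the shim falls through to the real `/bin/plymouth --ping`, which is exactly what it was written to suppress — use `[ "\$1" = "--ping" ] && exit 1`. In the generated `unlock` script, lines 23 and 26 pick PIDs with `ps | grep ... | grep -v grep`, and the second pattern `"\-sh"` matches any process whose listing contains `-sh`, not only the remote login shell, so the `kill -9` can take down unrelated shells; anchoring the match (or `pgrep` where the initramfs busybox provides it) would narrow it, and sending TERM before KILL is the usual order. Line 43 leaves `${DESTDIR}` unquoted and lets the shell strip the quotes around `unlock` before the text reaches motd; `echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"` gives the intended message. The file also ends without a trailing newline.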
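--- /dev/null
+++ b/UNKNOWN_PATH-sysctl-aslr.conf
@@ -0,0 +1,2 @@
+# ASLR
+kernel.randomize_va_space = 2
\ No newline at end of file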
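Review bot: The `# ASLR` comment on line 1 does not say what the value means, and a reader auditing the hardening profile has to look it up; a one-line comment such as `# 2 = full ASLR (stack, mmap base, VDSO and brk heap); 1 would leave brk unrandomized` documents the choice. Note that 2 is already the upstream kernel default unless the kernel was built with CONFIG_COMPAT_BRK, so this file pins the setting against a distro or boot-time override rather than tightening it — worth stating in the comment so nobody later removes the file as a no-op. The file also ends without a trailing newline.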
@@ -1,500 +1,547
1 1 # rpi23-gen-image
2 2 ## Introduction
3 3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9 9
10 10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
14 14 ## Command-line parameters
15 15 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi23-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi23-gen-image.sh` script.
16 16
17 17 ##### Command-line examples:
18 18 ```shell
19 19 ENABLE_UBOOT=true ./rpi23-gen-image.sh
20 20 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
21 21 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
22 22 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
23 23 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
24 24 ENABLE_MINBASE=true ./rpi23-gen-image.sh
25 25 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
26 26 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
27 27 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
28 28 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
29 29 RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
30 30 RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
31 31 RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
32 32 ```
33 33
34 34 ## Configuration template files
35 35 To avoid long lists of command-line parameters and to help to store the favourite parameter configurations the `rpi23-gen-image.sh` script supports so called configuration template files (`CONFIG_TEMPLATE`=template). These are simple text files located in the `./templates` directory that contain the list of configuration parameters that will be used. New configuration template files can be added to the `./templates` directory.
36 36
37 37 ##### Command-line examples:
38 38 ```shell
39 39 CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
40 40 CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
41 41 ```
42 42
43 43 ## Supported parameters and settings
44 44 #### APT settings:
45 45 ##### `APT_SERVER`="ftp.debian.org"
46 46 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
47 47
48 48 ##### `APT_PROXY`=""
49 49 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
50 50
51 ##### `KEEP_APT_PROXY`=false
52 Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
53
51 54 ##### `APT_INCLUDES`=""
52 55 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
53 56
54 57 ##### `APT_INCLUDES_LATE`=""
55 58 A comma-separated list of additional packages to be installed by apt after bootstrapping and after APT sources are set up. This is useful for packages with pre-depends, which debootstrap do not handle well.
56 59
57 60 ---
58 61
59 62 #### General system settings:
60 63 ##### `SET_ARCH`=32
61 64 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
62 65
63 66 ##### `RPI_MODEL`=2
64 67 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
65 68 - `0` = Raspberry Pi 0 and Raspberry Pi 0 W
66 69 - `1` = Raspberry Pi 1 model A and B
67 70 - `1P` = Raspberry Pi 1 model B+ and A+
68 71 - `2` = Raspberry Pi 2 model B
69 72 - `3` = Raspberry Pi 3 model B
70 73 - `3P` = Raspberry Pi 3 model B+
71 74
72 75 ##### `RELEASE`="buster"
73 76 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
74 77
75 78 ##### `RELEASE_ARCH`="armhf"
76 79 Set the desired Debian release architecture.
77 80
78 81 ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
79 82 Set system hostname. It's recommended that the hostname is unique in the corresponding subnet.
80 83
81 84 ##### `PASSWORD`="raspberry"
82 85 Set system `root` password. It's **STRONGLY** recommended that you choose a custom password.
83 86
84 87 ##### `USER_PASSWORD`="raspberry"
85 88 Set password for the created non-root user `USER_NAME`=pi. Ignored if `ENABLE_USER`=false. It's **STRONGLY** recommended that you choose a custom password.
86 89
87 90 ##### `DEFLOCAL`="en_US.UTF-8"
88 91 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. Please note that on using this parameter the script will automatically install the required packages `locales`, `keyboard-configuration` and `console-setup`.
89 92
90 93 ##### `TIMEZONE`="Europe/Berlin"
91 94 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
92 95
93 96 ##### `EXPANDROOT`=true
94 97 Expand the root partition and filesystem automatically on first boot.
95 98
99 ##### `ENABLE_DPHYSSWAP`=true
100 Enable swap. The size of the swapfile is chosen relative to the size of the root partition. It'll use the `dphys-swapfile` package for that.
101
96 102 ##### `ENABLE_QEMU`=false
97 103 Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file.
98 104
99 105 ---
100 106
101 107 #### Keyboard settings:
102 108 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
103 109
104 110 ##### `XKB_MODEL`=""
105 111 Set the name of the model of your keyboard type.
106 112
107 113 ##### `XKB_LAYOUT`=""
108 114 Set the supported keyboard layout(s).
109 115
110 116 ##### `XKB_VARIANT`=""
111 117 Set the supported variant(s) of the keyboard layout(s).
112 118
113 119 ##### `XKB_OPTIONS`=""
114 120 Set extra xkb configuration options.
115 121
116 122 ---
117 123
118 124 #### Networking settings (DHCP):
119 125 This parameter is used to set up networking auto-configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
120 126
121 127 ##### `ENABLE_DHCP`=true
122 128 Set the system to use DHCP. This requires an DHCP server.
123 129
124 130 ---
125 131
126 132 #### Networking settings (static):
127 133 These parameters are used to set up a static networking configuration in `/etc/systemd/network/eth.network`. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.
128 134
129 135 ##### `NET_ADDRESS`=""
130 136 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
131 137
132 138 ##### `NET_GATEWAY`=""
133 139 Set the IP address for the default gateway.
134 140
135 141 ##### `NET_DNS_1`=""
136 142 Set the IP address for the first DNS server.
137 143
138 144 ##### `NET_DNS_2`=""
139 145 Set the IP address for the second DNS server.
140 146
141 147 ##### `NET_DNS_DOMAINS`=""
142 148 Set the default DNS search domains to use for non fully qualified hostnames.
143 149
144 150 ##### `NET_NTP_1`=""
145 151 Set the IP address for the first NTP server.
146 152
147 153 ##### `NET_NTP_2`=""
148 154 Set the IP address for the second NTP server.
149 155
150 156 ---
151 157
152 158 #### Basic system features:
153 159 ##### `ENABLE_CONSOLE`=true
154 160 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. On RPI `0` `3` `3P` the CPU speed is locked at lowest speed.
155 161
156 162 ##### `ENABLE_PRINTK`=false
157 163 Enables printing kernel messages to konsole. printk is `3 4 1 3` as in raspbian.
158 164
159 165 ##### `ENABLE_BLUETOOTH`=false
160 166 Enable onboard Bluetooth interface on the RPi0/3/3P. See: [Configuring the GPIO serial port on Raspbian jessie and stretch](https://spellfoundry.com/2016/05/29/configuring-gpio-serial-port-raspbian-jessie-including-pi-3/).
161 167
162 168 ##### `ENABLE_MINIUART_OVERLAY`=false
163 169 Enable Bluetooth to use this. Adds overlay to swap UART0 with UART1. Enabling (slower) Bluetooth and full speed serial console. - RPI `0` `3` `3P` have a fast `hardware UART0` (ttyAMA0) and a `mini UART1` (ttyS0)! RPI `1` `1P` `2` only have a `hardware UART0`. `UART0` is considered better, because is faster and more stable than `mini UART1`. By default the Bluetooth modem is mapped to the `hardware UART0` and `mini UART` is used for console. The `mini UART` is a problem for the serial console, because its baudrate depends on the CPU frequency, which is changing on runtime. Resulting in a volatile baudrate and thus in an unusable serial console.
164 170
165 171 ##### `ENABLE_TURBO`=false
166 172 Enable Turbo mode. This setting locks cpu at the highest frequency. As setting ENABLE_CONSOLE=true locks RPI to lowest CPU speed, this is can be used additionally to lock cpu hat max speed. Need a good power supply and probably cooling for the Raspberry PI.
167 173
168 174 ##### `ENABLE_I2C`=false
169 175 Enable I2C interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
170 176
171 177 ##### `ENABLE_SPI`=false
172 178 Enable SPI interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
173 179
174 180 ##### `ENABLE_IPV6`=true
175 181 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
176 182
177 183 ##### `ENABLE_SSHD`=true
178 184 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
179 185
180 186 ##### `ENABLE_NONFREE`=false
181 187 Allow the installation of non-free Debian packages that do not comply with the DFSG. This is required to install closed-source firmware binary blobs.
182 188
183 189 ##### `ENABLE_WIRELESS`=false
184 190 Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
185 191
186 192 ##### `ENABLE_RSYSLOG`=true
187 193 If set to false, disable and uninstall rsyslog (so logs will be available only in journal files)
188 194
189 195 ##### `ENABLE_SOUND`=true
190 196 Enable sound hardware and install Advanced Linux Sound Architecture.
191 197
192 198 ##### `ENABLE_HWRANDOM`=true
193 199 Enable Hardware Random Number Generator. Strong random numbers are important for most network-based communications that use encryption. It's recommended to be enabled.
194 200
195 201 ##### `ENABLE_MINGPU`=false
196 202 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
197 203
198 204 ##### `ENABLE_DBUS`=true
199 205 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
200 206
201 207 ##### `ENABLE_XORG`=false
202 208 Install Xorg open-source X Window System.
203 209
204 210 ##### `ENABLE_WM`=""
205 211 Install a user-defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
206 212
207 213 ##### `ENABLE_SYSVINIT`=false
208 214 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
209 215
210 216 ---
211 217
212 218 #### Advanced system features:
219 ##### `ENABLE_SYSTEMDSWAP`=false
220 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
221
213 222 ##### `ENABLE_MINBASE`=false
214 223 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
215 224
216 225 ##### `ENABLE_REDUCE`=false
217 226 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
218 227
219 228 ##### `ENABLE_UBOOT`=false
220 229 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
221 230
222 231 ##### `UBOOTSRC_DIR`=""
223 232 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
224 233
225 234 ##### `ENABLE_FBTURBO`=false
226 235 Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
227 236
228 237 ##### `FBTURBOSRC_DIR`=""
229 238 Path to a directory (`xf86-video-fbturbo`) of [hardware accelerated Xorg video driver sources](https://github.com/ssvb/xf86-video-fbturbo) that will be copied, configured, build and installed inside the chroot.
230 239
231 240 ##### `ENABLE_VIDEOCORE`=false
232 241 Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) `vcgencmd`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
233 242
234 243 ##### `VIDEOCORESRC_DIR`=""
235 244 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
236 245
246 ##### `ENABLE_NEXMON`=false
247 Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
248
249 ##### `NEXMONSRC_DIR`=""
250 Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
251
237 252 ##### `ENABLE_IPTABLES`=false
238 253 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
239 254
240 255 ##### `ENABLE_USER`=true
241 256 Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, the username will be `pi`.
242 257
243 258 ##### `USER_NAME`=pi
244 259 Non-root user to create. Ignored if `ENABLE_USER`=false
245 260
246 261 ##### `ENABLE_ROOT`=false
247 262 Set root user password so root login will be enabled
248 263
249 264 ##### `ENABLE_HARDNET`=false
250 265 Enable IPv4/IPv6 network stack hardening settings.
251 266
252 267 ##### `ENABLE_SPLITFS`=false
253 268 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
254 269
255 270 ##### `CHROOT_SCRIPTS`=""
256 271 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
257 272
258 273 ##### `ENABLE_INITRAMFS`=false
259 274 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
260 275
261 276 ##### `ENABLE_IFNAMES`=true
262 277 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
263 278
279 ##### `ENABLE_SPLASH`=true
280 Enable default Raspberry Pi boot up rainbow splash screen.
281
282 ##### `ENABLE_LOGO`=true
283 Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
284
285 ##### `ENABLE_SILENT_BOOT`=false
286 Set the verbosity of console messages shown during boot up to a strict minimum.
287
264 288 ##### `DISABLE_UNDERVOLT_WARNINGS`=
265 289 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
266 290
267 291 ---
268 292
269 293 #### SSH settings:
270 294 ##### `SSH_ENABLE_ROOT`=false
271 295 Enable password-based root login via SSH. This may be a security risk with the default password set, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
272 296
273 297 ##### `SSH_DISABLE_PASSWORD_AUTH`=false
274 298 Disable password-based SSH authentication. Only public key based SSH (v2) authentication will be supported.
275 299
276 300 ##### `SSH_LIMIT_USERS`=false
277 301 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. This parameter will be ignored if `dropbear` SSH is used (`REDUCE_SSHD`=true).
278 302
279 303 ##### `SSH_ROOT_PUB_KEY`=""
280 304 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
281 305
282 306 ##### `SSH_USER_PUB_KEY`=""
283 307 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported.
284 308
285 309 ---
286 310
287 311 #### Kernel compilation:
288 312 ##### `BUILD_KERNEL`=true
289 313 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
290 314
291 315 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
292 316 This sets the cross-compile environment for the compiler.
293 317
294 318 ##### `KERNEL_ARCH`="arm"
295 319 This sets the kernel architecture for the compiler.
296 320
297 321 ##### `KERNEL_IMAGE`="kernel7.img"
298 322 Name of the image file in the boot partition. If not set, `KERNEL_IMAGE` will be set to "kernel8.img" automatically if building for arm64.
299 323
300 324 ##### `KERNEL_BRANCH`=""
301 325 Name of the requested branch from the GIT location for the RPi Kernel. Default is using the current default branch from the GIT site.
302 326
303 327 ##### `QEMU_BINARY`="/usr/bin/qemu-arm-static"
304 328 Sets the QEMU enviornment for the Debian archive. If not set, `QEMU_BINARY` will be set to "/usr/bin/qemu-aarch64-static" automatically if building for arm64.
305 329
306 330 ##### `KERNEL_DEFCONFIG`="bcm2709_defconfig"
307 331 Sets the default config for kernel compiling. If not set, `KERNEL_DEFCONFIG` will be set to "bcmrpi3\_defconfig" automatically if building for arm64.
308 332
309 333 ##### `KERNEL_REDUCE`=false
310 334 Reduce the size of the generated kernel by removing unwanted devices, network and filesystem drivers (experimental).
311 335
312 336 ##### `KERNEL_THREADS`=1
313 337 Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
314 338
315 339 ##### `KERNEL_HEADERS`=true
316 340 Install kernel headers with the built kernel.
317 341
318 342 ##### `KERNEL_MENUCONFIG`=false
319 343 Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
320 344
321 345 ##### `KERNEL_OLDDEFCONFIG`=false
322 346 Run `make olddefconfig` to automatically set all new kernel configuration options to their recommended default values.
323 347
324 348 ##### `KERNEL_CCACHE`=false
325 349 Compile the kernel using ccache. This speeds up kernel recompilation by caching previous compilations and detecting when the same compilation is being done again.
326 350
327 351 ##### `KERNEL_REMOVESRC`=true
328 352 Remove all kernel sources from the generated OS image after it was built and installed.
329 353
330 354 ##### `KERNELSRC_DIR`=""
331 355 Path to a directory (`linux`) of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
332 356
333 357 ##### `KERNELSRC_CLEAN`=false
334 358 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
335 359
336 360 ##### `KERNELSRC_CONFIG`=true
337 361 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
338 362
339 363 ##### `KERNELSRC_USRCONFIG`=""
340 364 Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then running after copy.
341 365
342 366 ##### `KERNELSRC_PREBUILT`=false
343 367 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
344 368
345 369 ##### `RPI_FIRMWARE_DIR`=""
346 370 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
347 371
372 ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
373 Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
374
375 ##### `KERNEL_NF`=false
376 Enable Netfilter modules as kernel modules
377
378 ##### `KERNEL_VIRT`=false
379 Enable Kernel KVM support (/dev/kvm)
380
381 ##### `KERNEL_ZSWAP`=false
382 Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
383
384 ##### `KERNEL_BPF`=true
385 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
386
387 ##### `KERNEL_SECURITY`=false
388 Enables Apparmor, integrity subsystem, auditing
348 389 ---
349 390
350 391 #### Reduce disk usage:
351 392 The following list of parameters is ignored if `ENABLE_REDUCE`=false.
352 393
353 394 ##### `REDUCE_APT`=true
354 395 Configure APT to use compressed package repository lists and no package caching files.
355 396
356 397 ##### `REDUCE_DOC`=true
357 398 Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
358 399
359 400 ##### `REDUCE_MAN`=true
360 401 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
361 402
362 403 ##### `REDUCE_VIM`=false
363 404 Replace `vim-tiny` package by `levee` a tiny vim clone.
364 405
365 406 ##### `REDUCE_BASH`=false
366 407 Remove `bash` package and switch to `dash` shell (experimental).
367 408
368 409 ##### `REDUCE_HWDB`=true
369 410 Remove PCI related hwdb files (experimental).
370 411
371 412 ##### `REDUCE_SSHD`=true
372 413 Replace `openssh-server` with `dropbear`.
373 414
374 415 ##### `REDUCE_LOCALE`=true
375 416 Remove all `locale` translation files.
376 417
377 418 ---
378 419
379 420 #### Encrypted root partition:
380 421 ##### `ENABLE_CRYPTFS`=false
381 422 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
382 423
383 424 ##### `CRYPTFS_PASSWORD`=""
384 425 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
385 426
386 427 ##### `CRYPTFS_MAPPING`="secure"
387 428 Set name of dm-crypt managed device-mapper mapping.
388 429
389 430 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
390 431 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
391 432
392 433 ##### `CRYPTFS_XTSKEYSIZE`=512
393 434 Sets key size in bits. The argument has to be a multiple of 8.
394 435
436 ##### `CRYPTFS_DROPBEAR`=false
437 Enable Dropbear Initramfs support
438
439 ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
440 Provide path to dropbear Public RSA-OpenSSH Key
441
395 442 ---
396 443
397 444 #### Build settings:
398 445 ##### `BASEDIR`=$(pwd)/images/${RELEASE}
399 446 Set a path to a working directory used by the script to generate an image.
400 447
401 448 ##### `IMAGE_NAME`=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}
402 449 Set a filename for the output file(s). Note: the script will create $IMAGE_NAME.img if `ENABLE_SPLITFS`=false or $IMAGE_NAME-frmw.img and $IMAGE_NAME-root.img if `ENABLE_SPLITFS`=true. Note 2: If the KERNEL_BRANCH is not set, the word "CURRENT" is used.
403 450
404 451 ## Understanding the script
405 452 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
406 453
407 454 | Script | Description |
408 455 | --- | --- |
409 456 | `10-bootstrap.sh` | Debootstrap basic system |
410 457 | `11-apt.sh` | Setup APT repositories |
411 458 | `12-locale.sh` | Setup Locales and keyboard settings |
412 459 | `13-kernel.sh` | Build and install RPi 0/1/2/3 Kernel |
413 460 | `14-fstab.sh` | Setup fstab and initramfs |
414 461 | `15-rpi-config.sh` | Setup RPi 0/1/2/3 config and cmdline |
415 462 | `20-networking.sh` | Setup Networking |
416 463 | `21-firewall.sh` | Setup Firewall |
417 464 | `30-security.sh` | Setup Users and Security settings |
418 465 | `31-logging.sh` | Setup Logging |
419 466 | `32-sshd.sh` | Setup SSH and public keys |
420 467 | `41-uboot.sh` | Build and Setup U-Boot |
421 468 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
422 469 | `43-videocore.sh` | Build and Setup videocore libraries |
423 470 | `50-firstboot.sh` | First boot actions |
424 471 | `99-reduce.sh` | Reduce the disk space usage |
425 472
426 473 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
427 474
428 475 | Directory | Description |
429 476 | --- | --- |
430 477 | `apt` | APT management configuration files |
431 478 | `boot` | Boot and RPi 0/1/2/3 configuration files |
432 479 | `dpkg` | Package Manager configuration |
433 480 | `etc` | Configuration files and rc scripts |
434 481 | `firstboot` | Scripts that get executed on first boot |
435 482 | `initramfs` | Initramfs scripts |
436 483 | `iptables` | Firewall configuration files |
437 484 | `locales` | Locales configuration |
438 485 | `modules` | Kernel Modules configuration |
439 486 | `mount` | Fstab configuration |
440 487 | `network` | Networking configuration files |
441 488 | `sysctl.d` | Swapping and Network Hardening configuration |
442 489 | `xorg` | fbturbo Xorg driver configuration |
443 490
444 491 ## Custom packages and scripts
445 492 Debian custom packages, i.e. those not in the debian repositories, can be installed by placing them in the `packages` directory. They are installed immediately after packages from the repositories are installed. Any dependencies listed in the custom packages will be downloaded automatically from the repositories. Do not list these custom packages in `APT_INCLUDES`.
446 493
447 494 Scripts in the custom.d directory will be executed after all other installation is complete but before the image is created.
448 495
449 496 ## Logging of the bootstrapping process
450 497 All information related to the bootstrapping process and the commands executed by the `rpi23-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
451 498
452 499 ```shell
453 500 script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
454 501 ```
455 502
456 503 ## Flashing the image file
457 504 After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi 0/1/2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
458 505
459 506 ##### Flashing examples:
460 507 ```shell
461 508 bmaptool copy ./images/buster/2017-01-23-rpi3-buster.img /dev/mmcblk0
462 509 dd bs=4M if=./images/buster/2017-01-23-rpi3-buster.img of=/dev/mmcblk0
463 510 ```
464 511 If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
465 512 ```shell
466 513 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-frmw.img /dev/mmcblk0
467 514 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-root.img /dev/sdc
468 515 ```
469 516
470 517 ## QEMU emulation
471 518 Start QEMU full system emulation:
472 519 ```shell
473 520 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=tty1"
474 521 ```
475 522
476 523 Start QEMU full system emulation and output to console:
477 524 ```shell
478 525 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
479 526 ```
480 527
481 528 Start QEMU full system emulation with SMP and output to console:
482 529 ```shell
483 530 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -smp cpus=2,maxcpus=2 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
484 531 ```
485 532
486 533 Start QEMU full system emulation with cryptfs, initramfs and output to console:
487 534 ```shell
488 535 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -initrd "initramfs-${KERNEL_VERSION}" -append "root=/dev/mapper/secure cryptdevice=/dev/mmcblk0p2:secure rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
489 536 ```
490 537
491 538 ## External links and references
492 539 * [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
493 540 * [Debian Raspberry Pi 2 Wiki](https://wiki.debian.org/RaspberryPi2)
494 541 * [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains)
495 542 * [Official Raspberry Pi Firmware on github](https://github.com/raspberrypi/firmware)
496 543 * [Official Raspberry Pi Kernel on github](https://github.com/raspberrypi/linux)
497 544 * [U-BOOT git repository](https://git.denx.de/?p=u-boot.git;a=summary)
498 545 * [Xorg DDX driver fbturbo](https://github.com/ssvb/xf86-video-fbturbo)
499 546 * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
500 547 * [Collabora RPi2 Kernel precompiled](https://repositories.collabora.co.uk/debian/)
@@ -1,33 +1,40
1 1 #
2 2 # Setup APT repositories
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup APT proxy configuration
9 9 if [ -z "$APT_PROXY" ] ; then
10 10 install_readonly files/apt/10proxy "${ETC_DIR}/apt/apt.conf.d/10proxy"
11 11 sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
12 12 fi
13 13
14 # Install APT sources.list
15 install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
16
17 # Use specified APT server and release
18 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
19 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
20
14 21 # Upgrade package index and update all installed packages and changed dependencies
15 22 chroot_exec apt-get -qq -y update
16 23 chroot_exec apt-get -qq -y -u dist-upgrade
17 24
18 25 # Install additional packages
19 26 if [ "$APT_INCLUDES_LATE" ] ; then
20 27 chroot_exec apt-get -qq -y install "$(echo "$APT_INCLUDES_LATE" |tr , ' ')"
21 28 fi
22 29
23 30 # Install Debian custom packages
24 31 if [ -d packages ] ; then
25 32 for package in packages/*.deb ; do
26 33 cp "$package" "${R}"/tmp
27 34 chroot_exec dpkg --unpack /tmp/"$(basename "$package")"
28 35 done
29 36 fi
30 37
31 38 chroot_exec apt-get -qq -y -f install
32 39
33 40 chroot_exec apt-get -qq -y check
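Review bot: The new `sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//"` and `sed -i "s/ stretch/ ${RELEASE}/"` lines splice `APT_SERVER` and `RELEASE` into a sed expression unescaped, so a value containing `/`, `&` or `\` (a mirror written as `host/debian`, for instance) corrupts sources.list or makes sed fail instead of being rejected up front. A guard before the substitutions such as `case "$APT_SERVER" in *[!A-Za-z0-9.-]*|"") echo "error: invalid APT_SERVER" >&2; exit 1 ;; esac` keeps the expression well-formed and fails loudly on an empty value. The ` stretch` match also silently does nothing if the template in `files/apt/sources.list` is ever updated to another codename, so a comment naming that coupling, e.g. `# files/apt/sources.list must keep 'stretch' as the placeholder release`, is worth adding. Not part of this change, but the surrounding `[ -z "$APT_PROXY" ]` test installs the proxy configuration only when APT_PROXY is empty, which reads as inverted and may deserve a look in the same pass.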
@@ -1,255 +1,615
1 1 #
2 2 # Build and Setup RPi2/3 Kernel
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 # Need to use kali kernel src if nexmon is enabled
9 if [ "$ENABLE_NEXMON" = true ] ; then
10 KERNEL_URL="${KALI_KERNEL_URL}"
11 # Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
12 KERNEL_BRANCH=""
13 KERNELSRC_DIR=""
14 fi
15
8 16 # Fetch and build latest raspberry kernel
9 17 if [ "$BUILD_KERNEL" = true ] ; then
10 18 # Setup source directory
11 19 mkdir -p "${KERNEL_DIR}"
12 20
13 21 # Copy existing kernel sources into chroot directory
14 22 if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then
15 23 # Copy kernel sources and include hidden files
16 24 cp -r "${KERNELSRC_DIR}/". "${KERNEL_DIR}"
17 25
18 26 # Clean the kernel sources
19 27 if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then
20 28 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
21 29 fi
22 30 else # KERNELSRC_DIR=""
23 31 # Create temporary directory for kernel sources
24 32 temp_dir=$(as_nobody mktemp -d)
25 33
26 34 # Fetch current RPi2/3 kernel sources
27 35 if [ -z "${KERNEL_BRANCH}" ] ; then
28 36 as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux
29 37 else
30 38 as_nobody -H git -C "${temp_dir}" clone --depth=1 --branch "${KERNEL_BRANCH}" "${KERNEL_URL}" linux
31 39 fi
32 40
33 41 # Copy downloaded kernel sources
34 42 cp -r "${temp_dir}/linux/"* "${KERNEL_DIR}"
35 43
36 44 # Remove temporary directory for kernel sources
37 45 rm -fr "${temp_dir}"
38 46
39 47 # Set permissions of the kernel sources
40 48 chown -R root:root "${R}/usr/src"
41 49 fi
42 50
43 51 # Calculate optimal number of kernel building threads
44 52 if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
45 53 KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
46 54 fi
47 55
48 56 # Configure and build kernel
49 57 if [ "$KERNELSRC_PREBUILT" = false ] ; then
50 58 # Remove device, network and filesystem drivers from kernel configuration
51 59 if [ "$KERNEL_REDUCE" = true ] ; then
52 60 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
53 61 sed -i\
54 62 -e "s/\(^CONFIG_SND.*\=\).*/\1n/"\
55 63 -e "s/\(^CONFIG_SOUND.*\=\).*/\1n/"\
56 64 -e "s/\(^CONFIG_AC97.*\=\).*/\1n/"\
57 65 -e "s/\(^CONFIG_VIDEO_.*\=\).*/\1n/"\
58 66 -e "s/\(^CONFIG_MEDIA_TUNER.*\=\).*/\1n/"\
59 67 -e "s/\(^CONFIG_DVB.*\=\)[ym]/\1n/"\
60 68 -e "s/\(^CONFIG_REISERFS.*\=\).*/\1n/"\
61 69 -e "s/\(^CONFIG_JFS.*\=\).*/\1n/"\
62 70 -e "s/\(^CONFIG_XFS.*\=\).*/\1n/"\
63 71 -e "s/\(^CONFIG_GFS2.*\=\).*/\1n/"\
64 72 -e "s/\(^CONFIG_OCFS2.*\=\).*/\1n/"\
65 73 -e "s/\(^CONFIG_BTRFS.*\=\).*/\1n/"\
66 74 -e "s/\(^CONFIG_HFS.*\=\).*/\1n/"\
67 75 -e "s/\(^CONFIG_JFFS2.*\=\)[ym]/\1n/"\
68 76 -e "s/\(^CONFIG_UBIFS.*\=\).*/\1n/"\
69 77 -e "s/\(^CONFIG_SQUASHFS.*\=\)[ym]/\1n/"\
70 78 -e "s/\(^CONFIG_W1.*\=\)[ym]/\1n/"\
71 79 -e "s/\(^CONFIG_HAMRADIO.*\=\).*/\1n/"\
72 80 -e "s/\(^CONFIG_CAN.*\=\).*/\1n/"\
73 81 -e "s/\(^CONFIG_IRDA.*\=\).*/\1n/"\
74 82 -e "s/\(^CONFIG_BT_.*\=\).*/\1n/"\
75 83 -e "s/\(^CONFIG_WIMAX.*\=\)[ym]/\1n/"\
76 84 -e "s/\(^CONFIG_6LOWPAN.*\=\).*/\1n/"\
77 85 -e "s/\(^CONFIG_IEEE802154.*\=\).*/\1n/"\
78 86 -e "s/\(^CONFIG_NFC.*\=\).*/\1n/"\
79 87 -e "s/\(^CONFIG_FB_TFT=.*\=\).*/\1n/"\
80 88 -e "s/\(^CONFIG_TOUCHSCREEN.*\=\).*/\1n/"\
81 89 -e "s/\(^CONFIG_USB_GSPCA_.*\=\).*/\1n/"\
82 90 -e "s/\(^CONFIG_DRM.*\=\).*/\1n/"\
83 91 "${KERNEL_DIR}/.config"
84 92 fi
85 93
86 94 if [ "$KERNELSRC_CONFIG" = true ] ; then
87 95 # Load default raspberry kernel configuration
88 96 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
89 97
98 #Switch to KERNELSRC_DIR so we can use set_kernel_config
99 cd "${KERNEL_DIR}" || exit
100
101 if [ "$KERNEL_ARCH" = arm64 ] ; then
102 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
103 # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
104 set_kernel_config CONFIG_MMC_BCM2835 n
105 set_kernel_config CONFIG_MMC_SDHCI_IPROC n
106 set_kernel_config CONFIG_USB_DWC2 n
107 sed -i "s|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA|depends on MMC_BCM2835_MMC|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
108
109 #VLAN got disabled without reason in arm64bit
110 set_kernel_config CONFIG_IPVLAN m
111 fi
112
113 # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
114 if [ "$KERNEL_ZSWAP" = true ] ; then
115 set_kernel_config CONFIG_ZPOOL y
116 set_kernel_config CONFIG_ZSWAP y
117 set_kernel_config CONFIG_ZBUD y
118 set_kernel_config CONFIG_Z3FOLD y
119 set_kernel_config CONFIG_ZSMALLOC y
120 set_kernel_config CONFIG_PGTABLE_MAPPING y
121 set_kernel_config CONFIG_LZO_COMPRESS y
122
123 fi
124
125 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
126 if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
127 set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
128 set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
129 set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
130 set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
131 set_kernel_config CONFIG_HAVE_KVM_IRQFD y
132 set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
133 set_kernel_config CONFIG_HAVE_KVM_MSI y
134 set_kernel_config CONFIG_KVM y
135 set_kernel_config CONFIG_KVM_ARM_HOST y
136 set_kernel_config CONFIG_KVM_ARM_PMU y
137 set_kernel_config CONFIG_KVM_COMPAT y
138 set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
139 set_kernel_config CONFIG_KVM_MMIO y
140 set_kernel_config CONFIG_KVM_VFIO y
141 set_kernel_config CONFIG_VHOST m
142 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
143 set_kernel_config CONFIG_VHOST_NET m
144 set_kernel_config CONFIG_VIRTUALIZATION y
145
146 set_kernel_config CONFIG_MMU_NOTIFIER y
147
148 # erratum
149 set_kernel_config ARM64_ERRATUM_834220 y
150
151 # https://sourceforge.net/p/kvm/mailman/message/18440797/
152 set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
153 fi
154
155 # enable apparmor,integrity audit,
156 if [ "$KERNEL_SECURITY" = true ] ; then
157
158 # security filesystem, security models and audit
159 set_kernel_config CONFIG_SECURITYFS y
160 set_kernel_config CONFIG_SECURITY y
161 set_kernel_config CONFIG_AUDIT y
162
163 # harden strcpy and memcpy
164 set_kernel_config CONFIG_HARDENED_USERCOPY y
165 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
166 set_kernel_config CONFIG_FORTIFY_SOURCE y
167
168 # integrity sub-system
169 set_kernel_config CONFIG_INTEGRITY y
170 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
171 set_kernel_config CONFIG_INTEGRITY_AUDIT y
172 set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
173 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y
174
175 # This option provides support for retaining authentication tokens and access keys in the kernel.
176 set_kernel_config CONFIG_KEYS y
177 set_kernel_config CONFIG_KEYS_COMPAT y
178
179 # Apparmor
180 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
181 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
182 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
183 set_kernel_config CONFIG_SECURITY_APPARMOR y
184 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
185 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
186
187 # restrictions on unprivileged users reading the kernel
188 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
189
190 # network security hooks
191 set_kernel_config CONFIG_SECURITY_NETWORK y
192 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
193 set_kernel_config CONFIG_SECURITY_PATH y
194 set_kernel_config CONFIG_SECURITY_YAMA n
195
196 # New Options
197 if [ "$KERNEL_NF" = true ] ; then
198 set_kernel_config CONFIG_IP_NF_SECURITY m
199 set_kernel_config CONFIG_NETLABEL y
200 set_kernel_config CONFIG_IP6_NF_SECURITY m
201 fi
202 set_kernel_config CONFIG_SECURITY_SELINUX n
203 set_kernel_config CONFIG_SECURITY_SMACK n
204 set_kernel_config CONFIG_SECURITY_TOMOYO n
205 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
206 set_kernel_config CONFIG_SECURITY_LOADPIN n
207 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
208 set_kernel_config CONFIG_IMA n
209 set_kernel_config CONFIG_EVM n
210 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
211 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
212 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
213 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
214 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
215 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
216 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
217 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
218 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
219 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
220
221 set_kernel_config CONFIG_ARM64_CRYPTO y
222 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
223 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
224 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
225 set_kernel_config CRYPTO_GHASH_ARM64_CE m
226 set_kernel_config CRYPTO_SHA2_ARM64_CE m
227 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
228 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
229 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
230 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
231 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
232 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
233 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
234 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
235 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
236 set_kernel_config SYSTEM_TRUSTED_KEYS
237 fi
238
239 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
240 if [ "$KERNEL_NF" = true ] ; then
241 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
242 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
243 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
244 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
245 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
246 set_kernel_config CONFIG_NFT_FIB_INET m
247 set_kernel_config CONFIG_NFT_FIB_IPV4 m
248 set_kernel_config CONFIG_NFT_FIB_IPV6 m
249 set_kernel_config CONFIG_NFT_FIB_NETDEV m
250 set_kernel_config CONFIG_NFT_OBJREF m
251 set_kernel_config CONFIG_NFT_RT m
252 set_kernel_config CONFIG_NFT_SET_BITMAP m
253 set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
254 set_kernel_config CONFIG_NF_LOG_ARP m
255 set_kernel_config CONFIG_NF_SOCKET_IPV4 m
256 set_kernel_config CONFIG_NF_SOCKET_IPV6 m
257 set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
258 set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
259 set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
260 set_kernel_config CONFIG_IP6_NF_IPTABLES m
261 set_kernel_config CONFIG_IP6_NF_MATCH_AH m
262 set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
263 set_kernel_config CONFIG_IP6_NF_NAT m
264 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
265 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
266 set_kernel_config CONFIG_IP_NF_SECURITY m
267 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
268 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
269 set_kernel_config CONFIG_IP_SET_HASH_IP m
270 set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
271 set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
272 set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
273 set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
274 set_kernel_config CONFIG_IP_SET_HASH_MAC m
275 set_kernel_config CONFIG_IP_SET_HASH_NET m
276 set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
277 set_kernel_config CONFIG_IP_SET_HASH_NETNET m
278 set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
279 set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
280 set_kernel_config CONFIG_IP_SET_LIST_SET m
281 set_kernel_config CONFIG_NETFILTER_XTABLES m
282 set_kernel_config CONFIG_NETFILTER_XTABLES m
283 set_kernel_config CONFIG_NFT_BRIDGE_META m
284 set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
285 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
286 set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
287 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
288 set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
289 set_kernel_config CONFIG_NFT_COMPAT m
290 set_kernel_config CONFIG_NFT_COUNTER m
291 set_kernel_config CONFIG_NFT_CT m
292 set_kernel_config CONFIG_NFT_DUP_IPV4 m
293 set_kernel_config CONFIG_NFT_DUP_IPV6 m
294 set_kernel_config CONFIG_NFT_DUP_NETDEV m
295 set_kernel_config CONFIG_NFT_EXTHDR m
296 set_kernel_config CONFIG_NFT_FWD_NETDEV m
297 set_kernel_config CONFIG_NFT_HASH m
298 set_kernel_config CONFIG_NFT_LIMIT m
299 set_kernel_config CONFIG_NFT_LOG m
300 set_kernel_config CONFIG_NFT_MASQ m
301 set_kernel_config CONFIG_NFT_MASQ_IPV4 m
302 set_kernel_config CONFIG_NFT_MASQ_IPV6 m
303 set_kernel_config CONFIG_NFT_META m
304 set_kernel_config CONFIG_NFT_NAT m
305 set_kernel_config CONFIG_NFT_NUMGEN m
306 set_kernel_config CONFIG_NFT_QUEUE m
307 set_kernel_config CONFIG_NFT_QUOTA m
308 set_kernel_config CONFIG_NFT_REDIR m
309 set_kernel_config CONFIG_NFT_REDIR_IPV4 m
310 set_kernel_config CONFIG_NFT_REDIR_IPV6 m
311 set_kernel_config CONFIG_NFT_REJECT m
312 set_kernel_config CONFIG_NFT_REJECT_INET m
313 set_kernel_config CONFIG_NFT_REJECT_IPV4 m
314 set_kernel_config CONFIG_NFT_REJECT_IPV6 m
315 set_kernel_config CONFIG_NFT_SET_HASH m
316 set_kernel_config CONFIG_NFT_SET_RBTREE m
317 set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
318 set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
319 set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
320 set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
321 set_kernel_config CONFIG_NF_DUP_IPV4 m
322 set_kernel_config CONFIG_NF_DUP_IPV6 m
323 set_kernel_config CONFIG_NF_DUP_NETDEV m
324 set_kernel_config CONFIG_NF_LOG_BRIDGE m
325 set_kernel_config CONFIG_NF_LOG_IPV4 m
326 set_kernel_config CONFIG_NF_LOG_IPV6 m
327 set_kernel_config CONFIG_NF_NAT_IPV4 m
328 set_kernel_config CONFIG_NF_NAT_IPV6 m
329 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
330 set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
331 set_kernel_config CONFIG_NF_NAT_PPTP m
332 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
333 set_kernel_config CONFIG_NF_NAT_REDIRECT m
334 set_kernel_config CONFIG_NF_NAT_SIP m
335 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
336 set_kernel_config CONFIG_NF_NAT_TFTP m
337 set_kernel_config CONFIG_NF_REJECT_IPV4 m
338 set_kernel_config CONFIG_NF_REJECT_IPV6 m
339 set_kernel_config CONFIG_NF_TABLES m
340 set_kernel_config CONFIG_NF_TABLES_ARP m
341 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
342 set_kernel_config CONFIG_NF_TABLES_INET m
343 set_kernel_config CONFIG_NF_TABLES_IPV4 m
344 set_kernel_config CONFIG_NF_TABLES_IPV6 m
345 set_kernel_config CONFIG_NF_TABLES_NETDEV m
346 fi
347
348 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
349 if [ "$KERNEL_BPF" = true ] ; then
350 set_kernel_config CONFIG_BPF_SYSCALL y
351 set_kernel_config CONFIG_BPF_EVENTS y
352 set_kernel_config CONFIG_BPF_STREAM_PARSER y
353 set_kernel_config CONFIG_CGROUP_BPF y
354 fi
355
356 # KERNEL_DEFAULT_GOV was set by user
357 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
358
359 case "$KERNEL_DEFAULT_GOV" in
360 performance)
361 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
362 ;;
363 userspace)
364 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
365 ;;
366 ondemand)
367 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
368 ;;
369 conservative)
370 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
371 ;;
372 shedutil)
373 set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
374 ;;
375 *)
376 echo "error: unsupported default cpu governor"
377 exit 1
378 ;;
379 esac
380
381 # unset previous default governor
382 unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
383 fi
384
385 #Revert to previous directory
386 cd "${WORKDIR}" || exit
387
90 388 # Set kernel configuration parameters to enable qemu emulation
91 389 if [ "$ENABLE_QEMU" = true ] ; then
92 390 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
93 391 echo "CONFIG_LBDAF=y" >> "${KERNEL_DIR}"/.config
94 392
95 393 if [ "$ENABLE_CRYPTFS" = true ] ; then
96 394 {
97 395 echo "CONFIG_EMBEDDED=y"
98 396 echo "CONFIG_EXPERT=y"
99 397 echo "CONFIG_DAX=y"
100 398 echo "CONFIG_MD=y"
101 399 echo "CONFIG_BLK_DEV_MD=y"
102 400 echo "CONFIG_MD_AUTODETECT=y"
103 401 echo "CONFIG_BLK_DEV_DM=y"
104 402 echo "CONFIG_BLK_DEV_DM_BUILTIN=y"
105 403 echo "CONFIG_DM_CRYPT=y"
106 404 echo "CONFIG_CRYPTO_BLKCIPHER=y"
107 405 echo "CONFIG_CRYPTO_CBC=y"
108 406 echo "CONFIG_CRYPTO_XTS=y"
109 407 echo "CONFIG_CRYPTO_SHA512=y"
110 408 echo "CONFIG_CRYPTO_MANAGER=y"
111 409 } >> "${KERNEL_DIR}"/.config
112 410 fi
113 411 fi
114 412
115 413 # Copy custom kernel configuration file
116 414 if [ -n "$KERNELSRC_USRCONFIG" ] ; then
117 415 cp "$KERNELSRC_USRCONFIG" "${KERNEL_DIR}"/.config
118 416 fi
119 417
120 418 # Set kernel configuration parameters to their default values
121 419 if [ "$KERNEL_OLDDEFCONFIG" = true ] ; then
122 420 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" olddefconfig
123 421 fi
124 422
125 423 # Start menu-driven kernel configuration (interactive)
126 424 if [ "$KERNEL_MENUCONFIG" = true ] ; then
127 425 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
128 426 fi
427 # end if "$KERNELSRC_CONFIG" = true
129 428 fi
130 429
131 430 # Use ccache to cross compile the kernel
132 431 if [ "$KERNEL_CCACHE" = true ] ; then
133 432 cc="ccache ${CROSS_COMPILE}gcc"
134 433 else
135 434 cc="${CROSS_COMPILE}gcc"
136 435 fi
137 436
138 437 # Cross compile kernel and dtbs
139 438 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" "${KERNEL_BIN_IMAGE}" dtbs
140 439
141 440 # Cross compile kernel modules
142 441 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
143 442 make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
144 443 fi
444 # end if "$KERNELSRC_PREBUILT" = false
145 445 fi
146 446
147 447 # Check if kernel compilation was successful
148 448 if [ ! -r "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" ] ; then
149 449 echo "error: kernel compilation failed! (kernel image not found)"
150 450 cleanup
151 451 exit 1
152 452 fi
153 453
154 454 # Install kernel modules
155 455 if [ "$ENABLE_REDUCE" = true ] ; then
156 456 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
157 457 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
158 458 fi
159 459 else
160 460 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
161 461 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
162 462 fi
163 463
164 464 # Install kernel firmware
165 465 if grep -q "^firmware_install:" "${KERNEL_DIR}/Makefile" ; then
166 466 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
167 467 fi
168 468 fi
169 469
170 470 # Install kernel headers
171 471 if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then
172 472 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
173 473 fi
174 474
175 475 # Prepare boot (firmware) directory
176 476 mkdir "${BOOT_DIR}"
177 477
178 478 # Get kernel release version
179 479 KERNEL_VERSION=$(cat "${KERNEL_DIR}/include/config/kernel.release")
180 480
181 481 # Copy kernel configuration file to the boot directory
182 482 install_readonly "${KERNEL_DIR}/.config" "${R}/boot/config-${KERNEL_VERSION}"
183 483
184 484 # Prepare device tree directory
185 485 mkdir "${BOOT_DIR}/overlays"
186 486
187 487 # Ensure the proper .dtb is located
188 488 if [ "$KERNEL_ARCH" = "arm" ] ; then
189 489 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb ; do
190 490 if [ -f "${dtb}" ] ; then
191 491 install_readonly "${dtb}" "${BOOT_DIR}/"
192 492 fi
193 493 done
194 494 else
195 495 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/broadcom/"*.dtb ; do
196 496 if [ -f "${dtb}" ] ; then
197 497 install_readonly "${dtb}" "${BOOT_DIR}/"
198 498 fi
199 499 done
200 500 fi
201 501
202 502 # Copy compiled dtb device tree files
203 503 if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then
204 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb ; do
504 for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do
205 505 if [ -f "${dtb}" ] ; then
206 506 install_readonly "${dtb}" "${BOOT_DIR}/overlays/"
207 507 fi
208 508 done
209 509
210 510 if [ -f "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" ] ; then
211 511 install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "${BOOT_DIR}/overlays/README"
212 512 fi
213 513 fi
214 514
215 515 if [ "$ENABLE_UBOOT" = false ] ; then
216 516 # Convert and copy kernel image to the boot directory
217 517 "${KERNEL_DIR}/scripts/mkknlimg" "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
218 518 else
219 519 # Copy kernel image to the boot directory
220 520 install_readonly "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/${KERNEL_BIN_IMAGE}" "${BOOT_DIR}/${KERNEL_IMAGE}"
221 521 fi
222 522
223 523 # Remove kernel sources
224 524 if [ "$KERNEL_REMOVESRC" = true ] ; then
225 525 rm -fr "${KERNEL_DIR}"
226 526 else
227 527 # Prepare compiled kernel modules
228 528 if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
229 529 if grep -q "^modules_prepare:" "${KERNEL_DIR}/Makefile" ; then
230 530 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" modules_prepare
231 531 fi
232 532
233 533 # Create symlinks for kernel modules
234 534 chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/build"
235 535 chroot_exec ln -sf /usr/src/linux "/lib/modules/${KERNEL_VERSION}/source"
236 536 fi
237 537 fi
238 538
239 539 else # BUILD_KERNEL=false
240 # Kernel installation
241 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
540 if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
541
542 # Use Sakakis modified kernel if ZSWAP is active
543 if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
544 RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
545 fi
546
547 # Create temporary directory for dl
548 temp_dir=$(as_nobody mktemp -d)
549
550 # Fetch kernel dl
551 as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
552
553 #extract download
554 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
555
556 #move extracted kernel to /boot/firmware
557 mkdir "${R}/boot/firmware"
558 cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
559 cp -r "${temp_dir}"/lib/* "${R}"/lib/
560
561 # Remove temporary directory for kernel sources
562 rm -fr "${temp_dir}"
563
564 # Set permissions of the kernel sources
565 chown -R root:root "${R}/boot/firmware"
566 chown -R root:root "${R}/lib/modules"
567 fi
568
569 # Install Kernel from hypriot comptabile with all Raspberry PI
570 if [ "$SET_ARCH" = 32 ] ; then
571 # Create temporary directory for dl
572 temp_dir=$(as_nobody mktemp -d)
573
574 # Fetch kernel
575 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
242 576
243 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
244 chroot_exec apt-get -qq -y install flash-kernel
577 # Copy downloaded U-Boot sources
578 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
579
580 # Set permissions
581 chown -R root:root "${R}"/tmp/kernel.deb
582
583 # Install kernel
584 chroot_exec dpkg -i /tmp/kernel.deb
585
586 # move /boot to /boot/firmware to fit script env.
587 #mkdir "${BOOT_DIR}"
588 mkdir "${temp_dir}"/firmware
589 mv "${R}"/boot/* "${temp_dir}"/firmware/
590 mv "${temp_dir}"/firmware "${R}"/boot/
591
592 #same for kernel headers
593 if [ "$KERNEL_HEADERS" = true ] ; then
594 # Fetch kernel header
595 as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
596 mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
597 chown -R root:root "${R}"/tmp/kernel-header.deb
598 # Install kernel header
599 chroot_exec dpkg -i /tmp/kernel-header.deb
600 rm -f "${R}"/tmp/kernel-header.deb
601 fi
602
603 # Remove temporary directory and files
604 rm -fr "${temp_dir}"
605 rm -f "${R}"/tmp/kernel.deb
606 fi
245 607
246 608 # Check if kernel installation was successful
247 VMLINUZ="$(ls -1 "${R}"/boot/vmlinuz-* | sort | tail -n 1)"
248 if [ -z "$VMLINUZ" ] ; then
249 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
609 KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)"
610 if [ -z "$KERNEL" ] ; then
611 echo "error: kernel installation failed! (/boot/kernel* not found)"
250 612 cleanup
251 613 exit 1
252 614 fi
253 # Copy vmlinuz kernel to the boot directory
254 install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}"
255 615 fi
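Review bot: The prebuilt kernels fetched in the `BUILD_KERNEL=false` branch (`wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"`, and likewise `kernel.deb` from `RPI_32_KERNEL_URL` and `kernel-header.deb` from `RPI_32_KERNELHEADER_URL`) are unpacked and installed into the image as root with no integrity check, so a tampered or truncated download becomes the boot kernel silently; verifying a pinned digest before the `tar -xJf` / `chroot_exec dpkg -i` step, e.g. `echo "<EXPECTED_SHA256>  ${temp_dir}/kernel.tar.xz" | sha256sum -c - || { cleanup; exit 1; }` with the digest kept alongside the URL variables, would close that. Separately, the governor `case` matches only lowercase names and has a `shedutil)` arm, while the README on this page documents the default as `ONDEMAND` and the option as `SCHEDUTIL`; as written the documented default falls into the `*)` arm and exits, and that arm prints to stdout and skips `cleanup`, unlike the "kernel compilation failed" path further down. The security block also sets `CONFIG_SYSTEM_TRUSTED_KEYS` to `y` and later to `m`, calls `set_kernel_config SYSTEM_TRUSTED_KEYS` with no value, and drops the `CONFIG_` prefix on `ARM64_ERRATUM_834220`, `CRYPTO_GHASH_ARM64_CE` and `CRYPTO_SHA2_ARM64_CE`, which looks like leftover editing unless `set_kernel_config` normalises names (it is defined outside this hunk, so I cannot confirm). The final `KERNEL="$(ls -1 ... | sort | tail -n 1)"` check also reports `/boot/kernel*` while it looks in `/boot/firmware/kernel*`.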
@@ -1,59 +1,116
1 1 #
2 2 # Setup fstab and initramfs
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup fstab
9 9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10 10
11 11 # Add usb/sda disk root partition to fstab
12 12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
14 14 fi
15 15
16 16 # Add encrypted root partition to fstab and crypttab
17 17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 18 # Replace fstab root partition with encrypted partition mapping
19 19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20 20
21 21 # Add encrypted partition to crypttab and fstab
22 22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24 24
25 25 if [ "$ENABLE_SPLITFS" = true ] ; then
26 # Add usb/sda disk to crypttab
26 # Add usb/sda1 disk to crypttab
27 27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28 28 fi
29 29 fi
30 30
31 if [ "$ENABLE_USBBOOT" = true ] ; then
32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
35 # Add usb/sda2 disk to crypttab
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
37 fi
38
31 39 # Generate initramfs file
32 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
40 if [ "$ENABLE_INITRAMFS" = true ] ; then
33 41 if [ "$ENABLE_CRYPTFS" = true ] ; then
34 42 # Include initramfs scripts to auto expand encrypted root partition
35 43 if [ "$EXPANDROOT" = true ] ; then
36 44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
37 45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
38 46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
39 47 fi
48
49 if [ "$ENABLE_DHCP" = false ] ; then
50 # Get cdir from NET_ADDRESS e.g. 24
51 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
52
53 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
54 NET_MASK=$(cdr2mask "$cdir")
55
56 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
58
59 # Regenerate initramfs
60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
61 fi
62
63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
64 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
65 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
66 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
67 else
68 # Create key
69 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
70
71 # Convert dropbear key to openssh key
72 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
73
74 # Get Public Key Part
75 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
76
77 # Delete unwanted lines
78 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
79 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
80
81 # Trust the new key
82 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
83
84 # Save Keys - convert with putty from rsa/openssh to puttkey
85 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
86
87 # Get unlock script
88 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
89
90 # Enable Dropbear inside initramfs
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
40 92
41 # Disable SSHD inside initramfs
42 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
93 # Enable Dropbear inside initramfs
94 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
95 fi
96 else
97 # Disable SSHD inside initramfs
98 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
99 fi
43 100
44 101 # Add cryptsetup modules to initramfs
45 102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
46 103
47 104 # Dummy mapping required by mkinitramfs
48 105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
49 106
50 107 # Generate initramfs with encrypted root partition support
51 108 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
52 109
53 110 # Remove dummy mapping
54 111 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
55 112 else
56 113 # Generate initramfs without encrypted root partition support
57 114 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
58 115 fi
59 116 fi
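Review bot: The static-IP branch executes the configured address as a command: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` tries to run e.g. `192.168.1.10/24` as a program instead of printing it, so cdir is empty, cdr2mask gets no argument and the IP= line appended to initramfs.conf carries an empty netmask; it should be `cdir=$(echo "${NET_ADDRESS}" | cut -d '/' -f2)`, the same form the networking script uses to derive NET_IP. Separately, the generated dropbear key is exported to `${BASEDIR}/dropbear_initramfs_key.rsa`, but the private material (`id_rsa` and `id_rsa.dropbear`) stays in `/etc/dropbear-initramfs` inside the image, where that very key is the only entry written to authorized_keys; consider removing both from the image after the copy and checking the exported file's mode, which `cp -f` inherits from whatever dropbearconvert created. The `sed -i "54 i sleep 5"` edits a packaged script by a fixed line number and will silently misplace the sleep when the package changes, so anchor it on a pattern instead, and its comment "Enable Dropbear inside initramfs" is a copy of the line above and should describe the delay.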
@@ -1,229 +1,300
1 1 #
2 2 # Setup RPi2/3 config and cmdline
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 if [ "$BUILD_KERNEL" = true ] ; then
9 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
10 # Install boot binaries from local directory
11 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
14 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
15 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
16 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
17 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
18 else
19 # Create temporary directory for boot binaries
20 temp_dir=$(as_nobody mktemp -d)
21
22 # Install latest boot binaries from raspberry/firmware github
23 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
24 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
25 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
26 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
27 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
28 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
29 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
30
31 # Move downloaded boot binaries
32 mv "${temp_dir}/"* "${BOOT_DIR}/"
33
34 # Remove temporary directory for boot binaries
35 rm -fr "${temp_dir}"
36
37 # Set permissions of the boot binaries
38 chown -R root:root "${BOOT_DIR}"
39 chmod -R 600 "${BOOT_DIR}"
40 fi
8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
9 # Install boot binaries from local directory
10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
11 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
14 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
15 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
16 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
17 else
18 # Create temporary directory for boot binaries
19 temp_dir=$(as_nobody mktemp -d)
20
21 # Install latest boot binaries from raspberry/firmware github
22 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
23 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
24 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
25 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
26 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
27 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
28 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
29
30 # Move downloaded boot binaries
31 mv "${temp_dir}/"* "${BOOT_DIR}/"
32
33 # Remove temporary directory for boot binaries
34 rm -fr "${temp_dir}"
35
36 # Set permissions of the boot binaries
37 chown -R root:root "${BOOT_DIR}"
38 chmod -R 600 "${BOOT_DIR}"
41 39 fi
42 40
43 41 # Setup firmware boot cmdline
44 if [ "$ENABLE_SPLITFS" = true ] ; then
45 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
42 if [ "$ENABLE_USBBOOT" = true ] ; then
43 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
46 44 else
47 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
45 if [ "$ENABLE_SPLITFS" = true ] ; then
46 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
47 else
48 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
49 fi
48 50 fi
49 51
50 52 # Add encrypted root partition to cmdline.txt
51 53 if [ "$ENABLE_CRYPTFS" = true ] ; then
52 54 if [ "$ENABLE_SPLITFS" = true ] ; then
53 55 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
54 56 else
55 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
57 if [ "$ENABLE_USBBOOT" = true ] ; then
58 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
59 else
60 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
61 fi
56 62 fi
57 63 fi
58 64
59 #locks cpu at max frequency
60 if [ "$ENABLE_TURBO" = true ] ; then
61 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
62 fi
63
65 # Enable Kernel messages on standard output
64 66 if [ "$ENABLE_PRINTK" = true ] ; then
65 67 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
66 68 fi
67 69
68 # Install udev rule for serial alias
70 # Enable Kernel messages on standard output
71 if [ "$KERNEL_SECURITY" = true ] ; then
72 install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
73 fi
74
75 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
69 76 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
70 77
78 # Remove IPv6 networking support
79 if [ "$ENABLE_IPV6" = false ] ; then
80 CMDLINE="${CMDLINE} ipv6.disable=1"
81 fi
82
83 # Automatically assign predictable network interface names
84 if [ "$ENABLE_IFNAMES" = false ] ; then
85 CMDLINE="${CMDLINE} net.ifnames=0"
86 else
87 CMDLINE="${CMDLINE} net.ifnames=1"
88 fi
89
90 # Disable Raspberry Pi console logo
91 if [ "$ENABLE_LOGO" = false ] ; then
92 CMDLINE="${CMDLINE} logo.nologo"
93 fi
94
95 # Strictly limit verbosity of boot up console messages
96 if [ "$ENABLE_SILENT_BOOT" = true ] ; then
97 CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
98 fi
99
100 # Install firmware config
101 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
102
103 # Disable Raspberry Pi console logo
104 if [ "$ENABLE_SLASH" = false ] ; then
105 echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
106 fi
107
108 # Locks CPU frequency at maximum
109 if [ "$ENABLE_TURBO" = true ] ; then
110 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
111 # helps to avoid sdcard corruption when force_turbo is enabled.
112 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
113 fi
114
71 115 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
72
73 # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface
74 SET_SERIAL="ttyS0"
75
116
76 117 # Bluetooth enabled
77 118 if [ "$ENABLE_BLUETOOTH" = true ] ; then
78 119 # Create temporary directory for Bluetooth sources
79 120 temp_dir=$(as_nobody mktemp -d)
80 121
81 122 # Fetch Bluetooth sources
82 123 as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
83 124
84 125 # Copy downloaded sources
85 126 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
86 127
87 128 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
88 129 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
89 130 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth
90 131
91 132 # Set permissions
92 133 chown -R root:root "${R}/tmp/pi-bluetooth"
93 134
94 135 # Install tools
95 136 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
96 137 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
97 138
139 # make scripts executable
140 chmod +x "${R}/usr/bin/bthelper"
141 chmod +x "${R}/usr/bin/btuart"
142
98 143 # Install bluetooth udev rule
99 144 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
100 145
101 146 # Install Firmware Flash file and apropiate licence
102 147 mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
103 148 install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
104 149 install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
105 150 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
106 151 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
107
108 # Remove temporary directory
152
153 # Remove temporary directories
109 154 rm -fr "${temp_dir}"
110
155 rm -fr "${R}"/tmp/pi-bluetooth
156
111 157 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
112 158 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
113 SET_SERIAL="ttyAMA0"
114
115 159 # set overlay to swap ttyAMA0 and ttyS0
116 160 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
117 161
118 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
119 162 if [ "$ENABLE_TURBO" = false ] ; then
120 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
121 fi
163 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
164 fi
122 165
123 # Activate services
124 chroot_exec systemctl enable pi-bluetooth.hciuart.service
125 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
126 else
127 chroot_exec systemctl enable pi-bluetooth.hciuart.service
128 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
129 166 fi
130
167
168 # Activate services
169 chroot_exec systemctl enable pi-bluetooth.hciuart.service
170
131 171 else # if ENABLE_BLUETOOTH = false
132 172 # set overlay to disable bluetooth
133 173 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
134 174 fi # ENABLE_BLUETOOTH end
135
136 else
137 # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface
138 SET_SERIAL="ttyAMA0"
139 175 fi
140 176
141 177 # may need sudo systemctl disable hciuart
142 178 if [ "$ENABLE_CONSOLE" = true ] ; then
143 179 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
144 180 # add string to cmdline
145 181 CMDLINE="${CMDLINE} console=serial0,115200"
146
182
183 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then
184 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
185 if [ "$ENABLE_TURBO" = false ] ; then
186 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
187 fi
188 fi
189
147 190 # Enable serial console systemd style
148 chroot_exec systemctl enable serial-getty\@"$SET_SERIAL".service
191 chroot_exec systemctl enable serial-getty@serial0.service
149 192 else
150 193 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
151 # disable serial console systemd style
152 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
153 194 fi
154 195
155 # Remove IPv6 networking support
156 if [ "$ENABLE_IPV6" = false ] ; then
157 CMDLINE="${CMDLINE} ipv6.disable=1"
196 # Disable dphys-swapfile service. Will get enabled on first boot
197 if [ "$ENABLE_DPHYSSWAP" = true ] ; then
198 chroot_exec systemctl disable dphys-swapfile
158 199 fi
159 200
160 # Automatically assign predictable network interface names
161 if [ "$ENABLE_IFNAMES" = false ] ; then
162 CMDLINE="${CMDLINE} net.ifnames=0"
201 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
202 # Create temporary directory for systemd-swap sources
203 temp_dir=$(as_nobody mktemp -d)
204
205 # Fetch systemd-swap sources
206 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
207
208 # Copy downloaded systemd-swap sources
209 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
210
211 # Change into downloaded src dir
212 cd "${R}/tmp/systemd-swap" || exit
213
214 # Build package
215 bash ./package.sh debian
216
217 # Change back into script root dir
218 cd "${WORKDIR}" || exit
219
220 # Set permissions of the systemd-swap sources
221 chown -R root:root "${R}/tmp/systemd-swap"
222
223 # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
224 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
225
226 # Enable service
227 chroot_exec systemctl enable systemd-swap
228
229 # Remove temporary directory for systemd-swap sources
230 rm -fr "${temp_dir}"
163 231 else
164 CMDLINE="${CMDLINE} net.ifnames=1"
232 # Enable ZSWAP in cmdline if systemd-swap is not used
233 if [ "$KERNEL_ZSWAP" = true ] ; then
234 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
235 fi
165 236 fi
237 if [ "$KERNEL_SECURITY" = true ] ; then
238 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
239 fi
166 240
167 241 # Install firmware boot cmdline
168 242 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
169 243
170 # Install firmware config
171 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
172
173 244 # Setup minimal GPU memory allocation size: 16MB (no X)
174 245 if [ "$ENABLE_MINGPU" = true ] ; then
175 246 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
176 247 fi
177 248
178 249 # Setup boot with initramfs
179 250 if [ "$ENABLE_INITRAMFS" = true ] ; then
180 251 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
181 252 fi
182 253
183 254 # Create firmware configuration and cmdline symlinks
184 255 ln -sf firmware/config.txt "${R}/boot/config.txt"
185 256 ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
186 257
187 258 # Install and setup kernel modules to load at boot
188 259 mkdir -p "${LIB_DIR}/modules-load.d/"
189 260 install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
190 261
191 262 # Load hardware random module at boot
192 263 if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
193 264 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
194 265 fi
195 266
196 267 # Load sound module at boot
197 268 if [ "$ENABLE_SOUND" = true ] ; then
198 269 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
199 270 else
200 271 echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
201 272 fi
202 273
203 274 # Enable I2C interface
204 275 if [ "$ENABLE_I2C" = true ] ; then
205 276 echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
206 277 sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
207 278 sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
208 279 fi
209 280
210 281 # Enable SPI interface
211 282 if [ "$ENABLE_SPI" = true ] ; then
212 283 echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
213 284 echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
214 285 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]; then
215 286 sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
216 287 fi
217 288 fi
218 289
219 290 # Disable RPi2/3 under-voltage warnings
220 291 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
221 292 echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
222 293 fi
223 294
224 295 # Install kernel modules blacklist
225 296 mkdir -p "${ETC_DIR}/modprobe.d/"
226 297 install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
227 298
228 299 # Install sysctl.d configuration files
229 300 install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"
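Review bot: In the new ENABLE_SYSTEMDSWAP block, `bash ./package.sh debian` runs an unpinned upstream checkout presumably as root on the build host rather than inside the chroot, and it runs while the tree is still owned by nobody since the `chown -R root:root` only follows; the U-Boot build in this same series stays inside the chroot via `chroot_exec make -C /tmp/u-boot/`. Consider pinning the clone to a tag or commit and building after the chown with `chroot_exec sh -c 'cd /tmp/systemd-swap && bash ./package.sh debian'`, assuming the package's build dependencies are present in the chroot. The `dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb` line hard-codes the version (the comment already flags this); `chroot_exec sh -c 'dpkg -i /tmp/systemd-swap/systemd-swap_*_any.deb'` avoids breaking on the next upstream bump, and `${R}/tmp/systemd-swap` is never removed, unlike the pi-bluetooth tree above. Also the comment above the KERNEL_SECURITY sysctl install repeats "Enable Kernel messages on standard output" from the ENABLE_PRINTK block; something like `# Install ASLR sysctl settings` describes what that line does.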
@@ -1,132 +1,136
1 1 #
2 2 # Setup Networking
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup hostname
9 9 install_readonly files/network/hostname "${ETC_DIR}/hostname"
10 10 sed -i "s/^RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hostname"
11 11
12 12 # Install and setup hosts
13 13 install_readonly files/network/hosts "${ETC_DIR}/hosts"
14 14 sed -i "s/RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hosts"
15 15
16 16 # Setup hostname entry with static IP
17 17 if [ "$NET_ADDRESS" != "" ] ; then
18 18 NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
19 19 sed -i "s/^127.0.1.1/${NET_IP}/" "${ETC_DIR}/hosts"
20 20 fi
21 21
22 22 # Remove IPv6 hosts
23 23 if [ "$ENABLE_IPV6" = false ] ; then
24 24 sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETC_DIR}/hosts"
25 25 fi
26 26
27 27 # Install hint about network configuration
28 28 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
29 29
30 30 # Install configuration for interface eth0
31 31 install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
32 32
33 if [ "$RPI_MODEL" = 3P ] ; then
34 printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network"
35 fi
36
33 37 # Install configuration for interface wl*
34 38 install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
35 39
36 40 #always with dhcp since wpa_supplicant integration is missing
37 41 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/wlan.network"
38 42
39 43 if [ "$ENABLE_DHCP" = true ] ; then
40 44 # Enable DHCP configuration for interface eth0
41 45 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/eth.network"
42 46
43 47 # Set DHCP configuration to IPv4 only
44 48 if [ "$ENABLE_IPV6" = false ] ; then
45 49 sed -i "s/DHCP=.*/DHCP=v4/" "${ETC_DIR}/systemd/network/eth.network"
46 50 fi
47 51
48 52 else # ENABLE_DHCP=false
49 53 # Set static network configuration for interface eth0
50 54 sed -i\
51 55 -e "s|DHCP=.*|DHCP=no|"\
52 56 -e "s|Address=\$|Address=${NET_ADDRESS}|"\
53 57 -e "s|Gateway=\$|Gateway=${NET_GATEWAY}|"\
54 58 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_1}|"\
55 59 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_2}|"\
56 60 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
57 61 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
58 62 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
59 63 "${ETC_DIR}/systemd/network/eth.network"
60 64 fi
61 65
62 66 # Remove empty settings from network configuration
63 67 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/eth.network"
64 68 # Remove empty settings from wlan configuration
65 69 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/wlan.network"
66 70
67 71 # Move systemd network configuration if required by Debian release
68 72 mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
69 73 # If WLAN is enabled copy wlan configuration too
70 74 if [ "$ENABLE_WIRELESS" = true ] ; then
71 75 mv -v "${ETC_DIR}/systemd/network/wlan.network" "${LIB_DIR}/systemd/network/11-wlan.network"
72 76 fi
73 77 rm -fr "${ETC_DIR}/systemd/network"
74 78
75 79 # Enable systemd-networkd service
76 80 chroot_exec systemctl enable systemd-networkd
77 81
78 82 # Install host.conf resolver configuration
79 83 install_readonly files/network/host.conf "${ETC_DIR}/host.conf"
80 84
81 85 # Enable network stack hardening
82 86 if [ "$ENABLE_HARDNET" = true ] ; then
83 87 # Install sysctl.d configuration files
84 88 install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETC_DIR}/sysctl.d/82-rpi-net-hardening.conf"
85 89
86 90 # Setup resolver warnings about spoofed addresses
87 91 sed -i "s/^# spoof warn/spoof warn/" "${ETC_DIR}/host.conf"
88 92 fi
89 93
90 94 # Enable time sync
91 95 if [ "$NET_NTP_1" != "" ] ; then
92 96 chroot_exec systemctl enable systemd-timesyncd.service
93 97 fi
94 98
95 99 # Download the firmware binary blob required to use the RPi3 wireless interface
96 100 if [ "$ENABLE_WIRELESS" = true ] ; then
97 101 if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then
98 102 mkdir -p "${WLAN_FIRMWARE_DIR}"
99 103 fi
100 104
101 105 # Create temporary directory for firmware binary blob
102 106 temp_dir=$(as_nobody mktemp -d)
103 107
104 108 # Fetch firmware binary blob for RPI3B+
105 109 if [ "$RPI_MODEL" = 3P ] ; then
106 110 # Fetch firmware binary blob for RPi3P
107 111 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
108 112 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
109 113 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
110 114
111 115 # Move downloaded firmware binary blob
112 116 mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
113 117
114 118 # Set permissions of the firmware binary blob
115 119 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
116 120 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
117 121 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
118 122 # Fetch firmware binary blob for RPi3
119 123 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
120 124 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
121 125
122 126 # Move downloaded firmware binary blob
123 127 mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
124 128
125 129 # Set permissions of the firmware binary blob
126 130 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
127 131 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
128 132 fi
129 133
130 134 # Remove temporary directory for firmware binary blob
131 135 rm -fr "${temp_dir}"
132 136 fi
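Review bot: The new [Link] block for RPI_MODEL 3P turns off three NIC offload features without saying why, so a reader cannot tell whether it is a workaround that can be dropped later or a permanent requirement. Add a why-comment above it, e.g. `# RPi3B+ only: disable GRO/TSO/GSO on eth0 (presumably a workaround for that model's Ethernet adapter — confirm and drop once no longer needed)`. The printf also omits a trailing newline after `GenericSegmentationOffload=off`, so the file ends without one and any later append would start on the same line; ending the format string with `\n` avoids that.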
@@ -1,48 +1,54
1 1 #
2 2 # Setup Firewall
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_IPTABLES" = true ] ; then
9 9 # Create iptables configuration directory
10 10 mkdir -p "${ETC_DIR}/iptables"
11 11
12 # make sure iptables-legacy is the used alternatives
13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
12 if [ "$KERNEL_NF" = false ] ; then
13 # iptables-save and -restore are slaves of iptables and thus are set accordingly
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 fi
15 16
16 17 # Install iptables systemd service
17 18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
18 19
19 20 # Install flush-table script called by iptables service
20 21 install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
21 22
22 23 # Install iptables rule file
23 24 install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
24 25
25 26 # Reload systemd configuration and enable iptables service
26 27 chroot_exec systemctl daemon-reload
27 28 chroot_exec systemctl enable iptables.service
28 29
29 30 if [ "$ENABLE_IPV6" = true ] ; then
31 if [ "$KERNEL_NF" = false ] ; then
32 # iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
35
30 36 # Install ip6tables systemd service
31 37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
32 38
33 39 # Install ip6tables file
34 40 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
35 41
36 42 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
37 43
38 44 # Reload systemd configuration and enable iptables service
39 45 chroot_exec systemctl daemon-reload
40 46 chroot_exec systemctl enable ip6tables.service
41 47 fi
42 48
43 49 if [ "$ENABLE_SSHD" = false ] ; then
44 50 # Remove SSHD related iptables rules
45 51 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
46 52 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
47 53 fi
48 54 fi
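Review bot: The new `[ "$KERNEL_NF" = false ]` guards only switch the alternatives to iptables-legacy when KERNEL_NF is explicitly false; if the variable is unset or empty, the switch that used to be unconditional is silently skipped and the rules file is loaded by whichever backend the package default selects. Testing `[ "$KERNEL_NF" != true ]` in both places keeps the previous behaviour as the default. The ip6tables alternative is set only when ENABLE_IPV6 is true, which matches where the service is installed, but a comment such as `# Use the legacy xtables backend unless the kernel was built with nf_tables support` would explain the guard better than the repeated slaves remark.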
@@ -1,29 +1,24
1 1 #
2 2 # Setup users and security settings
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Generate crypt(3) password string
9 9 ENCRYPTED_PASSWORD=$(mkpasswd -m sha-512 "${PASSWORD}")
10 10 ENCRYPTED_USER_PASSWORD=$(mkpasswd -m sha-512 "${USER_PASSWORD}")
11 11
12 12 # Setup default user
13 13 if [ "$ENABLE_USER" = true ] ; then
14 14 chroot_exec adduser --gecos "$USER_NAME" --add_extra_groups --disabled-password "$USER_NAME"
15 15 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" "$USER_NAME"
16 16 fi
17 17
18 18 # Setup root password or not
19 19 if [ "$ENABLE_ROOT" = true ] ; then
20 20 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
21 21 else
22 22 # Set no root password to disable root login
23 23 chroot_exec usermod -p \'!\' root
24 24 fi
25
26 # Enable serial console systemd style
27 if [ "$ENABLE_CONSOLE" = true ] ; then
28 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
29 fi
@@ -1,100 +1,105
1 1 #
2 2 # Build and Setup U-Boot
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Fetch and build U-Boot bootloader
9 9 if [ "$ENABLE_UBOOT" = true ] ; then
10 10 # Install c/c++ build environment inside the chroot
11 11 chroot_install_cc
12 12
13 13 # Copy existing U-Boot sources into chroot directory
14 14 if [ -n "$UBOOTSRC_DIR" ] && [ -d "$UBOOTSRC_DIR" ] ; then
15 15 # Copy local U-Boot sources
16 16 cp -r "${UBOOTSRC_DIR}" "${R}/tmp"
17 17 else
18 18 # Create temporary directory for U-Boot sources
19 19 temp_dir=$(as_nobody mktemp -d)
20 20
21 21 # Fetch U-Boot sources
22 22 as_nobody git -C "${temp_dir}" clone "${UBOOT_URL}"
23 23
24 24 # Copy downloaded U-Boot sources
25 25 mv "${temp_dir}/u-boot" "${R}/tmp/"
26 26
27 27 # Set permissions of the U-Boot sources
28 28 chown -R root:root "${R}/tmp/u-boot"
29 29
30 30 # Remove temporary directory for U-Boot sources
31 31 rm -fr "${temp_dir}"
32 32 fi
33 33
34 34 # Build and install U-Boot inside chroot
35 35 chroot_exec make -j"${KERNEL_THREADS}" -C /tmp/u-boot/ "${UBOOT_CONFIG}" all
36 36
37 37 # Copy compiled bootloader binary and set config.txt to load it
38 38 install_exec "${R}/tmp/u-boot/tools/mkimage" "${R}/usr/sbin/mkimage"
39 39 install_readonly "${R}/tmp/u-boot/u-boot.bin" "${BOOT_DIR}/u-boot.bin"
40 40 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "${BOOT_DIR}/config.txt"
41 41
42 42 # Install and setup U-Boot command file
43 43 install_readonly files/boot/uboot.mkimage "${BOOT_DIR}/uboot.mkimage"
44 44 printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat "${BOOT_DIR}"/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
45 45
46 46 if [ "$ENABLE_INITRAMFS" = true ] ; then
47 47 # Convert generated initramfs for U-Boot using mkimage
48 48 chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "/boot/firmware/initramfs-${KERNEL_VERSION}" "/boot/firmware/initramfs-${KERNEL_VERSION}.uboot"
49 49
50 50 # Remove original initramfs file
51 51 rm -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}"
52 52
53 53 # Configure U-Boot to load generated initramfs
54 54 printf "# Set initramfs file\nsetenv initramfs initramfs-${KERNEL_VERSION}.uboot\n\n$(cat "${BOOT_DIR}"/uboot.mkimage)" > "${BOOT_DIR}/uboot.mkimage"
55 55 printf "\nbootz \${kernel_addr_r} \${ramdisk_addr_r} \${fdt_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
56 56 else # ENABLE_INITRAMFS=false
57 57 # Remove initramfs from U-Boot mkfile
58 58 sed -i '/.*initramfs.*/d' "${BOOT_DIR}/uboot.mkimage"
59 59
60 60 if [ "$BUILD_KERNEL" = false ] ; then
61 61 # Remove dtbfile from U-Boot mkfile
62 62 sed -i '/.*dtbfile.*/d' "${BOOT_DIR}/uboot.mkimage"
63 63 printf "\nbootz \${kernel_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
64 64 else
65 65 printf "\nbootz \${kernel_addr_r} - \${fdt_addr_r}" >> "${BOOT_DIR}/uboot.mkimage"
66 66 fi
67 67 fi
68 68
69 69 if [ "$SET_ARCH" = 64 ] ; then
70 70 echo "Setting up config.txt to boot 64bit uboot"
71 71 {
72 72 printf "\n# 64bit-mode"
73 73 printf "\n# arm_control=0x200 is deprecated https://www.raspberrypi.org/documentation/configuration/config-txt/misc.md"
74 74 printf "\narm_64bit=1"
75 75 } >> "${BOOT_DIR}/config.txt"
76 76
77 77 #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)]
78 78 sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage"
79 79 fi
80
81 # instead of sd, boot from usb device
82 if [ "$ENABLE_USBBOOT" = true ] ; then
83 sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"
84 fi
80 85
81 86 # Set mkfile to use the correct dtb file
82 87 sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage"
83 88
84 89 # Set mkfile to use the correct mach id
85 90 if [ "$ENABLE_QEMU" = true ] ; then
86 91 sed -i "s/^\(setenv machid \).*/\10x000008e0/" "${BOOT_DIR}/uboot.mkimage"
87 92 fi
88 93
89 94 # Set mkfile to use kernel image
90 95 sed -i "s|kernel7.img|${KERNEL_IMAGE}|" "${BOOT_DIR}/uboot.mkimage"
91 96
92 97 # Remove all leading blank lines
93 98 sed -i "/./,\$!d" "${BOOT_DIR}/uboot.mkimage"
94 99
95 100 # Generate U-Boot bootloader image
96 101 chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi${RPI_MODEL}" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
97 102
98 103 # Remove U-Boot sources
99 104 rm -fr "${R}/tmp/u-boot"
100 105 fi
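Review bot: The new USB-boot rewrite on line 83, `sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"`, replaces the substring `mmc` everywhere in the file, not only in the U-Boot device arguments it is aimed at. Line 44 writes `${CMDLINE}` into the same file as the bootargs line, so if that kernel command line names an `mmcblk` root device the substitution would also rewrite it (the contents of CMDLINE and files/boot/uboot.mkimage are not visible here, so this is inferred). Anchoring the pattern to a whole word, e.g. `sed -i "s|\bmmc\b|usb|g" "${BOOT_DIR}/uboot.mkimage"` (GNU sed, which the existing `sed -i` calls already assume), or restricting it with a line address to the load/device commands, would keep the rewrite from touching unrelated text. A short comment above the block stating which mkimage commands it is meant to rewrite would also help the next person who edits the template.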
@@ -1,53 +1,56
1 1 #
2 2 # Setup videocore - Raspberry Userland
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_VIDEOCORE" = true ] ; then
9 9 # Copy existing videocore sources into chroot directory
10 10 if [ -n "$VIDEOCORESRC_DIR" ] && [ -d "$VIDEOCORESRC_DIR" ] ; then
11 11 # Copy local videocore sources
12 12 cp -r "${VIDEOCORESRC_DIR}" "${R}/tmp/userland"
13 13 else
14 14 # Create temporary directory for videocore sources
15 15 temp_dir=$(as_nobody mktemp -d)
16 16
17 17 # Fetch videocore sources
18 18 as_nobody git -C "${temp_dir}" clone "${VIDEOCORE_URL}"
19 19
20 20 # Copy downloaded videocore sources
21 21 mv "${temp_dir}/userland" "${R}/tmp/"
22 22
23 23 # Set permissions of the U-Boot sources
24 24 chown -R root:root "${R}/tmp/userland"
25 25
26 26 # Remove temporary directory for U-Boot sources
27 27 rm -fr "${temp_dir}"
28 28 fi
29 29
30 30 # Create build dir
31 31 mkdir "${R}"/tmp/userland/build
32 32
33 33 # push us to build directory
34 34 cd "${R}"/tmp/userland/build
35 35
36 36 if [ "$RELEASE_ARCH" = "arm64" ] ; then
37 37 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
38 38 fi
39 39
40 40 if [ "$RELEASE_ARCH" = "armel" ] ; then
41 41 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
42 42 fi
43 43
44 44 if [ "$RELEASE_ARCH" = "armhf" ] ; then
45 45 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
46 46 fi
47 47
48 48 #build userland
49 49 make -j "$(nproc)"
50 50
51 51 #back to root of scriptdir
52 52 cd "${WORKDIR}"
53
54 # Remove videocore sources
55 rm -fr "${R}"/tmp/userland/
53 56 fi
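Review bot: The new cleanup on line 55, `rm -fr "${R}"/tmp/userland/`, has no guard on `R`: the variable is provided by the calling script (this file only sources functions.sh), so if the script is run on its own with `R` unset the command degrades to `rm -fr /tmp/userland/` on the host. Use the abort-if-empty form, `rm -fr "${R:?}/tmp/userland"`, so an unset build root stops the script instead of deleting a host path. The same `rm -fr "${temp_dir}"` pattern on line 27 already relies on `mktemp` having succeeded; `${temp_dir:?}` there would be consistent, though that line is not part of this change.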
@@ -1,49 +1,54
1 1 #
2 2 # First boot actions
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Prepare rc.firstboot script
9 9 cat files/firstboot/10-begin.sh > "${ETC_DIR}/rc.firstboot"
10 10
11 # Ensure openssh server host keys are regenerated on first boot
12 if [ "$ENABLE_SSHD" = true ] ; then
13 cat files/firstboot/21-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
14 fi
15
16 11 # Prepare filesystem auto expand
17 12 if [ "$EXPANDROOT" = true ] ; then
18 13 if [ "$ENABLE_CRYPTFS" = false ] ; then
19 cat files/firstboot/22-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
14 cat files/firstboot/20-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
20 15 else
21 16 # Regenerate initramfs to remove encrypted root partition auto expand
22 cat files/firstboot/23-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
17 cat files/firstboot/21-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
18 fi
19
20 # Restart dphys-swapfile so the size of the swap file is relative to the resized root partition
21 if [ "$ENABLE_DPHYSSWAP" = true ] ; then
22 cat files/firstboot/23-restart-dphys-swapfile.sh >> "${ETC_DIR}/rc.firstboot"
23 23 fi
24 24 fi
25 25
26 # Ensure openssh server host keys are regenerated on first boot
27 if [ "$ENABLE_SSHD" = true ] ; then
28 cat files/firstboot/30-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
29 fi
30
26 31 # Ensure that dbus machine-id exists
27 cat files/firstboot/24-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
32 cat files/firstboot/40-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
28 33
29 34 # Create /etc/resolv.conf symlink
30 cat files/firstboot/25-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
35 cat files/firstboot/41-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
31 36
32 37 # Configure automatic network interface names
33 38 if [ "$ENABLE_IFNAMES" = true ] ; then
34 cat files/firstboot/26-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
39 cat files/firstboot/42-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
35 40 fi
36 41
37 42 # Finalize rc.firstboot script
38 43 cat files/firstboot/99-finish.sh >> "${ETC_DIR}/rc.firstboot"
39 44 chmod +x "${ETC_DIR}/rc.firstboot"
40 45
41 46 # Install default rc.local if it does not exist
42 47 if [ ! -f "${ETC_DIR}/rc.local" ] ; then
43 48 install_exec files/etc/rc.local "${ETC_DIR}/rc.local"
44 49 fi
45 50
46 51 # Add rc.firstboot script to rc.local
47 52 sed -i '/exit 0/d' "${ETC_DIR}/rc.local"
48 53 echo /etc/rc.firstboot >> "${ETC_DIR}/rc.local"
49 54 echo exit 0 >> "${ETC_DIR}/rc.local"
@@ -1,8 +1,8
1 deb http://ftp.debian.org/debian jessie main contrib
2 #deb-src http://ftp.debian.org/debian jessie main contrib
1 deb http://ftp.debian.org/debian stretch main contrib
2 #deb-src http://ftp.debian.org/debian stretch main contrib
3 3
4 deb http://ftp.debian.org/debian/ jessie-updates main contrib
5 #deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
4 deb http://ftp.debian.org/debian/ stretch-updates main contrib
5 #deb-src http://ftp.debian.org/debian/ stretch-updates main contrib
6 6
7 deb http://security.debian.org/ jessie/updates main contrib
8 #deb-src http://security.debian.org/ jessie/updates main contrib
7 deb http://security.debian.org/ stretch/updates main contrib
8 #deb-src http://security.debian.org/ stretch/updates main contrib
1 NO CONTENT: file renamed from files/firstboot/22-expandroot.sh to files/firstboot/20-expandroot.sh
@@ -1,31 +1,32
1 1 logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
2 2
3 3 KERNEL_VERSION=$(uname -r)
4 4 KERNEL_ARCH=$(uname -m)
5 5 INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
6 6 INITRAMFS_UBOOT="${INITRAMFS}.uboot"
7 7
8 8 # Extract kernel arch
9 9 case "${KERNEL_ARCH}" in
10 10 arm*) KERNEL_ARCH=arm ;;
11 aarch64) KERNEL_ARCH=arm64 ;;
11 12 esac
12 13
13 14 # Regenerate initramfs
14 15 if [ -r "${INITRAMFS}" ] ; then
15 16 rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
16 17 rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
17 18 rm -f /etc/initramfs-tools/hooks/expand-tools
18 19 rm -f "${INITRAMFS}"
19 20 mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
20 21 fi
21 22
22 23 # Convert generated initramfs for U-Boot using mkimage
23 24 if [ -r "${INITRAMFS_UBOOT}" ] ; then
24 25 rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
25 26 rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
26 27 rm -f /etc/initramfs-tools/hooks/expand-tools
27 28 rm -f "${INITRAMFS_UBOOT}"
28 29 mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
29 30 mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
30 31 rm -f "${INITRAMFS}"
31 32 fi
1 NO CONTENT: file renamed from files/firstboot/21-generate-ssh-keys.sh to files/firstboot/30-generate-ssh-keys.sh
1 NO CONTENT: file renamed from files/firstboot/24-generate-machineid.sh to files/firstboot/40-generate-machineid.sh
1 NO CONTENT: file renamed from files/firstboot/25-create-resolv-symlink.sh to files/firstboot/41-create-resolv-symlink.sh
1 NO CONTENT: file renamed from files/firstboot/26-config-ifnames.sh to files/firstboot/42-config-ifnames.sh
@@ -1,77 +1,116
1 1 # This file contains utility functions used by rpi23-gen-image.sh
2 2
3 3 cleanup (){
4 4 set +x
5 5 set +e
6
7 # Remove exports from nexmon
8 unset KERNEL
9 unset ARCH
10 unset SUBARCH
11 unset CCPLUGIN
12 unset ZLIBFLATE
13 unset Q
14 unset NEXMON_SETUP_ENV
15 unset HOSTUNAME
16 unset PLATFORMUNAME
6 17
7 18 # Identify and kill all processes still using files
8 19 echo "killing processes using mount point ..."
9 20 fuser -k "${R}"
10 21 sleep 3
11 22 fuser -9 -k -v "${R}"
12 23
13 24 # Clean up temporary .password file
14 25 if [ -r ".password" ] ; then
15 26 shred -zu .password
16 27 fi
17 28
18 29 # Clean up all temporary mount points
19 30 echo "removing temporary mount points ..."
20 31 umount -l "${R}/proc" 2> /dev/null
21 32 umount -l "${R}/sys" 2> /dev/null
22 33 umount -l "${R}/dev/pts" 2> /dev/null
23 34 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
24 35 umount "$BUILDDIR/mount" 2> /dev/null
25 36 cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
26 37 losetup -d "$ROOT_LOOP" 2> /dev/null
27 38 losetup -d "$FRMW_LOOP" 2> /dev/null
28 39 trap - 0 1 2 3 6
29 40 }
30 41
31 42 chroot_exec() {
32 43 # Exec command in chroot
33 44 LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot "${R}" "$@"
34 45 }
35 46
36 47 as_nobody() {
37 48 # Exec command as user nobody
38 49 sudo -E -u nobody LANG=C LC_ALL=C "$@"
39 50 }
40 51
41 52 install_readonly() {
42 53 # Install file with user read-only permissions
43 54 install -o root -g root -m 644 "$@"
44 55 }
45 56
46 57 install_exec() {
47 58 # Install file with root exec permissions
48 59 install -o root -g root -m 744 "$@"
49 60 }
50 61
51 62 use_template () {
52 63 # Test if configuration template file exists
53 64 if [ ! -r "./templates/${CONFIG_TEMPLATE}" ] ; then
54 65 echo "error: configuration template ${CONFIG_TEMPLATE} not found"
55 66 exit 1
56 67 fi
57 68
58 69 # Load template configuration parameters
59 70 . "./templates/${CONFIG_TEMPLATE}"
60 71 }
61 72
62 73 chroot_install_cc() {
63 74 # Install c/c++ build environment inside the chroot
64 75 if [ -z "${COMPILER_PACKAGES}" ] ; then
65 76 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
66 # Install COMPILER_PACKAGES in chroot
67 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}"
77 # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot
78 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
68 79 fi
69 80 }
70 81
71 82 chroot_remove_cc() {
72 83 # Remove c/c++ build environment from the chroot
73 84 if [ -n "${COMPILER_PACKAGES}" ] ; then
74 chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}"
85 chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
75 86 COMPILER_PACKAGES=""
76 87 fi
77 88 }
89
90 # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
91 cdr2mask ()
92 {
93 # Number of args to shift, 255..255, first non-255 byte, zeroes
94 set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
95 [ $1 -gt 1 ] && shift $1 || shift
96 echo ${1-0}.${2-0}.${3-0}.${4-0}
97 }
98
99 # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
100 set_kernel_config() {
101 # flag as $1, value to set as $2, config must exist at "./.config"
102 TGT="CONFIG_${1#CONFIG_}"
103 REP="${2}"
104 if grep -q "^${TGT}[^_]" .config; then
105 sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config
106 else
107 echo "${TGT}"="${2}" >> .config
108 fi
109 }
110
111 # unset kernel config parameter
112 unset_kernel_config() {
113 # unsets flag with the value of $1, config must exist at "./.config"
114 TGT="CONFIG_${1#CONFIG_}"
115 sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
116 } No newline at end of file
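Review bot: In the new `set_kernel_config` (lines 100-109) the guard `grep -q "^${TGT}[^_]" .config` on line 104 can never match a `# CONFIG_X is not set` line (it starts with `# `), so the `\|# ${TGT} is not set\|` alternative in the sed on line 105 is unreachable and a currently-disabled option is instead appended as a second `CONFIG_X=value` line while the "is not set" line stays, leaving duplicate entries that depend on later-wins semantics; `[^_]` also lets `CONFIG_FOO` match `CONFIG_FOOBAR=`. Matching both forms exactly, `if grep -q "^\(${TGT}=\|# ${TGT} is not set\)" .config; then`, fixes both and makes the sed branch do what it was written for. `${REP}` is spliced unescaped into the sed replacement on line 105, so a value containing `/`, `&` or `\` (a quoted string option, for instance) breaks the expression or substitutes the wrong text; either escape those characters first or use the append path for such values. The deliberately unquoted `${COMPILER_PACKAGES}` on lines 78 and 85 is correct word-splitting of a space-separated list, but it is better recorded as `# shellcheck disable=SC2086 -- COMPILER_PACKAGES is a space-separated list` than as a "NEVER" warning, so linting stays clean. `TGT` and `REP` in the two kernel-config helpers are globals; the file targets `#!/bin/sh`, so at least a comment that they leak into the caller would be worth adding.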
@@ -1,807 +1,869
1 1 #!/bin/sh
2 2 ########################################################################
3 3 # rpi23-gen-image.sh 2015-2017
4 4 #
5 5 # Advanced Debian "stretch" and "buster" bootstrap script for Raspberry Pi
6 6 #
7 7 # This program is free software; you can redistribute it and/or
8 8 # modify it under the terms of the GNU General Public License
9 9 # as published by the Free Software Foundation; either version 2
10 10 # of the License, or (at your option) any later version.
11 11 #
12 12 # Copyright (C) 2015 Jan Wagner <mail@jwagner.eu>
13 13 #
14 14 # Big thanks for patches and enhancements by 20+ github contributors!
15 15 ########################################################################
16 16
17 17 # Are we running as root?
18 18 if [ "$(id -u)" -ne "0" ] ; then
19 19 echo "error: this script must be executed with root privileges!"
20 20 exit 1
21 21 fi
22 22
23 23 # Check if ./functions.sh script exists
24 24 if [ ! -r "./functions.sh" ] ; then
25 25 echo "error: './functions.sh' required script not found!"
26 26 exit 1
27 27 fi
28 28
29 29 # Load utility functions
30 30 . ./functions.sh
31 31
32 32 # Load parameters from configuration template file
33 33 if [ -n "$CONFIG_TEMPLATE" ] ; then
34 34 use_template
35 35 fi
36 36
37 37 # Introduce settings
38 38 set -e
39 39 echo -n -e "\n#\n# RPi 0/1/2/3 Bootstrap Settings\n#\n"
40 40 set -x
41 41
42 42 # Raspberry Pi model configuration
43 43 RPI_MODEL=${RPI_MODEL:=2}
44 44
45 45 # Debian release
46 46 RELEASE=${RELEASE:=buster}
47 47
48 48 # Kernel Branch
49 49 KERNEL_BRANCH=${KERNEL_BRANCH:=""}
50 50
51 51 # URLs
52 52 KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
53 53 FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
54 54 WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm}
55 55 COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
56 56 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
59 59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
60 NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
61 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
62
63 # Kernel deb packages for 32bit kernel
64 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
65 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
66 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
68 # Default precompiled 64bit kernel
69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
70 # Generic
71 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
72 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
73 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
60 74
61 75 # Build directories
62 76 WORKDIR=$(pwd)
63 77 BASEDIR=${BASEDIR:=${WORKDIR}/images/${RELEASE}}
64 78 BUILDDIR="${BASEDIR}/build"
65 79
66 80 # Chroot directories
67 81 R="${BUILDDIR}/chroot"
68 82 ETC_DIR="${R}/etc"
69 83 LIB_DIR="${R}/lib"
70 84 BOOT_DIR="${R}/boot/firmware"
71 85 KERNEL_DIR="${R}/usr/src/linux"
72 86 WLAN_FIRMWARE_DIR="${LIB_DIR}/firmware/brcm"
73 87 BLUETOOTH_FIRMWARE_DIR="${ETC_DIR}/firmware/bt"
74 88
75 89 # Firmware directory: Blank if download from github
76 90 RPI_FIRMWARE_DIR=${RPI_FIRMWARE_DIR:=""}
77 91
78 92 # General settings
79 93 SET_ARCH=${SET_ARCH:=32}
80 94 HOSTNAME=${HOSTNAME:=rpi${RPI_MODEL}-${RELEASE}}
81 95 PASSWORD=${PASSWORD:=raspberry}
82 96 USER_PASSWORD=${USER_PASSWORD:=raspberry}
83 97 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
84 98 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
85 99 EXPANDROOT=${EXPANDROOT:=true}
100 ENABLE_DPHYSSWAP=${ENABLE_DPHYSSWAP:=true}
86 101
87 102 # Keyboard settings
88 103 XKB_MODEL=${XKB_MODEL:=""}
89 104 XKB_LAYOUT=${XKB_LAYOUT:=""}
90 105 XKB_VARIANT=${XKB_VARIANT:=""}
91 106 XKB_OPTIONS=${XKB_OPTIONS:=""}
92 107
93 108 # Network settings (DHCP)
94 109 ENABLE_DHCP=${ENABLE_DHCP:=true}
95 110
96 111 # Network settings (static)
97 112 NET_ADDRESS=${NET_ADDRESS:=""}
98 113 NET_GATEWAY=${NET_GATEWAY:=""}
99 114 NET_DNS_1=${NET_DNS_1:=""}
100 115 NET_DNS_2=${NET_DNS_2:=""}
101 116 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
102 117 NET_NTP_1=${NET_NTP_1:=""}
103 118 NET_NTP_2=${NET_NTP_2:=""}
104 119
105 120 # APT settings
106 121 APT_PROXY=${APT_PROXY:=""}
107 122 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
123 KEEP_APT_PROXY=${KEEP_APT_PROXY:=false}
108 124
109 125 # Feature settings
110 126 ENABLE_PRINTK=${ENABLE_PRINTK:=false}
111 127 ENABLE_BLUETOOTH=${ENABLE_BLUETOOTH:=false}
112 128 ENABLE_MINIUART_OVERLAY=${ENABLE_MINIUART_OVERLAY:=false}
113 129 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
114 130 ENABLE_I2C=${ENABLE_I2C:=false}
115 131 ENABLE_SPI=${ENABLE_SPI:=false}
116 132 ENABLE_IPV6=${ENABLE_IPV6:=true}
117 133 ENABLE_SSHD=${ENABLE_SSHD:=true}
118 134 ENABLE_NONFREE=${ENABLE_NONFREE:=false}
119 135 ENABLE_WIRELESS=${ENABLE_WIRELESS:=false}
120 136 ENABLE_SOUND=${ENABLE_SOUND:=true}
121 137 ENABLE_DBUS=${ENABLE_DBUS:=true}
122 138 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
123 139 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
124 140 ENABLE_XORG=${ENABLE_XORG:=false}
125 141 ENABLE_WM=${ENABLE_WM:=""}
126 142 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
127 143 ENABLE_USER=${ENABLE_USER:=true}
128 144 USER_NAME=${USER_NAME:="pi"}
129 145 ENABLE_ROOT=${ENABLE_ROOT:=false}
130 146 ENABLE_QEMU=${ENABLE_QEMU:=false}
131 147 ENABLE_SYSVINIT=${ENABLE_SYSVINIT:=false}
132 148
133 149 # SSH settings
134 150 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
135 151 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
136 152 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
137 153 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
138 154 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
139 155
140 156 # Advanced settings
157 ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
141 158 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
142 159 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
143 160 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
144 161 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
162 ENABLE_USBBOOT=${ENABLE_USBBOOT=false}
145 163 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
146 164 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
165 ENABLE_NEXMON=${ENABLE_NEXMON:=false}
147 166 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
148 167 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
168 NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
149 169 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
150 170 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
151 171 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
152 172 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
153 173 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
174 ENABLE_SPLASH=${ENABLE_SPLASH:=true}
175 ENABLE_LOGO=${ENABLE_LOGO:=true}
176 ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}
154 177 DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
155 178
156 179 # Kernel compilation settings
157 180 BUILD_KERNEL=${BUILD_KERNEL:=true}
158 181 KERNEL_REDUCE=${KERNEL_REDUCE:=false}
159 182 KERNEL_THREADS=${KERNEL_THREADS:=1}
160 183 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
161 184 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
162 185 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
163 186 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
164 187 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
188 KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
189 KERNEL_VIRT=${KERNEL_VIRT:=false}
190 KERNEL_BPF=${KERNEL_BPF:=false}
191 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
192 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
193 KERNEL_NF=${KERNEL_NF:=false}
165 194
166 195 # Kernel compilation from source directory settings
167 196 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
168 197 KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
169 198 KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
170 199 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
171 200
172 201 # Reduce disk usage settings
173 202 REDUCE_APT=${REDUCE_APT:=true}
174 203 REDUCE_DOC=${REDUCE_DOC:=true}
175 204 REDUCE_MAN=${REDUCE_MAN:=true}
176 205 REDUCE_VIM=${REDUCE_VIM:=false}
177 206 REDUCE_BASH=${REDUCE_BASH:=false}
178 207 REDUCE_HWDB=${REDUCE_HWDB:=true}
179 208 REDUCE_SSHD=${REDUCE_SSHD:=true}
180 209 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
181 210
182 211 # Encrypted filesystem settings
183 212 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
184 213 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
185 214 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
186 215 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
187 216 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
217 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
218 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
219 #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
220 CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
188 221
189 222 # Chroot scripts directory
190 223 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
191 224
192 225 # Packages required in the chroot build environment
193 226 APT_INCLUDES=${APT_INCLUDES:=""}
194 227 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
195 228
196 229 # Packages to exclude from chroot build environment
197 230 APT_EXCLUDES=${APT_EXCLUDES:=""}
198 231
199 232 # Packages required for bootstrapping
200 233 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo"
201 234 MISSING_PACKAGES=""
202 235
203 236 # Packages installed for c/c++ build environment in chroot (keep empty)
204 237 COMPILER_PACKAGES=""
205 238
206 set +x
207
208 #Check if apt-cacher-ng has port 3142 open and set APT_PROXY
209 APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq)
210 if [ -n "${APT_CACHER_RUNNING}" ] ; then
239 # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
240 APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
241 if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
211 242 APT_PROXY=http://127.0.0.1:3142/
212 243 fi
213 244
214 245 # Setup architecture specific settings
215 246 if [ -n "$SET_ARCH" ] ; then
216 247 # 64-bit configuration
217 248 if [ "$SET_ARCH" = 64 ] ; then
218 249 # General 64-bit depended settings
219 250 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
220 251 KERNEL_ARCH=${KERNEL_ARCH:=arm64}
221 252 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
222 253
223 254 # Raspberry Pi model specific settings
224 255 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
225 256 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
226 257 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
227 258 RELEASE_ARCH=${RELEASE_ARCH:=arm64}
228 259 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
229 260 CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-}
230 261 else
231 262 echo "error: Only Raspberry PI 3 and 3B+ support 64-bit"
232 263 exit 1
233 264 fi
234 265 fi
235 266
236 267 # 32-bit configuration
237 268 if [ "$SET_ARCH" = 32 ] ; then
238 269 # General 32-bit dependend settings
239 270 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
240 271 KERNEL_ARCH=${KERNEL_ARCH:=arm}
241 272 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
242 273
243 274 # Raspberry Pi model specific settings
244 275 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then
245 276 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel"
246 277 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig}
247 278 RELEASE_ARCH=${RELEASE_ARCH:=armel}
248 279 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img}
249 280 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-}
250 281 fi
251 282
252 283 # Raspberry Pi model specific settings
253 284 if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
254 285 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
255 286 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
256 287 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
257 288 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
258 289 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
259 290 fi
260 291 fi
261 #SET_ARCH not set
292 # SET_ARCH not set
262 293 else
263 294 echo "error: Please set '32' or '64' as value for SET_ARCH"
264 295 exit 1
265 296 fi
266 297 # Device specific configuration and U-Boot configuration
267 298 case "$RPI_MODEL" in
268 299 0)
269 300 DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb}
270 301 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
271 302 ;;
272 303 1)
273 304 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b.dtb}
274 305 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
275 306 ;;
276 307 1P)
277 308 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b-plus.dtb}
278 309 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
279 310 ;;
280 311 2)
281 312 DTB_FILE=${DTB_FILE:=bcm2709-rpi-2-b.dtb}
282 313 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_2_defconfig}
283 314 ;;
284 315 3)
285 316 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
286 317 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
287 318 ;;
288 319 3P)
289 320 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
290 321 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
291 322 ;;
292 323 *)
293 324 echo "error: Raspberry Pi model $RPI_MODEL is not supported!"
294 325 exit 1
295 326 ;;
296 327 esac
297 328
298 329 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
299 330 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
300 331 # Include bluetooth packages on supported boards
301 if [ "$ENABLE_BLUETOOTH" = true ] && [ "$ENABLE_CONSOLE" = false ]; then
332 if [ "$ENABLE_BLUETOOTH" = true ] ; then
302 333 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
303 334 fi
335 if [ "$ENABLE_WIRELESS" = true ] ; then
336 APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
337 fi
304 338 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
305 339 # Check if the internal wireless interface is not supported by the RPi model
306 340 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
307 341 echo "error: The selected Raspberry Pi model has no integrated interface for wireless or bluetooth"
308 342 exit 1
309 343 fi
310 344 fi
311 345
346 if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
347 echo "error: You have to compile kernel sources, if you want to enable nexmon"
348 exit 1
349 fi
350
312 351 # Prepare date string for default image file name
313 352 DATE="$(date +%Y-%m-%d)"
314 353 if [ -z "$KERNEL_BRANCH" ] ; then
315 354 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
316 355 else
317 356 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
318 357 fi
319 358
320 359 # Check if DISABLE_UNDERVOLT_WARNINGS parameter value is supported
321 360 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
322 361 if [ "$DISABLE_UNDERVOLT_WARNINGS" != 1 ] && [ "$DISABLE_UNDERVOLT_WARNINGS" != 2 ] ; then
323 362 echo "error: DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS} is not supported"
324 363 exit 1
325 364 fi
326 365 fi
327 366
328 367 # Add cmake to compile videocore sources
329 368 if [ "$ENABLE_VIDEOCORE" = true ] ; then
330 369 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
331 370 fi
332 371
372 # Add deps for nexmon
373 if [ "$ENABLE_NEXMON" = true ] ; then
374 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
375 fi
376
333 377 # Add libncurses5 to enable kernel menuconfig
334 378 if [ "$KERNEL_MENUCONFIG" = true ] ; then
335 379 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
336 380 fi
337 381
338 382 # Add ccache compiler cache for (faster) kernel cross (re)compilation
339 383 if [ "$KERNEL_CCACHE" = true ] ; then
340 384 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} ccache"
341 385 fi
342 386
343 387 # Add cryptsetup package to enable filesystem encryption
344 388 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
345 389 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
346 390 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
347 391
392 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
393 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
394 APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
395 fi
396
348 397 if [ -z "$CRYPTFS_PASSWORD" ] ; then
349 398 echo "error: no password defined (CRYPTFS_PASSWORD)!"
350 399 exit 1
351 400 fi
352 401 ENABLE_INITRAMFS=true
353 402 fi
354 403
355 404 # Add initramfs generation tools
356 405 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
357 406 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
358 407 fi
359 408
360 409 # Add device-tree-compiler required for building the U-Boot bootloader
361 410 if [ "$ENABLE_UBOOT" = true ] ; then
362 411 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
363 412 fi
364 413
365 if [ "$ENABLE_BLUETOOTH" = true ] ; then
366 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
367 if [ "$ENABLE_CONSOLE" = false ] ; then
368 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
369 fi
414 if [ "$ENABLE_USBBOOT" = true ] ; then
415 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then
416 echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P"
417 exit 1
370 418 fi
371 419 fi
372 420
373 421 # Check if root SSH (v2) public key file exists
374 422 if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
375 423 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
376 424 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
377 425 exit 1
378 426 fi
379 427 fi
380 428
381 429 # Check if $USER_NAME SSH (v2) public key file exists
382 430 if [ -n "$SSH_USER_PUB_KEY" ] ; then
383 431 if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
384 432 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
385 433 exit 1
386 434 fi
387 435 fi
388 436
437 if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
438 echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
439 exit 1
440 fi
441
389 442 # Check if all required packages are installed on the build system
390 443 for package in $REQUIRED_PACKAGES ; do
391 444 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
392 445 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
393 446 fi
394 447 done
395 448
396 449 # If there are missing packages ask confirmation for install, or exit
397 450 if [ -n "$MISSING_PACKAGES" ] ; then
398 451 echo "the following packages needed by this script are not installed:"
399 452 echo "$MISSING_PACKAGES"
400 453
401 454 printf "\ndo you want to install the missing packages right now? [y/n] "
402 455 read -r confirm
403 456 [ "$confirm" != "y" ] && exit 1
404 457
405 458 # Make sure all missing required packages are installed
406 459 apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
407 460 fi
408 461
409 462 # Check if ./bootstrap.d directory exists
410 463 if [ ! -d "./bootstrap.d/" ] ; then
411 464 echo "error: './bootstrap.d' required directory not found!"
412 465 exit 1
413 466 fi
414 467
415 468 # Check if ./files directory exists
416 469 if [ ! -d "./files/" ] ; then
417 470 echo "error: './files' required directory not found!"
418 471 exit 1
419 472 fi
420 473
421 474 # Check if specified KERNELSRC_DIR directory exists
422 475 if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
423 476 echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
424 477 exit 1
425 478 fi
426 479
427 480 # Check if specified UBOOTSRC_DIR directory exists
428 481 if [ -n "$UBOOTSRC_DIR" ] && [ ! -d "$UBOOTSRC_DIR" ] ; then
429 482 echo "error: '${UBOOTSRC_DIR}' specified directory not found (UBOOTSRC_DIR)!"
430 483 exit 1
431 484 fi
432 485
433 486 # Check if specified VIDEOCORESRC_DIR directory exists
434 487 if [ -n "$VIDEOCORESRC_DIR" ] && [ ! -d "$VIDEOCORESRC_DIR" ] ; then
435 488 echo "error: '${VIDEOCORESRC_DIR}' specified directory not found (VIDEOCORESRC_DIR)!"
436 489 exit 1
437 490 fi
438 491
439 492 # Check if specified FBTURBOSRC_DIR directory exists
440 493 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
441 494 echo "error: '${FBTURBOSRC_DIR}' specified directory not found (FBTURBOSRC_DIR)!"
442 495 exit 1
443 496 fi
444 497
498 # Check if specified NEXMONSRC_DIR directory exists
499 if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
500 echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
501 exit 1
502 fi
503
445 504 # Check if specified CHROOT_SCRIPTS directory exists
446 505 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
447 506 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
448 507 exit 1
449 508 fi
450 509
451 510 # Check if specified device mapping already exists (will be used by cryptsetup)
452 511 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
453 512 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
454 513 exit 1
455 514 fi
456 515
457 516 # Don't clobber an old build
458 517 if [ -e "$BUILDDIR" ] ; then
459 518 echo "error: directory ${BUILDDIR} already exists, not proceeding"
460 519 exit 1
461 520 fi
462 521
463 522 # Setup chroot directory
464 523 mkdir -p "${R}"
465 524
466 525 # Check if build directory has enough of free disk space >512MB
467 526 if [ "$(df --output=avail "${BUILDDIR}" | sed "1d")" -le "524288" ] ; then
468 527 echo "error: ${BUILDDIR} not enough space left to generate the output image!"
469 528 exit 1
470 529 fi
471 530
472 531 set -x
473 532
474 533 # Call "cleanup" function on various signals and errors
475 534 trap cleanup 0 1 2 3 6
476 535
477 536 # Add required packages for the minbase installation
478 537 if [ "$ENABLE_MINBASE" = true ] ; then
479 538 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
480 539 fi
481 540
482 541 # Add parted package, required to get partprobe utility
483 542 if [ "$EXPANDROOT" = true ] ; then
484 543 APT_INCLUDES="${APT_INCLUDES},parted"
485 544 fi
486 545
546 # Add dphys-swapfile package, required to enable swap
547 if [ "$ENABLE_DPHYSSWAP" = true ] ; then
548 APT_INCLUDES="${APT_INCLUDES},dphys-swapfile"
549 fi
550
487 551 # Add dbus package, recommended if using systemd
488 552 if [ "$ENABLE_DBUS" = true ] ; then
489 553 APT_INCLUDES="${APT_INCLUDES},dbus"
490 554 fi
491 555
492 556 # Add iptables IPv4/IPv6 package
493 557 if [ "$ENABLE_IPTABLES" = true ] ; then
494 558 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
495 559 fi
560 # Add apparmor for KERNEL_SECURITY
561 if [ "$KERNEL_SECURITY" = true ] ; then
562 APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
563 fi
496 564
497 565 # Add openssh server package
498 566 if [ "$ENABLE_SSHD" = true ] ; then
499 567 APT_INCLUDES="${APT_INCLUDES},openssh-server"
500 568 fi
501 569
502 570 # Add alsa-utils package
503 571 if [ "$ENABLE_SOUND" = true ] ; then
504 572 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
505 573 fi
506 574
507 575 # Add rng-tools package
508 576 if [ "$ENABLE_HWRANDOM" = true ] ; then
509 577 APT_INCLUDES="${APT_INCLUDES},rng-tools"
510 578 fi
511 579
512 580 # Add fbturbo video driver
513 581 if [ "$ENABLE_FBTURBO" = true ] ; then
514 582 # Enable xorg package dependencies
515 583 ENABLE_XORG=true
516 584 fi
517 585
518 586 # Add user defined window manager package
519 587 if [ -n "$ENABLE_WM" ] ; then
520 588 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
521 589
522 590 # Enable xorg package dependencies
523 591 ENABLE_XORG=true
524 592 fi
525 593
526 594 # Add xorg package
527 595 if [ "$ENABLE_XORG" = true ] ; then
528 596 APT_INCLUDES="${APT_INCLUDES},xorg,dbus-x11"
529 597 fi
530 598
531 599 # Replace selected packages with smaller clones
532 600 if [ "$ENABLE_REDUCE" = true ] ; then
533 601 # Add levee package instead of vim-tiny
534 602 if [ "$REDUCE_VIM" = true ] ; then
535 603 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
536 604 fi
537 605
538 606 # Add dropbear package instead of openssh-server
539 607 if [ "$REDUCE_SSHD" = true ] ; then
540 608 APT_INCLUDES="$(echo "${APT_INCLUDES}" | sed "s/openssh-server/dropbear/")"
541 609 fi
542 610 fi
543 611
544 612 # Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available
545 613 if [ "$ENABLE_SYSVINIT" = false ] ; then
546 614 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
547 615 fi
548 616
549 # Check if kernel is getting compiled
550 if [ "$BUILD_KERNEL" = false ] ; then
551 echo "Downloading precompiled kernel"
552 echo "error: not configured"
553 exit 1;
554 # BUILD_KERNEL=true
555 else
556 echo "No precompiled kernel repositories were added"
557 fi
558
559 617 # Configure kernel sources if no KERNELSRC_DIR
560 618 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
561 619 KERNELSRC_CONFIG=true
562 620 fi
563 621
564 622 # Configure reduced kernel
565 623 if [ "$KERNEL_REDUCE" = true ] ; then
566 624 KERNELSRC_CONFIG=false
567 625 fi
568 626
569 627 # Configure qemu compatible kernel
570 628 if [ "$ENABLE_QEMU" = true ] ; then
571 629 DTB_FILE=vexpress-v2p-ca15_a7.dtb
572 630 UBOOT_CONFIG=vexpress_ca15_tc2_defconfig
573 631 KERNEL_DEFCONFIG="vexpress_defconfig"
574 632 if [ "$KERNEL_MENUCONFIG" = false ] ; then
575 633 KERNEL_OLDDEFCONFIG=true
576 634 fi
577 635 fi
578 636
579 637 # Execute bootstrap scripts
580 638 for SCRIPT in bootstrap.d/*.sh; do
581 639 head -n 3 "$SCRIPT"
582 640 . "$SCRIPT"
583 641 done
584 642
585 643 ## Execute custom bootstrap scripts
586 644 if [ -d "custom.d" ] ; then
587 645 for SCRIPT in custom.d/*.sh; do
588 646 . "$SCRIPT"
589 647 done
590 648 fi
591 649
592 650 # Execute custom scripts inside the chroot
593 651 if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
594 652 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
595 653 chroot_exec /bin/bash -x <<'EOF'
596 654 for SCRIPT in /chroot_scripts/* ; do
597 655 if [ -f $SCRIPT -a -x $SCRIPT ] ; then
598 656 $SCRIPT
599 657 fi
600 658 done
601 659 EOF
602 660 rm -rf "${R}/chroot_scripts"
603 661 fi
604 662
605 663 # Remove c/c++ build environment from the chroot
606 664 chroot_remove_cc
607 665
608 666 # Generate required machine-id
609 667 MACHINE_ID=$(dbus-uuidgen)
610 668 echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id"
611 669 echo -n "${MACHINE_ID}" > "${ETC_DIR}/machine-id"
612 670
613 671 # APT Cleanup
614 672 chroot_exec apt-get -y clean
615 673 chroot_exec apt-get -y autoclean
616 674 chroot_exec apt-get -y autoremove
617 675
618 676 # Unmount mounted filesystems
619 677 umount -l "${R}/proc"
620 678 umount -l "${R}/sys"
621 679
622 680 # Clean up directories
623 681 rm -rf "${R}/run/*"
624 682 rm -rf "${R}/tmp/*"
625 683
684 # Clean up APT proxy settings
685 if [ "$KEEP_APT_PROXY" = false ] ; then
686 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
687 fi
688
626 689 # Clean up files
627 690 rm -f "${ETC_DIR}/ssh/ssh_host_*"
628 691 rm -f "${ETC_DIR}/dropbear/dropbear_*"
629 692 rm -f "${ETC_DIR}/apt/sources.list.save"
630 693 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
631 694 rm -f "${ETC_DIR}/*-"
632 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
633 695 rm -f "${ETC_DIR}/resolv.conf"
634 696 rm -f "${R}/root/.bash_history"
635 697 rm -f "${R}/var/lib/urandom/random-seed"
636 698 rm -f "${R}/initrd.img"
637 699 rm -f "${R}/vmlinuz"
638 700 rm -f "${R}${QEMU_BINARY}"
639 701
640 702 if [ "$ENABLE_QEMU" = true ] ; then
641 703 # Setup QEMU directory
642 704 mkdir "${BASEDIR}/qemu"
643 705
644 706 # Copy kernel image to QEMU directory
645 707 install_readonly "${BOOT_DIR}/${KERNEL_IMAGE}" "${BASEDIR}/qemu/${KERNEL_IMAGE}"
646 708
647 709 # Copy kernel config to QEMU directory
648 710 install_readonly "${R}/boot/config-${KERNEL_VERSION}" "${BASEDIR}/qemu/config-${KERNEL_VERSION}"
649 711
650 712 # Copy kernel dtbs to QEMU directory
651 713 for dtb in "${BOOT_DIR}/"*.dtb ; do
652 714 if [ -f "${dtb}" ] ; then
653 715 install_readonly "${dtb}" "${BASEDIR}/qemu/"
654 716 fi
655 717 done
656 718
657 719 # Copy kernel overlays to QEMU directory
658 720 if [ -d "${BOOT_DIR}/overlays" ] ; then
659 721 # Setup overlays dtbs directory
660 722 mkdir "${BASEDIR}/qemu/overlays"
661 723
662 for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do
724 for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do
663 725 if [ -f "${dtb}" ] ; then
664 726 install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
665 727 fi
666 728 done
667 729 fi
668 730
669 731 # Copy u-boot files to QEMU directory
670 732 if [ "$ENABLE_UBOOT" = true ] ; then
671 733 if [ -f "${BOOT_DIR}/u-boot.bin" ] ; then
672 734 install_readonly "${BOOT_DIR}/u-boot.bin" "${BASEDIR}/qemu/u-boot.bin"
673 735 fi
674 736 if [ -f "${BOOT_DIR}/uboot.mkimage" ] ; then
675 737 install_readonly "${BOOT_DIR}/uboot.mkimage" "${BASEDIR}/qemu/uboot.mkimage"
676 738 fi
677 739 if [ -f "${BOOT_DIR}/boot.scr" ] ; then
678 740 install_readonly "${BOOT_DIR}/boot.scr" "${BASEDIR}/qemu/boot.scr"
679 741 fi
680 742 fi
681 743
682 744 # Copy initramfs to QEMU directory
683 745 if [ -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" ] ; then
684 746 install_readonly "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" "${BASEDIR}/qemu/initramfs-${KERNEL_VERSION}"
685 747 fi
686 748 fi
687 749
688 750 # Calculate size of the chroot directory in KB
689 751 CHROOT_SIZE=$(expr "$(du -s "${R}" | awk '{ print $1 }')")
690 752
691 753 # Calculate the amount of needed 512 Byte sectors
692 754 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
693 755 FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
694 756 ROOT_OFFSET=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}")
695 757
696 758 # The root partition is EXT4
697 759 # This means more space than the actual used space of the chroot is used.
698 760 # As overhead for journaling and reserved blocks 35% are added.
699 761 ROOT_SECTORS=$(expr "$(expr "${CHROOT_SIZE}" + "${CHROOT_SIZE}" \/ 100 \* 35)" \* 1024 \/ 512)
700 762
701 763 # Calculate required image size in 512 Byte sectors
702 764 IMAGE_SECTORS=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}")
703 765
704 766 # Prepare image file
705 767 if [ "$ENABLE_SPLITFS" = true ] ; then
706 768 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count="${TABLE_SECTORS}"
707 769 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=0 seek="${FRMW_SECTORS}"
708 770 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count="${TABLE_SECTORS}"
709 771 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=0 seek="${ROOT_SECTORS}"
710 772
711 773 # Write firmware/boot partition tables
712 774 sfdisk -q -L -uS -f "$IMAGE_NAME-frmw.img" 2> /dev/null <<EOM
713 775 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
714 776 EOM
715 777
716 778 # Write root partition table
717 779 sfdisk -q -L -uS -f "$IMAGE_NAME-root.img" 2> /dev/null <<EOM
718 780 ${TABLE_SECTORS},${ROOT_SECTORS},83
719 781 EOM
720 782
721 783 # Setup temporary loop devices
722 784 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME"-frmw.img)"
723 785 ROOT_LOOP="$(losetup -o 1M -f --show "$IMAGE_NAME"-root.img)"
724 786 else # ENABLE_SPLITFS=false
725 787 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count="${TABLE_SECTORS}"
726 788 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=0 seek="${IMAGE_SECTORS}"
727 789
728 790 # Write partition table
729 791 sfdisk -q -L -uS -f "$IMAGE_NAME.img" 2> /dev/null <<EOM
730 792 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
731 793 ${ROOT_OFFSET},${ROOT_SECTORS},83
732 794 EOM
733 795
734 796 # Setup temporary loop devices
735 797 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME".img)"
736 798 ROOT_LOOP="$(losetup -o 65M -f --show "$IMAGE_NAME".img)"
737 799 fi
738 800
739 801 if [ "$ENABLE_CRYPTFS" = true ] ; then
740 802 # Create dummy ext4 fs
741 803 mkfs.ext4 "$ROOT_LOOP"
742 804
743 805 # Setup password keyfile
744 806 touch .password
745 807 chmod 600 .password
746 808 echo -n ${CRYPTFS_PASSWORD} > .password
747 809
748 810 # Initialize encrypted partition
749 811 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
750 812
751 813 # Open encrypted partition and setup mapping
752 814 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
753 815
754 816 # Secure delete password keyfile
755 817 shred -zu .password
756 818
757 819 # Update temporary loop device
758 820 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
759 821
760 822 # Wipe encrypted partition (encryption cipher is used for randomness)
761 823 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count="$(blockdev --getsz "${ROOT_LOOP}")"
762 824 fi
763 825
764 826 # Build filesystems
765 827 mkfs.vfat "$FRMW_LOOP"
766 828 mkfs.ext4 "$ROOT_LOOP"
767 829
768 830 # Mount the temporary loop devices
769 831 mkdir -p "$BUILDDIR/mount"
770 832 mount "$ROOT_LOOP" "$BUILDDIR/mount"
771 833
772 834 mkdir -p "$BUILDDIR/mount/boot/firmware"
773 835 mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
774 836
775 837 # Copy all files from the chroot to the loop device mount point directory
776 838 rsync -a "${R}/" "$BUILDDIR/mount/"
777 839
778 840 # Unmount all temporary loop devices and mount points
779 841 cleanup
780 842
781 843 # Create block map file(s) of image(s)
782 844 if [ "$ENABLE_SPLITFS" = true ] ; then
783 845 # Create block map files for "bmaptool"
784 846 bmaptool create -o "$IMAGE_NAME-frmw.bmap" "$IMAGE_NAME-frmw.img"
785 847 bmaptool create -o "$IMAGE_NAME-root.bmap" "$IMAGE_NAME-root.img"
786 848
787 849 # Image was successfully created
788 850 echo "$IMAGE_NAME-frmw.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
789 851 echo "$IMAGE_NAME-root.img ($(expr \( "${TABLE_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
790 852 else
791 853 # Create block map file for "bmaptool"
792 854 bmaptool create -o "$IMAGE_NAME.bmap" "$IMAGE_NAME.img"
793 855
794 856 # Image was successfully created
795 857 echo "$IMAGE_NAME.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
796 858
797 859 # Create qemu qcow2 image
798 860 if [ "$ENABLE_QEMU" = true ] ; then
799 861 QEMU_IMAGE=${QEMU_IMAGE:=${BASEDIR}/qemu/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
800 862 QEMU_SIZE=16G
801 863
802 864 qemu-img convert -f raw -O qcow2 "$IMAGE_NAME".img "$QEMU_IMAGE".qcow2
803 865 qemu-img resize "$QEMU_IMAGE".qcow2 $QEMU_SIZE
804 866
805 867 echo "$QEMU_IMAGE.qcow2 ($QEMU_SIZE)" ": successfully created"
806 868 fi
807 869 fi
1 NO CONTENT: file was removed