Raspi2-3_GenImage Commit - r589:ce9333651b6a · Collaboration Tremplin des Sciences

Merge pull request #22 from drtyhlpr/master...

Gérard Vidal -

r589:ce9333651b6a

parent child

Context file:

r589:ce9333651b6a

Expand all files

bootstrap.d/44-nexmon_monitor_patch.sh created 644 +97 0

@@ -0,0 +1,97
	1	#!/bin/sh
	2	#
	3	# Build and Setup nexmon with monitor mode patch
	4	#
	5
	6	# Load utility functions
	7	. ./functions.sh
	8
	9	if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
	10	# Copy existing nexmon sources into chroot directory
	11	if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
	12	# Copy local U-Boot sources
	13	cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
	14	else
	15	# Create temporary directory for nexmon sources
	16	temp_dir=$(as_nobody mktemp -d)
	17
	18	# Fetch nexmon sources
	19	as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
	20
	21	# Copy downloaded nexmon sources
	22	mv "${temp_dir}/nexmon" "${R}"/tmp/
	23
	24	# Set permissions of the nexmon sources
	25	chown -R root:root "${R}"/tmp/nexmon
	26
	27	# Remove temporary directory for nexmon sources
	28	rm -fr "${temp_dir}"
	29	fi
	30
	31	# Set script Root
	32	export NEXMON_ROOT="${R}"/tmp/nexmon
	33
	34	# Build nexmon firmware outside the build system, if we can.
	35	cd "${NEXMON_ROOT}" \|\| exit
	36
	37	# Make ancient isl build
	38	cd buildtools/isl-0.10 \|\| exit
	39	./configure
	40	make
	41	cd ../.. \|\| exit
	42
	43	# Disable statistics
	44	touch DISABLE_STATISTICS
	45
	46	# Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
	47	export KERNEL="${KERNEL_IMAGE}"
	48	export ARCH=arm
	49	export SUBARCH=arm
	50	export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	51	export CC="${CC}"gcc
	52	export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
	53	export ZLIBFLATE="zlib-flate -compress"
	54	export Q=@
	55	export NEXMON_SETUP_ENV=1
	56	export HOSTUNAME=$(uname -s)
	57	export PLATFORMUNAME=$(uname -m)
	58
	59	# Make nexmon
	60	make
	61
	62	# build patches
	63	if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] ; then
	64	cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon \|\| exit
	65	sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
	66	make clean
	67
	68	# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
	69	LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	70
	71	# copy RPi0W & RPi3 firmware
	72	mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
	73	cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
	74	cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
	75	fi
	76
	77	if [ "$RPI_MODEL" = 3P ] ; then
	78	cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon \|\| exit
	79	sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
	80	make clean
	81
	82	# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
	83	LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
	84
	85	# RPi3B+ firmware
	86	mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
	87	cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
	88	cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
	89	fi
	90
	91	#Revert to previous directory
	92	cd "${WORKDIR}" \|\| exit
	93
	94	# Remove nexmon sources
	95	rm -fr "${NEXMON_ROOT}"
	96
	97	fi

files/firstboot/23-restart-dphys-swapfile.sh created 644 +5 0

@@ -0,0 +1,5
	1	# Restart dphys-swapfile service if it exists
	2	logger -t "rc.firstboot" "Restarting dphys-swapfile"
	3
	4	systemctl enable dphys-swapfile
	5	systemctl restart dphys-swapfile

files/initramfs/crypt_unlock.sh created 644 +45 0

@@ -0,0 +1,45
	1	#!/bin/sh
	2
	3	PREREQ="dropbear"
	4
	5	prereqs() {
	6	echo "$PREREQ"
	7	}
	8
	9	case "$1" in
	10	prereqs)
	11	prereqs
	12	exit 0
	13	;;
	14	esac
	15
	16	. "${CONFDIR}/initramfs.conf"
	17	. /usr/share/initramfs-tools/hook-functions
	18
	19	if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
	20	cat > "${DESTDIR}/bin/unlock" << EOF
	21	#!/bin/sh
	22	if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
	23	kill \`ps \| grep cryptroot \| grep -v "grep" \| awk '{print \$1}'\`
	24	# following line kill the remote shell right after the passphrase has
	25	# been entered.
	26	kill -9 \`ps \| grep "\-sh" \| grep -v "grep" \| awk '{print \$1}'\`
	27	exit 0
	28	fi
	29	exit 1
	30	EOF
	31
	32	chmod 755 "${DESTDIR}/bin/unlock"
	33
	34	mkdir -p "${DESTDIR}/lib/unlock"
	35	cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
	36	#!/bin/sh
	37	[ "\$1" == "--ping" ] && exit 1
	38	/bin/plymouth "\$@"
	39	EOF
	40
	41	chmod 755 "${DESTDIR}/lib/unlock/plymouth"
	42
	43	echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
	44
	45	fi No newline at end of file

files/sysctl.d/84-rpi-ASLR.conf created 644 +2 0

@@ -0,0 +1,2
	1	# ASLR
	2	kernel.randomize_va_space = 2 No newline at end of file

README.md +48 0

             ##### `APT_PROXY`=""
             Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
+            ##### `KEEP_APT_PROXY`=false
+            Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
             ##### `APT_INCLUDES`=""
             A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
             ##### `EXPANDROOT`=true
             Expand the root partition and filesystem automatically on first boot.
+            ##### `ENABLE_DPHYSSWAP`=true
+            Enable swap. The size of the swapfile is chosen relative to the size of the root partition. It'll use the `dphys-swapfile` package for that.
             ##### `ENABLE_QEMU`=false
             Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file.
             ---
             #### Advanced system features:
+            ##### `ENABLE_SYSTEMDSWAP`=false
+            Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
             ##### `ENABLE_MINBASE`=false
             Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
             ##### `VIDEOCORESRC_DIR`=""
             Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
+            ##### `ENABLE_NEXMON`=false
+            Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
+            ##### `NEXMONSRC_DIR`=""
+            Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
             ##### `ENABLE_IPTABLES`=false
             Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
             ##### `ENABLE_IFNAMES`=true
             Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
+            ##### `ENABLE_SPLASH`=true
+            Enable default Raspberry Pi boot up rainbow splash screen.
+            ##### `ENABLE_LOGO`=true
+            Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
+            ##### `ENABLE_SILENT_BOOT`=false
+            Set the verbosity of console messages shown during boot up to a strict minimum.
             ##### `DISABLE_UNDERVOLT_WARNINGS`=
             Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
             ##### `RPI_FIRMWARE_DIR`=""
             The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
+            ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
+            Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
+            ##### `KERNEL_NF`=false
+            Enable Netfilter modules as kernel modules
+            ##### `KERNEL_VIRT`=false
+            Enable Kernel KVM support (/dev/kvm)
+            ##### `KERNEL_ZSWAP`=false
+            Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
+            ##### `KERNEL_BPF`=true
+            Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
+            ##### `KERNEL_SECURITY`=false
+            Enables Apparmor, integrity subsystem, auditing.
             ---
             #### Reduce disk usage:
             ##### `CRYPTFS_XTSKEYSIZE`=512
             Sets key size in bits. The argument has to be a multiple of 8.
+            ##### `CRYPTFS_DROPBEAR`=false
+            Enable Dropbear Initramfs support
+            ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
+            Provide path to dropbear Public RSA-OpenSSH Key
             ---
             #### Build settings:

bootstrap.d/11-apt.sh +7 0

               sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
             fi
+            # Install APT sources.list
+            install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
+            # Use specified APT server and release
+            sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+            sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
             # Upgrade package index and update all installed packages and changed dependencies
             chroot_exec apt-get -qq -y update
             chroot_exec apt-get -qq -y -u dist-upgrade

bootstrap.d/13-kernel.sh +370 -10

@@ -5,6 +5,14
5	# Load utility functions	5	# Load utility functions
6	. ./functions.sh	6	. ./functions.sh
7		7
		8	# Need to use kali kernel src if nexmon is enabled
		9	if [ "$ENABLE_NEXMON" = true ] ; then
		10	KERNEL_URL="${KALI_KERNEL_URL}"
		11	# Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
		12	KERNEL_BRANCH=""
		13	KERNELSRC_DIR=""
		14	fi
		15
8	# Fetch and build latest raspberry kernel	16	# Fetch and build latest raspberry kernel
9	if [ "$BUILD_KERNEL" = true ] ; then	17	if [ "$BUILD_KERNEL" = true ] ; then
10	# Setup source directory	18	# Setup source directory
@@ -87,6 +95,296 if [ "$BUILD_KERNEL" = true ] ; then
87	# Load default raspberry kernel configuration	95	# Load default raspberry kernel configuration
88	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"	96	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
89		97
		98	#Switch to KERNELSRC_DIR so we can use set_kernel_config
		99	cd "${KERNEL_DIR}" \|\| exit
		100
		101	if [ "$KERNEL_ARCH" = arm64 ] ; then
		102	#Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
		103	# use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
		104	set_kernel_config CONFIG_MMC_BCM2835 n
		105	set_kernel_config CONFIG_MMC_SDHCI_IPROC n
		106	set_kernel_config CONFIG_USB_DWC2 n
		107	sed -i "s\|depends on MMC_BCM2835_MMC && MMC_BCM2835_DMA\|depends on MMC_BCM2835_MMC\|" "${KERNEL_DIR}"/drivers/mmc/host/Kconfig
		108
		109	#VLAN got disabled without reason in arm64bit
		110	set_kernel_config CONFIG_IPVLAN m
		111	fi
		112
		113	# enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
		114	if [ "$KERNEL_ZSWAP" = true ] ; then
		115	set_kernel_config CONFIG_ZPOOL y
		116	set_kernel_config CONFIG_ZSWAP y
		117	set_kernel_config CONFIG_ZBUD y
		118	set_kernel_config CONFIG_Z3FOLD y
		119	set_kernel_config CONFIG_ZSMALLOC y
		120	set_kernel_config CONFIG_PGTABLE_MAPPING y
		121	set_kernel_config CONFIG_LZO_COMPRESS y
		122
		123	fi
		124
		125	# enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
		126	if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; } ; then
		127	set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
		128	set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
		129	set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
		130	set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
		131	set_kernel_config CONFIG_HAVE_KVM_IRQFD y
		132	set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
		133	set_kernel_config CONFIG_HAVE_KVM_MSI y
		134	set_kernel_config CONFIG_KVM y
		135	set_kernel_config CONFIG_KVM_ARM_HOST y
		136	set_kernel_config CONFIG_KVM_ARM_PMU y
		137	set_kernel_config CONFIG_KVM_COMPAT y
		138	set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
		139	set_kernel_config CONFIG_KVM_MMIO y
		140	set_kernel_config CONFIG_KVM_VFIO y
		141	set_kernel_config CONFIG_VHOST m
		142	set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
		143	set_kernel_config CONFIG_VHOST_NET m
		144	set_kernel_config CONFIG_VIRTUALIZATION y
		145
		146	set_kernel_config CONFIG_MMU_NOTIFIER y
		147
		148	# erratum
		149	set_kernel_config ARM64_ERRATUM_834220 y
		150
		151	# https://sourceforge.net/p/kvm/mailman/message/18440797/
		152	set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
		153	fi
		154
		155	# enable apparmor,integrity audit,
		156	if [ "$KERNEL_SECURITY" = true ] ; then
		157
		158	# security filesystem, security models and audit
		159	set_kernel_config CONFIG_SECURITYFS y
		160	set_kernel_config CONFIG_SECURITY y
		161	set_kernel_config CONFIG_AUDIT y
		162
		163	# harden strcpy and memcpy
		164	set_kernel_config CONFIG_HARDENED_USERCOPY y
		165	set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR y
		166	set_kernel_config CONFIG_FORTIFY_SOURCE y
		167
		168	# integrity sub-system
		169	set_kernel_config CONFIG_INTEGRITY y
		170	set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
		171	set_kernel_config CONFIG_INTEGRITY_AUDIT y
		172	set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
		173	set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y
		174
		175	# This option provides support for retaining authentication tokens and access keys in the kernel.
		176	set_kernel_config CONFIG_KEYS y
		177	set_kernel_config CONFIG_KEYS_COMPAT y
		178
		179	# Apparmor
		180	set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
		181	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
		182	set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
		183	set_kernel_config CONFIG_SECURITY_APPARMOR y
		184	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
		185	set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
		186
		187	# restrictions on unprivileged users reading the kernel
		188	set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y
		189
		190	# network security hooks
		191	set_kernel_config CONFIG_SECURITY_NETWORK y
		192	set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
		193	set_kernel_config CONFIG_SECURITY_PATH y
		194	set_kernel_config CONFIG_SECURITY_YAMA n
		195
		196	# New Options
		197	if [ "$KERNEL_NF" = true ] ; then
		198	set_kernel_config CONFIG_IP_NF_SECURITY m
		199	set_kernel_config CONFIG_NETLABEL y
		200	set_kernel_config CONFIG_IP6_NF_SECURITY m
		201	fi
		202	set_kernel_config CONFIG_SECURITY_SELINUX n
		203	set_kernel_config CONFIG_SECURITY_SMACK n
		204	set_kernel_config CONFIG_SECURITY_TOMOYO n
		205	set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
		206	set_kernel_config CONFIG_SECURITY_LOADPIN n
		207	set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
		208	set_kernel_config CONFIG_IMA n
		209	set_kernel_config CONFIG_EVM n
		210	set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
		211	set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
		212	set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
		213	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
		214	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
		215	set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
		216	set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
		217	set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
		218	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
		219	set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
		220
		221	set_kernel_config CONFIG_ARM64_CRYPTO y
		222	set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
		223	set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
		224	set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
		225	set_kernel_config CRYPTO_GHASH_ARM64_CE m
		226	set_kernel_config CRYPTO_SHA2_ARM64_CE m
		227	set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
		228	set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
		229	set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
		230	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
		231	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
		232	set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
		233	set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
		234	set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
		235	set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
		236	set_kernel_config SYSTEM_TRUSTED_KEYS
		237	fi
		238
		239	# Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
		240	if [ "$KERNEL_NF" = true ] ; then
		241	set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
		242	set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
		243	set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
		244	set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
		245	set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
		246	set_kernel_config CONFIG_NFT_FIB_INET m
		247	set_kernel_config CONFIG_NFT_FIB_IPV4 m
		248	set_kernel_config CONFIG_NFT_FIB_IPV6 m
		249	set_kernel_config CONFIG_NFT_FIB_NETDEV m
		250	set_kernel_config CONFIG_NFT_OBJREF m
		251	set_kernel_config CONFIG_NFT_RT m
		252	set_kernel_config CONFIG_NFT_SET_BITMAP m
		253	set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
		254	set_kernel_config CONFIG_NF_LOG_ARP m
		255	set_kernel_config CONFIG_NF_SOCKET_IPV4 m
		256	set_kernel_config CONFIG_NF_SOCKET_IPV6 m
		257	set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
		258	set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
		259	set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
		260	set_kernel_config CONFIG_IP6_NF_IPTABLES m
		261	set_kernel_config CONFIG_IP6_NF_MATCH_AH m
		262	set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
		263	set_kernel_config CONFIG_IP6_NF_NAT m
		264	set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
		265	set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
		266	set_kernel_config CONFIG_IP_NF_SECURITY m
		267	set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
		268	set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
		269	set_kernel_config CONFIG_IP_SET_HASH_IP m
		270	set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
		271	set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
		272	set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
		273	set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
		274	set_kernel_config CONFIG_IP_SET_HASH_MAC m
		275	set_kernel_config CONFIG_IP_SET_HASH_NET m
		276	set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
		277	set_kernel_config CONFIG_IP_SET_HASH_NETNET m
		278	set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
		279	set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
		280	set_kernel_config CONFIG_IP_SET_LIST_SET m
		281	set_kernel_config CONFIG_NETFILTER_XTABLES m
		282	set_kernel_config CONFIG_NETFILTER_XTABLES m
		283	set_kernel_config CONFIG_NFT_BRIDGE_META m
		284	set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
		285	set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
		286	set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
		287	set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
		288	set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
		289	set_kernel_config CONFIG_NFT_COMPAT m
		290	set_kernel_config CONFIG_NFT_COUNTER m
		291	set_kernel_config CONFIG_NFT_CT m
		292	set_kernel_config CONFIG_NFT_DUP_IPV4 m
		293	set_kernel_config CONFIG_NFT_DUP_IPV6 m
		294	set_kernel_config CONFIG_NFT_DUP_NETDEV m
		295	set_kernel_config CONFIG_NFT_EXTHDR m
		296	set_kernel_config CONFIG_NFT_FWD_NETDEV m
		297	set_kernel_config CONFIG_NFT_HASH m
		298	set_kernel_config CONFIG_NFT_LIMIT m
		299	set_kernel_config CONFIG_NFT_LOG m
		300	set_kernel_config CONFIG_NFT_MASQ m
		301	set_kernel_config CONFIG_NFT_MASQ_IPV4 m
		302	set_kernel_config CONFIG_NFT_MASQ_IPV6 m
		303	set_kernel_config CONFIG_NFT_META m
		304	set_kernel_config CONFIG_NFT_NAT m
		305	set_kernel_config CONFIG_NFT_NUMGEN m
		306	set_kernel_config CONFIG_NFT_QUEUE m
		307	set_kernel_config CONFIG_NFT_QUOTA m
		308	set_kernel_config CONFIG_NFT_REDIR m
		309	set_kernel_config CONFIG_NFT_REDIR_IPV4 m
		310	set_kernel_config CONFIG_NFT_REDIR_IPV6 m
		311	set_kernel_config CONFIG_NFT_REJECT m
		312	set_kernel_config CONFIG_NFT_REJECT_INET m
		313	set_kernel_config CONFIG_NFT_REJECT_IPV4 m
		314	set_kernel_config CONFIG_NFT_REJECT_IPV6 m
		315	set_kernel_config CONFIG_NFT_SET_HASH m
		316	set_kernel_config CONFIG_NFT_SET_RBTREE m
		317	set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
		318	set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
		319	set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
		320	set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
		321	set_kernel_config CONFIG_NF_DUP_IPV4 m
		322	set_kernel_config CONFIG_NF_DUP_IPV6 m
		323	set_kernel_config CONFIG_NF_DUP_NETDEV m
		324	set_kernel_config CONFIG_NF_LOG_BRIDGE m
		325	set_kernel_config CONFIG_NF_LOG_IPV4 m
		326	set_kernel_config CONFIG_NF_LOG_IPV6 m
		327	set_kernel_config CONFIG_NF_NAT_IPV4 m
		328	set_kernel_config CONFIG_NF_NAT_IPV6 m
		329	set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
		330	set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
		331	set_kernel_config CONFIG_NF_NAT_PPTP m
		332	set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
		333	set_kernel_config CONFIG_NF_NAT_REDIRECT m
		334	set_kernel_config CONFIG_NF_NAT_SIP m
		335	set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
		336	set_kernel_config CONFIG_NF_NAT_TFTP m
		337	set_kernel_config CONFIG_NF_REJECT_IPV4 m
		338	set_kernel_config CONFIG_NF_REJECT_IPV6 m
		339	set_kernel_config CONFIG_NF_TABLES m
		340	set_kernel_config CONFIG_NF_TABLES_ARP m
		341	set_kernel_config CONFIG_NF_TABLES_BRIDGE m
		342	set_kernel_config CONFIG_NF_TABLES_INET m
		343	set_kernel_config CONFIG_NF_TABLES_IPV4 m
		344	set_kernel_config CONFIG_NF_TABLES_IPV6 m
		345	set_kernel_config CONFIG_NF_TABLES_NETDEV m
		346	fi
		347
		348	# Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
		349	if [ "$KERNEL_BPF" = true ] ; then
		350	set_kernel_config CONFIG_BPF_SYSCALL y
		351	set_kernel_config CONFIG_BPF_EVENTS y
		352	set_kernel_config CONFIG_BPF_STREAM_PARSER y
		353	set_kernel_config CONFIG_CGROUP_BPF y
		354	fi
		355
		356	# KERNEL_DEFAULT_GOV was set by user
		357	if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
		358
		359	case "$KERNEL_DEFAULT_GOV" in
		360	performance)
		361	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
		362	;;
		363	userspace)
		364	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
		365	;;
		366	ondemand)
		367	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
		368	;;
		369	conservative)
		370	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
		371	;;
		372	shedutil)
		373	set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
		374	;;
		375	*)
		376	echo "error: unsupported default cpu governor"
		377	exit 1
		378	;;
		379	esac
		380
		381	# unset previous default governor
		382	unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
		383	fi
		384
		385	#Revert to previous directory
		386	cd "${WORKDIR}" \|\| exit
		387
90	# Set kernel configuration parameters to enable qemu emulation	388	# Set kernel configuration parameters to enable qemu emulation
91	if [ "$ENABLE_QEMU" = true ] ; then	389	if [ "$ENABLE_QEMU" = true ] ; then
92	echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config	390	echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config
@@ -126,6 +424,7 if [ "$BUILD_KERNEL" = true ] ; then
126	if [ "$KERNEL_MENUCONFIG" = true ] ; then	424	if [ "$KERNEL_MENUCONFIG" = true ] ; then
127	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig	425	make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
128	fi	426	fi
		427	# end if "$KERNELSRC_CONFIG" = true
129	fi	428	fi
130		429
131	# Use ccache to cross compile the kernel	430	# Use ccache to cross compile the kernel
@@ -142,6 +441,7 if [ "$BUILD_KERNEL" = true ] ; then
142	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then	441	if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then
143	make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules	442	make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules
144	fi	443	fi
		444	# end if "$KERNELSRC_PREBUILT" = false
145	fi	445	fi
146		446
147	# Check if kernel compilation was successful	447	# Check if kernel compilation was successful
@@ -201,7 +501,7 if [ "$BUILD_KERNEL" = true ] ; then
201		501
202	# Copy compiled dtb device tree files	502	# Copy compiled dtb device tree files
203	if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then	503	if [ -d "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays" ] ; then
204	for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb ; do	504	for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtbo ; do
205	if [ -f "${dtb}" ] ; then	505	if [ -f "${dtb}" ] ; then
206	install_readonly "${dtb}" "${BOOT_DIR}/overlays/"	506	install_readonly "${dtb}" "${BOOT_DIR}/overlays/"
207	fi	507	fi
@@ -237,19 +537,79 if [ "$BUILD_KERNEL" = true ] ; then
237	fi	537	fi
238		538
239	else # BUILD_KERNEL=false	539	else # BUILD_KERNEL=false
240	# Kernel installation	540	if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; } ; then
241	chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel	541
		542	# Use Sakakis modified kernel if ZSWAP is active
		543	if [ "$KERNEL_ZSWAP" = true ] \|\| [ "$KERNEL_VIRT" = true ] \|\| [ "$KERNEL_NF" = true ] \|\| [ "$KERNEL_BPF" = true ] ; then
		544	RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
		545	fi
		546
		547	# Create temporary directory for dl
		548	temp_dir=$(as_nobody mktemp -d)
		549
		550	# Fetch kernel dl
		551	as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
242		552
243	# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot	553	#extract download
244	chroot_exec apt-get -qq -y install flash-kernel	554	tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
		555
		556	#move extracted kernel to /boot/firmware
		557	mkdir "${R}/boot/firmware"
		558	cp "${temp_dir}"/boot/* "${R}"/boot/firmware/
		559	cp -r "${temp_dir}"/lib/* "${R}"/lib/
		560
		561	# Remove temporary directory for kernel sources
		562	rm -fr "${temp_dir}"
		563
		564	# Set permissions of the kernel sources
		565	chown -R root:root "${R}/boot/firmware"
		566	chown -R root:root "${R}/lib/modules"
		567	fi
		568
		569	# Install Kernel from hypriot comptabile with all Raspberry PI
		570	if [ "$SET_ARCH" = 32 ] ; then
		571	# Create temporary directory for dl
		572	temp_dir=$(as_nobody mktemp -d)
		573
		574	# Fetch kernel
		575	as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
		576
		577	# Copy downloaded U-Boot sources
		578	mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
		579
		580	# Set permissions
		581	chown -R root:root "${R}"/tmp/kernel.deb
		582
		583	# Install kernel
		584	chroot_exec dpkg -i /tmp/kernel.deb
		585
		586	# move /boot to /boot/firmware to fit script env.
		587	#mkdir "${BOOT_DIR}"
		588	mkdir "${temp_dir}"/firmware
		589	mv "${R}"/boot/* "${temp_dir}"/firmware/
		590	mv "${temp_dir}"/firmware "${R}"/boot/
		591
		592	#same for kernel headers
		593	if [ "$KERNEL_HEADERS" = true ] ; then
		594	# Fetch kernel header
		595	as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL"
		596	mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb
		597	chown -R root:root "${R}"/tmp/kernel-header.deb
		598	# Install kernel header
		599	chroot_exec dpkg -i /tmp/kernel-header.deb
		600	rm -f "${R}"/tmp/kernel-header.deb
		601	fi
		602
		603	# Remove temporary directory and files
		604	rm -fr "${temp_dir}"
		605	rm -f "${R}"/tmp/kernel.deb
		606	fi
245		607
246	# Check if kernel installation was successful	608	# Check if kernel installation was successful
247	~~VMLINUZ~~="$(ls -1 "${R}"/boot/~~vmlinuz-~~* \| sort \| tail -n 1)"	609	KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* \| sort \| tail -n 1)"
248	if [ -z "$~~VMLINUZ~~" ] ; then	610	if [ -z "$KERNEL" ] ; then
249	echo "error: kernel installation failed! (/boot/~~vmlinuz-~~* not found)"	611	echo "error: kernel installation failed! (/boot/kernel* not found)"
250	cleanup	612	cleanup
251	exit 1	613	exit 1
252	fi	614	fi
253	# Copy vmlinuz kernel to the boot directory
254	install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}"
255	fi	615	fi

bootstrap.d/14-fstab.sh +59 -2

@@ -23,13 +23,21 if [ "$ENABLE_CRYPTFS" = true ] ; then
23	echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"	23	echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24		24
25	if [ "$ENABLE_SPLITFS" = true ] ; then	25	if [ "$ENABLE_SPLITFS" = true ] ; then
26	# Add usb/sda disk to crypttab	26	# Add usb/sda1 disk to crypttab
27	sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"	27	sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28	fi	28	fi
29	fi	29	fi
30		30
		31	if [ "$ENABLE_USBBOOT" = true ] ; then
		32	sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
		33	sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
		34
		35	# Add usb/sda2 disk to crypttab
		36	sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
		37	fi
		38
31	# Generate initramfs file	39	# Generate initramfs file
32	if [ "~~$BUILD_KERNEL~~" = ~~true~~ ] && [ "$ENABLE_INITRAMFS" = true ] ; then	40	if [ "$ENABLE_INITRAMFS" = true ] ; then
33	if [ "$ENABLE_CRYPTFS" = true ] ; then	41	if [ "$ENABLE_CRYPTFS" = true ] ; then
34	# Include initramfs scripts to auto expand encrypted root partition	42	# Include initramfs scripts to auto expand encrypted root partition
35	if [ "$EXPANDROOT" = true ] ; then	43	if [ "$EXPANDROOT" = true ] ; then
@@ -38,8 +46,57 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
38	install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"	46	install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
39	fi	47	fi
40		48
		49	if [ "$ENABLE_DHCP" = false ] ; then
		50	# Get cdir from NET_ADDRESS e.g. 24
		51	cdir=$(${NET_ADDRESS} \| cut -d '/' -f2)
		52
		53	# Convert cdir ro netmask e.g. 24 to 255.255.255.0
		54	NET_MASK=$(cdr2mask "$cdir")
		55
		56	# Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
		57	sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
		58
		59	# Regenerate initramfs
		60	chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
		61	fi
		62
		63	if [ "$CRYPTFS_DROPBEAR" = true ]; then
		64	if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
		65	install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
		66	cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
		67	else
		68	# Create key
		69	chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
		70
		71	# Convert dropbear key to openssh key
		72	chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
		73
		74	# Get Public Key Part
		75	chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear \| chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
		76
		77	# Delete unwanted lines
		78	sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
		79	sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
		80
		81	# Trust the new key
		82	cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
		83
		84	# Save Keys - convert with putty from rsa/openssh to puttkey
		85	cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
		86
		87	# Get unlock script
		88	install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
		89
		90	# Enable Dropbear inside initramfs
		91	printf "#\n# DROPBEAR: [ y \| n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
		92
		93	# Enable Dropbear inside initramfs
		94	sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
		95	fi
		96	else
41	# Disable SSHD inside initramfs	97	# Disable SSHD inside initramfs
42	printf "#\n# DROPBEAR: [ y \| n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"	98	printf "#\n# DROPBEAR: [ y \| n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
		99	fi
43		100
44	# Add cryptsetup modules to initramfs	101	# Add cryptsetup modules to initramfs
45	printf "#\n# CRYPTSETUP: [ y \| n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"	102	printf "#\n# CRYPTSETUP: [ y \| n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"

bootstrap.d/15-rpi-config.sh +109 -38

@@ -5,7 +5,6
5	# Load utility functions	5	# Load utility functions
6	. ./functions.sh	6	. ./functions.sh
7		7
8	if [ "$BUILD_KERNEL" = true ] ; then
9	if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then	8	if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
10	# Install boot binaries from local directory	9	# Install boot binaries from local directory
11	cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin	10	cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
@@ -38,13 +37,16 if [ "$BUILD_KERNEL" = true ] ; then
38	chown -R root:root "${BOOT_DIR}"	37	chown -R root:root "${BOOT_DIR}"
39	chmod -R 600 "${BOOT_DIR}"	38	chmod -R 600 "${BOOT_DIR}"
40	fi	39	fi
41	fi
42		40
43	# Setup firmware boot cmdline	41	# Setup firmware boot cmdline
		42	if [ "$ENABLE_USBBOOT" = true ] ; then
		43	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
		44	else
44	if [ "$ENABLE_SPLITFS" = true ] ; then	45	if [ "$ENABLE_SPLITFS" = true ] ; then
45	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline ~~rootwait~~ console=tty1 init=/bin/systemd"	46	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
46	else	47	else
47	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline ~~rootwait~~ console=tty1 init=/bin/systemd"	48	CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
		49	fi
48	fi	50	fi
49		51
50	# Add encrypted root partition to cmdline.txt	52	# Add encrypted root partition to cmdline.txt
@@ -52,26 +54,65 if [ "$ENABLE_CRYPTFS" = true ] ; then
52	if [ "$ENABLE_SPLITFS" = true ] ; then	54	if [ "$ENABLE_SPLITFS" = true ] ; then
53	CMDLINE=$(echo "${CMDLINE}" \| sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")	55	CMDLINE=$(echo "${CMDLINE}" \| sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
54	else	56	else
		57	if [ "$ENABLE_USBBOOT" = true ] ; then
		58	CMDLINE=$(echo "${CMDLINE}" \| sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
		59	else
55	CMDLINE=$(echo "${CMDLINE}" \| sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")	60	CMDLINE=$(echo "${CMDLINE}" \| sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
56	fi	61	fi
57	fi	62	fi
58
59	#locks cpu at max frequency
60	if [ "$ENABLE_TURBO" = true ] ; then
61	echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
62	fi	63	fi
63		64
		65	# Enable Kernel messages on standard output
64	if [ "$ENABLE_PRINTK" = true ] ; then	66	if [ "$ENABLE_PRINTK" = true ] ; then
65	install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"	67	install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
66	fi	68	fi
67		69
68	# Install udev rule for serial alias	70	# Enable Kernel messages on standard output
		71	if [ "$KERNEL_SECURITY" = true ] ; then
		72	install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
		73	fi
		74
		75	# Install udev rule for serial alias - serial0 = console serial1=bluetooth
69	install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"	76	install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
70		77
71	if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; then	78	# Remove IPv6 networking support
		79	if [ "$ENABLE_IPV6" = false ] ; then
		80	CMDLINE="${CMDLINE} ipv6.disable=1"
		81	fi
72		82
73	# RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface	83	# Automatically assign predictable network interface names
74	SET_SERIAL="ttyS0"	84	if [ "$ENABLE_IFNAMES" = false ] ; then
		85	CMDLINE="${CMDLINE} net.ifnames=0"
		86	else
		87	CMDLINE="${CMDLINE} net.ifnames=1"
		88	fi
		89
		90	# Disable Raspberry Pi console logo
		91	if [ "$ENABLE_LOGO" = false ] ; then
		92	CMDLINE="${CMDLINE} logo.nologo"
		93	fi
		94
		95	# Strictly limit verbosity of boot up console messages
		96	if [ "$ENABLE_SILENT_BOOT" = true ] ; then
		97	CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
		98	fi
		99
		100	# Install firmware config
		101	install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
		102
		103	# Disable Raspberry Pi console logo
		104	if [ "$ENABLE_SLASH" = false ] ; then
		105	echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
		106	fi
		107
		108	# Locks CPU frequency at maximum
		109	if [ "$ENABLE_TURBO" = true ] ; then
		110	echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
		111	# helps to avoid sdcard corruption when force_turbo is enabled.
		112	echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
		113	fi
		114
		115	if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; then
75		116
76	# Bluetooth enabled	117	# Bluetooth enabled
77	if [ "$ENABLE_BLUETOOTH" = true ] ; then	118	if [ "$ENABLE_BLUETOOTH" = true ] ; then
@@ -95,6 +136,10 if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; then
95	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"	136	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
96	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"	137	install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
97		138
		139	# make scripts executable
		140	chmod +x "${R}/usr/bin/bthelper"
		141	chmod +x "${R}/usr/bin/btuart"
		142
98	# Install bluetooth udev rule	143	# Install bluetooth udev rule
99	install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"	144	install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
100		145
@@ -105,37 +150,28 if [ "$RPI_MODEL" = 0 ] \|\| [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ] ; then
105	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"	150	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
106	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"	151	install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
107		152
108	# Remove temporary directory	153	# Remove temporary directories
109	rm -fr "${temp_dir}"	154	rm -fr "${temp_dir}"
		155	rm -fr "${R}"/tmp/pi-bluetooth
110		156
111	# Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0	157	# Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
112	if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then	158	if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
113	SET_SERIAL="ttyAMA0"
114
115	# set overlay to swap ttyAMA0 and ttyS0	159	# set overlay to swap ttyAMA0 and ttyS0
116	echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"	160	echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
117		161
118	# if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
119	if [ "$ENABLE_TURBO" = false ] ; then	162	if [ "$ENABLE_TURBO" = false ] ; then
120	echo "core_freq=250" >> "${BOOT_DIR}/config.txt"	163	echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
121	fi	164	fi
122		165
		166	fi
		167
123	# Activate services	168	# Activate services
124	chroot_exec systemctl enable pi-bluetooth.hciuart.service	169	chroot_exec systemctl enable pi-bluetooth.hciuart.service
125	#chroot_exec systemctl enable pi-bluetooth.bthelper@.service
126	else
127	chroot_exec systemctl enable pi-bluetooth.hciuart.service
128	#chroot_exec systemctl enable pi-bluetooth.bthelper@.service
129	fi
130		170
131	else # if ENABLE_BLUETOOTH = false	171	else # if ENABLE_BLUETOOTH = false
132	# set overlay to disable bluetooth	172	# set overlay to disable bluetooth
133	echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"	173	echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
134	fi # ENABLE_BLUETOOTH end	174	fi # ENABLE_BLUETOOTH end
135
136	else
137	# RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface
138	SET_SERIAL="ttyAMA0"
139	fi	175	fi
140		176
141	# may need sudo systemctl disable hciuart	177	# may need sudo systemctl disable hciuart
@@ -144,32 +180,67 if [ "$ENABLE_CONSOLE" = true ] ; then
144	# add string to cmdline	180	# add string to cmdline
145	CMDLINE="${CMDLINE} console=serial0,115200"	181	CMDLINE="${CMDLINE} console=serial0,115200"
146		182
		183	if [ "$RPI_MODEL" = 3 ] \|\| [ "$RPI_MODEL" = 3P ]\|\| [ "$RPI_MODEL" = 0 ]; then
		184	# if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
		185	if [ "$ENABLE_TURBO" = false ] ; then
		186	echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
		187	fi
		188	fi
		189
147	# Enable serial console systemd style	190	# Enable serial console systemd style
148	chroot_exec systemctl enable serial-getty\@"~~$SET_SERIAL~~".service	191	chroot_exec systemctl enable serial-getty@serial0.service
149	else	192	else
150	echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"	193	echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
151	# disable serial console systemd style
152	chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
153	fi	194	fi
154		195
155	# Remove IPv6 networking support	196	# Disable dphys-swapfile service. Will get enabled on first boot
156	if [ "$ENABLE_~~IPV6~~" = ~~fals~~e ] ; then	197	if [ "$ENABLE_DPHYSSWAP" = true ] ; then
157	CMDLINE="${CMDLINE} ipv6.disable=1"	198	chroot_exec systemctl disable dphys-swapfile
158	fi	199	fi
159		200
160	# Automatically assign predictable network interface names	201	if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
161	if [ "$ENABLE_IFNAMES" = false ] ; then	202	# Create temporary directory for systemd-swap sources
162	CMDLINE="${CMDLINE} net.ifnames=0"	203	temp_dir=$(as_nobody mktemp -d)
		204
		205	# Fetch systemd-swap sources
		206	as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
		207
		208	# Copy downloaded systemd-swap sources
		209	mv "${temp_dir}/systemd-swap" "${R}/tmp/"
		210
		211	# Change into downloaded src dir
		212	cd "${R}/tmp/systemd-swap" \|\| exit
		213
		214	# Build package
		215	bash ./package.sh debian
		216
		217	# Change back into script root dir
		218	cd "${WORKDIR}" \|\| exit
		219
		220	# Set permissions of the systemd-swap sources
		221	chown -R root:root "${R}/tmp/systemd-swap"
		222
		223	# Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
		224	chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
		225
		226	# Enable service
		227	chroot_exec systemctl enable systemd-swap
		228
		229	# Remove temporary directory for systemd-swap sources
		230	rm -fr "${temp_dir}"
163	else	231	else
164	CMDLINE="${CMDLINE} net.ifnames=1"	232	# Enable ZSWAP in cmdline if systemd-swap is not used
		233	if [ "$KERNEL_ZSWAP" = true ] ; then
		234	CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
		235	fi
		236	fi
		237	if [ "$KERNEL_SECURITY" = true ] ; then
		238	CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
165	fi	239	fi
166		240
167	# Install firmware boot cmdline	241	# Install firmware boot cmdline
168	echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"	242	echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
169		243
170	# Install firmware config
171	install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
172
173	# Setup minimal GPU memory allocation size: 16MB (no X)	244	# Setup minimal GPU memory allocation size: 16MB (no X)
174	if [ "$ENABLE_MINGPU" = true ] ; then	245	if [ "$ENABLE_MINGPU" = true ] ; then
175	echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"	246	echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"

bootstrap.d/20-networking.sh +4 0

             # Install configuration for interface eth0
             install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
+            if [ "$RPI_MODEL" = 3P ] ; then
+            printf "\n[Link]\nGenericReceiveOffload=off\nTCPSegmentationOffload=off\nGenericSegmentationOffload=off" >> "${ETC_DIR}/systemd/network/eth.network"
+            fi
             # Install configuration for interface wl*
             install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"

bootstrap.d/21-firewall.sh +7 -1

               # Create iptables configuration directory
               mkdir -p "${ETC_DIR}/iptables"
-              # make sure iptables-legacy is the used alternatives
+              if [ "$KERNEL_NF" = false ] ; then
                 # iptables-save and -restore are slaves of iptables and thus are set accordingly
                 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
+              fi
               # Install iptables systemd service
               install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
               chroot_exec systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
+                if [ "$KERNEL_NF" = false ] ; then
+                  # iptables-save and -restore are slaves of iptables and thus are set accordingly
+                  chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
+            	fi
                 # Install ip6tables systemd service
                 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"

bootstrap.d/30-security.sh 0 -5

@@ -22,8 +22,3 else
22	# Set no root password to disable root login	22	# Set no root password to disable root login
23	chroot_exec usermod -p \'!\' root	23	chroot_exec usermod -p \'!\' root
24	fi	24	fi
25
26	# Enable serial console systemd style
27	if [ "$ENABLE_CONSOLE" = true ] ; then
28	chroot_exec systemctl enable serial-getty\@ttyAMA0.service
29	fi

bootstrap.d/41-uboot.sh +5 0

                 sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage"
               fi
+              # instead of sd, boot from usb device
+              if [ "$ENABLE_USBBOOT" = true ] ; then
+                sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"
+              fi
               # Set mkfile to use the correct dtb file
               sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage"

bootstrap.d/43-videocore.sh +3 0

               #back to root of scriptdir
               cd "${WORKDIR}"
+              # Remove videocore sources
+              rm -fr "${R}"/tmp/userland/
             fi

bootstrap.d/50-firstboot.sh +15 -10

             # Prepare rc.firstboot script
             cat files/firstboot/10-begin.sh > "${ETC_DIR}/rc.firstboot"
-            # Ensure openssh server host keys are regenerated on first boot
-            if [ "$ENABLE_SSHD" = true ] ; then
-              cat files/firstboot/21-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
-            fi
             # Prepare filesystem auto expand
             if [ "$EXPANDROOT" = true ] ; then
               if [ "$ENABLE_CRYPTFS" = false ] ; then
-                cat files/firstboot/22-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
+                cat files/firstboot/20-expandroot.sh >> "${ETC_DIR}/rc.firstboot"
               else
                 # Regenerate initramfs to remove encrypted root partition auto expand
-                cat files/firstboot/23-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
+                cat files/firstboot/21-regenerate-initramfs.sh >> "${ETC_DIR}/rc.firstboot"
+              fi
+              # Restart dphys-swapfile so the size of the swap file is relative to the resized root partition
+              if [ "$ENABLE_DPHYSSWAP" = true ] ; then
+                cat files/firstboot/23-restart-dphys-swapfile.sh >> "${ETC_DIR}/rc.firstboot"
+              fi
             fi
+            # Ensure openssh server host keys are regenerated on first boot
+            if [ "$ENABLE_SSHD" = true ] ; then
+              cat files/firstboot/30-generate-ssh-keys.sh >> "${ETC_DIR}/rc.firstboot"
             fi
             # Ensure that dbus machine-id exists
-            cat files/firstboot/24-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
+            cat files/firstboot/40-generate-machineid.sh >> "${ETC_DIR}/rc.firstboot"
             # Create /etc/resolv.conf symlink
-            cat files/firstboot/25-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
+            cat files/firstboot/41-create-resolv-symlink.sh >> "${ETC_DIR}/rc.firstboot"
             # Configure automatic network interface names
             if [ "$ENABLE_IFNAMES" = true ] ; then
-              cat files/firstboot/26-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
+              cat files/firstboot/42-config-ifnames.sh >> "${ETC_DIR}/rc.firstboot"
             fi
             # Finalize rc.firstboot script

files/apt/sources.list +6 -6

@@ -1,8 +1,8
1	deb http://ftp.debian.org/debian ~~jessie~~ main contrib	1	deb http://ftp.debian.org/debian stretch main contrib
2	#deb-src http://ftp.debian.org/debian ~~jessie~~ main contrib	2	#deb-src http://ftp.debian.org/debian stretch main contrib
3		3
4	deb http://ftp.debian.org/debian/ ~~jessie~~-updates main contrib	4	deb http://ftp.debian.org/debian/ stretch-updates main contrib
5	#deb-src http://ftp.debian.org/debian/ ~~jessie~~-updates main contrib	5	#deb-src http://ftp.debian.org/debian/ stretch-updates main contrib
6		6
7	deb http://security.debian.org/ ~~jessie~~/updates main contrib	7	deb http://security.debian.org/ stretch/updates main contrib
8	#deb-src http://security.debian.org/ ~~jessie~~/updates main contrib	8	#deb-src http://security.debian.org/ stretch/updates main contrib

files/firstboot/20-expandroot.sh ~~files/firstboot/22-expandroot.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/22-expandroot.sh to files/firstboot/20-expandroot.sh

files/firstboot/21-regenerate-initramfs.sh ~~files/firstboot/23-regenerate-initramfs.sh~~ renamed +1 0

             # Extract kernel arch
             case "${KERNEL_ARCH}" in
               arm*) KERNEL_ARCH=arm ;;
+              aarch64) KERNEL_ARCH=arm64 ;;
             esac
             # Regenerate initramfs

files/firstboot/30-generate-ssh-keys.sh ~~files/firstboot/21-generate-ssh-keys.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/21-generate-ssh-keys.sh to files/firstboot/30-generate-ssh-keys.sh

files/firstboot/40-generate-machineid.sh ~~files/firstboot/24-generate-machineid.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/24-generate-machineid.sh to files/firstboot/40-generate-machineid.sh

files/firstboot/41-create-resolv-symlink.sh ~~files/firstboot/25-create-resolv-symlink.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/25-create-resolv-symlink.sh to files/firstboot/41-create-resolv-symlink.sh

files/firstboot/42-config-ifnames.sh ~~files/firstboot/26-config-ifnames.sh~~ renamed 0 0

NO CONTENT: file renamed from files/firstboot/26-config-ifnames.sh to files/firstboot/42-config-ifnames.sh

functions.sh +42 -3

@@ -4,6 +4,17 cleanup (){
4	set +x	4	set +x
5	set +e	5	set +e
6		6
		7	# Remove exports from nexmon
		8	unset KERNEL
		9	unset ARCH
		10	unset SUBARCH
		11	unset CCPLUGIN
		12	unset ZLIBFLATE
		13	unset Q
		14	unset NEXMON_SETUP_ENV
		15	unset HOSTUNAME
		16	unset PLATFORMUNAME
		17
7	# Identify and kill all processes still using files	18	# Identify and kill all processes still using files
8	echo "killing processes using mount point ..."	19	echo "killing processes using mount point ..."
9	fuser -k "${R}"	20	fuser -k "${R}"
@@ -63,15 +74,43 chroot_install_cc() {
63	# Install c/c++ build environment inside the chroot	74	# Install c/c++ build environment inside the chroot
64	if [ -z "${COMPILER_PACKAGES}" ] ; then	75	if [ -z "${COMPILER_PACKAGES}" ] ; then
65	COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc \| grep "^Inst " \| awk -v ORS=" " '{ print $2 }')	76	COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc \| grep "^Inst " \| awk -v ORS=" " '{ print $2 }')
66	# Install COMPILER_PACKAGES in chroot	77	# Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot
67	chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}"	78	chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
68	fi	79	fi
69	}	80	}
70		81
71	chroot_remove_cc() {	82	chroot_remove_cc() {
72	# Remove c/c++ build environment from the chroot	83	# Remove c/c++ build environment from the chroot
73	if [ -n "${COMPILER_PACKAGES}" ] ; then	84	if [ -n "${COMPILER_PACKAGES}" ] ; then
74	chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}"	85	chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
75	COMPILER_PACKAGES=""	86	COMPILER_PACKAGES=""
76	fi	87	fi
77	}	88	}
		89
		90	# https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
		91	cdr2mask ()
		92	{
		93	# Number of args to shift, 255..255, first non-255 byte, zeroes
		94	set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
		95	[ $1 -gt 1 ] && shift $1 \|\| shift
		96	echo ${1-0}.${2-0}.${3-0}.${4-0}
		97	}
		98
		99	# GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
		100	set_kernel_config() {
		101	# flag as $1, value to set as $2, config must exist at "./.config"
		102	TGT="CONFIG_${1#CONFIG_}"
		103	REP="${2}"
		104	if grep -q "^${TGT}[^_]" .config; then
		105	sed -i "s/^$${TGT}=.*\\|# ${TGT} is not set$/${TGT}=${REP}/" .config
		106	else
		107	echo "${TGT}"="${2}" >> .config
		108	fi
		109	}
		110
		111	# unset kernel config parameter
		112	unset_kernel_config() {
		113	# unsets flag with the value of $1, config must exist at "./.config"
		114	TGT="CONFIG_${1#CONFIG_}"
		115	sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
		116	} No newline at end of file

rpi23-gen-image.sh +84 -22

             UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
             VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
             BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
+            NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
+            SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
+            # Kernel deb packages for 32bit kernel
+            RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
+            RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
+            # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
+            RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
+            # Default precompiled 64bit kernel
+            RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
+            # Generic
+            RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
+            # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
+            KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
             # Build directories
             WORKDIR=$(pwd)
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             EXPANDROOT=${EXPANDROOT:=true}
+            ENABLE_DPHYSSWAP=${ENABLE_DPHYSSWAP:=true}
             # Keyboard settings
             XKB_MODEL=${XKB_MODEL:=""}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
+            KEEP_APT_PROXY=${KEEP_APT_PROXY:=false}
             # Feature settings
             ENABLE_PRINTK=${ENABLE_PRINTK:=false}
             SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
             # Advanced settings
+            ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
             ENABLE_MINBASE=${ENABLE_MINBASE:=false}
             ENABLE_REDUCE=${ENABLE_REDUCE:=false}
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
+            ENABLE_USBBOOT=${ENABLE_USBBOOT=false}
             ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
             ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
+            ENABLE_NEXMON=${ENABLE_NEXMON:=false}
             VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
             FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
+            NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
             ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
             ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
+            ENABLE_SPLASH=${ENABLE_SPLASH:=true}
+            ENABLE_LOGO=${ENABLE_LOGO:=true}
+            ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}
             DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
             # Kernel compilation settings
             KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
             KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
             KERNEL_CCACHE=${KERNEL_CCACHE:=false}
+            KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
+            KERNEL_VIRT=${KERNEL_VIRT:=false}
+            KERNEL_BPF=${KERNEL_BPF:=false}
+            KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
+            KERNEL_SECURITY=${KERNEL_SECURITY:=false}
+            KERNEL_NF=${KERNEL_NF:=false}
             # Kernel compilation from source directory settings
             KERNELSRC_DIR=${KERNELSRC_DIR:=""}
             CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
             CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
             CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
+            #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
+            CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
+            #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
+            CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
             # Chroot scripts directory
             CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
             # Packages installed for c/c++ build environment in chroot (keep empty)
             COMPILER_PACKAGES=""
-            set +x
             # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
-            APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng |  cut -d ' ' -f3 | uniq)
+            APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
-            if [ -n "${APT_CACHER_RUNNING}" ] ; then
+            if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
               APT_PROXY=http://127.0.0.1:3142/
             fi
             # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
             if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
               # Include bluetooth packages on supported boards
-              if [ "$ENABLE_BLUETOOTH" = true ] && [ "$ENABLE_CONSOLE" = false ]; then
+              if [ "$ENABLE_BLUETOOTH" = true ] ; then
                 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
               fi
+              if [ "$ENABLE_WIRELESS" = true ] ; then
+                APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
+              fi
             else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
               # Check if the internal wireless interface is not supported by the RPi model
               if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
               fi
             fi
+            if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
+              echo "error: You have to compile kernel sources, if you want to enable nexmon"
+              exit 1
+            fi
             # Prepare date string for default image file name
             DATE="$(date +%Y-%m-%d)"
             if [ -z "$KERNEL_BRANCH" ] ; then
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
             fi
+            # Add deps for nexmon
+            if [ "$ENABLE_NEXMON" = true ] ; then
+              REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
+            fi
             # Add libncurses5 to enable kernel menuconfig
             if [ "$KERNEL_MENUCONFIG" = true ] ; then
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
               REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
               APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
+              # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
+              if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
+                APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
+              fi
               if [ -z "$CRYPTFS_PASSWORD" ] ; then
                 echo "error: no password defined (CRYPTFS_PASSWORD)!"
                 exit 1
               APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
             fi
-            if [ "$ENABLE_BLUETOOTH" = true ] ; then
+            if [ "$ENABLE_USBBOOT" = true ] ; then
-              if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
+              if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1P ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 2 ]; then
-                if [ "$ENABLE_CONSOLE" = false ] ; then
+                echo "error: Booting from USB alone is only supported by Raspberry Pi 3 and 3P"
-            	  APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
+                exit 1
-            	fi
               fi
             fi
               fi
             fi
+            if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
+              echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
+              exit 1
+            fi
             # Check if all required packages are installed on the build system
             for package in $REQUIRED_PACKAGES ; do
               if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
               exit 1
             fi
+            # Check if specified NEXMONSRC_DIR directory exists
+            if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
+              echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
+              exit 1
+            fi
             # Check if specified CHROOT_SCRIPTS directory exists
             if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
                echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
               APT_INCLUDES="${APT_INCLUDES},parted"
             fi
+            # Add dphys-swapfile package, required to enable swap
+            if [ "$ENABLE_DPHYSSWAP" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},dphys-swapfile"
+            fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             if [ "$ENABLE_IPTABLES" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
             fi
+            # Add apparmor for KERNEL_SECURITY
+            if [ "$KERNEL_SECURITY" = true ] ; then
+              APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
+            fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
             fi
-            # Check if kernel is getting compiled
-            if [ "$BUILD_KERNEL" = false ] ; then
-              echo "Downloading precompiled kernel"
-              echo "error: not configured"
-              exit 1;
-            # BUILD_KERNEL=true
-            else
-              echo "No precompiled kernel repositories were added"
-            fi
             # Configure kernel sources if no KERNELSRC_DIR
             if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
               KERNELSRC_CONFIG=true
             rm -rf "${R}/run/*"
             rm -rf "${R}/tmp/*"
+            # Clean up APT proxy settings
+            if [ "$KEEP_APT_PROXY" = false ] ; then
+              rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
+            fi
             # Clean up files
             rm -f "${ETC_DIR}/ssh/ssh_host_*"
             rm -f "${ETC_DIR}/dropbear/dropbear_*"
             rm -f "${ETC_DIR}/apt/sources.list.save"
             rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
             rm -f "${ETC_DIR}/*-"
-            rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
             rm -f "${ETC_DIR}/resolv.conf"
             rm -f "${R}/root/.bash_history"
             rm -f "${R}/var/lib/urandom/random-seed"
                 # Setup overlays dtbs directory
                 mkdir "${BASEDIR}/qemu/overlays"
-                for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do
+                for dtb in "${BOOT_DIR}/overlays/"*.dtbo ; do
                   if [ -f "${dtb}" ] ; then
                     install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
                   fi

files/apt/flash-kernel removed 0 -3

NO CONTENT: file was removed

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages