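--- /dev/null
+++ b/[path not shown: nexmon build script]
@@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Build and Setup nexmon with monitor mode patch
+#
+
+# Load utility functions
+. ./functions.sh
+
+if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
+# Copy existing nexmon sources into chroot directory
+if [ -n "$NEXMONSRC_DIR" ] && [ -d "$NEXMONSRC_DIR" ] ; then
+# Copy local U-Boot sources
+cp -r "${NEXMONSRC_DIR}" "${R}/tmp"
+else
+# Create temporary directory for nexmon sources
+temp_dir=$(as_nobody mktemp -d)
+
+# Fetch nexmon sources
+as_nobody git -C "${temp_dir}" clone "${NEXMON_URL}"
+
+# Copy downloaded nexmon sources
+mv "${temp_dir}/nexmon" "${R}"/tmp/
+
+# Set permissions of the nexmon sources
+chown -R root:root "${R}"/tmp/nexmon
+
+# Remove temporary directory for nexmon sources
+rm -fr "${temp_dir}"
+fi
+
+# Set script Root
+export NEXMON_ROOT="${R}"/tmp/nexmon
+
+# Build nexmon firmware outside the build system, if we can.
+cd "${NEXMON_ROOT}" || exit
+
+# Make ancient isl build
+cd buildtools/isl-0.10 || exit
+./configure
+make
+cd ../.. || exit
+
+# Disable statistics
+touch DISABLE_STATISTICS
+
+# Setup Enviroment: see https://github.com/NoobieDog/nexmon/blob/master/setup_env.sh
+export KERNEL="${KERNEL_IMAGE}"
+export ARCH=arm
+export SUBARCH=arm
+export CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+export CC="${CC}"gcc
+export CCPLUGIN="${NEXMON_ROOT}"/buildtools/gcc-nexmon-plugin/nexmon.so
+export ZLIBFLATE="zlib-flate -compress"
+export Q=@
+export NEXMON_SETUP_ENV=1
+export HOSTUNAME=$(uname -s)
+export PLATFORMUNAME=$(uname -m)
+
+# Make nexmon
+make
+
+# build patches
+if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] ; then
+cd "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon || exit
+sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43430a1/7_45_41_46/nexmon/Makefile
+make clean
+
+# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
+LD_LIBRARY_PATH="${NEXMON_ROOT}"/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+
+# copy RPi0W & RPi3 firmware
+mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.org.bin
+cp "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.nexmon.bin
+cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
+fi
+
+if [ "$RPI_MODEL" = 3P ] ; then
+cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
+sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
+make clean
+
+# We do this so we don't have to install the ancient isl version into /usr/local/lib on systems.
+LD_LIBRARY_PATH=${NEXMON_ROOT}/buildtools/isl-0.10/.libs make ARCH="${KERNEL_ARCH}" CC="${NEXMON_ROOT}"/buildtools/gcc-arm-none-eabi-5_4-2016q2-linux-x86/bin/arm-none-eabi-
+
+# RPi3B+ firmware
+mv "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.org.bin
+cp "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.nexmon.bin
+cp -f "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon/brcmfmac43455-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43455-sdio.bin
+fi
+
+#Revert to previous directory
+cd "${WORKDIR}" || exit
+
+# Remove nexmon sources
+rm -fr "${NEXMON_ROOT}"
+
+fi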
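Review bot: The firmware swap at lines 72-74 (and 86-88) runs even when the nexmon build before it failed: the script has no `set -e`, the `make` calls at lines 40, 60 and 69/83 are unchecked, and the original `brcmfmac43430-sdio.bin` has already been renamed to `.org.bin` before the `cp` that would then fail, leaving the image without WLAN firmware. Guard the swap on the artifact, e.g. `[ -f brcmfmac43430-sdio.bin ] || exit 1` before the `mv` at line 72 (and the `brcmfmac43455-sdio.bin` equivalent before line 86), or append `|| exit 1` to each `make`. Separately, line 19 clones whatever `NEXMON_URL` currently points at with no tag or commit pin, and line 60 then runs that checkout's Makefiles and the prebuilt toolchain under its `buildtools/` as root; pinning a commit with `git -C "${R}"/tmp/nexmon checkout <commit>` after the clone would make the firmware build reproducible and keep an unreviewed upstream change from silently ending up in the image. The unquoted `${NEXMON_ROOT}` in the `sed -i` at lines 65 and 79 also differs from the quoting used on the surrounding lines.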
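--- /dev/null
+++ b/[path not shown: initramfs dropbear unlock hook]
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+PREREQ="dropbear"
+
+prereqs() {
+echo "$PREREQ"
+}
+
+case "$1" in
+prereqs)
+prereqs
+exit 0
+;;
+esac
+
+. "${CONFDIR}/initramfs.conf"
+. /usr/share/initramfs-tools/hook-functions
+
+if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
+cat > "${DESTDIR}/bin/unlock" << EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
+kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
+# following line kill the remote shell right after the passphrase has
+# been entered.
+kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
+exit 0
+fi
+exit 1
+EOF
+
+chmod 755 "${DESTDIR}/bin/unlock"
+
+mkdir -p "${DESTDIR}/lib/unlock"
+cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
+#!/bin/sh
+[ "\$1" == "--ping" ] && exit 1
+/bin/plymouth "\$@"
+EOF
+
+chmod 755 "${DESTDIR}/lib/unlock/plymouth"
+
+echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
+
+fi
\ No newline at end of file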
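Review bot: Line 37 of the generated `plymouth` wrapper uses `==` under `#!/bin/sh`; POSIX `test` only defines `=`, so with dash as the initramfs shell the comparison errors out and the `--ping` call falls through to the real `/bin/plymouth`, which defeats the wrapper (busybox ash accepts `==`, so this presumably works on the default initramfs but is fragile). Use `[ "\$1" = "--ping" ] && exit 1`. In the `unlock` script, lines 23 and 26 pick PIDs with `ps | grep ... | awk`, so the `kill -9` at line 26 hits every process whose `ps` line contains `-sh`, not only the remote login shell the comment describes, and `kill` is invoked with no argument when nothing matches; matching on a specific field and checking the list is non-empty before calling `kill` would make this safer. Line 43 also leaves `${DESTDIR}` unquoted, and the shell strips the quotes around `unlock`, so the motd text differs from what the line suggests.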
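--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -48,6 +48,9 @@ Set Debian packages server address. Choose a server from the list of Debian worl
 ##### `APT_PROXY`=""
 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
 
+##### `KEEP_APT_PROXY`=false
+Keep the APT_PROXY settings used in the bootsrapping process in the generated image.
+
 ##### `APT_INCLUDES`=""
 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
 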
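--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -210,6 +213,9 @@ Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
 ---
 
 #### Advanced system features:
+##### `ENABLE_SYSTEMDSWAP`=false
+Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
+
 ##### `ENABLE_MINBASE`=false
 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
 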
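--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -234,6 +240,12 @@ Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](
 ##### `VIDEOCORESRC_DIR`=""
 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
 
+##### `ENABLE_NEXMON`=false
+Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
+
+##### `NEXMONSRC_DIR`=""
+Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
+
 ##### `ENABLE_IPTABLES`=false
 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
 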
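--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -261,6 +273,15 @@ Create an initramfs that that will be loaded during the Linux startup process. `
 ##### `ENABLE_IFNAMES`=true
 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
 
+##### `ENABLE_SPLASH`=true
+Enable default Raspberry Pi boot up rainbow splash screen.
+
+##### `ENABLE_LOGO`=true
+Enable default Raspberry Pi console logo (image of four raspberries in the top left corner).
+
+##### `ENABLE_SILENT_BOOT`=false
+Set the verbosity of console messages shown during boot up to a strict minimum.
+
 ##### `DISABLE_UNDERVOLT_WARNINGS`=
 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
 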
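--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -345,6 +366,23 @@ With this parameter set to true the script expects the existing kernel sources d
 ##### `RPI_FIRMWARE_DIR`=""
 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
 
+##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
+Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
+
+##### `KERNEL_NF`=false
+Enable Netfilter modules as kernel modules
+
+##### `KERNEL_VIRT`=false
+Enable Kernel KVM support (/dev/kvm)
+
+##### `KERNEL_ZSWAP`=false
+Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
+
+##### `KERNEL_BPF`=true
+Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
+
+##### `KERNEL_SECURITY`=false
+Enables Apparmor, integrity subsystem, auditing
 ---
 
 #### Reduce disk usage: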
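--- a/[path not shown: README]
+++ b/[path not shown: README]
@@ -392,6 +430,12 @@ Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
 ##### `CRYPTFS_XTSKEYSIZE`=512
 Sets key size in bits. The argument has to be a multiple of 8.
 
+##### `CRYPTFS_DROPBEAR`=false
+Enable Dropbear Initramfs support
+
+##### `CRYPTFS_DROPBEAR_PUBKEY`=""
+Provide path to dropbear Public RSA-OpenSSH Key
+
 ---
 
 #### Build settings: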
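--- a/[path not shown: apt setup script]
+++ b/[path not shown: apt setup script]
@@ -11,6 +11,13 @@ if [ -z "$APT_PROXY" ] ; then
 sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETC_DIR}/apt/apt.conf.d/10proxy"
 fi
 
+# Install APT sources.list
+install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
+
+# Use specified APT server and release
+sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
+
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update
 chroot_exec apt-get -qq -y -u dist-upgrade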
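Review bot: Line 18 interpolates `${APT_SERVER}` into the `sed` expression unescaped, so a value containing `/` (a mirror with a path component) or `&` terminates the substitution or re-inserts the match, and because of `-i` that leaves a broken `sources.list` in the image; line 19 has the same exposure for `${RELEASE}`. Switching the delimiter removes the common case: `sed -i "s|/ftp.debian.org/|/${APT_SERVER}/|" "${ETC_DIR}/apt/sources.list"`, and `&` would still need escaping or a check on the value. Both substitutions also depend on the template in `files/apt/sources.list` containing exactly `ftp.debian.org` and ` stretch`; a comment stating that next to line 15 would keep the template and this hook from drifting apart.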
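--- a/[path not shown: kernel build script]
+++ b/[path not shown: kernel build script]
@@ -5,6 +5,14 @@
 # Load utility functions
 . ./functions.sh
 
+# Need to use kali kernel src if nexmon is enabled
+if [ "$ENABLE_NEXMON" = true ] ; then
+KERNEL_URL="${KALI_KERNEL_URL}"
+# Clear Branch and KernelSRC_DIR if using nexmon. Everyone will forget to clone kali kernel instead of nomrla kernel
+KERNEL_BRANCH=""
+KERNELSRC_DIR=""
+fi
+
 # Fetch and build latest raspberry kernel
 if [ "$BUILD_KERNEL" = true ] ; then
 # Setup source directory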
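Review bot: Lines 10-13 silently overwrite `KERNEL_URL`, `KERNEL_BRANCH` and `KERNELSRC_DIR` when `ENABLE_NEXMON` is true, so a user who pointed at a local kernel tree or a pinned branch gets a different kernel fetched with no indication why, which is the surprise the comment on line 11 says it wants to prevent. Print a diagnostic before overriding, e.g. `echo "warning: ENABLE_NEXMON=true overrides KERNEL_URL, KERNEL_BRANCH and KERNELSRC_DIR with ${KALI_KERNEL_URL}" >&2`, and fix the `nomrla` typo in that comment. If `KALI_KERNEL_URL` (defined outside this hunk) names a branch rather than a tag or commit, the nexmon kernel source is also unpinned, unlike the branch the user may have selected.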
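--- a/[path not shown: kernel build script]
+++ b/[path not shown: kernel build script]
@@ -87,6 +95,283 @@ if [ "$BUILD_KERNEL" = true ] ; then
 # Load default raspberry kernel configuration
 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
 
+#Switch to KERNELSRC_DIR so we can use set_kernel_config
+cd "${KERNEL_DIR}" || exit
+
+# enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
+if [ "$KERNEL_ZSWAP" = true ] ; then
+set_kernel_config CONFIG_ZPOOL y
+set_kernel_config CONFIG_ZSWAP y
+set_kernel_config CONFIG_ZBUD y
+set_kernel_config CONFIG_Z3FOLD y
+set_kernel_config CONFIG_ZSMALLOC y
+set_kernel_config CONFIG_PGTABLE_MAPPING y
+set_kernel_config CONFIG_LZO_COMPRESS y
+fi
+
+# enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
+if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
+set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
+set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
+set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
+set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
+set_kernel_config CONFIG_HAVE_KVM_IRQFD y
+set_kernel_config CONFIG_HAVE_KVM_IRQ_ROUTING y
+set_kernel_config CONFIG_HAVE_KVM_MSI y
+set_kernel_config CONFIG_KVM y
+set_kernel_config CONFIG_KVM_ARM_HOST y
+set_kernel_config CONFIG_KVM_ARM_PMU y
+set_kernel_config CONFIG_KVM_COMPAT y
+set_kernel_config CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT y
+set_kernel_config CONFIG_KVM_MMIO y
+set_kernel_config CONFIG_KVM_VFIO y
+set_kernel_config CONFIG_VHOST m
+set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
+set_kernel_config CONFIG_VHOST_NET m
+set_kernel_config CONFIG_VIRTUALIZATION y
+
+set_kernel_config CONFIG_MMU_NOTIFIER y
+
+# erratum
+set_kernel_config ARM64_ERRATUM_834220 y
+
+# https://sourceforge.net/p/kvm/mailman/message/18440797/
+set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
+fi
+
+# enable apparmor,integrity audit,
+if [ "$KERNEL_SECURITY" = true ] ; then
+
+# security filesystem, security models and audit
+set_kernel_config CONFIG_SECURITYFS y
+set_kernel_config CONFIG_SECURITY y
+set_kernel_config CONFIG_AUDIT y
+
+# harden strcpy and memcpy
+set_kernel_config CONFIG_HARDENED_USERCOPY=y
+set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+set_kernel_config CONFIG_FORTIFY_SOURCE=y
+
+# integrity sub-system
+set_kernel_config CONFIG_INTEGRITY=y
+set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+set_kernel_config CONFIG_INTEGRITY_AUDIT=y
+set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
+set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+
+# This option provides support for retaining authentication tokens and access keys in the kernel.
+set_kernel_config CONFIG_KEYS=y
+set_kernel_config CONFIG_KEYS_COMPAT=y
+
+# Apparmor
+set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
+set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
+set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
+set_kernel_config CONFIG_SECURITY_APPARMOR y
+set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
+set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
+
+# restrictions on unprivileged users reading the kernel
+set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
+
+# network security hooks
+set_kernel_config CONFIG_SECURITY_NETWORK y
+set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
+set_kernel_config CONFIG_SECURITY_PATH=y
+set_kernel_config CONFIG_SECURITY_YAMA=y
+
+# New Options
+if [ "$KERNEL_NF" = true ] ; then
+set_kernel_config CONFIG_IP_NF_SECURITY m
+set_kernel_config CONFIG_NETLABEL y
+set_kernel_config CONFIG_IP6_NF_SECURITY m
+fi
+set_kernel_config CONFIG_SECURITY_SELINUX n
+set_kernel_config CONFIG_SECURITY_SMACK n
+set_kernel_config CONFIG_SECURITY_TOMOYO n
+set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
+set_kernel_config CONFIG_SECURITY_LOADPIN n
+set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
+set_kernel_config CONFIG_IMA n
+set_kernel_config CONFIG_EVM n
+set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
+set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
+set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
+set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
+set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
+set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
+set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
+set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
+set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
+set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
+
+set_kernel_config CONFIG_ARM64_CRYPTO y
+set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
+set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
+set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
+set_kernel_config CRYPTO_GHASH_ARM64_CE m
+set_kernel_config CRYPTO_SHA2_ARM64_CE m
+set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
+set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
+set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
+set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
+set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
+set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
+set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
+set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
+set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
+set_kernel_config SYSTEM_TRUSTED_KEYS
+fi
+
+# Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
+if [ "$KERNEL_NF" = true ] ; then
+set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
+set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
+set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
+set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
+set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
+set_kernel_config CONFIG_NFT_FIB_INET m
+set_kernel_config CONFIG_NFT_FIB_IPV4 m
+set_kernel_config CONFIG_NFT_FIB_IPV6 m
+set_kernel_config CONFIG_NFT_FIB_NETDEV m
+set_kernel_config CONFIG_NFT_OBJREF m
+set_kernel_config CONFIG_NFT_RT m
+set_kernel_config CONFIG_NFT_SET_BITMAP m
+set_kernel_config CONFIG_NF_CONNTRACK_TIMEOUT y
+set_kernel_config CONFIG_NF_LOG_ARP m
+set_kernel_config CONFIG_NF_SOCKET_IPV4 m
+set_kernel_config CONFIG_NF_SOCKET_IPV6 m
+set_kernel_config CONFIG_BRIDGE_EBT_BROUTE m
+set_kernel_config CONFIG_BRIDGE_EBT_T_FILTER m
+set_kernel_config CONFIG_BRIDGE_NF_EBTABLES m
+set_kernel_config CONFIG_IP6_NF_IPTABLES m
+set_kernel_config CONFIG_IP6_NF_MATCH_AH m
+set_kernel_config CONFIG_IP6_NF_MATCH_EUI64 m
+set_kernel_config CONFIG_IP6_NF_NAT m
+set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
+set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
+set_kernel_config CONFIG_IP_NF_SECURITY m
+set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
+set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
+set_kernel_config CONFIG_IP_SET_HASH_IP m
+set_kernel_config CONFIG_IP_SET_HASH_IPMARK m
+set_kernel_config CONFIG_IP_SET_HASH_IPPORT m
+set_kernel_config CONFIG_IP_SET_HASH_IPPORTIP m
+set_kernel_config CONFIG_IP_SET_HASH_IPPORTNET m
+set_kernel_config CONFIG_IP_SET_HASH_MAC m
+set_kernel_config CONFIG_IP_SET_HASH_NET m
+set_kernel_config CONFIG_IP_SET_HASH_NETIFACE m
+set_kernel_config CONFIG_IP_SET_HASH_NETNET m
+set_kernel_config CONFIG_IP_SET_HASH_NETPORT m
+set_kernel_config CONFIG_IP_SET_HASH_NETPORTNET m
+set_kernel_config CONFIG_IP_SET_LIST_SET m
+set_kernel_config CONFIG_NETFILTER_XTABLES m
+set_kernel_config CONFIG_NETFILTER_XTABLES m
+set_kernel_config CONFIG_NFT_BRIDGE_META m
+set_kernel_config CONFIG_NFT_BRIDGE_REJECT m
+set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV4 m
+set_kernel_config CONFIG_NFT_CHAIN_NAT_IPV6 m
+set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV4 m
+set_kernel_config CONFIG_NFT_CHAIN_ROUTE_IPV6 m
+set_kernel_config CONFIG_NFT_COMPAT m
+set_kernel_config CONFIG_NFT_COUNTER m
+set_kernel_config CONFIG_NFT_CT m
+set_kernel_config CONFIG_NFT_DUP_IPV4 m
+set_kernel_config CONFIG_NFT_DUP_IPV6 m
+set_kernel_config CONFIG_NFT_DUP_NETDEV m
+set_kernel_config CONFIG_NFT_EXTHDR m
+set_kernel_config CONFIG_NFT_FWD_NETDEV m
+set_kernel_config CONFIG_NFT_HASH m
+set_kernel_config CONFIG_NFT_LIMIT m
+set_kernel_config CONFIG_NFT_LOG m
+set_kernel_config CONFIG_NFT_MASQ m
+set_kernel_config CONFIG_NFT_MASQ_IPV4 m
+set_kernel_config CONFIG_NFT_MASQ_IPV6 m
+set_kernel_config CONFIG_NFT_META m
+set_kernel_config CONFIG_NFT_NAT m
+set_kernel_config CONFIG_NFT_NUMGEN m
+set_kernel_config CONFIG_NFT_QUEUE m
+set_kernel_config CONFIG_NFT_QUOTA m
+set_kernel_config CONFIG_NFT_REDIR m
+set_kernel_config CONFIG_NFT_REDIR_IPV4 m
+set_kernel_config CONFIG_NFT_REDIR_IPV6 m
+set_kernel_config CONFIG_NFT_REJECT m
+set_kernel_config CONFIG_NFT_REJECT_INET m
+set_kernel_config CONFIG_NFT_REJECT_IPV4 m
+set_kernel_config CONFIG_NFT_REJECT_IPV6 m
+set_kernel_config CONFIG_NFT_SET_HASH m
+set_kernel_config CONFIG_NFT_SET_RBTREE m
+set_kernel_config CONFIG_NF_CONNTRACK_IPV4 m
+set_kernel_config CONFIG_NF_CONNTRACK_IPV6 m
+set_kernel_config CONFIG_NF_DEFRAG_IPV4 m
+set_kernel_config CONFIG_NF_DEFRAG_IPV6 m
+set_kernel_config CONFIG_NF_DUP_IPV4 m
+set_kernel_config CONFIG_NF_DUP_IPV6 m
+set_kernel_config CONFIG_NF_DUP_NETDEV m
+set_kernel_config CONFIG_NF_LOG_BRIDGE m
+set_kernel_config CONFIG_NF_LOG_IPV4 m
+set_kernel_config CONFIG_NF_LOG_IPV6 m
+set_kernel_config CONFIG_NF_NAT_IPV4 m
+set_kernel_config CONFIG_NF_NAT_IPV6 m
+set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
+set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
+set_kernel_config CONFIG_NF_NAT_PPTP m
+set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
+set_kernel_config CONFIG_NF_NAT_REDIRECT m
+set_kernel_config CONFIG_NF_NAT_SIP m
+set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
+set_kernel_config CONFIG_NF_NAT_TFTP m
+set_kernel_config CONFIG_NF_REJECT_IPV4 m
+set_kernel_config CONFIG_NF_REJECT_IPV6 m
+set_kernel_config CONFIG_NF_TABLES m
+set_kernel_config CONFIG_NF_TABLES_ARP m
+set_kernel_config CONFIG_NF_TABLES_BRIDGE m
+set_kernel_config CONFIG_NF_TABLES_INET m
+set_kernel_config CONFIG_NF_TABLES_IPV4 m
+set_kernel_config CONFIG_NF_TABLES_IPV6 m
+set_kernel_config CONFIG_NF_TABLES_NETDEV m
+fi
+
+# Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
+if [ "$KERNEL_BPF" = true ] ; then
+set_kernel_config CONFIG_BPF_SYSCALL y
+set_kernel_config CONFIG_BPF_EVENTS y
+set_kernel_config CONFIG_BPF_STREAM_PARSER y
+set_kernel_config CONFIG_CGROUP_BPF y
+fi
+
+# KERNEL_DEFAULT_GOV was set by user
+if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
+
+case "$KERNEL_DEFAULT_GOV" in
+performance)
+set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE y
+;;
+userspace)
+set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE y
+;;
+ondemand)
+set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND y
+;;
+conservative)
+set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE y
+;;
+shedutil)
+set_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL y
+;;
+*)
+echo "error: unsupported default cpu governor"
+exit 1
+;;
+esac
+
+# unset previous default governor
+unset_kernel_config CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE
+fi
+
+#Revert to previous directory
+cd "${WORKDIR}" || exit
+
 # Set kernel configuration parameters to enable qemu emulation
 if [ "$ENABLE_QEMU" = true ] ; then
 echo "CONFIG_FHANDLE=y" >> "${KERNEL_DIR}"/.config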
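Review bot: The `KERNEL_SECURITY` block mixes two calling conventions for `set_kernel_config`: lines 146-148 and 167-172 pass `NAME value`, while lines 151-153, 156-160, 163-164, 175 and 179-181 pass a single `NAME=y` token, and line 223 passes a name with no value at all. Whichever form the helper (defined outside this hunk) actually accepts, the other form is wrong, and the `=y` group is exactly the hardening this option advertises (`CONFIG_HARDENED_USERCOPY`, `CONFIG_FORTIFY_SOURCE`, `CONFIG_SECURITY_DMESG_RESTRICT`, `CONFIG_SECURITY_YAMA`), so a build with `KERNEL_SECURITY=true` may ship without it; normalize to `set_kernel_config CONFIG_HARDENED_USERCOPY y` and so on, matching the rest of the file. Lines 136, 212 and 213 omit the `CONFIG_` prefix, `CONFIG_SYSTEM_TRUSTED_KEYS` is set to `y` at line 201 and `m` at line 205 although it is a string option holding a certificate path, and `CONFIG_NETFILTER_XTABLES` is set twice at lines 268-269. In the governor `case` at lines 346-366 the `shedutil)` arm is a typo that never matches, and the arms are lowercase while the README in this commit documents uppercase values with default `"ONDEMAND"`; if that default reaches this code unchanged it falls into the `*)` arm and aborts the build, so either lowercase the value first (`case "$(echo "$KERNEL_DEFAULT_GOV" | tr '[:upper:]' '[:lower:]')" in`) or document the lowercase spellings.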
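--- a/[path not shown: kernel build script]
+++ b/[path not shown: kernel build script]
@@ -126,6 +411,7 @@ if [ "$BUILD_KERNEL" = true ] ; then
 if [ "$KERNEL_MENUCONFIG" = true ] ; then
 make -C "${KERNEL_DIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
 fi
+# end if "$KERNELSRC_CONFIG" = true
 fi
 
 # Use ccache to cross compile the kernel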
@@ -142,6 +428,7 if [ "$BUILD_KERNEL" = true ] ; then | |||||
142 | if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then |
|
428 | if grep -q "CONFIG_MODULES=y" "${KERNEL_DIR}/.config" ; then | |
143 | make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules |
|
429 | make -C "${KERNEL_DIR}" -j"${KERNEL_THREADS}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" CC="${cc}" modules | |
144 | fi |
|
430 | fi | |
|
431 | # end if "$KERNELSRC_PREBUILT" = false | |||
145 | fi |
|
432 | fi | |
146 |
|
433 | |||
147 | # Check if kernel compilation was successful |
|
434 | # Check if kernel compilation was successful | |
@@ -237,19 +524,79 if [ "$BUILD_KERNEL" = true ] ; then | |||||
237 | fi |
|
524 | fi | |
238 |
|
525 | |||
239 | else # BUILD_KERNEL=false |
|
526 | else # BUILD_KERNEL=false | |
240 | # Kernel installation |
|
527 | if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then | |
241 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel |
|
528 | ||
|
529 | # Use Sakakis modified kernel if ZSWAP is active | |||
|
530 | if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then | |||
|
531 | RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}" | |||
|
532 | fi | |||
|
533 | ||||
|
534 | # Create temporary directory for dl | |||
|
535 | temp_dir=$(as_nobody mktemp -d) | |||
|
536 | ||||
|
537 | # Fetch kernel dl | |||
|
538 | as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" | |||
|
539 | ||||
|
540 | #extract download | |||
|
541 | tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}" | |||
|
542 | ||||
|
543 | #move extracted kernel to /boot/firmware | |||
|
544 | mkdir "${R}/boot/firmware" | |||
|
545 | cp "${temp_dir}"/boot/* "${R}"/boot/firmware/ | |||
|
546 | cp -r "${temp_dir}"/lib/* "${R}"/lib/ | |||
|
547 | ||||
|
548 | # Remove temporary directory for kernel sources | |||
|
549 | rm -fr "${temp_dir}" | |||
|
550 | ||||
|
551 | # Set permissions of the kernel sources | |||
|
552 | chown -R root:root "${R}/boot/firmware" | |||
|
553 | chown -R root:root "${R}/lib/modules" | |||
|
554 | fi | |||
|
555 | ||||
|
556 | # Install Kernel from hypriot comptabile with all Raspberry PI | |||
|
557 | if [ "$SET_ARCH" = 32 ] ; then | |||
|
558 | # Create temporary directory for dl | |||
|
559 | temp_dir=$(as_nobody mktemp -d) | |||
|
560 | ||||
|
561 | # Fetch kernel | |||
|
562 | as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL" | |||
242 |
|
563 | |||
243 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
564 | # Copy downloaded U-Boot sources | |
244 | chroot_exec apt-get -qq -y install flash-kernel |
|
565 | mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb | |
|
566 | ||||
|
567 | # Set permissions | |||
|
568 | chown -R root:root "${R}"/tmp/kernel.deb | |||
|
569 | ||||
|
570 | # Install kernel | |||
|
571 | chroot_exec dpkg -i /tmp/kernel.deb | |||
|
572 | ||||
|
573 | # move /boot to /boot/firmware to fit script env. | |||
|
574 | #mkdir "${BOOT_DIR}" | |||
|
575 | mkdir "${temp_dir}"/firmware | |||
|
576 | mv "${R}"/boot/* "${temp_dir}"/firmware/ | |||
|
577 | mv "${temp_dir}"/firmware "${R}"/boot/ | |||
|
578 | ||||
|
579 | #same for kernel headers | |||
|
580 | if [ "$KERNEL_HEADERS" = true ] ; then | |||
|
581 | # Fetch kernel header | |||
|
582 | as_nobody wget -O "${temp_dir}"/kernel-header.deb -c "$RPI_32_KERNELHEADER_URL" | |||
|
583 | mv "${temp_dir}"/kernel-header.deb "${R}"/tmp/kernel-header.deb | |||
|
584 | chown -R root:root "${R}"/tmp/kernel-header.deb | |||
|
585 | # Install kernel header | |||
|
586 | chroot_exec dpkg -i /tmp/kernel-header.deb | |||
|
587 | rm -f "${R}"/tmp/kernel-header.deb | |||
|
588 | fi | |||
|
589 | ||||
|
590 | # Remove temporary directory and files | |||
|
591 | rm -fr "${temp_dir}" | |||
|
592 | rm -f "${R}"/tmp/kernel.deb | |||
|
593 | fi | |||
245 |
|
594 | |||
246 | # Check if kernel installation was successful |
|
595 | # Check if kernel installation was successful | |
247 |
|
|
596 | KERNEL="$(ls -1 "${R}"/boot/firmware/kernel* | sort | tail -n 1)" | |
248 |
if [ -z "$ |
|
597 | if [ -z "$KERNEL" ] ; then | |
249 |
echo "error: kernel installation failed! (/boot/ |
|
598 | echo "error: kernel installation failed! (/boot/kernel* not found)" | |
250 | cleanup |
|
599 | cleanup | |
251 | exit 1 |
|
600 | exit 1 | |
252 | fi |
|
601 | fi | |
253 | # Copy vmlinuz kernel to the boot directory |
|
|||
254 | install_readonly "${VMLINUZ}" "${BOOT_DIR}/${KERNEL_IMAGE}" |
|
|||
255 | fi |
|
602 | fi |
@@ -8,6 +8,11 | |||||
8 | # Install and setup fstab |
|
8 | # Install and setup fstab | |
9 | install_readonly files/mount/fstab "${ETC_DIR}/fstab" |
|
9 | install_readonly files/mount/fstab "${ETC_DIR}/fstab" | |
10 |
|
10 | |||
|
11 | if [ "$ENABLE_UBOOTUSB" = true ] ; then | |||
|
12 | sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab" | |||
|
13 | sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab" | |||
|
14 | fi | |||
|
15 | ||||
11 | # Add usb/sda disk root partition to fstab |
|
16 | # Add usb/sda disk root partition to fstab | |
12 | if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then |
|
17 | if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then | |
13 | sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" |
|
18 | sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab" | |
@@ -29,7 +34,7 if [ "$ENABLE_CRYPTFS" = true ] ; then | |||||
29 | fi |
|
34 | fi | |
30 |
|
35 | |||
31 | # Generate initramfs file |
|
36 | # Generate initramfs file | |
32 |
if |
|
37 | if [ "$ENABLE_INITRAMFS" = true ] ; then | |
33 | if [ "$ENABLE_CRYPTFS" = true ] ; then |
|
38 | if [ "$ENABLE_CRYPTFS" = true ] ; then | |
34 | # Include initramfs scripts to auto expand encrypted root partition |
|
39 | # Include initramfs scripts to auto expand encrypted root partition | |
35 | if [ "$EXPANDROOT" = true ] ; then |
|
40 | if [ "$EXPANDROOT" = true ] ; then | |
@@ -38,8 +43,43 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then | |||||
38 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" |
|
43 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" | |
39 | fi |
|
44 | fi | |
40 |
|
45 | |||
41 | # Disable SSHD inside initramfs |
|
46 | if [ "$CRYPTFS_DROPBEAR" = true ]; then | |
42 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" |
|
47 | if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then | |
|
48 | install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |||
|
49 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |||
|
50 | else | |||
|
51 | # Create key | |||
|
52 | chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear | |||
|
53 | ||||
|
54 | # Convert dropbear key to openssh key | |||
|
55 | chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa | |||
|
56 | ||||
|
57 | # Get Public Key Part | |||
|
58 | chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub | |||
|
59 | ||||
|
60 | # Delete unwanted lines | |||
|
61 | sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |||
|
62 | sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |||
|
63 | ||||
|
64 | # Trust the new key | |||
|
65 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |||
|
66 | ||||
|
67 | # Save Keys - convert with putty from rsa/openssh to puttkey | |||
|
68 | cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa | |||
|
69 | ||||
|
70 | # Get unlock script | |||
|
71 | install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh | |||
|
72 | ||||
|
73 | # Enable Dropbear inside initramfs | |||
|
74 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" | |||
|
75 | ||||
|
76 | # Enable Dropbear inside initramfs | |||
|
77 | sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear | |||
|
78 | fi | |||
|
79 | else | |||
|
80 | # Disable SSHD inside initramfs | |||
|
81 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" | |||
|
82 | fi | |||
43 |
|
83 | |||
44 | # Add cryptsetup modules to initramfs |
|
84 | # Add cryptsetup modules to initramfs | |
45 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
|
85 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
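Review bot: The client private key generated for the initramfs SSH unlock is copied out of the image at new line 68, `cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa`, with no permission tightening, and because line 65 installs the matching public key as the sole entry in `authorized_keys`, that exported file is the credential that unlocks the encrypted root before boot; follow the copy with `chmod 600 "${BASEDIR}"/dropbear_initramfs_key.rsa` and remove `id_rsa` and `id_rsa.dropbear` from `${ETC_DIR}/dropbear-initramfs` once exported, since the image presumably only needs the public half (the dropbear-initramfs hook is not visible here). The comment at new line 76 is a copy of line 74 but labels a different operation, a fixed-line-number patch of the packaged script (`sed -i "54 i sleep 5" .../init-premount/dropbear`) that will land in the wrong place after any package update; replace it with `# Delay dropbear start (presumably to let the network come up); inserted at a fixed line of the packaged init-premount script — re-check after dropbear-initramfs upgrades`, or better anchor the insertion on a pattern rather than a line number. This block sits inside the `ENABLE_INITRAMFS`/`ENABLE_CRYPTFS` conditionals opened in the previous hunk.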
@@ -5,39 +5,37 | |||||
5 | # Load utility functions |
|
5 | # Load utility functions | |
6 | . ./functions.sh |
|
6 | . ./functions.sh | |
7 |
|
7 | |||
8 | if [ "$BUILD_KERNEL" = true ] ; then |
|
8 | if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then | |
9 | if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then |
|
9 | # Install boot binaries from local directory | |
10 | # Install boot binaries from local directory |
|
10 | cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin | |
11 |
|
|
11 | cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat | |
12 |
|
|
12 | cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat | |
13 |
|
|
13 | cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat | |
14 |
|
|
14 | cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf | |
15 |
|
|
15 | cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf | |
16 |
|
|
16 | cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf | |
17 | cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf |
|
17 | else | |
18 | else |
|
18 | # Create temporary directory for boot binaries | |
19 | # Create temporary directory for boot binaries |
|
19 | temp_dir=$(as_nobody mktemp -d) | |
20 | temp_dir=$(as_nobody mktemp -d) |
|
20 | ||
21 |
|
21 | # Install latest boot binaries from raspberry/firmware github | ||
22 | # Install latest boot binaries from raspberry/firmware github |
|
22 | as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin" | |
23 |
|
|
23 | as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat" | |
24 |
|
|
24 | as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat" | |
25 |
|
|
25 | as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat" | |
26 |
|
|
26 | as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf" | |
27 |
|
|
27 | as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf" | |
28 |
|
|
28 | as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" | |
29 | as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf" |
|
29 | ||
30 |
|
30 | # Move downloaded boot binaries | ||
31 | # Move downloaded boot binaries |
|
31 | mv "${temp_dir}/"* "${BOOT_DIR}/" | |
32 | mv "${temp_dir}/"* "${BOOT_DIR}/" |
|
32 | ||
33 |
|
33 | # Remove temporary directory for boot binaries | ||
34 | # Remove temporary directory for boot binaries |
|
34 | rm -fr "${temp_dir}" | |
35 | rm -fr "${temp_dir}" |
|
35 | ||
36 |
|
36 | # Set permissions of the boot binaries | ||
37 | # Set permissions of the boot binaries |
|
37 | chown -R root:root "${BOOT_DIR}" | |
38 |
|
|
38 | chmod -R 600 "${BOOT_DIR}" | |
39 | chmod -R 600 "${BOOT_DIR}" |
|
|||
40 | fi |
|
|||
41 | fi |
|
39 | fi | |
42 |
|
40 | |||
43 | # Setup firmware boot cmdline |
|
41 | # Setup firmware boot cmdline | |
@@ -56,23 +54,53 if [ "$ENABLE_CRYPTFS" = true ] ; then | |||||
56 | fi |
|
54 | fi | |
57 | fi |
|
55 | fi | |
58 |
|
56 | |||
59 | #locks cpu at max frequency |
|
57 | # Enable Kernel messages on standard output | |
60 | if [ "$ENABLE_TURBO" = true ] ; then |
|
|||
61 | echo "force_turbo=1" >> "${BOOT_DIR}/config.txt" |
|
|||
62 | fi |
|
|||
63 |
|
||||
64 | if [ "$ENABLE_PRINTK" = true ] ; then |
|
58 | if [ "$ENABLE_PRINTK" = true ] ; then | |
65 | install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf" |
|
59 | install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf" | |
66 | fi |
|
60 | fi | |
67 |
|
61 | |||
68 | # Install udev rule for serial alias |
|
62 | # Install udev rule for serial alias - serial0 = console serial1=bluetooth | |
69 | install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules" |
|
63 | install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules" | |
70 |
|
64 | |||
|
65 | # Remove IPv6 networking support | |||
|
66 | if [ "$ENABLE_IPV6" = false ] ; then | |||
|
67 | CMDLINE="${CMDLINE} ipv6.disable=1" | |||
|
68 | fi | |||
|
69 | ||||
|
70 | # Automatically assign predictable network interface names | |||
|
71 | if [ "$ENABLE_IFNAMES" = false ] ; then | |||
|
72 | CMDLINE="${CMDLINE} net.ifnames=0" | |||
|
73 | else | |||
|
74 | CMDLINE="${CMDLINE} net.ifnames=1" | |||
|
75 | fi | |||
|
76 | ||||
|
77 | # Disable Raspberry Pi console logo | |||
|
78 | if [ "$ENABLE_LOGO" = false ] ; then | |||
|
79 | CMDLINE="${CMDLINE} logo.nologo" | |||
|
80 | fi | |||
|
81 | ||||
|
82 | # Strictly limit verbosity of boot up console messages | |||
|
83 | if [ "$ENABLE_SILENT_BOOT" = true ] ; then | |||
|
84 | CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0" | |||
|
85 | fi | |||
|
86 | ||||
|
87 | # Install firmware config | |||
|
88 | install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt" | |||
|
89 | ||||
|
90 | # Disable Raspberry Pi console logo | |||
|
91 | if [ "$ENABLE_SLASH" = false ] ; then | |||
|
92 | echo "disable_splash=1" >> "${BOOT_DIR}/config.txt" | |||
|
93 | fi | |||
|
94 | ||||
|
95 | # Locks CPU frequency at maximum | |||
|
96 | if [ "$ENABLE_TURBO" = true ] ; then | |||
|
97 | echo "force_turbo=1" >> "${BOOT_DIR}/config.txt" | |||
|
98 | # helps to avoid sdcard corruption when force_turbo is enabled. | |||
|
99 | echo "boot_delay=1" >> "${BOOT_DIR}/config.txt" | |||
|
100 | fi | |||
|
101 | ||||
71 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then |
|
102 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |
72 |
|
103 | |||
73 | # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface |
|
|||
74 | SET_SERIAL="ttyS0" |
|
|||
75 |
|
||||
76 | # Bluetooth enabled |
|
104 | # Bluetooth enabled | |
77 | if [ "$ENABLE_BLUETOOTH" = true ] ; then |
|
105 | if [ "$ENABLE_BLUETOOTH" = true ] ; then | |
78 | # Create temporary directory for Bluetooth sources |
|
106 | # Create temporary directory for Bluetooth sources | |
@@ -95,6 +123,10 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||||
95 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" |
|
123 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" | |
96 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" |
|
124 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" | |
97 |
|
125 | |||
|
126 | # make scripts executable | |||
|
127 | chmod +x "${R}/usr/bin/bthelper" | |||
|
128 | chmod +x "${R}/usr/bin/btuart" | |||
|
129 | ||||
98 | # Install bluetooth udev rule |
|
130 | # Install bluetooth udev rule | |
99 | install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" |
|
131 | install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" | |
100 |
|
132 | |||
@@ -104,13 +136,13 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||||
104 | install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx" |
|
136 | install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx" | |
105 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service" |
|
137 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service" | |
106 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service" |
|
138 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service" | |
107 |
|
139 | |||
108 |
# Remove temporary director |
|
140 | # Remove temporary directories | |
109 | rm -fr "${temp_dir}" |
|
141 | rm -fr "${temp_dir}" | |
110 |
|
142 | rm -fr "${R}"/tmp/pi-bluetooth | ||
|
143 | ||||
111 | # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 |
|
144 | # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 | |
112 | if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then |
|
145 | if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then | |
113 | SET_SERIAL="ttyAMA0" |
|
|||
114 |
|
146 | |||
115 | # set overlay to swap ttyAMA0 and ttyS0 |
|
147 | # set overlay to swap ttyAMA0 and ttyS0 | |
116 | echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" |
|
148 | echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" | |
@@ -119,23 +151,15 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||||
119 | if [ "$ENABLE_TURBO" = false ] ; then |
|
151 | if [ "$ENABLE_TURBO" = false ] ; then | |
120 | echo "core_freq=250" >> "${BOOT_DIR}/config.txt" |
|
152 | echo "core_freq=250" >> "${BOOT_DIR}/config.txt" | |
121 | fi |
|
153 | fi | |
122 |
|
||||
123 | # Activate services |
|
|||
124 | chroot_exec systemctl enable pi-bluetooth.hciuart.service |
|
|||
125 | #chroot_exec systemctl enable pi-bluetooth.bthelper@.service |
|
|||
126 | else |
|
|||
127 | chroot_exec systemctl enable pi-bluetooth.hciuart.service |
|
|||
128 | #chroot_exec systemctl enable pi-bluetooth.bthelper@.service |
|
|||
129 |
|
|
154 | fi | |
130 |
|
155 | |||
|
156 | # Activate services | |||
|
157 | chroot_exec systemctl enable pi-bluetooth.hciuart.service | |||
|
158 | ||||
131 | else # if ENABLE_BLUETOOTH = false |
|
159 | else # if ENABLE_BLUETOOTH = false | |
132 | # set overlay to disable bluetooth |
|
160 | # set overlay to disable bluetooth | |
133 | echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" |
|
161 | echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" | |
134 | fi # ENABLE_BLUETOOTH end |
|
162 | fi # ENABLE_BLUETOOTH end | |
135 |
|
||||
136 | else |
|
|||
137 | # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface |
|
|||
138 | SET_SERIAL="ttyAMA0" |
|
|||
139 | fi |
|
163 | fi | |
140 |
|
164 | |||
141 | # may need sudo systemctl disable hciuart |
|
165 | # may need sudo systemctl disable hciuart | |
@@ -143,33 +167,60 if [ "$ENABLE_CONSOLE" = true ] ; then | |||||
143 | echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" |
|
167 | echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" | |
144 | # add string to cmdline |
|
168 | # add string to cmdline | |
145 | CMDLINE="${CMDLINE} console=serial0,115200" |
|
169 | CMDLINE="${CMDLINE} console=serial0,115200" | |
146 |
|
170 | |||
147 | # Enable serial console systemd style |
|
171 | # Enable serial console systemd style | |
148 |
chroot_exec systemctl enable serial-getty\@ |
|
172 | chroot_exec systemctl enable serial-getty\@serial0.service | |
149 | else |
|
173 | else | |
150 | echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" |
|
174 | echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" | |
|
175 | ||||
151 | # disable serial console systemd style |
|
176 | # disable serial console systemd style | |
152 | chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service |
|
177 | chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service | |
153 | fi |
|
178 | fi | |
154 |
|
179 | |||
155 | # Remove IPv6 networking support |
|
180 | if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then | |
156 | if [ "$ENABLE_IPV6" = false ] ; then |
|
181 | # Create temporary directory for systemd-swap sources | |
157 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
182 | temp_dir=$(as_nobody mktemp -d) | |
158 | fi |
|
|||
159 |
|
183 | |||
160 | # Automatically assign predictable network interface names |
|
184 | # Fetch systemd-swap sources | |
161 | if [ "$ENABLE_IFNAMES" = false ] ; then |
|
185 | as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}" | |
162 | CMDLINE="${CMDLINE} net.ifnames=0" |
|
186 | ||
|
187 | # Copy downloaded systemd-swap sources | |||
|
188 | mv "${temp_dir}/systemd-swap" "${R}/tmp/" | |||
|
189 | ||||
|
190 | # Set permissions of the systemd-swap sources | |||
|
191 | chown -R root:root "${R}/tmp/systemd-swap" | |||
|
192 | ||||
|
193 | # Remove temporary directory for systemd-swap sources | |||
|
194 | rm -fr "${temp_dir}" | |||
|
195 | ||||
|
196 | # Change into downloaded src dir | |||
|
197 | cd "${R}/tmp/systemd-swap" || exit | |||
|
198 | ||||
|
199 | # Build package | |||
|
200 | . ./package.sh debian | |||
|
201 | ||||
|
202 | # Install package | |||
|
203 | chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb | |||
|
204 | ||||
|
205 | # Enable service | |||
|
206 | chroot_exec systemctl enable systemd-swap | |||
|
207 | ||||
|
208 | # Change back into script root dir | |||
|
209 | cd "${WORKDIR}" || exit | |||
163 | else |
|
210 | else | |
164 | CMDLINE="${CMDLINE} net.ifnames=1" |
|
211 | # Enable ZSWAP in cmdline if systemd-swap is not used | |
|
212 | if [ "$KERNEL_ZSWAP" = true ] ; then | |||
|
213 | CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" | |||
|
214 | fi | |||
|
215 | fi | |||
|
216 | ||||
|
217 | if [ "$KERNEL_SECURITY" = true ] ; then | |||
|
218 | CMDLINE="${CMDLINE} apparmor=1 security=apparmor" | |||
165 | fi |
|
219 | fi | |
166 |
|
220 | |||
167 | # Install firmware boot cmdline |
|
221 | # Install firmware boot cmdline | |
168 | echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" |
|
222 | echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" | |
169 |
|
223 | |||
170 | # Install firmware config |
|
|||
171 | install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt" |
|
|||
172 |
|
||||
173 | # Setup minimal GPU memory allocation size: 16MB (no X) |
|
224 | # Setup minimal GPU memory allocation size: 16MB (no X) | |
174 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
225 | if [ "$ENABLE_MINGPU" = true ] ; then | |
175 | echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt" |
|
226 | echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt" |
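Review bot: `SET_SERIAL` is still read on the new side at line 177, `chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service`, but every assignment to it in this file was removed (old lines 74, 113 and 138), so unless a config file loaded earlier exports it the unit name collapses to `serial-getty@.service` and the disable becomes a no-op; the enable branch at new line 172 already uses `serial0`, so the disable should match it: `chroot_exec systemctl disable serial-getty\@serial0.service`. The block at new lines 90–93 also carries a copy-pasted comment: it tests `ENABLE_SLASH` and writes `disable_splash=1`, so the comment should read `# Disable the Raspberry Pi rainbow splash screen`, and the variable name looks like a typo for `ENABLE_SPLASH` that is worth checking against the config defaults. Both points concern the `RPI_MODEL`/`ENABLE_CONSOLE` blocks whose openings lie in earlier hunks of this file.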
@@ -57,6 +57,20 else # ENABLE_DHCP=false | |||||
57 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ |
|
57 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ | |
58 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ |
|
58 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ | |
59 | "${ETC_DIR}/systemd/network/eth.network" |
|
59 | "${ETC_DIR}/systemd/network/eth.network" | |
|
60 | ||||
|
61 | if [ "$CRYPTFS_DROPBEAR" = true ] ; then | |||
|
62 | # Get cdir from NET_ADDRESS e.g. 24 | |||
|
63 | cdir=$(${NET_ADDRESS} | cut -d '/' -f2) | |||
|
64 | ||||
|
65 | # Convert cdir ro netmask e.g. 24 to 255.255.255.0 | |||
|
66 | NET_MASK=$(cdr2mask "$cdir") | |||
|
67 | ||||
|
68 | # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf | |||
|
69 | sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf | |||
|
70 | ||||
|
71 | # Regenerate initramfs | |||
|
72 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |||
|
73 | fi | |||
60 | fi |
|
74 | fi | |
61 |
|
75 | |||
62 | # Remove empty settings from network configuration |
|
76 | # Remove empty settings from network configuration |
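Review bot: New line 63 executes the value of `NET_ADDRESS` as a command — `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` runs something like `192.168.1.10/24` as a program, which fails with "command not found", leaves `cdir` empty and then calls `cdr2mask` with no argument; take the prefix length with parameter expansion instead, `cdir=${NET_ADDRESS##*/}`, or pipe it explicitly via `printf '%s\n' "${NET_ADDRESS}" | cut -d '/' -f2`. Since the `cut -d '/'` implies `NET_ADDRESS` carries a `/prefix` suffix, new line 69 then writes that CIDR string verbatim into the client-ip field of the initramfs `IP=` line, where the kernel ip= syntax expects a bare address next to the netmask field just computed, so strip it there too: `sed -i "\$aIP=${NET_ADDRESS%%/*}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf`. `HOSTNAME` is not guaranteed to be set under `/bin/sh` unless the build config exports it, so that field may end up empty; worth confirming against the config. The enclosing `ENABLE_DHCP=false` branch opens outside the hunk.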
@@ -9,9 +9,10 if [ "$ENABLE_IPTABLES" = true ] ; then | |||||
9 | # Create iptables configuration directory |
|
9 | # Create iptables configuration directory | |
10 | mkdir -p "${ETC_DIR}/iptables" |
|
10 | mkdir -p "${ETC_DIR}/iptables" | |
11 |
|
11 | |||
12 | # make sure iptables-legacy is the used alternatives |
|
12 | if [ "$KERNEL_NF" = false ] ; then | |
13 | #iptables-save and -restore are slaves of iptables and thus are set accordingly |
|
13 | #iptables-save and -restore are slaves of iptables and thus are set accordingly | |
14 | chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy |
|
14 | chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy | |
|
15 | fi | |||
15 |
|
16 | |||
16 | # Install iptables systemd service |
|
17 | # Install iptables systemd service | |
17 | install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" |
|
18 | install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" | |
@@ -27,6 +28,11 if [ "$ENABLE_IPTABLES" = true ] ; then | |||||
27 | chroot_exec systemctl enable iptables.service |
|
28 | chroot_exec systemctl enable iptables.service | |
28 |
|
29 | |||
29 | if [ "$ENABLE_IPV6" = true ] ; then |
|
30 | if [ "$ENABLE_IPV6" = true ] ; then | |
|
31 | if [ "$KERNEL_NF" = false ] ; then | |||
|
32 | #iptables-save and -restore are slaves of iptables and thus are set accordingly | |||
|
33 | chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy | |||
|
34 | fi | |||
|
35 | ||||
30 | # Install ip6tables systemd service |
|
36 | # Install ip6tables systemd service | |
31 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" |
|
37 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" | |
32 |
|
38 |
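Review bot: The new guard `if [ "$KERNEL_NF" = false ]` at new line 12 (and again at line 31 for `ip6tables`) only pins the legacy backend when the variable is explicitly `false`, so a build where `KERNEL_NF` is unset or misspelled silently drops the previously unconditional `update-alternatives --set iptables /usr/sbin/iptables-legacy` and leaves whichever backend the package defaults to; if the intent is "legacy unless the kernel was built with nf_tables", test `[ "$KERNEL_NF" != true ]`, or add an else branch that explicitly selects `iptables-nft` so the backend is always pinned. The duplicated comment at lines 13 and 32 could also state the reason, e.g. `# KERNEL_NF=false: assumed to mean the kernel lacks nf_tables, so pin the legacy backend (its -save/-restore follow as slaves)`. The enclosing `ENABLE_IPTABLES` block opens outside the hunk.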
@@ -22,8 +22,3 else | |||||
22 | # Set no root password to disable root login |
|
22 | # Set no root password to disable root login | |
23 | chroot_exec usermod -p \'!\' root |
|
23 | chroot_exec usermod -p \'!\' root | |
24 | fi |
|
24 | fi | |
25 |
|
||||
26 | # Enable serial console systemd style |
|
|||
27 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
|||
28 | chroot_exec systemctl enable serial-getty\@ttyAMA0.service |
|
|||
29 | fi |
|
@@ -77,6 +77,11 if [ "$ENABLE_UBOOT" = true ] ; then | |||||
77 | #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)] |
|
77 | #in 64bit uboot booti is used instead of bootz [like in KERNEL_BIN_IMAGE=zImage (armv7)|| Image(armv8)] | |
78 | sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage" |
|
78 | sed -i "s|bootz|booti|g" "${BOOT_DIR}/uboot.mkimage" | |
79 | fi |
|
79 | fi | |
|
80 | ||||
|
81 | # instead of sd, boot from usb device | |||
|
82 | if [ "$ENABLE_UBOOTUSB" = true ] ; then | |||
|
83 | sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage" | |||
|
84 | fi | |||
80 |
|
85 | |||
81 | # Set mkfile to use the correct dtb file |
|
86 | # Set mkfile to use the correct dtb file | |
82 | sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage" |
|
87 | sed -i "s|bcm2709-rpi-2-b.dtb|${DTB_FILE}|" "${BOOT_DIR}/uboot.mkimage" |
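Review bot: `sed -i "s|mmc|usb|g" "${BOOT_DIR}/uboot.mkimage"` at new line 83 substitutes every occurrence of the substring `mmc` in the boot script, not only the device-type argument of the load/boot commands, so any other token containing it — a device-tree filename, an environment variable name, a comment — is rewritten as well. Anchor the substitution to the exact device token the template uses (the template is not visible in this diff; if the commands take `mmc <dev>`, something like `sed -i 's|\<mmc \([0-9]\)|usb \1|g' "${BOOT_DIR}/uboot.mkimage"`) and add a comment naming which U-Boot commands it is meant to change. The enclosing `if [ "$ENABLE_UBOOT" = true ]` block starts outside the hunk.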
@@ -50,4 +50,7 if [ "$ENABLE_VIDEOCORE" = true ] ; then | |||||
50 |
|
50 | |||
51 | #back to root of scriptdir |
|
51 | #back to root of scriptdir | |
52 | cd "${WORKDIR}" |
|
52 | cd "${WORKDIR}" | |
|
53 | ||||
|
54 | # Remove videocore sources | |||
|
55 | rm -fr "${R}"/tmp/userland/ | |||
53 | fi |
|
56 | fi |
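Review bot: The new `rm -fr "${R}"/tmp/userland/` at new line 55 runs with no guard on `R`, so if the variable is unset or empty when this script is sourced the command deletes the build host's own `/tmp/userland/`; use the `:?` expansion so the script aborts instead, `rm -fr "${R:?}"/tmp/userland/`. The preceding `cd "${WORKDIR}"` on line 52 (context, not new) also lacks the `|| exit` the other scripts in this diff use, so a failed `cd` would continue silently — harmless for the removal only because its path is absolute. The enclosing `if [ "$ENABLE_VIDEOCORE" = true ]` block starts outside the hunk.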
@@ -1,8 +1,8 | |||||
1 |
deb http://ftp.debian.org/debian |
|
1 | deb http://ftp.debian.org/debian stretch main contrib | |
2 |
#deb-src http://ftp.debian.org/debian |
|
2 | #deb-src http://ftp.debian.org/debian stretch main contrib | |
3 |
|
3 | |||
4 |
deb http://ftp.debian.org/debian/ |
|
4 | deb http://ftp.debian.org/debian/ stretch-updates main contrib | |
5 |
#deb-src http://ftp.debian.org/debian/ |
|
5 | #deb-src http://ftp.debian.org/debian/ stretch-updates main contrib | |
6 |
|
6 | |||
7 |
deb http://security.debian.org/ |
|
7 | deb http://security.debian.org/ stretch/updates main contrib | |
8 |
#deb-src http://security.debian.org/ |
|
8 | #deb-src http://security.debian.org/ stretch/updates main contrib |
@@ -66,3 +66,11 EOF2 | |||||
66 | partprobe && |
|
66 | partprobe && | |
67 | resize2fs /dev/${ROOT_PART} && |
|
67 | resize2fs /dev/${ROOT_PART} && | |
68 | logger -t "rc.firstboot" "Root partition successfully resized." |
|
68 | logger -t "rc.firstboot" "Root partition successfully resized." | |
|
69 | ||||
|
70 | # Restart dphys-swapfile service if it exists | |||
|
71 | if systemctl list-units | grep -q dphys-swapfile ; then | |||
|
72 | if systemctl is-enabled dphys-swapfile ; then | |||
|
73 | logger -t "rc.firstboot" "Restarting dphys-swapfile" | |||
|
74 | systemctl restart dphys-swapfile | |||
|
75 | fi | |||
|
76 | fi |
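Review bot: `systemctl list-units | grep -q dphys-swapfile` at new line 71 matches the string anywhere in the listing, including the description column of an unrelated unit, and `systemctl is-enabled dphys-swapfile` on line 72 then prints its answer to stdout as a side effect; the pair collapses to one exact, quiet test: `if systemctl is-enabled --quiet dphys-swapfile.service 2>/dev/null ; then`. The restart also runs unconditionally after the `partprobe && resize2fs && logger` chain on lines 66–68, so it fires even when the resize failed; if that is not intended, append it to the chain's success path instead.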
@@ -8,6 +8,7 INITRAMFS_UBOOT="${INITRAMFS}.uboot" | |||||
8 | # Extract kernel arch |
|
8 | # Extract kernel arch | |
9 | case "${KERNEL_ARCH}" in |
|
9 | case "${KERNEL_ARCH}" in | |
10 | arm*) KERNEL_ARCH=arm ;; |
|
10 | arm*) KERNEL_ARCH=arm ;; | |
|
11 | aarch64) KERNEL_ARCH=arm64 ;; | |||
11 | esac |
|
12 | esac | |
12 |
|
13 | |||
13 | # Regenerate initramfs |
|
14 | # Regenerate initramfs |
@@ -3,6 +3,17 | |||||
3 | cleanup (){ |
|
3 | cleanup (){ | |
4 | set +x |
|
4 | set +x | |
5 | set +e |
|
5 | set +e | |
|
6 | ||||
|
7 | # Remove exports from nexmon | |||
|
8 | unset KERNEL | |||
|
9 | unset ARCH | |||
|
10 | unset SUBARCH | |||
|
11 | unset CCPLUGIN | |||
|
12 | unset ZLIBFLATE | |||
|
13 | unset Q | |||
|
14 | unset NEXMON_SETUP_ENV | |||
|
15 | unset HOSTUNAME | |||
|
16 | unset PLATFORMUNAME | |||
6 |
|
17 | |||
7 | # Identify and kill all processes still using files |
|
18 | # Identify and kill all processes still using files | |
8 | echo "killing processes using mount point ..." |
|
19 | echo "killing processes using mount point ..." | |
@@ -63,15 +74,43 chroot_install_cc() { | |||||
63 | # Install c/c++ build environment inside the chroot |
|
74 | # Install c/c++ build environment inside the chroot | |
64 | if [ -z "${COMPILER_PACKAGES}" ] ; then |
|
75 | if [ -z "${COMPILER_PACKAGES}" ] ; then | |
65 | COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') |
|
76 | COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') | |
66 | # Install COMPILER_PACKAGES in chroot |
|
77 | # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot | |
67 |
chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install |
|
78 | chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES} | |
68 | fi |
|
79 | fi | |
69 | } |
|
80 | } | |
70 |
|
81 | |||
71 | chroot_remove_cc() { |
|
82 | chroot_remove_cc() { | |
72 | # Remove c/c++ build environment from the chroot |
|
83 | # Remove c/c++ build environment from the chroot | |
73 | if [ -n "${COMPILER_PACKAGES}" ] ; then |
|
84 | if [ -n "${COMPILER_PACKAGES}" ] ; then | |
74 |
chroot_exec apt-get -qq -y --auto-remove purge |
|
85 | chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} | |
75 | COMPILER_PACKAGES="" |
|
86 | COMPILER_PACKAGES="" | |
76 | fi |
|
87 | fi | |
77 | } |
|
88 | } | |
|
89 | ||||
|
90 | # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0 | |||
|
91 | cdr2mask () | |||
|
92 | { | |||
|
93 | # Number of args to shift, 255..255, first non-255 byte, zeroes | |||
|
94 | set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 | |||
|
95 | [ $1 -gt 1 ] && shift $1 || shift | |||
|
96 | echo ${1-0}.${2-0}.${3-0}.${4-0} | |||
|
97 | } | |||
|
98 | ||||
|
99 | # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh | |||
|
100 | set_kernel_config() { | |||
|
101 | # flag as $1, value to set as $2, config must exist at "./.config" | |||
|
102 | TGT="CONFIG_${1#CONFIG_}" | |||
|
103 | REP="${2}" | |||
|
104 | if grep -q "^${TGT}[^_]" .config; then | |||
|
105 | sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config | |||
|
106 | else | |||
|
107 | echo "${TGT}"="${2}" >> .config | |||
|
108 | fi | |||
|
109 | } | |||
|
110 | ||||
|
111 | # unset kernel config parameter | |||
|
112 | unset_kernel_config() { | |||
|
113 | # unsets flag with the value of $1, config must exist at "./.config" | |||
|
114 | TGT="CONFIG_${1#CONFIG_}" | |||
|
115 | sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config | |||
|
116 | } No newline at end of file |
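Review bot: In `set_kernel_config` the `# ${TGT} is not set` alternative of the sed command can never fire, because the guard `grep -q "^${TGT}[^_]"` only matches lines that begin with the option name; a `.config` that carries `# CONFIG_X is not set` falls into the else branch and gets a second `CONFIG_X=value` line appended instead of a replacement. Change the guard to `if grep -q -e "^${TGT}=" -e "^# ${TGT} is not set" .config; then`, which also stops `[^_]` from matching a longer option that shares the prefix. `${REP}` is spliced into the sed replacement unescaped, so a string value containing `/`, `&` or `\` (paths, command lines) corrupts the substitution; escaping it first or choosing a delimiter that cannot appear in kernel config values would make the helper safe for `CONFIG_*` string options.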
@@ -57,6 +57,20 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git} | |||||
57 | UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git} |
|
57 | UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git} | |
58 | VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland} |
|
58 | VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland} | |
59 | BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git} |
|
59 | BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git} | |
|
60 | NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git} | |||
|
61 | SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git} | |||
|
62 | ||||
|
63 | # Kernel deb packages for 32bit kernel | |||
|
64 | RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb} | |||
|
65 | RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb} | |||
|
66 | # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used | |||
|
67 | RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz} | |||
|
68 | # Default precompiled 64bit kernel | |||
|
69 | RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz} | |||
|
70 | # Generic | |||
|
71 | RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL} | |||
|
72 | # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul) | |||
|
73 | KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git} | |||
60 |
|
74 | |||
61 | # Build directories |
|
75 | # Build directories | |
62 | WORKDIR=$(pwd) |
|
76 | WORKDIR=$(pwd) | |
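Review bot: The new precompiled kernel URLs (RPI_32_KERNEL_URL, RPI_32_KERNELHEADER_URL, RPI3_64_BIS_KERNEL_URL, RPI3_64_DEF_KERNEL_URL) have no companion checksum setting, so whatever fetches them presumably installs the archive as served; a pinned `*_SHA256` value per URL that the download step verifies would make the kernel artefact tamper-evident instead of trusting the transport alone. The git URLs are less exposed because a clone can be pinned to a commit, but KALI_KERNEL_URL and NEXMON_URL are likewise defined here without any ref to pin to.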
@@ -105,6 +119,7 NET_NTP_2=${NET_NTP_2:=""} | |||||
105 | # APT settings |
|
119 | # APT settings | |
106 | APT_PROXY=${APT_PROXY:=""} |
|
120 | APT_PROXY=${APT_PROXY:=""} | |
107 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
121 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} | |
|
122 | KEEP_APT_PROXY=${KEEP_APT_PROXY:=false} | |||
108 |
|
123 | |||
109 | # Feature settings |
|
124 | # Feature settings | |
110 | ENABLE_PRINTK=${ENABLE_PRINTK:=false} |
|
125 | ENABLE_PRINTK=${ENABLE_PRINTK:=false} | |
@@ -138,19 +153,26 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""} | |||||
138 | SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""} |
|
153 | SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""} | |
139 |
|
154 | |||
140 | # Advanced settings |
|
155 | # Advanced settings | |
|
156 | ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false} | |||
141 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
|
157 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |
142 | ENABLE_REDUCE=${ENABLE_REDUCE:=false} |
|
158 | ENABLE_REDUCE=${ENABLE_REDUCE:=false} | |
143 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
159 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |
144 | UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} |
|
160 | UBOOTSRC_DIR=${UBOOTSRC_DIR:=""} | |
|
161 | ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false} | |||
145 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
162 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |
146 | ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} |
|
163 | ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false} | |
|
164 | ENABLE_NEXMON=${ENABLE_NEXMON:=false} | |||
147 | VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""} |
|
165 | VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""} | |
148 | FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""} |
|
166 | FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""} | |
|
167 | NEXMONSRC_DIR=${NEXMONSRC_DIR:=""} | |||
149 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
168 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
150 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
169 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
151 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} |
|
170 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} | |
152 | ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false} |
|
171 | ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false} | |
153 | ENABLE_IFNAMES=${ENABLE_IFNAMES:=true} |
|
172 | ENABLE_IFNAMES=${ENABLE_IFNAMES:=true} | |
|
173 | ENABLE_SPLASH=${ENABLE_SPLASH:=true} | |||
|
174 | ENABLE_LOGO=${ENABLE_LOGO:=true} | |||
|
175 | ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false} | |||
154 | DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=} |
|
176 | DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=} | |
155 |
|
177 | |||
156 | # Kernel compilation settings |
|
178 | # Kernel compilation settings | |
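Review bot: `ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}` and `ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT=false}` use the `=` form while every neighbouring setting uses `:=`; with `=`, an exported-but-empty variable keeps its empty value instead of defaulting to `false`, and a check written as `= false` elsewhere would then not treat the feature as disabled. For consistency with the rest of the block they should read `ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB:=false}` and `ENABLE_SILENT_BOOT=${ENABLE_SILENT_BOOT:=false}`.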
@@ -162,6 +184,12 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false} | |||||
162 | KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true} |
|
184 | KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true} | |
163 | KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false} |
|
185 | KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false} | |
164 | KERNEL_CCACHE=${KERNEL_CCACHE:=false} |
|
186 | KERNEL_CCACHE=${KERNEL_CCACHE:=false} | |
|
187 | KERNEL_ZSWAP=${KERNEL_ZSWAP:=false} | |||
|
188 | KERNEL_VIRT=${KERNEL_VIRT:=false} | |||
|
189 | KERNEL_BPF=${KERNEL_BPF:=false} | |||
|
190 | KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave} | |||
|
191 | KERNEL_SECURITY=${KERNEL_SECURITY:=false} | |||
|
192 | KERNEL_NF=${KERNEL_NF:=false} | |||
165 |
|
193 | |||
166 | # Kernel compilation from source directory settings |
|
194 | # Kernel compilation from source directory settings | |
167 | KERNELSRC_DIR=${KERNELSRC_DIR:=""} |
|
195 | KERNELSRC_DIR=${KERNELSRC_DIR:=""} | |
@@ -185,6 +213,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |||||
185 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} |
|
213 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} | |
186 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} |
|
214 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} | |
187 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} |
|
215 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} | |
|
216 | #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup | |||
|
217 | CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} | |||
|
218 | #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated | |||
|
219 | CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} | |||
188 |
|
220 | |||
189 | # Chroot scripts directory |
|
221 | # Chroot scripts directory | |
190 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
|
222 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} | |
@@ -203,11 +235,9 MISSING_PACKAGES="" | |||||
203 | # Packages installed for c/c++ build environment in chroot (keep empty) |
|
235 | # Packages installed for c/c++ build environment in chroot (keep empty) | |
204 | COMPILER_PACKAGES="" |
|
236 | COMPILER_PACKAGES="" | |
205 |
|
237 | |||
206 | set +x |
|
238 | # Check if apt-cacher-ng has port 3142 open and set APT_PROXY | |
207 |
|
239 | APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d') | ||
208 | #Check if apt-cacher-ng has port 3142 open and set APT_PROXY |
|
240 | if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then | |
209 | APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq) |
|
|||
210 | if [ -n "${APT_CACHER_RUNNING}" ] ; then |
|
|||
211 | APT_PROXY=http://127.0.0.1:3142/ |
|
241 | APT_PROXY=http://127.0.0.1:3142/ | |
212 | fi |
|
242 | fi | |
213 |
|
243 | |||
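Review bot: The new apt-cacher-ng detection compares the entire output of `lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d'` with the single string `apt-cacher-ng`, so it only succeeds when exactly one socket is listed and the USER column happens to land in the third space-separated field; with IPv4 and IPv6 listeners, an open client connection, or lsof's variable column padding the comparison fails and the proxy is silently not used, which the replaced `grep apt-cacher-ng` / `-n` test tolerated. Testing for the listening socket directly is more robust: `if lsof -i :3142 -sTCP:LISTEN 2>/dev/null | grep -q apt-cacher-ng ; then`. When lsof is not installed the pipeline prints an error and the check quietly evaluates false, so lsof may belong in REQUIRED_PACKAGES or behind a `command -v lsof` guard.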
@@ -258,7 +288,7 if [ -n "$SET_ARCH" ] ; then | |||||
258 | CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} |
|
288 | CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} | |
259 | fi |
|
289 | fi | |
260 | fi |
|
290 | fi | |
261 | #SET_ARCH not set |
|
291 | # SET_ARCH not set | |
262 | else |
|
292 | else | |
263 | echo "error: Please set '32' or '64' as value for SET_ARCH" |
|
293 | echo "error: Please set '32' or '64' as value for SET_ARCH" | |
264 | exit 1 |
|
294 | exit 1 | |
@@ -295,12 +325,26 case "$RPI_MODEL" in | |||||
295 | ;; |
|
325 | ;; | |
296 | esac |
|
326 | esac | |
297 |
|
327 | |||
|
328 | if [ "$ENABLE_UBOOTUSB" = true ] ; then | |||
|
329 | if [ "$ENABLE_UBOOT" = false ] ; then | |||
|
330 | echo "error: Enabling UBOOTUSB requires u-boot to be enabled" | |||
|
331 | exit 1 | |||
|
332 | fi | |||
|
333 | if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then | |||
|
334 | echo "error: Enabling UBOOTUSB requires Raspberry 3" | |||
|
335 | exit 1 | |||
|
336 | fi | |||
|
337 | fi | |||
|
338 | ||||
298 | # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard |
|
339 | # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard | |
299 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then |
|
340 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |
300 | # Include bluetooth packages on supported boards |
|
341 | # Include bluetooth packages on supported boards | |
301 |
if [ "$ENABLE_BLUETOOTH" = true ] |
|
342 | if [ "$ENABLE_BLUETOOTH" = true ] ; then | |
302 | APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" |
|
343 | APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" | |
303 | fi |
|
344 | fi | |
|
345 | if [ "$ENABLE_WIRELESS" = true ] ; then | |||
|
346 | APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb" | |||
|
347 | fi | |||
304 | else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard |
|
348 | else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard | |
305 | # Check if the internal wireless interface is not supported by the RPi model |
|
349 | # Check if the internal wireless interface is not supported by the RPi model | |
306 | if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then |
|
350 | if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then | |
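Review bot: The model check `if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then` is always true, because no value equals both 3 and 3P, so enabling UBOOTUSB exits with "requires Raspberry 3" on every model including the two it is meant to allow. The condition must be the conjunction: `if [ "$RPI_MODEL" != 3 ] && [ "$RPI_MODEL" != 3P ] ; then`. The preceding `[ "$ENABLE_UBOOT" = false ]` test also passes for any value other than the literal `false`; `[ "$ENABLE_UBOOT" != true ]` matches how the other feature flags are tested in this file.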
@@ -309,6 +353,11 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard | |||||
309 | fi |
|
353 | fi | |
310 | fi |
|
354 | fi | |
311 |
|
355 | |||
|
356 | if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then | |||
|
357 | echo "error: You have to compile kernel sources, if you want to enable nexmon" | |||
|
358 | exit 1 | |||
|
359 | fi | |||
|
360 | ||||
312 | # Prepare date string for default image file name |
|
361 | # Prepare date string for default image file name | |
313 | DATE="$(date +%Y-%m-%d)" |
|
362 | DATE="$(date +%Y-%m-%d)" | |
314 | if [ -z "$KERNEL_BRANCH" ] ; then |
|
363 | if [ -z "$KERNEL_BRANCH" ] ; then | |
@@ -330,6 +379,11 if [ "$ENABLE_VIDEOCORE" = true ] ; then | |||||
330 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake" |
|
379 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake" | |
331 | fi |
|
380 | fi | |
332 |
|
381 | |||
|
382 | # Add deps for nexmon | |||
|
383 | if [ "$ENABLE_NEXMON" = true ] ; then | |||
|
384 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool" | |||
|
385 | fi | |||
|
386 | ||||
333 | # Add libncurses5 to enable kernel menuconfig |
|
387 | # Add libncurses5 to enable kernel menuconfig | |
334 | if [ "$KERNEL_MENUCONFIG" = true ] ; then |
|
388 | if [ "$KERNEL_MENUCONFIG" = true ] ; then | |
335 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev" |
|
389 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev" | |
@@ -345,6 +399,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||||
345 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" |
|
399 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" | |
346 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" |
|
400 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" | |
347 |
|
401 | |||
|
402 | # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package | |||
|
403 | if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then | |||
|
404 | APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" | |||
|
405 | fi | |||
|
406 | ||||
348 | if [ -z "$CRYPTFS_PASSWORD" ] ; then |
|
407 | if [ -z "$CRYPTFS_PASSWORD" ] ; then | |
349 | echo "error: no password defined (CRYPTFS_PASSWORD)!" |
|
408 | echo "error: no password defined (CRYPTFS_PASSWORD)!" | |
350 | exit 1 |
|
409 | exit 1 | |
@@ -362,14 +421,6 if [ "$ENABLE_UBOOT" = true ] ; then | |||||
362 | APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc" |
|
421 | APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc" | |
363 | fi |
|
422 | fi | |
364 |
|
423 | |||
365 | if [ "$ENABLE_BLUETOOTH" = true ] ; then |
|
|||
366 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then |
|
|||
367 | if [ "$ENABLE_CONSOLE" = false ] ; then |
|
|||
368 | APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez" |
|
|||
369 | fi |
|
|||
370 | fi |
|
|||
371 | fi |
|
|||
372 |
|
||||
373 | # Check if root SSH (v2) public key file exists |
|
424 | # Check if root SSH (v2) public key file exists | |
374 | if [ -n "$SSH_ROOT_PUB_KEY" ] ; then |
|
425 | if [ -n "$SSH_ROOT_PUB_KEY" ] ; then | |
375 | if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then |
|
426 | if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then | |
@@ -386,6 +437,11 if [ -n "$SSH_USER_PUB_KEY" ] ; then | |||||
386 | fi |
|
437 | fi | |
387 | fi |
|
438 | fi | |
388 |
|
439 | |||
|
440 | if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then | |||
|
441 | echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON" | |||
|
442 | exit 1 | |||
|
443 | fi | |||
|
444 | ||||
389 | # Check if all required packages are installed on the build system |
|
445 | # Check if all required packages are installed on the build system | |
390 | for package in $REQUIRED_PACKAGES ; do |
|
446 | for package in $REQUIRED_PACKAGES ; do | |
391 | if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then |
|
447 | if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then | |
@@ -442,6 +498,12 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then | |||||
442 | exit 1 |
|
498 | exit 1 | |
443 | fi |
|
499 | fi | |
444 |
|
500 | |||
|
501 | # Check if specified NEXMONSRC_DIR directory exists | |||
|
502 | if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then | |||
|
503 | echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!" | |||
|
504 | exit 1 | |||
|
505 | fi | |||
|
506 | ||||
445 | # Check if specified CHROOT_SCRIPTS directory exists |
|
507 | # Check if specified CHROOT_SCRIPTS directory exists | |
446 | if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then |
|
508 | if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then | |
447 | echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!" |
|
509 | echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!" | |
@@ -493,6 +555,10 fi | |||||
493 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
555 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
494 | APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent" |
|
556 | APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent" | |
495 | fi |
|
557 | fi | |
|
558 | # Add apparmor for KERNEL_SECURITY | |||
|
559 | if [ "$KERNEL_SECURITY" = true ] ; then | |||
|
560 | APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl" | |||
|
561 | fi | |||
496 |
|
562 | |||
497 | # Add openssh server package |
|
563 | # Add openssh server package | |
498 | if [ "$ENABLE_SSHD" = true ] ; then |
|
564 | if [ "$ENABLE_SSHD" = true ] ; then | |
@@ -546,16 +612,6 if [ "$ENABLE_SYSVINIT" = false ] ; then | |||||
546 | APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv" |
|
612 | APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv" | |
547 | fi |
|
613 | fi | |
548 |
|
614 | |||
549 | # Check if kernel is getting compiled |
|
|||
550 | if [ "$BUILD_KERNEL" = false ] ; then |
|
|||
551 | echo "Downloading precompiled kernel" |
|
|||
552 | echo "error: not configured" |
|
|||
553 | exit 1; |
|
|||
554 | # BUILD_KERNEL=true |
|
|||
555 | else |
|
|||
556 | echo "No precompiled kernel repositories were added" |
|
|||
557 | fi |
|
|||
558 |
|
||||
559 | # Configure kernel sources if no KERNELSRC_DIR |
|
615 | # Configure kernel sources if no KERNELSRC_DIR | |
560 | if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then |
|
616 | if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then | |
561 | KERNELSRC_CONFIG=true |
|
617 | KERNELSRC_CONFIG=true | |
@@ -623,13 +679,17 umount -l "${R}/sys" | |||||
623 | rm -rf "${R}/run/*" |
|
679 | rm -rf "${R}/run/*" | |
624 | rm -rf "${R}/tmp/*" |
|
680 | rm -rf "${R}/tmp/*" | |
625 |
|
681 | |||
|
682 | # Clean up APT proxy settings | |||
|
683 | if [ "$KEEP_APT_PROXY" = false ] ; then | |||
|
684 | rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy" | |||
|
685 | fi | |||
|
686 | ||||
626 | # Clean up files |
|
687 | # Clean up files | |
627 | rm -f "${ETC_DIR}/ssh/ssh_host_*" |
|
688 | rm -f "${ETC_DIR}/ssh/ssh_host_*" | |
628 | rm -f "${ETC_DIR}/dropbear/dropbear_*" |
|
689 | rm -f "${ETC_DIR}/dropbear/dropbear_*" | |
629 | rm -f "${ETC_DIR}/apt/sources.list.save" |
|
690 | rm -f "${ETC_DIR}/apt/sources.list.save" | |
630 | rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original" |
|
691 | rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original" | |
631 | rm -f "${ETC_DIR}/*-" |
|
692 | rm -f "${ETC_DIR}/*-" | |
632 | rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy" |
|
|||
633 | rm -f "${ETC_DIR}/resolv.conf" |
|
693 | rm -f "${ETC_DIR}/resolv.conf" | |
634 | rm -f "${R}/root/.bash_history" |
|
694 | rm -f "${R}/root/.bash_history" | |
635 | rm -f "${R}/var/lib/urandom/random-seed" |
|
695 | rm -f "${R}/var/lib/urandom/random-seed" |
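Review bot: With `KEEP_APT_PROXY=true` the `10proxy` file survives into the image even when APT_PROXY was not set by the user but auto-detected from a local apt-cacher-ng (the hunk at new lines 238-242 sets `APT_PROXY=http://127.0.0.1:3142/`), so the finished system would try to reach a proxy that only existed on the build host; if that file is written from APT_PROXY, the keep should presumably require an explicitly configured proxy, or the detection should be skipped when KEEP_APT_PROXY is true. Unrelated to the new lines but in the same cleanup block: `rm -f "${ETC_DIR}/ssh/ssh_host_*"` and `rm -f "${ETC_DIR}/dropbear/dropbear_*"` quote the glob, so the literal name never matches and host keys generated during the build are shipped in every image built from it; moving the wildcard outside the quotes (`rm -f "${ETC_DIR}"/ssh/ssh_host_*`) makes the cleanup effective.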