Raspi2-3_GenImage Commit - r3:ed1f379a7abf · Collaboration Tremplin des Sciences

1

#!/bin/sh

1

#!/bin/sh

2

3

########################################################################

3

########################################################################

4

# rpi2-gen-image.sh ver2a 12/2015

4

# rpi2-gen-image.sh ver2a 12/2015

5

#

5

#

6

# Advanced debian "jessie" bootstrap script for RPi2

6

# Advanced debian "jessie" bootstrap script for RPi2

7

#

7

#

8

# This program is free software; you can redistribute it and/or

8

# This program is free software; you can redistribute it and/or

9

# modify it under the terms of the GNU General Public License

9

# modify it under the terms of the GNU General Public License

10

# as published by the Free Software Foundation; either version 2

10

# as published by the Free Software Foundation; either version 2

11

# of the License, or (at your option) any later version.

11

# of the License, or (at your option) any later version.

12

#

12

#

13

# some parts based on rpi2-build-image:

13

# some parts based on rpi2-build-image:

14

15

16

########################################################################

16

########################################################################

17

18

cleanup (){

18

cleanup (){

19

set +x

19

set +x

20

set +e

20

set +e

21

echo "removing temporary mount points ..."

21

echo "removing temporary mount points ..."

22

umount -l $R/proc 2> /dev/null

22

umount -l $R/proc 2> /dev/null

23

umount -l $R/sys 2> /dev/null

23

umount -l $R/sys 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

29

trap - 0 1 2 3 6

29

trap - 0 1 2 3 6

30

}

30

}

31

32

set -e

32

set -e

33

set -x

33

set -x

34

35

RELEASE=${RELEASE:=jessie}

35

RELEASE=${RELEASE:=jessie}

36

37

# Build settings

37

# Build settings

38

BASEDIR=./images/${RELEASE}

38

BASEDIR=./images/${RELEASE}

39

BUILDDIR=${BASEDIR}/build

39

BUILDDIR=${BASEDIR}/build

40

41

# General settings

41

# General settings

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

43

PASSWORD=${PASSWORD:=raspberry}

43

PASSWORD=${PASSWORD:=raspberry}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

46

47

# APT settings

47

# APT settings

48

APT_PROXY=${APT_PROXY:=""}

48

APT_PROXY=${APT_PROXY:=""}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

50

51

# Feature settings

51

# Feature settings

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

56

ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}

56

ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}

57

ENABLE_DBUS=${ENABLE_DBUS:=true}

57

ENABLE_DBUS=${ENABLE_DBUS:=true}

58

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

58

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

59

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

59

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

60

ENABLE_XORG=${ENABLE_XORG:=false}

60

ENABLE_XORG=${ENABLE_XORG:=false}

61

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

61

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

62

63

# Advanced settings

63

# Advanced settings

64

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

64

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

65

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

65

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

66

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

66

67

# Image chroot path

68

# Image chroot path

68

R=${BUILDDIR}/chroot

69

R=${BUILDDIR}/chroot

69

70

# Packages required for bootstrapping

71

# Packages required for bootstrapping

71

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois"

72

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

72

73

# Packages required in the chroot build enviroment

74

# Packages required in the chroot build enviroment

74

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"

75

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"

75

76

set +x

77

set +x

77

78

# Are we running as root?

79

# Are we running as root?

79

if [ "$(id -u)" -ne "0" ] ; then

80

if [ "$(id -u)" -ne "0" ] ; then

80

echo "this script must be executed with root privileges"

81

echo "this script must be executed with root privileges"

81

exit 1

82

exit 1

82

fi

83

fi

83

84

# Don't clobber an old build

85

# Don't clobber an old build

85

if [ -e "$BUILDDIR" ]; then

86

if [ -e "$BUILDDIR" ]; then

86

echo "directory $BUILDDIR already exists, not proceeding"

87

echo "directory $BUILDDIR already exists, not proceeding"

87

exit 1

88

exit 1

88

fi

89

fi

89

90

set -x

91

set -x

91

92

# Call "cleanup" function on various signals and errors

93

# Call "cleanup" function on various signals and errors

93

trap cleanup 0 1 2 3 6

94

trap cleanup 0 1 2 3 6

94

95

# Set up chroot directory

96

# Set up chroot directory

96

mkdir -p $R

97

mkdir -p $R

97

98

# Install dependencies

99

# Install dependencies

99

apt-get -q -y install ${REQUIRED_PACKAGES}

100

apt-get -q -y install ${REQUIRED_PACKAGES}

100

101

# Use traditional SystemV init instead of systemd services

102

# Use traditional SystemV init instead of systemd services

102

if [ "$ENABLE_SYSTEMD" = false ] ; then

103

if [ "$ENABLE_SYSTEMD" = false ] ; then

103

APT_INCLUDES="${APT_INCLUDES},sysvinit-core"

104

APT_INCLUDES="${APT_INCLUDES},sysvinit-core"

104

fi

105

fi

105

106

# Add dbus package, recommended if using systemd

107

# Add dbus package, recommended if using systemd

107

if [ "$ENABLE_DBUS" = true ] ; then

108

if [ "$ENABLE_DBUS" = true ] ; then

108

APT_INCLUDES="${APT_INCLUDES},dbus"

109

APT_INCLUDES="${APT_INCLUDES},dbus"

109

fi

110

fi

110

111

# Add openssh server package

112

# Add openssh server package

112

if [ "$ENABLE_SSHD" = true ] ; then

113

if [ "$ENABLE_SSHD" = true ] ; then

113

APT_INCLUDES="${APT_INCLUDES},openssh-server"

114

APT_INCLUDES="${APT_INCLUDES},openssh-server"

114

fi

115

fi

115

116

# Add rng-tools package

117

# Add rng-tools package

117

if [ "$ENABLE_HWRANDOM" = true ] ; then

118

if [ "$ENABLE_HWRANDOM" = true ] ; then

118

APT_INCLUDES="${APT_INCLUDES},rng-tools"

119

APT_INCLUDES="${APT_INCLUDES},rng-tools"

119

fi

120

fi

120

121

# Add xorg package

122

# Add xorg package

122

if [ "$ENABLE_XORG" = true ] ; then

123

if [ "$ENABLE_XORG" = true ] ; then

123

APT_INCLUDES="${APT_INCLUDES},xorg"

124

APT_INCLUDES="${APT_INCLUDES},xorg"

124

fi

125

fi

125

126

# Add fluxbox package with eterm

127

# Add fluxbox package with eterm

127

if [ "$ENABLE_FLUXBOX" = true ] ; then

128

if [ "$ENABLE_FLUXBOX" = true ] ; then

128

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

129

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

129

fi

130

fi

130

131

if [ -z "$APT_PROXY" ] ; then

132

if [ -z "$APT_PROXY" ] ; then

132

APT_PROXY="http://"

133

APT_PROXY="http://"

133

fi

134

fi

134

135

# Base debootstrap (unpack only)

136

# Base debootstrap (unpack only)

136

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

137

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

137

cp /usr/bin/qemu-arm-static $R/usr/bin

138

cp /usr/bin/qemu-arm-static $R/usr/bin

138

139

# Remove systemd releated packages from list of packages to be bootsrapped

140

# Remove systemd releated packages from list of packages to be bootsrapped

140

if [ "$ENABLE_SYSTEMD" = false ] ; then

141

if [ "$ENABLE_SYSTEMD" = false ] ; then

141

chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required

142

chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required

142

fi

143

fi

143

144

# Copy debian-archive-keyring.pgp

145

# Copy debian-archive-keyring.pgp

145

chroot $R mkdir -p /usr/share/keyrings

146

chroot $R mkdir -p /usr/share/keyrings

146

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

147

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

147

148

# Complete the bootstrapping proccess

149

# Complete the bootstrapping proccess

149

chroot $R /debootstrap/debootstrap --second-stage

150

chroot $R /debootstrap/debootstrap --second-stage

150

151

# Mount required filesystems

152

# Mount required filesystems

152

mount -t proc none $R/proc

153

mount -t proc none $R/proc

153

mount -t sysfs none $R/sys

154

mount -t sysfs none $R/sys

154

mount --bind /dev/pts $R/dev/pts

155

mount --bind /dev/pts $R/dev/pts

155

156

# Set up initial sources.list

157

# Set up initial sources.list

157

cat <<EOM >$R/etc/apt/sources.list

158

cat <<EOM >$R/etc/apt/sources.list

158

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

159

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

159

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

160

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

160

161

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

162

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

162

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

163

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

163

164

deb http://security.debian.org/ ${RELEASE}/updates main contrib

165

deb http://security.debian.org/ ${RELEASE}/updates main contrib

165

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

166

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

166

167

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

168

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

168

EOM

169

EOM

169

170

# Pin package flash-kernel to repositories.collabora.co.uk

171

# Pin package flash-kernel to repositories.collabora.co.uk

171

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

172

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

172

Package: flash-kernel

173

Package: flash-kernel

173

Pin: origin repositories.collabora.co.uk

174

Pin: origin repositories.collabora.co.uk

174

Pin-Priority: 1000

175

Pin-Priority: 1000

175

EOM

176

EOM

176

177

# Set up timezone

178

# Set up timezone

178

echo ${TIMEZONE} >$R/etc/timezone

179

echo ${TIMEZONE} >$R/etc/timezone

179

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

180

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

180

181

# Set up default locales to "en_US.UTF-8" default

182

# Set up default locales to "en_US.UTF-8" default

182

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

183

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

183

LANG=C chroot $R locale-gen ${DEFLOCAL}

184

LANG=C chroot $R locale-gen ${DEFLOCAL}

184

185

# Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"

186

# Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"

186

LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5

187

LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5

187

188

# Upgrade package index and update all installed packages and changed dependencies

189

# Upgrade package index and update all installed packages and changed dependencies

189

LANG=C chroot $R apt-get -q -y update

190

LANG=C chroot $R apt-get -q -y update

190

LANG=C chroot $R apt-get -q -y -u dist-upgrade

191

LANG=C chroot $R apt-get -q -y -u dist-upgrade

191

192

# Kernel installation

193

# Kernel installation

193

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

194

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

194

195

LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2

196

LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2

196

LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel

197

LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel

197

198

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

199

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

199

[ -z "$VMLINUZ" ] && exit 1

200

[ -z "$VMLINUZ" ] && exit 1

200

mkdir -p $R/boot/firmware

201

mkdir -p $R/boot/firmware

201

202

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

203

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

203

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

204

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

204

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

205

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

205

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

206

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

206

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

207

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

207

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

208

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

208

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

209

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

209

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

210

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

210

cp $VMLINUZ $R/boot/firmware/kernel7.img

211

cp $VMLINUZ $R/boot/firmware/kernel7.img

211

212

# Set up hosts

213

# Set up hosts

213

echo ${HOSTNAME} >$R/etc/hostname

214

echo ${HOSTNAME} >$R/etc/hostname

214

cat <<EOM >$R/etc/hosts

215

cat <<EOM >$R/etc/hosts

215

127.0.0.1 localhost

216

127.0.0.1 localhost

216

127.0.1.1 ${HOSTNAME}

217

127.0.1.1 ${HOSTNAME}

217

EOM

218

EOM

218

219

if [ "$ENABLE_IPV6" = true ] ; then

220

if [ "$ENABLE_IPV6" = true ] ; then

220

cat <<EOM >>$R/etc/hosts

221

cat <<EOM >>$R/etc/hosts

221

222

::1 localhost ip6-localhost ip6-loopback

223

::1 localhost ip6-localhost ip6-loopback

223

ff02::1 ip6-allnodes

224

ff02::1 ip6-allnodes

224

ff02::2 ip6-allrouters

225

ff02::2 ip6-allrouters

225

EOM

226

EOM

226

fi

227

fi

227

228

# Generate crypt(3) password string

229

# Generate crypt(3) password string

229

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

230

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

230

231

# Set up default user

232

# Set up default user

232

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

233

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

233

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

234

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

234

235

# Set up root password

236

# Set up root password

236

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

237

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

237

238

# Clean cached downloads

239

LANG=C chroot $R apt-get -y clean

240

LANG=C chroot $R apt-get -y autoclean

241

LANG=C chroot $R apt-get -y autoremove

242

239

243

# Set up interfaces

240

# Set up interfaces

244

cat <<EOM >$R/etc/network/interfaces

241

cat <<EOM >$R/etc/network/interfaces

245

# interfaces(5) file used by ifup(8) and ifdown(8)

242

# interfaces(5) file used by ifup(8) and ifdown(8)

246

# Include files from /etc/network/interfaces.d:

243

# Include files from /etc/network/interfaces.d:

247

source-directory /etc/network/interfaces.d

244

source-directory /etc/network/interfaces.d

248

245

249

# The loopback network interface

246

# The loopback network interface

250

auto lo

247

auto lo

251

iface lo inet loopback

248

iface lo inet loopback

252

249

253

# The primary network interface

250

# The primary network interface

254

allow-hotplug eth0

251

allow-hotplug eth0

255

iface eth0 inet dhcp

252

iface eth0 inet dhcp

256

EOM

253

EOM

257

254

258

# Set up firmware boot cmdline

255

# Set up firmware boot cmdline

259

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

256

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

260

257

261

# Set up serial console support (if requested)

258

# Set up serial console support (if requested)

262

if [ "$ENABLE_CONSOLE" = true ] ; then

259

if [ "$ENABLE_CONSOLE" = true ] ; then

263

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

260

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

264

fi

261

fi

265

262

266

# Set up ipv6 support (if requested)

263

# Set up ipv6 support (if requested)

267

if [ "$ENABLE_IPV6" = false ] ; then

264

if [ "$ENABLE_IPV6" = false ] ; then

268

CMDLINE="${CMDLINE} ipv6.disable=1"

265

CMDLINE="${CMDLINE} ipv6.disable=1"

269

fi

266

fi

270

267

271

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

268

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

272

269

273

# Set up firmware config

270

# Set up firmware config

274

cat <<EOM >$R/boot/firmware/config.txt

271

cat <<EOM >$R/boot/firmware/config.txt

275

# For more options and information see

272

# For more options and information see

276

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

273

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

277

# Some settings may impact device functionality. See link above for details

274

# Some settings may impact device functionality. See link above for details

278

275

279

# uncomment if you get no picture on HDMI for a default "safe" mode

276

# uncomment if you get no picture on HDMI for a default "safe" mode

280

#hdmi_safe=1

277

#hdmi_safe=1

281

278

282

# uncomment this if your display has a black border of unused pixels visible

279

# uncomment this if your display has a black border of unused pixels visible

283

# and your display can output without overscan

280

# and your display can output without overscan

284

#disable_overscan=1

281

#disable_overscan=1

285

282

286

# uncomment the following to adjust overscan. Use positive numbers if console

283

# uncomment the following to adjust overscan. Use positive numbers if console

287

# goes off screen, and negative if there is too much border

284

# goes off screen, and negative if there is too much border

288

#overscan_left=16

285

#overscan_left=16

289

#overscan_right=16

286

#overscan_right=16

290

#overscan_top=16

287

#overscan_top=16

291

#overscan_bottom=16

288

#overscan_bottom=16

292

289

293

# uncomment to force a console size. By default it will be display's size minus

290

# uncomment to force a console size. By default it will be display's size minus

294

# overscan.

291

# overscan.

295

#framebuffer_width=1280

292

#framebuffer_width=1280

296

#framebuffer_height=720

293

#framebuffer_height=720

297

294

298

# uncomment if hdmi display is not detected and composite is being output

295

# uncomment if hdmi display is not detected and composite is being output

299

#hdmi_force_hotplug=1

296

#hdmi_force_hotplug=1

300

297

301

# uncomment to force a specific HDMI mode (this will force VGA)

298

# uncomment to force a specific HDMI mode (this will force VGA)

302

#hdmi_group=1

299

#hdmi_group=1

303

#hdmi_mode=1

300

#hdmi_mode=1

304

301

305

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

302

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

306

# DMT (computer monitor) modes

303

# DMT (computer monitor) modes

307

#hdmi_drive=2

304

#hdmi_drive=2

308

305

309

# uncomment to increase signal to HDMI, if you have interference, blanking, or

306

# uncomment to increase signal to HDMI, if you have interference, blanking, or

310

# no display

307

# no display

311

#config_hdmi_boost=4

308

#config_hdmi_boost=4

312

309

313

# uncomment for composite PAL

310

# uncomment for composite PAL

314

#sdtv_mode=2

311

#sdtv_mode=2

315

312

316

#uncomment to overclock the arm. 700 MHz is the default.

313

#uncomment to overclock the arm. 700 MHz is the default.

317

#arm_freq=800

314

#arm_freq=800

318

EOM

315

EOM

319

316

320

# Set smallest possible GPU memory allocation size: 16MB (no X)

317

# Set smallest possible GPU memory allocation size: 16MB (no X)

321

if [ "$ENABLE_MINGPU" = true ] ; then

318

if [ "$ENABLE_MINGPU" = true ] ; then

322

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

319

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

323

fi

320

fi

324

321

325

# Create symlinks

322

# Create symlinks

326

ln -sf firmware/config.txt $R/boot/config.txt

323

ln -sf firmware/config.txt $R/boot/config.txt

327

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

324

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

328

325

329

# Prepare modules-load.d directory

326

# Prepare modules-load.d directory

330

mkdir -p $R/lib/modules-load.d/

327

mkdir -p $R/lib/modules-load.d/

331

328

332

# Load random module on boot

329

# Load random module on boot

333

if [ "$ENABLE_HWRANDOM" = true ] ; then

330

if [ "$ENABLE_HWRANDOM" = true ] ; then

334

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

331

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

335

bcm2708_rng

332

bcm2708_rng

336

EOM

333

EOM

337

fi

334

fi

338

335

339

# Prepare modprobe.d directory

336

# Prepare modprobe.d directory

340

mkdir -p $R/etc/modprobe.d/

337

mkdir -p $R/etc/modprobe.d/

341

338

342

# Blacklist sound modules

339

# Blacklist sound modules

343

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

340

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

344

blacklist snd_soc_core

341

blacklist snd_soc_core

345

blacklist snd_pcm

342

blacklist snd_pcm

346

blacklist snd_pcm_dmaengine

343

blacklist snd_pcm_dmaengine

347

blacklist snd_timer

344

blacklist snd_timer

348

blacklist snd_compress

345

blacklist snd_compress

349

blacklist snd_soc_pcm512x_i2c

346

blacklist snd_soc_pcm512x_i2c

350

blacklist snd_soc_pcm512x

347

blacklist snd_soc_pcm512x

351

blacklist snd_soc_tas5713

348

blacklist snd_soc_tas5713

352

blacklist snd_soc_wm8804

349

blacklist snd_soc_wm8804

353

EOM

350

EOM

354

351

355

# Create default fstab

352

# Create default fstab

356

cat <<EOM >$R/etc/fstab

353

cat <<EOM >$R/etc/fstab

357

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

354

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

358

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

355

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

359

EOM

356

EOM

360

357

361

# Avoid swapping and increase cache sizes

358

# Avoid swapping and increase cache sizes

362

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

359

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

363

360

364

# Avoid swapping and increase cache sizes

361

# Avoid swapping and increase cache sizes

365

vm.swappiness=1

362

vm.swappiness=1

366

vm.dirty_background_ratio=20

363

vm.dirty_background_ratio=20

367

vm.dirty_ratio=40

364

vm.dirty_ratio=40

368

vm.dirty_writeback_centisecs=500

365

vm.dirty_writeback_centisecs=500

369

vm.dirty_expire_centisecs=6000

366

vm.dirty_expire_centisecs=6000

370

EOM

367

EOM

371

368

372

# Enable network stack hardening

369

# Enable network stack hardening

373

if [ "$ENABLE_HARDNET" = true ] ; then

370

if [ "$ENABLE_HARDNET" = true ] ; then

374

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

371

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

375

372

376

# Enable network stack hardening

373

# Enable network stack hardening

377

net.ipv4.tcp_timestamps=0

374

net.ipv4.tcp_timestamps=0

378

net.ipv4.tcp_syncookies=1

375

net.ipv4.tcp_syncookies=1

379

net.ipv4.conf.all.rp_filter=1

376

net.ipv4.conf.all.rp_filter=1

380

net.ipv4.conf.all.accept_redirects=0

377

net.ipv4.conf.all.accept_redirects=0

381

net.ipv4.conf.all.send_redirects=0

378

net.ipv4.conf.all.send_redirects=0

382

net.ipv4.conf.all.accept_source_route=0

379

net.ipv4.conf.all.accept_source_route=0

383

net.ipv4.conf.default.rp_filter=1

380

net.ipv4.conf.default.rp_filter=1

384

net.ipv4.conf.default.accept_redirects=0

381

net.ipv4.conf.default.accept_redirects=0

385

net.ipv4.conf.default.send_redirects=0

382

net.ipv4.conf.default.send_redirects=0

386

net.ipv4.conf.default.accept_source_route=0

383

net.ipv4.conf.default.accept_source_route=0

387

net.ipv4.conf.lo.accept_redirects=0

384

net.ipv4.conf.lo.accept_redirects=0

388

net.ipv4.conf.lo.send_redirects=0

385

net.ipv4.conf.lo.send_redirects=0

389

net.ipv4.conf.lo.accept_source_route=0

386

net.ipv4.conf.lo.accept_source_route=0

390

net.ipv4.conf.eth0.accept_redirects=0

387

net.ipv4.conf.eth0.accept_redirects=0

391

net.ipv4.conf.eth0.send_redirects=0

388

net.ipv4.conf.eth0.send_redirects=0

392

net.ipv4.conf.eth0.accept_source_route=0

389

net.ipv4.conf.eth0.accept_source_route=0

393

net.ipv4.icmp_echo_ignore_broadcasts=1

390

net.ipv4.icmp_echo_ignore_broadcasts=1

394

net.ipv4.icmp_ignore_bogus_error_responses=1

391

net.ipv4.icmp_ignore_bogus_error_responses=1

395

392

396

net.ipv6.conf.all.accept_redirects=0

393

net.ipv6.conf.all.accept_redirects=0

397

net.ipv6.conf.all.accept_source_route=0

394

net.ipv6.conf.all.accept_source_route=0

398

net.ipv6.conf.all.router_solicitations=0

395

net.ipv6.conf.all.router_solicitations=0

399

net.ipv6.conf.all.accept_ra_rtr_pref=0

396

net.ipv6.conf.all.accept_ra_rtr_pref=0

400

net.ipv6.conf.all.accept_ra_pinfo=0

397

net.ipv6.conf.all.accept_ra_pinfo=0

401

net.ipv6.conf.all.accept_ra_defrtr=0

398

net.ipv6.conf.all.accept_ra_defrtr=0

402

net.ipv6.conf.all.autoconf=0

399

net.ipv6.conf.all.autoconf=0

403

net.ipv6.conf.all.dad_transmits=0

400

net.ipv6.conf.all.dad_transmits=0

404

net.ipv6.conf.all.max_addresses=1

401

net.ipv6.conf.all.max_addresses=1

405

402

406

net.ipv6.conf.default.accept_redirects=0

403

net.ipv6.conf.default.accept_redirects=0

407

net.ipv6.conf.default.accept_source_route=0

404

net.ipv6.conf.default.accept_source_route=0

408

net.ipv6.conf.default.router_solicitations=0

405

net.ipv6.conf.default.router_solicitations=0

409

net.ipv6.conf.default.accept_ra_rtr_pref=0

406

net.ipv6.conf.default.accept_ra_rtr_pref=0

410

net.ipv6.conf.default.accept_ra_pinfo=0

407

net.ipv6.conf.default.accept_ra_pinfo=0

411

net.ipv6.conf.default.accept_ra_defrtr=0

408

net.ipv6.conf.default.accept_ra_defrtr=0

412

net.ipv6.conf.default.autoconf=0

409

net.ipv6.conf.default.autoconf=0

413

net.ipv6.conf.default.dad_transmits=0

410

net.ipv6.conf.default.dad_transmits=0

414

net.ipv6.conf.default.max_addresses=1

411

net.ipv6.conf.default.max_addresses=1

415

412

416

net.ipv6.conf.lo.accept_redirects=0

413

net.ipv6.conf.lo.accept_redirects=0

417

net.ipv6.conf.lo.accept_source_route=0

414

net.ipv6.conf.lo.accept_source_route=0

418

net.ipv6.conf.lo.router_solicitations=0

415

net.ipv6.conf.lo.router_solicitations=0

419

net.ipv6.conf.lo.accept_ra_rtr_pref=0

416

net.ipv6.conf.lo.accept_ra_rtr_pref=0

420

net.ipv6.conf.lo.accept_ra_pinfo=0

417

net.ipv6.conf.lo.accept_ra_pinfo=0

421

net.ipv6.conf.lo.accept_ra_defrtr=0

418

net.ipv6.conf.lo.accept_ra_defrtr=0

422

net.ipv6.conf.lo.autoconf=0

419

net.ipv6.conf.lo.autoconf=0

423

net.ipv6.conf.lo.dad_transmits=0

420

net.ipv6.conf.lo.dad_transmits=0

424

net.ipv6.conf.lo.max_addresses=1

421

net.ipv6.conf.lo.max_addresses=1

425

422

426

net.ipv6.conf.eth0.accept_redirects=0

423

net.ipv6.conf.eth0.accept_redirects=0

427

net.ipv6.conf.eth0.accept_source_route=0

424

net.ipv6.conf.eth0.accept_source_route=0

428

net.ipv6.conf.eth0.router_solicitations=0

425

net.ipv6.conf.eth0.router_solicitations=0

429

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

426

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

430

net.ipv6.conf.eth0.accept_ra_pinfo=0

427

net.ipv6.conf.eth0.accept_ra_pinfo=0

431

net.ipv6.conf.eth0.accept_ra_defrtr=0

428

net.ipv6.conf.eth0.accept_ra_defrtr=0

432

net.ipv6.conf.eth0.autoconf=0

429

net.ipv6.conf.eth0.autoconf=0

433

net.ipv6.conf.eth0.dad_transmits=0

430

net.ipv6.conf.eth0.dad_transmits=0

434

net.ipv6.conf.eth0.max_addresses=1

431

net.ipv6.conf.eth0.max_addresses=1

435

EOM

432

EOM

436

433

437

# Enable resolver warnings about spoofed addresses

434

# Enable resolver warnings about spoofed addresses

438

cat <<EOM >>$R/etc/host.conf

435

cat <<EOM >>$R/etc/host.conf

439

spoof warn

436

spoof warn

440

EOM

437

EOM

441

fi

438

fi

442

439

443

# Regenerate openssh server host keys

440

# Regenerate openssh server host keys

444

if [ "$ENABLE_SSHD" = true ] ; then

441

if [ "$ENABLE_SSHD" = true ] ; then

445

rm -fr $R/etc/ssh/ssh_host_*

442

rm -fr $R/etc/ssh/ssh_host_*

446

LANG=C chroot $R dpkg-reconfigure openssh-server

443

LANG=C chroot $R dpkg-reconfigure openssh-server

447

fi

444

fi

448

445

449

# Enable serial console systemd style

446

# Enable serial console systemd style

450

if [ "$ENABLE_CONSOLE" = true ] ; then

447

if [ "$ENABLE_CONSOLE" = true ] ; then

451

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

448

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

452

fi

449

fi

453

450

454

# Enable firewall based on iptables started by systemd service

451

# Enable firewall based on iptables started by systemd service

455

if [ "$ENABLE_IPTABLES" = true ] ; then

452

if [ "$ENABLE_IPTABLES" = true ] ; then

456

# Create iptables configuration directory

453

# Create iptables configuration directory

457

mkdir -p "$R/etc/iptables"

454

mkdir -p "$R/etc/iptables"

458

455

459

# Create iptables systemd service

456

# Create iptables systemd service

460

cat <<EOM >$R/etc/systemd/system/iptables.service

457

cat <<EOM >$R/etc/systemd/system/iptables.service

461

[Unit]

458

[Unit]

462

Description=Packet Filtering Framework

459

Description=Packet Filtering Framework

463

DefaultDependencies=no

460

DefaultDependencies=no

464

After=systemd-sysctl.service

461

After=systemd-sysctl.service

465

Before=sysinit.target

462

Before=sysinit.target

466

[Service]

463

[Service]

467

Type=oneshot

464

Type=oneshot

468

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

465

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

469

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

466

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

470

ExecStop=/etc/iptables/flush-iptables.sh

467

ExecStop=/etc/iptables/flush-iptables.sh

471

RemainAfterExit=yes

468

RemainAfterExit=yes

472

[Install]

469

[Install]

473

WantedBy=multi-user.target

470

WantedBy=multi-user.target

474

EOM

471

EOM

475

472

476

# Create flush-table script called by iptables service

473

# Create flush-table script called by iptables service

477

cat <<EOM >$R/etc/iptables/flush-iptables.sh

474

cat <<EOM >$R/etc/iptables/flush-iptables.sh

478

#!/bin/sh

475

#!/bin/sh

479

iptables -F

476

iptables -F

480

iptables -X

477

iptables -X

481

iptables -t nat -F

478

iptables -t nat -F

482

iptables -t nat -X

479

iptables -t nat -X

483

iptables -t mangle -F

480

iptables -t mangle -F

484

iptables -t mangle -X

481

iptables -t mangle -X

485

iptables -P INPUT ACCEPT

482

iptables -P INPUT ACCEPT

486

iptables -P FORWARD ACCEPT

483

iptables -P FORWARD ACCEPT

487

iptables -P OUTPUT ACCEPT

484

iptables -P OUTPUT ACCEPT

488

EOM

485

EOM

489

486

490

# Create iptables rule file

487

# Create iptables rule file

491

cat <<EOM >$R/etc/iptables/iptables.rules

488

cat <<EOM >$R/etc/iptables/iptables.rules

492

*filter

489

*filter

493

:INPUT DROP [0:0]

490

:INPUT DROP [0:0]

494

:FORWARD DROP [0:0]

491

:FORWARD DROP [0:0]

495

:OUTPUT ACCEPT [0:0]

492

:OUTPUT ACCEPT [0:0]

496

:TCP - [0:0]

493

:TCP - [0:0]

497

:UDP - [0:0]

494

:UDP - [0:0]

498

:SSH - [0:0]

495

:SSH - [0:0]

499

496

500

# Rate limit ping requests

497

# Rate limit ping requests

501

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

498

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

502

-A INPUT -p icmp --icmp-type echo-request -j DROP

499

-A INPUT -p icmp --icmp-type echo-request -j DROP

503

500

504

# Accept established connections

501

# Accept established connections

505

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

502

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

506

503

507

# Accept all traffic on loopback interface

504

# Accept all traffic on loopback interface

508

-A INPUT -i lo -j ACCEPT

505

-A INPUT -i lo -j ACCEPT

509

506

510

# Drop packets declared invalid

507

# Drop packets declared invalid

511

-A INPUT -m conntrack --ctstate INVALID -j DROP

508

-A INPUT -m conntrack --ctstate INVALID -j DROP

512

509

513

# SSH rate limiting

510

# SSH rate limiting

514

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

511

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

515

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

512

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

516

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

513

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

517

-A SSH -m recent --name sshbf --set -j ACCEPT

514

-A SSH -m recent --name sshbf --set -j ACCEPT

518

515

519

# Send TCP and UDP connections to their respective rules chain

516

# Send TCP and UDP connections to their respective rules chain

520

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

517

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

521

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

518

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

522

519

523

# Reject dropped packets with a RFC compliant responce

520

# Reject dropped packets with a RFC compliant responce

524

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

521

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

525

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

522

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

526

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

523

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

527

524

528

## TCP PORT RULES

525

## TCP PORT RULES

529

# -A TCP -p tcp -j LOG

526

# -A TCP -p tcp -j LOG

530

527

531

## UDP PORT RULES

528

## UDP PORT RULES

532

# -A UDP -p udp -j LOG

529

# -A UDP -p udp -j LOG

533

530

534

COMMIT

531

COMMIT

535

EOM

532

EOM

536

533

537

# Reload systemd configuration and enable iptables service

534

# Reload systemd configuration and enable iptables service

538

LANG=C chroot $R systemctl daemon-reload

535

LANG=C chroot $R systemctl daemon-reload

539

LANG=C chroot $R systemctl enable iptables.service

536

LANG=C chroot $R systemctl enable iptables.service

540

537

541

if [ "$ENABLE_IPV6" = true ] ; then

538

if [ "$ENABLE_IPV6" = true ] ; then

542

# Create ip6tables systemd service

539

# Create ip6tables systemd service

543

cat <<EOM >$R/etc/systemd/system/ip6tables.service

540

cat <<EOM >$R/etc/systemd/system/ip6tables.service

544

[Unit]

541

[Unit]

545

Description=Packet Filtering Framework

542

Description=Packet Filtering Framework

546

DefaultDependencies=no

543

DefaultDependencies=no

547

After=systemd-sysctl.service

544

After=systemd-sysctl.service

548

Before=sysinit.target

545

Before=sysinit.target

549

[Service]

546

[Service]

550

Type=oneshot

547

Type=oneshot

551

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

548

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

552

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

549

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

553

ExecStop=/etc/iptables/flush-ip6tables.sh

550

ExecStop=/etc/iptables/flush-ip6tables.sh

554

RemainAfterExit=yes

551

RemainAfterExit=yes

555

[Install]

552

[Install]

556

WantedBy=multi-user.target

553

WantedBy=multi-user.target

557

EOM

554

EOM

558

555

559

# Create ip6tables file

556

# Create ip6tables file

560

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

557

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

561

#!/bin/sh

558

#!/bin/sh

562

ip6tables -F

559

ip6tables -F

563

ip6tables -X

560

ip6tables -X

564

ip6tables -Z

561

ip6tables -Z

565

for table in $(</proc/net/ip6_tables_names)

562

for table in $(</proc/net/ip6_tables_names)

566

do

563

do

567

ip6tables -t \$table -F

564

ip6tables -t \$table -F

568

ip6tables -t \$table -X

565

ip6tables -t \$table -X

569

ip6tables -t \$table -Z

566

ip6tables -t \$table -Z

570

done

567

done

571

ip6tables -P INPUT ACCEPT

568

ip6tables -P INPUT ACCEPT

572

ip6tables -P OUTPUT ACCEPT

569

ip6tables -P OUTPUT ACCEPT

573

ip6tables -P FORWARD ACCEPT

570

ip6tables -P FORWARD ACCEPT

574

EOM

571

EOM

575

572

576

# Create ip6tables rule file

573

# Create ip6tables rule file

577

cat <<EOM >$R/etc/iptables/ip6tables.rules

574

cat <<EOM >$R/etc/iptables/ip6tables.rules

578

*filter

575

*filter

579

:INPUT DROP [0:0]

576

:INPUT DROP [0:0]

580

:FORWARD DROP [0:0]

577

:FORWARD DROP [0:0]

581

:OUTPUT ACCEPT [0:0]

578

:OUTPUT ACCEPT [0:0]

582

:TCP - [0:0]

579

:TCP - [0:0]

583

:UDP - [0:0]

580

:UDP - [0:0]

584

:SSH - [0:0]

581

:SSH - [0:0]

585

582

586

# Drop packets with RH0 headers

583

# Drop packets with RH0 headers

587

-A INPUT -m rt --rt-type 0 -j DROP

584

-A INPUT -m rt --rt-type 0 -j DROP

588

-A OUTPUT -m rt --rt-type 0 -j DROP

585

-A OUTPUT -m rt --rt-type 0 -j DROP

589

-A FORWARD -m rt --rt-type 0 -j DROP

586

-A FORWARD -m rt --rt-type 0 -j DROP

590

587

591

# Rate limit ping requests

588

# Rate limit ping requests

592

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

589

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

593

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

590

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

594

591

595

# Accept established connections

592

# Accept established connections

596

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

593

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

597

594

598

# Accept all traffic on loopback interface

595

# Accept all traffic on loopback interface

599

-A INPUT -i lo -j ACCEPT

596

-A INPUT -i lo -j ACCEPT

600

597

601

# Drop packets declared invalid

598

# Drop packets declared invalid

602

-A INPUT -m conntrack --ctstate INVALID -j DROP

599

-A INPUT -m conntrack --ctstate INVALID -j DROP

603

600

604

# SSH rate limiting

601

# SSH rate limiting

605

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

602

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

606

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

603

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

607

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

604

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

608

-A SSH -m recent --name sshbf --set -j ACCEPT

605

-A SSH -m recent --name sshbf --set -j ACCEPT

609

606

610

# Send TCP and UDP connections to their respective rules chain

607

# Send TCP and UDP connections to their respective rules chain

611

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

608

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

612

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

609

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

613

610

614

# Reject dropped packets with a RFC compliant responce

611

# Reject dropped packets with a RFC compliant responce

615

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

612

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

616

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

613

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

617

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

614

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

618

615

619

## TCP PORT RULES

616

## TCP PORT RULES

620

# -A TCP -p tcp -j LOG

617

# -A TCP -p tcp -j LOG

621

618

622

## UDP PORT RULES

619

## UDP PORT RULES

623

# -A UDP -p udp -j LOG

620

# -A UDP -p udp -j LOG

624

621

625

COMMIT

622

COMMIT

626

EOM

623

EOM

627

624

628

# Reload systemd configuration and enable iptables service

625

# Reload systemd configuration and enable iptables service

629

LANG=C chroot $R systemctl daemon-reload

626

LANG=C chroot $R systemctl daemon-reload

630

LANG=C chroot $R systemctl enable ip6tables.service

627

LANG=C chroot $R systemctl enable ip6tables.service

631

628

632

fi

629

fi

633

fi

630

fi

634

631

632

if [ "$ENABLE_UBOOT" = true ] ; then

633

# Fetch u-boot github

634

git -C $R/tmp clone git://git.denx.de/u-boot.git

635

636

# Install minimal gcc/g++ build enviroment and build u-boot inside chroot

637

LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

638

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

639

640

# Copy compiled bootloader binary and set config.txt to load it

641

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

642

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

643

644

# Set u-boot command file

645

cat <<EOM >$R/boot/firmware/uboot.mkimage

646

# Tell Linux that it is booting on a Raspberry Pi2

647

setenv machid 0x00000c42

648

649

# Set the kernel boot command line

650

setenv bootargs "earlyprintk ${CMDLINE}"

651

652

# Save these changes to u-boot's environment

653

saveenv

654

655

# Load the existing Linux kernel into RAM

656

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

657

658

# Boot the kernel we have just loaded

659

bootz \${kernel_addr_r}

660

EOM

661

662

# Generate u-boot image from command file

663

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

664

665

# Remove gcc/c++ build enviroment

666

LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

667

fi

668

669

# Clean cached downloads

670

LANG=C chroot $R apt-get -y clean

671

LANG=C chroot $R apt-get -y autoclean

672

LANG=C chroot $R apt-get -y autoremove

673

635

# Unmount mounted filesystems

674

# Unmount mounted filesystems

636

umount -l $R/proc

675

umount -l $R/proc

637

umount -l $R/sys

676

umount -l $R/sys

638

677

639

# Clean up files

678

# Clean up files

640

rm -f $R/etc/apt/sources.list.save

679

rm -f $R/etc/apt/sources.list.save

641

rm -f $R/etc/resolvconf/resolv.conf.d/original

680

rm -f $R/etc/resolvconf/resolv.conf.d/original

642

rm -rf $R/run

681

rm -rf $R/run

643

mkdir -p $R/run

682

mkdir -p $R/run

644

rm -f $R/etc/*-

683

rm -f $R/etc/*-

645

rm -f $R/root/.bash_history

684

rm -f $R/root/.bash_history

646

rm -rf $R/tmp/*

685

rm -rf $R/tmp/*

647

rm -f $R/var/lib/urandom/random-seed

686

rm -f $R/var/lib/urandom/random-seed

648

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

687

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

649

rm -f $R/etc/machine-id

688

rm -f $R/etc/machine-id

650

689

651

# Calculate size of the chroot directory

690

# Calculate size of the chroot directory

652

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

691

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

653

692

654

# Calculate required image size

693

# Calculate required image size

655

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

694

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

656

695

657

# Calculate number of sectors for the partition

696

# Calculate number of sectors for the partition

658

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

697

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

659

698

660

# Prepare date string for image file name

699

# Prepare date string for image file name

661

DATE="$(date +%Y-%m-%d)"

700

DATE="$(date +%Y-%m-%d)"

662

701

663

# Prepare image file

702

# Prepare image file

664

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

703

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

665

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

704

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

666

705

667

# Write partition table

706

# Write partition table

668

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

707

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

669

unit: sectors

708

unit: sectors

670

709

671

1 : start= 2048, size= 131072, Id= c, bootable

710

1 : start= 2048, size= 131072, Id= c, bootable

672

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

711

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

673

3 : start= 0, size= 0, Id= 0

712

3 : start= 0, size= 0, Id= 0

674

4 : start= 0, size= 0, Id= 0

713

4 : start= 0, size= 0, Id= 0

675

EOM

714

EOM

676

715

677

# Set up temporary loop devices and build filesystems

716

# Set up temporary loop devices and build filesystems

678

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

717

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

679

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

718

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

680

mkfs.vfat "$VFAT_LOOP"

719

mkfs.vfat "$VFAT_LOOP"

681

mkfs.ext4 "$EXT4_LOOP"

720

mkfs.ext4 "$EXT4_LOOP"

682

721

683

# Mount the temporary loop devices

722

# Mount the temporary loop devices

684

mkdir -p "$BUILDDIR/mount"

723

mkdir -p "$BUILDDIR/mount"

685

mount "$EXT4_LOOP" "$BUILDDIR/mount"

724

mount "$EXT4_LOOP" "$BUILDDIR/mount"

686

725

687

mkdir -p "$BUILDDIR/mount/boot/firmware"

726

mkdir -p "$BUILDDIR/mount/boot/firmware"

688

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

727

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

689

728

690

# Copy all files from the chroot to the loop device mount point directory

729

# Copy all files from the chroot to the loop device mount point directory

691

rsync -a "$R/" "$BUILDDIR/mount/"

730

rsync -a "$R/" "$BUILDDIR/mount/"

692

731

693

# Unmount all temporary loop devices and mount points

732

# Unmount all temporary loop devices and mount points

694

cleanup

733

cleanup

695

734

696

# (optinal) create block map file for "bmaptool"

735

# (optinal) create block map file for "bmaptool"

697

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

736

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

698

737

699

# Image was successfully created

738

# Image was successfully created

700

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

739

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #!/bin/sh
             ########################################################################
             # rpi2-gen-image.sh					   ver2a 12/2015
             #
             # Advanced debian "jessie" bootstrap script for RPi2
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # some parts based on rpi2-build-image:
             # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
             # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
             ########################################################################
             cleanup (){
               set +x
               set +e
               echo "removing temporary mount points ..."
               umount -l $R/proc 2> /dev/null
               umount -l $R/sys 2> /dev/null
               umount -l $R/dev/pts 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
               losetup -d "$EXT4_LOOP" 2> /dev/null
               losetup -d "$VFAT_LOOP" 2> /dev/null
               trap - 0 1 2 3 6
             }
             set -e
             set -x
             RELEASE=${RELEASE:=jessie}
             # Build settings
             BASEDIR=./images/${RELEASE}
             BUILDDIR=${BASEDIR}/build
             # General settings
             HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
             PASSWORD=${PASSWORD:=raspberry}
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
             # Feature settings
             ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
             ENABLE_IPV6=${ENABLE_IPV6:=true}
             ENABLE_SSHD=${ENABLE_SSHD:=true}
             ENABLE_SOUND=${ENABLE_SOUND:=true}
             ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
             ENABLE_DBUS=${ENABLE_DBUS:=true}
             ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
             ENABLE_MINGPU=${ENABLE_MINGPU:=false}
             ENABLE_XORG=${ENABLE_XORG:=false}
             ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
             # Advanced settings
+            ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             # Image chroot path
             R=${BUILDDIR}/chroot
             # Packages required for bootstrapping
-            REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois"
+            REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
             # Packages required in the chroot build enviroment
             APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
             set +x
             # Are we running as root?
             if [ "$(id -u)" -ne "0" ] ; then
               echo "this script must be executed with root privileges"
               exit 1
             fi
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ]; then
               echo "directory $BUILDDIR already exists, not proceeding"
               exit 1
             fi
             set -x
             # Call "cleanup" function on various signals and errors
             trap cleanup 0 1 2 3 6
             # Set up chroot directory
             mkdir -p $R
             # Install dependencies
             apt-get -q -y install ${REQUIRED_PACKAGES}
             # Use traditional SystemV init instead of systemd services
             if [ "$ENABLE_SYSTEMD" = false ] ; then
               APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
             fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},openssh-server"
             fi
             # Add rng-tools package
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},rng-tools"
             fi
             # Add xorg package
             if [ "$ENABLE_XORG" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},xorg"
             fi
             # Add fluxbox package with eterm
             if [ "$ENABLE_FLUXBOX" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
             fi
             if [ -z "$APT_PROXY" ] ; then
               APT_PROXY="http://"
             fi
             # Base debootstrap (unpack only)
             debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             cp /usr/bin/qemu-arm-static $R/usr/bin
             # Remove systemd releated packages from list of packages to be bootsrapped
             if [ "$ENABLE_SYSTEMD" = false ] ; then
               chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
             fi
             # Copy debian-archive-keyring.pgp
             chroot $R mkdir -p /usr/share/keyrings
             cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
             # Complete the bootstrapping proccess
             chroot $R /debootstrap/debootstrap --second-stage
             # Mount required filesystems
             mount -t proc none $R/proc
             mount -t sysfs none $R/sys
             mount --bind /dev/pts $R/dev/pts
             # Set up initial sources.list
             cat <<EOM >$R/etc/apt/sources.list
             deb http://${APT_SERVER}/debian ${RELEASE} main contrib
             #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
             deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             deb http://security.debian.org/ ${RELEASE}/updates main contrib
             #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
             deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
             EOM
             # Pin package flash-kernel to repositories.collabora.co.uk
             cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
             Package: flash-kernel
             Pin: origin repositories.collabora.co.uk
             Pin-Priority: 1000
             EOM
             # Set up timezone
             echo ${TIMEZONE} >$R/etc/timezone
             LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
             # Set up default locales to "en_US.UTF-8" default
             LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
             LANG=C chroot $R locale-gen ${DEFLOCAL}
             # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"
             LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5
             # Upgrade package index and update all installed packages and changed dependencies
             LANG=C chroot $R apt-get -q -y update
             LANG=C chroot $R apt-get -q -y -u dist-upgrade
             # Kernel installation
             # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
             LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2
             LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel
             VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
             [ -z "$VMLINUZ" ] && exit 1
             mkdir -p $R/boot/firmware
             # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
             wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
             wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
             wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
             wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
             wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
             wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
             wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
             cp $VMLINUZ $R/boot/firmware/kernel7.img
             # Set up hosts
             echo ${HOSTNAME} >$R/etc/hostname
             cat <<EOM >$R/etc/hosts
 .0.0.1       localhost
 .0.1.1       ${HOSTNAME}
             EOM
             if [ "$ENABLE_IPV6" = true ] ; then
             cat <<EOM >>$R/etc/hosts
             ::1             localhost ip6-localhost ip6-loopback
             ff02::1         ip6-allnodes
             ff02::2         ip6-allrouters
             EOM
             fi
             # Generate crypt(3) password string
             ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
             # Set up default user
             LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
             LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
             # Set up root password
             LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
-            # Clean cached downloads
-            LANG=C chroot $R apt-get -y clean
-            LANG=C chroot $R apt-get -y autoclean
-            LANG=C chroot $R apt-get -y autoremove
             # Set up interfaces
             cat <<EOM >$R/etc/network/interfaces
             # interfaces(5) file used by ifup(8) and ifdown(8)
             # Include files from /etc/network/interfaces.d:
             source-directory /etc/network/interfaces.d
             # The loopback network interface
             auto lo
             iface lo inet loopback
             # The primary network interface
             allow-hotplug eth0
             iface eth0 inet dhcp
             EOM
             # Set up firmware boot cmdline
             CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
             # Set up serial console support (if requested)
             if [ "$ENABLE_CONSOLE" = true ] ; then
               CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
             fi
             # Set up ipv6 support (if requested)
             if [ "$ENABLE_IPV6" = false ] ; then
               CMDLINE="${CMDLINE} ipv6.disable=1"
             fi
             echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
             # Set up firmware config
             cat <<EOM >$R/boot/firmware/config.txt
             # For more options and information see
             # http://www.raspberrypi.org/documentation/configuration/config-txt.md
             # Some settings may impact device functionality. See link above for details
             # uncomment if you get no picture on HDMI for a default "safe" mode
             #hdmi_safe=1
             # uncomment this if your display has a black border of unused pixels visible
             # and your display can output without overscan
             #disable_overscan=1
             # uncomment the following to adjust overscan. Use positive numbers if console
             # goes off screen, and negative if there is too much border
             #overscan_left=16
             #overscan_right=16
             #overscan_top=16
             #overscan_bottom=16
             # uncomment to force a console size. By default it will be display's size minus
             # overscan.
             #framebuffer_width=1280
             #framebuffer_height=720
             # uncomment if hdmi display is not detected and composite is being output
             #hdmi_force_hotplug=1
             # uncomment to force a specific HDMI mode (this will force VGA)
             #hdmi_group=1
             #hdmi_mode=1
             # uncomment to force a HDMI mode rather than DVI. This can make audio work in
             # DMT (computer monitor) modes
             #hdmi_drive=2
             # uncomment to increase signal to HDMI, if you have interference, blanking, or
             # no display
             #config_hdmi_boost=4
             # uncomment for composite PAL
             #sdtv_mode=2
             #uncomment to overclock the arm. 700 MHz is the default.
             #arm_freq=800
             EOM
             # Set smallest possible GPU memory allocation size: 16MB (no X)
             if [ "$ENABLE_MINGPU" = true ] ; then
               echo "gpu_mem=16" >>$R/boot/firmware/config.txt
             fi
             # Create symlinks
             ln -sf firmware/config.txt $R/boot/config.txt
             ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
             # Prepare modules-load.d directory
             mkdir -p $R/lib/modules-load.d/
             # Load random module on boot
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               cat <<EOM >$R/lib/modules-load.d/rpi2.conf
             bcm2708_rng
             EOM
             fi
             # Prepare modprobe.d directory
             mkdir -p $R/etc/modprobe.d/
             # Blacklist sound modules
             cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
             blacklist snd_soc_core
             blacklist snd_pcm
             blacklist snd_pcm_dmaengine
             blacklist snd_timer
             blacklist snd_compress
             blacklist snd_soc_pcm512x_i2c
             blacklist snd_soc_pcm512x
             blacklist snd_soc_tas5713
             blacklist snd_soc_wm8804
             EOM
             # Create default fstab
             cat <<EOM >$R/etc/fstab
             /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
             /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
             EOM
             # Avoid swapping and increase cache sizes
             cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Avoid swapping and increase cache sizes
             vm.swappiness=1
             vm.dirty_background_ratio=20
             vm.dirty_ratio=40
             vm.dirty_writeback_centisecs=500
             vm.dirty_expire_centisecs=6000
             EOM
             # Enable network stack hardening
             if [ "$ENABLE_HARDNET" = true ] ; then
               cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Enable network stack hardening
             net.ipv4.tcp_timestamps=0
             net.ipv4.tcp_syncookies=1
             net.ipv4.conf.all.rp_filter=1
             net.ipv4.conf.all.accept_redirects=0
             net.ipv4.conf.all.send_redirects=0
             net.ipv4.conf.all.accept_source_route=0
             net.ipv4.conf.default.rp_filter=1
             net.ipv4.conf.default.accept_redirects=0
             net.ipv4.conf.default.send_redirects=0
             net.ipv4.conf.default.accept_source_route=0
             net.ipv4.conf.lo.accept_redirects=0
             net.ipv4.conf.lo.send_redirects=0
             net.ipv4.conf.lo.accept_source_route=0
             net.ipv4.conf.eth0.accept_redirects=0
             net.ipv4.conf.eth0.send_redirects=0
             net.ipv4.conf.eth0.accept_source_route=0
             net.ipv4.icmp_echo_ignore_broadcasts=1
             net.ipv4.icmp_ignore_bogus_error_responses=1
             net.ipv6.conf.all.accept_redirects=0
             net.ipv6.conf.all.accept_source_route=0
             net.ipv6.conf.all.router_solicitations=0
             net.ipv6.conf.all.accept_ra_rtr_pref=0
             net.ipv6.conf.all.accept_ra_pinfo=0
             net.ipv6.conf.all.accept_ra_defrtr=0
             net.ipv6.conf.all.autoconf=0
             net.ipv6.conf.all.dad_transmits=0
             net.ipv6.conf.all.max_addresses=1
             net.ipv6.conf.default.accept_redirects=0
             net.ipv6.conf.default.accept_source_route=0
             net.ipv6.conf.default.router_solicitations=0
             net.ipv6.conf.default.accept_ra_rtr_pref=0
             net.ipv6.conf.default.accept_ra_pinfo=0
             net.ipv6.conf.default.accept_ra_defrtr=0
             net.ipv6.conf.default.autoconf=0
             net.ipv6.conf.default.dad_transmits=0
             net.ipv6.conf.default.max_addresses=1
             net.ipv6.conf.lo.accept_redirects=0
             net.ipv6.conf.lo.accept_source_route=0
             net.ipv6.conf.lo.router_solicitations=0
             net.ipv6.conf.lo.accept_ra_rtr_pref=0
             net.ipv6.conf.lo.accept_ra_pinfo=0
             net.ipv6.conf.lo.accept_ra_defrtr=0
             net.ipv6.conf.lo.autoconf=0
             net.ipv6.conf.lo.dad_transmits=0
             net.ipv6.conf.lo.max_addresses=1
             net.ipv6.conf.eth0.accept_redirects=0
             net.ipv6.conf.eth0.accept_source_route=0
             net.ipv6.conf.eth0.router_solicitations=0
             net.ipv6.conf.eth0.accept_ra_rtr_pref=0
             net.ipv6.conf.eth0.accept_ra_pinfo=0
             net.ipv6.conf.eth0.accept_ra_defrtr=0
             net.ipv6.conf.eth0.autoconf=0
             net.ipv6.conf.eth0.dad_transmits=0
             net.ipv6.conf.eth0.max_addresses=1
             EOM
             # Enable resolver warnings about spoofed addresses
               cat <<EOM >>$R/etc/host.conf
             spoof warn
             EOM
             fi
             # Regenerate openssh server host keys
             if [ "$ENABLE_SSHD" = true ] ; then
               rm -fr $R/etc/ssh/ssh_host_*
               LANG=C chroot $R dpkg-reconfigure openssh-server
             fi
             # Enable serial console systemd style
             if [ "$ENABLE_CONSOLE" = true ] ; then
               LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
             fi
             # Enable firewall based on iptables started by systemd service
             if [ "$ENABLE_IPTABLES" = true ] ; then
               # Create iptables configuration directory
               mkdir -p "$R/etc/iptables"
               # Create iptables systemd service
               cat <<EOM >$R/etc/systemd/system/iptables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecStop=/etc/iptables/flush-iptables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
               # Create flush-table script called by iptables service
               cat <<EOM >$R/etc/iptables/flush-iptables.sh
             #!/bin/sh
             iptables -F
             iptables -X
             iptables -t nat -F
             iptables -t nat -X
             iptables -t mangle -F
             iptables -t mangle -X
             iptables -P INPUT ACCEPT
             iptables -P FORWARD ACCEPT
             iptables -P OUTPUT ACCEPT
             EOM
               # Create iptables rule file
               cat <<EOM >$R/etc/iptables/iptables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Rate limit ping requests
             -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmp --icmp-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
             -A INPUT -p tcp -j REJECT --reject-with tcp-rst
             -A INPUT -j REJECT --reject-with icmp-proto-unreachable
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
                 # Create ip6tables systemd service
                 cat <<EOM >$R/etc/systemd/system/ip6tables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecStop=/etc/iptables/flush-ip6tables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
                 # Create ip6tables file
                 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
             #!/bin/sh
             ip6tables -F
             ip6tables -X
             ip6tables -Z
             for table in $(</proc/net/ip6_tables_names)
             do
                     ip6tables -t \$table -F
                     ip6tables -t \$table -X
                     ip6tables -t \$table -Z
             done
             ip6tables -P INPUT ACCEPT
             ip6tables -P OUTPUT ACCEPT
             ip6tables -P FORWARD ACCEPT
             EOM
                 # Create ip6tables rule file
                 cat <<EOM >$R/etc/iptables/ip6tables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Drop packets with RH0 headers
             -A INPUT -m rt --rt-type 0 -j DROP
             -A OUTPUT -m rt --rt-type 0 -j DROP
             -A FORWARD -m rt --rt-type 0 -j DROP
             # Rate limit ping requests
             -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable ip6tables.service
               fi
             fi
+            if [ "$ENABLE_UBOOT" = true ] ; then
+              # Fetch u-boot github
+              git -C $R/tmp clone git://git.denx.de/u-boot.git
+              # Install minimal gcc/g++ build enviroment and build u-boot inside chroot
+              LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
+              LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
+              # Copy compiled bootloader binary and set config.txt to load it
+              cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
+              printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
+              # Set u-boot command file
+              cat <<EOM >$R/boot/firmware/uboot.mkimage
+            # Tell Linux that it is booting on a Raspberry Pi2
+            setenv machid 0x00000c42
+            # Set the kernel boot command line
+            setenv bootargs "earlyprintk ${CMDLINE}"
+            # Save these changes to u-boot's environment
+            saveenv
+            # Load the existing Linux kernel into RAM
+            fatload mmc 0:1 \${kernel_addr_r} kernel7.img
+            # Boot the kernel we have just loaded
+            bootz \${kernel_addr_r}
+            EOM
+              # Generate u-boot image from command file
+              LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
+              # Remove gcc/c++ build enviroment
+              LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
+            fi
+            # Clean cached downloads
+            LANG=C chroot $R apt-get -y clean
+            LANG=C chroot $R apt-get -y autoclean
+            LANG=C chroot $R apt-get -y autoremove
             # Unmount mounted filesystems
             umount -l $R/proc
             umount -l $R/sys
             # Clean up files
             rm -f $R/etc/apt/sources.list.save
             rm -f $R/etc/resolvconf/resolv.conf.d/original
             rm -rf $R/run
             mkdir -p $R/run
             rm -f $R/etc/*-
             rm -f $R/root/.bash_history
             rm -rf $R/tmp/*
             rm -f $R/var/lib/urandom/random-seed
             [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
             rm -f $R/etc/machine-id
             # Calculate size of the chroot directory
             CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
             # Calculate required image size
             IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
             # Calculate number of sectors for the partition
             IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
             # Prepare date string for image file name
             DATE="$(date +%Y-%m-%d)"
             # Prepare image file
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
             # Write partition table
             sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
             unit: sectors
 : start=     2048, size=   131072, Id= c, bootable
 : start=   133120, size=  ${IMAGE_SECTORS}, Id=83
 : start=        0, size=        0, Id= 0
 : start=        0, size=        0, Id= 0
             EOM
             # Set up temporary loop devices and build filesystems
             VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             mkfs.vfat "$VFAT_LOOP"
             mkfs.ext4 "$EXT4_LOOP"
             # Mount the temporary loop devices
             mkdir -p "$BUILDDIR/mount"
             mount "$EXT4_LOOP" "$BUILDDIR/mount"
             mkdir -p "$BUILDDIR/mount/boot/firmware"
             mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
             # Copy all files from the chroot to the loop device mount point directory
             rsync -a "$R/" "$BUILDDIR/mount/"
             # Unmount all temporary loop devices and mount points
             cleanup
             # (optinal) create block map file for "bmaptool"
             bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
             # Image was successfully created
             echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"