@@ -0,0 +1,45 | |||
|
1 | #!/bin/sh | |
|
2 | ||
|
3 | PREREQ="dropbear" | |
|
4 | ||
|
5 | prereqs() { | |
|
6 | echo "$PREREQ" | |
|
7 | } | |
|
8 | ||
|
9 | case "$1" in | |
|
10 | prereqs) | |
|
11 | prereqs | |
|
12 | exit 0 | |
|
13 | ;; | |
|
14 | esac | |
|
15 | ||
|
16 | . "${CONFDIR}/initramfs.conf" | |
|
17 | . /usr/share/initramfs-tools/hook-functions | |
|
18 | ||
|
19 | if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then | |
|
20 | cat > "${DESTDIR}/bin/unlock" << EOF | |
|
21 | #!/bin/sh | |
|
22 | if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then | |
|
23 | kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` | |
|
24 | # following line kill the remote shell right after the passphrase has | |
|
25 | # been entered. | |
|
26 | kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` | |
|
27 | exit 0 | |
|
28 | fi | |
|
29 | exit 1 | |
|
30 | EOF | |
|
31 | ||
|
32 | chmod 755 "${DESTDIR}/bin/unlock" | |
|
33 | ||
|
34 | mkdir -p "${DESTDIR}/lib/unlock" | |
|
35 | cat > "${DESTDIR}/lib/unlock/plymouth" << EOF | |
|
36 | #!/bin/sh | |
|
37 | [ "\$1" == "--ping" ] && exit 1 | |
|
38 | /bin/plymouth "\$@" | |
|
39 | EOF | |
|
40 | ||
|
41 | chmod 755 "${DESTDIR}/lib/unlock/plymouth" | |
|
42 | ||
|
43 | echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd | |
|
44 | ||
|
45 | fi No newline at end of file |
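Review bot: The motd append on new line 43 leaves `${DESTDIR}` unquoted while every other path in the hook is quoted, and `echo` with a half-quoted message is fragile; write it as `printf '%s\n' 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"`. In the generated unlock script (new lines 23–26) the `ps | grep | awk` chains kill by pattern, and `kill -9` of everything matching `-sh` terminates every login shell on the box, not only the session that entered the passphrase, while SIGKILL gives cryptroot no chance to finish; something scoped to the intended processes, such as `pkill -f cryptroot` and a signal to the launching shell (presumably `$PPID`), would be far less blunt. The plymouth shim on new line 37 uses `==` under `#!/bin/sh`; busybox's `[` accepts it but dash's does not, so `=` is the safe spelling. The file also ends without a trailing newline.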
@@ -418,6 +418,12 Set cipher specification string. `aes-xts*` ciphers are strongly recommended. | |||
|
418 | 418 | ##### `CRYPTFS_XTSKEYSIZE`=512 |
|
419 | 419 | Sets key size in bits. The argument has to be a multiple of 8. |
|
420 | 420 | |
|
421 | ##### `CRYPTFS_DROPBEAR`=false | |
|
422 | Enable Dropbear Initramfs support | |
|
423 | ||
|
424 | ##### `CRYPTFS_DROPBEAR_PUBKEY`="" | |
|
425 | Provide path to dropbear Public RSA-OpenSSH Key | |
|
426 | ||
|
421 | 427 | --- |
|
422 | 428 | |
|
423 | 429 | #### Build settings: |
@@ -43,8 +43,43 if [ "$ENABLE_INITRAMFS" = true ] ; then | |||
|
43 | 43 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" |
|
44 | 44 | fi |
|
45 | 45 | |
|
46 | if [ "$CRYPTFS_DROPBEAR" = true ]; then | |
|
47 | if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then | |
|
48 | install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
49 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
50 | else | |
|
51 | # Create key | |
|
52 | chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear | |
|
53 | ||
|
54 | # Convert dropbear key to openssh key | |
|
55 | chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa | |
|
56 | ||
|
57 | # Get Public Key Part | |
|
58 | chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub | |
|
59 | ||
|
60 | # Delete unwanted lines | |
|
61 | sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
62 | sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
63 | ||
|
64 | # Trust the new key | |
|
65 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
66 | ||
|
67 | # Save Keys - convert with putty from rsa/openssh to puttkey | |
|
68 | cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa | |
|
69 | ||
|
70 | # Get unlock script | |
|
71 | install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh | |
|
72 | ||
|
73 | # Enable Dropbear inside initramfs | |
|
74 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" | |
|
75 | ||
|
76 | # Enable Dropbear inside initramfs | |
|
77 | sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear | |
|
78 | fi | |
|
79 | else | |
|
46 | 80 |
|
|
47 | 81 |
|
|
82 | fi | |
|
48 | 83 | |
|
49 | 84 | # Add cryptsetup modules to initramfs |
|
50 | 85 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
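Review bot: The unlock hook, the `DROPBEAR=y` line and the `sleep 5` insertion (new lines 70–77) sit inside the `else` branch of the `CRYPTFS_DROPBEAR_PUBKEY` test, so a build that supplies its own public key never installs crypt_unlock.sh nor enables dropbear in the initramfs; those lines belong after the inner `fi` (new line 78) so both branches reach them. In the generated-key branch the private key (`id_rsa`, `id_rsa.dropbear`) is copied out to `${BASEDIR}` on new line 68 but also left in the image under `/etc/dropbear-initramfs`, next to the `authorized_keys` that trusts it; nothing on the page reads it after the copy, so removing it from the image with `rm -f` keeps the only copy of the credential outside the artifact (whether the dropbear-initramfs hook would otherwise pack it into the unencrypted initramfs cannot be confirmed from here). `sed -i "54 i sleep 5"` on new line 77 patches a package-owned script at a hard-coded line number, which silently lands in the wrong place after any package update; anchoring on a pattern, or at least a comment naming the version this was written against, would make the intent survivable. The duplicated comment on new lines 73 and 76 should describe the sleep instead (e.g. `# Give the network time to come up before dropbear starts`, if that is the intent).
```shell
  else
    # … unchanged: dropbearkey / dropbearconvert / id_rsa.pub cleanup …

    # Trust the new key
    cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys

    # Save the private key outside the image, then remove it from the image
    cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
    rm -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${ETC_DIR}"/dropbear-initramfs/id_rsa.dropbear
  fi

  # Common to both branches: unlock script, DROPBEAR=y and the premount delay
  install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
  printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
  sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
else
```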
@@ -86,9 +86,6 fi | |||
|
86 | 86 | |
|
87 | 87 | if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then |
|
88 | 88 | |
|
89 | # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface | |
|
90 | SET_SERIAL="ttyS0" | |
|
91 | ||
|
92 | 89 | # Bluetooth enabled |
|
93 | 90 | if [ "$ENABLE_BLUETOOTH" = true ] ; then |
|
94 | 91 | # Create temporary directory for Bluetooth sources |
@@ -111,6 +108,10 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||
|
111 | 108 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" |
|
112 | 109 | install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" |
|
113 | 110 | |
|
111 | # make scripts executable | |
|
112 | chmod +x "${R}/usr/bin/bthelper" | |
|
113 | chmod +x "${R}/usr/bin/btuart" | |
|
114 | ||
|
114 | 115 | # Install bluetooth udev rule |
|
115 | 116 | install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" |
|
116 | 117 | |
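Review bot: New lines 111–113 install btuart and bthelper with `install_readonly` and then `chmod +x` them, while the same script already uses `install_exec` for exactly this case (the expand-tools line in the other hunk); `install_exec "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"` and the same for bthelper replace the two chmod lines and keep the install helpers consistent. If `install_readonly` is kept on purpose, the comment on new line 111 should say why the execute bit has to be restored afterwards rather than just that it is.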
@@ -121,12 +122,12 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||
|
121 | 122 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service" |
|
122 | 123 | install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service" |
|
123 | 124 | |
|
124 |
# Remove temporary director |
|
|
125 | # Remove temporary directories | |
|
125 | 126 | rm -fr "${temp_dir}" |
|
127 | rm -fr "${R}"/tmp/pi-bluetooth | |
|
126 | 128 | |
|
127 | 129 | # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 |
|
128 | 130 | if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then |
|
129 | SET_SERIAL="ttyAMA0" | |
|
130 | 131 | |
|
131 | 132 | # set overlay to swap ttyAMA0 and ttyS0 |
|
132 | 133 | echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" |
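Review bot: `rm -fr "${R}"/tmp/pi-bluetooth` on new line 127 recurses from the chroot root with no guard on `${R}`; with `R` unset or empty it becomes `rm -fr /tmp/pi-bluetooth` on the build host, and the same applies to the new `rm -fr "${R}"/tmp/userland/` in the videocore hunk. Write both as `rm -fr "${R:?}"/tmp/pi-bluetooth` so an empty variable aborts the script instead of deleting outside the chroot. Whether the script runs under `set -u` is not visible here; the `:?` form does not depend on it.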
@@ -135,23 +136,15 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then | |||
|
135 | 136 | if [ "$ENABLE_TURBO" = false ] ; then |
|
136 | 137 | echo "core_freq=250" >> "${BOOT_DIR}/config.txt" |
|
137 | 138 | fi |
|
139 | fi | |
|
138 | 140 | |
|
139 | 141 |
|
|
140 | 142 |
|
|
141 | #chroot_exec systemctl enable pi-bluetooth.bthelper@.service | |
|
142 | else | |
|
143 | chroot_exec systemctl enable pi-bluetooth.hciuart.service | |
|
144 | #chroot_exec systemctl enable pi-bluetooth.bthelper@.service | |
|
145 | fi | |
|
146 | 143 | |
|
147 | 144 | else # if ENABLE_BLUETOOTH = false |
|
148 | 145 | # set overlay to disable bluetooth |
|
149 | 146 | echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" |
|
150 | 147 | fi # ENABLE_BLUETOOTH end |
|
151 | ||
|
152 | else | |
|
153 | # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface | |
|
154 | SET_SERIAL="ttyAMA0" | |
|
155 | 148 | fi |
|
156 | 149 | |
|
157 | 150 | # may need sudo systemctl disable hciuart |
@@ -161,9 +154,10 if [ "$ENABLE_CONSOLE" = true ] ; then | |||
|
161 | 154 | CMDLINE="${CMDLINE} console=serial0,115200" |
|
162 | 155 | |
|
163 | 156 | # Enable serial console systemd style |
|
164 |
chroot_exec systemctl enable serial-getty\@ |
|
|
157 | chroot_exec systemctl enable serial-getty\@serial0.service | |
|
165 | 158 | else |
|
166 | 159 | echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" |
|
160 | ||
|
167 | 161 | # disable serial console systemd style |
|
168 | 162 | chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service |
|
169 | 163 | fi |
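Review bot: The enable line on new line 157 is switched to `serial-getty@serial0.service`, but the disable line on new line 162 still expands `$SET_SERIAL`, whose three assignments (`ttyS0`/`ttyAMA0`) are removed elsewhere in this commit; with the variable now never set, the disable path runs `systemctl disable serial-getty@.service` and leaves the real instance enabled. Change it to `chroot_exec systemctl disable serial-getty\@serial0.service` to mirror the enable side. Whether any other definition of `SET_SERIAL` survives outside these hunks cannot be confirmed from here.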
@@ -204,6 +198,7 else | |||
|
204 | 198 | CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" |
|
205 | 199 | fi |
|
206 | 200 | fi |
|
201 | ||
|
207 | 202 |
|
|
208 | 203 |
|
|
209 | 204 |
|
@@ -57,6 +57,20 else # ENABLE_DHCP=false | |||
|
57 | 57 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ |
|
58 | 58 | -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ |
|
59 | 59 | "${ETC_DIR}/systemd/network/eth.network" |
|
60 | ||
|
61 | if [ "$CRYPTFS_DROPBEAR" = true ] ; then | |
|
62 | # Get cdir from NET_ADDRESS e.g. 24 | |
|
63 | cdir=$(${NET_ADDRESS} | cut -d '/' -f2) | |
|
64 | ||
|
65 | # Convert cdir ro netmask e.g. 24 to 255.255.255.0 | |
|
66 | NET_MASK=$(cdr2mask "$cdir") | |
|
67 | ||
|
68 | # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
69 | sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf | |
|
70 | ||
|
71 | # Regenerate initramfs | |
|
72 | chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" | |
|
73 | fi | |
|
60 | 74 | fi |
|
61 | 75 | |
|
62 | 76 | # Remove empty settings from network configuration |
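Review bot: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` on new line 63 executes the value of `NET_ADDRESS` as a command instead of printing it, so the pipeline never receives the address and `cdir` ends up empty (plus a "command not found" on stderr); the intended prefix length is simply `cdir=${NET_ADDRESS##*/}`. Since the comment implies `NET_ADDRESS` carries the `/24` suffix, the `IP=` line on new line 69 also puts `address/prefix` into the client-ip field of the kernel `ip=` string, where only the bare address is expected; use `${NET_ADDRESS%/*}` there. An empty `cdir` currently reaches `cdr2mask` unchecked, so a guard such as `[ -n "$cdir" ] || { echo "error: NET_ADDRESS needs a /prefix suffix" >&2; exit 1; }` would fail the build loudly. The comment on new line 65 has a typo ("ro" for "to").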
@@ -32,6 +32,7 if [ "$ENABLE_IPTABLES" = true ] ; then | |||
|
32 | 32 | #iptables-save and -restore are slaves of iptables and thus are set accordingly |
|
33 | 33 | chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy |
|
34 | 34 | fi |
|
35 | ||
|
35 | 36 | # Install ip6tables systemd service |
|
36 | 37 | install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" |
|
37 | 38 |
@@ -22,8 +22,3 else | |||
|
22 | 22 | # Set no root password to disable root login |
|
23 | 23 | chroot_exec usermod -p \'!\' root |
|
24 | 24 | fi |
|
25 | ||
|
26 | # Enable serial console systemd style | |
|
27 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
|
28 | chroot_exec systemctl enable serial-getty\@ttyAMA0.service | |
|
29 | fi |
@@ -50,4 +50,7 if [ "$ENABLE_VIDEOCORE" = true ] ; then | |||
|
50 | 50 | |
|
51 | 51 | #back to root of scriptdir |
|
52 | 52 | cd "${WORKDIR}" |
|
53 | ||
|
54 | # Remove videocore sources | |
|
55 | rm -fr "${R}"/tmp/userland/ | |
|
53 | 56 | fi |
@@ -8,6 +8,7 INITRAMFS_UBOOT="${INITRAMFS}.uboot" | |||
|
8 | 8 | # Extract kernel arch |
|
9 | 9 | case "${KERNEL_ARCH}" in |
|
10 | 10 | arm*) KERNEL_ARCH=arm ;; |
|
11 | aarch64) KERNEL_ARCH=arm64 ;; | |
|
11 | 12 | esac |
|
12 | 13 | |
|
13 | 14 | # Regenerate initramfs |
@@ -74,18 +74,28 chroot_install_cc() { | |||
|
74 | 74 | # Install c/c++ build environment inside the chroot |
|
75 | 75 | if [ -z "${COMPILER_PACKAGES}" ] ; then |
|
76 | 76 | COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') |
|
77 | # Install COMPILER_PACKAGES in chroot | |
|
78 |
chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install |
|
|
77 | # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot | |
|
78 | chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES} | |
|
79 | 79 | fi |
|
80 | 80 | } |
|
81 | 81 | |
|
82 | 82 | chroot_remove_cc() { |
|
83 | 83 | # Remove c/c++ build environment from the chroot |
|
84 | 84 | if [ -n "${COMPILER_PACKAGES}" ] ; then |
|
85 |
chroot_exec apt-get -qq -y --auto-remove purge |
|
|
85 | chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} | |
|
86 | 86 | COMPILER_PACKAGES="" |
|
87 | 87 | fi |
|
88 | 88 | } |
|
89 | ||
|
90 | # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0 | |
|
91 | cdr2mask () | |
|
92 | { | |
|
93 | # Number of args to shift, 255..255, first non-255 byte, zeroes | |
|
94 | set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 | |
|
95 | [ $1 -gt 1 ] && shift $1 || shift | |
|
96 | echo ${1-0}.${2-0}.${3-0}.${4-0} | |
|
97 | } | |
|
98 | ||
|
89 | 99 | # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh |
|
90 | 100 | set_kernel_config() { |
|
91 | 101 | # flag as $1, value to set as $2, config must exist at "./.config" |
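Review bot: `cdr2mask` (new lines 91–97) does no validation of `$1`: a non-numeric or out-of-range prefix makes the `$(( ))` expressions fail or yield a nonsense mask, and its caller in the network hunk feeds it the output of a `cut`; a leading `case "$1" in ''|*[!0-9]*) return 1 ;; esac` plus a `[ "$1" -le 32 ] || return 1` check would reject bad input before the arithmetic. Its `name ()` / brace-on-next-line layout also differs from the `name() {` form used by `chroot_install_cc`, `chroot_remove_cc` and `set_kernel_config` in the same file. On new lines 77–78 and 85 the unquoted `${COMPILER_PACKAGES}` is intentional word-splitting of a space-separated package list; say so where the reader will look, e.g. `# shellcheck disable=SC2086 -- COMPILER_PACKAGES is a space-separated list; quoting would pass it as one package name`, instead of the "NEVER do ... breaks uboot" wording, which does not explain why. The `echo ${1-0}.${2-0}.${3-0}.${4-0}` on new line 96 likewise relies on unquoted expansion; `printf '%s.%s.%s.%s\n' "${1-0}" "${2-0}" "${3-0}" "${4-0}"` is equivalent and quote-safe.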
@@ -97,6 +107,7 set_kernel_config() { | |||
|
97 | 107 | echo "${TGT}"="${2}" >> .config |
|
98 | 108 | fi |
|
99 | 109 | } |
|
110 | ||
|
100 | 111 | # unset kernel config parameter |
|
101 | 112 | unset_kernel_config() { |
|
102 | 113 | # unsets flag with the value of $1, config must exist at "./.config" |
@@ -209,6 +209,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |||
|
209 | 209 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} |
|
210 | 210 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} |
|
211 | 211 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} |
|
212 | #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup | |
|
213 | CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} | |
|
214 | #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated | |
|
215 | CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} | |
|
212 | 216 | |
|
213 | 217 | # Chroot scripts directory |
|
214 | 218 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
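Review bot: The comment on new line 214 should state that `CRYPTFS_DROPBEAR_PUBKEY` must name an existing file: the build script only tests `-n` and `-f` and otherwise falls silently into key generation, so a mistyped path produces an image that trusts a freshly generated key rather than the one the user meant to authorize. Suggested wording: `# Path to an existing OpenSSH public key file to authorize for the initramfs SSH unlock; if unset or missing, a key pair is generated and its private half is written to the build directory`. The comment on new line 212 could likewise mention that, as far as the visible conditions show, the option only takes effect together with `ENABLE_CRYPTFS` and `ENABLE_INITRAMFS`, since the dropbear-initramfs package is only pulled in under that condition.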
@@ -227,11 +231,9 MISSING_PACKAGES="" | |||
|
227 | 231 | # Packages installed for c/c++ build environment in chroot (keep empty) |
|
228 | 232 | COMPILER_PACKAGES="" |
|
229 | 233 | |
|
230 | set +x | |
|
231 | ||
|
232 | 234 | #Check if apt-cacher-ng has port 3142 open and set APT_PROXY |
|
233 |
APT_CACHER_RUNNING=$(lsof -i :3142 | |
|
|
234 |
if [ |
|
|
235 | APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d') | |
|
236 | if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then | |
|
235 | 237 | APT_PROXY=http://127.0.0.1:3142/ |
|
236 | 238 | fi |
|
237 | 239 | |
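Review bot: The `cut -d ' ' -f3` on new line 235 takes the third single-space-separated field of `lsof` output, but lsof pads its columns with runs of spaces, so field 3 is usually empty or a fragment rather than the USER column, and the header line is included as well; `lsof -i :3142 2>/dev/null | awk 'NR > 1 { print $3 }' | sort -u` yields the user names reliably. If more than one distinct user holds the port, `uniq` leaves several lines and the `=` comparison on new line 236 fails, so testing membership with `grep -qx apt-cacher-ng` in an `if` is more robust than string equality. Without the `2>/dev/null`, a build host that lacks `lsof` now prints a "command not found" instead of quietly skipping the proxy.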
@@ -393,6 +395,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||
|
393 | 395 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" |
|
394 | 396 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" |
|
395 | 397 | |
|
398 | # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package | |
|
399 | if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then | |
|
400 | APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" | |
|
401 | fi | |
|
402 | ||
|
396 | 403 | if [ -z "$CRYPTFS_PASSWORD" ] ; then |
|
397 | 404 | echo "error: no password defined (CRYPTFS_PASSWORD)!" |
|
398 | 405 | exit 1 |
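Review bot: This guard (new line 399) adds `dropbear-initramfs` only when `ENABLE_INITRAMFS` is also true, but the key-generation block in the bootstrap hunk runs `dropbearkey` and `dropbearconvert` inside the chroot on `CRYPTFS_DROPBEAR = true` alone, so a configuration with `CRYPTFS_DROPBEAR=true` and `ENABLE_INITRAMFS=false` passes this check and later fails on a missing binary. Either fail early here, e.g. `if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" != true ] ; then echo "error: CRYPTFS_DROPBEAR requires ENABLE_INITRAMFS=true" ; exit 1 ; fi`, or add the same `ENABLE_INITRAMFS` test to the build-side condition.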