Merge pull request #169 from burnbabyburn/dropbear...
drtyhlpr -
r531:f2b59207efa6 Fusion
@@ -0,0 +1,45
1 #!/bin/sh
2
3 PREREQ="dropbear"
4
5 prereqs() {
6 echo "$PREREQ"
7 }
8
9 case "$1" in
10 prereqs)
11 prereqs
12 exit 0
13 ;;
14 esac
15
16 . "${CONFDIR}/initramfs.conf"
17 . /usr/share/initramfs-tools/hook-functions
18
19 if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
20 cat > "${DESTDIR}/bin/unlock" << EOF
21 #!/bin/sh
22 if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
23 kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
24 # following line kill the remote shell right after the passphrase has
25 # been entered.
26 kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
27 exit 0
28 fi
29 exit 1
30 EOF
31
32 chmod 755 "${DESTDIR}/bin/unlock"
33
34 mkdir -p "${DESTDIR}/lib/unlock"
35 cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
36 #!/bin/sh
37 [ "\$1" == "--ping" ] && exit 1
38 /bin/plymouth "\$@"
39 EOF
40
41 chmod 755 "${DESTDIR}/lib/unlock/plymouth"
42
43 echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
44
45 fi No newline at end of file
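Review bot: the generated `plymouth` wrapper (line 37 of the new hook) tests `[ "\$1" == "--ping" ]`, but `==` is not a POSIX `test` operator and the file is declared `#!/bin/sh`; use `=` so the check also works if the initramfs shell is dash rather than busybox ash. Two smaller points in the same hunk: the motd line (line 43) leaves `${DESTDIR}` unquoted, unlike every other use of it in this file, so quote it as `>> "${DESTDIR}/etc/motd"`; and the `kill` on line 23 matches any process whose `ps` line contains `cryptroot`, so a tighter pattern (or `pgrep -f` if available in the initramfs) would avoid signalling an unrelated process. The hook also needs a trailing newline after the closing `fi`.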
@@ -1,526 +1,532
1 1 # rpi23-gen-image
2 2 ## Introduction
3 3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for all Raspberry Pi computers. The script at this time supports the bootstrapping of the Debian (armhf/armel) releases `stretch` and `buster`. Raspberry Pi 0/1/2/3 images are generated for 32-bit mode only. Raspberry Pi 3 supports 64-bit images that can be generated using custom configuration parameters (```templates/rpi3-stretch-arm64-4.14.y```).
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo```
9 9
10 10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the Raspberry 3 this is mandatory. Kernel compilation and linking will be performed on the build system using an ARM (armhf/armel) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` and `crossbuild-essential-armel` toolchain meta packages on Debian Linux `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
14 14 ## Command-line parameters
15 15 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi23-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi23-gen-image.sh` script.
16 16
17 17 ##### Command-line examples:
18 18 ```shell
19 19 ENABLE_UBOOT=true ./rpi23-gen-image.sh
20 20 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
21 21 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
22 22 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
23 23 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
24 24 ENABLE_MINBASE=true ./rpi23-gen-image.sh
25 25 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
26 26 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
27 27 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
28 28 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
29 29 RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
30 30 RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
31 31 RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
32 32 ```
33 33
34 34 ## Configuration template files
35 35 To avoid long lists of command-line parameters and to help to store the favourite parameter configurations the `rpi23-gen-image.sh` script supports so called configuration template files (`CONFIG_TEMPLATE`=template). These are simple text files located in the `./templates` directory that contain the list of configuration parameters that will be used. New configuration template files can be added to the `./templates` directory.
36 36
37 37 ##### Command-line examples:
38 38 ```shell
39 39 CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
40 40 CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
41 41 ```
42 42
43 43 ## Supported parameters and settings
44 44 #### APT settings:
45 45 ##### `APT_SERVER`="ftp.debian.org"
46 46 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
47 47
48 48 ##### `APT_PROXY`=""
49 49 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. If `apt-cacher-ng` is running on default `http://127.0.0.1:3142` it is autodetected and you don't need to set this.
50 50
51 51 ##### `APT_INCLUDES`=""
52 52 A comma-separated list of additional packages to be installed by debootstrap during bootstrapping.
53 53
54 54 ##### `APT_INCLUDES_LATE`=""
55 55 A comma-separated list of additional packages to be installed by apt after bootstrapping and after APT sources are set up. This is useful for packages with pre-depends, which debootstrap do not handle well.
56 56
57 57 ---
58 58
59 59 #### General system settings:
60 60 ##### `SET_ARCH`=32
61 61 Set Architecture to default 32bit. If you want to compile 64-bit (RPI3 or RPI3+) set it to `64`. This option will set every needed cross-compiler or board specific option for a successful build.
62 62
63 63 ##### `RPI_MODEL`=2
64 64 Specify the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
65 65 - `0` = Raspberry Pi 0 and Raspberry Pi 0 W
66 66 - `1` = Raspberry Pi 1 model A and B
67 67 - `1P` = Raspberry Pi 1 model B+ and A+
68 68 - `2` = Raspberry Pi 2 model B
69 69 - `3` = Raspberry Pi 3 model B
70 70 - `3P` = Raspberry Pi 3 model B+
71 71
72 72 ##### `RELEASE`="buster"
73 73 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
74 74
75 75 ##### `RELEASE_ARCH`="armhf"
76 76 Set the desired Debian release architecture.
77 77
78 78 ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
79 79 Set system hostname. It's recommended that the hostname is unique in the corresponding subnet.
80 80
81 81 ##### `PASSWORD`="raspberry"
82 82 Set system `root` password. It's **STRONGLY** recommended that you choose a custom password.
83 83
84 84 ##### `USER_PASSWORD`="raspberry"
85 85 Set password for the created non-root user `USER_NAME`=pi. Ignored if `ENABLE_USER`=false. It's **STRONGLY** recommended that you choose a custom password.
86 86
87 87 ##### `DEFLOCAL`="en_US.UTF-8"
88 88 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. Please note that on using this parameter the script will automatically install the required packages `locales`, `keyboard-configuration` and `console-setup`.
89 89
90 90 ##### `TIMEZONE`="Europe/Berlin"
91 91 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
92 92
93 93 ##### `EXPANDROOT`=true
94 94 Expand the root partition and filesystem automatically on first boot.
95 95
96 96 ##### `ENABLE_QEMU`=false
97 97 Generate kernel (`vexpress_defconfig`), file system image (`qcow2`) and DTB files that can be used for QEMU full system emulation (`vexpress-A15`). The output files are stored in the `$(pwd)/images/qemu` directory. You can find more information about running the generated image in the QEMU section of this readme file.
98 98
99 99 ---
100 100
101 101 #### Keyboard settings:
102 102 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
103 103
104 104 ##### `XKB_MODEL`=""
105 105 Set the name of the model of your keyboard type.
106 106
107 107 ##### `XKB_LAYOUT`=""
108 108 Set the supported keyboard layout(s).
109 109
110 110 ##### `XKB_VARIANT`=""
111 111 Set the supported variant(s) of the keyboard layout(s).
112 112
113 113 ##### `XKB_OPTIONS`=""
114 114 Set extra xkb configuration options.
115 115
116 116 ---
117 117
118 118 #### Networking settings (DHCP):
119 119 This parameter is used to set up networking auto-configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
120 120
121 121 ##### `ENABLE_DHCP`=true
122 122 Set the system to use DHCP. This requires an DHCP server.
123 123
124 124 ---
125 125
126 126 #### Networking settings (static):
127 127 These parameters are used to set up a static networking configuration in `/etc/systemd/network/eth.network`. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.
128 128
129 129 ##### `NET_ADDRESS`=""
130 130 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
131 131
132 132 ##### `NET_GATEWAY`=""
133 133 Set the IP address for the default gateway.
134 134
135 135 ##### `NET_DNS_1`=""
136 136 Set the IP address for the first DNS server.
137 137
138 138 ##### `NET_DNS_2`=""
139 139 Set the IP address for the second DNS server.
140 140
141 141 ##### `NET_DNS_DOMAINS`=""
142 142 Set the default DNS search domains to use for non fully qualified hostnames.
143 143
144 144 ##### `NET_NTP_1`=""
145 145 Set the IP address for the first NTP server.
146 146
147 147 ##### `NET_NTP_2`=""
148 148 Set the IP address for the second NTP server.
149 149
150 150 ---
151 151
152 152 #### Basic system features:
153 153 ##### `ENABLE_CONSOLE`=true
154 154 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. On RPI `0` `3` `3P` the CPU speed is locked at lowest speed.
155 155
156 156 ##### `ENABLE_PRINTK`=false
157 157 Enables printing kernel messages to konsole. printk is `3 4 1 3` as in raspbian.
158 158
159 159 ##### `ENABLE_BLUETOOTH`=false
160 160 Enable onboard Bluetooth interface on the RPi0/3/3P. See: [Configuring the GPIO serial port on Raspbian jessie and stretch](https://spellfoundry.com/2016/05/29/configuring-gpio-serial-port-raspbian-jessie-including-pi-3/).
161 161
162 162 ##### `ENABLE_MINIUART_OVERLAY`=false
163 163 Enable Bluetooth to use this. Adds overlay to swap UART0 with UART1. Enabling (slower) Bluetooth and full speed serial console. - RPI `0` `3` `3P` have a fast `hardware UART0` (ttyAMA0) and a `mini UART1` (ttyS0)! RPI `1` `1P` `2` only have a `hardware UART0`. `UART0` is considered better, because is faster and more stable than `mini UART1`. By default the Bluetooth modem is mapped to the `hardware UART0` and `mini UART` is used for console. The `mini UART` is a problem for the serial console, because its baudrate depends on the CPU frequency, which is changing on runtime. Resulting in a volatile baudrate and thus in an unusable serial console.
164 164
165 165 ##### `ENABLE_TURBO`=false
166 166 Enable Turbo mode. This setting locks cpu at the highest frequency. As setting ENABLE_CONSOLE=true locks RPI to lowest CPU speed, this is can be used additionally to lock cpu hat max speed. Need a good power supply and probably cooling for the Raspberry PI.
167 167
168 168 ##### `ENABLE_I2C`=false
169 169 Enable I2C interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
170 170
171 171 ##### `ENABLE_SPI`=false
172 172 Enable SPI interface on the RPi 0/1/2/3. Please check the [RPi 0/1/2/3 pinout diagrams](https://elinux.org/RPi_Low-level_peripherals) to connect the right GPIO pins.
173 173
174 174 ##### `ENABLE_IPV6`=true
175 175 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
176 176
177 177 ##### `ENABLE_SSHD`=true
178 178 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
179 179
180 180 ##### `ENABLE_NONFREE`=false
181 181 Allow the installation of non-free Debian packages that do not comply with the DFSG. This is required to install closed-source firmware binary blobs.
182 182
183 183 ##### `ENABLE_WIRELESS`=false
184 184 Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
185 185
186 186 ##### `ENABLE_RSYSLOG`=true
187 187 If set to false, disable and uninstall rsyslog (so logs will be available only in journal files)
188 188
189 189 ##### `ENABLE_SOUND`=true
190 190 Enable sound hardware and install Advanced Linux Sound Architecture.
191 191
192 192 ##### `ENABLE_HWRANDOM`=true
193 193 Enable Hardware Random Number Generator. Strong random numbers are important for most network-based communications that use encryption. It's recommended to be enabled.
194 194
195 195 ##### `ENABLE_MINGPU`=false
196 196 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
197 197
198 198 ##### `ENABLE_DBUS`=true
199 199 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
200 200
201 201 ##### `ENABLE_XORG`=false
202 202 Install Xorg open-source X Window System.
203 203
204 204 ##### `ENABLE_WM`=""
205 205 Install a user-defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
206 206
207 207 ##### `ENABLE_SYSVINIT`=false
208 208 Support for halt,init,poweroff,reboot,runlevel,shutdown,telinit commands
209 209
210 210 ---
211 211
212 212 #### Advanced system features:
213 213 ##### `ENABLE_SYSTEMDSWAP`=false
214 214 Enables [Systemd-swap service](https://github.com/Nefelim4ag/systemd-swap). Usefull if `KERNEL_ZSWAP` is enabled.
215 215
216 216 ##### `ENABLE_MINBASE`=false
217 217 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
218 218
219 219 ##### `ENABLE_REDUCE`=false
220 220 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
221 221
222 222 ##### `ENABLE_UBOOT`=false
223 223 Replace the default RPi 0/1/2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](https://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
224 224
225 225 ##### `UBOOTSRC_DIR`=""
226 226 Path to a directory (`u-boot`) of [U-Boot bootloader sources](https://git.denx.de/?p=u-boot.git;a=summary) that will be copied, configured, build and installed inside the chroot.
227 227
228 228 ##### `ENABLE_FBTURBO`=false
229 229 Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
230 230
231 231 ##### `FBTURBOSRC_DIR`=""
232 232 Path to a directory (`xf86-video-fbturbo`) of [hardware accelerated Xorg video driver sources](https://github.com/ssvb/xf86-video-fbturbo) that will be copied, configured, build and installed inside the chroot.
233 233
234 234 ##### `ENABLE_VIDEOCORE`=false
235 235 Install and enable the [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) `vcgencmd`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
236 236
237 237 ##### `VIDEOCORESRC_DIR`=""
238 238 Path to a directory (`userland`) of [ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
239 239
240 240 ##### `ENABLE_NEXMON`=false
241 241 Install and enable the [Source code for a C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection](https://github.com/seemoo-lab/nexmon.git).
242 242
243 243 ##### `NEXMONSRC_DIR`=""
244 244 Path to a directory (`nexmon`) of [Source code for ARM side libraries for interfacing to Raspberry Pi GPU](https://github.com/raspberrypi/userland) that will be copied, configured, build and installed inside the chroot.
245 245
246 246 ##### `ENABLE_IPTABLES`=false
247 247 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
248 248
249 249 ##### `ENABLE_USER`=true
250 250 Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, the username will be `pi`.
251 251
252 252 ##### `USER_NAME`=pi
253 253 Non-root user to create. Ignored if `ENABLE_USER`=false
254 254
255 255 ##### `ENABLE_ROOT`=false
256 256 Set root user password so root login will be enabled
257 257
258 258 ##### `ENABLE_HARDNET`=false
259 259 Enable IPv4/IPv6 network stack hardening settings.
260 260
261 261 ##### `ENABLE_SPLITFS`=false
262 262 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
263 263
264 264 ##### `CHROOT_SCRIPTS`=""
265 265 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
266 266
267 267 ##### `ENABLE_INITRAMFS`=false
268 268 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
269 269
270 270 ##### `ENABLE_IFNAMES`=true
271 271 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names.
272 272
273 273 ##### `DISABLE_UNDERVOLT_WARNINGS`=
274 274 Disable RPi2/3 under-voltage warnings and overlays. Setting the parameter to `1` will disable the warning overlay. Setting it to `2` will additionally allow RPi2/3 turbo mode when low-voltage is present.
275 275
276 276 ---
277 277
278 278 #### SSH settings:
279 279 ##### `SSH_ENABLE_ROOT`=false
280 280 Enable password-based root login via SSH. This may be a security risk with the default password set, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
281 281
282 282 ##### `SSH_DISABLE_PASSWORD_AUTH`=false
283 283 Disable password-based SSH authentication. Only public key based SSH (v2) authentication will be supported.
284 284
285 285 ##### `SSH_LIMIT_USERS`=false
286 286 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. This parameter will be ignored if `dropbear` SSH is used (`REDUCE_SSHD`=true).
287 287
288 288 ##### `SSH_ROOT_PUB_KEY`=""
289 289 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
290 290
291 291 ##### `SSH_USER_PUB_KEY`=""
292 292 Add SSH (v2) public key(s) from specified file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported.
293 293
294 294 ---
295 295
296 296 #### Kernel compilation:
297 297 ##### `BUILD_KERNEL`=true
298 298 Build and install the latest RPi 0/1/2/3 Linux kernel. Currently only the default RPi 0/1/2/3 kernel configuration is used.
299 299
300 300 ##### `CROSS_COMPILE`="arm-linux-gnueabihf-"
301 301 This sets the cross-compile environment for the compiler.
302 302
303 303 ##### `KERNEL_ARCH`="arm"
304 304 This sets the kernel architecture for the compiler.
305 305
306 306 ##### `KERNEL_IMAGE`="kernel7.img"
307 307 Name of the image file in the boot partition. If not set, `KERNEL_IMAGE` will be set to "kernel8.img" automatically if building for arm64.
308 308
309 309 ##### `KERNEL_BRANCH`=""
310 310 Name of the requested branch from the GIT location for the RPi Kernel. Default is using the current default branch from the GIT site.
311 311
312 312 ##### `QEMU_BINARY`="/usr/bin/qemu-arm-static"
313 313 Sets the QEMU enviornment for the Debian archive. If not set, `QEMU_BINARY` will be set to "/usr/bin/qemu-aarch64-static" automatically if building for arm64.
314 314
315 315 ##### `KERNEL_DEFCONFIG`="bcm2709_defconfig"
316 316 Sets the default config for kernel compiling. If not set, `KERNEL_DEFCONFIG` will be set to "bcmrpi3\_defconfig" automatically if building for arm64.
317 317
318 318 ##### `KERNEL_REDUCE`=false
319 319 Reduce the size of the generated kernel by removing unwanted devices, network and filesystem drivers (experimental).
320 320
321 321 ##### `KERNEL_THREADS`=1
322 322 Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
323 323
324 324 ##### `KERNEL_HEADERS`=true
325 325 Install kernel headers with the built kernel.
326 326
327 327 ##### `KERNEL_MENUCONFIG`=false
328 328 Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
329 329
330 330 ##### `KERNEL_OLDDEFCONFIG`=false
331 331 Run `make olddefconfig` to automatically set all new kernel configuration options to their recommended default values.
332 332
333 333 ##### `KERNEL_CCACHE`=false
334 334 Compile the kernel using ccache. This speeds up kernel recompilation by caching previous compilations and detecting when the same compilation is being done again.
335 335
336 336 ##### `KERNEL_REMOVESRC`=true
337 337 Remove all kernel sources from the generated OS image after it was built and installed.
338 338
339 339 ##### `KERNELSRC_DIR`=""
340 340 Path to a directory (`linux`) of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
341 341
342 342 ##### `KERNELSRC_CLEAN`=false
343 343 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
344 344
345 345 ##### `KERNELSRC_CONFIG`=true
346 346 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
347 347
348 348 ##### `KERNELSRC_USRCONFIG`=""
349 349 Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then running after copy.
350 350
351 351 ##### `KERNELSRC_PREBUILT`=false
352 352 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
353 353
354 354 ##### `RPI_FIRMWARE_DIR`=""
355 355 The directory (`firmware`) containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
356 356
357 357 ##### `KERNEL_DEFAULT_GOV`="ONDEMAND"
358 358 Set the default cpu governor at kernel compilation. Supported values are: PERFORMANCE POWERSAVE USERSPACE ONDEMAND CONSERVATIVE SCHEDUTIL
359 359
360 360 ##### `KERNEL_NF`=false
361 361 Enable Netfilter modules as kernel modules
362 362
363 363 ##### `KERNEL_VIRT`=false
364 364 Enable Kernel KVM support (/dev/kvm)
365 365
366 366 ##### `KERNEL_ZSWAP`=false
367 367 Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load usecases
368 368
369 369 ##### `KERNEL_BPF`=true
370 370 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
371 371
372 372 ##### `KERNEL_SECURITY`=false
373 373 Enables Apparmor, integrity subsystem, auditing
374 374 ---
375 375
376 376 #### Reduce disk usage:
377 377 The following list of parameters is ignored if `ENABLE_REDUCE`=false.
378 378
379 379 ##### `REDUCE_APT`=true
380 380 Configure APT to use compressed package repository lists and no package caching files.
381 381
382 382 ##### `REDUCE_DOC`=true
383 383 Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
384 384
385 385 ##### `REDUCE_MAN`=true
386 386 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
387 387
388 388 ##### `REDUCE_VIM`=false
389 389 Replace `vim-tiny` package by `levee` a tiny vim clone.
390 390
391 391 ##### `REDUCE_BASH`=false
392 392 Remove `bash` package and switch to `dash` shell (experimental).
393 393
394 394 ##### `REDUCE_HWDB`=true
395 395 Remove PCI related hwdb files (experimental).
396 396
397 397 ##### `REDUCE_SSHD`=true
398 398 Replace `openssh-server` with `dropbear`.
399 399
400 400 ##### `REDUCE_LOCALE`=true
401 401 Remove all `locale` translation files.
402 402
403 403 ---
404 404
405 405 #### Encrypted root partition:
406 406 ##### `ENABLE_CRYPTFS`=false
407 407 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
408 408
409 409 ##### `CRYPTFS_PASSWORD`=""
410 410 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
411 411
412 412 ##### `CRYPTFS_MAPPING`="secure"
413 413 Set name of dm-crypt managed device-mapper mapping.
414 414
415 415 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
416 416 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
417 417
418 418 ##### `CRYPTFS_XTSKEYSIZE`=512
419 419 Sets key size in bits. The argument has to be a multiple of 8.
420 420
421 ##### `CRYPTFS_DROPBEAR`=false
422 Enable Dropbear Initramfs support
423
424 ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
425 Provide path to dropbear Public RSA-OpenSSH Key
426
421 427 ---
422 428
423 429 #### Build settings:
424 430 ##### `BASEDIR`=$(pwd)/images/${RELEASE}
425 431 Set a path to a working directory used by the script to generate an image.
426 432
427 433 ##### `IMAGE_NAME`=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}
428 434 Set a filename for the output file(s). Note: the script will create $IMAGE_NAME.img if `ENABLE_SPLITFS`=false or $IMAGE_NAME-frmw.img and $IMAGE_NAME-root.img if `ENABLE_SPLITFS`=true. Note 2: If the KERNEL_BRANCH is not set, the word "CURRENT" is used.
429 435
430 436 ## Understanding the script
431 437 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
432 438
433 439 | Script | Description |
434 440 | --- | --- |
435 441 | `10-bootstrap.sh` | Debootstrap basic system |
436 442 | `11-apt.sh` | Setup APT repositories |
437 443 | `12-locale.sh` | Setup Locales and keyboard settings |
438 444 | `13-kernel.sh` | Build and install RPi 0/1/2/3 Kernel |
439 445 | `14-fstab.sh` | Setup fstab and initramfs |
440 446 | `15-rpi-config.sh` | Setup RPi 0/1/2/3 config and cmdline |
441 447 | `20-networking.sh` | Setup Networking |
442 448 | `21-firewall.sh` | Setup Firewall |
443 449 | `30-security.sh` | Setup Users and Security settings |
444 450 | `31-logging.sh` | Setup Logging |
445 451 | `32-sshd.sh` | Setup SSH and public keys |
446 452 | `41-uboot.sh` | Build and Setup U-Boot |
447 453 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
448 454 | `43-videocore.sh` | Build and Setup videocore libraries |
449 455 | `50-firstboot.sh` | First boot actions |
450 456 | `99-reduce.sh` | Reduce the disk space usage |
451 457
452 458 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
453 459
454 460 | Directory | Description |
455 461 | --- | --- |
456 462 | `apt` | APT management configuration files |
457 463 | `boot` | Boot and RPi 0/1/2/3 configuration files |
458 464 | `dpkg` | Package Manager configuration |
459 465 | `etc` | Configuration files and rc scripts |
460 466 | `firstboot` | Scripts that get executed on first boot |
461 467 | `initramfs` | Initramfs scripts |
462 468 | `iptables` | Firewall configuration files |
463 469 | `locales` | Locales configuration |
464 470 | `modules` | Kernel Modules configuration |
465 471 | `mount` | Fstab configuration |
466 472 | `network` | Networking configuration files |
467 473 | `sysctl.d` | Swapping and Network Hardening configuration |
468 474 | `xorg` | fbturbo Xorg driver configuration |
469 475
470 476 ## Custom packages and scripts
471 477 Debian custom packages, i.e. those not in the debian repositories, can be installed by placing them in the `packages` directory. They are installed immediately after packages from the repositories are installed. Any dependencies listed in the custom packages will be downloaded automatically from the repositories. Do not list these custom packages in `APT_INCLUDES`.
472 478
473 479 Scripts in the custom.d directory will be executed after all other installation is complete but before the image is created.
474 480
475 481 ## Logging of the bootstrapping process
476 482 All information related to the bootstrapping process and the commands executed by the `rpi23-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
477 483
478 484 ```shell
479 485 script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
480 486 ```
481 487
482 488 ## Flashing the image file
483 489 After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi 0/1/2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
484 490
485 491 ##### Flashing examples:
486 492 ```shell
487 493 bmaptool copy ./images/buster/2017-01-23-rpi3-buster.img /dev/mmcblk0
488 494 dd bs=4M if=./images/buster/2017-01-23-rpi3-buster.img of=/dev/mmcblk0
489 495 ```
490 496 If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
491 497 ```shell
492 498 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-frmw.img /dev/mmcblk0
493 499 bmaptool copy ./images/buster/2017-01-23-rpi3-buster-root.img /dev/sdc
494 500 ```
495 501
496 502 ## QEMU emulation
497 503 Start QEMU full system emulation:
498 504 ```shell
499 505 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=tty1"
500 506 ```
501 507
502 508 Start QEMU full system emulation and output to console:
503 509 ```shell
504 510 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
505 511 ```
506 512
507 513 Start QEMU full system emulation with SMP and output to console:
508 514 ```shell
509 515 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -smp cpus=2,maxcpus=2 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -append "root=/dev/mmcblk0p2 rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
510 516 ```
511 517
512 518 Start QEMU full system emulation with cryptfs, initramfs and output to console:
513 519 ```shell
514 520 qemu-system-arm -m 2048M -M vexpress-a15 -cpu cortex-a15 -kernel kernel7.img -no-reboot -dtb vexpress-v2p-ca15_a7.dtb -sd ${IMAGE_NAME}.qcow2 -initrd "initramfs-${KERNEL_VERSION}" -append "root=/dev/mapper/secure cryptdevice=/dev/mmcblk0p2:secure rw rootfstype=ext4 console=ttyAMA0,115200 init=/bin/systemd" -serial stdio
515 521 ```
516 522
517 523 ## External links and references
518 524 * [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
519 525 * [Debian Raspberry Pi 2 Wiki](https://wiki.debian.org/RaspberryPi2)
520 526 * [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains)
521 527 * [Official Raspberry Pi Firmware on github](https://github.com/raspberrypi/firmware)
522 528 * [Official Raspberry Pi Kernel on github](https://github.com/raspberrypi/linux)
523 529 * [U-BOOT git repository](https://git.denx.de/?p=u-boot.git;a=summary)
524 530 * [Xorg DDX driver fbturbo](https://github.com/ssvb/xf86-video-fbturbo)
525 531 * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
526 532 * [Collabora RPi2 Kernel precompiled](https://repositories.collabora.co.uk/debian/)
@@ -1,64 +1,99
1 1 #
2 2 # Setup fstab and initramfs
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup fstab
9 9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10 10
11 11 if [ "$ENABLE_UBOOTUSB" = true ] ; then
12 12 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
13 13 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
14 14 fi
15 15
16 16 # Add usb/sda disk root partition to fstab
17 17 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
18 18 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
19 19 fi
20 20
21 21 # Add encrypted root partition to fstab and crypttab
22 22 if [ "$ENABLE_CRYPTFS" = true ] ; then
23 23 # Replace fstab root partition with encrypted partition mapping
24 24 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
25 25
26 26 # Add encrypted partition to crypttab and fstab
27 27 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
28 28 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
29 29
30 30 if [ "$ENABLE_SPLITFS" = true ] ; then
31 31 # Add usb/sda disk to crypttab
32 32 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
33 33 fi
34 34 fi
35 35
36 36 # Generate initramfs file
37 37 if [ "$ENABLE_INITRAMFS" = true ] ; then
38 38 if [ "$ENABLE_CRYPTFS" = true ] ; then
39 39 # Include initramfs scripts to auto expand encrypted root partition
40 40 if [ "$EXPANDROOT" = true ] ; then
41 41 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
42 42 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
43 43 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
44 44 fi
45 45
46 # Disable SSHD inside initramfs
47 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
46 if [ "$CRYPTFS_DROPBEAR" = true ]; then
47 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
48 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
49 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
50 else
51 # Create key
52 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
53
54 # Convert dropbear key to openssh key
55 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
56
57 # Get Public Key Part
58 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
59
60 # Delete unwanted lines
61 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
62 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
63
64 # Trust the new key
65 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
66
67 # Save Keys - convert with putty from rsa/openssh to puttkey
68 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
69
70 # Get unlock script
71 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
72
73 # Enable Dropbear inside initramfs
74 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
75
76 # Enable Dropbear inside initramfs
77 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
78 fi
79 else
80 # Disable SSHD inside initramfs
81 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
82 fi
48 83
49 84 # Add cryptsetup modules to initramfs
50 85 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
51 86
52 87 # Dummy mapping required by mkinitramfs
53 88 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
54 89
55 90 # Generate initramfs with encrypted root partition support
56 91 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
57 92
58 93 # Remove dummy mapping
59 94 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
60 95 else
61 96 # Generate initramfs without encrypted root partition support
62 97 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
63 98 fi
64 99 fi
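Review bot: the `DROPBEAR=y` write, the `crypt_unlock.sh` hook install and the `sleep 5` patch only run in the `else` (generated key) branch of the new `CRYPTFS_DROPBEAR` block, so with `CRYPTFS_DROPBEAR=true` and a readable `CRYPTFS_DROPBEAR_PUBKEY` the supplied key is appended to `authorized_keys` but `initramfs.conf` never gets `DROPBEAR=y` and the `unlock` helper is not installed, i.e. remote unlock silently does nothing in exactly the case where the user brought their own key. Move the three blocks starting at `# Get unlock script` below the inner `fi` so both branches share them. Two more points in the same block: the generated client private key is left in the image at `/etc/dropbear-initramfs/id_rsa` and `id_rsa.dropbear` after the `cp -f ... "${BASEDIR}"/dropbear_initramfs_key.rsa`; the target only needs the public half in `authorized_keys`, so remove both private files from `${ETC_DIR}/dropbear-initramfs/` once exported. And `sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear` patches a fixed line number in a package-shipped script, which will insert the sleep somewhere else without any error the next time `dropbear-initramfs` is updated; anchor the insertion on a pattern, or drop a separate `init-premount` script ordered after `dropbear` instead.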
@@ -1,270 +1,265
1 1 #
2 2 # Setup RPi2/3 config and cmdline
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
9 9 # Install boot binaries from local directory
10 10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
11 11 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
12 12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
13 13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
14 14 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
15 15 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
16 16 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
17 17 else
18 18 # Create temporary directory for boot binaries
19 19 temp_dir=$(as_nobody mktemp -d)
20 20
21 21 # Install latest boot binaries from raspberry/firmware github
22 22 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
23 23 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
24 24 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
25 25 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
26 26 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
27 27 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
28 28 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
29 29
30 30 # Move downloaded boot binaries
31 31 mv "${temp_dir}/"* "${BOOT_DIR}/"
32 32
33 33 # Remove temporary directory for boot binaries
34 34 rm -fr "${temp_dir}"
35 35
36 36 # Set permissions of the boot binaries
37 37 chown -R root:root "${BOOT_DIR}"
38 38 chmod -R 600 "${BOOT_DIR}"
39 39 fi
40 40
41 41 # Setup firmware boot cmdline
42 42 if [ "$ENABLE_SPLITFS" = true ] ; then
43 43 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
44 44 else
45 45 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait console=tty1 init=/bin/systemd"
46 46 fi
47 47
48 48 # Add encrypted root partition to cmdline.txt
49 49 if [ "$ENABLE_CRYPTFS" = true ] ; then
50 50 if [ "$ENABLE_SPLITFS" = true ] ; then
51 51 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
52 52 else
53 53 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
54 54 fi
55 55 fi
56 56
57 57 # Enable Kernel messages on standard output
58 58 if [ "$ENABLE_PRINTK" = true ] ; then
59 59 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
60 60 fi
61 61
62 62 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
63 63 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
64 64
65 65 # Remove IPv6 networking support
66 66 if [ "$ENABLE_IPV6" = false ] ; then
67 67 CMDLINE="${CMDLINE} ipv6.disable=1"
68 68 fi
69 69
70 70 # Automatically assign predictable network interface names
71 71 if [ "$ENABLE_IFNAMES" = false ] ; then
72 72 CMDLINE="${CMDLINE} net.ifnames=0"
73 73 else
74 74 CMDLINE="${CMDLINE} net.ifnames=1"
75 75 fi
76 76
77 77 # Install firmware config
78 78 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
79 79
80 80 # Locks CPU frequency at maximum
81 81 if [ "$ENABLE_TURBO" = true ] ; then
82 82 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
83 83 # helps to avoid sdcard corruption when force_turbo is enabled.
84 84 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
85 85 fi
86 86
87 87 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
88
89 # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface
90 SET_SERIAL="ttyS0"
91
88
92 89 # Bluetooth enabled
93 90 if [ "$ENABLE_BLUETOOTH" = true ] ; then
94 91 # Create temporary directory for Bluetooth sources
95 92 temp_dir=$(as_nobody mktemp -d)
96 93
97 94 # Fetch Bluetooth sources
98 95 as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
99 96
100 97 # Copy downloaded sources
101 98 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
102 99
103 100 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
104 101 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
105 102 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth
106 103
107 104 # Set permissions
108 105 chown -R root:root "${R}/tmp/pi-bluetooth"
109 106
110 107 # Install tools
111 108 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
112 109 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
113 110
111 # make scripts executable
112 chmod +x "${R}/usr/bin/bthelper"
113 chmod +x "${R}/usr/bin/btuart"
114
114 115 # Install bluetooth udev rule
115 116 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
116 117
117 118 # Install Firmware Flash file and apropiate licence
118 119 mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
119 120 install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
120 121 install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
121 122 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
122 123 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
123
124 # Remove temporary directory
124
125 # Remove temporary directories
125 126 rm -fr "${temp_dir}"
126
127 rm -fr "${R}"/tmp/pi-bluetooth
128
127 129 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
128 130 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
129 SET_SERIAL="ttyAMA0"
130 131
131 132 # set overlay to swap ttyAMA0 and ttyS0
132 133 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
133 134
134 135 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
135 136 if [ "$ENABLE_TURBO" = false ] ; then
136 137 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
137 138 fi
138
139 # Activate services
140 chroot_exec systemctl enable pi-bluetooth.hciuart.service
141 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
142 else
143 chroot_exec systemctl enable pi-bluetooth.hciuart.service
144 #chroot_exec systemctl enable pi-bluetooth.bthelper@.service
145 139 fi
146
140
141 # Activate services
142 chroot_exec systemctl enable pi-bluetooth.hciuart.service
143
147 144 else # if ENABLE_BLUETOOTH = false
148 145 # set overlay to disable bluetooth
149 146 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
150 147 fi # ENABLE_BLUETOOTH end
151
152 else
153 # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface
154 SET_SERIAL="ttyAMA0"
155 148 fi
156 149
157 150 # may need sudo systemctl disable hciuart
158 151 if [ "$ENABLE_CONSOLE" = true ] ; then
159 152 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
160 153 # add string to cmdline
161 154 CMDLINE="${CMDLINE} console=serial0,115200"
162
155
163 156 # Enable serial console systemd style
164 chroot_exec systemctl enable serial-getty\@"$SET_SERIAL".service
157 chroot_exec systemctl enable serial-getty\@serial0.service
165 158 else
166 159 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
160
167 161 # disable serial console systemd style
168 162 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
169 163 fi
170 164
171 165 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
172 166 # Create temporary directory for systemd-swap sources
173 167 temp_dir=$(as_nobody mktemp -d)
174 168
175 169 # Fetch systemd-swap sources
176 170 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
177 171
178 172 # Copy downloaded systemd-swap sources
179 173 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
180 174
181 175 # Set permissions of the systemd-swap sources
182 176 chown -R root:root "${R}/tmp/systemd-swap"
183 177
184 178 # Remove temporary directory for systemd-swap sources
185 179 rm -fr "${temp_dir}"
186 180
187 181 # Change into downloaded src dir
188 182 cd "${R}/tmp/systemd-swap" || exit
189 183
190 184 # Build package
191 185 . ./package.sh debian
192 186
193 187 # Install package
194 188 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb
195 189
196 190 # Enable service
197 191 chroot_exec systemctl enable systemd-swap
198 192
199 193 # Change back into script root dir
200 194 cd "${WORKDIR}" || exit
201 195 else
202 196 # Enable ZSWAP in cmdline if systemd-swap is not used
203 197 if [ "$KERNEL_ZSWAP" = true ] ; then
204 198 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
205 199 fi
206 200 fi
207 if [ "$KERNEL_SECURITY" = true ] ; then
208 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
209 fi
201
202 if [ "$KERNEL_SECURITY" = true ] ; then
203 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
204 fi
210 205
211 206 # Install firmware boot cmdline
212 207 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
213 208
214 209 # Setup minimal GPU memory allocation size: 16MB (no X)
215 210 if [ "$ENABLE_MINGPU" = true ] ; then
216 211 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
217 212 fi
218 213
219 214 # Setup boot with initramfs
220 215 if [ "$ENABLE_INITRAMFS" = true ] ; then
221 216 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
222 217 fi
223 218
224 219 # Create firmware configuration and cmdline symlinks
225 220 ln -sf firmware/config.txt "${R}/boot/config.txt"
226 221 ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
227 222
228 223 # Install and setup kernel modules to load at boot
229 224 mkdir -p "${LIB_DIR}/modules-load.d/"
230 225 install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
231 226
232 227 # Load hardware random module at boot
233 228 if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
234 229 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
235 230 fi
236 231
237 232 # Load sound module at boot
238 233 if [ "$ENABLE_SOUND" = true ] ; then
239 234 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
240 235 else
241 236 echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
242 237 fi
243 238
244 239 # Enable I2C interface
245 240 if [ "$ENABLE_I2C" = true ] ; then
246 241 echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
247 242 sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
248 243 sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
249 244 fi
250 245
251 246 # Enable SPI interface
252 247 if [ "$ENABLE_SPI" = true ] ; then
253 248 echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
254 249 echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
255 250 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]; then
256 251 sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
257 252 fi
258 253 fi
259 254
260 255 # Disable RPi2/3 under-voltage warnings
261 256 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
262 257 echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
263 258 fi
264 259
265 260 # Install kernel modules blacklist
266 261 mkdir -p "${ETC_DIR}/modprobe.d/"
267 262 install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
268 263
269 264 # Install sysctl.d configuration files
270 265 install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"
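Review bot: the `else` branch of the `ENABLE_CONSOLE` test still runs `chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service`, but every assignment to `SET_SERIAL` was removed in this hunk, so the variable is now empty and the command names `serial-getty@.service`, which does not touch the `serial-getty@serial0.service` instance the enable branch creates. Change it to `serial-getty\@serial0.service` so enable and disable refer to the same unit. While here, the unchanged line `install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"` writes the firmware blob over the licence file installed one line earlier and never installs `BCM43430A1.hcd` under its own name; the destination should be `${BLUETOOTH_FIRMWARE_DIR}/BCM43430A1.hcd`.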
@@ -1,132 +1,146
1 1 #
2 2 # Setup Networking
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Install and setup hostname
9 9 install_readonly files/network/hostname "${ETC_DIR}/hostname"
10 10 sed -i "s/^RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hostname"
11 11
12 12 # Install and setup hosts
13 13 install_readonly files/network/hosts "${ETC_DIR}/hosts"
14 14 sed -i "s/RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hosts"
15 15
16 16 # Setup hostname entry with static IP
17 17 if [ "$NET_ADDRESS" != "" ] ; then
18 18 NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
19 19 sed -i "s/^127.0.1.1/${NET_IP}/" "${ETC_DIR}/hosts"
20 20 fi
21 21
22 22 # Remove IPv6 hosts
23 23 if [ "$ENABLE_IPV6" = false ] ; then
24 24 sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETC_DIR}/hosts"
25 25 fi
26 26
27 27 # Install hint about network configuration
28 28 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
29 29
30 30 # Install configuration for interface eth0
31 31 install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
32 32
33 33 # Install configuration for interface wl*
34 34 install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
35 35
36 36 #always with dhcp since wpa_supplicant integration is missing
37 37 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/wlan.network"
38 38
39 39 if [ "$ENABLE_DHCP" = true ] ; then
40 40 # Enable DHCP configuration for interface eth0
41 41 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/eth.network"
42 42
43 43 # Set DHCP configuration to IPv4 only
44 44 if [ "$ENABLE_IPV6" = false ] ; then
45 45 sed -i "s/DHCP=.*/DHCP=v4/" "${ETC_DIR}/systemd/network/eth.network"
46 46 fi
47 47
48 48 else # ENABLE_DHCP=false
49 49 # Set static network configuration for interface eth0
50 50 sed -i\
51 51 -e "s|DHCP=.*|DHCP=no|"\
52 52 -e "s|Address=\$|Address=${NET_ADDRESS}|"\
53 53 -e "s|Gateway=\$|Gateway=${NET_GATEWAY}|"\
54 54 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_1}|"\
55 55 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_2}|"\
56 56 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
57 57 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
58 58 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
59 59 "${ETC_DIR}/systemd/network/eth.network"
60
61 if [ "$CRYPTFS_DROPBEAR" = true ] ; then
62 # Get cdir from NET_ADDRESS e.g. 24
63 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
64
65 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
66 NET_MASK=$(cdr2mask "$cdir")
67
68 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
69 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
70
71 # Regenerate initramfs
72 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
73 fi
60 74 fi
61 75
62 76 # Remove empty settings from network configuration
63 77 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/eth.network"
64 78 # Remove empty settings from wlan configuration
65 79 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/wlan.network"
66 80
67 81 # Move systemd network configuration if required by Debian release
68 82 mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
69 83 # If WLAN is enabled copy wlan configuration too
70 84 if [ "$ENABLE_WIRELESS" = true ] ; then
71 85 mv -v "${ETC_DIR}/systemd/network/wlan.network" "${LIB_DIR}/systemd/network/11-wlan.network"
72 86 fi
73 87 rm -fr "${ETC_DIR}/systemd/network"
74 88
75 89 # Enable systemd-networkd service
76 90 chroot_exec systemctl enable systemd-networkd
77 91
78 92 # Install host.conf resolver configuration
79 93 install_readonly files/network/host.conf "${ETC_DIR}/host.conf"
80 94
81 95 # Enable network stack hardening
82 96 if [ "$ENABLE_HARDNET" = true ] ; then
83 97 # Install sysctl.d configuration files
84 98 install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETC_DIR}/sysctl.d/82-rpi-net-hardening.conf"
85 99
86 100 # Setup resolver warnings about spoofed addresses
87 101 sed -i "s/^# spoof warn/spoof warn/" "${ETC_DIR}/host.conf"
88 102 fi
89 103
90 104 # Enable time sync
91 105 if [ "$NET_NTP_1" != "" ] ; then
92 106 chroot_exec systemctl enable systemd-timesyncd.service
93 107 fi
94 108
95 109 # Download the firmware binary blob required to use the RPi3 wireless interface
96 110 if [ "$ENABLE_WIRELESS" = true ] ; then
97 111 if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then
98 112 mkdir -p "${WLAN_FIRMWARE_DIR}"
99 113 fi
100 114
101 115 # Create temporary directory for firmware binary blob
102 116 temp_dir=$(as_nobody mktemp -d)
103 117
104 118 # Fetch firmware binary blob for RPI3B+
105 119 if [ "$RPI_MODEL" = 3P ] ; then
106 120 # Fetch firmware binary blob for RPi3P
107 121 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
108 122 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
109 123 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
110 124
111 125 # Move downloaded firmware binary blob
112 126 mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
113 127
114 128 # Set permissions of the firmware binary blob
115 129 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
116 130 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
117 131 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
118 132 # Fetch firmware binary blob for RPi3
119 133 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
120 134 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
121 135
122 136 # Move downloaded firmware binary blob
123 137 mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
124 138
125 139 # Set permissions of the firmware binary blob
126 140 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
127 141 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
128 142 fi
129 143
130 144 # Remove temporary directory for firmware binary blob
131 145 rm -fr "${temp_dir}"
132 146 fi
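Review bot: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` tries to execute the address string itself (for example `192.168.1.10/24`) as a command; the `echo` is missing, so `cdir` is always empty and `cdr2mask` is called without an argument. It should read `cdir=$(echo "${NET_ADDRESS}" | cut -d '/' -f2)`. The `IP=` line has a second problem: it passes the full `NET_ADDRESS` including the `/prefix` suffix as the client address, whereas the initramfs `ip=` syntax is `client:server:gateway:netmask:hostname:device:autoconf` with a bare address, so use `NET_IP`, which this file already extracts at the top, and write `IP=${NET_IP}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:`. Finally, `cdr2mask` is not defined in this file; please confirm it is added to `functions.sh` in the same change, otherwise the static-address path fails for every `CRYPTFS_DROPBEAR=true` build.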
@@ -1,53 +1,54
1 1 #
2 2 # Setup Firewall
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_IPTABLES" = true ] ; then
9 9 # Create iptables configuration directory
10 10 mkdir -p "${ETC_DIR}/iptables"
11 11
12 12 if [ "$KERNEL_NF" = false ] ; then
13 13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
14 14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 15 fi
16 16
17 17 # Install iptables systemd service
18 18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
19 19
20 20 # Install flush-table script called by iptables service
21 21 install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
22 22
23 23 # Install iptables rule file
24 24 install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
25 25
26 26 # Reload systemd configuration and enable iptables service
27 27 chroot_exec systemctl daemon-reload
28 28 chroot_exec systemctl enable iptables.service
29 29
30 30 if [ "$ENABLE_IPV6" = true ] ; then
31 31 if [ "$KERNEL_NF" = false ] ; then
32 #iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
32 #iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
35
35 36 # Install ip6tables systemd service
36 37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
37 38
38 39 # Install ip6tables file
39 40 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
40 41
41 42 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
42 43
43 44 # Reload systemd configuration and enable iptables service
44 45 chroot_exec systemctl daemon-reload
45 46 chroot_exec systemctl enable ip6tables.service
46 47 fi
47 48
48 49 if [ "$ENABLE_SSHD" = false ] ; then
49 50 # Remove SSHD related iptables rules
50 51 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
51 52 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
52 53 fi
53 54 fi
@@ -1,29 +1,24
1 1 #
2 2 # Setup users and security settings
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 # Generate crypt(3) password string
9 9 ENCRYPTED_PASSWORD=$(mkpasswd -m sha-512 "${PASSWORD}")
10 10 ENCRYPTED_USER_PASSWORD=$(mkpasswd -m sha-512 "${USER_PASSWORD}")
11 11
12 12 # Setup default user
13 13 if [ "$ENABLE_USER" = true ] ; then
14 14 chroot_exec adduser --gecos "$USER_NAME" --add_extra_groups --disabled-password "$USER_NAME"
15 15 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" "$USER_NAME"
16 16 fi
17 17
18 18 # Setup root password or not
19 19 if [ "$ENABLE_ROOT" = true ] ; then
20 20 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
21 21 else
22 22 # Set no root password to disable root login
23 23 chroot_exec usermod -p \'!\' root
24 24 fi
25
26 # Enable serial console systemd style
27 if [ "$ENABLE_CONSOLE" = true ] ; then
28 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
29 fi
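Review bot: on the lines that remain, `mkpasswd -m sha-512 "${PASSWORD}"` and the matching `USER_PASSWORD` call put the cleartext passwords on the command line, where any user on the build host can read them from the process list while the script runs; feed them on stdin instead, e.g. `printf '%s' "${PASSWORD}" | mkpasswd -m sha-512 -s`. The deletion of the `serial-getty@ttyAMA0` enable itself is fine, since `15-rpi-config.sh` now enables `serial-getty@serial0.service` in the same `ENABLE_CONSOLE` case.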
@@ -1,53 +1,56
1 1 #
2 2 # Setup videocore - Raspberry Userland
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_VIDEOCORE" = true ] ; then
9 9 # Copy existing videocore sources into chroot directory
10 10 if [ -n "$VIDEOCORESRC_DIR" ] && [ -d "$VIDEOCORESRC_DIR" ] ; then
11 11 # Copy local videocore sources
12 12 cp -r "${VIDEOCORESRC_DIR}" "${R}/tmp/userland"
13 13 else
14 14 # Create temporary directory for videocore sources
15 15 temp_dir=$(as_nobody mktemp -d)
16 16
17 17 # Fetch videocore sources
18 18 as_nobody git -C "${temp_dir}" clone "${VIDEOCORE_URL}"
19 19
20 20 # Copy downloaded videocore sources
21 21 mv "${temp_dir}/userland" "${R}/tmp/"
22 22
23 23 # Set permissions of the U-Boot sources
24 24 chown -R root:root "${R}/tmp/userland"
25 25
26 26 # Remove temporary directory for U-Boot sources
27 27 rm -fr "${temp_dir}"
28 28 fi
29 29
30 30 # Create build dir
31 31 mkdir "${R}"/tmp/userland/build
32 32
33 33 # push us to build directory
34 34 cd "${R}"/tmp/userland/build
35 35
36 36 if [ "$RELEASE_ARCH" = "arm64" ] ; then
37 37 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
38 38 fi
39 39
40 40 if [ "$RELEASE_ARCH" = "armel" ] ; then
41 41 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
42 42 fi
43 43
44 44 if [ "$RELEASE_ARCH" = "armhf" ] ; then
45 45 cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
46 46 fi
47 47
48 48 #build userland
49 49 make -j "$(nproc)"
50 50
51 51 #back to root of scriptdir
52 52 cd "${WORKDIR}"
53
54 # Remove videocore sources
55 rm -fr "${R}"/tmp/userland/
53 56 fi
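Review bot: the new `rm -fr "${R}"/tmp/userland/` (lines 54-55) deletes the source tree right after `make -j` with no `make install` step in between, so this only works if `-DVIDEOCORE_BUILD_DIR="${R}"` really places the built libraries and binaries under `${R}` rather than under `${R}/tmp/userland/build`; please confirm that before merging, otherwise the artifacts are removed together with the sources. Since this is an unconditional recursive delete, it is also worth writing the path as `"${R:?}"/tmp/userland/` so an unset `R` aborts instead of expanding to `/tmp/userland/`. Minor nit in the surrounding context: the comments at lines 23 and 26 still say "U-Boot sources" although this block handles the videocore sources.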
@@ -1,31 +1,32
1 1 logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
2 2
3 3 KERNEL_VERSION=$(uname -r)
4 4 KERNEL_ARCH=$(uname -m)
5 5 INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
6 6 INITRAMFS_UBOOT="${INITRAMFS}.uboot"
7 7
8 8 # Extract kernel arch
9 9 case "${KERNEL_ARCH}" in
10 10 arm*) KERNEL_ARCH=arm ;;
11 aarch64) KERNEL_ARCH=arm64 ;;
11 12 esac
12 13
13 14 # Regenerate initramfs
14 15 if [ -r "${INITRAMFS}" ] ; then
15 16 rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
16 17 rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
17 18 rm -f /etc/initramfs-tools/hooks/expand-tools
18 19 rm -f "${INITRAMFS}"
19 20 mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
20 21 fi
21 22
22 23 # Convert generated initramfs for U-Boot using mkimage
23 24 if [ -r "${INITRAMFS_UBOOT}" ] ; then
24 25 rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
25 26 rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
26 27 rm -f /etc/initramfs-tools/hooks/expand-tools
27 28 rm -f "${INITRAMFS_UBOOT}"
28 29 mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
29 30 mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
30 31 rm -f "${INITRAMFS}"
31 32 fi
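Review bot: the added `aarch64) KERNEL_ARCH=arm64 ;;` (line 11) is the right mapping for `mkimage -A` (U-Boot accepts `arm64` as an architecture name), and it is safe next to the existing `arm*)` pattern because `aarch64` does not match that glob. What the case still lacks is a fallback: any other `uname -m` value is passed unchanged to `mkimage -A "${KERNEL_ARCH}"` at line 30, where it fails with an unhelpful error. Consider adding a `*)` branch that logs the unexpected architecture via `logger -t "rc.firstboot"` and exits, so a broken first-boot initramfs regeneration on an encrypted-root image is reported rather than silently left in an odd state.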
@@ -1,105 +1,116
1 1 # This file contains utility functions used by rpi23-gen-image.sh
2 2
3 3 cleanup (){
4 4 set +x
5 5 set +e
6 6
7 7 # Remove exports from nexmon
8 8 unset KERNEL
9 9 unset ARCH
10 10 unset SUBARCH
11 11 unset CCPLUGIN
12 12 unset ZLIBFLATE
13 13 unset Q
14 14 unset NEXMON_SETUP_ENV
15 15 unset HOSTUNAME
16 16 unset PLATFORMUNAME
17 17
18 18 # Identify and kill all processes still using files
19 19 echo "killing processes using mount point ..."
20 20 fuser -k "${R}"
21 21 sleep 3
22 22 fuser -9 -k -v "${R}"
23 23
24 24 # Clean up temporary .password file
25 25 if [ -r ".password" ] ; then
26 26 shred -zu .password
27 27 fi
28 28
29 29 # Clean up all temporary mount points
30 30 echo "removing temporary mount points ..."
31 31 umount -l "${R}/proc" 2> /dev/null
32 32 umount -l "${R}/sys" 2> /dev/null
33 33 umount -l "${R}/dev/pts" 2> /dev/null
34 34 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
35 35 umount "$BUILDDIR/mount" 2> /dev/null
36 36 cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null
37 37 losetup -d "$ROOT_LOOP" 2> /dev/null
38 38 losetup -d "$FRMW_LOOP" 2> /dev/null
39 39 trap - 0 1 2 3 6
40 40 }
41 41
42 42 chroot_exec() {
43 43 # Exec command in chroot
44 44 LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot "${R}" "$@"
45 45 }
46 46
47 47 as_nobody() {
48 48 # Exec command as user nobody
49 49 sudo -E -u nobody LANG=C LC_ALL=C "$@"
50 50 }
51 51
52 52 install_readonly() {
53 53 # Install file with user read-only permissions
54 54 install -o root -g root -m 644 "$@"
55 55 }
56 56
57 57 install_exec() {
58 58 # Install file with root exec permissions
59 59 install -o root -g root -m 744 "$@"
60 60 }
61 61
62 62 use_template () {
63 63 # Test if configuration template file exists
64 64 if [ ! -r "./templates/${CONFIG_TEMPLATE}" ] ; then
65 65 echo "error: configuration template ${CONFIG_TEMPLATE} not found"
66 66 exit 1
67 67 fi
68 68
69 69 # Load template configuration parameters
70 70 . "./templates/${CONFIG_TEMPLATE}"
71 71 }
72 72
73 73 chroot_install_cc() {
74 74 # Install c/c++ build environment inside the chroot
75 75 if [ -z "${COMPILER_PACKAGES}" ] ; then
76 76 COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }')
77 # Install COMPILER_PACKAGES in chroot
78 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}"
77 # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot
78 chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES}
79 79 fi
80 80 }
81 81
82 82 chroot_remove_cc() {
83 83 # Remove c/c++ build environment from the chroot
84 84 if [ -n "${COMPILER_PACKAGES}" ] ; then
85 chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}"
85 chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES}
86 86 COMPILER_PACKAGES=""
87 87 fi
88 88 }
89
90 # https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0
91 cdr2mask ()
92 {
93 # Number of args to shift, 255..255, first non-255 byte, zeroes
94 set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
95 [ $1 -gt 1 ] && shift $1 || shift
96 echo ${1-0}.${2-0}.${3-0}.${4-0}
97 }
98
89 99 # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh
90 100 set_kernel_config() {
91 101 # flag as $1, value to set as $2, config must exist at "./.config"
92 102 TGT="CONFIG_${1#CONFIG_}"
93 103 REP="${2}"
94 104 if grep -q "^${TGT}[^_]" .config; then
95 105 sed -i "s/^\(${TGT}=.*\|# ${TGT} is not set\)/${TGT}=${REP}/" .config
96 106 else
97 107 echo "${TGT}"="${2}" >> .config
98 108 fi
99 109 }
110
100 111 # unset kernel config parameter
101 112 unset_kernel_config() {
102 113 # unsets flag with the value of $1, config must exist at "./.config"
103 114 TGT="CONFIG_${1#CONFIG_}"
104 115 sed -i "s/^${TGT}=.*/# ${TGT} is not set/" .config
105 116 } No newline at end of file
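Review bot: dropping the quotes around `${COMPILER_PACKAGES}` in the `apt-get install` (line 78) and `purge` (line 85) calls is correct and necessary here, because the value is a space-separated package list built with `awk -v ORS=" "` and must be word-split into separate arguments; the inline comment at line 77 explains why, and if the project runs shellcheck, a `# shellcheck disable=SC2086` on those lines will keep it from being "fixed" back. The new `cdr2mask` (lines 90-97) performs no validation of its argument: a non-numeric or out-of-range prefix length (anything outside 0-32) produces either a shell arithmetic error or a nonsensical mask, so add a range check before the `set --` line. The `[ $1 -gt 1 ] && shift $1 || shift` idiom also runs the `||` branch if `shift $1` itself fails; an explicit `if [ "$1" -gt 1 ]; then shift "$1"; else shift; fi` is clearer and avoids that.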
@@ -1,852 +1,859
1 1 #!/bin/sh
2 2 ########################################################################
3 3 # rpi23-gen-image.sh 2015-2017
4 4 #
5 5 # Advanced Debian "stretch" and "buster" bootstrap script for Raspberry Pi
6 6 #
7 7 # This program is free software; you can redistribute it and/or
8 8 # modify it under the terms of the GNU General Public License
9 9 # as published by the Free Software Foundation; either version 2
10 10 # of the License, or (at your option) any later version.
11 11 #
12 12 # Copyright (C) 2015 Jan Wagner <mail@jwagner.eu>
13 13 #
14 14 # Big thanks for patches and enhancements by 20+ github contributors!
15 15 ########################################################################
16 16
17 17 # Are we running as root?
18 18 if [ "$(id -u)" -ne "0" ] ; then
19 19 echo "error: this script must be executed with root privileges!"
20 20 exit 1
21 21 fi
22 22
23 23 # Check if ./functions.sh script exists
24 24 if [ ! -r "./functions.sh" ] ; then
25 25 echo "error: './functions.sh' required script not found!"
26 26 exit 1
27 27 fi
28 28
29 29 # Load utility functions
30 30 . ./functions.sh
31 31
32 32 # Load parameters from configuration template file
33 33 if [ -n "$CONFIG_TEMPLATE" ] ; then
34 34 use_template
35 35 fi
36 36
37 37 # Introduce settings
38 38 set -e
39 39 echo -n -e "\n#\n# RPi 0/1/2/3 Bootstrap Settings\n#\n"
40 40 set -x
41 41
42 42 # Raspberry Pi model configuration
43 43 RPI_MODEL=${RPI_MODEL:=2}
44 44
45 45 # Debian release
46 46 RELEASE=${RELEASE:=buster}
47 47
48 48 # Kernel Branch
49 49 KERNEL_BRANCH=${KERNEL_BRANCH:=""}
50 50
51 51 # URLs
52 52 KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
53 53 FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
54 54 WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm}
55 55 COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
56 56 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
57 57 UBOOT_URL=${UBOOT_URL:=https://git.denx.de/u-boot.git}
58 58 VIDEOCORE_URL=${VIDEOCORE_URL:=https://github.com/raspberrypi/userland}
59 59 BLUETOOTH_URL=${BLUETOOTH_URL:=https://github.com/RPi-Distro/pi-bluetooth.git}
60 60 NEXMON_URL=${NEXMON_URL:=https://github.com/seemoo-lab/nexmon.git}
61 61 SYSTEMDSWAP_URL=${SYSTEMDSWAP_URL:=https://github.com/Nefelim4ag/systemd-swap.git}
62 62
63 63 # Kernel deb packages for 32bit kernel
64 64 RPI_32_KERNEL_URL=${RPI_32_KERNEL_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel_20180422-141901_armhf.deb}
65 65 RPI_32_KERNELHEADER_URL=${RPI_32_KERNELHEADER_URL:=https://github.com/hypriot/rpi-kernel/releases/download/v4.14.34/raspberrypi-kernel-headers_20180422-141901_armhf.deb}
66 66 # Kernel has KVM and zswap enabled - use if KERNEL_* parameters and precompiled kernel are used
67 67 RPI3_64_BIS_KERNEL_URL=${RPI3_64_BIS_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel-bis/releases/download/4.14.80.20181113/bcmrpi3-kernel-bis-4.14.80.20181113.tar.xz}
68 68 # Default precompiled 64bit kernel
69 69 RPI3_64_DEF_KERNEL_URL=${RPI3_64_DEF_KERNEL_URL:=https://github.com/sakaki-/bcmrpi3-kernel/releases/download/4.14.80.20181113/bcmrpi3-kernel-4.14.80.20181113.tar.xz}
70 70 # Generic
71 71 RPI3_64_KERNEL_URL=${RPI3_64_KERNEL_URL:=$RPI3_64_DEF_KERNEL_URL}
72 72 # Kali kernel src - used if ENABLE_NEXMON=true (they patch the wlan kernel modul)
73 73 KALI_KERNEL_URL=${KALI_KERNEL_URL:=https://github.com/Re4son/re4son-raspberrypi-linux.git}
74 74
75 75 # Build directories
76 76 WORKDIR=$(pwd)
77 77 BASEDIR=${BASEDIR:=${WORKDIR}/images/${RELEASE}}
78 78 BUILDDIR="${BASEDIR}/build"
79 79
80 80 # Chroot directories
81 81 R="${BUILDDIR}/chroot"
82 82 ETC_DIR="${R}/etc"
83 83 LIB_DIR="${R}/lib"
84 84 BOOT_DIR="${R}/boot/firmware"
85 85 KERNEL_DIR="${R}/usr/src/linux"
86 86 WLAN_FIRMWARE_DIR="${LIB_DIR}/firmware/brcm"
87 87 BLUETOOTH_FIRMWARE_DIR="${ETC_DIR}/firmware/bt"
88 88
89 89 # Firmware directory: Blank if download from github
90 90 RPI_FIRMWARE_DIR=${RPI_FIRMWARE_DIR:=""}
91 91
92 92 # General settings
93 93 SET_ARCH=${SET_ARCH:=32}
94 94 HOSTNAME=${HOSTNAME:=rpi${RPI_MODEL}-${RELEASE}}
95 95 PASSWORD=${PASSWORD:=raspberry}
96 96 USER_PASSWORD=${USER_PASSWORD:=raspberry}
97 97 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
98 98 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
99 99 EXPANDROOT=${EXPANDROOT:=true}
100 100
101 101 # Keyboard settings
102 102 XKB_MODEL=${XKB_MODEL:=""}
103 103 XKB_LAYOUT=${XKB_LAYOUT:=""}
104 104 XKB_VARIANT=${XKB_VARIANT:=""}
105 105 XKB_OPTIONS=${XKB_OPTIONS:=""}
106 106
107 107 # Network settings (DHCP)
108 108 ENABLE_DHCP=${ENABLE_DHCP:=true}
109 109
110 110 # Network settings (static)
111 111 NET_ADDRESS=${NET_ADDRESS:=""}
112 112 NET_GATEWAY=${NET_GATEWAY:=""}
113 113 NET_DNS_1=${NET_DNS_1:=""}
114 114 NET_DNS_2=${NET_DNS_2:=""}
115 115 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
116 116 NET_NTP_1=${NET_NTP_1:=""}
117 117 NET_NTP_2=${NET_NTP_2:=""}
118 118
119 119 # APT settings
120 120 APT_PROXY=${APT_PROXY:=""}
121 121 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
122 122
123 123 # Feature settings
124 124 ENABLE_PRINTK=${ENABLE_PRINTK:=false}
125 125 ENABLE_BLUETOOTH=${ENABLE_BLUETOOTH:=false}
126 126 ENABLE_MINIUART_OVERLAY=${ENABLE_MINIUART_OVERLAY:=false}
127 127 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
128 128 ENABLE_I2C=${ENABLE_I2C:=false}
129 129 ENABLE_SPI=${ENABLE_SPI:=false}
130 130 ENABLE_IPV6=${ENABLE_IPV6:=true}
131 131 ENABLE_SSHD=${ENABLE_SSHD:=true}
132 132 ENABLE_NONFREE=${ENABLE_NONFREE:=false}
133 133 ENABLE_WIRELESS=${ENABLE_WIRELESS:=false}
134 134 ENABLE_SOUND=${ENABLE_SOUND:=true}
135 135 ENABLE_DBUS=${ENABLE_DBUS:=true}
136 136 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
137 137 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
138 138 ENABLE_XORG=${ENABLE_XORG:=false}
139 139 ENABLE_WM=${ENABLE_WM:=""}
140 140 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
141 141 ENABLE_USER=${ENABLE_USER:=true}
142 142 USER_NAME=${USER_NAME:="pi"}
143 143 ENABLE_ROOT=${ENABLE_ROOT:=false}
144 144 ENABLE_QEMU=${ENABLE_QEMU:=false}
145 145 ENABLE_SYSVINIT=${ENABLE_SYSVINIT:=false}
146 146
147 147 # SSH settings
148 148 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
149 149 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
150 150 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
151 151 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
152 152 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
153 153
154 154 # Advanced settings
155 155 ENABLE_SYSTEMDSWAP=${ENABLE_SYSTEMDSWAP:=false}
156 156 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
157 157 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
158 158 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
159 159 UBOOTSRC_DIR=${UBOOTSRC_DIR:=""}
160 160 ENABLE_UBOOTUSB=${ENABLE_UBOOTUSB=false}
161 161 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
162 162 ENABLE_VIDEOCORE=${ENABLE_VIDEOCORE:=false}
163 163 ENABLE_NEXMON=${ENABLE_NEXMON:=false}
164 164 VIDEOCORESRC_DIR=${VIDEOCORESRC_DIR:=""}
165 165 FBTURBOSRC_DIR=${FBTURBOSRC_DIR:=""}
166 166 NEXMONSRC_DIR=${NEXMONSRC_DIR:=""}
167 167 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
168 168 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
169 169 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
170 170 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
171 171 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
172 172 DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS:=}
173 173
174 174 # Kernel compilation settings
175 175 BUILD_KERNEL=${BUILD_KERNEL:=true}
176 176 KERNEL_REDUCE=${KERNEL_REDUCE:=false}
177 177 KERNEL_THREADS=${KERNEL_THREADS:=1}
178 178 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
179 179 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
180 180 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
181 181 KERNEL_OLDDEFCONFIG=${KERNEL_OLDDEFCONFIG:=false}
182 182 KERNEL_CCACHE=${KERNEL_CCACHE:=false}
183 183 KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
184 184 KERNEL_VIRT=${KERNEL_VIRT:=false}
185 185 KERNEL_BPF=${KERNEL_BPF:=false}
186 186 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
187 187 KERNEL_SECURITY=${KERNEL_SECURITY:=false}
188 188 KERNEL_NF=${KERNEL_NF:=false}
189 189
190 190 # Kernel compilation from source directory settings
191 191 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
192 192 KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
193 193 KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
194 194 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
195 195
196 196 # Reduce disk usage settings
197 197 REDUCE_APT=${REDUCE_APT:=true}
198 198 REDUCE_DOC=${REDUCE_DOC:=true}
199 199 REDUCE_MAN=${REDUCE_MAN:=true}
200 200 REDUCE_VIM=${REDUCE_VIM:=false}
201 201 REDUCE_BASH=${REDUCE_BASH:=false}
202 202 REDUCE_HWDB=${REDUCE_HWDB:=true}
203 203 REDUCE_SSHD=${REDUCE_SSHD:=true}
204 204 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
205 205
206 206 # Encrypted filesystem settings
207 207 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
208 208 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
209 209 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
210 210 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
211 211 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
212 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
213 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
214 #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
215 CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
212 216
213 217 # Chroot scripts directory
214 218 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
215 219
216 220 # Packages required in the chroot build environment
217 221 APT_INCLUDES=${APT_INCLUDES:=""}
218 222 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils,locales,keyboard-configuration,console-setup,libnss-systemd"
219 223
220 224 # Packages to exclude from chroot build environment
221 225 APT_EXCLUDES=${APT_EXCLUDES:=""}
222 226
223 227 # Packages required for bootstrapping
224 228 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc dbus sudo"
225 229 MISSING_PACKAGES=""
226 230
227 231 # Packages installed for c/c++ build environment in chroot (keep empty)
228 232 COMPILER_PACKAGES=""
229 233
230 set +x
231
232 #Check if apt-cacher-ng has port 3142 open and set APT_PROXY
233 APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq)
234 if [ -n "${APT_CACHER_RUNNING}" ] ; then
234 # Check if apt-cacher-ng has port 3142 open and set APT_PROXY
235 APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d')
236 if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then
235 237 APT_PROXY=http://127.0.0.1:3142/
236 238 fi
237 239
238 240 # Setup architecture specific settings
239 241 if [ -n "$SET_ARCH" ] ; then
240 242 # 64-bit configuration
241 243 if [ "$SET_ARCH" = 64 ] ; then
242 244 # General 64-bit depended settings
243 245 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-aarch64-static}
244 246 KERNEL_ARCH=${KERNEL_ARCH:=arm64}
245 247 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="Image"}
246 248
247 249 # Raspberry Pi model specific settings
248 250 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
249 251 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-arm64"
250 252 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi3_defconfig}
251 253 RELEASE_ARCH=${RELEASE_ARCH:=arm64}
252 254 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel8.img}
253 255 CROSS_COMPILE=${CROSS_COMPILE:=aarch64-linux-gnu-}
254 256 else
255 257 echo "error: Only Raspberry PI 3 and 3B+ support 64-bit"
256 258 exit 1
257 259 fi
258 260 fi
259 261
260 262 # 32-bit configuration
261 263 if [ "$SET_ARCH" = 32 ] ; then
262 264 # General 32-bit dependend settings
263 265 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
264 266 KERNEL_ARCH=${KERNEL_ARCH:=arm}
265 267 KERNEL_BIN_IMAGE=${KERNEL_BIN_IMAGE:="zImage"}
266 268
267 269 # Raspberry Pi model specific settings
268 270 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 1 ] || [ "$RPI_MODEL" = 1P ] ; then
269 271 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armel"
270 272 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcmrpi_defconfig}
271 273 RELEASE_ARCH=${RELEASE_ARCH:=armel}
272 274 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel.img}
273 275 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabi-}
274 276 fi
275 277
276 278 # Raspberry Pi model specific settings
277 279 if [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
278 280 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
279 281 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
280 282 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
281 283 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
282 284 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
283 285 fi
284 286 fi
285 287 # SET_ARCH not set
286 288 else
287 289 echo "error: Please set '32' or '64' as value for SET_ARCH"
288 290 exit 1
289 291 fi
290 292 # Device specific configuration and U-Boot configuration
291 293 case "$RPI_MODEL" in
292 294 0)
293 295 DTB_FILE=${DTB_FILE:=bcm2708-rpi-0-w.dtb}
294 296 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
295 297 ;;
296 298 1)
297 299 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b.dtb}
298 300 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
299 301 ;;
300 302 1P)
301 303 DTB_FILE=${DTB_FILE:=bcm2708-rpi-b-plus.dtb}
302 304 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_defconfig}
303 305 ;;
304 306 2)
305 307 DTB_FILE=${DTB_FILE:=bcm2709-rpi-2-b.dtb}
306 308 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_2_defconfig}
307 309 ;;
308 310 3)
309 311 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
310 312 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
311 313 ;;
312 314 3P)
313 315 DTB_FILE=${DTB_FILE:=bcm2710-rpi-3-b.dtb}
314 316 UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_3_defconfig}
315 317 ;;
316 318 *)
317 319 echo "error: Raspberry Pi model $RPI_MODEL is not supported!"
318 320 exit 1
319 321 ;;
320 322 esac
321 323
322 324 if [ "$ENABLE_UBOOTUSB" = true ] ; then
323 325 if [ "$ENABLE_UBOOT" = false ] ; then
324 326 echo "error: Enabling UBOOTUSB requires u-boot to be enabled"
325 327 exit 1
326 328 fi
327 329 if [ "$RPI_MODEL" != 3 ] || [ "$RPI_MODEL" != 3P ] ; then
328 330 echo "error: Enabling UBOOTUSB requires Raspberry 3"
329 331 exit 1
330 332 fi
331 333 fi
332 334
333 335 # Raspberry PI 0,3,3P with Bluetooth and Wifi onboard
334 336 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
335 337 # Include bluetooth packages on supported boards
336 338 if [ "$ENABLE_BLUETOOTH" = true ] ; then
337 339 APT_INCLUDES="${APT_INCLUDES},bluetooth,bluez"
338 340 fi
339 341 if [ "$ENABLE_WIRELESS" = true ] ; then
340 342 APT_INCLUDES="${APT_INCLUDES},wireless-tools,crda,wireless-regdb"
341 343 fi
342 344 else # Raspberry PI 1,1P,2 without Wifi and bluetooth onboard
343 345 # Check if the internal wireless interface is not supported by the RPi model
344 346 if [ "$ENABLE_WIRELESS" = true ] || [ "$ENABLE_BLUETOOTH" = true ]; then
345 347 echo "error: The selected Raspberry Pi model has no integrated interface for wireless or bluetooth"
346 348 exit 1
347 349 fi
348 350 fi
349 351
350 352 if [ "$BUILD_KERNEL" = false ] && [ "$ENABLE_NEXMON" = true ]; then
351 353 echo "error: You have to compile kernel sources, if you want to enable nexmon"
352 354 exit 1
353 355 fi
354 356
355 357 # Prepare date string for default image file name
356 358 DATE="$(date +%Y-%m-%d)"
357 359 if [ -z "$KERNEL_BRANCH" ] ; then
358 360 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
359 361 else
360 362 IMAGE_NAME=${IMAGE_NAME:=${BASEDIR}/${DATE}-${KERNEL_ARCH}-${KERNEL_BRANCH}-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
361 363 fi
362 364
363 365 # Check if DISABLE_UNDERVOLT_WARNINGS parameter value is supported
364 366 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
365 367 if [ "$DISABLE_UNDERVOLT_WARNINGS" != 1 ] && [ "$DISABLE_UNDERVOLT_WARNINGS" != 2 ] ; then
366 368 echo "error: DISABLE_UNDERVOLT_WARNINGS=${DISABLE_UNDERVOLT_WARNINGS} is not supported"
367 369 exit 1
368 370 fi
369 371 fi
370 372
371 373 # Add cmake to compile videocore sources
372 374 if [ "$ENABLE_VIDEOCORE" = true ] ; then
373 375 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cmake"
374 376 fi
375 377
376 378 # Add deps for nexmon
377 379 if [ "$ENABLE_NEXMON" = true ] ; then
378 380 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libgmp3-dev gawk qpdf bison flex make autoconf automake build-essential libtool"
379 381 fi
380 382
381 383 # Add libncurses5 to enable kernel menuconfig
382 384 if [ "$KERNEL_MENUCONFIG" = true ] ; then
383 385 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses-dev"
384 386 fi
385 387
386 388 # Add ccache compiler cache for (faster) kernel cross (re)compilation
387 389 if [ "$KERNEL_CCACHE" = true ] ; then
388 390 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} ccache"
389 391 fi
390 392
391 393 # Add cryptsetup package to enable filesystem encryption
392 394 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
393 395 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
394 396 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
395 397
398 # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
399 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
400 APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
401 fi
402
396 403 if [ -z "$CRYPTFS_PASSWORD" ] ; then
397 404 echo "error: no password defined (CRYPTFS_PASSWORD)!"
398 405 exit 1
399 406 fi
400 407 ENABLE_INITRAMFS=true
401 408 fi
402 409
403 410 # Add initramfs generation tools
404 411 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
405 412 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
406 413 fi
407 414
408 415 # Add device-tree-compiler required for building the U-Boot bootloader
409 416 if [ "$ENABLE_UBOOT" = true ] ; then
410 417 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler,bison,flex,bc"
411 418 fi
412 419
413 420 # Check if root SSH (v2) public key file exists
414 421 if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
415 422 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
416 423 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
417 424 exit 1
418 425 fi
419 426 fi
420 427
421 428 # Check if $USER_NAME SSH (v2) public key file exists
422 429 if [ -n "$SSH_USER_PUB_KEY" ] ; then
423 430 if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
424 431 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
425 432 exit 1
426 433 fi
427 434 fi
428 435
429 436 if [ "$ENABLE_NEXMON" = true ] && [ -n "$KERNEL_BRANCH" ] ; then
430 437 echo "error: Please unset KERNEL_BRANCH if using ENABLE_NEXMON"
431 438 exit 1
432 439 fi
433 440
434 441 # Check if all required packages are installed on the build system
435 442 for package in $REQUIRED_PACKAGES ; do
436 443 if [ "$(dpkg-query -W -f='${Status}' "$package")" != "install ok installed" ] ; then
437 444 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
438 445 fi
439 446 done
440 447
441 448 # If there are missing packages ask confirmation for install, or exit
442 449 if [ -n "$MISSING_PACKAGES" ] ; then
443 450 echo "the following packages needed by this script are not installed:"
444 451 echo "$MISSING_PACKAGES"
445 452
446 453 printf "\ndo you want to install the missing packages right now? [y/n] "
447 454 read -r confirm
448 455 [ "$confirm" != "y" ] && exit 1
449 456
450 457 # Make sure all missing required packages are installed
451 458 apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
452 459 fi
453 460
454 461 # Check if ./bootstrap.d directory exists
455 462 if [ ! -d "./bootstrap.d/" ] ; then
456 463 echo "error: './bootstrap.d' required directory not found!"
457 464 exit 1
458 465 fi
459 466
460 467 # Check if ./files directory exists
461 468 if [ ! -d "./files/" ] ; then
462 469 echo "error: './files' required directory not found!"
463 470 exit 1
464 471 fi
465 472
466 473 # Check if specified KERNELSRC_DIR directory exists
467 474 if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
468 475 echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
469 476 exit 1
470 477 fi
471 478
472 479 # Check if specified UBOOTSRC_DIR directory exists
473 480 if [ -n "$UBOOTSRC_DIR" ] && [ ! -d "$UBOOTSRC_DIR" ] ; then
474 481 echo "error: '${UBOOTSRC_DIR}' specified directory not found (UBOOTSRC_DIR)!"
475 482 exit 1
476 483 fi
477 484
478 485 # Check if specified VIDEOCORESRC_DIR directory exists
479 486 if [ -n "$VIDEOCORESRC_DIR" ] && [ ! -d "$VIDEOCORESRC_DIR" ] ; then
480 487 echo "error: '${VIDEOCORESRC_DIR}' specified directory not found (VIDEOCORESRC_DIR)!"
481 488 exit 1
482 489 fi
483 490
484 491 # Check if specified FBTURBOSRC_DIR directory exists
485 492 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
486 493 echo "error: '${FBTURBOSRC_DIR}' specified directory not found (FBTURBOSRC_DIR)!"
487 494 exit 1
488 495 fi
489 496
490 497 # Check if specified NEXMONSRC_DIR directory exists
491 498 if [ -n "$NEXMONSRC_DIR" ] && [ ! -d "$NEXMONSRC_DIR" ] ; then
492 499 echo "error: '${NEXMONSRC_DIR}' specified directory not found (NEXMONSRC_DIR)!"
493 500 exit 1
494 501 fi
495 502
496 503 # Check if specified CHROOT_SCRIPTS directory exists
497 504 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
498 505 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
499 506 exit 1
500 507 fi
501 508
502 509 # Check if specified device mapping already exists (will be used by cryptsetup)
503 510 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
504 511 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
505 512 exit 1
506 513 fi
507 514
508 515 # Don't clobber an old build
509 516 if [ -e "$BUILDDIR" ] ; then
510 517 echo "error: directory ${BUILDDIR} already exists, not proceeding"
511 518 exit 1
512 519 fi
513 520
514 521 # Setup chroot directory
515 522 mkdir -p "${R}"
516 523
517 524 # Check if build directory has enough of free disk space >512MB
518 525 if [ "$(df --output=avail "${BUILDDIR}" | sed "1d")" -le "524288" ] ; then
519 526 echo "error: ${BUILDDIR} not enough space left to generate the output image!"
520 527 exit 1
521 528 fi
522 529
523 530 set -x
524 531
525 532 # Call "cleanup" function on various signals and errors
526 533 trap cleanup 0 1 2 3 6
527 534
528 535 # Add required packages for the minbase installation
529 536 if [ "$ENABLE_MINBASE" = true ] ; then
530 537 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
531 538 fi
532 539
533 540 # Add parted package, required to get partprobe utility
534 541 if [ "$EXPANDROOT" = true ] ; then
535 542 APT_INCLUDES="${APT_INCLUDES},parted"
536 543 fi
537 544
538 545 # Add dbus package, recommended if using systemd
539 546 if [ "$ENABLE_DBUS" = true ] ; then
540 547 APT_INCLUDES="${APT_INCLUDES},dbus"
541 548 fi
542 549
543 550 # Add iptables IPv4/IPv6 package
544 551 if [ "$ENABLE_IPTABLES" = true ] ; then
545 552 APT_INCLUDES="${APT_INCLUDES},iptables,iptables-persistent"
546 553 fi
547 554 # Add apparmor for KERNEL_SECURITY
548 555 if [ "$KERNEL_SECURITY" = true ] ; then
549 556 APT_INCLUDES="${APT_INCLUDES},apparmor,apparmor-utils,apparmor-profiles,apparmor-profiles-extra,libapparmor-perl"
550 557 fi
551 558
552 559 # Add openssh server package
553 560 if [ "$ENABLE_SSHD" = true ] ; then
554 561 APT_INCLUDES="${APT_INCLUDES},openssh-server"
555 562 fi
556 563
557 564 # Add alsa-utils package
558 565 if [ "$ENABLE_SOUND" = true ] ; then
559 566 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
560 567 fi
561 568
562 569 # Add rng-tools package
563 570 if [ "$ENABLE_HWRANDOM" = true ] ; then
564 571 APT_INCLUDES="${APT_INCLUDES},rng-tools"
565 572 fi
566 573
567 574 # Add fbturbo video driver
568 575 if [ "$ENABLE_FBTURBO" = true ] ; then
569 576 # Enable xorg package dependencies
570 577 ENABLE_XORG=true
571 578 fi
572 579
573 580 # Add user defined window manager package
574 581 if [ -n "$ENABLE_WM" ] ; then
575 582 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
576 583
577 584 # Enable xorg package dependencies
578 585 ENABLE_XORG=true
579 586 fi
580 587
581 588 # Add xorg package
582 589 if [ "$ENABLE_XORG" = true ] ; then
583 590 APT_INCLUDES="${APT_INCLUDES},xorg,dbus-x11"
584 591 fi
585 592
586 593 # Replace selected packages with smaller clones
587 594 if [ "$ENABLE_REDUCE" = true ] ; then
588 595 # Add levee package instead of vim-tiny
589 596 if [ "$REDUCE_VIM" = true ] ; then
590 597 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
591 598 fi
592 599
593 600 # Add dropbear package instead of openssh-server
594 601 if [ "$REDUCE_SSHD" = true ] ; then
595 602 APT_INCLUDES="$(echo "${APT_INCLUDES}" | sed "s/openssh-server/dropbear/")"
596 603 fi
597 604 fi
598 605
599 606 # Configure systemd-sysv exclude to make halt/reboot/shutdown scripts available
600 607 if [ "$ENABLE_SYSVINIT" = false ] ; then
601 608 APT_EXCLUDES="--exclude=${APT_EXCLUDES},init,systemd-sysv"
602 609 fi
603 610
604 611 # Configure kernel sources if no KERNELSRC_DIR
605 612 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
606 613 KERNELSRC_CONFIG=true
607 614 fi
608 615
609 616 # Configure reduced kernel
610 617 if [ "$KERNEL_REDUCE" = true ] ; then
611 618 KERNELSRC_CONFIG=false
612 619 fi
613 620
614 621 # Configure qemu compatible kernel
615 622 if [ "$ENABLE_QEMU" = true ] ; then
616 623 DTB_FILE=vexpress-v2p-ca15_a7.dtb
617 624 UBOOT_CONFIG=vexpress_ca15_tc2_defconfig
618 625 KERNEL_DEFCONFIG="vexpress_defconfig"
619 626 if [ "$KERNEL_MENUCONFIG" = false ] ; then
620 627 KERNEL_OLDDEFCONFIG=true
621 628 fi
622 629 fi
623 630
624 631 # Execute bootstrap scripts
625 632 for SCRIPT in bootstrap.d/*.sh; do
626 633 head -n 3 "$SCRIPT"
627 634 . "$SCRIPT"
628 635 done
629 636
630 637 ## Execute custom bootstrap scripts
631 638 if [ -d "custom.d" ] ; then
632 639 for SCRIPT in custom.d/*.sh; do
633 640 . "$SCRIPT"
634 641 done
635 642 fi
636 643
637 644 # Execute custom scripts inside the chroot
638 645 if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
639 646 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
640 647 chroot_exec /bin/bash -x <<'EOF'
641 648 for SCRIPT in /chroot_scripts/* ; do
642 649 if [ -f $SCRIPT -a -x $SCRIPT ] ; then
643 650 $SCRIPT
644 651 fi
645 652 done
646 653 EOF
647 654 rm -rf "${R}/chroot_scripts"
648 655 fi
649 656
650 657 # Remove c/c++ build environment from the chroot
651 658 chroot_remove_cc
652 659
653 660 # Generate required machine-id
654 661 MACHINE_ID=$(dbus-uuidgen)
655 662 echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id"
656 663 echo -n "${MACHINE_ID}" > "${ETC_DIR}/machine-id"
657 664
658 665 # APT Cleanup
659 666 chroot_exec apt-get -y clean
660 667 chroot_exec apt-get -y autoclean
661 668 chroot_exec apt-get -y autoremove
662 669
663 670 # Unmount mounted filesystems
664 671 umount -l "${R}/proc"
665 672 umount -l "${R}/sys"
666 673
667 674 # Clean up directories
668 675 rm -rf "${R}/run/*"
669 676 rm -rf "${R}/tmp/*"
670 677
671 678 # Clean up files
672 679 rm -f "${ETC_DIR}/ssh/ssh_host_*"
673 680 rm -f "${ETC_DIR}/dropbear/dropbear_*"
674 681 rm -f "${ETC_DIR}/apt/sources.list.save"
675 682 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
676 683 rm -f "${ETC_DIR}/*-"
677 684 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
678 685 rm -f "${ETC_DIR}/resolv.conf"
679 686 rm -f "${R}/root/.bash_history"
680 687 rm -f "${R}/var/lib/urandom/random-seed"
681 688 rm -f "${R}/initrd.img"
682 689 rm -f "${R}/vmlinuz"
683 690 rm -f "${R}${QEMU_BINARY}"
684 691
685 692 if [ "$ENABLE_QEMU" = true ] ; then
686 693 # Setup QEMU directory
687 694 mkdir "${BASEDIR}/qemu"
688 695
689 696 # Copy kernel image to QEMU directory
690 697 install_readonly "${BOOT_DIR}/${KERNEL_IMAGE}" "${BASEDIR}/qemu/${KERNEL_IMAGE}"
691 698
692 699 # Copy kernel config to QEMU directory
693 700 install_readonly "${R}/boot/config-${KERNEL_VERSION}" "${BASEDIR}/qemu/config-${KERNEL_VERSION}"
694 701
695 702 # Copy kernel dtbs to QEMU directory
696 703 for dtb in "${BOOT_DIR}/"*.dtb ; do
697 704 if [ -f "${dtb}" ] ; then
698 705 install_readonly "${dtb}" "${BASEDIR}/qemu/"
699 706 fi
700 707 done
701 708
702 709 # Copy kernel overlays to QEMU directory
703 710 if [ -d "${BOOT_DIR}/overlays" ] ; then
704 711 # Setup overlays dtbs directory
705 712 mkdir "${BASEDIR}/qemu/overlays"
706 713
707 714 for dtb in "${BOOT_DIR}/overlays/"*.dtb ; do
708 715 if [ -f "${dtb}" ] ; then
709 716 install_readonly "${dtb}" "${BASEDIR}/qemu/overlays/"
710 717 fi
711 718 done
712 719 fi
713 720
714 721 # Copy u-boot files to QEMU directory
715 722 if [ "$ENABLE_UBOOT" = true ] ; then
716 723 if [ -f "${BOOT_DIR}/u-boot.bin" ] ; then
717 724 install_readonly "${BOOT_DIR}/u-boot.bin" "${BASEDIR}/qemu/u-boot.bin"
718 725 fi
719 726 if [ -f "${BOOT_DIR}/uboot.mkimage" ] ; then
720 727 install_readonly "${BOOT_DIR}/uboot.mkimage" "${BASEDIR}/qemu/uboot.mkimage"
721 728 fi
722 729 if [ -f "${BOOT_DIR}/boot.scr" ] ; then
723 730 install_readonly "${BOOT_DIR}/boot.scr" "${BASEDIR}/qemu/boot.scr"
724 731 fi
725 732 fi
726 733
727 734 # Copy initramfs to QEMU directory
728 735 if [ -f "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" ] ; then
729 736 install_readonly "${BOOT_DIR}/initramfs-${KERNEL_VERSION}" "${BASEDIR}/qemu/initramfs-${KERNEL_VERSION}"
730 737 fi
731 738 fi
732 739
733 740 # Calculate size of the chroot directory in KB
734 741 CHROOT_SIZE=$(expr "$(du -s "${R}" | awk '{ print $1 }')")
735 742
736 743 # Calculate the amount of needed 512 Byte sectors
737 744 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
738 745 FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
739 746 ROOT_OFFSET=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}")
740 747
741 748 # The root partition is EXT4
742 749 # This means more space than the actual used space of the chroot is used.
743 750 # As overhead for journaling and reserved blocks 35% are added.
744 751 ROOT_SECTORS=$(expr "$(expr "${CHROOT_SIZE}" + "${CHROOT_SIZE}" \/ 100 \* 35)" \* 1024 \/ 512)
745 752
746 753 # Calculate required image size in 512 Byte sectors
747 754 IMAGE_SECTORS=$(expr "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}")
748 755
749 756 # Prepare image file
750 757 if [ "$ENABLE_SPLITFS" = true ] ; then
751 758 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count="${TABLE_SECTORS}"
752 759 dd if=/dev/zero of="$IMAGE_NAME-frmw.img" bs=512 count=0 seek="${FRMW_SECTORS}"
753 760 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count="${TABLE_SECTORS}"
754 761 dd if=/dev/zero of="$IMAGE_NAME-root.img" bs=512 count=0 seek="${ROOT_SECTORS}"
755 762
756 763 # Write firmware/boot partition tables
757 764 sfdisk -q -L -uS -f "$IMAGE_NAME-frmw.img" 2> /dev/null <<EOM
758 765 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
759 766 EOM
760 767
761 768 # Write root partition table
762 769 sfdisk -q -L -uS -f "$IMAGE_NAME-root.img" 2> /dev/null <<EOM
763 770 ${TABLE_SECTORS},${ROOT_SECTORS},83
764 771 EOM
765 772
766 773 # Setup temporary loop devices
767 774 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME"-frmw.img)"
768 775 ROOT_LOOP="$(losetup -o 1M -f --show "$IMAGE_NAME"-root.img)"
769 776 else # ENABLE_SPLITFS=false
770 777 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count="${TABLE_SECTORS}"
771 778 dd if=/dev/zero of="$IMAGE_NAME.img" bs=512 count=0 seek="${IMAGE_SECTORS}"
772 779
773 780 # Write partition table
774 781 sfdisk -q -L -uS -f "$IMAGE_NAME.img" 2> /dev/null <<EOM
775 782 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
776 783 ${ROOT_OFFSET},${ROOT_SECTORS},83
777 784 EOM
778 785
779 786 # Setup temporary loop devices
780 787 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$IMAGE_NAME".img)"
781 788 ROOT_LOOP="$(losetup -o 65M -f --show "$IMAGE_NAME".img)"
782 789 fi
783 790
784 791 if [ "$ENABLE_CRYPTFS" = true ] ; then
785 792 # Create dummy ext4 fs
786 793 mkfs.ext4 "$ROOT_LOOP"
787 794
788 795 # Setup password keyfile
789 796 touch .password
790 797 chmod 600 .password
791 798 echo -n ${CRYPTFS_PASSWORD} > .password
792 799
793 800 # Initialize encrypted partition
794 801 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
795 802
796 803 # Open encrypted partition and setup mapping
797 804 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
798 805
799 806 # Secure delete password keyfile
800 807 shred -zu .password
801 808
802 809 # Update temporary loop device
803 810 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
804 811
805 812 # Wipe encrypted partition (encryption cipher is used for randomness)
806 813 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count="$(blockdev --getsz "${ROOT_LOOP}")"
807 814 fi
808 815
809 816 # Build filesystems
810 817 mkfs.vfat "$FRMW_LOOP"
811 818 mkfs.ext4 "$ROOT_LOOP"
812 819
813 820 # Mount the temporary loop devices
814 821 mkdir -p "$BUILDDIR/mount"
815 822 mount "$ROOT_LOOP" "$BUILDDIR/mount"
816 823
817 824 mkdir -p "$BUILDDIR/mount/boot/firmware"
818 825 mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
819 826
820 827 # Copy all files from the chroot to the loop device mount point directory
821 828 rsync -a "${R}/" "$BUILDDIR/mount/"
822 829
823 830 # Unmount all temporary loop devices and mount points
824 831 cleanup
825 832
826 833 # Create block map file(s) of image(s)
827 834 if [ "$ENABLE_SPLITFS" = true ] ; then
828 835 # Create block map files for "bmaptool"
829 836 bmaptool create -o "$IMAGE_NAME-frmw.bmap" "$IMAGE_NAME-frmw.img"
830 837 bmaptool create -o "$IMAGE_NAME-root.bmap" "$IMAGE_NAME-root.img"
831 838
832 839 # Image was successfully created
833 840 echo "$IMAGE_NAME-frmw.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
834 841 echo "$IMAGE_NAME-root.img ($(expr \( "${TABLE_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
835 842 else
836 843 # Create block map file for "bmaptool"
837 844 bmaptool create -o "$IMAGE_NAME.bmap" "$IMAGE_NAME.img"
838 845
839 846 # Image was successfully created
840 847 echo "$IMAGE_NAME.img ($(expr \( "${TABLE_SECTORS}" + "${FRMW_SECTORS}" + "${ROOT_SECTORS}" \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
841 848
842 849 # Create qemu qcow2 image
843 850 if [ "$ENABLE_QEMU" = true ] ; then
844 851 QEMU_IMAGE=${QEMU_IMAGE:=${BASEDIR}/qemu/${DATE}-${KERNEL_ARCH}-CURRENT-rpi${RPI_MODEL}-${RELEASE}-${RELEASE_ARCH}}
845 852 QEMU_SIZE=16G
846 853
847 854 qemu-img convert -f raw -O qcow2 "$IMAGE_NAME".img "$QEMU_IMAGE".qcow2
848 855 qemu-img resize "$QEMU_IMAGE".qcow2 $QEMU_SIZE
849 856
850 857 echo "$QEMU_IMAGE.qcow2 ($QEMU_SIZE)" ": successfully created"
851 858 fi
852 859 fi
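Review bot: the glob patterns in the "Clean up directories" / "Clean up files" block are inside double quotes, so `rm -rf "${R}/run/*"`, `rm -f "${ETC_DIR}/ssh/ssh_host_*"` and `rm -f "${ETC_DIR}/dropbear/dropbear_*"` never expand and remove nothing; any SSH or dropbear host keys generated in the chroot stay in the image, and every device flashed from it then shares them. Quote only the variable part, e.g. `rm -f "${ETC_DIR}"/ssh/ssh_host_*` (same for `/run/*`, `/tmp/*` and `${ETC_DIR}/*-`). The cryptfs block has the opposite quoting problem: `echo -n ${CRYPTFS_PASSWORD} > .password` is unquoted, so a passphrase with repeated whitespace or glob characters is rewritten by the shell before luksFormat sees it; use `printf '%s' "${CRYPTFS_PASSWORD}" > .password`.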