Merge branch 'master' of https://github.com/fpytloun/rpi2-gen-image into fpytloun-master

17 files changed, 455 insertions, 340 deletions

diff --git a/README.md b/README.md
index 912c7ce..9afe18b 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,9 @@ Set default system locale. This setting can also be changed inside the running O
 ##### `TIMEZONE`="Europe/Berlin"
 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
 
+##### `EXPANDROOT`=true
+Expand the root partition and filesystem automatically on first boot.
+
 #### Keyboard settings:
 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
 ##### `XKBMODEL`=""
@@ -87,6 +90,10 @@ Enable IPv6 support. The network interface configuration is managed via systemd-
 ##### `ENABLE_SSHD`=true
 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
 
+##### `ENABLE_RSYSLOG`=true
+If set to false, disable and uninstall rsyslog (so logs will be available only
+in journal files)
+
 ##### `ENABLE_SOUND`=true
 Enable sound hardware and install Advanced Linux Sound Architecture.
 
@@ -118,6 +125,16 @@ Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please
 ##### `ENABLE_IPTABLES`=false
 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
 
+##### `ENABLE_USER`=true
+Create pi user with password raspberry
+
+##### `ENABLE_ROOT`=true
+Set root user password so root login will be enabled
+
+##### `ENABLE_ROOT_SSH`=true
+Enable password root login via SSH. May be a security risk with default
+password, use only in trusted environments.
+
 ##### `ENABLE_HARDNET`=false
 Enable IPv4/IPv6 network stack hardening settings.
 
diff --git a/files/config.txt b/files/config.txt
new file mode 100644
index 0000000..7491765
--- /dev/null
+++ b/files/config.txt
@@ -0,0 +1,43 @@
+# For more options and information see
+# http://www.raspberrypi.org/documentation/configuration/config-txt.md
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+#disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+# uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800
diff --git a/files/firstboot/10-begin.sh b/files/firstboot/10-begin.sh
new file mode 100644
index 0000000..6258bb7
--- /dev/null
+++ b/files/firstboot/10-begin.sh
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+logger -t "rc.firstboot" "Starting first boot actions"
diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/21-generate-ssh-keys.sh
new file mode 100644
index 0000000..a6c567c
--- /dev/null
+++ b/files/firstboot/21-generate-ssh-keys.sh
@@ -0,0 +1,8 @@
+logger -t "rc.firstboot" "Generating SSH host keys"
+rm -f /etc/ssh/ssh_host_*
+ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+
+systemctl restart sshd
diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/22-expandroot.sh
new file mode 100644
index 0000000..00b94af
--- /dev/null
+++ b/files/firstboot/22-expandroot.sh
@@ -0,0 +1,52 @@
+logger -t "rc.firstboot" "Expanding root"
+ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+case "${ROOT_PART}" in
+  mmcblk0*) ROOT_DEV=mmcblk0 ;;
+  sda*)     ROOT_DEV=sda ;;
+esac
+if [ "$PART_NUM" = "$ROOT_PART" ]; then
+  logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
+  return 0
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ]; then
+  logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
+  return 0
+fi
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+  logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
+  return 0
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+[ "$PART_START" ] || return 1
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+[ "$PART_LAST" ] || return 1
+
+# Return value will likely be error for fdisk as it fails to reload the
+# partition table because the root fs is mounted
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} <<EOF2 || true
+p
+d
+$PART_NUM
+n
+p
+$PART_NUM
+$PART_START
+$PART_LAST
+p
+w
+EOF2
+
+# Reload the partition table, resize root filesystem then remove resizing code from this file
+partprobe &&
+  resize2fs /dev/${ROOT_PART} &&
+  logger -t "rc.firstboot" "Root partition successfuly resized."
diff --git a/files/firstboot/99-finish.sh b/files/firstboot/99-finish.sh
new file mode 100644
index 0000000..f3f64b5
--- /dev/null
+++ b/files/firstboot/99-finish.sh
@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "First boot actions finished"
+rm -f /etc/rc.firstboot
+sed -i '/.*rc.firstboot/d' /etc/rc.local
diff --git a/files/fstab b/files/fstab
new file mode 100644
index 0000000..4ec06e9
--- /dev/null
+++ b/files/fstab
@@ -0,0 +1,2 @@
+/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
+/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
diff --git a/files/iptables/flush-ip6tables.sh b/files/iptables/flush-ip6tables.sh
new file mode 100644
index 0000000..498e97f
--- /dev/null
+++ b/files/iptables/flush-ip6tables.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+
+for table in $(</proc/net/ip6_tables_names)
+do
+  ip6tables -t \$table -F
+  ip6tables -t \$table -X
+  ip6tables -t \$table -Z
+done
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
diff --git a/files/iptables/flush-iptables.sh b/files/iptables/flush-iptables.sh
new file mode 100644
index 0000000..6336455
--- /dev/null
+++ b/files/iptables/flush-iptables.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
diff --git a/files/iptables/ip6tables.rules b/files/iptables/ip6tables.rules
new file mode 100644
index 0000000..30e8b36
--- /dev/null
+++ b/files/iptables/ip6tables.rules
@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT
diff --git a/files/iptables/ip6tables.service b/files/iptables/ip6tables.service
new file mode 100644
index 0000000..bb1644f
--- /dev/null
+++ b/files/iptables/ip6tables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/etc/iptables/flush-ip6tables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/iptables/iptables.rules b/files/iptables/iptables.rules
new file mode 100644
index 0000000..2fc4ca4
--- /dev/null
+++ b/files/iptables/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Rate limit ping requests
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-rst
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT
diff --git a/files/iptables/iptables.service b/files/iptables/iptables.service
new file mode 100644
index 0000000..f5a1e89
--- /dev/null
+++ b/files/iptables/iptables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/modprobe.d/raspi-blacklist.conf b/files/modprobe.d/raspi-blacklist.conf
new file mode 100644
index 0000000..0134f30
--- /dev/null
+++ b/files/modprobe.d/raspi-blacklist.conf
@@ -0,0 +1,9 @@
+blacklist snd_soc_core
+blacklist snd_pcm
+blacklist snd_pcm_dmaengine
+blacklist snd_timer
+blacklist snd_compress
+blacklist snd_soc_pcm512x_i2c
+blacklist snd_soc_pcm512x
+blacklist snd_soc_tas5713
+blacklist snd_soc_wm8804
diff --git a/files/sysctl.d/81-rpi-vm.conf b/files/sysctl.d/81-rpi-vm.conf
new file mode 100644
index 0000000..b818fc6
--- /dev/null
+++ b/files/sysctl.d/81-rpi-vm.conf
@@ -0,0 +1,6 @@
+# Avoid swapping and increase cache sizes
+vm.swappiness=1
+vm.dirty_background_ratio=20
+vm.dirty_ratio=40
+vm.dirty_writeback_centisecs=500
+vm.dirty_expire_centisecs=6000
diff --git a/files/sysctl.d/82-rpi-net-hardening.conf b/files/sysctl.d/82-rpi-net-hardening.conf
new file mode 100644
index 0000000..8ee6299
--- /dev/null
+++ b/files/sysctl.d/82-rpi-net-hardening.conf
@@ -0,0 +1,59 @@
+# Enable network stack hardening
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_syncookies=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.lo.accept_redirects=0
+net.ipv4.conf.lo.send_redirects=0
+net.ipv4.conf.lo.accept_source_route=0
+net.ipv4.conf.eth0.accept_redirects=0
+net.ipv4.conf.eth0.send_redirects=0
+net.ipv4.conf.eth0.accept_source_route=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.router_solicitations=0
+net.ipv6.conf.all.accept_ra_rtr_pref=0
+net.ipv6.conf.all.accept_ra_pinfo=0
+net.ipv6.conf.all.accept_ra_defrtr=0
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.dad_transmits=0
+net.ipv6.conf.all.max_addresses=1
+
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.default.router_solicitations=0
+net.ipv6.conf.default.accept_ra_rtr_pref=0
+net.ipv6.conf.default.accept_ra_pinfo=0
+net.ipv6.conf.default.accept_ra_defrtr=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.dad_transmits=0
+net.ipv6.conf.default.max_addresses=1
+
+net.ipv6.conf.lo.accept_redirects=0
+net.ipv6.conf.lo.accept_source_route=0
+net.ipv6.conf.lo.router_solicitations=0
+net.ipv6.conf.lo.accept_ra_rtr_pref=0
+net.ipv6.conf.lo.accept_ra_pinfo=0
+net.ipv6.conf.lo.accept_ra_defrtr=0
+net.ipv6.conf.lo.autoconf=0
+net.ipv6.conf.lo.dad_transmits=0
+net.ipv6.conf.lo.max_addresses=1
+
+net.ipv6.conf.eth0.accept_redirects=0
+net.ipv6.conf.eth0.accept_source_route=0
+net.ipv6.conf.eth0.router_solicitations=0
+net.ipv6.conf.eth0.accept_ra_rtr_pref=0
+net.ipv6.conf.eth0.accept_ra_pinfo=0
+net.ipv6.conf.eth0.accept_ra_defrtr=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.dad_transmits=0
+net.ipv6.conf.eth0.max_addresses=1
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index c974731..f86a7ca 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -30,11 +30,17 @@ cleanup (){
   trap - 0 1 2 3 6
 }
 
+# Exec command in chroot
+chroot_exec() {
+  LANG=C LC_ALL=C chroot $R $*
+}
+
 set -e
 set -x
 
 # Debian release
 RELEASE=${RELEASE:=jessie}
+KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
 
 # Build settings
 BASEDIR=./images/${RELEASE}
@@ -49,6 +55,7 @@ XKBMODEL=${XKBMODEL:=""}
 XKBLAYOUT=${XKBLAYOUT:=""}
 XKBVARIANT=${XKBVARIANT:=""}
 XKBOPTIONS=${XKBOPTIONS:=""}
+EXPANDROOT=${EXPANDROOT:=true}
 
 # Network settings
 ENABLE_DHCP=${ENABLE_DHCP:=true}
@@ -76,6 +83,10 @@ ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
 ENABLE_XORG=${ENABLE_XORG:=false}
 ENABLE_WM=${ENABLE_WM:=""}
+ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
+ENABLE_USER=${ENABLE_USER:=true}
+ENABLE_ROOT=${ENABLE_ROOT:=false}
+ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
 
 # Advanced settings
 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
@@ -148,6 +159,11 @@ else
   APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
 fi
 
+# Add parted package, required to get partprobe utility
+if [ "$EXPANDROOT" = true ] ; then
+  APT_INCLUDES="${APT_INCLUDES},parted"
+fi
+
 # Add dbus package, recommended if using systemd
 if [ "$ENABLE_DBUS" = true ] ; then
   APT_INCLUDES="${APT_INCLUDES},dbus"
@@ -173,6 +189,10 @@ if [ "$ENABLE_HWRANDOM" = true ] ; then
   APT_INCLUDES="${APT_INCLUDES},rng-tools"
 fi
 
+if [ "$ENABLE_USER" = true ]; then
+  APT_INCLUDES="${APT_INCLUDES},sudo"
+fi
+
 # Add fbturbo video driver
 if [ "$ENABLE_FBTURBO" = true ] ; then
   # Enable xorg package dependencies
@@ -228,12 +248,12 @@ EOM
 
 # Set up timezone
 echo ${TIMEZONE} >$R/etc/timezone
-LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
+chroot_exec dpkg-reconfigure -f noninteractive tzdata
 
 # Upgrade collabora package index and install collabora keyring
 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
-LANG=C chroot $R apt-get -qq -y update
-LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
+chroot_exec apt-get -qq -y update
+chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
 
 # Set up initial sources.list
 cat <<EOM >$R/etc/apt/sources.list
@@ -250,8 +270,8 @@ deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
 EOM
 
 # Upgrade package index and update all installed packages and changed dependencies
-LANG=C chroot $R apt-get -qq -y update
-LANG=C chroot $R apt-get -qq -y -u dist-upgrade
+chroot_exec apt-get -qq -y update
+chroot_exec apt-get -qq -y -u dist-upgrade
 
 # Set up default locale and keyboard configuration
 if [ "$ENABLE_MINBASE" = false ] ; then
@@ -259,60 +279,50 @@ if [ "$ENABLE_MINBASE" = false ] ; then
   # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
   # ... so we have to set locales manually
   if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
-    LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
+    chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
   else
     # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
-    LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
-    LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
+    chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
+    chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
   fi
-  LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
-  LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
-  LANG=C chroot $R locale-gen
-  LANG=C chroot $R update-locale LANG=${DEFLOCAL}
+  chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
+  chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
+  chroot_exec locale-gen
+  chroot_exec update-locale LANG=${DEFLOCAL}
 
   # Keyboard configuration, if requested
   if [ "$XKBMODEL" != "" ] ; then
-    LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
+    chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
   fi
   if [ "$XKBLAYOUT" != "" ] ; then
-    LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
+    chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
   fi
   if [ "$XKBVARIANT" != "" ] ; then
-    LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
+    chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
   fi
   if [ "$XKBOPTIONS" != "" ] ; then
-    LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
+    chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
   fi
-  LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
+  chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
   # Set up font console
   case "${DEFLOCAL}" in
     *UTF-8)
-      LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
+      chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
       ;;
     *)
-      LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
+      chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
       ;;
   esac
-  LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
+  chroot_exec dpkg-reconfigure -f noninteractive console-setup
 fi
 
 # Kernel installation
 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
-LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
-LANG=C chroot $R apt-get -qq -y install flash-kernel
+chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
+chroot_exec apt-get -qq -y install flash-kernel
 
 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
 [ -z "$VMLINUZ" ] && exit 1
-mkdir -p $R/boot/firmware
-
-# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
-wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
-wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
-wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
-wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
-wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
-wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
-wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
 cp $VMLINUZ $R/boot/firmware/kernel7.img
 
 # Set up IPv4 hosts
@@ -374,17 +384,27 @@ EOM
 fi
 
 # Enable systemd-networkd service
-LANG=C chroot $R systemctl enable systemd-networkd
+chroot_exec systemctl enable systemd-networkd
 
 # Generate crypt(3) password string
 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
 
 # Set up default user
-LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
-LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
+if [ "$ENABLE_USER" = true ] ; then
+  chroot_exec adduser --gecos \"Raspberry\ PI\ user\" --add_extra_groups --disabled-password pi
+  chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
+fi
+
+# Set up root password or not
+if [ "$ENABLE_ROOT" = true ]; then
+  chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
 
-# Set up root password
-LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
+  if [ "$ENABLE_ROOT_SSH" = true ]; then
+    sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
+  fi
+else
+  chroot_exec usermod -p \'!\' root
+fi
 
 # Set up firmware boot cmdline
 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
@@ -402,51 +422,7 @@ fi
 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
 
 # Set up firmware config
-cat <<EOM >$R/boot/firmware/config.txt
-# For more options and information see
-# http://www.raspberrypi.org/documentation/configuration/config-txt.md
-# Some settings may impact device functionality. See link above for details
-
-# uncomment if you get no picture on HDMI for a default "safe" mode
-#hdmi_safe=1
-
-# uncomment this if your display has a black border of unused pixels visible
-# and your display can output without overscan
-#disable_overscan=1
-
-# uncomment the following to adjust overscan. Use positive numbers if console
-# goes off screen, and negative if there is too much border
-#overscan_left=16
-#overscan_right=16
-#overscan_top=16
-#overscan_bottom=16
-
-# uncomment to force a console size. By default it will be display's size minus
-# overscan.
-#framebuffer_width=1280
-#framebuffer_height=720
-
-# uncomment if hdmi display is not detected and composite is being output
-#hdmi_force_hotplug=1
-
-# uncomment to force a specific HDMI mode (this will force VGA)
-#hdmi_group=1
-#hdmi_mode=1
-
-# uncomment to force a HDMI mode rather than DVI. This can make audio work in
-# DMT (computer monitor) modes
-#hdmi_drive=2
-
-# uncomment to increase signal to HDMI, if you have interference, blanking, or
-# no display
-#config_hdmi_boost=4
-
-# uncomment for composite PAL
-#sdtv_mode=2
-
-# uncomment to overclock the arm. 700 MHz is the default.
-#arm_freq=800
-EOM
+install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
 
 # Load snd_bcm2835 kernel module at boot time
 if [ "$ENABLE_SOUND" = true ] ; then
@@ -476,99 +452,17 @@ fi
 mkdir -p $R/etc/modprobe.d/
 
 # Blacklist sound modules
-cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
-blacklist snd_soc_core
-blacklist snd_pcm
-blacklist snd_pcm_dmaengine
-blacklist snd_timer
-blacklist snd_compress
-blacklist snd_soc_pcm512x_i2c
-blacklist snd_soc_pcm512x
-blacklist snd_soc_tas5713
-blacklist snd_soc_wm8804
-EOM
+install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
 
 # Create default fstab
-cat <<EOM >$R/etc/fstab
-/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
-/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
-EOM
-
-# Avoid swapping and increase cache sizes
-cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
+install -o root -g root -m 644 files/fstab $R/etc/fstab
 
 # Avoid swapping and increase cache sizes
-vm.swappiness=1
-vm.dirty_background_ratio=20
-vm.dirty_ratio=40
-vm.dirty_writeback_centisecs=500
-vm.dirty_expire_centisecs=6000
-EOM
+install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
 
 # Enable network stack hardening
 if [ "$ENABLE_HARDNET" = true ] ; then
-  cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
-
-# Enable network stack hardening
-net.ipv4.tcp_timestamps=0
-net.ipv4.tcp_syncookies=1
-net.ipv4.conf.all.rp_filter=1
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.default.send_redirects=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.lo.accept_redirects=0
-net.ipv4.conf.lo.send_redirects=0
-net.ipv4.conf.lo.accept_source_route=0
-net.ipv4.conf.eth0.accept_redirects=0
-net.ipv4.conf.eth0.send_redirects=0
-net.ipv4.conf.eth0.accept_source_route=0
-net.ipv4.icmp_echo_ignore_broadcasts=1
-net.ipv4.icmp_ignore_bogus_error_responses=1
-
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.all.accept_source_route=0
-net.ipv6.conf.all.router_solicitations=0
-net.ipv6.conf.all.accept_ra_rtr_pref=0
-net.ipv6.conf.all.accept_ra_pinfo=0
-net.ipv6.conf.all.accept_ra_defrtr=0
-net.ipv6.conf.all.autoconf=0
-net.ipv6.conf.all.dad_transmits=0
-net.ipv6.conf.all.max_addresses=1
-
-net.ipv6.conf.default.accept_redirects=0
-net.ipv6.conf.default.accept_source_route=0
-net.ipv6.conf.default.router_solicitations=0
-net.ipv6.conf.default.accept_ra_rtr_pref=0
-net.ipv6.conf.default.accept_ra_pinfo=0
-net.ipv6.conf.default.accept_ra_defrtr=0
-net.ipv6.conf.default.autoconf=0
-net.ipv6.conf.default.dad_transmits=0
-net.ipv6.conf.default.max_addresses=1
-
-net.ipv6.conf.lo.accept_redirects=0
-net.ipv6.conf.lo.accept_source_route=0
-net.ipv6.conf.lo.router_solicitations=0
-net.ipv6.conf.lo.accept_ra_rtr_pref=0
-net.ipv6.conf.lo.accept_ra_pinfo=0
-net.ipv6.conf.lo.accept_ra_defrtr=0
-net.ipv6.conf.lo.autoconf=0
-net.ipv6.conf.lo.dad_transmits=0
-net.ipv6.conf.lo.max_addresses=1
-
-net.ipv6.conf.eth0.accept_redirects=0
-net.ipv6.conf.eth0.accept_source_route=0
-net.ipv6.conf.eth0.router_solicitations=0
-net.ipv6.conf.eth0.accept_ra_rtr_pref=0
-net.ipv6.conf.eth0.accept_ra_pinfo=0
-net.ipv6.conf.eth0.accept_ra_defrtr=0
-net.ipv6.conf.eth0.autoconf=0
-net.ipv6.conf.eth0.dad_transmits=0
-net.ipv6.conf.eth0.max_addresses=1
-EOM
+  install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
 
 # Enable resolver warnings about spoofed addresses
   cat <<EOM >>$R/etc/host.conf
@@ -576,15 +470,36 @@ spoof warn
 EOM
 fi
 
-# Regenerate openssh server host keys
+# First boot actions
+cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
+
+# Ensure openssh server host keys are regenerated on first boot
 if [ "$ENABLE_SSHD" = true ] ; then
-  rm -fr $R/etc/ssh/ssh_host_*
-  LANG=C chroot $R dpkg-reconfigure openssh-server
+  cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
+  rm -f $R/etc/ssh/ssh_host_*
+fi
+
+if [ "$EXPANDROOT" = true ] ; then
+  cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
+fi
+
+cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
+chmod +x $R/etc/rc.firstboot
+
+sed -i '/exit 0/d' $R/etc/rc.local
+echo /etc/rc.firstboot >> $R/etc/rc.local
+echo exit 0 >> $R/etc/rc.local
+
+# Disable rsyslog
+if [ "$ENABLE_RSYSLOG" = false ]; then
+  sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
+  chroot_exec systemctl disable rsyslog
+  chroot_exec apt-get purge -q -y --force-yes rsyslog
 fi
 
 # Enable serial console systemd style
 if [ "$ENABLE_CONSOLE" = true ] ; then
-  LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
+  chroot_exec systemctl enable serial-getty\@ttyAMA0.service
 fi
 
 # Enable firewall based on iptables started by systemd service
@@ -593,177 +508,30 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
   mkdir -p "$R/etc/iptables"
 
   # Create iptables systemd service
-  cat <<EOM >$R/etc/systemd/system/iptables.service
-[Unit]
-Description=Packet Filtering Framework
-DefaultDependencies=no
-After=systemd-sysctl.service
-Before=sysinit.target
-[Service]
-Type=oneshot
-ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
-ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
-ExecStop=/etc/iptables/flush-iptables.sh
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target
-EOM
+  install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
 
   # Create flush-table script called by iptables service
-  cat <<EOM >$R/etc/iptables/flush-iptables.sh
-#!/bin/sh
-iptables -F
-iptables -X
-iptables -t nat -F
-iptables -t nat -X
-iptables -t mangle -F
-iptables -t mangle -X
-iptables -P INPUT ACCEPT
-iptables -P FORWARD ACCEPT
-iptables -P OUTPUT ACCEPT
-EOM
+  install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
 
   # Create iptables rule file
-  cat <<EOM >$R/etc/iptables/iptables.rules
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-:TCP - [0:0]
-:UDP - [0:0]
-:SSH - [0:0]
-
-# Rate limit ping requests
--A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
--A INPUT -p icmp --icmp-type echo-request -j DROP
-
-# Accept established connections
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Accept all traffic on loopback interface
--A INPUT -i lo -j ACCEPT
-
-# Drop packets declared invalid
--A INPUT -m conntrack --ctstate INVALID -j DROP
-
-# SSH rate limiting
--A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
--A SSH -m recent --name sshbf --set -j ACCEPT
-
-# Send TCP and UDP connections to their respective rules chain
--A INPUT -p udp -m conntrack --ctstate NEW -j UDP
--A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-
-# Reject dropped packets with a RFC compliant responce
--A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--A INPUT -p tcp -j REJECT --reject-with tcp-rst
--A INPUT -j REJECT --reject-with icmp-proto-unreachable
-
-## TCP PORT RULES
-# -A TCP -p tcp -j LOG
-
-## UDP PORT RULES
-# -A UDP -p udp -j LOG
-
-COMMIT
-EOM
+  install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
 
   # Reload systemd configuration and enable iptables service
-  LANG=C chroot $R systemctl daemon-reload
-  LANG=C chroot $R systemctl enable iptables.service
+  chroot_exec systemctl daemon-reload
+  chroot_exec systemctl enable iptables.service
 
   if [ "$ENABLE_IPV6" = true ] ; then
     # Create ip6tables systemd service
-    cat <<EOM >$R/etc/systemd/system/ip6tables.service
-[Unit]
-Description=Packet Filtering Framework
-DefaultDependencies=no
-After=systemd-sysctl.service
-Before=sysinit.target
-[Service]
-Type=oneshot
-ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
-ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
-ExecStop=/etc/iptables/flush-ip6tables.sh
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target
-EOM
+    install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
 
     # Create ip6tables file
-    cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
-#!/bin/sh
-ip6tables -F
-ip6tables -X
-ip6tables -Z
-for table in $(</proc/net/ip6_tables_names)
-do
-        ip6tables -t \$table -F
-        ip6tables -t \$table -X
-        ip6tables -t \$table -Z
-done
-ip6tables -P INPUT ACCEPT
-ip6tables -P OUTPUT ACCEPT
-ip6tables -P FORWARD ACCEPT
-EOM
-
-    # Create ip6tables rule file
-    cat <<EOM >$R/etc/iptables/ip6tables.rules
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-:TCP - [0:0]
-:UDP - [0:0]
-:SSH - [0:0]
+    install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
 
-# Drop packets with RH0 headers
--A INPUT -m rt --rt-type 0 -j DROP
--A OUTPUT -m rt --rt-type 0 -j DROP
--A FORWARD -m rt --rt-type 0 -j DROP
+    install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
 
-# Rate limit ping requests
--A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
--A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
-
-# Accept established connections
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# Accept all traffic on loopback interface
--A INPUT -i lo -j ACCEPT
-
-# Drop packets declared invalid
--A INPUT -m conntrack --ctstate INVALID -j DROP
-
-# SSH rate limiting
--A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
--A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
--A SSH -m recent --name sshbf --set -j ACCEPT
-
-# Send TCP and UDP connections to their respective rules chain
--A INPUT -p udp -m conntrack --ctstate NEW -j UDP
--A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-
-# Reject dropped packets with a RFC compliant responce
--A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
--A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
--A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-
-## TCP PORT RULES
-# -A TCP -p tcp -j LOG
-
-## UDP PORT RULES
-# -A UDP -p udp -j LOG
-
-COMMIT
-EOM
-
-  # Reload systemd configuration and enable iptables service
-  LANG=C chroot $R systemctl daemon-reload
-  LANG=C chroot $R systemctl enable ip6tables.service
+    # Reload systemd configuration and enable iptables service
+    chroot_exec systemctl daemon-reload
+    chroot_exec systemctl enable ip6tables.service
   fi
 fi
 
@@ -775,7 +543,7 @@ fi
 
 # Install gcc/c++ build environment inside the chroot
 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
-  LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
+  chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
 fi
 
 # Fetch and build U-Boot bootloader
@@ -784,7 +552,7 @@ if [ "$ENABLE_UBOOT" = true ] ; then
   git -C $R/tmp clone git://git.denx.de/u-boot.git
 
   # Build and install U-Boot inside chroot
-  LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
+  chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
 
   # Copy compiled bootloader binary and set config.txt to load it
   cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
@@ -809,7 +577,7 @@ bootz \${kernel_addr_r}
 EOM
 
   # Generate U-Boot image from command file
-  LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
+  chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
 fi
 
 # Fetch and build fbturbo Xorg driver
@@ -818,10 +586,10 @@ if [ "$ENABLE_FBTURBO" = true ] ; then
   git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
 
   # Install Xorg build dependencies
-  LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
+  chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
 
   # Build and install fbturbo driver inside chroot
-  LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
+  chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
 
   # Add fbturbo driver to Xorg configuration
   cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
@@ -834,18 +602,18 @@ EndSection
 EOM
 
   # Remove Xorg build dependencies
-  LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
+  chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
 fi
 
 # Remove gcc/c++ build environment from the chroot
 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
-  LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
+  chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
 fi
 
 # Clean cached downloads
-LANG=C chroot $R apt-get -y clean
-LANG=C chroot $R apt-get -y autoclean
-LANG=C chroot $R apt-get -y autoremove
+chroot_exec apt-get -y clean
+chroot_exec apt-get -y autoclean
+chroot_exec apt-get -y autoremove
 
 # Unmount mounted filesystems
 umount -l $R/proc