authorJan Wagner <mail@jwagner.eu>2016-03-12 17:18:39 +0100
committerJan Wagner <mail@jwagner.eu>2016-03-12 17:18:39 +0100
commit69e22e063597ae540d175a6044eedede3b012a4b (patch)
tree075303de6a568bc7c3de697ec975058ecdb13f04
parent4aa8ac6985680eb12ba5c82422ecc50e2bb55447 (diff)
parent061173da65b0b6061d7fa46066c69737bc4957fe (diff)
downloadrpi2-gen-image-69e22e063597ae540d175a6044eedede3b012a4b.tar.gz
rpi2-gen-image-69e22e063597ae540d175a6044eedede3b012a4b.tar.bz2
rpi2-gen-image-69e22e063597ae540d175a6044eedede3b012a4b.zip
vknecht-master-merge
-rw-r--r--README.md8
-rw-r--r--bootstrap.d/13-kernel.sh9
-rw-r--r--bootstrap.d/20-networking.sh2
-rw-r--r--functions.sh4
-rwxr-xr-xrpi2-gen-image.sh77
5 files changed, 77 insertions, 23 deletions
diff --git a/README.md b/README.md
index ee8ee9b..f7d8795 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,9 @@ password, use only in trusted environments.
##### `ENABLE_HARDNET`=false
Enable IPv4/IPv6 network stack hardening settings.
+##### `ENABLE_SPLITFS`=false
+Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
+
##### `CHROOT_SCRIPTS`=""
Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
@@ -212,3 +215,8 @@ After the image file was successfully created by the `rpi2-gen-image.sh` script
bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
```
+If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
+```shell
+bmaptool copy ./images/jessie/2015-12-13-debian-jessie-frmw.img /dev/mmcblk0
+bmaptool copy ./images/jessie/2015-12-13-debian-jessie-root.img /dev/sdc
+```
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index 87a33b7..8fa3b08 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -61,7 +61,11 @@ else
fi
# Set up firmware boot cmdline
-CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+else
+ CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+fi
# Set up serial console support (if requested)
if [ "$ENABLE_CONSOLE" = true ] ; then
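Review bot: The split-filesystem branch hard-codes `root=/dev/sda1`, which names whichever USB mass-storage device the kernel enumerates first, not necessarily the drive the `-root` image was written to. With a second USB storage device attached at boot, the Pi can end up mounting that device's first partition as `/`, so the booted root filesystem depends on what happens to be plugged in. A stable identifier avoids this, e.g. `root=PARTUUID=<disk-id-of-root-image>-01` (placeholder; the id would have to be read from the generated image), or at least an overridable variable for the root device. The `sed` rewrite of fstab in the next hunk of this file depends on the same device name. The two `CMDLINE` assignments differ only in the `root=` value and could share one string.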
@@ -110,6 +114,9 @@ install_readonly files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-b
# Create default fstab
install_readonly files/mount/fstab $R/etc/fstab
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab
+fi
# Avoid swapping and increase cache sizes
install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
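Review bot: The added `sed -i` operates on an unquoted, unguarded `$R/etc/fstab`; if `R` were ever empty when this file is sourced, the command would edit the build host's own `/etc/fstab`, and the build needs root for its `losetup`/`mount` steps. `sed -i 's/mmcblk0p2/sda1/' "${R:?}/etc/fstab"` aborts instead. The substitution also exits 0 when `mmcblk0p2` is not present, so a later change to `files/mount/fstab` would leave fstab and the kernel command line naming different root devices without any error; a `grep -q sda1 "$R/etc/fstab"` check afterwards would catch that.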
diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh
index 051c172..61270d4 100644
--- a/bootstrap.d/20-networking.sh
+++ b/bootstrap.d/20-networking.sh
@@ -60,7 +60,7 @@ chroot_exec systemctl enable systemd-networkd
# Enable network stack hardening
if [ "$ENABLE_HARDNET" = true ] ; then
- install_readonly files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
+ install_readonly files/sysctl.d/82-rpi-net-hardening.conf $R/etc/sysctl.d/82-rpi-net-hardening.conf
# Enable resolver warnings about spoofed addresses
cat <<EOM >>$R/etc/host.conf
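Review bot: Nothing under `files/sysctl.d/` appears in this commit's diffstat, so it is worth confirming that `files/sysctl.d/82-rpi-net-hardening.conf` already exists in the tree. If it does not, `install_readonly` fails on this line and, unless the script aborts on errors (not visible in this hunk), an image built with `ENABLE_HARDNET=true` would ship without the network hardening sysctls. The heredoc that follows continues outside the hunk.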
diff --git a/functions.sh b/functions.sh
index f64fb97..36f6bc3 100644
--- a/functions.sh
+++ b/functions.sh
@@ -17,8 +17,8 @@ cleanup (){
umount -l $R/dev/pts 2> /dev/null
umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
umount "$BUILDDIR/mount" 2> /dev/null
- losetup -d "$EXT4_LOOP" 2> /dev/null
- losetup -d "$VFAT_LOOP" 2> /dev/null
+ losetup -d "$ROOT_LOOP" 2> /dev/null
+ losetup -d "$FRMW_LOOP" 2> /dev/null
trap - 0 1 2 3 6
}
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index 2cb1277..39d5a76 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -81,6 +81,7 @@ ENABLE_UBOOT=${ENABLE_UBOOT:=false}
ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
ENABLE_HARDNET=${ENABLE_HARDNET:=false}
ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
+ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
# Kernel compilation settings
BUILD_KERNEL=${BUILD_KERNEL:=false}
@@ -259,8 +260,8 @@ CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
# Calculate the amount of needed 512 Byte sectors
TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
-BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
-ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
+FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
+ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})
# The root partition is EXT4
# This means more space than the actual used space of the chroot is used.
@@ -268,37 +269,64 @@ ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
# Calculate required image size in 512 Byte sectors
-IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
+IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS})
# Prepare date string for image file name
DATE="$(date +%Y-%m-%d)"
# Prepare image file
-dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
-dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
+ # Write partition tables
+ sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM
+unit: sectors
-# Write partition table
-sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
+1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
+2 : start= 0, size= 0, Id= 0
+3 : start= 0, size= 0, Id= 0
+4 : start= 0, size= 0, Id= 0
+EOM
+ sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM
+unit: sectors
+
+1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83
+2 : start= 0, size= 0, Id= 0
+3 : start= 0, size= 0, Id= 0
+4 : start= 0, size= 0, Id= 0
+EOM
+ # Set up temporary loop devices
+ FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
+ ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
+else
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+ # Write partition table
+ sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
unit: sectors
-1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
+1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable
2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
3 : start= 0, size= 0, Id= 0
4 : start= 0, size= 0, Id= 0
EOM
+ # Set up temporary loop devices
+ FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
+ ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
+fi
-# Set up temporary loop devices and build filesystems
-VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
-EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
-mkfs.vfat "$VFAT_LOOP"
-mkfs.ext4 "$EXT4_LOOP"
+# Build filesystems
+mkfs.vfat "$FRMW_LOOP"
+mkfs.ext4 "$ROOT_LOOP"
# Mount the temporary loop devices
mkdir -p "$BUILDDIR/mount"
-mount "$EXT4_LOOP" "$BUILDDIR/mount"
+mount "$ROOT_LOOP" "$BUILDDIR/mount"
mkdir -p "$BUILDDIR/mount/boot/firmware"
-mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
+mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
# Copy all files from the chroot to the loop device mount point directory
rsync -a "$R/" "$BUILDDIR/mount/"
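Review bot: In the `ENABLE_SPLITFS` branch both image files are 1 MiB smaller than the partition tables written into them. The `-frmw` file is extended to `seek=${FRMW_SECTORS}` and the `-root` file to `seek=${ROOT_SECTORS}`, yet partition 1 in each starts at `${TABLE_SECTORS}` and has the full `FRMW_SECTORS` / `ROOT_SECTORS` size, so it runs past the end of the file and the filesystem built on the loop device is shorter than its partition. The sizes should include the table offset: `count=0 seek=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})` and `count=0 seek=$(expr ${TABLE_SECTORS} + ${ROOT_SECTORS})`. The `losetup` results are also used without a check, so a failed attach passes an empty string to `mkfs` and `mount`.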
@@ -306,8 +334,19 @@ rsync -a "$R/" "$BUILDDIR/mount/"
# Unmount all temporary loop devices and mount points
cleanup
-# Create block map file for "bmaptool"
-bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
+# Create block map file(s) of image(s)
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ # Create block map files for "bmaptool"
+ bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img"
+ bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img"
-# Image was successfully created
-echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
+ # Image was successfully created
+ echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+ echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr ${TABLE_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+else
+ # Create block map file for "bmaptool"
+ bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
+
+ # Image was successfully created
+ echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+fi
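Review bot: The size printed by the three new `echo` lines is wrong because `expr` applies `\*` and `\/` before `+`, so `${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024` evaluates to 2048 + 64 and reports "2112M" for the firmware image. Grouping the sum first fixes it, e.g. `$(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M`, and likewise for the `-root` and single-image messages. A short comment noting that the values are 512-byte sectors converted to MiB would help the next reader.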