From d0f91512d9ca6d361d8a4a387094c48aab00e111 Mon Sep 17 00:00:00 2001
From: Jan Wagner
Date: Tue, 19 Apr 2016 15:10:50 +0200
Subject: fix: ENABLE_CRYPTFS -> UBOOT, SPLITFS, EXPANDROOT - cleanup
---
 README.md | 5 +-
 bootstrap.d/10-bootstrap.sh | 14 +--
 bootstrap.d/11-apt.sh | 16 ++--
 bootstrap.d/12-locale.sh | 20 ++--
 bootstrap.d/13-kernel.sh | 140 ++++++++++++++++------
 bootstrap.d/20-networking.sh | 30 +++---
 bootstrap.d/21-firewall.sh | 18 ++--
 bootstrap.d/30-security.sh | 2 +-
 bootstrap.d/31-logging.sh | 2 +-
 bootstrap.d/41-uboot.sh | 52 +++++++++--
 bootstrap.d/42-fbturbo.sh | 6 +-
 bootstrap.d/50-firstboot.sh | 25 +++--
 bootstrap.d/99-reduce.sh | 34 +++----
 files/boot/uboot.mkimage | 6 +-
 files/firstboot/21-generate-ssh-keys.sh | 6 ++
 files/firstboot/22-expandroot.sh | 18 +++-
 files/firstboot/23-generate-machineid.sh | 3 -
 files/firstboot/23-regenerate-initramfs.sh | 31 ++++++
 files/firstboot/24-create-resolv-symlink.sh | 15 ---
 files/firstboot/24-generate-machineid.sh | 3 +
 files/firstboot/25-create-resolv-symlink.sh | 15 +++
 files/initramfs/expand-premount | 19 ++++
 files/initramfs/expand-tools | 19 ++++
 files/initramfs/expand_encrypted_rootfs | 85 +++++++++++++++++
 functions.sh | 12 +--
 rpi2-gen-image.sh | 50 +++++-----
 26 files changed, 448 insertions(+), 198 deletions(-)
 delete mode 100644 files/firstboot/23-generate-machineid.sh
 create mode 100644 files/firstboot/23-regenerate-initramfs.sh
 delete mode 100644 files/firstboot/24-create-resolv-symlink.sh
 create mode 100644 files/firstboot/24-generate-machineid.sh
 create mode 100644 files/firstboot/25-create-resolv-symlink.sh
 create mode 100755 files/initramfs/expand-premount
 create mode 100755 files/initramfs/expand-tools
 create mode 100644 files/initramfs/expand_encrypted_rootfs
diff --git a/README.md b/README.md
index 1f91c88..f02d286 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 ## Build dependencies
 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
- ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core```
+ ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git```
 ## Command-line parameters
 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
@@ -226,7 +226,7 @@ Remove all `locale` translation files.
 #### Encrypted root partition:
 ##### `ENABLE_CRYPTFS`=false
-Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. `ENABLE_UBOOT`, `ENABLE_SPLITFS`, `EXPANDROOT` and SSH-to-initramfs are currently not supported but will be soon - feel free to help.
+Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
 ##### `CRYPTFS_PASSWORD`=""
 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
@@ -266,6 +266,7 @@ All the required configuration files that will be copied to the generated OS ima
 | `boot` | Boot and RPi2 configuration files |
 | `dpkg` | Package Manager configuration |
 | `firstboot` | Scripts that get executed on first boot |
+| `initramfs` | Initramfs scripts |
 | `iptables` | Firewall configuration files |
 | `locales` | Locales configuration |
 | `modules` | Kernel Modules configuration |
diff --git a/bootstrap.d/10-bootstrap.sh b/bootstrap.d/10-bootstrap.sh
index f55c3e3..2dfddff 100644
--- a/bootstrap.d/10-bootstrap.sh
+++ b/bootstrap.d/10-bootstrap.sh
@@ -7,22 +7,22 @@
 # Base debootstrap (unpack only)
 if [ "$ENABLE_MINBASE" = true ] ; then
- http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --variant=minbase --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
+ http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --variant=minbase --include="${APT_INCLUDES}" "${RELEASE}" "${R}" "http://${APT_SERVER}/debian"
 else
- http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
+ http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --include="${APT_INCLUDES}" "${RELEASE}" "${R}" "http://${APT_SERVER}/debian"
 fi
 # Copy qemu emulator binary to chroot
 install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
 # Copy debian-archive-keyring.pgp
-mkdir -p "$R/usr/share/keyrings"
-install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
+mkdir -p "${R}/usr/share/keyrings"
+install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "${R}/usr/share/keyrings/debian-archive-keyring.gpg"
 # Complete the bootstrapping process
 chroot_exec /debootstrap/debootstrap --second-stage
 # Mount required filesystems
-mount -t proc none "$R/proc"
-mount -t sysfs none "$R/sys"
-mount --bind /dev/pts "$R/dev/pts"
+mount -t proc none "${R}/proc"
+mount -t sysfs none "${R}/sys"
+mount --bind /dev/pts "${R}/dev/pts"
diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh
index 554aaf5..1d32051 100644
--- a/bootstrap.d/11-apt.sh
+++ b/bootstrap.d/11-apt.sh
@@ -7,28 +7,28 @@
 # Install and setup APT proxy configuration
 if [ -z "$APT_PROXY" ] ; then
- install_readonly files/apt/10proxy "$R/etc/apt/apt.conf.d/10proxy"
- sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
+ install_readonly files/apt/10proxy "${ETCDIR}/apt/apt.conf.d/10proxy"
+ sed -i "s/\"\"/\"${APT_PROXY}\"/" "${ETCDIR}/apt/apt.conf.d/10proxy"
 fi
 if [ "$BUILD_KERNEL" = false ] ; then
 # Install APT pinning configuration for flash-kernel package
- install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
+ install_readonly files/apt/flash-kernel "${ETCDIR}/apt/preferences.d/flash-kernel"
 # Install APT sources.list
- install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
- echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list"
+ install_readonly files/apt/sources.list "${ETCDIR}/apt/sources.list"
+ echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "${ETCDIR}/apt/sources.list"
 # Upgrade collabora package index and install collabora keyring
 chroot_exec apt-get -qq -y update
 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
 else # BUILD_KERNEL=true
 # Install APT sources.list
- install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
+ install_readonly files/apt/sources.list "${ETCDIR}/apt/sources.list"
 # Use specified APT server and release
- sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
- sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
+ sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETCDIR}/apt/sources.list"
+ sed -i "s/ jessie/ ${RELEASE}/" "${ETCDIR}/apt/sources.list"
 fi
 # Upgrade package index and update all installed packages and changed dependencies
diff --git a/bootstrap.d/12-locale.sh b/bootstrap.d/12-locale.sh
index d82f212..bd1edf4 100644
--- a/bootstrap.d/12-locale.sh
+++ b/bootstrap.d/12-locale.sh
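Review bot: The two rewritten lines `install_readonly files/apt/10proxy ...` and `sed -i "s/\"\"/\"${APT_PROXY}\"/" ...` sit under the unchanged guard `if [ -z "$APT_PROXY" ] ; then`, so the proxy file is only installed when APT_PROXY is empty (and the sed then substitutes an empty string), while a configured proxy skips the branch entirely; unless that is intended, the test should read `if [ -n "$APT_PROXY" ] ; then`. The same hunk re-emits `apt-get -qq -y --force-yes install collabora-obs-archive-keyring` right after adding the collabora source, which installs an unauthenticated package to bootstrap trust in that repository; a short note such as `# NOTE: keyring is installed unverified (--force-yes) — trust-on-first-use for the collabora repo` would make that explicit to reviewers. Neither line is introduced by this commit, but both are in the code it rewrites.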
@@ -6,7 +6,7 @@
 . ./functions.sh
 # Install and setup timezone
-echo ${TIMEZONE} > "$R/etc/timezone"
+echo ${TIMEZONE} > "${ETCDIR}/timezone"
 chroot_exec dpkg-reconfigure -f noninteractive tzdata
 # Install and setup default locale and keyboard configuration
@@ -19,40 +19,40 @@ if [ "$ENABLE_MINBASE" = false ] ; then
 else
 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
- sed -i "/en_US.UTF-8/s/^#//" "$R/etc/locale.gen"
+ sed -i "/en_US.UTF-8/s/^#//" "${ETCDIR}/locale.gen"
 fi
- sed -i "/${DEFLOCAL}/s/^#//" "$R/etc/locale.gen"
+ sed -i "/${DEFLOCAL}/s/^#//" "${ETCDIR}/locale.gen"
 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
 chroot_exec locale-gen
 chroot_exec update-locale LANG="${DEFLOCAL}"
 # Install and setup default keyboard configuration
 if [ "$XKB_MODEL" != "" ] ; then
- sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKB_MODEL}\"/" "$R/etc/default/keyboard"
+ sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKB_MODEL}\"/" "${ETCDIR}/default/keyboard"
 fi
 if [ "$XKB_LAYOUT" != "" ] ; then
- sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKB_LAYOUT}\"/" "$R/etc/default/keyboard"
+ sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKB_LAYOUT}\"/" "${ETCDIR}/default/keyboard"
 fi
 if [ "$XKB_VARIANT" != "" ] ; then
- sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKB_VARIANT}\"/" "$R/etc/default/keyboard"
+ sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKB_VARIANT}\"/" "${ETCDIR}/default/keyboard"
 fi
 if [ "$XKB_OPTIONS" != "" ] ; then
- sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKB_OPTIONS}\"/" "$R/etc/default/keyboard"
+ sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKB_OPTIONS}\"/" "${ETCDIR}/default/keyboard"
 fi
 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
 # Install and setup font console
 case "${DEFLOCAL}" in
 *UTF-8)
- sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' "$R/etc/default/console-setup"
+ sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' "${ETCDIR}/default/console-setup"
 ;;
 *)
- sed -i 's/^CHARMAP.*/CHARMAP="guess"/' "$R/etc/default/console-setup"
+ sed -i 's/^CHARMAP.*/CHARMAP="guess"/' "${ETCDIR}/default/console-setup"
 ;;
 esac
 chroot_exec dpkg-reconfigure -f noninteractive console-setup
 else # ENABLE_MINBASE=true
 # Install POSIX default locale
- install_readonly files/locales/locale "$R/etc/default/locale"
+ install_readonly files/locales/locale "${ETCDIR}/default/locale"
 fi
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index cc4828d..2652142 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -8,7 +8,7 @@
 # Fetch and build latest raspberry kernel
 if [ "$BUILD_KERNEL" = true ] ; then
 # Setup source directory
- mkdir -p "$R/usr/src"
+ mkdir -p "${R}/usr/src"
 # Copy existing kernel sources into chroot directory
 if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then
@@ -17,11 +17,11 @@ if [ "$BUILD_KERNEL" = true ] ; then
 # Clean the kernel sources
 if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper
 fi
 else # KERNELSRC_DIR=""
 # Fetch current raspberrypi kernel sources
- git -C "$R/usr/src" clone --depth=1 https://github.com/raspberrypi/linux
+ git -C "${R}/usr/src" clone --depth=1 https://github.com/raspberrypi/linux
 fi
 # Calculate optimal number of kernel building threads
@@ -33,7 +33,7 @@ if [ "$BUILD_KERNEL" = true ] ; then
 if [ "$KERNELSRC_PREBUILT" = false ] ; then
 # Remove device, network and filesystem drivers from kernel configuration
 if [ "$KERNEL_REDUCE" = true ] ; then
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
 sed -i\
 -e "s/\(^CONFIG_SND.*\=\).*/\1n/"\
 -e "s/\(^CONFIG_SOUND.*\=\).*/\1n/"\
@@ -64,25 +64,25 @@ if [ "$BUILD_KERNEL" = true ] ; then
 -e "s/\(^CONFIG_TOUCHSCREEN.*\=\).*/\1n/"\
 -e "s/\(^CONFIG_USB_GSPCA_.*\=\).*/\1n/"\
 -e "s/\(^CONFIG_DRM.*\=\).*/\1n/"\
- "$R/usr/src/linux/.config"
+ "${KERNELDIR}/.config"
 fi
 if [ "$KERNELSRC_CONFIG" = true ] ; then
 # Load default raspberry kernel configuration
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}"
 # Start menu-driven kernel configuration (interactive)
 if [ "$KERNEL_MENUCONFIG" = true ] ; then
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig
 fi
 fi
 # Cross compile kernel and modules
- make -C "$R/usr/src/linux" -j${KERNEL_THREADS} ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" zImage modules dtbs
+ make -C "${KERNELDIR}" -j${KERNEL_THREADS} ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" zImage modules dtbs
 fi
 # Check if kernel compilation was successful
- if [ ! -r "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" ] ; then
+ if [ ! -r "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/zImage" ] ; then
 echo "error: kernel compilation failed! (zImage not found)"
 cleanup
 exit 1
@@ -90,50 +90,55 @@ if [ "$BUILD_KERNEL" = true ] ; then
 # Install kernel modules
 if [ "$ENABLE_REDUCE" = true ] ; then
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install
 else
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install
 # Install kernel firmware
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install
 fi
 # Install kernel headers
 if [ "$KERNEL_HEADERS" = true ] && [ "$KERNEL_REDUCE" = false ] ; then
- make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
+ make -C "${KERNELDIR}" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. headers_install
 fi
 # Prepare boot (firmware) directory
- mkdir "$R/boot/firmware/"
+ mkdir "${BOOTDIR}"
 # Get kernel release version
- KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`
+ KERNEL_VERSION=`cat "${KERNELDIR}/include/config/kernel.release"`
 # Copy kernel configuration file to the boot directory
- install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
+ install_readonly "${KERNELDIR}/.config" "${R}/boot/config-${KERNEL_VERSION}"
 # Copy dts and dtb device tree sources and binaries
- mkdir "$R/boot/firmware/overlays/"
- install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
- install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
- install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README"
-
- # Convert and copy zImage kernel to the boot directory
- "$R/usr/src/linux/scripts/mkknlimg" "$R/usr/src/linux/arch/arm/boot/zImage" "$R/boot/firmware/kernel7.img"
+ mkdir "${BOOTDIR}/overlays"
+ install_readonly "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "${BOOTDIR}/"
+ install_readonly "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "${BOOTDIR}/overlays/"
+ install_readonly "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "${BOOTDIR}/overlays/README"
+
+ if [ "$ENABLE_UBOOT" = false ] ; then
+ # Convert and copy zImage kernel to the boot directory
+ "${KERNELDIR}/scripts/mkknlimg" "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/zImage" "${BOOTDIR}/${KERNEL_IMAGE}"
+ else
+ # Copy zImage kernel to the boot directory
+ install_readonly "${KERNELDIR}/arch/${KERNEL_ARCH}/boot/zImage" "${BOOTDIR}/${KERNEL_IMAGE}"
+ fi
 # Remove kernel sources
 if [ "$KERNEL_REMOVESRC" = true ] ; then
- rm -fr "$R/usr/src/linux"
+ rm -fr "${KERNELDIR}"
 fi
 # Install latest boot binaries from raspberry/firmware github
- wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
- wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
- wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
- wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
- wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
- wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
- wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
+ wget -q -O "${BOOTDIR}/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
+ wget -q -O "${BOOTDIR}/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
+ wget -q -O "${BOOTDIR}/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
+ wget -q -O "${BOOTDIR}/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
+ wget -q -O "${BOOTDIR}/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
+ wget -q -O "${BOOTDIR}/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
+ wget -q -O "${BOOTDIR}/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
 else # BUILD_KERNEL=false
 # Kernel installation
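Review bot: The seven rewritten `wget -q -O "${BOOTDIR}/..." https://github.com/raspberrypi/firmware/raw/master/boot/...` lines fetch the pre-kernel boot blobs (bootcode.bin, start*.elf, fixup*.dat) from the moving `master` branch with no pin and no checksum, and `-q` suppresses the error if a download fails, in which case `-O` leaves an empty file in the boot partition unless the script runs under `set -e` (not visible here). Since these blobs execute before anything the image can verify, they deserve at least a pinned commit and a sha256 check; as a minimum change, append `|| { echo "error: firmware download failed" ; cleanup ; exit 1 ; }` to each line. Separately, the new `mkdir "${BOOTDIR}"` and `mkdir "${BOOTDIR}/overlays"` calls lack `-p`, so a rerun into an existing build tree aborts where the rest of the file uses `mkdir -p`. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts before this hunk.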
@@ -143,14 +148,14 @@ else # BUILD_KERNEL=false
 chroot_exec apt-get -qq -y install flash-kernel
 # Check if kernel installation was successful
- VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
+ VMLINUZ="$(ls -1 ${R}/boot/vmlinuz-* | sort | tail -n 1)"
 if [ -z "$VMLINUZ" ] ; then
 echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
 cleanup
 exit 1
 fi
 # Copy vmlinuz kernel to the boot directory
- install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img"
+ install_readonly "${VMLINUZ}" "${BOOTDIR}/${KERNEL_IMAGE}"
 fi
 # Setup firmware boot cmdline
@@ -160,6 +165,15 @@ else
 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
 fi
+# Add encrypted root partition to cmdline.txt
+if [ "$ENABLE_CRYPTFS" = true ] ; then
+ if [ "$ENABLE_SPLITFS" = true ] ; then
+ CMDLINE=$(echo ${CMDLINE} | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
+ else
+ CMDLINE=$(echo ${CMDLINE} | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
+ fi
+fi
+
 # Add serial console support
 if [ "$ENABLE_CONSOLE" = true ] ; then
 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
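Review bot: The two new `CMDLINE=$(echo ${CMDLINE} | sed "s/.../mapper\/${CRYPTFS_MAPPING} cryptdevice=...:${CRYPTFS_MAPPING}/")` lines interpolate CRYPTFS_MAPPING into a sed replacement without escaping, so a name containing `/`, `&` or whitespace corrupts the kernel command line instead of being rejected. Unless the value is already validated where the parameters are checked (outside this file), restrict it before use, e.g. `case "${CRYPTFS_MAPPING}" in *[!A-Za-z0-9_-]*|"") echo "error: invalid CRYPTFS_MAPPING" ; cleanup ; exit 1 ;; esac`. The SPLITFS branch also relies on the literal `sda1` being present in the CMDLINE assembled above the hunk; if that string differs the substitution is a silent no-op and the image boots without `cryptdevice=`, which a check such as `case "${CMDLINE}" in *cryptdevice=*) ;; *) echo "error: cryptdevice not set in cmdline" ; cleanup ; exit 1 ;; esac` after the outer `fi` would catch. `echo ${CMDLINE}` is unquoted and collapses repeated whitespace, harmless here but worth quoting for consistency with the rest of the file.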
@@ -171,69 +185,79 @@ if [ "$ENABLE_IPV6" = false ] ; then
 fi
 # Install firmware boot cmdline
-echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"
-
-# Add encrypted root partition to cmdline.txt
-if [ "$ENABLE_CRYPTFS" = true ] ; then
- sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt"
-fi
+echo "${CMDLINE}" > "${BOOTDIR}/cmdline.txt"
 # Install firmware config
-install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"
+install_readonly files/boot/config.txt "${BOOTDIR}/config.txt"
 # Setup minimal GPU memory allocation size: 16MB (no X)
 if [ "$ENABLE_MINGPU" = true ] ; then
- echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"
+ echo "gpu_mem=16" >> "${BOOTDIR}/config.txt"
 fi
 # Setup boot with initramfs
 if [ "$ENABLE_INITRAMFS" = true ] ; then
- echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt"
+ echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOTDIR}/config.txt"
 fi
 # Create firmware configuration and cmdline symlinks
-ln -sf firmware/config.txt "$R/boot/config.txt"
-ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"
+ln -sf firmware/config.txt "${R}/boot/config.txt"
+ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
 # Install and setup kernel modules to load at boot
-mkdir -p "$R/lib/modules-load.d/"
-install_readonly files/modules/rpi2.conf "$R/lib/modules-load.d/rpi2.conf"
+mkdir -p "${R}/lib/modules-load.d/"
+install_readonly files/modules/rpi2.conf "${R}/lib/modules-load.d/rpi2.conf"
 # Load hardware random module at boot
-if [ "$ENABLE_HWRANDOM" = true ] ; then
- sed -i "s/^# bcm2708_rng/bcm2708_rng/" "$R/lib/modules-load.d/rpi2.conf"
+if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
+ sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${R}/lib/modules-load.d/rpi2.conf"
 fi
 # Load sound module at boot
 if [ "$ENABLE_SOUND" = true ] ; then
- sed -i "s/^# snd_bcm2835/snd_bcm2835/" "$R/lib/modules-load.d/rpi2.conf"
+ sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${R}/lib/modules-load.d/rpi2.conf"
 fi
 # Install kernel modules blacklist
-mkdir -p "$R/etc/modprobe.d/"
-install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-blacklist.conf"
+mkdir -p "${ETCDIR}/modprobe.d/"
+install_readonly files/modules/raspi-blacklist.conf "${ETCDIR}/modprobe.d/raspi-blacklist.conf"
 # Install and setup fstab
-install_readonly files/mount/fstab "$R/etc/fstab"
+install_readonly files/mount/fstab "${ETCDIR}/fstab"
 # Add usb/sda disk root partition to fstab
-if [ "$ENABLE_SPLITFS" = true ] ; then
- sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"
+if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
+ sed -i "s/mmcblk0p2/sda1/" "${ETCDIR}/fstab"
 fi
 # Add encrypted root partition to fstab and crypttab
 if [ "$ENABLE_CRYPTFS" = true ] ; then
 # Replace fstab root partition with encrypted partition mapping
- sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab"
+ sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETCDIR}/fstab"
 # Add encrypted partition to crypttab and fstab
- install_readonly files/mount/crypttab "$R/etc/crypttab"
- echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab"
+ install_readonly files/mount/crypttab "${ETCDIR}/crypttab"
+ echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "${ETCDIR}/crypttab"
+
+ if [ "$ENABLE_SPLITFS" = true ] ; then
+ # Add usb/sda disk to crypttab
+ sed -i "s/mmcblk0p2/sda1/" "${ETCDIR}/crypttab"
+ fi
 fi
 # Generate initramfs file
 if [ "$ENABLE_INITRAMFS" = true ] ; then
 if [ "$ENABLE_CRYPTFS" = true ] ; then
+ # Include initramfs scripts to auto expand encrypted root partition
+ if [ "$EXPANDROOT" = true ] ; then
+ install_exec files/initramfs/expand_encrypted_rootfs "${ETCDIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
+ install_exec files/initramfs/expand-premount "${ETCDIR}/initramfs-tools/scripts/local-premount/expand-premount"
+ install_exec files/initramfs/expand-tools "${ETCDIR}/initramfs-tools/hooks/expand-tools"
+ fi
+
+ # Disable SSHD inside initramfs
+ printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETCDIR}/initramfs-tools/initramfs.conf"
+
 # Dummy mapping required by mkinitramfs
 echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
@@ -249,4 +273,4 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then
 fi
 # Install sysctl.d configuration files
-install_readonly files/sysctl.d/81-rpi-vm.conf "$R/etc/sysctl.d/81-rpi-vm.conf"
+install_readonly files/sysctl.d/81-rpi-vm.conf "${ETCDIR}/sysctl.d/81-rpi-vm.conf"
diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh
index bd6e8db..16e06f2 100644
--- a/bootstrap.d/20-networking.sh
+++ b/bootstrap.d/20-networking.sh
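Review bot: The rewritten guard `if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then` turns ENABLE_HWRANDOM into a silent no-op whenever the kernel is built from source, and nothing else in the hunk loads a hardware RNG module in that case; presumably the self-built raspberrypi/linux kernel has no `bcm2708_rng` module, but the effect is that first boot, where the diffstat shows SSH host keys being generated, runs without the hardware entropy source the option promises. Either add an `else` branch that appends the module name the built kernel actually provides, or document the gap inline and in the README, e.g. `# bcm2708_rng is only present in the packaged kernel; with BUILD_KERNEL=true no hwrng module is loaded here — TODO confirm module name for the built kernel`. The three new `install_exec files/initramfs/... "${ETCDIR}/initramfs-tools/scripts/init-premount/..."` lines copy into directories that are not created first; if initramfs-tools does not ship `scripts/init-premount`, `scripts/local-premount` and `hooks` under /etc, a preceding `mkdir -p` for the three targets is needed. The `echo "0 1 crypt ... ffff..." | chroot_exec dmsetup create` context line at the end of the hunk uses an all-0xff key as a build-time placeholder only; saying so in its comment would keep it from being mistaken for the real mapping.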
@@ -6,37 +6,37 @@
 . ./functions.sh
 # Install and setup hostname
-install_readonly files/network/hostname "$R/etc/hostname"
-sed -i "s/^rpi2-jessie/${HOSTNAME}/" "$R/etc/hostname"
+install_readonly files/network/hostname "${ETCDIR}/hostname"
+sed -i "s/^rpi2-jessie/${HOSTNAME}/" "${ETCDIR}/hostname"
 # Install and setup hosts
-install_readonly files/network/hosts "$R/etc/hosts"
-sed -i "s/rpi2-jessie/${HOSTNAME}/" "$R/etc/hosts"
+install_readonly files/network/hosts "${ETCDIR}/hosts"
+sed -i "s/rpi2-jessie/${HOSTNAME}/" "${ETCDIR}/hosts"
 # Setup hostname entry with static IP
 if [ "$NET_ADDRESS" != "" ] ; then
 NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
- sed -i "s/^127.0.1.1/${NET_IP}/" "$R/etc/hosts"
+ sed -i "s/^127.0.1.1/${NET_IP}/" "${ETCDIR}/hosts"
 fi
 # Remove IPv6 hosts
 if [ "$ENABLE_IPV6" = false ] ; then
- sed -i -e "/::[1-9]/d" -e "/^$/d" "$R/etc/hosts"
+ sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETCDIR}/hosts"
 fi
 # Install hint about network configuration
-install_readonly files/network/interfaces "$R/etc/network/interfaces"
+install_readonly files/network/interfaces "${ETCDIR}/network/interfaces"
 # Install configuration for interface eth0
-install_readonly files/network/eth.network "$R/etc/systemd/network/eth.network"
+install_readonly files/network/eth.network "${ETCDIR}/systemd/network/eth.network"
 if [ "$ENABLE_DHCP" = true ] ; then
 # Enable DHCP configuration for interface eth0
- sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "$R/etc/systemd/network/eth.network"
+ sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETCDIR}/systemd/network/eth.network"
 # Set DHCP configuration to IPv4 only
 if [ "$ENABLE_IPV6" = false ] ; then
- sed -i "s/DHCP=.*/DHCP=v4/" "$R/etc/systemd/network/eth.network"
+ sed -i "s/DHCP=.*/DHCP=v4/" "${ETCDIR}/systemd/network/eth.network"
 fi
 else # ENABLE_DHCP=false
@@ -50,23 +50,23 @@ else # ENABLE_DHCP=false
 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
- "$R/etc/systemd/network/eth.network"
+ "${ETCDIR}/systemd/network/eth.network"
 fi
 # Remove empty settings from network configuration
-sed -i "/.*=\$/d" "$R/etc/systemd/network/eth.network"
+sed -i "/.*=\$/d" "${ETCDIR}/systemd/network/eth.network"
 # Enable systemd-networkd service
 chroot_exec systemctl enable systemd-networkd
 # Install host.conf resolver configuration
-install_readonly files/network/host.conf "$R/etc/host.conf"
+install_readonly files/network/host.conf "${ETCDIR}/host.conf"
 # Enable network stack hardening
 if [ "$ENABLE_HARDNET" = true ] ; then
 # Install sysctl.d configuration files
- install_readonly files/sysctl.d/82-rpi-net-hardening.conf "$R/etc/sysctl.d/82-rpi-net-hardening.conf"
+ install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETCDIR}/sysctl.d/82-rpi-net-hardening.conf"
 # Setup resolver warnings about spoofed addresses
- sed -i "s/^# spoof warn/spoof warn/" "$R/etc/host.conf"
+ sed -i "s/^# spoof warn/spoof warn/" "${ETCDIR}/host.conf"
 fi
diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh
index 247325e..7583d04 100644
--- a/bootstrap.d/21-firewall.sh
+++ b/bootstrap.d/21-firewall.sh
@@ -7,16 +7,16 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
 # Create iptables configuration directory
- mkdir -p "$R/etc/iptables"
+ mkdir -p "${ETCDIR}/iptables"
 # Install iptables systemd service
- install_readonly files/iptables/iptables.service "$R/etc/systemd/system/iptables.service"
+ install_readonly files/iptables/iptables.service "${ETCDIR}/systemd/system/iptables.service"
 # Install flush-table script called by iptables service
- install_exec files/iptables/flush-iptables.sh "$R/etc/iptables/flush-iptables.sh"
+ install_exec files/iptables/flush-iptables.sh "${ETCDIR}/iptables/flush-iptables.sh"
 # Install iptables rule file
- install_readonly files/iptables/iptables.rules "$R/etc/iptables/iptables.rules"
+ install_readonly files/iptables/iptables.rules "${ETCDIR}/iptables/iptables.rules"
 # Reload systemd configuration and enable iptables service
 chroot_exec systemctl daemon-reload
@@ -24,12 +24,12 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
 if [ "$ENABLE_IPV6" = true ] ; then
 # Install ip6tables systemd service
- install_readonly files/iptables/ip6tables.service "$R/etc/systemd/system/ip6tables.service"
+ install_readonly files/iptables/ip6tables.service "${ETCDIR}/systemd/system/ip6tables.service"
 # Install ip6tables file
- install_exec files/iptables/flush-ip6tables.sh "$R/etc/iptables/flush-ip6tables.sh"
+ install_exec files/iptables/flush-ip6tables.sh "${ETCDIR}/iptables/flush-ip6tables.sh"
- install_readonly files/iptables/ip6tables.rules "$R/etc/iptables/ip6tables.rules"
+ install_readonly files/iptables/ip6tables.rules "${ETCDIR}/iptables/ip6tables.rules"
 # Reload systemd configuration and enable iptables service
 chroot_exec systemctl daemon-reload
@@ -39,6 +39,6 @@ fi
 if [ "$ENABLE_SSHD" = false ] ; then
 # Remove SSHD related iptables rules
- sed -i "/^#/! {/SSH/ s/^/# /}" "$R/etc/iptables/iptables.rules" 2> /dev/null
- sed -i "/^#/! {/SSH/ s/^/# /}" "$R/etc/iptables/ip6tables.rules" 2> /dev/null
+ sed -i "/^#/! {/SSH/ s/^/# /}" "${ETCDIR}/iptables/iptables.rules" 2> /dev/null
+ sed -i "/^#/! {/SSH/ s/^/# /}" "${ETCDIR}/iptables/ip6tables.rules" 2> /dev/null
 fi
diff --git a/bootstrap.d/30-security.sh b/bootstrap.d/30-security.sh
index a07719d..a5b558b 100644
--- a/bootstrap.d/30-security.sh
+++ b/bootstrap.d/30-security.sh
@@ -19,7 +19,7 @@ if [ "$ENABLE_ROOT" = true ] ; then
 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
 if [ "$ENABLE_ROOT_SSH" = true ] ; then
- sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "$R/etc/ssh/sshd_config"
+ sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETCDIR}/ssh/sshd_config"
 fi
 else # Set no root password to disable root login
diff --git a/bootstrap.d/31-logging.sh b/bootstrap.d/31-logging.sh
index 00a9f86..149ab68 100644
--- a/bootstrap.d/31-logging.sh
+++ b/bootstrap.d/31-logging.sh
@@ -7,7 +7,7 @@
 # Disable rsyslog
 if [ "$ENABLE_RSYSLOG" = false ] ; then
- sed -i "s|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g" "$R/etc/systemd/journald.conf"
+ sed -i "s|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g" "${ETCDIR}/systemd/journald.conf"
 chroot_exec systemctl disable rsyslog
 chroot_exec apt-get -qq -y --force-yes purge rsyslog
 fi
diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh
index 8f59f26..19ad084 100644
--- a/bootstrap.d/41-uboot.sh
+++ b/bootstrap.d/41-uboot.sh
@@ -7,25 +7,61 @@ # Install gcc/c++ build environment inside the chroot if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ] ; then - chroot_exec apt-get -q -y --force-yes --no-install-recommends install linux-compiler-gcc-4.9-arm g++ make bc + chroot_exec apt-get -q -y --force-yes --no-install-recommends install linux-compiler-gcc-4.8-arm g++ make bc fi # Fetch and build U-Boot bootloader if [ "$ENABLE_UBOOT" = true ] ; then # Fetch U-Boot bootloader sources - git -C "$R/tmp" clone git://git.denx.de/u-boot.git + git -C "${R}/tmp" clone git://git.denx.de/u-boot.git # Build and install U-Boot inside chroot - chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all + chroot_exec make -C /tmp/u-boot/ ${UBOOT_CONFIG} all # Copy compiled bootloader binary and set config.txt to load it - install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin" - printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt" + install_exec "${R}/tmp/u-boot/tools/mkimage" "${R}/usr/sbin/mkimage" + install_readonly "${R}/tmp/u-boot/u-boot.bin" "${BOOTDIR}/u-boot.bin" + printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "${BOOTDIR}/config.txt" # Install and setup U-Boot command file - install_readonly files/boot/uboot.mkimage "$R/boot/firmware/uboot.mkimage" - printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat $R/boot/firmware/uboot.mkimage)" > "$R/boot/firmware/uboot.mkimage" + install_readonly files/boot/uboot.mkimage "${BOOTDIR}/uboot.mkimage" + printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat ${BOOTDIR}/uboot.mkimage)" > "${BOOTDIR}/uboot.mkimage" + + if [ "$ENABLE_INITRAMFS" = true ] ; then + # Convert generated initramfs for U-Boot using mkimage + chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "/boot/firmware/initramfs-${KERNEL_VERSION}" "/boot/firmware/initramfs-${KERNEL_VERSION}.uboot" + 
+ # Remove original initramfs file + rm -f "${BOOTDIR}/initramfs-${KERNEL_VERSION}" + + # Configure U-Boot to load generated initramfs + printf "# Set initramfs file\nsetenv initramfs initramfs-${KERNEL_VERSION}.uboot\n\n$(cat ${BOOTDIR}/uboot.mkimage)" > "${BOOTDIR}/uboot.mkimage" + printf "\nbootz \${kernel_addr_r} \${ramdisk_addr_r} \${fdt_addr_r}" >> "${BOOTDIR}/uboot.mkimage" + else # ENABLE_INITRAMFS=false + # Remove initramfs from U-Boot mkfile + sed -i '/.*initramfs.*/d' "${BOOTDIR}/uboot.mkimage" + + if [ "$BUILD_KERNEL" = false ] ; then + # Remove dtbfile from U-Boot mkfile + sed -i '/.*dtbfile.*/d' "${BOOTDIR}/uboot.mkimage" + printf "\nbootz \${kernel_addr_r}" >> "${BOOTDIR}/uboot.mkimage" + else + printf "\nbootz \${kernel_addr_r} - \${fdt_addr_r}" >> "${BOOTDIR}/uboot.mkimage" + fi + fi + + # Set mkfile to use dtb file + sed -i "s/^\(setenv dtbfile \).*/\1${DTB_FILE}/" "${BOOTDIR}/uboot.mkimage" + + # Set mkfile to use kernel image + sed -i "s/^\(fatload mmc 0:1 \${kernel_addr_r} \).*/\1${KERNEL_IMAGE}/" "${BOOTDIR}/uboot.mkimage" + + # Remove all leading blank lines + sed -i "/./,\$!d" "${BOOTDIR}/uboot.mkimage" # Generate U-Boot bootloader image - chroot_exec /tmp/u-boot/tools/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n RPi2 -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr + chroot_exec /usr/sbin/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n RPi2 -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr + + # Remove U-Boot sources + rm -fr "${R}/tmp/u-boot" fi diff --git a/bootstrap.d/42-fbturbo.sh b/bootstrap.d/42-fbturbo.sh index ca6b2fb..4e03f53 100644 --- a/bootstrap.d/42-fbturbo.sh +++ b/bootstrap.d/42-fbturbo.sh 
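Review bot: The bootloader source on the new `git -C "${R}/tmp" clone git://git.denx.de/u-boot.git` line is still fetched over the unauthenticated git:// transport with no tag or commit pinned, so the U-Boot binary baked into every image depends on an unverified network path and on whatever upstream HEAD happens to be on the build day; the https clone of xf86-video-fbturbo in the 42-fbturbo.sh hunk is transport-protected but equally unpinned. Switching to `https://git.denx.de/u-boot.git` and checking out a fixed release tag (a `UBOOT_VERSION`-style default next to the new `UBOOT_CONFIG` one — name is only a suggestion) would make builds reproducible and reviewable. Separately, the new `sed -i "s/^\(setenv dtbfile \).*/\1${DTB_FILE}/"` and `\1${KERNEL_IMAGE}/` substitutions splice user-supplied variables into a sed replacement unescaped, so a value containing `/` or `&` silently corrupts uboot.mkimage, and the `printf "...$(cat ${BOOTDIR}/uboot.mkimage)" > ...` lines use file contents as the printf format string, where any `%` would be interpreted. The enclosing `if [ "$ENABLE_UBOOT" = true ]` block closes inside the hunk.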
@@ -7,7 +7,7 @@ if [ "$ENABLE_FBTURBO" = true ] ; then # Fetch fbturbo driver sources - git -C "$R/tmp" clone https://github.com/ssvb/xf86-video-fbturbo.git + git -C "${R}/tmp" clone https://github.com/ssvb/xf86-video-fbturbo.git # Install Xorg build dependencies chroot_exec apt-get -q -y --no-install-recommends install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev @@ -22,7 +22,7 @@ make install EOF # Install fbturbo driver Xorg configuration - install_readonly files/xorg/99-fbturbo.conf "$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf" + install_readonly files/xorg/99-fbturbo.conf "${R}/usr/share/X11/xorg.conf.d/99-fbturbo.conf" # Remove Xorg build dependencies chroot_exec apt-get -qq -y --auto-remove purge xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev @@ -30,5 +30,5 @@ fi # Remove gcc/c++ build environment from the chroot if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ] ; then - chroot_exec apt-get -qq -y --auto-remove purge bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make + chroot_exec apt-get -qq -y --auto-remove purge bc binutils cpp cpp-4.8 cpp-4.9 g++ g++-4.8 g++-4.9 gcc gcc-4.8 gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.8-dev libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.8-arm linux-libc-dev make fi diff --git a/bootstrap.d/50-firstboot.sh b/bootstrap.d/50-firstboot.sh index 2ec9404..7e2e008 100644 --- a/bootstrap.d/50-firstboot.sh +++ b/bootstrap.d/50-firstboot.sh 
@@ -6,29 +6,34 @@ . ./functions.sh # Prepare rc.firstboot script -cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot" +cat files/firstboot/10-begin.sh > "${ETCDIR}/rc.firstboot" # Ensure openssh server host keys are regenerated on first boot if [ "$ENABLE_SSHD" = true ] ; then - cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot" + cat files/firstboot/21-generate-ssh-keys.sh >> "${ETCDIR}/rc.firstboot" fi # Prepare filesystem auto expand if [ "$EXPANDROOT" = true ] ; then - cat files/firstboot/22-expandroot.sh >> "$R/etc/rc.firstboot" + if [ "$ENABLE_CRYPTFS" = false ] ; then + cat files/firstboot/22-expandroot.sh >> "${ETCDIR}/rc.firstboot" + else + # Regenerate initramfs to remove encrypted root partition auto expand + cat files/firstboot/23-regenerate-initramfs.sh >> "${ETCDIR}/rc.firstboot" + fi fi # Ensure that dbus machine-id exists -cat files/firstboot/23-generate-machineid.sh >> "$R/etc/rc.firstboot" +cat files/firstboot/24-generate-machineid.sh >> "${ETCDIR}/rc.firstboot" # Create /etc/resolv.conf symlink -cat files/firstboot/24-create-resolv-symlink.sh >> "$R/etc/rc.firstboot" +cat files/firstboot/25-create-resolv-symlink.sh >> "${ETCDIR}/rc.firstboot" # Finalize rc.firstboot script -cat files/firstboot/99-finish.sh >> "$R/etc/rc.firstboot" -chmod +x "$R/etc/rc.firstboot" +cat files/firstboot/99-finish.sh >> "${ETCDIR}/rc.firstboot" +chmod +x "${ETCDIR}/rc.firstboot" # Add rc.firstboot script to rc.local -sed -i '/exit 0/d' "$R/etc/rc.local" -echo /etc/rc.firstboot >> "$R/etc/rc.local" -echo exit 0 >> "$R/etc/rc.local" +sed -i '/exit 0/d' "${ETCDIR}/rc.local" +echo /etc/rc.firstboot >> "${ETCDIR}/rc.local" +echo exit 0 >> "${ETCDIR}/rc.local" diff --git a/bootstrap.d/99-reduce.sh b/bootstrap.d/99-reduce.sh index 99fbc9b..128e7a6 100644 --- a/bootstrap.d/99-reduce.sh +++ b/bootstrap.d/99-reduce.sh 
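Review bot: The new branch picks the firstboot fragment with `if [ "$ENABLE_CRYPTFS" = false ]`, so any value other than the literal string `false` — including an unset or empty variable, should the defaults in rpi2-gen-image.sh ever allow that — sends an unencrypted image into the else branch and appends 23-regenerate-initramfs.sh instead of the plain expand script. Testing for the enabling value is the safer shape: `if [ "$ENABLE_CRYPTFS" = true ] ; then` with the regenerate fragment in that branch and `22-expandroot.sh` in the else. That also matches the `= true` checks used everywhere else in this file.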
@@ -10,33 +10,33 @@ if [ "$ENABLE_REDUCE" = true ] ; then if [ "$REDUCE_APT" = true ] ; then # Install dpkg configuration file if [ "$REDUCE_DOC" = true ] || [ "$REDUCE_MAN" = true ] ; then - install_readonly files/dpkg/01nodoc "$R/etc/dpkg/dpkg.cfg.d/01nodoc" + install_readonly files/dpkg/01nodoc "${ETCDIR}/dpkg/dpkg.cfg.d/01nodoc" fi # Install APT configuration files - install_readonly files/apt/02nocache "$R/etc/apt/apt.conf.d/02nocache" - install_readonly files/apt/03compress "$R/etc/apt/apt.conf.d/03compress" - install_readonly files/apt/04norecommends "$R/etc/apt/apt.conf.d/04norecommends" + install_readonly files/apt/02nocache "${ETCDIR}/apt/apt.conf.d/02nocache" + install_readonly files/apt/03compress "${ETCDIR}/apt/apt.conf.d/03compress" + install_readonly files/apt/04norecommends "${ETCDIR}/apt/apt.conf.d/04norecommends" # Remove APT cache files - rm -fr "$R/var/cache/apt/pkgcache.bin" - rm -fr "$R/var/cache/apt/srcpkgcache.bin" + rm -fr "${R}/var/cache/apt/pkgcache.bin" + rm -fr "${R}/var/cache/apt/srcpkgcache.bin" fi # Remove all doc files if [ "$REDUCE_DOC" = true ] ; then - find "$R/usr/share/doc" -depth -type f ! -name copyright | xargs rm || true - find "$R/usr/share/doc" -empty | xargs rmdir || true + find "${R}/usr/share/doc" -depth -type f ! -name copyright | xargs rm || true + find "${R}/usr/share/doc" -empty | xargs rmdir || true fi # Remove all man pages and info files if [ "$REDUCE_MAN" = true ] ; then - rm -rf "$R/usr/share/man" "$R/usr/share/groff" "$R/usr/share/info" "$R/usr/share/lintian" "$R/usr/share/linda" "$R/var/cache/man" + rm -rf "${R}/usr/share/man" "${R}/usr/share/groff" "${R}/usr/share/info" "${R}/usr/share/lintian" "${R}/usr/share/linda" "${R}/var/cache/man" fi # Remove all locale translation files if [ "$REDUCE_LOCALE" = true ] ; then - find "$R/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' | xargs rm -r + find "${R}/usr/share/locale" -mindepth 1 -maxdepth 1 ! 
-name 'en' | xargs rm -r fi # Remove hwdb PCI device classes (experimental) @@ -60,19 +60,19 @@ if [ "$ENABLE_REDUCE" = true ] ; then # Remove GPU kernels if [ "$ENABLE_MINGPU" = true ] ; then - rm -f "$R/boot/firmware/start.elf" - rm -f "$R/boot/firmware/fixup.dat" - rm -f "$R/boot/firmware/start_x.elf" - rm -f "$R/boot/firmware/fixup_x.dat" + rm -f "${BOOTDIR}/start.elf" + rm -f "${BOOTDIR}/fixup.dat" + rm -f "${BOOTDIR}/start_x.elf" + rm -f "${BOOTDIR}/fixup_x.dat" fi # Remove kernel and initrd from /boot (already in /boot/firmware) if [ "$BUILD_KERNEL" = false ] ; then - rm -r "$R/boot/vmlinuz--*" - rm -r "$R/boot/initrd.img-*" + rm -f "${R}/boot/vmlinuz-*" + rm -f "${R}/boot/initrd.img-*" fi # Clean APT list of repositories - rm -fr "$R/var/lib/apt/lists/*" + rm -fr "${R}/var/lib/apt/lists/*" chroot_exec apt-get -qq -y update fi diff --git a/files/boot/uboot.mkimage b/files/boot/uboot.mkimage index cd71de6..8d02431 100644 --- a/files/boot/uboot.mkimage +++ b/files/boot/uboot.mkimage @@ -1,3 +1,6 @@ +# Set device tree fdtfile +setenv dtbfile bcm2709-rpi-2-b.dtb + # Tell Linux that it is booting on a Raspberry Pi2 setenv machid 0x00000c42 @@ -6,6 +9,7 @@ saveenv # Load the existing Linux kernel into RAM fatload mmc 0:1 ${kernel_addr_r} kernel7.img +fatload mmc 0:1 ${fdt_addr_r} ${dtbfile} +fatload mmc 0:1 ${ramdisk_addr_r} ${initramfs} # Boot the kernel we have just loaded -bootz ${kernel_addr_r} diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/21-generate-ssh-keys.sh index 928ee2e..b3345b4 100644 --- a/files/firstboot/21-generate-ssh-keys.sh +++ b/files/firstboot/21-generate-ssh-keys.sh 
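Review bot: The globs in `rm -f "${R}/boot/vmlinuz-*"` and `rm -f "${R}/boot/initrd.img-*"` sit inside double quotes, so the shell never expands them and `rm -f` silently removes nothing; the previous `rm -r` form at least failed loudly. The same quoted-glob pattern is in this file's `rm -fr "${R}/var/lib/apt/lists/*"` and, more importantly, in the rpi2-gen-image.sh cleanup hunk (`rm -f "${ETCDIR}/ssh/ssh_host_*"`, `dropbear_*`, `${ETCDIR}/*-`, `${R}/run/*`, `${R}/tmp/*`), where it means build-time SSH host keys and temporary files stay in the shipped image unless a first-boot fragment happens to replace them. Keep the variable quoted and the glob outside the quotes, e.g. `rm -f "${R}"/boot/vmlinuz-* "${R}"/boot/initrd.img-*`.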
@@ -1,8 +1,11 @@ logger -t "rc.firstboot" "Generating SSH host keys" if [ -d "/etc/ssh/" ] ; then + # Remove ssh host keys rm -f /etc/ssh/ssh_host_* systemctl stop sshd + + # Regenerate ssh host keys ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key @@ -11,8 +14,11 @@ if [ -d "/etc/ssh/" ] ; then fi if [ -d "/etc/dropbear/" ] ; then + # Remove ssh host keys rm -f /etc/dropbear/dropbear_* systemctl stop dropbear + + # Regenerate ssh host keys dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/22-expandroot.sh index 03ec50d..235c411 100644 --- a/files/firstboot/22-expandroot.sh +++ b/files/firstboot/22-expandroot.sh @@ -1,10 +1,20 @@ -logger -t "rc.firstboot" "Expanding root" +logger -t "rc.firstboot" "Expanding root partition" + +# Detect root partition device ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') -PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') +if [ -z "$ROOT_PART" ] ; then + log_warning_msg "unable to detect root partition device" + return 1 +fi + +# Extract root device name case "${ROOT_PART}" in mmcblk0*) ROOT_DEV=mmcblk0 ;; sda*) ROOT_DEV=sda ;; esac + +# Check detected root partition name +PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') if [ "$PART_NUM" = "$ROOT_PART" ] ; then logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand" return 0 
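Review bot: The new `log_warning_msg "unable to detect root partition device"` call is an initramfs-tools helper, and nothing visible defines it in the /etc/rc.firstboot script this fragment is concatenated into by 50-firstboot.sh; every other message in the file goes through `logger -t "rc.firstboot" ...`, and an undefined command would itself be the failure reported here. Use `logger -t "rc.firstboot" "unable to detect root partition device"` for consistency. The new `return 1` also differs from the `return 0` the existing bail-outs use, so it is worth deciding deliberately whether a detection failure should surface as an error to rc.local.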
@@ -16,6 +26,8 @@ if [ "$PART_NUM" -gt 2 ] ; then logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool." return 0 fi + +# Check if last partition number LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) if [ $LAST_PART_NUM -ne $PART_NUM ]; then logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand" @@ -53,4 +65,4 @@ EOF2 # Reload the partition table, resize root filesystem then remove resizing code from this file partprobe && resize2fs /dev/${ROOT_PART} && - logger -t "rc.firstboot" "Root partition successfuly resized." + logger -t "rc.firstboot" "Root partition successfully resized." diff --git a/files/firstboot/23-generate-machineid.sh b/files/firstboot/23-generate-machineid.sh deleted file mode 100644 index dca48b3..0000000 --- a/files/firstboot/23-generate-machineid.sh +++ /dev/null @@ -1,3 +0,0 @@ -logger -t "rc.firstboot" "Generating D-Bus machine-id" -rm -f /var/lib/dbus/machine-id -dbus-uuidgen --ensure diff --git a/files/firstboot/23-regenerate-initramfs.sh b/files/firstboot/23-regenerate-initramfs.sh new file mode 100644 index 0000000..78e2922 --- /dev/null +++ b/files/firstboot/23-regenerate-initramfs.sh 
@@ -0,0 +1,31 @@
+logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
+
+KERNEL_VERSION=$(uname -r)
+KERNEL_ARCH=$(uname -m)
+INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
+INITRAMFS_UBOOT="${INITRAMFS}.uboot"
+
+# Extract kernel arch
+case "${KERNEL_ARCH}" in
+ arm*) KERNEL_ARCH=arm ;;
+esac
+
+# Regenerate initramfs
+if [ -r "${INITRAMFS}" ] ; then
+ rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+ rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+ rm -f /etc/initramfs-tools/hooks/expand-tools
+ rm -f "${INITRAMFS}"
+ mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+fi
+
+# Convert generated initramfs for U-Boot using mkimage
+if [ -r "${INITRAMFS_UBOOT}" ] ; then
+ rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+ rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+ rm -f /etc/initramfs-tools/hooks/expand-tools
+ rm -f "${INITRAMFS_UBOOT}"
+ mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+ mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
+ rm -f "${INITRAMFS}"
+fi
diff --git a/files/firstboot/24-create-resolv-symlink.sh b/files/firstboot/24-create-resolv-symlink.sh
deleted file mode 100644
index 8a3f00b..0000000
--- a/files/firstboot/24-create-resolv-symlink.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
-
-# Check if systemd resolve directory exists
-if [ ! -d "/run/systemd/resolve" ] ; then
- systemctl enable systemd-resolved.service
- systemctl restart systemd-resolved.service
-fi
-
-# Create resolv.conf file if it does not exists
-if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
- touch /run/systemd/resolve/resolv.conf
-fi
-
-# Create symlink to /etc/reolv.conf
-ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
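Review bot: Both branches run `rm -f "${INITRAMFS}"` before `mkinitramfs -o "${INITRAMFS}"`, so if mkinitramfs fails on first boot the device is left with no initramfs at all and, with an encrypted root, cannot unlock on the next boot. Generating into a temporary name and renaming only on success keeps the previous image intact: `mkinitramfs -o "${INITRAMFS}.new" "${KERNEL_VERSION}" && mv -f "${INITRAMFS}.new" "${INITRAMFS}"`, and likewise for the mkimage output. The three `rm -f /etc/initramfs-tools/...` lines are duplicated in both branches and could be hoisted above the first `if`; note also that when both the plain and the .uboot image exist the initramfs is built twice.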
diff --git a/files/firstboot/24-generate-machineid.sh b/files/firstboot/24-generate-machineid.sh
new file mode 100644
index 0000000..dca48b3
--- /dev/null
+++ b/files/firstboot/24-generate-machineid.sh
@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "Generating D-Bus machine-id"
+rm -f /var/lib/dbus/machine-id
+dbus-uuidgen --ensure
diff --git a/files/firstboot/25-create-resolv-symlink.sh b/files/firstboot/25-create-resolv-symlink.sh
new file mode 100644
index 0000000..8a3f00b
--- /dev/null
+++ b/files/firstboot/25-create-resolv-symlink.sh
@@ -0,0 +1,15 @@
+logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
+
+# Check if systemd resolve directory exists
+if [ ! -d "/run/systemd/resolve" ] ; then
+ systemctl enable systemd-resolved.service
+ systemctl restart systemd-resolved.service
+fi
+
+# Create resolv.conf file if it does not exists
+if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
+ touch /run/systemd/resolve/resolv.conf
+fi
+
+# Create symlink to /etc/reolv.conf
+ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
diff --git a/files/initramfs/expand-premount b/files/initramfs/expand-premount
new file mode 100755
index 0000000..c0c5582
--- /dev/null
+++ b/files/initramfs/expand-premount
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Check for cryptdevice variable
+if [ -z "$cryptdevice" ] ; then
+ echo "unable to get cryptdevice variable (local-premount)"
+ exit 1
+fi
+
+if [ -n "$ROOT" ] ; then
+ # Resize encrypted root partition
+ cryptsetup resize "${ROOT}"
+ e2fsck -fp "${ROOT}"
+ resize2fs -f "${ROOT}"
+ e2fsck -fp "${ROOT}"
+fi
+
+exit 0
diff --git a/files/initramfs/expand-tools b/files/initramfs/expand-tools
new file mode 100755
index 0000000..ad5dea3
--- /dev/null
+++ b/files/initramfs/expand-tools
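Review bot: Under `set -e`, the two `e2fsck -fp "${ROOT}"` lines abort the script whenever e2fsck reports that it corrected something (exit status 1 and 2 mean errors were fixed; 4 and above mean it could not), so a root filesystem that merely needed repair is never resized and the local-premount hook exits non-zero. Capture the status and treat only values of 4 or more as fatal, e.g. `rv=0; e2fsck -fp "${ROOT}" || rv=$?` followed by `[ "$rv" -lt 4 ] || exit 1`, for both calls. Also, a missing `cryptdevice` exits 1 while an empty `$ROOT` silently skips the whole resize; the two failure modes deserve the same treatment, or at least a message for the second.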
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Use initramfs utility functions
+. /usr/share/initramfs-tools/hook-functions
+
+# Add binaries required for resizing the filesystem
+copy_exec /bin/grep /bin
+copy_exec /usr/bin/awk /bin
+copy_exec /usr/bin/cut /bin
+copy_exec /usr/bin/tail /bin
+copy_exec /sbin/fdisk /sbin
+copy_exec /sbin/parted /sbin
+copy_exec /sbin/e2fsck /sbin
+copy_exec /sbin/resize2fs /sbin
+copy_exec /sbin/partprobe /sbin
+
+exit 0
diff --git a/files/initramfs/expand_encrypted_rootfs b/files/initramfs/expand_encrypted_rootfs
new file mode 100644
index 0000000..e6896ba
--- /dev/null
+++ b/files/initramfs/expand_encrypted_rootfs
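Review bot: The hook copies grep, awk, cut, tail, fdisk, parted, e2fsck, resize2fs and partprobe into the initramfs, but the companion expand_encrypted_rootfs script (its `PART_START=` line) also pipes through `sed`, which is neither listed in that script's `# dependencies:` comment nor copied here; unless the initramfs already ships a sed (busybox, for instance), the premount script will fail at that point. Adding `copy_exec /bin/sed /bin` closes the gap, and the dependency comment in expand_encrypted_rootfs should name sed as well.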
@@ -0,0 +1,85 @@ +#!/bin/sh +# expand_encrypted_rootfs initramfs-tools boot script + +# dependencies: grep awk cut tail fdisk parted e2fsck resize2fs + +set -e + +# Wait for USB devices to be ready +sleep 5 + +# Use initramfs utility functions +if [ -r "/scripts/functions" ] ; then + . /scripts/functions +fi + +# Check for cryptdevice variable +if [ -z "$cryptdevice" ] ; then + echo "unable to get cryptdevice variable (init-premount)" + return 1 +fi + +# Detect root partition device +ROOT_PART=$(echo $cryptdevice | awk -F"/|:" '{ print $3 }') +if [ -z "$ROOT_PART" ] ; then + log_warning_msg "unable to detect encrypted root partition device (cryptdevice)" + return 1 +fi + +# Extract root device name +case "${ROOT_PART}" in + mmcblk0*) ROOT_DEV=mmcblk0 ;; + sda*) ROOT_DEV=sda ;; +esac + +# Check detected root partition name +PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') +if [ "$PART_NUM" = "$ROOT_PART" ] ; then + log_warning_msg "$ROOT_PART is not an SD card. Don't know how to expand" + return 1 +fi + +# NOTE: the NOOBS partition layout confuses parted. For now, let's only +# agree to work with a sufficiently simple partition layout +if [ "$PART_NUM" -gt 2 ] ; then + log_warning_msg "Your partition layout is not currently supported by this tool." + return 1 +fi + +# Check if last partition number +LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) +if [ $LAST_PART_NUM -ne $PART_NUM ]; then + log_warning_msg "$ROOT_PART is not the last partition. 
Don't know how to expand" + return 1 +fi + +# Get the starting offset of the root partition +PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') +if [ -z "$PART_START" ] ; then + log_warning_msg "${ROOT_DEV} unable to get starting sector of the partition" + return 1 +fi + +# Get the possible last sector for the root partition +PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') +if [ -z "$PART_LAST" ] ; then + log_warning_msg "${ROOT_DEV} unable to get last sector of the partition" + return 1 +fi + +### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit +fdisk /dev/${ROOT_DEV} 2> /dev/null < /dev/null - umount -l "$R/sys" 2> /dev/null - umount -l "$R/dev/pts" 2> /dev/null + umount -l "${R}/proc" 2> /dev/null + umount -l "${R}/sys" 2> /dev/null + umount -l "${R}/dev/pts" 2> /dev/null umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null umount "$BUILDDIR/mount" 2> /dev/null cryptsetup close "${CRYPTFS_MAPPING}" 2> /dev/null @@ -30,7 +30,7 @@ cleanup (){ chroot_exec() { # Exec command in chroot - LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot $R $* + LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot ${R} $* } install_readonly() { diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh index 03c7359..a04c8e3 100755 --- a/rpi2-gen-image.sh +++ b/rpi2-gen-image.sh 
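Review bot: `chroot ${R} $*` in the rewritten chroot_exec line passes the arguments unquoted, so each one is re-split on whitespace and subjected to glob expansion before it reaches chroot; callers in this series pass quoted values such as `-n "initramfs-${KERNEL_VERSION}"` (41-uboot.sh) and `usermod -p "${ENCRYPTED_PASSWORD}" root` (30-security.sh), which survive only because they happen to contain no spaces or glob characters. `chroot "${R}" "$@"` forwards every argument exactly as given. The unmount hunk above starts outside the visible page, so only this hunk is reviewed.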
@@ -42,12 +42,20 @@ RELEASE_ARCH=${RELEASE_ARCH:=armhf} CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-} COLLABORA_KERNEL=${COLLABORA_KERNEL:=3.18.0-trunk-rpi2} KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig} +KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img} +DTB_FILE=${DTB_FILE:=bcm2709-rpi-2-b.dtb} +UBOOT_CONFIG=${UBOOT_CONFIG:=rpi_2_defconfig} QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static} # Build directories BASEDIR="$(pwd)/images/${RELEASE}" BUILDDIR="${BASEDIR}/build" + +# Chroot directories R="${BUILDDIR}/chroot" +ETCDIR="${R}/etc" +BOOTDIR="${R}/boot/firmware" +KERNELDIR="${R}/usr/src/linux" # General settings HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} @@ -239,7 +247,7 @@ if [ -e "$BUILDDIR" ] ; then fi # Setup chroot directory -mkdir -p "$R" +mkdir -p "${R}" # Check if build directory has enough of free disk space >512MB if [ "$(df --output=avail ${BUILDDIR} | sed "1d")" -le "524288" ] ; then @@ -354,7 +362,7 @@ for SCRIPT in /chroot_scripts/* ; do fi done EOF - rm -rf "$R/chroot_scripts" + rm -rf "${R}/chroot_scripts" fi # Remove apt-utils @@ -362,8 +370,8 @@ chroot_exec apt-get purge -qq -y --force-yes apt-utils # Generate required machine-id MACHINE_ID=$(dbus-uuidgen) -echo -n "${MACHINE_ID}" > "$R/var/lib/dbus/machine-id" -echo -n "${MACHINE_ID}" > "$R/etc/machine-id" +echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id" +echo -n "${MACHINE_ID}" > "${ETCDIR}/machine-id" # APT Cleanup chroot_exec apt-get -y clean 
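Review bot: The machine-id hunk (`@@ -362,8 +370,8 @@`) still writes the build-time `MACHINE_ID` into both `/var/lib/dbus/machine-id` and `/etc/machine-id` of the image, so every device flashed from one image boots with the same identity; systemd-networkd, among others, derives per-host identifiers from /etc/machine-id, and the 24-generate-machineid.sh first-boot fragment only deletes the dbus copy, with `dbus-uuidgen --ensure` likely re-deriving it from the surviving /etc/machine-id rather than generating a new one. Leaving `/etc/machine-id` empty in the image (`: > "${ETCDIR}/machine-id"` in the cleanup section, if the value is needed for chroot operations during the build) lets systemd generate a fresh id on first boot. The same per-image-uniqueness concern applies to the `random-seed` the cleanup hunk removes, which is why its quoted-glob removals need to actually work.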
@@ -371,29 +379,29 @@ chroot_exec apt-get -y autoclean chroot_exec apt-get -y autoremove # Unmount mounted filesystems -umount -l "$R/proc" -umount -l "$R/sys" +umount -l "${R}/proc" +umount -l "${R}/sys" # Clean up directories -rm -rf "$R/run/*" -rm -rf "$R/tmp/*" +rm -rf "${R}/run/*" +rm -rf "${R}/tmp/*" # Clean up files -rm -f "$R/etc/ssh/ssh_host_*" -rm -f "$R/etc/dropbear/dropbear_*" -rm -f "$R/etc/apt/sources.list.save" -rm -f "$R/etc/resolvconf/resolv.conf.d/original" -rm -f "$R/etc/*-" -rm -f "$R/root/.bash_history" -rm -f "$R/var/lib/urandom/random-seed" -rm -f "$R/etc/apt/apt.conf.d/10proxy" -rm -f "$R/etc/resolv.conf" -rm -f "$R/initrd.img" -rm -f "$R/vmlinuz" +rm -f "${ETCDIR}/ssh/ssh_host_*" +rm -f "${ETCDIR}/dropbear/dropbear_*" +rm -f "${ETCDIR}/apt/sources.list.save" +rm -f "${ETCDIR}/resolvconf/resolv.conf.d/original" +rm -f "${ETCDIR}/*-" +rm -f "${ETCDIR}/apt/apt.conf.d/10proxy" +rm -f "${ETCDIR}/resolv.conf" +rm -f "${R}/root/.bash_history" +rm -f "${R}/var/lib/urandom/random-seed" +rm -f "${R}/initrd.img" +rm -f "${R}/vmlinuz" rm -f "${R}${QEMU_BINARY}" # Calculate size of the chroot directory in KB -CHROOT_SIZE=$(expr `du -s "$R" | awk '{ print $1 }'`) +CHROOT_SIZE=$(expr `du -s "${R}" | awk '{ print $1 }'`) # Calculate the amount of needed 512 Byte sectors TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) @@ -482,7 +490,7 @@ mkdir -p "$BUILDDIR/mount/boot/firmware" mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware" # Copy all files from the chroot to the loop device mount point directory -rsync -a "$R/" "$BUILDDIR/mount/" +rsync -a "${R}/" "$BUILDDIR/mount/" # Unmount all temporary loop devices and mount points cleanup -- cgit v1.2.3