From b33dfc51ccafb9172c0a29c0e4376f0db8b9e3f1 Mon Sep 17 00:00:00 2001
From: Jan Wagner
Date: Fri, 25 Mar 2016 21:58:11 +0100
Subject: Added: ENABLE_CRYPTFS - encrypted rootfs, use-latest-bootloader, cp-cleanup
---
 bootstrap.d/10-bootstrap.sh | 4 +-
 bootstrap.d/11-apt.sh | 27 +++++++++++------
 bootstrap.d/13-kernel.sh | 74 ++++++++++++++++++++++++++++++++++++++-------
 bootstrap.d/41-uboot.sh | 2 +-
 bootstrap.d/50-firstboot.sh | 3 +-
 bootstrap.d/99-reduce.sh | 6 ++++
 6 files changed, 90 insertions(+), 26 deletions(-)
(limited to 'bootstrap.d')
diff --git a/bootstrap.d/10-bootstrap.sh b/bootstrap.d/10-bootstrap.sh
index 7b4a04d..f55c3e3 100644
--- a/bootstrap.d/10-bootstrap.sh
+++ b/bootstrap.d/10-bootstrap.sh
@@ -13,11 +13,11 @@ else
 fi
 # Copy qemu emulator binary to chroot
-cp "${QEMU_BINARY}" "$R/usr/bin"
+install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"
 # Copy debian-archive-keyring.pgp
 mkdir -p "$R/usr/share/keyrings"
-cp /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
+install_readonly /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
 # Complete the bootstrapping process
 chroot_exec /debootstrap/debootstrap --second-stage
diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh
index 9610832..554aaf5 100644
--- a/bootstrap.d/11-apt.sh
+++ b/bootstrap.d/11-apt.sh
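Review bot: `install_exec "${QEMU_BINARY}" "${R}${QEMU_BINARY}"` only lands inside the chroot when QEMU_BINARY is an absolute path; the `cp ... "$R/usr/bin"` it replaces accepted any path, whereas a bare or relative value now makes the destination `${R}qemu-...`, a sibling of the build root written as root rather than a file under it. QEMU_BINARY is assigned outside this hunk, so whether it is guaranteed absolute cannot be seen here; a one-line guard before the copy makes the assumption explicit: `case "${QEMU_BINARY}" in /*) ;; *) echo "error: QEMU_BINARY must be an absolute path" >&2; exit 1 ;; esac`. Mirroring the host path is presumably what the binfmt_misc registration needs, so a comment stating that would help the next reader: `# must match the interpreter path registered with binfmt_misc on the host`.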
@@ -11,18 +11,25 @@ if [ -z "$APT_PROXY" ] ; then
 sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
 fi
-# Install APT pinning configuration for flash-kernel package
-install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
+if [ "$BUILD_KERNEL" = false ] ; then
+ # Install APT pinning configuration for flash-kernel package
+ install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
-# Upgrade collabora package index and install collabora keyring
-echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list"
-chroot_exec apt-get -qq -y update
-chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
+ # Install APT sources.list
+ install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
+ echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >> "$R/etc/apt/sources.list"
+
+ # Upgrade collabora package index and install collabora keyring
+ chroot_exec apt-get -qq -y update
+ chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
+else # BUILD_KERNEL=true
+ # Install APT sources.list
+ install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
-# Install APT sources.list
-install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
-sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
-sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
+ # Use specified APT server and release
+ sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
+ sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
+fi
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index 671025d..ec6b59f 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
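Review bot: The `${APT_SERVER}` and `${RELEASE}` sed rewrites of sources.list now run only in the `else` branch, so with BUILD_KERNEL=false the installed files/apt/sources.list keeps its shipped mirror and `jessie` suite while the collabora line appended right after it uses `${RELEASE}`; the pre-patch code applied both seds unconditionally. Move the two `sed -i` lines below the closing `fi` so both branches get them. Separately, the keyring bootstrap still runs `chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring` against an index whose signing key is presumably not yet installed, which means the trust root for every later collabora package is accepted without verification. Shipping that key under files/ and placing it with install_readonly before the `apt-get update` would let the `--force-yes` go away and close that gap.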
@@ -110,24 +110,31 @@ if [ "$BUILD_KERNEL" = true ] ; then
 KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"`
 # Copy kernel configuration file to the boot directory
- cp "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
+ install_readonly "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}"
 # Copy dts and dtb device tree sources and binaries
 mkdir "$R/boot/firmware/overlays/"
- cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
- cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
- cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/"
+ install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/"
+ install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/"
+ install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/README"
- # Convert kernel zImage and copy it to the boot directory
- "$R/usr/src/linux/scripts/mkknlimg" "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
+ # Copy zImage kernel to the boot directory
+ install_readonly "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img"
 # Remove kernel sources
 if [ "$KERNEL_REMOVESRC" = true ] ; then
 rm -fr "$R/usr/src/linux"
 fi
- # Install raspberry bootloader and flash-kernel packages
- chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel
+ # Install latest boot binaries from raspberry/firmware github
+ wget -q -O "$R/boot/firmware/bootcode.bin" https://github.com/raspberrypi/firmware/raw/master/boot/bootcode.bin
+ wget -q -O "$R/boot/firmware/fixup_cd.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_cd.dat
+ wget -q -O "$R/boot/firmware/fixup.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup.dat
+ wget -q -O "$R/boot/firmware/fixup_x.dat" https://github.com/raspberrypi/firmware/raw/master/boot/fixup_x.dat
+ wget -q -O "$R/boot/firmware/start_cd.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_cd.elf
+ wget -q -O "$R/boot/firmware/start.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start.elf
+ wget -q -O "$R/boot/firmware/start_x.elf" https://github.com/raspberrypi/firmware/raw/master/boot/start_x.elf
+
 else # BUILD_KERNEL=false
 # Kernel installation
 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" raspberrypi-bootloader-nokernel
@@ -135,9 +142,15 @@ else # BUILD_KERNEL=false
 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
 chroot_exec apt-get -qq -y install flash-kernel
+ # Check if kernel installation was successful
 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
- [ -z "$VMLINUZ" ] && exit 1
- cp "$VMLINUZ" "$R/boot/firmware/kernel7.img"
+ if [ -z "$VMLINUZ" ] ; then
+ echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"
+ cleanup
+ exit 1
+ fi
+ # Copy vmlinuz kernel to the boot directory
+ install_readonly "$VMLINUZ" "$R/boot/firmware/kernel7.img"
 fi
 # Setup firmware boot cmdline
@@ -160,6 +173,11 @@ fi
 # Install firmware boot cmdline
 echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"
+# Add encrypted root partition to cmdline.txt
+if [ "$ENABLE_CRYPTFS" = true ] ; then
+ sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/" "$R/boot/firmware/cmdline.txt"
+fi
+
 # Install firmware config
 install_readonly files/boot/config.txt "$R/boot/firmware/config.txt"
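Review bot: The seven `wget -q -O "$R/boot/firmware/..." https://github.com/raspberrypi/firmware/raw/master/boot/...` lines fetch the boot firmware from a moving branch with no integrity check and no exit-status check, whereas the removed `apt-get install raspberrypi-bootloader-nokernel` got signature verification and a pinned version from apt for free. A failed or interrupted fetch can leave a truncated or empty `bootcode.bin`/`start.elf` in the image, since `-O` creates the target before the transfer completes, and unless the caller runs under `set -e` (not visible here) the build carries on and produces an unbootable or, worse, partially-downloaded bootloader. Pin the URL to a specific firmware commit instead of `master`, record the expected SHA-256 of each blob alongside that revision and compare after download, and abort on any failure; the loop below gives the shape of the fetch-and-check. The enclosing `if [ "$BUILD_KERNEL" = true ]` block begins before this hunk.
```shell
FIRMWARE_REV="master"   # TODO: pin to a raspberrypi/firmware commit id and record each blob's sha256 next to it
FIRMWARE_URL="https://github.com/raspberrypi/firmware/raw/${FIRMWARE_REV}/boot"
# … unchanged: kernel config, dtb/zImage install_readonly lines, KERNEL_REMOVESRC handling …
# Fetch each boot blob and refuse to continue with a missing or partial file
for blob in bootcode.bin fixup_cd.dat fixup.dat fixup_x.dat start_cd.elf start.elf start_x.elf ; do
  if ! wget -q -O "$R/boot/firmware/${blob}" "${FIRMWARE_URL}/${blob}" ; then
    echo "error: download of ${blob} from ${FIRMWARE_URL} failed" >&2
    rm -f "$R/boot/firmware/${blob}"
    cleanup
    exit 1
  fi
done
```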
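Review bot: The new failure message `echo "error: kernel installation failed! (/boot/vmlinuz-* not found)"` goes to stdout; build diagnostics belong on stderr, `echo "error: ..." >&2`, so they survive when the script's output is captured or quieted. The VMLINUZ lookup this now guards is unchanged but worth fixing while here: `ls -1 $R/boot/vmlinuz-* | sort | tail -n 1` word-splits an unquoted `$R` and uses lexical order, so with more than one installed kernel `vmlinuz-4.10` sorts before `vmlinuz-4.9`; `VMLINUZ="$(ls -1 "$R"/boot/vmlinuz-* | sort -V | tail -n 1)"` picks the newest by version. The `else` branch this sits in begins before the hunk.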
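Review bot: The `sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=..."` rewrite succeeds silently when `cmdline.txt` contains no `mmcblk0p2` — for instance if the CMDLINE assembled above this hunk already names a different root device — and the image then carries a `root=` pointing at the raw partition and no `cryptdevice=` at all, failing at boot instead of failing the build. Verify the rewrite took effect right after the sed: `grep -q "cryptdevice=/dev/mmcblk0p2:${CRYPTFS_MAPPING}" "$R/boot/firmware/cmdline.txt" || { echo "error: could not add cryptdevice to cmdline.txt" >&2; cleanup; exit 1; }`. `${CRYPTFS_MAPPING}` is also spliced unescaped into the sed replacement here and into the fstab sed later in this file, so a value containing `/` or `&` either errors out or produces a mangled cmdline; rejecting it up front with `case "${CRYPTFS_MAPPING}" in ""|*[!A-Za-z0-9_-]*) echo "error: CRYPTFS_MAPPING must be a plain device-mapper name" >&2; exit 1 ;; esac` keeps every later use safe. The CMDLINE setup this appends to lies outside the hunk.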
@@ -168,6 +186,11 @@ if [ "$ENABLE_MINGPU" = true ] ; then
 echo "gpu_mem=16" >> "$R/boot/firmware/config.txt"
 fi
+# Setup boot with initramfs
+if [ "$ENABLE_INITRAMFS" = true ] ; then
+ echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "$R/boot/firmware/config.txt"
+fi
+
 # Create firmware configuration and cmdline symlinks
 ln -sf firmware/config.txt "$R/boot/config.txt"
 ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt"
@@ -192,8 +215,37 @@ install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-bla
 # Install and setup fstab
 install_readonly files/mount/fstab "$R/etc/fstab"
+
+# Add usb/sda disk root partition to fstab
 if [ "$ENABLE_SPLITFS" = true ] ; then
- sed -i 's/mmcblk0p2/sda1/' "$R/etc/fstab"
+ sed -i "s/mmcblk0p2/sda1/" "$R/etc/fstab"
+fi
+
+# Add encrypted root partition to fstab and crypttab
+if [ "$ENABLE_CRYPTFS" = true ] ; then
+ # Replace fstab root partition with encrypted partition mapping
+ sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "$R/etc/fstab"
+
+ # Add encrypted partition to crypttab and fstab
+ install_readonly files/mount/crypttab "$R/etc/crypttab"
+ echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks" >> "$R/etc/crypttab"
+fi
+
+# Generate initramfs file
+if [ "$ENABLE_INITRAMFS" = true ] ; then
+ if [ "$ENABLE_CRYPTFS" = true ] ; then
+ # Dummy mapping required by mkinitramfs
+ echo "0 1 crypt $(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
+
+ # Generate initramfs with encrypted root partition support
+ chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+
+ # Remove dummy mapping
+ chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
+ else
+ # Generate initramfs without encrypted root partition support
+ chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
+ fi
 fi
 # Install sysctl.d configuration files
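Review bot: `initramfs initramfs-${KERNEL_VERSION} followkernel` is appended whenever ENABLE_INITRAMFS is set, regardless of BUILD_KERNEL, but the only assignment of KERNEL_VERSION visible in this commit is inside the `BUILD_KERNEL=true` branch (the `cat .../kernel.release` line at the top of the first hunk); if nothing else sets it on the packaged-kernel path, the `false` branch writes `initramfs initramfs- followkernel` here and later hands mkinitramfs an empty version. Derive it from the kernel that branch already located, right after VMLINUZ is validated: `KERNEL_VERSION="${VMLINUZ##*/vmlinuz-}"`. If KERNEL_VERSION is instead exported by a config file outside this diff, a comment saying so at this point of use would stop the next reader chasing the same question.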
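Review bot: `chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"` closes whatever device-mapper node of that name exists on the build host, and the preceding `dmsetup create` fails if such a node already exists; nothing here checks either, so a host that already has a mapping called `${CRYPTFS_MAPPING}` (a developer's own LUKS volume being the obvious case) gets it torn down by the build, and a mkinitramfs failure in between leaves the dummy mapping behind because the close is not on the error path. Refuse to proceed when the name is taken and run the close unconditionally, as in the block below. Two smaller points in the same block: `$(echo ${CRYPTFS_CIPHER} | cut -d ':' -f 1)` is an unquoted expansion plus two subshells where `${CRYPTFS_CIPHER%%:*}` does the same, and because the kernel, this initramfs and cmdline.txt live on the plain FAT `/boot/firmware` that the Pi boots without any verification, the threat model deserves a comment: `# NOTE: LUKS protects the root filesystem at rest only; /boot/firmware (kernel, initramfs, cmdline) stays unencrypted and unverified at boot, so a tampered boot partition can capture the passphrase.`
```shell
# Generate initramfs file
if [ "$ENABLE_INITRAMFS" = true ] ; then
  if [ "$ENABLE_CRYPTFS" = true ] ; then
    # Never create (and later close) a mapping the host is already using under this name
    if chroot_exec dmsetup info "${CRYPTFS_MAPPING}" >/dev/null 2>&1 ; then
      echo "error: device-mapper name ${CRYPTFS_MAPPING} is already in use on the host" >&2
      cleanup
      exit 1
    fi
    # Dummy mapping required by mkinitramfs (fixed throw-away key, placeholder backing device)
    echo "0 1 crypt ${CRYPTFS_CIPHER%%:*} ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
    # Build the initramfs, then tear the dummy mapping down whether or not that succeeded
    rc=0
    chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" || rc=$?
    chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
    if [ "$rc" -ne 0 ] ; then
      echo "error: mkinitramfs failed (exit ${rc})" >&2
      cleanup
      exit 1
    fi
  else
    # … unchanged: plain mkinitramfs call …
  fi
fi
```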
diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh
index d3f13b9..8f59f26 100644
--- a/bootstrap.d/41-uboot.sh
+++ b/bootstrap.d/41-uboot.sh
@@ -19,7 +19,7 @@ if [ "$ENABLE_UBOOT" = true ] ; then
 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
 # Copy compiled bootloader binary and set config.txt to load it
- cp "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/"
+ install_readonly "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/u-boot.bin"
 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt"
 # Install and setup U-Boot command file
diff --git a/bootstrap.d/50-firstboot.sh b/bootstrap.d/50-firstboot.sh
index 0c93d11..2ec9404 100644
--- a/bootstrap.d/50-firstboot.sh
+++ b/bootstrap.d/50-firstboot.sh
@@ -9,9 +9,8 @@ cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot"
 # Ensure openssh server host keys are regenerated on first boot
-if [ "$ENABLE_SSHD" = true ] && [ "$ENABLE_REDUCE" = false ]; then
+if [ "$ENABLE_SSHD" = true ] ; then
 cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot"
- rm -f "$R/etc/ssh/ssh_host_*"
 fi
 # Prepare filesystem auto expand
diff --git a/bootstrap.d/99-reduce.sh b/bootstrap.d/99-reduce.sh
index f3b2848..99fbc9b 100644
--- a/bootstrap.d/99-reduce.sh
+++ b/bootstrap.d/99-reduce.sh
@@ -66,6 +66,12 @@ if [ "$ENABLE_REDUCE" = true ] ; then
 rm -f "$R/boot/firmware/fixup_x.dat"
 fi
+ # Remove kernel and initrd from /boot (already in /boot/firmware)
+ if [ "$BUILD_KERNEL" = false ] ; then
+ rm -r "$R/boot/vmlinuz--*"
+ rm -r "$R/boot/initrd.img-*"
+ fi
+
 # Clean APT list of repositories
 rm -fr "$R/var/lib/apt/lists/*"
 chroot_exec apt-get -qq -y update
--
cgit v1.2.3
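Review bot: Dropping `rm -f "$R/etc/ssh/ssh_host_*"` leaves the host keys that openssh-server generated inside the chroot in the image, so every device flashed from it starts with the same SSH identity unless files/firstboot/21-generate-ssh-keys.sh (not in this diff) unconditionally deletes and regenerates them rather than only filling in missing ones. The removed line never worked anyway: the glob sits inside double quotes, so it tried to delete a file literally named `ssh_host_*`. Keep the deletion with the quoting fixed, `rm -f "$R"/etc/ssh/ssh_host_*`, inside the same `ENABLE_SSHD` branch, so the first-boot script only ever has keys to create and never keys to reuse.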
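Review bot: Both new lines `rm -r "$R/boot/vmlinuz--*"` and `rm -r "$R/boot/initrd.img-*"` quote their glob, so the shell never expands it and rm is asked for files literally named `vmlinuz--*` and `initrd.img-*`; neither exists, rm returns non-zero, and the kernel and initrd stay in /boot (the double dash in `vmlinuz--*` is also a typo — the kernel path used in 13-kernel.sh is `vmlinuz-*`). `-r` is the wrong flag for regular files as well. Replace the two lines with `rm -f "$R"/boot/vmlinuz-* "$R"/boot/initrd.img-*`; the pre-existing `rm -fr "$R/var/lib/apt/lists/*"` in the context below has the same quoting problem and is presumably also a no-op.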