webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-13 20:42:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
75363dc20ffbb2aa17518b757eec2a4e09f9be65
bpfire/lfs/flash-images
Peter Müller 9a7e4d8506 Switch checksums from MD5 to BLAKE2 
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
2022-04-02 14:19:25 +00:00

272 lines
8.3 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = ipfire
THISAPP = flash-image
TARGET = $(DIR_INFO)/$(THISAPP)
DEVICE = $(shell losetup -f)
PART_BOOT = /dev/mapper/$(patsubst /dev/%,%,$(DEVICE))p1
ifeq "$(EFI)" "1"
PART_EFI = /dev/mapper/$(patsubst /dev/%,%,$(DEVICE))p2
endif
PART_ROOT = /dev/mapper/$(patsubst /dev/%,%,$(DEVICE))p3
IMAGE_FILE = /install/images/$(SNAME)-$(VERSION).2gb-ext4.$(BUILD_ARCH)-full-core$(CORE).img.xz
FSTAB_FMT = UUID=%s %-8s %-4s %-10s %d %d\n
###############################################################################
# Top-level Rules
###############################################################################
install : $(TARGET)
check :
download :
b2 :
###############################################################################
# Installation Details
###############################################################################
MNThdd := $(DIR_TMP)/harddisk
IMG := $(DIR_TMP)/image.img
# All sizes in blocks
ifeq "$(BUILD_PLATFORM)" "arm"
BOOTLOADER =
S_OFFSET = 8192
# FAT32
PART_TYPE = c
ifeq "$(BUILD_ARCH)" "aarch64"
BOOTLOADER = grub
S_OFFSET = 32768
endif
else
BOOTLOADER = grub
S_OFFSET = 8192
# Linux
PART_TYPE = L
endif
# /boot: 128MB - OFFSET
# / : 1800 MB
S_BOOT := $(shell echo $$(( 262144 - $(S_OFFSET) )))
S_ROOT := 3773292
ifeq "$(EFI)" "1"
S_EFI = 65536 # 32 MB
else
S_EFI = 0
endif
PADDING = 100 # MB
ifeq "$(EFI)" "1"
SFDISK = $(SFDISK_BOOT)$(SFDISK_EFI)$(SFDISK_ROOT)
else
SFDISK = $(SFDISK_BOOT),0,0\n$(SFDISK_ROOT)
endif
SFDISK_BOOT = $(S_OFFSET),$(S_BOOT),$(PART_TYPE),*\n
SFDISK_EFI = $(shell echo $$(( $(S_OFFSET) + $(S_BOOT) ))),$(S_EFI),U\n
SFDISK_ROOT = $(shell echo $$(( $(S_OFFSET) + $(S_BOOT) + $(S_EFI) ))),$(S_ROOT),L\n
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Stop if $(MNThdd) is still mounted
mountpoint $(MNThdd) && exit 1 || exit 0
rm -rf $(IMG) $(MNThdd) && mkdir -p $(MNThdd)
# Allocate image on disk
dd if=/dev/zero of=$(IMG) bs=512 count=$$(( $(S_OFFSET) + $(S_BOOT) + $(S_EFI) + $(S_ROOT) ))
losetup $(DEVICE) $(IMG)
# Write Partition table
echo -e "$(SFDISK)" | sfdisk -uS $(DEVICE)
kpartx -v -a $(DEVICE)
# Format them
ifeq "$(PART_TYPE)" "c"
mkfs.vfat $(PART_BOOT)
else
mkfs.ext2 -F $(PART_BOOT)
endif
ifeq "$(EFI)" "1"
mkfs.vfat $(PART_EFI)
endif
mkfs.ext4 -O ^has_journal,extent -F $(PART_ROOT)
# Most systems that use Flashimages has no RTC at boot
# so the interval check should disables
tune2fs -i0 $(PART_ROOT)
# Mount root partition
mount $(PART_ROOT) $(MNThdd)
# Mount boot partition
mkdir -pv $(MNThdd)/boot
mount $(PART_BOOT) $(MNThdd)/boot
ifeq "$(EFI)" "1"
mkdir -pv $(MNThdd)/boot/efi
mount $(PART_EFI) $(MNThdd)/boot/efi
endif
# Install Pandaboard MLO and uboot first
ifeq "$(BUILD_ARCH)" "armv6l"
cp -v /boot/MLO $(MNThdd)/boot/
cp -v /boot/u-boot.img $(MNThdd)/boot/
sync
umount $(MNThdd)/boot
mount $(PART_BOOT) $(MNThdd)/boot
endif
# Install IPFire
ifneq "$(BUILD_PLATFORM)" "arm"
tar $(TAR_OPTIONS) -x --zstd -C $(MNThdd)/ -f $(DIR_TMP)/cdrom/distro.img
else
tar $(TAR_OPTIONS) -x -C $(MNThdd)/ -f $(DIR_TMP)/cdrom/distro.img
endif
-touch $(MNThdd)/lib/modules/$(KVER)-ipfire/modules.dep
mkdir $(MNThdd)/proc
mount --bind /proc $(MNThdd)/proc
mount --bind /dev $(MNThdd)/dev
mount --bind /sys $(MNThdd)/sys
chroot $(MNThdd) /usr/bin/perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
# Create /etc/fstab
printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_BOOT))" "/boot" \
"auto" "defaults" 1 2 > $(MNThdd)/etc/fstab
ifeq "$(EFI)" "1"
printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_EFI))" "/boot/efi" \
"auto" "defaults" 1 2 >> $(MNThdd)/etc/fstab
endif
printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_ROOT))" "/" \
"auto" "defaults" 1 1 >> $(MNThdd)/etc/fstab
ifeq "$(BOOTLOADER)" "grub"
# backup defaults file
cp $(MNThdd)/etc/default/grub $(MNThdd)/etc/default/grub.backup
# Enable also serial console on GRUB
echo "GRUB_TERMINAL=\"serial console\"" >> $(MNThdd)/etc/default/grub
echo "GRUB_SERIAL_COMMAND=\"serial --unit=0 --speed=115200\"" >> $(MNThdd)/etc/default/grub
# Add additional entry for Serial console
cp $(DIR_SRC)/config/flash-images/grub/11_linux_scon \
$(MNThdd)/etc/grub.d/
# Create configuration
mkdir -pv $(MNThdd)/boot/grub
GRUB_FIRST_BOOT=true KERNEL_RELEASE="$(KVER)-ipfire" chroot $(MNThdd) \
grub-mkconfig -o /boot/grub/grub.cfg
# Boot the first kernel by default
chroot $(MNThdd) grub-set-default 0
# Insert the UUID because grub-mkconfig often fails to
# detect that correctly
sed -i $(MNThdd)/boot/grub/grub.cfg \
-e "s/root=[A-Za-z0-9\/=-]*/root=UUID=$$(blkid -o value -s UUID $(PART_ROOT))/g"
ifeq "$(BUILD_PLATFORM)" "x86"
# Install GRUB
grub-install --force --recheck --no-floppy --target=i386-pc \
--root-directory=$(MNThdd) $(DEVICE)
endif
ifeq "$(EFI)" "1"
# Install GRUB for EFI
grub-install --target=$(GRUB_ARCH)-efi --removable --no-nvram \
--boot-directory=$(MNThdd)/boot --efi-directory=$(MNThdd)/boot/efi
endif
# restore orginal defaults
mv -f $(MNThdd)/etc/default/grub.backup $(MNThdd)/etc/default/grub
rm -f $(MNThdd)/etc/grub.d/11_linux_scon
endif
ifeq "$(BUILD_PLATFORM)" "arm"
# Insert the UUID to uENV.txt
sed -i $(MNThdd)/boot/uENV.txt \
-e "s/^root_dev=.*/root_dev=UUID=$$(blkid -o value -s UUID $(PART_ROOT))/g"
endif
# Set ramdisk mode to automatic
echo RAMDISK_MODE=2 > $(MNThdd)/etc/sysconfig/ramdisk
# Automatically resize the root partition to its maximum size at first boot
touch $(MNThdd)/.partresize
# Unmount
umount $(MNThdd)/proc
umount $(MNThdd)/sys
umount $(MNThdd)/dev
ifeq "$(EFI)" "1"
umount $(MNThdd)/boot/efi
endif
umount $(MNThdd)/boot
umount $(MNThdd)
# zerofree the ext2 images to get better compression
ifneq "$(PART_TYPE)" "c"
zerofree $(PART_BOOT)
-fsck.ext2 -f -y $(PART_BOOT)
fsck.ext2 -f -y $(PART_BOOT)
endif
zerofree $(PART_ROOT)
-fsck.ext4 -f -y $(PART_ROOT)
fsck.ext4 -f -y $(PART_ROOT)
sleep 10 #Ubuntu compiling: allow time to automount/dismount
kpartx -d -v $(DEVICE)
losetup -d $(DEVICE)
# Add padding at the end of the image (to fix alignment issues if the image is
# not copied to a block device)
dd if=/dev/zero bs=1M count=$(PADDING) >> $(IMG)
ifeq "$(BUILD_ARCH)" "armv6l"
# Install u-boot for Orangepi Zero/Nanopi DUO into image 8KB
dd if=/usr/share/u-boot/orangepi_zero/u-boot-sunxi-with-spl.bin of=$(IMG) bs=1K seek=8 conv=notrunc
endif
ifeq "$(BUILD_ARCH)" "aarch64"
# Install u-boot for NanoPi R2S into image 8KB
dd if=/usr/share/u-boot/nanopi_r2s/u-boot-rockchip.bin of=$(IMG) bs=1K seek=32 conv=notrunc
endif
# Compress Image
xz $(XZ_OPT) < $(IMG) > $(IMAGE_FILE)
rm -rf $(IMG) $(MNThdd) $(DIR_TMP)/cdrom
Reference in New Issue View Git Blame Copy Permalink