├── .github ├── FUNDING.yml └── workflows │ └── ci.yml ├── .gitignore ├── .vscode └── extensions.json ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── README.md └── build-kernel.sh /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: ['https://paypal.me/tschaffter/0usd'] 13 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | tags: 8 | - '*' 9 | pull_request: 10 | 11 | jobs: 12 | lint: 13 | runs-on: ubuntu-18.04 14 | container: hadolint/hadolint:latest 15 | steps: 16 | - uses: actions/checkout@v2 17 | - name: Run hadolint 18 | run: hadolint Dockerfile 19 | 20 | test: 21 | needs: [lint] 22 | runs-on: ubuntu-18.04 23 | steps: 24 | - uses: actions/checkout@v2 25 | - name: Run builder script with arguments `--help` 26 | run: ./build-kernel.sh --help 27 | 28 | release: 29 | needs: [test] 30 | runs-on: ubuntu-18.04 31 | steps: 32 | - uses: actions/checkout@v2 33 | 34 | - name: Set variables 35 | id: vars 36 | run: | 37 | echo ::set-output \ 38 | name=repository::tschaffter/${{ github.event.repository.name }} 39 | echo ::set-output name=user::tschaffter 40 | if [[ ${GITHUB_REF} = refs/tags/* ]] 41 | then 42 | echo 
::set-output name=version::${GITHUB_REF#refs/tags/} 43 | echo ::set-output name=push::true 44 | else 45 | echo ::set-output name=version::test 46 | echo ::set-output name=push::false 47 | fi 48 | 49 | - name: Build Dockerfile.base 50 | uses: docker/build-push-action@v1 51 | with: 52 | username: ${{ secrets.DOCKER_USERNAME }} 53 | password: ${{ secrets.DOCKER_PASSWORD }} 54 | repository: ${{ steps.vars.outputs.repository }} 55 | tags: latest, ${{ steps.vars.outputs.version }} 56 | push: ${{ steps.vars.outputs.push }} -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | output/ -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "exiasr.hadolint" 4 | ] 5 | } -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | When contributing to this repository, please first discuss the change you wish to make via issue, 4 | email, or any other method with the owners of this repository before making a change. 5 | 6 | Please note we have a code of conduct, please follow it in all your interactions with the project. 7 | 8 | ## Pull Request Process 9 | 10 | 1. Ensure any install or build dependencies are removed before the end of the layer when doing a 11 | build. 12 | 2. Update the README.md with details of changes to the interface, this includes new environment 13 | variables, exposed ports, useful file locations and container parameters. 14 | 3. Increase the version numbers in any examples files and the README.md to the new version that this 15 | Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/). 
16 | 4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you 17 | do not have permission to do that, you may request the second reviewer to merge it for you. 18 | 19 | ## Code of Conduct 20 | 21 | ### Our Pledge 22 | 23 | We as members, contributors, and leaders pledge to make participation in our 24 | community a harassment-free experience for everyone, regardless of age, body 25 | size, visible or invisible disability, ethnicity, sex characteristics, gender 26 | identity and expression, level of experience, education, socio-economic status, 27 | nationality, personal appearance, race, religion, or sexual identity 28 | and orientation. 29 | 30 | We pledge to act and interact in ways that contribute to an open, welcoming, 31 | diverse, inclusive, and healthy community. 32 | 33 | ### Our Standards 34 | 35 | Examples of behavior that contributes to a positive environment for our 36 | community include: 37 | 38 | * Demonstrating empathy and kindness toward other people 39 | * Being respectful of differing opinions, viewpoints, and experiences 40 | * Giving and gracefully accepting constructive feedback 41 | * Accepting responsibility and apologizing to those affected by our mistakes, 42 | and learning from the experience 43 | * Focusing on what is best not just for us as individuals, but for the 44 | overall community 45 | 46 | Examples of unacceptable behavior include: 47 | 48 | * The use of sexualized language or imagery, and sexual attention or 49 | advances of any kind 50 | * Trolling, insulting or derogatory comments, and personal or political attacks 51 | * Public or private harassment 52 | * Publishing others' private information, such as a physical or email 53 | address, without their explicit permission 54 | * Other conduct which could reasonably be considered inappropriate in a 55 | professional setting 56 | 57 | ### Enforcement Responsibilities 58 | 59 | Community leaders are responsible for clarifying and 
enforcing our standards of 60 | acceptable behavior and will take appropriate and fair corrective action in 61 | response to any behavior that they deem inappropriate, threatening, offensive, 62 | or harmful. 63 | 64 | Community leaders have the right and responsibility to remove, edit, or reject 65 | comments, commits, code, wiki edits, issues, and other contributions that are 66 | not aligned to this Code of Conduct, and will communicate reasons for moderation 67 | decisions when appropriate. 68 | 69 | ### Scope 70 | 71 | This Code of Conduct applies within all community spaces, and also applies when 72 | an individual is officially representing the community in public spaces. 73 | Examples of representing our community include using an official e-mail address, 74 | posting via an official social media account, or acting as an appointed 75 | representative at an online or offline event. 76 | 77 | ### Enforcement 78 | 79 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 80 | reported to the community leaders responsible for enforcement at 81 | [INSERT CONTACT METHOD]. 82 | All complaints will be reviewed and investigated promptly and fairly. 83 | 84 | All community leaders are obligated to respect the privacy and security of the 85 | reporter of any incident. 
86 | 87 | ### Attribution 88 | 89 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, 90 | available at [http://contributor-covenant.org/version/2/0][version] 91 | 92 | [homepage]: http://contributor-covenant.org 93 | [version]: http://contributor-covenant.org/version/2/0/ -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:buster-20200803-slim 2 | 3 | LABEL maintainer="thomas.schaffter@gmail.com" 4 | 5 | # Internal user who will build the kernel 6 | ARG user=builder 7 | 8 | # Install Git and the build dependencies 9 | # hadolint ignore=DL3008 10 | RUN apt-get update -qq -y && apt-get install --no-install-recommends -qq -y \ 11 | apt-transport-https \ 12 | bc \ 13 | bison \ 14 | build-essential \ 15 | ca-certificates \ 16 | cpio \ 17 | dpkg-dev \ 18 | fakeroot \ 19 | flex \ 20 | git \ 21 | kmod \ 22 | libssl-dev \ 23 | libc6-dev \ 24 | libncurses5-dev \ 25 | make \ 26 | rsync \ 27 | && update-ca-certificates \ 28 | && apt-get -y autoclean \ 29 | && apt-get -y autoremove \ 30 | && rm -rf /var/lib/apt/lists/* 31 | 32 | # Create user and set work directory 33 | RUN useradd -m $user 34 | USER $user 35 | WORKDIR /home/$user 36 | 37 | # Copy script that builds the kernel 38 | COPY --chown=$user:$user build-kernel.sh . 
39 | RUN chmod +x build-kernel.sh 40 | 41 | ENTRYPOINT ["bash", "build-kernel.sh"] 42 | CMD ["--help"] -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Thomas Schaffter 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hardened Kernel Builder for Raspberry Pi 2 | 3 | [![GitHub Stars](https://img.shields.io/github/stars/tschaffter/raspberry-pi-kernel-hardened.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/tschaffter/raspberry-pi-kernel-hardened) 4 | [![GitHub Release](https://img.shields.io/github/release/tschaffter/raspberry-pi-kernel-hardened.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/tschaffter/raspberry-pi-kernel-hardened/releases) 5 | [![Docker Stars](https://img.shields.io/docker/stars/tschaffter/raspberry-pi-kernel-hardened.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/tschaffter/raspberry-pi-kernel-hardened) 6 | [![GitHub CI](https://img.shields.io/github/workflow/status/tschaffter/raspberry-pi-kernel-hardened/ci.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/tschaffter/raspberry-pi-kernel-hardened) 7 | [![GitHub License](https://img.shields.io/github/license/tschaffter/raspberry-pi-kernel-hardened.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/tschaffter/raspberry-pi-kernel-hardened) 8 | 9 | Cross-compile the [Linux kernel for Raspberry Pi][raspberrypi_kernel_build] with 10 | enhanced security support in a single command. 
11 | 12 | ## Features 13 | 14 | - Dockerized tool to cross-compile a hardened Linux kernel for the Pi 15 | - Hardens the Linux kernel by adding 16 | - Audit support 17 | - SELinux support 18 | 19 | ## Usage 20 | 21 | This command shows the options of the builder: 22 | 23 | $ docker run --rm tschaffter/raspberry-pi-kernel-hardened 24 | Cross-compiling hardened kernels for Raspberry Pi 25 | Usage: build-kernel.sh [--kernel-branch ] [--kernel-defconfig ] [--kernel-localversion ] [-h|--help] 26 | --kernel-branch: Kernel branch to build (default: '') 27 | --kernel-defconfig: Default kernel config to use (default: '') 28 | --kernel-localversion: Kernel local version (default: '') 29 | -h, --help: Prints help 30 | 31 | ## Build the hardened kernel 32 | 33 | ### Identify the kernel version to build 34 | 35 | Go to the GitHub repository of the [Linux kernel of Raspberry Pi][gh_raspberrypi/linux] 36 | and identify the name of the branch or tag that you want to build. 37 | 38 | Examples: 39 | 40 | - The branch `rpi-5.4.y` 41 | - The tag `raspberrypi-kernel_1.20200527-1` 42 | 43 | ### Identify the default configuration to use 44 | 45 | Go to the page [Kernel building][raspberrypi_kernel_build] of the Raspberry Pi 46 | website to identify the configuration to apply for your Pi. 47 | 48 | Examples: 49 | 50 | - `bcmrpi_defconfig` for Raspberry Pi 1, Pi Zero, Pi Zero W, and Compute Module 51 | - `bcm2709_defconfig` for Raspberry Pi 2, Pi 3, Pi 3+, and Compute Module 3 52 | - `bcm2711_defconfig` for Raspberry Pi 4 53 | 54 | Please visit the above page to make sure that these examples are up-to-date. 55 | 56 | ### Cross-compile the kernel 57 | 58 | Below is a command that builds the branch `rpi-5.4.y` for the Raspberry Pi 4 59 | (`bcm2711_defconfig`). Because this branch is still in development, we recommend 60 | including today's date in the value of `--kernel-localversion`. The value of 61 | `--kernel-localversion` can be set to anything you want. 
62 | 63 | $ mkdir -p output && docker run \ 64 | --rm \ 65 | -v $PWD/output:/output \ 66 | tschaffter/raspberry-pi-kernel-hardened \ 67 | --kernel-branch rpi-5.4.y \ 68 | --kernel-defconfig bcm2711_defconfig \ 69 | --kernel-localversion $(date '+%Y%m%d')-hardened 70 | Cloning into '/home/builder/tools'... 71 | Installing cross compiler toolchain 72 | Checking out files: 100% (19059/19059), done. 73 | Getting kernel source code 74 | Cloning into '/home/builder/linux'... 75 | ... 76 | 77 | Moving .deb packages to /output 78 | SUCCESS The kernel has been successfully packaged. 79 | 80 | INSTALL 81 | sudo dpkg -i linux-*-5.4.y-20200804-hardened*.deb 82 | sudo sh -c "echo 'kernel=vmlinuz-5.4.51-20200804-hardened+' >> /boot/config.txt" 83 | sudo reboot 84 | 85 | ENABLE SELinux 86 | sudo apt-get install selinux-basics selinux-policy-default auditd 87 | sudo sh -c "sed -i '$ s/$/ selinux=1 security=selinux/' /boot/cmdline.txt" 88 | sudo touch /.autorelabel 89 | sudo reboot 90 | sestatus 91 | 92 | After installing the above kernel, its version will be: 93 | 94 | $ uname -r 95 | 5.4.51-20200804-hardened+ 96 | 97 | **Note:** The builder inside the docker container runs as a non-root user. The command 98 | `mkdir output` included in the above command ensures that the builder will be able 99 | to save the output kernel files to the output folder. 100 | 101 | ## Install the kernel 102 | 103 | Copy the Debian packages `*.deb` generated to the target Raspberry Pi, for example 104 | using `scp`. Then follow the instructions given at the end of the command used to 105 | build the kernel (see above). 106 | 107 | - `linux-headers`: The kernel headers, required when compiling any code that 108 | interfaces with the kernel. 109 | - `linux-image`: The kernel image and the associated modules. 110 | - `linux-libc-dev`: Linux support headers for userspace development. 
111 | 112 | ### Install the kernel source 113 | 114 | You can also install the kernel source in case you need it to compile a module 115 | for the kernel in the future. 116 | 117 | 1. Copy the archive `linux-source-.tar.xz` to the Pi. 118 | 2. Extract the archive in `/usr/src/`. 119 | 120 | tar -xf linux-source-.tar.xz 121 | 122 | 3. Create a symbolic link `/usr/src/linux` to the folder extracted. 123 | 124 | ln -s /usr/src/linux /usr/src/linux-source- 125 | 126 | ## Update the kernel 127 | 128 | Repeat the same protocol as given above to build and install a newer version of 129 | the kernel. The only difference is that after installing the `*.deb` packages 130 | with `dpkg`, you only have to update `/boot/config.txt` so that the new kernel 131 | is loaded at boot. The kernel source must also be updated if it has been 132 | previously installed. 133 | 134 | ## Customize the build 135 | 136 | - The builder uses all the CPU cores available to the Docker container. By default, 137 | that is all the CPU cores of the host. Use [Docker runtime options][docker_runtime_options] 138 | to limit the usage of CPU cores by the builder. 139 | 140 | - The builder clones two GitHub repositories: the cross-compiler toolchain and 141 | the source code of the kernel, unless their target directories already exist 142 | (`/home/builder/tools` and `/home/builder/linux`). When running the dockerized 143 | builder, you can specify a different toolchain and kernel source code by mounting 144 | volumes that point to these two directories. 
For example, 145 | 146 | $ git clone tools 147 | $ git clone linux 148 | $ mkdir -p output && docker run \ 149 | --rm \ 150 | -v $PWD/output:/output \ 151 | -v $PWD/tools:/home/builder/tools \ 152 | -v $PWD/linux:/home/builder/linux \ 153 | tschaffter/raspberry-pi-kernel-hardened \ 154 | --kernel-branch rpi-5.4.y \ 155 | --kernel-defconfig bcm2711_defconfig \ 156 | --kernel-localversion $(date '+%Y%m%d')-hardened 157 | 158 | ## Contributing change 159 | 160 | Please read the [`CONTRIBUTING.md`](CONTRIBUTING.md) for details on how to 161 | contribute to this project. 162 | 163 | 164 | 165 | [raspberrypi_kernel_build]: https://www.raspberrypi.org/documentation/linux/kernel/building.md 166 | [gh_raspberrypi/linux]: https://github.com/raspberrypi/linux 167 | [docker_runtime_options]: https://docs.docker.com/config/containers/resource_constraints/#cpu 168 | -------------------------------------------------------------------------------- /build-kernel.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # @tschaffter 4 | # 5 | # Cross-compiles the Raspberry Pi kernel with SELinux support and other 6 | # hardening features enabled. 
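#
# Example:
#
#   ./build-kernel.sh \
#     --kernel-branch rpi-4.19.y \
#     --kernel-defconfig bcm2711_defconfig \
#     --kernel-localversion 4.19.y-20200607-hardened
#
# Notes:
#
# - Identify kernel branch or tag from https://github.com/raspberrypi/linux
# - Identify --kernel-defconfig value from https://www.raspberrypi.org/documentation/linux/kernel/building.md
# - The value of --kernel-localversion will be returned by `uname -a`
# - All three options are required; the output directory /output must exist
#   and be writable by the user running the script.
# - Every build step that fails aborts the script with a non-zero exit status
#   (see die()), so a printed SUCCESS line really means every step succeeded.
#
# ARG_OPTIONAL_SINGLE([kernel-branch],[],[Kernel branch to build],[''])
# ARG_OPTIONAL_SINGLE([kernel-defconfig],[],[Default kernel config to use],[''])
# ARG_OPTIONAL_SINGLE([kernel-localversion],[],[Kernel local version],[''])
# ARG_HELP([The general script's help msg])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.8.1 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate


# Prints $1 to stderr (preceded by the help text when _PRINT_HELP=yes) and
# exits with status $2 (default: 1).
die()
{
	local _ret=$2
	test -n "$_ret" || _ret=1
	test "$_PRINT_HELP" = yes && print_help >&2
	echo "$1" >&2
	exit ${_ret}
}


# Returns 0 when $1 starts with one of the known short option letters ('h').
# Generated by Argbash; currently unused by parse_commandline.
begins_with_short_option()
{
	local first_option all_short_options='h'
	first_option="${1:0:1}"
	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}

# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_kernel_branch=""
_arg_kernel_defconfig=""
_arg_kernel_localversion=""


# Prints the usage text to stdout.
print_help()
{
	printf '%s\n' "Cross-compiling hardened kernels for Raspberry Pi"
	printf 'Usage: %s [--kernel-branch <arg>] [--kernel-defconfig <arg>] [--kernel-localversion <arg>] [-h|--help]\n' "$0"
	printf '\t%s\n' "--kernel-branch: Kernel branch to build (default: '')"
	printf '\t%s\n' "--kernel-defconfig: Default kernel config to use (default: '')"
	printf '\t%s\n' "--kernel-localversion: Kernel local version (default: '')"
	printf '\t%s\n' "-h, --help: Prints help"
}


# Fills _arg_kernel_branch, _arg_kernel_defconfig and _arg_kernel_localversion
# from "$@"; both "--opt value" and "--opt=value" forms are accepted.
# -h/--help prints the usage and exits 0; any other argument is fatal.
parse_commandline()
{
	while test $# -gt 0
	do
		_key="$1"
		case "$_key" in
			--kernel-branch)
				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
				_arg_kernel_branch="$2"
				shift
				;;
			--kernel-branch=*)
				_arg_kernel_branch="${_key##--kernel-branch=}"
				;;
			--kernel-defconfig)
				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
				_arg_kernel_defconfig="$2"
				shift
				;;
			--kernel-defconfig=*)
				_arg_kernel_defconfig="${_key##--kernel-defconfig=}"
				;;
			--kernel-localversion)
				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
				_arg_kernel_localversion="$2"
				shift
				;;
			--kernel-localversion=*)
				_arg_kernel_localversion="${_key##--kernel-localversion=}"
				;;
			-h|--help)
				print_help
				exit 0
				;;
			-h*)
				print_help
				exit 0
				;;
			*)
				_PRINT_HELP=yes die "FATAL ERROR: Got an unexpected argument '$1'" 1
				;;
		esac
		shift
	done
}

parse_commandline "$@"

# OTHER STUFF GENERATED BY Argbash

### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash

# Applies one ./scripts/config change to the .config of the current directory
# and aborts the script if the change cannot be applied.
kconfig()
{
	./scripts/config "$@" || die "Unable to apply kernel config change: $*" 1
}

# The three options are declared optional for Argbash but are all required.
if [ -z "$_arg_kernel_branch" ]; then
	die "The argument --kernel-branch is missing." 1
fi

if [ -z "$_arg_kernel_defconfig" ]; then
	die "The argument --kernel-defconfig is missing." 1
fi

if [ -z "$_arg_kernel_localversion" ]; then
	die "The argument --kernel-localversion is missing." 1
fi

# All paths are derived from the current directory (the builder's home in the
# container) and quoted everywhere so that a path with spaces cannot split.
_workdir=$(pwd)
_tools_dir="$_workdir/tools"
_kernel_src_dir="$_workdir/linux"
_ccprefix="$_tools_dir/arm-bcm2708/arm-linux-gnueabihf/bin/arm-linux-gnueabihf-"
_output_dir=/output


# Check that the output directory exists and is writable
test -d "$_output_dir" || die "Output directory $_output_dir does not exist" 1
test -w "$_output_dir" || die "Output directory $_output_dir is not writable" 1


# Install toolchain
if [ -d "$_tools_dir" ]; then
	echo "Using existing cross compiler toolchain $_tools_dir"
else
	echo "Installing cross compiler toolchain"
	# NOTE(review): the toolchain is fetched from the head of the repository's
	# default branch, so two runs can pick up different binaries; pinning a
	# commit here, or mounting a vetted checkout (see README), would make the
	# build reproducible.
	git clone https://github.com/raspberrypi/tools "$_tools_dir" \
		|| die "ERROR: Unable to clone the cross compiler toolchain" 1
fi

# Fail early with a clear message if the mounted/cloned toolchain does not
# contain the expected compiler, instead of failing deep inside make.
test -x "${_ccprefix}gcc" \
	|| die "Cross compiler ${_ccprefix}gcc not found in the toolchain directory" 1


# Get the kernel source code
if [ -d "$_kernel_src_dir" ]; then
	echo "Using existing kernel source dir $_kernel_src_dir"
else
	echo "Getting kernel source code"
	git clone \
		--branch "$_arg_kernel_branch" \
		--depth=1 \
		https://github.com/raspberrypi/linux \
		"$_kernel_src_dir" \
		|| die "Unable to clone kernel source code" 1
fi


cd "$_kernel_src_dir" || die "Unable to enter kernel source dir $_kernel_src_dir" 1

_kernel_version=$(make kernelversion) || die "Unable to determine the kernel version" 1
# Name shared by the source archive and the install instructions printed below.
_source_name="linux-source-${_kernel_version}-${_arg_kernel_localversion}+"

echo "Kernel version is $_kernel_version"
echo "Kernel local version is $_arg_kernel_localversion"

echo "Cleaning up the directory"
make mrproper || die "Unable to clean the kernel source dir" 1

echo "Creating initial .config"
make ARCH=arm CROSS_COMPILE="$_ccprefix" "$_arg_kernel_defconfig" \
	|| die "Unable to create initial .config" 1

echo "Setting kernel local version"
kconfig --set-str CONFIG_LOCALVERSION "-$_arg_kernel_localversion"

echo "Enabling Audit"
kconfig --enable CONFIG_AUDIT
kconfig --enable CONFIG_AUDIT_LOGINUID_IMMUTABLE

echo "Enabling Security"
kconfig --enable CONFIG_SECURITY
kconfig --enable CONFIG_SECURITY_NETWORK

echo "Enabling SELinux"
kconfig --enable CONFIG_SECURITY_SELINUX
kconfig --enable CONFIG_SECURITY_SELINUX_BOOTPARAM
kconfig --set-val CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE 1
# Keep the runtime disable switch (/sys/fs/selinux/disable) compiled out.
kconfig --disable CONFIG_SECURITY_SELINUX_DISABLE
# NOTE(review): DEVELOP keeps permissive mode (enforcing=0 / setenforce 0)
# available, which the initial relabel relies on; a stricter build may want
# it off once the policy is in place -- confirm the intended trade-off.
kconfig --enable CONFIG_SECURITY_SELINUX_DEVELOP
kconfig --enable CONFIG_SECURITY_SELINUX_AVC_STATS
# NOTE(review): checkreqprot=1 checks the memory protection requested by the
# application rather than the one the kernel actually applies; 0 is the
# stricter setting -- confirm that 1 is intended here.
kconfig --set-val CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE 1
# kconfig --disable CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
kconfig --enable CONFIG_DEFAULT_SECURITY_SELINUX
kconfig --disable CONFIG_DEFAULT_SECURITY_DAC
kconfig --set-str CONFIG_DEFAULT_SECURITY "selinux"

# Validate config changes. olddefconfig resolves dependencies and silently
# drops symbols unknown to the selected branch, hence the verification below.
make ARCH=arm CROSS_COMPILE="$_ccprefix" olddefconfig \
	|| die "Unable to validate the kernel config" 1

# Alternatively, update config using menuconfig (interactive)
# make ARCH=arm CROSS_COMPILE="$_ccprefix" menuconfig

echo "Verifying hardening options"
for _option in CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX; do
	_state=$(./scripts/config --state "$_option")
	test "$_state" = y \
		|| die "Option $_option is not enabled after olddefconfig (state: $_state)" 1
done

echo "Building kernel and generating .deb packages"
DEB_HOST_ARCH=armhf make ARCH=arm CROSS_COMPILE="$_ccprefix" deb-pkg -j"$(($(nproc)+1))" \
	|| die "Unable to build or package kernel" 1

ls -al

# deb-pkg writes the packages next to the source tree, i.e. into $_workdir.
echo "Moving .deb packages to $_output_dir"
mv "$_workdir"/*.deb "$_output_dir" || die "Unable to move .deb packages to $_output_dir" 1

echo "Compressing kernel source to $_output_dir"
make clean || die "Unable to clean the kernel source dir before archiving" 1
# Archive the tree under its versioned name without renaming the directory
# (it may be a mounted volume) and without the leading $_workdir components,
# so that extracting the archive in /usr/src/ yields /usr/src/$_source_name
# as the INSTALL SOURCE instructions below expect.
tar cjf "$_output_dir/$_source_name.tar.bz2" \
	-C "$_workdir" \
	--transform "s,^linux,$_source_name," \
	linux \
	|| die "Unable to archive the kernel source" 1


echo ""
echo "SUCCESS The kernel has been successfully packaged."
echo ""
echo "INSTALL"
echo "sudo dpkg -i linux-*-${_arg_kernel_localversion}*.deb"
echo "sudo sh -c \"echo 'kernel=vmlinuz-${_kernel_version}-${_arg_kernel_localversion}+' >> /boot/config.txt\""
echo "sudo reboot"
echo ""
echo "ENABLE SELinux"
echo "sudo apt-get install selinux-basics selinux-policy-default auditd"
echo "sudo sh -c \"sed -i '$ s/$/ selinux=1 security=selinux/' /boot/cmdline.txt\""
echo "sudo touch /.autorelabel"
echo "sudo reboot"
echo "sestatus"
echo ""
echo "INSTALL SOURCE (OPTIONAL)"
echo "tar xjf ${_source_name}.tar.bz2 --directory /usr/src/"
echo "ln -s ${_source_name} /usr/src/linux"

# ] <-- needed because of Argbash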