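#!/bin/bash
#
# Assemble a halogenos image root with portage, then pack it into a squashfs
# inside an ext4 usr image (the verity step follows further down).
#
# Inputs (environment):
#   DISTPATH  directory the image root is assembled in (required)
#   DISTURL   OTA distribution URL; empty disables OTA
#   MINOR     optional suffix appended to the date-based version
#   SECBOOT   "true" to record Secure Boot as enabled
#   TPM       "true" to record TPM security as enabled
#   REQSIG    "true" to require the release public key in the image
#
# Abort on the first failing command, including inside pipelines.
set -eo pipefail

# Parallelism passed to emerge -j
NPROC=$(nproc)

# Date-stamped version, e.g. 20240101, plus the optional MINOR suffix
VERSION=$(date +%Y%m%d)${MINOR:-}

# Flipped away from "true" below if a security-critical option (Secure Boot,
# signature enforcement) is disabled; the result is recorded in the image
# metadata as securesys.
SECURESYS=true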
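#######################################
# Print the build configuration banner and record whether every
# security-critical option is enabled.
# Globals:   VERSION, DISTPATH, DISTURL, SECBOOT, TPM, REQSIG (read)
#            SECURESYS (written: set to "false" when Secure Boot or
#            signature enforcement is disabled)
# Outputs:   banner on stdout
#######################################
print_build_summary() {
  echo "========== VERSION ==========="
  echo "Version: $VERSION"
  echo "Distfiles path: $DISTPATH"
  # An empty DISTURL means there is no OTA endpoint. (The previous test was
  # inverted: it printed "Not set" exactly when the URL was set.)
  if [[ -n "$DISTURL" ]]; then
    echo "Distribution URL: $DISTURL"
  else
    echo "Distribution URL: Not set, OTA disabled"
  fi

  echo "========== SECURITY =========="
  printf 'Secure Boot: \t\t'
  if [[ "$SECBOOT" == "true" ]]; then
    echo "Enabled"
  else
    echo "Disabled"
    SECURESYS="false"
  fi

  printf 'TPM Security: \t'
  # NOTE(review): a disabled TPM does not degrade SECURESYS; confirm this is
  # intentional and not an omission.
  if [[ "$TPM" == "true" ]]; then
    echo "Enabled"
  else
    echo "Disabled"
  fi

  printf 'Signature required: \t'
  if [[ "$REQSIG" == "true" ]]; then
    echo "Enabled"
  else
    echo "Disabled"
    # Plain assignment: `unset SECURESYS="false"` is not a valid identifier
    # for unset, so it failed and, under set -e, aborted the build here.
    SECURESYS="false"
  fi

  printf 'Overall security: \t'
  if [[ "$SECURESYS" == "true" ]]; then
    echo "Intact"
  else
    echo "Degraded"
  fi
  echo "=============================="
}

print_build_summary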
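# Trace from here on; this section handles no secret material, only paths.
set -x

# Refuse to run with an empty install root: every later path is built from
# "$DISTPATH", so an empty value would point the mv/cp steps at the build
# host's own /bin, /lib and /sbin.
: "${DISTPATH:?DISTPATH must be set to the image root directory}"
mkdir -p "$DISTPATH"

# Gentoo setup
mkdir -p /var/db/repos/gentoo
# Drop the snapshot timestamp so emerge-webrsync does not skip the fetch as
# already current.
rm -f /var/db/repos/gentoo/metadata/timestamp.x
# NOTE(review): the snapshot is only authenticated if portage's
# sync-webrsync-verify-signature is enabled for this repo; confirm, since an
# unverified tree undermines the signed-release story below.
emerge-webrsync --quiet
eselect profile set default/linux/amd64/23.0/musl/hardened/selinux

# SquashFS tools needed for image generation; installed on the build host
# (ROOT is not exported yet), not into the image.
emerge --quiet squashfs-tools

# Copy in package list
mkdir -p /etc/portage/sets
cp /build/packages.txt /etc/portage/sets/halogenos

# Set install location: from here on emerge installs into the image root.
export ROOT="$DISTPATH"

# Update any existing packages
emerge -j "$NPROC" --quiet --update --deep --newuse @world

# Emerge all packages
emerge -j "$NPROC" --quiet @halogenos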
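# Every path below hangs off "$DISTPATH"; an empty value would make the mv
# calls operate on the build host's own /bin, /lib and /sbin.
: "${DISTPATH:?DISTPATH must be set to the image root directory}"

# Fix directory locations
# mv nests a source directory inside an existing destination directory
# instead of replacing it, so a usr/bin that already exists would silently
# become usr/bin/bin. Fail loudly rather than ship a mislaid tree.
for d in bin lib sbin; do
  if [[ -e "$DISTPATH/usr/$d" ]]; then
    echo "error: $DISTPATH/usr/$d already exists; refusing to move $d into it" >&2
    exit 1
  fi
  mv "$DISTPATH/$d" "$DISTPATH/usr/$d"
done

# Include any additional files (-p so rebuilding into the same root works)
mkdir -p "$DISTPATH"/usr/share/halogenos/keys "$DISTPATH"/usr/share/halogenos/bin

# Release signing key: only the public half is ever copied into the image.
key_src=/run/secrets/signing_key_public
key_dst="$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
if [[ "$REQSIG" == "true" ]]; then
  # Enforcing signatures without the key to verify against makes no sense;
  # say so clearly instead of dying on a bare cp error.
  if [[ ! -f "$key_src" ]]; then
    echo "error: REQSIG=true but $key_src is missing" >&2
    exit 1
  fi
  cp "$key_src" "$key_dst"
elif [[ -f "$key_src" ]]; then
  # Not enforcing: ship the key if it happens to be present.
  cp "$key_src" "$key_dst"
else
  echo "Signing key not found, but not enforcing signatures, so it's okay."
fi

# Metadata & build-time configs recorded inside the image
meta_dir="$DISTPATH"/usr/share/halogenos/meta
mkdir -p "$meta_dir"

#######################################
# Map a boolean build flag to its metadata spelling.
# Arguments: $1 - flag value; only the exact string "true" counts as on
# Outputs:   ENABLED or DISABLED
#######################################
flag_state() {
  if [[ "$1" == "true" ]]; then echo "ENABLED"; else echo "DISABLED"; fi
}

printf '%s\n' "$VERSION" > "$meta_dir"/version
# Empty DISTURL means OTA is disabled
printf '%s\n' "${DISTURL:-DISABLED}" > "$meta_dir"/ota
flag_state "$SECBOOT" > "$meta_dir"/secboot
flag_state "$TPM" > "$meta_dir"/tpm
# TRUE only if no security-critical option was disabled in the banner step
if [[ "$SECURESYS" == "true" ]]; then echo "TRUE"; else echo "FALSE"; fi > "$meta_dir"/securesys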
# Make any additional config changes
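# Create images dir and img files (mksquashfs does not create its output
# directory, so make /build/artifacts here too)
mkdir -p /build/images /build/artifacts
# Start from fresh sparse files: if /build/images persists between runs, a
# stale ext4 signature makes mkfs.ext4 stop at its "Proceed anyway?" prompt
# and exit non-zero, and "truncate -s" alone would keep the old contents.
rm -f /build/images/usr.img /build/images/verity.img
truncate -s 2G /build/images/usr.img
mkfs.ext4 /build/images/usr.img
# Sized separately (2000M) for the verity image built below
truncate -s 2000M /build/images/verity.img

# Create squashfs
# -noappend: mksquashfs otherwise appends to an existing output file, which
# would carry stale content from a previous build into this image.
mksquashfs "$DISTPATH" /build/artifacts/usr.squashfs -noappend

# Install squashfs filesystem onto usr img
mkdir -p /mnt/usr
mount /build/images/usr.img /mnt/usr
# Unmount even if the copy fails (e.g. the squashfs exceeds the 2G image)
# so set -e does not leave the loop mount behind.
if ! cp /build/artifacts/usr.squashfs /mnt/usr; then
  umount /mnt/usr
  exit 1
fi
umount /mnt/usr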
# Build verity |