142 lines
4.3 KiB
Bash
Executable File
142 lines
4.3 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -eo pipefail
|
|
|
|
NPROC=$(nproc)
|
|
VERSION=$(date +%Y%m%d)$MINOR
|
|
IMAGE_ID="standard"
|
|
export VERSION="$VERSION"
|
|
|
|
# This variable gets unset if any security-critical elements are disabled
|
|
SECURESYS=true
|
|
|
|
echo "=========== VERSION ============"
|
|
echo "Version: $VERSION"
|
|
echo "Distfiles path: $DISTPATH"
|
|
echo -n "Distribution URL: "
|
|
if [ "$DISTURL" == "none" ]; then echo "Not set, OTA disabled";
|
|
else echo "$DISTURL"; fi
|
|
echo "=========== SECURITY ==========="
|
|
echo -en "Secure Boot: \t\t"
|
|
if [ "$SECBOOT" == "true" ]; then echo "Enabled"
|
|
else echo "Disabled"; SECURESYS="false"; fi
|
|
echo -en "TPM Security: \t"
|
|
if [ "$TPM" == "true" ]; then echo "Enabled"
|
|
else echo "Disabled"; SECURESYS="false"; fi
|
|
echo -en "Signature required: \t"
|
|
if [ "$REQSIG" == "true" ]; then echo "Enabled"
|
|
else echo "Disabled"; SECURESYS="false"; fi
|
|
echo -en "Overall security: \t"
|
|
if [ "$SECURESYS" == "true" ]; then echo "Intact"
|
|
else echo "Degraded"; fi
|
|
echo "================================"
|
|
|
|
set -x
|
|
|
|
export DISTPATH=$DISTPATH
|
|
mkdir -p "$DISTPATH"
|
|
|
|
# Gentoo setup
|
|
mkdir -p /var/db/repos/gentoo
|
|
rm -f /var/db/repos/gentoo/metadata/timestamp.x
|
|
emerge-webrsync --quiet
|
|
eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
|
|
# STOP TELLING ME ABOUT THE NEWS
|
|
eselect news read new > /dev/null
|
|
|
|
# Copy in host configs
|
|
cp -r /build/include-host/* /
|
|
|
|
# squashfs-tools needed for image mksquashfs for image generation
|
|
# gentoolkit needed for euse for setting use flags
|
|
# btrfs-progs needed for mkfs.btrfs for generating usr partition fs
|
|
#emerge -j "$NPROC" --quiet --noreplace @halogenos-host
|
|
|
|
# We have to ensure use.disable contains at least one flag
|
|
# Otherwise euse -D will disable all global use flags
|
|
if [[ "$(cat /etc/portage/use.disable)" = *[![:space:]]* ]]; then
|
|
euse -D "$(cat /etc/portage/use.disable)"
|
|
fi
|
|
|
|
# Set install location
|
|
export ROOT="$DISTPATH"
|
|
|
|
# Update any existing packages
|
|
#emerge -j "$NPROC" --quiet --update --deep --newuse @world
|
|
|
|
# Emerge all packages
|
|
emerge -j "$NPROC" --quiet --noreplace @halogenos-image
|
|
emerge -j "$NPROC" --quiet --update --deep --noreplace @world
|
|
emerge -j "$NPROC" --quiet --autounmask=y sys-kernel/vanilla-kernel
|
|
emerge --depclean
|
|
emerge --unmerge --nodeps portage perl-cleaner
|
|
|
|
# Include any additional files
|
|
mkdir -p "$DISTPATH"/usr/share/halogenos
|
|
mkdir -p "$DISTPATH"/usr/share/halogenos/keys
|
|
mkdir -p "$DISTPATH"/usr/share/halogenos/bin
|
|
|
|
# Fix directory locations
|
|
for dir in bin sbin etc lib; do
|
|
mv "$DISTPATH"/"$dir" "$DISTPATH"/usr/"$dir"
|
|
done
|
|
|
|
cp -r /build/include-image/* "$DISTPATH"/
|
|
|
|
echo "IMAGE_VERSION=$VERSION" >> "$DISTPATH"/usr/lib/os-release
|
|
echo "IMAGE_ID=$IMAGE_ID" >> "$DISTPATH"/usr/lib/os-release
|
|
|
|
# Install gvisor OCI runtime
|
|
/build/external/gvisor.sh
|
|
|
|
# Install GrapheneOS hardened malloc
|
|
cd /build/hardened_malloc/
|
|
make
|
|
cd -
|
|
cp /build/hardened_malloc/out/libhardened_malloc.so "$DISTPATH"/usr/local/lib/libhardened_malloc.so
|
|
|
|
# Require inclusion of public key if $REQSIG is true
|
|
if [ "$REQSIG" == "true" ]; then
|
|
# This will cause an exit if the key is missing
|
|
cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
|
|
else
|
|
# Otherwise, attempt to copy the key, but don't freak out if it does not exist
|
|
if [ -f /run/secrets/signing_key_public ]; then
|
|
cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
|
|
else
|
|
echo "Signing key not found, but not enforcing signatures, so it's okay."
|
|
fi
|
|
fi
|
|
|
|
# Metadata & build-time configs
|
|
mkdir -p "$DISTPATH"/usr/share/halogenos/meta
|
|
echo "VERSION=$VERSION
|
|
OTA=$DISTURL
|
|
TPM=$TPM
|
|
REQSIG=$REQSIG
|
|
SECBOOT=$SECBOOT
|
|
SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta
|
|
|
|
# Make any additional config changes
|
|
|
|
# Remove unwanted files
|
|
rm "$DISTPATH"/usr/etc/gentoo-release
|
|
rm -rf "$DISTPATH"/usr/lib/gentoo
|
|
|
|
# Create images dir and img files
|
|
mkdir -p /build/images
|
|
cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
|
|
dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
|
|
mkfs.btrfs /build/images/usr.img
|
|
dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M
|
|
|
|
# Install squashfs filesystem onto usr img
|
|
mkdir -p /mnt/usr
|
|
mount /build/images/usr.img /mnt/usr
|
|
mksquashfs "$DISTPATH" /mnt/usr/usr.sfs
|
|
sync /mnt/usr/usr.sfs
|
|
umount /mnt/usr
|
|
|
|
# Build verity
|
|
|
|
tar -czf "$VERSION".tar.gz /build/images/ |