Compare commits


No commits in common. "master" and "dev/gentoo" have entirely different histories.

120 changed files with 4068 additions and 700 deletions

.gitignore vendored

@ -1 +1,7 @@
/_build
/images
/linux
/output
/repos/x-portage
/.built
/.prepared
/.host-tools


@ -1,40 +0,0 @@
config AIMEEOS
bool "Aimee OS"
depends on BR2_INIT_SYSTEMD
select BR2_TARGET_ROOTFS_SQUASHFS
select BR2_TARGET_ROOTFS_SQUASHFS4_GZIP
select BR2_LINUX_KERNEL_INSTALL_TARGET
select BR2_PACKAGE_SYSTEMD_EFI
select BR2_PACKAGE_SYSTEMD_COREDUMP
select BR2_PACKAGE_SYSTEMD_SYSUSERS
select BR2_PACKAGE_COREUTILS
select BR2_PACKAGE_TAR
select BR2_PACKAGE_ZSTD
select BR2_PACKAGE_HOST_DOSFSTOOLS
select BR2_PACKAGE_HOST_GENIMAGE
select BR2_PACKAGE_HOST_MTOOLS
select BR2_TARGET_GRUB2
select BR2_PACKAGE_HOST_ZSTD
select BR2_PACKAGE_AIMEE_OS_UTILS
help
Enable all Aimee OS features.
comment "Aimee OS needs systemd"
depends on !BR2_INIT_SYSTEMD
config AIMEEOS_RPI
bool "Aimee OS Raspberry Pi support"
depends on AIMEEOS
select BR2_TARGET_UBOOT
select BR2_TARGET_UBOOT_NEEDS_OPENSSL
select BR2_TARGET_UBOOT_NEEDS_GNUTLS
select BR2_TARGET_GRUB2_ARM_EFI
help
Support running Aimee OS on Rasperry Pi devices
config AIMEEOS_DEFAULT_ROOTFLAGS
string "Default kernel command line argumens"
help
Additional command line arguments to pass to the kernel by default.
source "$BR2_EXTERNAL_AIMEEOS_PATH/package/aimee-os-utils/Config.in"

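--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,133 @@
+O ?= .
+IMAGESDIR ?= $(O)/images
+CONFIGDIR ?= .
+export CONFIGDIR
+update.tar: $(IMAGESDIR)/update.tar.zstd
+$(O)/portage/.stamp: \
+$(shell find portage -type f) \
+$(shell find $(CONFIGDIR)/portage -type f)
+rm -rf $(O)/portage
+mkdir -p $(O)/portage/etc/portage
+tar -C portage -c . | tar -C $(O)/portage/etc/portage -x
+tar -C $(CONFIGDIR)/portage -c . | tar -C $(O)/portage/etc/portage -x
+touch $@
+portage: $(O)/portage/.stamp
+$(O)/.prepared: \
+$(O)/portage/.stamp \
+prepare.sh \
+setup-local-repo.sh
+./prepare.sh
+./setup-local-repo.sh
+mkdir -p $(O)
+touch $(O)/.prepared
+prepare: $(O)/.prepared
+$(O)/.built: \
+build.sh \
+build.packages \
+install.packages \
+$(wildcard $(CONFIGDIR)/build.packages) \
+$(CONFIGDIR)/install.packages \
+$(O)/portage/.stamp \
+$(O)/.prepared
+./build.sh
+touch $(O)/.built
+build: $(O)/.built
+$(O)/semanage.mods: \
+semanage.mods \
+$(wildcard $(CONFIGDIR)/semanage.mods)
+cat $^ > $@
+$(O)/.ready: \
+build-rootfs.sh \
+install.packages \
+$(CONFIGDIR)/install.packages \
+$(wildcard $(CONFIGDIR)/installonly.packages) \
+busybox.symlinks \
+$(wildcard $(CONFIGDIR)/busybox.symlinks) \
+$(O)/linux/arch/arm64/boot/Image.gz \
+$(O)/semanage.mods \
+$(shell find overlay -type f) \
+$(shell find $(CONFIGDIR)/overlay -type f 2>/dev/null) \
+$(wildcard $(CONFIGDIR)/customize.sh) \
+$(O)/.built
+./build-rootfs.sh "$(O)"
+if [ -x "$(CONFIGDIR)"/customize.sh ]; then "$(CONFIGDIR)"/customize.sh "$(O)"; fi
+touch $(O)/.ready
+$(O)/squashfs.exclude: \
+squashfs.exclude \
+$(shell test -f $(CONFIGDIR)/squashfs.exclude && echo $(CONFIGDIR)/squashfs.exclude)
+mkdir -p $(O)
+sort $^ > $@
+$(O)/squashfs.pseudo: \
+$(wildcard $(CONFIGDIR)/squashfs.pseudo)
+sort /dev/null $^ > $@
+$(IMAGESDIR)/rootfs.squashfs: \
+build-squashfs.sh \
+$(O)/squashfs.exclude \
+$(O)/squashfs.pseudo \
+$(O)/.ready
+./build-squashfs.sh "$(O)" "$(IMAGESDIR)"
+squashfs: $(IMAGESDIR)/rootfs.squashfs
+$(O)/linux/arch/arm64/boot/Image.gz: \
+build-kernel.sh \
+$(CONFIGDIR)/linux.config \
+$(O)/.prepared
+./build-kernel.sh "$(O)"
+kernel: $(O)/linux/arch/arm64/boot/Image.gz
+$(O)/efi-part/EFI/BOOT/BOOTAA64.efi: \
+build-grub.sh \
+grub.cfg \
+$(O)/.built
+./build-grub.sh "$(O)"
+grub: $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
+$(IMAGESDIR)/sdcard.img: \
+genimage.cfg \
+genimage.sh \
+post-build.sh \
+$(O)/efi-part/EFI/BOOT/BOOTAA64.efi \
+$(IMAGESDIR)/rootfs.squashfs
+./post-build.sh "$(O)"
+./genimage.sh "$(O)" "$(IMAGESDIR)"
+sdcard.img: $(IMAGESDIR)/sdcard.img
+$(IMAGESDIR)/firmware.img: $(IMAGESDIR)/sdcard.img
+$(IMAGESDIR)/update.tar.zstd: \
+$(IMAGESDIR)/rootfs.squashfs \
+$(IMAGESDIR)/firmware.img \
+install-update.sh \
+$(O)/.prepared
+./build-update.sh "$(IMAGESDIR)"
+clean:
+rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp
+rm -f $(O)/.prepared
+.PHONY: \
+build \
+grub \
+kernel \
+portage \
+prepare \
+sdcard.img \
+squashfs \
+update.tar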
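Review bot: `clean` is missing from the `.PHONY` list at the end of the file, so a file or directory named `clean` in the source tree would turn `make clean` into a silent no-op; add `clean \` to the list. The `rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp` recipe also runs with whatever `O` and `IMAGESDIR` expand to, so an explicit `make O=` or `make IMAGESDIR=` produces `rm -rf /linux ...`; a guard such as `$(if $(strip $(O)),,$(error O is empty))` as the first recipe line prevents that. Separately, `$(IMAGESDIR)/update.tar.zstd` lists install-update.sh as a prerequisite but its recipe runs `./build-update.sh`, which is not one, so edits to that script never trigger a rebuild, and the BOOTAA64.efi rule reads `$(CONFIGDIR)/config` through build-grub.sh without depending on it. `.DELETE_ON_ERROR:` would additionally keep a failed `cat $^ > $@` from leaving a truncated `$(O)/semanage.mods` that then looks up to date.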

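--- a/README.md
+++ b/README.md
@@ -0,0 +1,18 @@
+## Errors
+### SWIOTLB Buffer
+> OF: reserved mem: failed to allocate memory for node
+> …
+> Can not allocate SWIOTLB buffer earlier and can't now provide you with the
+> DMA bounce buffer
+Ensure `start_x=1` is in `config.txt` and `start_file`/`fixup_file` are not
+specified.
+### U-Boot: Overwrite Reserved Memory
+> ** Reading file would overwrite reserved memory **
+Set `CONFIG_LMB_MAX_REGIONS=16` in `u-boot/.config`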


@ -1 +0,0 @@
../raspberrypi3/genimage.cfg


@ -1,18 +0,0 @@
#!/bin/sh
set -e
BOARD_DIR=$(dirname "$0")
genimage_tmp=$(mktemp -d)
trap 'rm -rf "${genimage_tmp}"' EXIT
mkdir -p "${genimage_tmp}"/rootfs "${genimage_tmp}"/tmp
cd "${BINARIES_DIR}"
genimage \
--rootpath "${genimage_tmp}/rootfs" \
--tmppath "${genimage_tmp}/tmp" \
--inputpath "${BINARIES_DIR}" \
--outputpath "${BINARIES_DIR}" \
--config "${BOARD_DIR}"/genimage.cfg


@ -1,12 +0,0 @@
start_file=start.elf
fixup_file=fixup.dat
kernel=u-boot.bin
disable_overscan=1
# U-Boot requires a UART port. There are three options for enabling one:
# 1. Disable Bluetooth with dtoverlay=disable-bt
# 2. Swap Bluetooth to the mini UART with dtoverlay=miniuart-bt
# 3. Enable the mini UART as primary with enable_uart=1
dtoverlay=disable-bt


@ -1,26 +0,0 @@
#!/bin/sh
set -e
BOARD_DIR=$(dirname "$0")
GRUBENV="${BINARIES_DIR}"/efi-part/EFI/BOOT/grubenv
genimage_tmp=$(mktemp -d)
trap 'rm -rf "${genimage_tmp}"' EXIT
cp -alf "${BINARIES_DIR}"/u-boot.bin "${BINARIES_DIR}"/efi-part/
cp -alf "${BINARIES_DIR}"/*.dtb "${BINARIES_DIR}"/efi-part/
cp -alf "${BINARIES_DIR}"/rpi-firmware/* "${BINARIES_DIR}"/efi-part/
mkdir -p "${genimage_tmp}"/rootfs "${genimage_tmp}"/tmp
grub-editenv "${GRUBENV}" set default=0
grub-editenv "${GRUBENV}" set timeout=3
cd "${BINARIES_DIR}"
genimage \
--rootpath "${genimage_tmp}/rootfs" \
--tmppath "${genimage_tmp}/tmp" \
--inputpath "${BINARIES_DIR}" \
--outputpath "${BINARIES_DIR}" \
--config "${BOARD_DIR}"/genimage.cfg


@ -1,14 +0,0 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
vers=${BR2_EXTERNAL_AIMEEOS_VERSION}
br2_vers=${BR2_VERSION_FULL}
kernel_filename=$1
cat > "${TARGET_DIR}"/boot/grub.cfg <<EOF
menuentry "Aimee OS ${vers} (Buildroot ${br2_vers}) on \$dev" --class gnu-linux --id "id-\$partuuid" "\$dev" "\$partuuid" {
set root="\$2"
linux "/boot/${kernel_filename}" root=PARTUUID=\$3 ro \$rootflags
initrd "/boot/initramfs.img.zst"
}
EOF


@ -1,11 +0,0 @@
# vim: set ft=sh :
# vim: set sw=4 ts=4 sts=4 et:
load_env
regexp --set 1:disk '(.*),.*' $root
for dev in ($disk,gpt*); do
if [ -f $dev/boot/grub.cfg ]; then
probe --set partuuid --part-uuid $dev
source $dev/boot/grub.cfg
fi
done


@ -1,27 +0,0 @@
#!/bin/sh
mkdir -p \
/dev \
/proc \
/run \
/sys \
/sysroot \
&& :
mount -t devtmpfs devtmpfs /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t tmpfs tmpfs /run
set -- $(cat /proc/cmdline)
for arg; do
case "${arg}" in
root=*)
root=${arg#root=}
;;
esac
done
init-storage "${root}"
exec switch_root /sysroot /sbin/init


@ -1,114 +0,0 @@
#!/bin/sh
if [ $(id -u) != 0 ]; then
exec "${HOST_DIR}"/bin/fakeroot "$0" "$@"
fi
export PATH="${HOST_DIR}:${PATH}"
TARGET_DIR=$1
WORKDIR=$(mktemp -d)
OUTDIR="${WORKDIR}"/initramfs
LIB_CACHE="${WORKDIR}"/libs.cache
PKGDIR="${0%/*}"
trap 'rm -rf "${WORKDIR}"' INT QUIT TERM EXIT
cache_libs() {
find \
"${TARGET_DIR}"/usr/lib \
"${TARGET_DIR}"/usr/lib64 \
\( -type f -o -type l \) \
-name '*.so*' \
| sed "s@${TARGET_DIR}@@" \
> "${LIB_CACHE}"
}
bin_install() {
for arg; do
arg=${arg#/}
[ -e "${OUTDIR}/${arg}" ] && continue
mkdir -p "${OUTDIR}/${arg%/*}"
cp -a "${TARGET_DIR}/${arg}" "${OUTDIR}/${arg}"
if [ -h "${TARGET_DIR}/${arg}" ]; then
bin_install "$(realpath --relative-to "${TARGET_DIR}" "${TARGET_DIR}/${arg}")"
elif [ -f "${TARGET_DIR}/${arg}" ]; then
readelf --dynamic "${TARGET_DIR}/${arg}" \
| awk '$2=="(NEEDED)"{gsub(/\[|\]/,"",$5); print $5}' \
| while IFS= read -r lib; do
path="$(grep "${lib}"'$' "${LIB_CACHE}")"
if [ -z "${path}" ]; then
printf 'ERROR could not resolve shared library %s\n' "${lib}" >&2
return 1
fi
bin_install "${path}"
done
elif [ ! -e "${TARGET_DIR}/${arg}" ]; then
printf 'ERROR could not find /%s to copy\n' "${arg}" >&2
return 1
fi
done
}
mk_skel() {
mkdir -p "${OUTDIR}"/dev
mknod -m 0622 "${OUTDIR}"/dev/console c 5 1
mkdir -p \
"${OUTDIR}"/usr \
"${OUTDIR}"/usr/bin \
"${OUTDIR}"/usr/sbin \
"${OUTDIR}"/usr/lib
ln -s usr/bin "${OUTDIR}"/bin
ln -s usr/sbin "${OUTDIR}"/sbin
ln -s usr/lib "${OUTDIR}"/lib
if [ -h "${TARGET_DIR}"/usr/lib64 ]; then
cp -P "${TARGET_DIR}"/usr/lib64 "${OUTDIR}"/usr
fi
if [ -h "${TARGET_DIR}"/lib64 ]; then
cp -P "${TARGET_DIR}"/lib64 "${OUTDIR}"
fi
}
rm -rf "${OUTDIR}"
mk_skel || exit
cache_libs || exit
bin_install \
/bin/cat \
/bin/cp \
/bin/ls \
/bin/mkdir \
/bin/mount \
/bin/rm \
/bin/sh \
/bin/sleep \
/bin/sort \
/bin/tail \
/bin/umount \
/usr/bin/btrfs \
/usr/bin/mkfs.btrfs \
/usr/bin/mountpoint \
/usr/bin/readlink \
/usr/sbin/blkid \
/usr/sbin/findfs \
/usr/sbin/partx \
/usr/sbin/sfdisk \
/usr/sbin/switch_root \
|| exit
if [ -e "${TARGET_DIR}"/usr/bin/setfiles ]; then
bin_install /usr/bin/setfiles || exit
fi
install "${PKGDIR}"/initramfs/initramfs-init.sh "${OUTDIR}"/init || exit
install "${PKGDIR}"/initramfs/init-storage.sh "${OUTDIR}"/usr/bin/init-storage || exit
mkdir -p "${TARGET_DIR}"/boot
(cd "${OUTDIR}" && find . -mindepth 1 \
| LC_ALL=C sort \
| cpio --reproducible --quiet -o -H newc \
| zstd \
) > "${TARGET_DIR}"/boot/initramfs.img.zst

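--- a/build-grub.sh
+++ b/build-grub.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+O="${1}"
+GRUB_MODULES='
+boot
+echo
+efi_gop
+eval
+fat
+gzio
+linux
+loadenv
+normal
+part_gpt
+probe
+regexp
+serial
+squash4
+test
+xzio
+zstd
+'
+echo 'Creating GRUB image ...'
+mkdir -p "${O}"/efi-part/EFI/BOOT
+grub-mkimage \
+-O arm64-efi \
+-o "${O}"/efi-part/EFI/BOOT/BOOTAA64.efi \
+-d /usr/${target}/usr/lib/grub/arm64-efi \
+-p /EFI/gentoo \
+${GRUB_MODULES}
+echo 'Generating GRUB configuration file ...'
+mkdir -p "${O}"/efi-part/EFI/gentoo
+cp -uv grub.cfg "${O}"/efi-part/EFI/gentoo
+grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set \
+rootflags="${rootflags-ro}" \
+default=0 \
+timeout=5 \
+&& :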
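Review bot: `target` is used unchecked in `-d /usr/${target}/usr/lib/grub/arm64-efi`; if the sourced config does not define it the path degrades to the host's `/usr//usr/lib/grub/arm64-efi`, and grub-mkimage either fails late or builds an image from the wrong module directory. A line such as `: "${target:?target must be set in ${CONFIGDIR}/config}"` right after the `.` line fails fast with a clear message. The trailing `&& :` on the `grub-editenv` call is also misleading under `set -e`: as the script's last command its exit status is returned unchanged anyway, so the idiom changes nothing here but reads as if failure were being tolerated; `|| exit`, as build-rootfs.sh uses, says what is meant.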

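--- a/build-kernel.sh
+++ b/build-kernel.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+O="${1}"
+. "${CONFIGDIR:=${PWD}}"/config
+USE=symlink \
+emerge -vnuUj ${kernel_pkg}
+export ARCH=arm64 CROSS_COMPILE=${target}-
+unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
+mkdir -p "${O}"/linux
+/usr/src/linux/scripts/kconfig/merge_config.sh -m \
+-O "${O}"/linux \
+/usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig \
+"${CONFIGDIR}"/linux.config
+cd "${O}"/linux
+make -C /usr/src/linux O=${PWD} olddefconfig
+make -j$(nproc)
+touch arch/arm64/boot/Image.gz
+kver=$(make -s kernelversion)
+make modules_install INSTALL_MOD_PATH=/mnt/gentoo/usr
+cd -
+printf 'Installing Kernel %s ...\n' "${kver}"
+mkdir -p /mnt/gentoo/boot
+cp -au "${O}"/linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver}
+cp -au "${O}"/linux/.config /mnt/gentoo/boot/config-${kver}
+cp -au "${O}"/linux/System.map /mnt/gentoo/boot/System.map-${kver}
+printf 'Installing device tree binaries ...\n'
+mkdir -p "${O}"/efi-part/overlays
+cp -u "${O}"/linux/arch/arm64/boot/dts/${device_tree} "${O}"/efi-part/
+cp -u \
+"${O}"/linux/arch/arm64/boot/dts/overlays/*.dtb \
+"${O}"/linux/arch/arm64/boot/dts/overlays/*.dtbo \
+"${O}"/efi-part/overlays/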
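Review bot: `touch arch/arm64/boot/Image.gz` after `make -j$(nproc)` has no comment and its purpose is not obvious; it apparently exists so the Makefile's `$(O)/linux/arch/arm64/boot/Image.gz` target ends up newer than its prerequisites even when the kernel build had nothing to do, so add something like `# Bump the mtime so the Makefile's Image.gz target is newer than linux.config even on a no-op kernel build` once the author confirms that intent. `kernel_pkg`, `kernel_defconfig` and `device_tree` all come from the sourced config and are expanded unquoted with no check that they are set, and `/usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig` can expand to several files or to none, in which case merge_config.sh silently merges the wrong fragment set; a `: "${kernel_defconfig:?}"` style check per variable would surface that. `cd -` prints the directory it returns to; `cd "${OLDPWD}"` keeps the build log clean.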

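--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -0,0 +1,138 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+O="${1}"
+mkdir -p /mnt/gentoo/etc/portage
+ln -snf \
+/var/db/repos/gentoo/profiles/${profile} \
+/mnt/gentoo/etc/portage/make.profile
+USE=build \
+emerge \
+--root=/mnt/gentoo \
+--config-root="${O}"/portage \
+-kvnj \
+sys-apps/baselayout
+cat \
+install.packages \
+"${CONFIGDIR}"/install.packages \
+| xargs -rt \
+${target}-emerge \
+--root=/mnt/gentoo \
+--config-root="${O}"/portage \
+-KvnuUDj \
+--rebuilt-binaries=y
+if [ -f "${CONFIGDIR}"/installonly.packages ]; then
+< "${CONFIGDIR}"/installonly.packages xargs -rt \
+${target}-emerge \
+--root=/mnt/gentoo \
+--config-root="${O}"/portage \
+-vnuUDj
+fi
+ROOT=/mnt/gentoo \
+locale-gen
+mkdir -p \
+/mnt/gentoo/boot/efi \
+/mnt/gentoo/dev \
+/mnt/gentoo/home \
+/mnt/gentoo/proc \
+/mnt/gentoo/sys \
+|| exit
+: > /mnt/gentoo/etc/machine-id
+cat \
+"${CONFIGDIR}"/busybox.symlinks \
+busybox.symlinks \
+| while read name; do
+if [ ! -h /mnt/gentoo/bin/"${name}" ]; then
+printf "'/bin/%s' -> 'busybox'\n" "${name}"
+ln -snf busybox /mnt/gentoo/bin/"${name}" \
+|| printf 'Failed to create busybox symlink for %s\n' "${name}"
+fi
+done
+rsync -rltpDO overlay/ /mnt/gentoo/
+if [ -d "${CONFIGDIR}"/overlay ]; then
+rsync -rltpDO "${CONFIGDIR}"/overlay/ /mnt/gentoo/
+fi
+cp -uv /usr/${target}/usr/bin/grub-editenv /mnt/gentoo/usr/bin/
+if [ -d /mnt/gentoo/usr/${target} ]; then
+rsync -aO /mnt/gentoo/usr/${target}/ /mnt/gentoo/
+fi
+if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
+mv /mnt/gentoo/etc/udev/hwdb.bin /mnt/gentoo/usr/lib/udev/
+fi
+gccver=$(qlist -I -F '%{PV}' cross-${target}/gcc | sed 's/[^0-9].*//')
+for lib in \
+libstdc++ \
+libgcc_s \
+; do
+cp /usr/lib/gcc/${target}/${gccver}/${lib}.so.* /mnt/gentoo/usr/lib64/
+done
+qemu-${target%%-*} \
+/mnt/gentoo/usr/sbin/ldconfig \
+-r /mnt/gentoo \
+-f /mnt/gentoo/etc/ld.so.conf
+if [ -d /mnt/gentoo/lib64/security ]; then
+find /mnt/gentoo/lib64/security -name 'pam_*.so' \
+-exec mv -t /mnt/gentoo/lib/security {} +
+fi
+rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
+systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
+systemctl preset-all --root=/mnt/gentoo
+rm -f /mnt/gentoo/lib/systemd/system/sysinit.target.wants/ldconfig.service
+systemd-sysusers --root=/mnt/gentoo
+if grep -q '^root:.*/bin/bash$' /mnt/gentoo/etc/passwd; then
+sed -ri 's@(root:.*):/bin/bash@\1:/bin/sh@' /mnt/gentoo/etc/passwd
+fi
+if ! grep -q Include /mnt/gentoo/etc/ssh/sshd_config; then
+echo 'Include /etc/ssh/sshd_config.d/*.conf' \
+>> /mnt/gentoo/etc/ssh/sshd_config
+fi
+case ${profile} in *selinux*)
+# Although `semanage` accepts a `--store` argument that supposedly
+# instructs it to operate on an alternate SELinux policy store, it
+# doesn't actually work. As such, we have to run `semanage` in an
+# alternate mount namespace with the target policy store bind-mounted
+# at the default location so `semanage` can operate on it.
+unshare -m sh -e <<EOF
+mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
+mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
+semanage import -N -f "${O}"/semanage.mods
+EOF
+setfiles \
+-p \
+-F \
+-m \
+-r /mnt/gentoo \
+-c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
+-e /mnt/gentoo/var/db/pkg \
+-e /mnt/gentoo/etc/portage \
+/mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
+/mnt/gentoo
+;;
+esac
+touch /mnt/gentoo/usr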
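Review bot: the busybox symlink loop reports a failed `ln` with `printf 'Failed to create busybox symlink for %s\n'` to stdout and then carries on, so under `set -e` a missing applet link in the image is only visible as a line buried in the build log; send the message to stderr (`"${name}" >&2`) and, if every listed applet is required, `exit 1` after the loop instead of tolerating it. In the SELinux branch, `-c /mnt/gentoo/etc/selinux/mcs/policy/policy.*` is a glob handed to an option that takes a single file; presumably only one `policy.NN` exists in the built root, but if two ever do the second match becomes a stray positional argument to setfiles, so either take the version from the config or fail when the glob matches more than one file. `touch /mnt/gentoo/usr` at the end deserves a one-line comment, since nothing in the Makefile depends on that path and the reason is not visible from here.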

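--- a/build-squashfs.sh
+++ b/build-squashfs.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+O="${1}"
+IMAGESDIR="${2}"
+mkdir -p "${IMAGESDIR}"
+mksquashfs \
+/mnt/gentoo \
+"${IMAGESDIR}"/rootfs.squashfs \
+-comp gzip \
+-ef "${O}"/squashfs.exclude \
+-pf "${O}"/squashfs.pseudo \
+-no-exports \
+-noappend \
+-wildcards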
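Review bot: the script sources `${CONFIGDIR}/config` but uses none of the variables that file provides (`O` and `IMAGESDIR` come from the arguments), so the line is either dead or relied on for side effects that should be named; drop it or add a comment stating what it is expected to set. `-comp gzip` also deserves a comment: build-grub.sh links gzio, xzio and zstd, which suggests the bootloader could read other compressions too, and the reason for gzip (size, decompression speed on the target, compatibility) is not recoverable from the diff. Since build-update.sh ships the SHA-256 of this image in `digests`, a reproducible image is worth aiming for; newer mksquashfs versions accept `-mkfs-time`/`-all-time` to pin the timestamps it records (confirm the squashfs-tools version in the build container supports them).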

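--- a/build-update.sh
+++ b/build-update.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+IMAGESDIR="$1"
+cd "${IMAGESDIR}"
+sha256sum firmware.img > digests
+sha256sum rootfs.squashfs >> digests
+cp -u "${OLDPWD}"/install-update.sh install
+tar -c --zstd -f update.tar.zstd \
+digests \
+firmware.img \
+rootfs.squashfs \
+install \
+|| exit
+rm install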
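Review bot: `digests` is generated here, but the bundled installer (install-update.sh in this same change) never reads it before `dd`-ing firmware.img and rootfs.squashfs to disk, so the manifest currently protects nothing at install time; have `install` run `sha256sum -c digests || die 'Update bundle is corrupt'` before writing anything. A plain hash file only detects truncation or corruption — authenticity of the bundle needs a signature that is checked by whatever fetches it, which is worth saying in a header comment so the manifest is not mistaken for that. The `|| exit` after `tar` is redundant under `set -e`, and `rm install` runs only on success, so a failed run leaves the copied installer behind in `${IMAGESDIR}`.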

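--- a/build.packages
+++ b/build.packages
@@ -0,0 +1 @@
+sys-boot/grub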

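--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR}"/config
+unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
+export PORTAGE_CONFIGROOT="${O}"/portage
+${target}-emerge -bkvuUDj sys-apps/util-linux
+cat \
+build.packages \
+install.packages \
+"${CONFIGDIR}"/build.packages \
+"${CONFIGDIR}"/install.packages \
+| xargs -rt \
+${target}-emerge -bkvnuUDj
+${target}-emerge -bv @preserved-rebuild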
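Review bot: `O` is never assigned in this script, yet `export PORTAGE_CONFIGROOT="${O}"/portage` depends on it; the sibling scripts take it as `$1` (`O="${1}"`), while the Makefile invokes `./build.sh` with no arguments and exports only `CONFIGDIR`, so with the default `O ?= .` (which GNU make does not export to recipes) the config root resolves to `/portage`. Either pass it the way the other scripts do — `O="${1}"` here and `./build.sh "$(O)"` in the Makefile — or `export O` in the Makefile. The `. "${CONFIGDIR}"/config` line also lacks the `${CONFIGDIR:=${PWD}}` default every other script in this change uses, so running build.sh by hand sources `/config`.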

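--- a/busybox.symlinks
+++ b/busybox.symlinks
@@ -0,0 +1,63 @@
+basename
+cat
+chcon
+cp
+dd
+df
+du
+echo
+env
+false
+find
+free
+fsync
+fuser
+grep
+groups
+head
+id
+install
+ip
+kill
+less
+link
+ln
+ls
+lsof
+mkdir
+mkfifo
+mktemp
+mv
+nice
+nproc
+pgrep
+ping
+ping6
+pkill
+ppidof
+printf
+ps
+readahead
+readlink
+realpath
+rm
+rmdir
+sed
+seq
+sh
+sha1sum
+sha256sum
+sha3sum
+sha512sum
+sort
+stat
+stty
+sync
+tac
+tail
+tar
+tee
+truncate
+tty
+uname
+uptime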
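Review bot: `ppidof` looks like a typo for `pidof`; as far as I know BusyBox has no applet by that name, so build-rootfs.sh would create a `/bin/ppidof` link that fails with an unknown-applet error when invoked while the real `pidof` is left without a link. Confirm against the BusyBox configuration used for the target before changing it.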

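--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -1,75 +0,0 @@
-pipeline {
-parameters {
-booleanParam 'CLEAN_BUILD'
-string 'CUSTOM_TARGET'
-}
-options {
-disableConcurrentBuilds()
-}
-agent {
-kubernetes {
-yamlFile 'ci/podTemplate.yaml'
-yamlMergeStrategy merge()
-workspaceVolume persistentVolumeClaimWorkspaceVolume(
-claimName: 'buildroot-aimeeos'
-)
-defaultContainer 'build'
-}
-}
-environment {
-BR2_CCACHE_DIR = "${env.JENKINS_AGENT_WORKDIR}/br2-ccache"
-}
-stages {
-stage('Clean') {
-when {
-expression {
-return params.CLEAN_BUILD
-}
-}
-steps {
-sh 'git clean -fdx'
-}
-}
-stage('Prepare') {
-steps {
-container('jnlp') {
-sh 'if [ ! -d buildroot ]; then git clone https://gitlab.com/buildroot.org/buildroot.git -b 2025.05.x --depth 1; else git -C buildroot pull; fi'
-}
-}
-}
-stage('Build') {
-steps {
-sh 'make -C buildroot O="${PWD}"/_build BR2_EXTERNAL="${PWD}" aimeeos_qemu_aarch64_defconfig'
-script {
-if (params.CUSTOM_TARGET) {
-sh "make -C _build '${CUSTOM_TARGET}'"
-}
-}
-sh 'make -C _build'
-}
-post {
-success {
-dir('_build') {
-archiveArtifacts('.config')
-}
-dir('_build/images') {
-sh 'zstd -f firmware.img'
-sh 'zstd -f sdcard.img'
-archiveArtifacts([
-'firmware.img.zst',
-'rootfs.squashfs',
-'sdcard.img.zst',
-'update.tar.zst',
-].join(','))
-}
-}
-}
-}
-}
-}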


@ -1,19 +0,0 @@
spec:
containers:
- name: build
image: git.pyrocufflink.net/containerimages/buildroot
resources:
limits: &resources
cpu: 6
memory: 12Gi
requests: *resources
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
subPath: ssh_known_hosts
securityContext:
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts


@ -1,14 +0,0 @@
BR2_aarch64=y
BR2_TOOLCHAIN_BUILDROOT_VENDOR="aimeeos"
BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
BR2_INIT_SYSTEMD=y
BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/qemu/post-image.sh"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
# BR2_PACKAGE_BUSYBOX is not set
# BR2_TARGET_ROOTFS_TAR is not set
AIMEEOS=y
AIMEEOS_DEFAULT_ROOTFLAGS="systemd.mask=serial-getty@ttyAMA0 systemd.debug_shell systemd.default_debug_tty=ttyAMA0"


@ -1,28 +0,0 @@
BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
BR2_GLOBAL_PATCH_DIR="board/raspberrypi/patches"
BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
BR2_INIT_SYSTEMD=y
BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/post-image.sh"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_TARBALL=y
BR2_LINUX_KERNEL_CUSTOM_TARBALL_LOCATION="$(call github,raspberrypi,linux,ac69f097e1fba94502cbd36278db204120a37943)/linux-ac69f097e1fba94502cbd36278db204120a37943.tar.gz"
BR2_LINUX_KERNEL_DEFCONFIG="bcm2709"
BR2_LINUX_KERNEL_ZSTD=y
BR2_LINUX_KERNEL_DTS_SUPPORT=y
BR2_LINUX_KERNEL_INTREE_DTS_NAME="broadcom/bcm2710-rpi-3-b broadcom/bcm2710-rpi-3-b-plus broadcom/bcm2710-rpi-cm3"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_XZ=y
BR2_PACKAGE_RPI_FIRMWARE=y
BR2_PACKAGE_RPI_FIRMWARE_BOOTCODE_BIN=y
BR2_PACKAGE_RPI_FIRMWARE_VARIANT_PI=y
BR2_PACKAGE_RPI_FIRMWARE_CMDLINE_FILE="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/cmdline.txt"
BR2_PACKAGE_RPI_FIRMWARE_CONFIG_FILE="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/config.txt"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_UBOOT_BOARD_DEFCONFIG="rpi_3_32b"
BR2_PACKAGE_HOST_KMOD_XZ=y
AIMEEOS=y
AIMEEOS_RPI=y


@ -1,2 +0,0 @@
name: AIMEEOS
desc: Aimee OS (Buildroot)


@ -1,79 +0,0 @@
ifeq ($(AIMEEOS),y)
BR2_TOOLCHAIN_BUILDROOT_VENDOR = "aimeeos"
# Disable the default fstab
SKELETON_INIT_SYSTEMD_ROOT_RO_OR_RW =
# Disable the default var.mount
SKELETON_INIT_SYSTEMD_ROOTFS_PRE_CMD_HOOKS =
# Do not run preset-all at build time
SYSTEMD_PRESET_ALL =
# Enable required kernel options for Aimee OS storage
define AIMEEOS_LINUX_CONFIG_FIXUPS
$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_INITRD)
$(call KCONFIG_ENABLE_OPT,CONFIG_EFI)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_CODEPAGE_437)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_ISO8859_1)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_UTF8)
$(call KCONFIG_ENABLE_OPT,CONFIG_VFAT_FS)
$(call KCONFIG_SET_OPT,CONFIG_BTRFS_FS,y)
$(call KCONFIG_SET_OPT,CONFIG_OVERLAY_FS,y)
$(call KCONFIG_SET_OPT,CONFIG_SQUASHFS,y)
$(call KCONFIG_SET_OPT,CONFIG_MSDOS_FS,y)
endef
LINUX_KCONFIG_FIXUP_CMDS += $(AIMEEOS_LINUX_CONFIG_FIXUPS)
# Generate the initramfs image after building the target
BR2_ROOTFS_POST_BUILD_SCRIPT += $(BR2_EXTERNAL_AIMEEOS_PATH)/boot/mkinitramfs.sh
# Ensure the requisite GRUB2 modules are selected
define AIMEEOS_GRUB2_MODULES
boot
configfile
echo
efi_gop
fat
gzio
linux
loadenv
minicmd
normal
part_gpt
probe
regexp
squash4
terminfo
test
zstd
endef
BR2_TARGET_GRUB2_BUILTIN_MODULES_EFI += $(AIMEEOS_GRUB2_MODULES)
# Overwrite the grub.cfg provided by Buildroot with our own.
define AIMEEOS_GRUB2_INSTALL_IMAGES_CMDS
$(foreach tuple, $(GRUB2_TUPLES-y), \
$(INSTALL) -D -m 0644 $(BR2_EXTERNAL_AIMEEOS_PATH)/boot/grub2/grub.cfg $(GRUB2_CFG_$(tuple))
)
$(HOST_DIR)/bin/grub-editenv $(BINARIES_DIR)/efi-part/EFI/BOOT/grubenv set \
default=0 \
timeout=3 \
rootflags=$(AIMEEOS_DEFAULT_ROOTFLAGS)
endef
GRUB2_INSTALL_IMAGES_CMDS += $(AIMEEOS_GRUB2_INSTALL_IMAGES_CMDS)
# Generate the grub.cfg stub for the kernel embedded in rootfs.squashfs
define AIMEEOS_GEN_GRUB_CFG
$(BR2_EXTERNAL_AIMEEOS_PATH)/boot/grub2/gen-grub-cfg.sh $(LINUX_IMAGE_NAME)
endef
LINUX_TARGET_FINALIZE_HOOKS += AIMEEOS_GEN_GRUB_CFG
define AIMEEOS_TARGET_FINALIZE_HOOKS
echo uninitialized > $(TARGET_DIR)/etc/machine-id
endef
TARGET_FINALIZE_HOOKS += AIMEEOS_TARGET_FINALIZE_HOOKS
BR2_ROOTFS_POST_IMAGE_SCRIPT += $(BR2_EXTERNAL_AIMEEOS_PATH)/update/make-package.sh
endif
include $(sort $(wildcard $(BR2_EXTERNAL_AIMEEOS_PATH)/package/*/*.mk))

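--- a/flash.sh
+++ b/flash.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+dev=$(readlink -f "$1")
+wipefs -fa "${dev}"
+pv images/sdcard.img \
+| dd of="${dev}" bs=1M conv=sparse oflag=sync
+sync; sync; sync
+sleep 1
+for p in /sys/class/block/${dev##*/}/*/partition; do
+[ -f "${p}" ] || continue
+case $(cat "${p}") in
+1|2)
+;;
+*)
+p=${p%/*}
+wipefs -fa /dev/${p##*/}
+;;
+esac
+done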
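Review bot: the script wipes and overwrites whatever `readlink -f "$1"` resolves to without checking that an argument was given or that it names a block device, and it has no `set -e`, so when `pv | dd` fails the partition-wiping loop still runs against the device. Add `[ -b "${dev}" ] || { printf 'usage: %s /dev/<block-device>\n' "$0" >&2; exit 2; }` right after the `dev=` line, and `set -e` at the top (or `|| exit` on the `dd` pipeline) so a failed write stops the script before the loop. A one-line comment above the loop saying why partitions other than 1 and 2 get their signatures wiped would also help the next reader.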


@ -5,7 +5,7 @@ image firmware.img {
}
srcpath = "efi-part"
size = 64M
size = 32M
}
image sdcard.img {
@ -32,7 +32,7 @@ image sdcard.img {
size = 512M
}
partition aimeeos-data {
partition dch-data {
partition-type-uuid = "L"
autoresize = true
}

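--- a/genimage.sh
+++ b/genimage.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+cleanup() {
+if [ -n "${tmproot}" ]; then
+if [ "${tmproot}" != / ]; then
+rm -rf "${tmproot}"
+fi
+unset tmproot
+fi
+}
+. "${CONFIGDIR:=${PWD}}"/config
+O="${1}"
+IMAGESDIR="${2}"
+trap cleanup INT TERM QUIT EXIT
+tmproot=$(mktemp -d)
+tmppath=$(mktemp -d)
+cd "${O}"
+genimage \
+--rootpath "${tmproot}" \
+--tmppath "${tmppath}" \
+--inputpath "${IMAGESDIR}" \
+--outputpath "${IMAGESDIR}" \
+--mkdosfs mkfs.vfat \
+--config "${OLDPWD}"/genimage.cfg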
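Review bot: `cleanup` removes `tmproot` but not `tmppath`, which is also created with `mktemp -d` and handed to genimage as `--tmppath`, so every run leaks a scratch directory (with genimage's intermediate images in it) under TMPDIR. Extend cleanup with the same guarded removal: `if [ -n "${tmppath}" ] && [ "${tmppath}" != / ]; then rm -rf "${tmppath}"; fi`; the `-n` test already covers the window before `tmppath` is assigned. Like build-squashfs.sh, this script sources `config` without using anything from it, which is worth a comment or removal.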

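--- a/grub.cfg
+++ b/grub.cfg
@@ -0,0 +1,19 @@
+# vim: set ft=sh :
+# vim: set sw=4 ts=4 sts=4 et:
+load_env
+regexp --set 1:disk '(.*),.*' $root
+for dev in ($disk,gpt*); do
+probe --set partuuid --part-uuid $dev
+for path in $dev/boot/vmlinuz-*; do
+if [ -f $path ]; then
+regexp --set 1:kernel '.*/(vmlinuz-.*)' $path
+regexp --set 1:kver 'vmlinuz-(.*)' $kernel
+menuentry "Gentoo Linux $kver on $dev" --class gnu-linux --id "id-$partuuid-$kver" "$dev" "$kernel" $partuuid {
+set root="$2"
+linux "/boot/$3" root=PARTUUID=$4 $rootflags
+}
+fi
+done
+done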
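Review bot: `load_env` with no arguments imports every variable stored in grubenv, but this file only needs `default` (the entry chosen via `--id`, which install-update.sh rewrites) and `rootflags`; GRUB's `load_env` accepts a list of variable names, so `load_env default rootflags` keeps a modified environment block — it lives on the FAT ESP and is rewritten at runtime — from overriding variables such as `root` or `prefix` that the rest of this file trusts (confirm the installed GRUB version supports the named-variable form). The `menuentry` line also merits a comment explaining its positional arguments (`$2` device, `$3` kernel file name, `$4` PARTUUID), since `linux "/boot/$3" root=PARTUUID=$4 $rootflags` is hard to read without it.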

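--- a/install-update.sh
+++ b/install-update.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+. /lib/gentoo/functions.sh
+die() {
+rc=$?
+if [ $rc -eq 0 ]; then
+rc=1
+fi
+eerror "$@"
+exit $rc
+}
+get_partuuid() {
+blkid -o value -s PARTUUID "$1"
+}
+set_default_boot() {
+_rc=0
+mkdir -p newroot || return
+mount -oro "$1" newroot || return
+_kernel=$(find newroot/boot -name 'vmlinuz-*' \
+| awk -F/ '{print $NF}' \
+| sort -V \
+| tail -n1
+)
+_kver=${_kernel#vmlinuz-}
+_partuuid=$(get_partuuid "$1")
+_id=id-${_partuuid}-${_kver}
+ebegin 'Setting default boot entry'
+veindent
+veinfo "Menu entry ID: ${_id}"
+veoutdent
+grub-editenv /boot/efi/EFI/gentoo/grubenv set "default=${_id}" || _rc=$?
+eend $_rc
+umount newroot
+return $_rc
+}
+write_firmware() {
+_rc=0
+_esp=$(findfs PARTLABEL='EFI System Partition')
+if [ -z "${_esp}" ]; then
+eerror 'Could not identify EFI System Partition'
+return 1
+fi
+if ! mountpoint -q /boot/efi; then
+mount -o ro "${_esp}" /boot/efi \
+|| ewarn 'Failed to mount EFI System Partition'
+fi
+if [ -f /boot/efi/EFI/gentoo/grubenv ]; then
+ebegin 'Saving current GRUB environment'
+cp /boot/efi/EFI/gentoo/grubenv .
+ewend $? 'Failed to save GRUB environment'
+fi
+if mountpoint -q /boot/efi; then
+umount /boot/efi || return
+fi
+ebegin "Writing firmware image to EFI System Partition (${_esp})"
+dd if=firmware.img of="${_esp}" bs=1M || _rc=$?
+if [ $_rc -eq 0 ]; then
+mount -orw "${_esp}" /boot/efi || rc=$?
+fi
+if [ $_rc -eq 0 ]; then
+if [ -f grubenv ]; then
+ebegin 'Restoring GRUB environment'
+cp grubenv /boot/efi/EFI/gentoo/grubenv || _rc=$?
+eend $_rc
+fi
+fi
+return $_rc
+}
+write_rootfs() {
+_rc=0
+ebegin "Writing rootfs image to $1"
+dd if=rootfs.squashfs of="$1" bs=1M || _rc=$?
+eend $_rc
+}
+rc=0
+newroot="$1"
+write_rootfs "${newroot}" || die 'Failed to write new rootfs image to disk'
+write_firmware || die 'Failed to write new firmware image to disk'
+if ! set_default_boot "${newroot}"; then
+rc=$?
+eerror 'Failed to set default boot option'
+fi
+if [ $rc -eq 0 ]; then
+einfo 'Successfully installed update'
+fi
+exit $rc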
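Review bot: in `write_firmware`, `mount -orw "${_esp}" /boot/efi || rc=$?` stores the failure in the global `rc` instead of the function's `_rc`, so a failed remount is not reported by the function (the following `[ $_rc -eq 0 ]` still passes and the grubenv restore then fails for the wrong reason) and it clobbers the script-level `rc` that the final `exit $rc` uses; change it to `|| _rc=$?`. The installer also `dd`s both images without first checking them against the `digests` file that build-update.sh places in the same bundle; a `sha256sum -c digests || die 'Update bundle is corrupt'` before `write_rootfs` rejects a truncated download before the live ESP is overwritten. `write_rootfs` relies on `eend` returning its argument to propagate `$_rc`, which gentoo-functions documents, but an explicit `return $_rc` would make the contract visible.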

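--- a/install.packages
+++ b/install.packages
@@ -0,0 +1,8 @@
+app-alternatives/awk
+net-misc/openssh
+net-misc/wget
+sys-apps/busybox
+sys-apps/kbd
+sys-apps/gentoo-functions
+sys-apps/systemd
+sys-fs/btrfs-progs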

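--- a/ocivm.sh
+++ b/ocivm.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+if ! ocivm list | grep -q localhost/cross-${target}; then
+ocivm import localhost/cross-${target}
+fi
+ocivm \
+--log-level DEBUG \
+run \
+-m 8G \
+-n ${buildvm:-aimeebuild} \
+-w /tmp/src \
+-v "${PWD}":/tmp/src \
+-v portagecache:/var/cache:size=16G \
+-v portage:/var/db/repos/gentoo:size=4G \
+localhost/cross-aarch64-unknown-linux-gnu \
+"$@"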
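Review bot: the image name is inconsistent — the existence check and `ocivm import` use `localhost/cross-${target}`, but the `run` command is hard-coded to `localhost/cross-aarch64-unknown-linux-gnu`, so a config with a different `target` imports one image and runs another. Use `localhost/cross-${target}` on the run line as well. `${target}` and `${buildvm:-aimeebuild}` are unquoted; quoting them costs nothing and matches the `"${PWD}"` on the volume line, and `grep -q localhost/cross-${target}` would be better as `grep -qx` (or a fixed-string match) so a prefix of another image name does not satisfy the check.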

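--- a/overlay/etc/fstab
+++ b/overlay/etc/fstab
@@ -0,0 +1 @@
+PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2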

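--- a/overlay/etc/locale.conf
+++ b/overlay/etc/locale.conf
@@ -0,0 +1 @@
+LANG=en_US.UTF-8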

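--- a/overlay/etc/locale.gen
+++ b/overlay/etc/locale.gen
@@ -0,0 +1 @@
+en_US.UTF-8 UTF-8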

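--- a/overlay/etc/resolv.conf
+++ b/overlay/etc/resolv.conf
@@ -0,0 +1 @@
+../run/systemd/resolve/resolv.conf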


@ -0,0 +1,15 @@
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=mcs


@ -0,0 +1,16 @@
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
AcceptEnv COLORTERM
HostKey /var/lib/ssh/ssh_host_rsa_key
HostKey /var/lib/ssh/ssh_host_ecdsa_key
HostKey /var/lib/ssh/ssh_host_ed25519_key
Include /etc/ssh/sshd_config.d/*.conf
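Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is placed last, and since sshd uses the first value obtained for each keyword, drop-ins in that directory can add settings but cannot override the ones above them (they cannot, for instance, turn `PasswordAuthentication` back on); that is a sound default but only if it is intentional, so document it with `# Keep Include last: sshd takes the first value for each keyword, so drop-ins may extend but not override the settings above.` build-rootfs.sh appends the same Include line when it is absent, so the ordering holds in the built image either way, and the `HostKey /var/lib/ssh/...` paths are coupled to `StateDirectory=ssh` in the ssh-keygen@ unit, which a second comment should name.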


@ -0,0 +1,11 @@
[Match]
Type=ether
[Network]
DHCP=yes
[DHCPv4]
UseDomains=yes
[DHCPv6]
UseDomains=yes

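--- a/overlay/usr/bin/factory-reset
+++ b/overlay/usr/bin/factory-reset
@@ -0,0 +1,27 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+. /lib/gentoo/functions.sh
+confirm() {
+unset _confirm
+printf '%s [y/N] ' "${1-Do you want to continue?}"
+read _confirm
+case "${_confirm}" in
+[Yy]|[Yy][Ee][Ss])
+return 0
+;;
+*)
+return 1
+;;
+esac
+}
+printf "${WARN}"
+printf 'This operation will COMPLETELY ERASE all data and information '
+printf 'stored on this system!\n'
+printf "${NORMAL}"
+confirm || exit 9
+ewarn 'The system will now reboot and wipe all data.'
+systemctl enable --runtime factory-reset.service
+systemctl reboot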
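Review bot: `systemctl enable --runtime factory-reset.service` is followed unconditionally by `systemctl reboot`, so if enabling fails (not running as root, unit not installed) the machine simply reboots without wiping and the operator who just confirmed the reset is given no error; chain them with `systemctl enable --runtime factory-reset.service || exit` (or put `set -e` at the top). `read _confirm` without `-r` is harmless for a y/N prompt, but `read -r` is the conventional spelling and avoids a shellcheck warning.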


@ -0,0 +1,56 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
if [ -z "${_UNSHARED}" ]; then
export _UNSHARED=1
exec unshare -m "$0" "$@"
fi
unset _UNSHARED
cleanup() {
if is_mount -q /etc; then
umount -R /etc
fi
if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
if is_mount "${tmpdir}"; then
umount -R "${tmpdir}"
fi
rm -rf "${tmpdir}"
fi
unset tmpdir
}
is_mount() {
awk '
BEGIN { rc = 1 }
$5 == "'"${1}"'" { rc = 0 }
END { exit rc }
' /proc/self/mountinfo
}
tmpdir=$(mktemp -d)
trap 'cleanup' INT QUIT TERM EXIT
mount \
-t tmpfs \
-o private,rootcontext=system_u:object_r:etc_t:s0 \
tmpfs \
"${tmpdir}" \
|| exit
mkdir -p \
"${tmpdir}"/etc \
"${tmpdir}"/etc/pam.d \
"${tmpdir}"/etc/security \
"${tmpdir}"/etc/selinux \
|| exit
cp -a /etc/passwd /etc/shadow "${tmpdir}"/etc || exit
mount -o bind /etc/pam.d "${tmpdir}"/etc/pam.d || exit
mount -o bind /etc/security "${tmpdir}"/etc/security || exit
mount -o bind /etc/selinux "${tmpdir}"/etc/selinux || exit
mount --rbind "${tmpdir}"/etc /etc || exit
passwd || exit
mv /etc/shadow "${tmpdir}"/shadow || exit
umount -R /etc || exit
cat "${tmpdir}"/shadow > /etc/shadow || exit
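Review bot: `cat "${tmpdir}"/shadow > /etc/shadow` on the last line truncates the live shadow file before the new contents are written, so an interruption or read error between the two leaves `/etc/shadow` empty and every account locked out; if `/etc` is writable as a directory here (the in-place `cat >` alone does not establish that), copy to a sibling and rename instead — `cp -a /etc/shadow /etc/shadow.tmp && cat "${tmpdir}"/shadow > /etc/shadow.tmp && mv -f /etc/shadow.tmp /etc/shadow` — so the replacement is atomic and keeps the original mode and SELinux context. The reason for the mount-namespace setup — presumably so `passwd` only ever sees a private tmpfs copy of `/etc` and the real file is updated once, in a controlled way — should be stated in a header comment; the script has none, and the `rootcontext=system_u:object_r:etc_t:s0` mount option in particular is not self-explanatory.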


@ -119,6 +119,8 @@ trap cleanup INT TERM QUIT EXIT
workdir=$(mktemp -d)
cd "${workdir}"
systemctl daemon-reload
fetch_update "${source_url}" || die 'Failed to fetch update source'
extract_update || die 'Failed to extact update source'
./install "${newroot}" || die 'Error installing system update'
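Review bot: `./install "${newroot}"` executes a script taken from the downloaded bundle as root, and nothing in this hunk checks the bundle's authenticity first; unless `fetch_update`/`extract_update` (defined outside the hunk) verify a signature, a tampered update source becomes code execution at install time, so a signature check belongs before the extract step, and at minimum `sha256sum -c digests` against the manifest that build-update.sh ships would catch a corrupted download before `./install` runs. The message in `die 'Failed to extact update source'` has a typo (`extract`). The enclosing script continues past the end of the hunk.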


@ -0,0 +1,2 @@
[Service]
ExecStartPre=


@ -0,0 +1,19 @@
enable auditd.service
enable restorecon.service
disable ldconfig.service
disable systemd-userdbd.service
disable systemd-userdbd.socket
enable systemd-networkd-wait-online.service
enable systemd-networkd.service
enable systemd-networkd.socket
#enable systemd-time-wait-sync.service
disable getty@.service
enable sshd.socket
enable ssh-keygen.target


@ -0,0 +1,5 @@
[Service]
# Do not run augenrules; read audit rules from the audit.rules file as
# it exists already. Audit rules are generated at build time.
ExecStartPost=
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
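Review bot: the `-` prefix on `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules` tells systemd to ignore a non-zero exit, so a malformed or missing rules file leaves auditd running with no rules while the unit still reports success; if rules are meant to be mandatory on this image, drop the `-` so the failure is visible, otherwise extend the comment to say the failure is tolerated deliberately and why. Since the comment says the rules are generated at build time, a broken file is a build defect that a failing unit would surface in the first boot test rather than silently at audit-review time.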


@ -0,0 +1,13 @@
[Unit]
Description=Perform a factory reset
DefaultDependencies=no
After=umount.target
Before=systemd-reboot.service
[Service]
Type=oneshot
ExecStart=/usr/libexec/factory-reset
StandardOutput=kmsg+console
[Install]
WantedBy=final.target


@ -0,0 +1,15 @@
[Unit]
Description=Initialize persistent data storage
DefaultDependencies=no
Before=local-fs-pre.target
After=systemd-journald.service
After=systemd-remount-fs.service
After=systemd-sysctl.service
After=systemd-udev-trigger.service
[Service]
Type=oneshot
ExecStart=/usr/libexec/init-storage
StandardInput=null
StandardOutput=journal+console
StandardError=journal+console


@ -0,0 +1,7 @@
[Unit]
Wants=ssh-keygen@rsa.service
Wants=ssh-keygen@ecdsa.service
Wants=ssh-keygen@ed25519.service
[Install]
WantedBy=multi-user.target


@ -0,0 +1,11 @@
[Unit]
Description=Generate SSH %I host key
ConditionPathExists=!%S/ssh/ssh_host_%I_key
[Service]
Type=oneshot
StateDirectory=ssh
ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
[Install]
WantedBy=sshd-keygen.target
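Review bot: `WantedBy=sshd-keygen.target` in [Install] does not match the `ssh-keygen.target` the preset enables and the `ssh-keygen@` unit names used in the target's `Wants=` lines, which looks like a typo; since the target already pulls the instances in, the [Install] section can be corrected or dropped. Nothing visible orders sshd.service after key generation (the preset enables `sshd.socket`), so a connection arriving before the keys exist would fail sshd's first start unless sshd's own unit handles that — worth confirming. The keys land in `%S/ssh` (i.e. /var/lib/ssh via `StateDirectory=ssh`), so sshd_config must point `HostKey` there; that file is not part of this change.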


@ -0,0 +1 @@
../init-storage.service


@ -0,0 +1,2 @@
[Service]
Environment=SYSTEMD_TMPFILES_FORCE_SUBVOL=1


@ -0,0 +1,11 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
DATAPART=$(awk '$2=="/var"{print $1}' /etc/fstab)
dev=$(findfs "${DATAPART}")
if [ -z "${dev}" ]; then
printf 'Could not find data partition (%s)\n' "${DATAPART}" >&2
exit 1
fi
wipefs -fa "${dev}"
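Review bot: `wipefs -fa "${dev}"` erases only the filesystem signatures; the btrfs data on the partition (the etc and var subvolumes, including the shadow copy staged there by init-storage) stays on disk and remains recoverable, so this is not a reset of user data. If the reset is meant to remove data, discard or overwrite the partition (for example `blkdiscard "${dev}"` on flash media) before clearing signatures, or document in the header comment that only the signatures are removed. The awk over /etc/fstab would also yield several devices if more than one entry has `/var` in the second field; `findfs` then fails and the `-z` check catches it, which is fine but worth a comment.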


@ -18,26 +18,15 @@ cleanup() {
fi
}
copy_vol() {
copy_var() {
dev="$1"
vol=$2
printf 'Copying %s contents to data volume\n' "${vol}" >&2
mount -o subvol="${vol#/}" "${dev}" "${tmpdir}" || exit
cp -au${VERBOSE+v} /sysroot/${vol#/}/. "${tmpdir}" || exit
echo 'Copying /var contents to data volume'
mount -o subvol=var "${dev}" "${tmpdir}" || exit
cp -auv /var/. "${tmpdir}" || exit
umount "${tmpdir}"
}
find_part() {
_i=0
while [ $_i -lt 5 ]; do
findfs "$1" 2>/dev/null && return
_i=$((_i + 1))
sleep 1
done
findfs "$1"
}
format_dev() {
dev="$1"
partno=$(partition_number "${dev}")
@ -56,8 +45,8 @@ format_dev() {
fi
fi
printf 'Creating BTRFS filesystem on %s\n' "${dev}" >&2
mkfs.btrfs --quiet "${dev}" || exit
printf 'Creating BTRFS filesystem on %s\n' "${dev}"
mkfs.btrfs "${dev}" || exit
mount "${dev}" "${tmpdir}" || exit
for vol in ${SUBVOLUMES}; do
@ -100,8 +89,8 @@ partition_number() {
}
relabel_all() {
if [ ! -d /sys/fs/selinux ] || [ ! -f /etc/selinux/config ]; then
return
if [ ! "$(command -v selinuxenabled)" ] || !selinuxenabled; then
return 0
fi
selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
find "${tmpdir}" | \
@ -132,7 +121,7 @@ resize_partition() {
"${_type}" \
"${_uuid}" \
"${_label}" \
| sfdisk -N "${_part}" "${_disk}" --quiet --force \
| sfdisk -N "${_part}" "${_disk}" --force \
|| return $?
partx -u "${_disk}"
}
@ -140,20 +129,43 @@ resize_partition() {
setup_etc() {
dev="$1"
echo 'Initializing /etc overlay' >&2
mkdir -p /run/aimeeos/etc || return
mount -o subvol=etc "${dev}" /run/aimeeos/etc || return
mkdir -p /run/aimeeos/etc/rw /run/aimeeos/etc/work || return
mount -t overlay \
-o lowerdir=/sysroot/etc,upperdir=/run/aimeeos/etc/rw,workdir=/run/aimeeos/etc/work \
overlay \
/sysroot/etc
echo 'Initializing writable paths in /etc'
mount -o subvol=etc "${dev}" "${tmpdir}" || exit
if [ ! -f "${tmpdir}"/shadow ]; then
cp -a /etc/shadow "${tmpdir}"/shadow || exit
fi
mount -o bind "${tmpdir}"/shadow /etc/shadow || exit
if [ -f /etc/aimee-os/writable-etc ]; then
while read type path; do
if [ ! -e "${tmpdir}/${path}" ]; then
if [ -e /etc/"${path}" ]; then
case "${path}" in
*/*)
mkdir -p "${tmpdir}/${path%/*}"
;;
esac
cp -a /etc/"${path}" "${tmpdir}/${path}"
elif [ "${type}" = d ]; then
mkdir -p "${tmpdir}/${path}"
elif [ "${type}" = f ]; then
: > "${tmpdir}/${path}"
else
printf 'Invalid path type %s for %s\n' \
"${type}" \
"${path}" \
>&2
continue
fi
fi
mount -o bind "${tmpdir}/${path}" /etc/"${path}"
done < /etc/aimee-os/writable-etc
fi
umount "${tmpdir}"
}
rootdev=$(find_part "$1")
datapart=$(find_part "${2:-PARTLABEL=aimeeos-data}")
datapart=$(findfs $(awk '$2=="/var"{print $1}' /etc/fstab))
if [ -b "${datapart}" ]; then
printf 'Found data partition: %s\n' "${datapart}" >&2
printf 'Found data partition: %s\n' "${datapart}"
else
echo 'Could not identify data partition' >&2
exit 1
@ -167,9 +179,5 @@ if ! has_fs "${datapart}"; then
format_dev "${datapart}"
fi
mkdir -p /sysroot
mount -o ro "${rootdev}" /sysroot || exit
setup_etc "${datapart}"
copy_vol "${datapart}" /var
exit 0
copy_var "${datapart}"
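Review bot: In relabel_all, `!selinuxenabled` (no space after `!`, as printed) is a single word, so the shell looks for a command literally named `!selinuxenabled`; it is not found, the `||` condition is true and the function returns 0 before relabeling anything, so the data volume is never relabeled on an SELinux system. It should read `if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then`. In setup_etc, the `mkdir -p`, `cp -a` and `mount -o bind` inside the `while read` loop have no `|| exit`, unlike the shadow handling just above it, so a failed bind silently leaves the read-only copy in place; `read -r type path` would also avoid backslash mangling of listed paths. The first hunk drops find_part's retry loop, so the new `findfs $(awk ...)` call fails immediately if the device has not appeared when the unit starts.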


@ -1,10 +0,0 @@
[Match]
Type=ether
Name=en* eth*
[Network]
DHCP=true
[DHCPv4]
ClientIdentifier=mac
UseDomain=true


@ -1,10 +0,0 @@
config BR2_PACKAGE_AIMEE_OS_UTILS
bool
select BR2_PACKAGE_BTRFS_PROGS
select BR2_PACKAGE_UTIL_LINUX
select BR2_PACKAGE_UTIL_LINUX_BINARIES
select BR2_PACKAGE_UTIL_LINUX_MOUNTPOINT
select BR2_PACKAGE_UTIL_LINUX_PARTX
select BR2_PACKAGE_UTIL_LINUX_SWITCH_ROOT
select BR2_PACKAGE_WGET
select BR2_TARGET_GRUB2_INSTALL_TOOLS


@ -1,31 +0,0 @@
################################################################################
#
# Aimee OS Utils
#
################################################################################
AIMEE_OS_UTILS_VERSION = 2.0
AIMEE_OS_UTILS_LICENSE = GPL-3.0+
AIMEE_OS_UTILS_DEPENDENCIES = \
host-fakeroot \
btrfs-progs \
AIMEE_OS_UTILS_SOURCE =
define AIMEE_OS_UTILS_INSTALL_TARGET_CMDS
$(INSTALL) -D -m u=rwx,go=rx \
$(AIMEE_OS_UTILS_PKGDIR)/system-update.sh \
$(TARGET_DIR)/usr/sbin/system-update
mkdir -p $(TARGET_DIR)/boot/efi
endef
define AIMEE_OS_UTILS_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m u=rw,go=r \
$(AIMEE_OS_UTILS_PKGDIR)/var.mount \
$(TARGET_DIR)/usr/lib/systemd/system/var.mount
$(INSTALL) -D -m u=rw,go=r \
$(AIMEE_OS_UTILS_PKGDIR)/90-default.network \
$(TARGET_DIR)/usr/lib/systemd/network/90-default.network
endef
$(eval $(generic-package))


@ -1,12 +0,0 @@
[Unit]
Description=/var
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
[Mount]
What=PARTLABEL=aimeeos-data
Where=/var
Type=btrfs
Options=subvol=var,nosuid,nodev,noexec

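--- a/podman-build.sh
+++ b/podman-build.sh
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+cid=$(./start-container.sh)
+./patch-uboot.sh
+podman exec -it ${cid} make
+podman stop ${cid}
+podman rm ${cid}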
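Review bot: With `set -e`, a failing `make` inside `podman exec` aborts the script before `podman stop`/`podman rm`, so the container from `./start-container.sh` is left running; registering the cleanup right after `cid` is set, e.g. `trap 'podman stop "${cid}"; podman rm "${cid}"' EXIT`, and dropping the two trailing lines fixes that. `${cid}` should be quoted on the exec/stop/rm lines. `-it` allocates a tty, which may fail when the script runs without one (CI); `-i` alone is enough for make.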

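--- a/portage/env/nobuildpkg
+++ b/portage/env/nobuildpkg
@@ -0,0 +1 @@
+FEATURES=-buildpkg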


@ -0,0 +1,2 @@
FEATURES="${FEATURES} binpkg-multi-instance buildpkg"
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg --binpkg-respect-use=y"


@ -0,0 +1 @@
USE='-man -doc minimal pam zstd'


@ -0,0 +1,2 @@
GOOS=linux
GOARCH=${ARCH}


@ -0,0 +1,3 @@
LINGUAS=en
L10N=en-US
USE="${USE} -nls"


@ -0,0 +1,2 @@
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --quiet-build=y"
FEATURES="${FEATURES} -news"


@ -0,0 +1 @@
sys-boot/u-boot ~arm64


@ -0,0 +1 @@
sys-kernel/linux-firmware nobuildpkg


@ -0,0 +1 @@
sys-boot/raspberrypi-firmware nobuildpkg

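--- a/portage/package.use/awk
+++ b/portage/package.use/awk
@@ -0,0 +1 @@
+app-alternatives/awk -gawk busybox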


@ -0,0 +1 @@
sys-apps/busybox savedconfig


@ -0,0 +1 @@
sys-kernel/linux-firmware compress compress-xz savedconfig


@ -0,0 +1 @@
dev-lang/python -ensurepip


@ -0,0 +1 @@
sys-boot/u-boot savedconfig


@ -0,0 +1 @@
selinux-base


@ -0,0 +1,24 @@
From 21d7cfbc3969ddea86e7dcc2dd15f8009ffcabe6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 3 Mar 2023 15:04:28 -0600
Subject: [PATCH] systemd: Fixes for systemd-resolved
---
refpolicy/policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
index da64b11..9013931 100644
--- a/refpolicy/policy/modules/system/systemd.te
+++ b/refpolicy/policy/modules/system/systemd.te
@@ -236,6 +236,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
files_runtime_file(systemd_resolved_runtime_t)
+init_mountpoint(systemd_resolved_runtime_t)
type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
--
2.40.1


@ -0,0 +1,24 @@
From 1a7dfe6699484a6b7808cc02df7354b146b07a36 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 09:57:44 -0600
Subject: [PATCH] mount: Allow mounting on etc_t
---
refpolicy/policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 22a4766..f405615 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -92,6 +92,7 @@ files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
+files_mounton_etc_dirs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
--
2.40.1


@ -0,0 +1,24 @@
From b24010882565c3ea5f9ab9b3007648f1e4d2e603 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 10:16:13 -0600
Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
---
refpolicy/policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 56dbd5a..0dff529 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
+files_mountpoint(unlabeled_t)
# Kernel-generated traffic e.g., TCP resets on
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
--
2.40.1


@ -0,0 +1,24 @@
From 6e4feac42f7c646e3353e0747767f1226f6c513e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Mon, 6 Mar 2023 12:10:19 -0600
Subject: [PATCH] Allow systemd-journald list cgroup directories
---
refpolicy/policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 227dc67..0c6f372 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
+fs_list_cgroup_dirs(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
--
2.40.1


@ -0,0 +1,76 @@
From 3e580c1cc3c31745c180dfd69bfd913ef1333c63 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 10 Mar 2023 12:39:41 -0600
Subject: [PATCH] Allow systemd to create directories
This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
settings.
---
refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
refpolicy/policy/modules/system/init.te | 14 ++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 6fe764a..add9b6d 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -564,6 +564,24 @@ interface(`files_manage_non_security_dirs',`
allow $1 non_security_file_type:dir manage_dir_perms;
')
+########################################
+## <summary>
+## Allow attempts to setattr any directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir { read setattr };
+')
+
########################################
## <summary>
## Create non-security directories.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9997215..554a04d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
## </desc>
gen_tunable(init_mounton_non_security, false)
+## <desc>
+## <p>
+## Enable init create, setattr, mounton on non_security_file_type
+## </p>
+## </desc>
+gen_tunable(init_create_dirs, true)
+
attribute init_mountpoint_type;
attribute init_path_unit_loc_type;
attribute init_script_domain_type;
@@ -625,6 +632,13 @@ ifdef(`init_systemd',`
unconfined_create_keys(init_t)
unconfined_write_keys(init_t)
')
+
+ tunable_policy(`init_create_dirs',`
+ files_create_non_security_dirs(init_t)
+ files_mounton_non_security(init_t)
+ files_setattr_non_security_dirs(init_t)
+ ')
+
',`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
--
2.40.1
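Review bot: The new `files_setattr_non_security_dirs` interface grants `{ read setattr }` while its summary says only setattr, and `gen_tunable(init_create_dirs, true)` turns the whole block on by default, unlike the adjacent `init_mounton_non_security` tunable which defaults to false. Together this gives init_t create, mount-on, read and setattr over every non_security_file_type directory out of the box. Either document in the `<desc>` block why a default of true is acceptable for this image, or default it to false and enable it from the image's boolean configuration; the interface summary should also mention read.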


@ -0,0 +1,25 @@
From 936c142431d96fec0474fa3c5b27e41f5906a3d0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 14 Mar 2023 13:40:23 -0500
Subject: [PATCH] Allow init to setattr on char devices
This is required for local logins to work.
---
refpolicy/policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 554a04d..cd8ed37 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -392,6 +392,7 @@ ifdef(`init_systemd',`
dev_create_urand_dev(init_t)
# systemd writes to /dev/watchdog on shutdown
dev_write_watchdog(init_t)
+ dev_setattr_all_chr_files(init_t)
domain_read_all_domains_state(init_t)
# for starting systemd --user in the right domain:
--
2.40.1
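Review bot: `dev_setattr_all_chr_files(init_t)` grants setattr on every character device type to make local logins work, which is wider than the tty devices a login path actually touches; if a terminal-scoped interface in terminal.if covers the case it would be the narrower fix. The rationale from the commit message belongs as a comment above the line, matching the existing `# systemd writes to /dev/watchdog on shutdown` style, so the next reader knows which denial it addresses.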


@ -0,0 +1,33 @@
From 5595c5c29e6038da5e5a61b1f38c231e2ca4301e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Thu, 23 Mar 2023 09:44:02 -0500
Subject: [PATCH] podman: Allow crun to chown stdio sockets
Podman (actually `crun`) fails to launch containers as systemd units
with this error:
fchown std stream 1: Permission denied
The error is caused by this AVC denial:
AVC avc: denied { setattr } for pid=262 comm="crun" name="UNIX-STREAM" dev="sockfs" ino=9811 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
---
refpolicy/policy/modules/services/podman.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index d929bb2..7649298 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -75,6 +75,8 @@ ifdef(`init_systemd',`
init_start_transient_units(podman_t)
init_stop_transient_units(podman_t)
+ init_rw_stream_sockets(podman_t)
+
# podman can read logs from containers which are
# sent to the system journal
logging_search_logs(podman_t)
--
2.40.1


@ -0,0 +1,28 @@
From d7001620adab1780ae51fc916f8eee824ecd6709 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Thu, 23 Mar 2023 10:45:11 -0500
Subject: [PATCH] systemd: Allow quadlet to read container configs
---
refpolicy/policy/modules/system/systemd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
index 9013931..54868ea 100644
--- a/refpolicy/policy/modules/system/systemd.te
+++ b/refpolicy/policy/modules/system/systemd.te
@@ -582,6 +582,11 @@ optional_policy(`
zfs_read_config(systemd_generator_t)
')
+optional_policy(`
+ # needed by podman-system-generator
+ container_read_config(systemd_generator_t)
+')
+
#######################################
#
# systemd-homed policy
--
2.40.1


@ -0,0 +1,24 @@
From 04e3b1f3f91ad10b5fc69b59bba0e24f360905fa Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 14:56:02 -0500
Subject: [PATCH] podman: Allow podman to use fd inherited from init
---
refpolicy/policy/modules/services/podman.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index 7649298..e622f25 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -76,6 +76,7 @@ ifdef(`init_systemd',`
init_stop_transient_units(podman_t)
init_rw_stream_sockets(podman_t)
+ init_use_fds(podman_t)
# podman can read logs from containers which are
# sent to the system journal
--
2.40.1


@ -0,0 +1,28 @@
From c59490d5823a17de62697cce367fbbb99156f424 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 14:59:28 -0500
Subject: [PATCH] Allow podman to validate security contexts
Addresses this AVC denial:
avc: denied { write } for pid=244 comm="podman" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
---
refpolicy/policy/modules/services/podman.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index e622f25..243880f 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -64,6 +64,8 @@ container_manage_sock_files(podman_t)
podman_spec_rangetrans_conmon(podman_t, s0)
+selinux_validate_context(podman_t)
+
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
--
2.40.1


@ -0,0 +1,38 @@
From 6d997d50fe41abc68b8828cac4fa7ce1d7bbd2f1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 15:03:40 -0500
Subject: [PATCH] podman: Allow conmon to signal containers
Addresses these AVC denials:
avc: denied { kill } for pid=274 comm="conmon" capability=5 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:podman_conmon_t:s0 tclass=capability permissive=0
avc: denied { signal } for pid=278 comm="conmon" scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c333 tclass=process permissive=0
---
refpolicy/policy/modules/services/podman.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index 243880f..0d64e19 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -196,7 +196,7 @@ ifdef(`init_systemd',`
# podman conmon local policy
#
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
dontaudit podman_conmon_t self:capability net_admin;
podman_domtrans(podman_conmon_t)
@@ -219,6 +219,8 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
container_manage_engine_tmp_files(podman_conmon_t)
container_manage_engine_tmp_sock_files(podman_conmon_t)
+container_signal_all_containers(podman_conmon_t)
+
ifdef(`init_systemd',`
init_get_transient_units_status(podman_conmon_t)
init_start_transient_units(podman_conmon_t)
--
2.40.1


@ -0,0 +1 @@
selinux-base


@ -0,0 +1 @@
selinux-base


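--- a/post-build.sh
+++ b/post-build.sh
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+if [ -f "${CONFIGDIR}"/post-build.sh ]; then
+. "${CONFIGDIR}"/post-build.sh
+fi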

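--- a/prepare.sh
+++ b/prepare.sh
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
+# Ensure we have a Portage repo
+if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then
+emerge-webrsync
+fi
+chown portage: "$(portageq envvar DISTDIR)"
+ARCH=$(PORTAGE_CONFIGROOT=/usr/${target} portageq envvar ARCH)
+PKGDIR=$(portageq envvar PKGDIR)
+FEATURES="${FEATURES} binpkg-multi-instance"
+# For some reason, libcap installs its pkg-config files in the wrong
+# place. More strangely, even though `PKG_CONFIG_PATH` contains that
+# directory, `pkg-config` does not find the `.pc` files for libcap.
+# We work around this by merging /usr/lib64/pkgconfig and
+# /usr/lib/pkgconfig.
+FEATURES="${FEATURES}" \
+PKGDIR="${PKGDIR}" \
+${target}-emerge -kb1vnj sys-libs/libcap
+if [ -d /usr/${target}/usr/lib/pkgconfig ] \
+&& [ ! -d /usr/${target}/usr/lib64/pkgconfig ]; then
+mv /usr/${target}/usr/lib/pkgconfig /usr/${target}/usr/lib64
+ln -snf ../lib64/pkgconfig /usr/${target}/usr/lib/pkgconfig
+fi
+if [ ! -f portage/make.conf/10-crossdev.conf ]; then
+mkdir -p "${O}"/portage/etc/portage/make.conf
+sed -r \
+-e 's: ?-pam::' \
+-e '/PKGDIR=/d' \
+-e '/ACCEPT_KEYWORDS/d' \
+/usr/${target}/etc/portage/make.conf \
+> "${O}"/portage/etc/portage/make.conf/10-crossdev.conf
+fi
+FEATURES="${FEATURES} -preserve-libs -protect-owned" \
+PKGDIR="${PKGDIR}" \
+${target}-emerge -bk1nvj sys-libs/glibc
+FEATURES="${FEATURES}" \
+PKGDIR=$(portageq envvar PKGDIR) \
+USE='pam build' \
+${target}-emerge -bknvj sys-apps/util-linux
+# Set the Portage profile
+mkdir -p "${O}"/portage/etc/portage
+ln -snf \
+/var/db/repos/gentoo/profiles/${profile} \
+${O}/portage/etc/portage/make.profile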
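Review bot: `ARCH` is assigned from portageq right after the `chown` line but never read anywhere in the visible script, so it is either dead or meant to be exported for consumers that reference `${ARCH}`; `export ARCH` or deleting the line would make the intent clear. The `[ ! -f portage/make.conf/10-crossdev.conf ]` test checks the source tree while the generated file is written under `"${O}"/portage/etc/portage/make.conf`, which is presumably deliberate (skip generation when the config tree ships its own) and deserves a comment. `${O}` is quoted on every use except the final `ln -snf` target.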

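--- a/rebuild-pkg.sh
+++ b/rebuild-pkg.sh
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+set -e
+. "${CONFIGDIR:=${PWD}}"/config
+unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
+export PORTAGE_CONFIGROOT="${O}"/portage
+${target}-emerge -bkv1j --usepkg-exclude="$*" "$@"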


@ -0,0 +1,2 @@
masters = gentoo
thin-manifests = true


@ -0,0 +1 @@
aimee-os


@ -0,0 +1,2 @@
DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6


@ -0,0 +1,8 @@
/usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
/usr/bin/set-root-password -- gen_context(system_u:object_r:aimee_set_root_password_exec_t,s0)
/usr/libexec/factory-reset -- gen_context(system_u:object_r:aimee_factory_reset_exec_t,s0)
/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
/var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
/var/lib/ssh/.*_key.* -- gen_context(system_u:object_r:sshd_key_t,s0)
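Review bot: `/var/run/storinit(/.*)?` uses the legacy path; refpolicy ships path substitutions that rewrite `/var/run` to `/run` before a file context is matched, so a spec written under `/var/run` may never match and a relabel would leave the directory at the generic runtime type — `/run/storinit(/.*)?` is the safe form, worth verifying against the installed subs file. The `files_runtime_filetrans` rule in the .te covers creation, so this only affects restorecon-style relabels.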


@ -0,0 +1,135 @@
## <summary>Policy for Aimee OS utilities.</summary>
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_system_update_domtrans',`
gen_require(`
type aimee_sysupdate_t, aimee_sysupdate_exec_t;
')
domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
')
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain, and allow the specified role the
## aimee_sysupdate_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_system_update',`
gen_require(`
type aimee_sysupdate_t;
')
aimee_os_system_update_domtrans($1)
role $2 types aimee_sysupdate_t;
')
########################################
## <summary>
## Execute set-root-password in the
## aimee_set_root_password_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_set_root_password_domtrans',`
gen_require(`
type aimee_set_root_password_t, aimee_set_root_password_exec_t;
')
domtrans_pattern($1, aimee_set_root_password_exec_t, aimee_set_root_password_t)
')
########################################
## <summary>
## Execute set-root-password in the
## aimee_set_root_password_t domain, and
## allow the specified role the
## aimee_set_root_password_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_set_root_password',`
gen_require(`
type aimee_set_root_password_t;
')
aimee_os_set_root_password_domtrans($1)
role $2 types aimee_set_root_password_t;
mount_run(aimee_set_root_password_t, $2)
')
########################################
## <summary>
## Execute set-root-password in the caller
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aimee_os_set_root_password_exec',`
gen_require(`
type aimee_set_root_password_exec_t;
')
corecmd_search_bin($1)
can_exec($1, aimee_set_root_password_exec_t)
')
########################################
## <summary>
## Create, read, write, and delete temporary
## files used by Aimee OS set-root-password.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aimee_os_manage_set_root_password_tmp_files',`
gen_require(`
type aimee_set_root_password_tmp_t;
')
manage_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
read_lnk_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
')
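Review bot: `aimee_os_run_set_root_password` also calls `mount_run(aimee_set_root_password_t, $2)`, so an interface whose summary promises a domain transition plus a role grant additionally gives the target domain a transition into mount_t; that side effect belongs in the `<summary>` or in the .te rather than hidden inside a `_run` interface. `aimee_os_manage_set_root_password_tmp_files` hands out manage rights on a tmp type that, if it is the directory set-root-password stages /etc/shadow into (as the script excerpt at the top of this page suggests), contains password hashes while the tool runs; its summary should state that callers gain read access to that copy.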


@ -0,0 +1,271 @@
policy_module(aimee-os, 1.0)
########################################
#
# Declarations
#
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)
type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
type aimee_set_root_password_t;
type aimee_set_root_password_exec_t;
userdom_user_application_domain(aimee_set_root_password_t, aimee_set_root_password_exec_t)
type aimee_set_root_password_tmp_t;
files_tmp_file(aimee_set_root_password_tmp_t)
########################################
#
# init-storage local policy
#
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
allow aimee_storinit_t self:capability { dac_read_search dac_override chown fowner fsetid sys_admin };
allow aimee_storinit_t self:process { setfscreate };
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
corecmd_exec_bin(aimee_storinit_t)
files_read_etc_files(aimee_storinit_t)
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
gen_require(`
type mount_runtime_t;
')
dontaudit aimee_storinit_t mount_runtime_t:dir write;
seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)
kernel_manage_unlabeled_dirs(aimee_storinit_t)
files_manage_non_security_dirs(aimee_storinit_t)
files_relabel_non_security_dirs(aimee_storinit_t)
files_manage_non_security_files(aimee_storinit_t)
files_relabel_non_security_files(aimee_storinit_t)
logging_manage_audit_log(aimee_storinit_t)
gen_require(`
attribute non_security_file_type;
')
manage_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
relabel_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t)
gen_require(`
type shadow_t;
attribute configfile;
')
allow aimee_storinit_t shadow_t:file mounton;
allow aimee_storinit_t configfile:{file dir} mounton;
########################################
#
# system-update local policy
#
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)
# factory-reset local policy
#
allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
files_read_etc_files(aimee_factory_reset_t)
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
storage_raw_rw_fixed_disk(aimee_factory_reset_t)
########################################
#
# set-root-password local policy
#
gen_require(`
class passwd { passwd };
')
allow aimee_set_root_password_t self:capability { sys_admin };
allow aimee_set_root_password_t self:fifo_file rw_fifo_file_perms;
allow aimee_set_root_password_t self:process setfscreate;
allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };
allow aimee_set_root_password_t self:passwd passwd;
files_tmp_filetrans(aimee_set_root_password_t, aimee_set_root_password_tmp_t, dir)
manage_dirs_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
manage_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
relabel_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
domain_use_interactive_fds(aimee_set_root_password_t)
userdom_use_inherited_user_terminals(aimee_set_root_password_t)
userdom_search_user_home_dirs(aimee_set_root_password_t)
corecmd_exec_bin(aimee_set_root_password_t)
selinux_get_fs_mount(aimee_set_root_password_t)
seutil_read_config(aimee_set_root_password_t)
miscfiles_read_localization(aimee_set_root_password_t)
files_mounton_root(aimee_set_root_password_t)
aimee_os_set_root_password_exec(aimee_set_root_password_t)
mount_list_runtime(aimee_set_root_password_t)
fs_getattr_all_fs(aimee_set_root_password_t)
fs_mount_all_fs(aimee_set_root_password_t)
fs_unmount_all_fs(aimee_set_root_password_t)
files_read_var_lib_files(aimee_set_root_password_t)
files_manage_etc_files(aimee_set_root_password_t)
files_relabel_etc_files(aimee_set_root_password_t)
files_manage_etc_dirs(aimee_set_root_password_t)
auth_manage_shadow(aimee_set_root_password_t)
auth_relabel_shadow(aimee_set_root_password_t)
files_mounton_etc_dirs(aimee_set_root_password_t)
usermanage_domtrans_passwd(aimee_set_root_password_t)
dev_read_sysfs(aimee_set_root_password_t)
aimee_os_manage_set_root_password_tmp_files(aimee_set_root_password_t)
gen_require(`
type mount_t;
type passwd_t;
')
allow aimee_set_root_password_t aimee_set_root_password_tmp_t:dir mounton;
allow mount_t aimee_set_root_password_tmp_t:dir mounton;
aimee_os_manage_set_root_password_tmp_files(passwd_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_set_root_password(sysadm_t, sysadm_r)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#
# Allow ssh-keygen to create host key files in /var/lib/ssh
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
# Allow login to execute /bin/busybox (via /bin/sh symlink)
gen_require(`
type local_login_t;
')
corecmd_exec_bin(local_login_t)
# Allow root to log in on the serial console
gen_require(`
type sysadm_t;
')
init_use_fds(sysadm_t)
# Allow podman to relabel any file (to container_file_t)
optional_policy(`
gen_require(`
type podman_t;
')
files_relabel_non_security_dirs(podman_t)
files_relabel_non_security_files(podman_t)
')
# Allow podman to mount /dev/log in containers
optional_policy(`
gen_require(`
type podman_t, container_t;
type devlog_t;
')
allow podman_t devlog_t:sock_file mounton;
logging_send_syslog_msg(container_t)
')
# Allow podman to mount tty devices in containers
optional_policy(`
gen_require(`
type container_t, kernel_t;
type tty_device_t;
')
term_use_unallocated_ttys(container_t)
container_mountpoint(tty_device_t)
dev_rw_generic_usb_dev(kernel_t)
dev_setattr_generic_usb_dev(kernel_t)
')


@ -0,0 +1,14 @@
# Copyright 2023 Dustin C. Hatch
# Distributed under the terms of the GNU General Public License v2
EAPI=7
IUSE=""
MODS="aimee-os"
POLICY_FILES="aimee-os.te aimee-os.fc aimee-os.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for AimeeOS"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
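Review bot: `IUSE=""` on the fourth line of the ebuild is a no-op — IUSE is empty unless set, so the line only adds noise and can be dropped. A one-line header comment naming what the module confines would also help readers locate it in the tree, for example `# SELinux module confining aimee_sysupdate_t, aimee_factory_reset_t and aimee_set_root_password_t` (the domains the policy source on this page defines). The hunk header counts 14 added lines but only nine are rendered here, so blank lines appear to have been dropped in this view rather than from the file.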


@ -0,0 +1,11 @@
AUX 0001-drivers-bcm283x-don-t-explicitly-disable-init.patch 1684 BLAKE2B 801bf1c6b0b5e678d2e23689edb6612af3b2acd89f21b926a36f98ca600083603b8ee53c7ad8f11dc706db67819437910ce7ba9d7406c5763b25c88cd620a338 SHA512 f39fe500ca17dfd7f32d0eb986cfd110b225edcf01c6d235a2af1d9d5fcb8c1922a5db89dc683bb1e259bd9675beecc07948543c5ab98d1ee6e5d7693b86060a
AUX 0001-rpi-Use-CONFIG_OF_BOARD-instead-of-CONFIG_EMBED.patch 2621 BLAKE2B ac8792433c3ebde967b083d12855faa21ed4fca5a0095bd38c4b597714430f77bfa81b70b8e26535fcf64650590d60510de5c4e18760d56d1ecb9ab692a44ac8 SHA512 18340a67637873179317a16a565c5b34490bd4dbf6dabac7c2ee5947349977fed6dd71253af55233c3e2912ddec6a15e17a29440b0e009b267c93deb28bc7713
AUX 0002-drivers-bcm283x-allow-to-spawn-any-PL011-UART.patch 2228 BLAKE2B efb42405ecc011973d5f8417bb7a82618d1d24917f0bd246d908ac8abd0bee6ed062ff2d77caa485cdbc02959de5c1cc7ca1943055708a8f6ab8ff34751e1aa1 SHA512 283ec38a092c370306037324a67b40141398e6102ba04b64304f2998870e0f1aa86891894c749789eb59454b8972d094771b5a8ca7ae3747760de246812c5c2c
AUX 0002-rpi-add-NVMe-to-boot-order.patch 1290 BLAKE2B a5e911e07b7b6723845d004bd5513db9cfebe73b7de2c7e4073d0725f6e3159b7b72381f859e357abf4f28421609fb18ad8fcc669d3b94db124771a36df51497 SHA512 f3d8351235b74f234aed5893523b36a355c1afcb92ee0f481c552c83c418856e450b6cf2c7c7ad4ab40fe41d0561f0e283da403b5245e76649f1fa996f88b6fa
AUX 0003-Revert-nvme-Correct-the-prps-per-page-calculation-me.patch 1610 BLAKE2B 1a5530178fef080472e1355adf6eccc92e6ced11aba0fc3f2042f16bf7a8b0a1cdb236723b93c95d30431cef03a595258355a0d20489f9533f47e0c541d0f232 SHA512 bda4d59519caa41dd7133d39740a39ce8d01197e16738b8af4ebc8fea096a3f73f88a11763a2a7938ed181819a0f7c442d1d14211f1d8cee9ecdb2c5f6eeb4f9
AUX 0004-usb-xhci-brcm-Make-driver-compatible-with-downstream.patch 1172 BLAKE2B 98589d6c4062e6cdc17522cd98d8c5ddcd0bdb953b0dc5a8c997f960da397a6174ab748afda5f64cfc2ad4c6ffeb65e76f9e346b2ae0a2466593968f06f32857 SHA512 1b92eabeb731f4c7ae8b2401942994b0515a673f4583a4333deb5ebac0981ac34c744c68e195dbad7a7cd92d6efe1a180446509cf3fe72ad443b094c5e74ed8e
AUX 0005-nvme-improve-readability-of-nvme_setup_prps.patch 1757 BLAKE2B 152cb9ea9662f7271b7cf3226825e825cc0d6420ed2ef77b7a8186b25b5eccf92edac32823d1f79afea3307269897c68d3899fd9b018cf11109c2739af7fccc3 SHA512 2192379f650ce1b43be1df43c06ae031f7bdbaeeecab1a195ca0f254d9e00bb7ed03256b90a5e5edc80c37bca449d0648a3a90d2d73faaec0561465f728e2b59
AUX 0006-nvme-Use-pointer-for-CPU-addressed-buffers.patch 9077 BLAKE2B b28afb568d791bed8c93f222b62677d87629d803747bb52cba74fff50752aaa4522b0fcdece58148d9da77a7da6a547dc4d47cfc9ae5fe7de0fbe6d7a0a9a497 SHA512 a84424877cc858b7596fe4f263a48e94fca7075c2c9a10d28fe1e569ca4e893af2ba3536c26d93ce15d8792d27a6c8779ef9669730414e6cc0de7af672dd31c2
AUX 0007-nvme-translate-virtual-addresses-into-the-bus-s-addr.patch 6480 BLAKE2B 6d7fec7096bf239f08a5e7e7ac5f8c58dcd72829b37d2f3e8b2e96c173a43449f538148cece64c5f48da68826eeec0c1db7a8ac6cc254a853a3cdf04d7431b95 SHA512 fecba2572d5f1dd7e941efdecb935a734ef1385af9b9300d84decd9bf91c4387b500fa08f655af62d33d085907353972f613ec97b3dd96ed18cac4811d5210a1
DIST u-boot-2023.01.tar.bz2 18560442 BLAKE2B 9412da6c7c8da8be64e470347d150ea2ba9a33b84f463c8ff3109e3db6c2dbcf13c8ab2e02bf3a2c412ff57c91987da922e4dde6a26e317e7b9e65101f7a6d62 SHA512 417a28267eb7875820d08fafc7316f164663609378637539e71648b0b9b7d28796b6c381717f31b0ab6472805fefd32628ef7d1b2e7b9f3c51c8ad122993f679
EBUILD u-boot-2023.01.ebuild 1762 BLAKE2B c0fba3aec8bfd26da6d32014bb38a2e5e8235f8ded6a7681f6cc1f5557b5437b5da6366740141465265b174832f38b6e669bd0bf956d241652acf69076596a71 SHA512 fa2b82ab1ea4fdc71ad9a5022433da137aad1722e02f18d7be0ff67d7130570a2783e4cac0f1fc1851537325750b9584d48ee4d99f01908a179fb58c0eb0724f
