min
/
shimboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: min:f647a9f73399b252081b8a6a9962f48de84e3fc4
Branches Tags
min:main
...
compare: min:033d6b6a7db31737849a029db59a6a79a349de3f
Branches Tags
min:main

10 Commits
f647a9f733 ... 033d6b6a7d

Author SHA1 Message Date
minish 033d6b6a7d
add binwalk 2024-08-05 21:25:55 -04:00
minish 8b44ba1b0c
add nix flake 2024-08-05 21:25:00 -04:00
ading2210 3f213fc4ca run binwalk without --run-as if needed 2024-07-12 14:11:55 -07:00
ading2210 91486b067f fix chrome os unenrolled persistence 2024-06-20 22:37:05 -07:00
ading2210 645e03cfd8 add feature to spoof an invalid hwid automatically 2024-06-18 00:01:47 -07:00
ading2210 291f616b6b highlight status messages in the build scripts 2024-06-17 17:36:26 -07:00
ading2210 e76d04244f allow building unstable image in build_complete.sh and remove rsync usage 2024-06-13 23:07:20 -07:00
Darkn 12b29ef8b2
add jacuzzi & corsola + sideways chart (#36) 
* chore(demo2): update resolution

same resolution as demo1

* chore(readme): update image URLs and text

* update(readme): add jacuzzi

* chore(readme): actually align jacuzzi in chart

* update(readme): add corsola

* update(readme): sideways compatibility table

* chore(readme): swap brand / feature

* chore(readme): switch brand / feature around again..

* chore(readme): shorten top left

* chore(readme): shorten features

* chore(readme): more shortening

* chore(readme): brand to board
 2024-06-13 21:34:20 -07:00
Darkn 71cff4ca1a
improve readme pictures SLIGHTLY (#34) 
* chore(demo2): update resolution

same resolution as demo1

* chore(readme): update image URLs and text
 2024-06-13 18:19:36 -07:00
ading2210 73ff47a6b7 autodetect arm64 in the build script 2024-06-13 18:02:10 -07:00
17 changed files with 251 additions and 90 deletions
Show Stats Expand all files Collapse all files

4
.envrc Normal file
View File

@ -0,0 +1,4 @@
if ! has nix_direnv_version || ! nix_direnv_version 3.0.5; then
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.5/direnvrc" "sha256-RuwIS+QKFj/T9M2TFXScjBsLR6V3A17YVoEW/Q6AZ1w="
fi
use flake

2
.github/workflows/build-image.yaml vendored
View File

@ -9,7 +9,7 @@ jobs:
strategy:
matrix:
board: [dedede, octopus, coral, grunt, nissa, zork]
board: [dedede, octopus, coral, grunt, nissa, zork, corsola, jacuzzi]
runs-on: ubuntu-latest
steps:

44
README.md
View File

@ -2,6 +2,10 @@
Shimboot is a collection of scripts for patching a Chrome OS RMA shim to serve as a bootloader for a standard Linux distribution. It allows you to boot a full desktop Debian install on a Chromebook, without needing to unenroll it or modify the firmware.
| <img src="/website/assets/shimboot_demo_1.jpg" alt="Shimboot (KDE) on an HP Chromebook 11 G9 EE." width="400"/> | <img src="/website/assets/shimboot_demo_2.jpg" alt="Shimboot (XFCE) on an Acer Chromebook 311 C722." width="400"/> |
| ----- | ----- |
| Shimboot (KDE) on an HP Chromebook 11 G9 EE | Shimboot (XFCE) on an Acer Chromebook 311 C722 |
## Features:
- Run a full Debian installation on a Chromebook
- Does not modify the firmware
@ -34,16 +38,17 @@ Note that rootfs partitions have to be named `shimboot_rootfs:<partname>` for th
Driver support depends on the device you are using shimboot on. The `patch_rootfs.sh` script attempts to copy all the firmware and drivers from the shim and recovery image into the rootfs, so expect most things to work on other boards. ARM Chromebooks are not supported at the moment.
### Device Compatibility Table:
| Feature \ Board Name | [`dedede`](https://chrome100.dev/board/dedede/) | [`octopus`](https://chrome100.dev/board/octopus/) | [`nissa`](https://chrome100.dev/board/nissa/) | [`reks`](https://chrome100.dev/board/reks/) | [`kefka`](https://chrome100.dev/board/kefka) | [`zork`](https://chrome100.dev/board/zork) | [`grunt`](https://chrome100.dev/board/grunt) |
|----------------------|-------------------------------------------------|---------------------------------------------------|-----------------------------------------------|---------------------------------------------|----------------------------------------------|--------------------------------------------|----------------------------------------------|
| X11 | yes | yes | yes | no <sup>[1]</sup> | no <sup>[1]</sup> | yes | yes |
| Wifi | yes | yes | yes | yes | yes | yes | yes |
| Internal Audio | no | yes | no | untested | yes | no | no |
| Backlight | yes | yes | yes | untested | yes | untested | yes |
| Touchscreen | yes | yes | yes | untested | untested | yes | yes |
| 3D Acceleration | yes | yes | yes | no | no | yes | yes |
| Bluetooth | yes | yes | yes | untested | untested | yes | yes |
| Webcam | yes | yes | yes | untested | untested | yes | yes |
| Board Name | X11 | Wifi | Speakers | Backlight | Touchscreen | 3D Accel | Bluetooth | Webcam |
|------------------------------------------------ |-------------------|------|----------|-----------|-------------|----------|-----------|----------|
| [`dedede`](https://chrome100.dev/board/dedede) | yes | yes | no | yes | yes | yes | yes | yes |
| [`octopus`](https://chrome100.dev/board/octopus) | yes | yes | yes | yes | yes | yes | yes | yes |
| [`nissa`](https://chrome100.dev/board/nissa) | yes | yes | no | yes | yes | yes | yes | yes |
| [`reks`](https://chrome100.dev/board/reks) | no<sup>[1]</sup> | yes | untested | untested | untested | no | untested | untested |
| [`kefka`](https://chrome100.dev/board/kefka) | no<sup>[1]</sup> | yes | yes | yes | untested | no | untested | untested |
| [`zork`](https://chrome100.dev/board/zork) | yes | yes | no | untested | yes | yes | yes | yes |
| [`grunt`](https://chrome100.dev/board/grunt) | yes | yes | no | yes | yes | yes | yes | yes |
| [`jacuzzi`](https://chrome100.dev/board/jacuzzi) | yes | yes | no | yes | untested | no | no | yes |
| [`corsola`](https://chrome100.dev/board/corsola) | yes | yes | untested | untested | untested | untested | untested | untested |
<sup>1. The kernel is too old.</sup>
@ -62,7 +67,6 @@ On all devices, the following features will not work:
- Transparent disk compression
- Full disk encryption
- Support for more distros (Ubuntu and Arch maybe)
- Support for ARM based Chromebooks (see [issue #8](https://github.com/ading2210/shimboot/issues/8))
- Eliminate binwalk dependency
- Get audio to work on dedede
- Get kexec working
@ -76,14 +80,17 @@ PRs and contributions are welcome to help implement these features.
- WSL2 is supported if you are on Windows
- Github Codespaces is not supported at the moment
- A USB drive that is at least 8GB in size
- Cheap USB 2.0 drives typically won't work well due to their slow speeds
- At least 20GB of free disk space
### Build Instructions:
1. Find the board name of your Chromebook. You can search for the model name on [chrome100.dev](https://chrome100.dev/).
1. Clone this repository and cd into it.
2. Run `sudo ./build_complete.sh <board_name>` to download the required data and build the disk image. If you have an ARM-based Chromebook, pass `arch=arm64` in as an option.
2. Clone this repository and cd into it.
3. Run `sudo ./build_complete.sh <board_name>` to download the required data and build the disk image.
Alternatively, you can run each of the steps manually:
Note: If you are building for an ARM Chromebook, you need the `qemu-user-static` and `binfmt-support` packages.
#### Alternatively, you can run each of the steps manually:
1. Grab a Chrome OS RMA Shim from somewhere. Most of them have already been leaked and aren't too difficult to find.
2. Download a Chrome OS [recovery image](https://chromiumdash.appspot.com/serving-builds?deviceCategory=ChromeOS) for your board.
3. Unzip the shim and the recovery image if you have not done so already.
@ -108,10 +115,11 @@ Alternatively, you can run each of the steps manually:
#### I want to use a different Linux distribution. How can I do that?
Using any Linux distro is possible, provided that you apply the [proper patches](https://github.com/ading2210/chromeos-systemd) to systemd and recompile it. Most distros have some sort of bootstrapping tool that allows you to install it to a directory on your host PC. Then, you can just pass that rootfs directory into `patch_rootfs.sh` and `build.sh`.
Debian Sid (the rolling release version of Debian) is also supported if you just want newer packages, and you can install it by passing an argument to `build_rootfs.sh`:
Debian Sid (the rolling release version of Debian) is also supported if you just want newer packages, and you can install it by passing an argument to `build_complete.sh`:
```bash
sudo ./build_rootfs.sh data/rootfs unstable
sudo ./build_complete.sh dedede release=unstable
```
#### How can I install a desktop environment other than XFCE?
You can pass the `desktop` argument to the `build_complete.sh` script, like this:
```bash
@ -133,12 +141,14 @@ sudo resize2fs /dev/mmcblk1p4
#### GPU acceleration isn't working, how can I fix this?
If your kernel version is too old, the standard Mesa drivers will fail to load. Instead, you must download and install the `mesa-amber` drivers. Run the following commands:
```
```bash
sudo apt install libglx-amber0 libegl-amber0
echo "MESA_LOADER_DRIVER_OVERRIDE=i965" | sudo tee -a /etc/environment
```
You may need to change `i965` to `i915` (or `r100`/`r200` for AMD hardware), depending on what GPU you have.
For ARM Chromebooks, you may have to tweak the [Xorg configuration](https://xkcd.com/963/) instead.
#### Can the rootfs be compressed to save space?
Compressing the Debian rootfs with a squashfs is supported, and you can do this by running the regular Debian rootfs through `./build_squashfs.sh`. For example:
```bash

53
bootloader/bin/bootstrap.sh
View File

@ -94,7 +94,7 @@ move_mounts() {
print_license() {
cat << EOF
Shimboot v1.0.2
Shimboot v1.1.1
ading2210/shimboot: Boot desktop Linux from a Chrome OS RMA shim.
Copyright (C) 2023 ading2210
@ -184,18 +184,6 @@ get_selection() {
return 1
}
contains_word() {
local substr="$1"
local str="$2"
for word in $str; do
if [ "$word" = "$substr" ]; then
return 0
fi
done
return 1
}
copy_progress() {
local source="$1"
local destination="$2"
@ -223,6 +211,24 @@ print_donor_selector() {
done
}
yes_no_prompt() {
local prompt="$1"
local var_name="$2"
while true; do
read -p "$prompt" temp_result
if [ "$temp_result" = "y" ] || [ "$temp_result" = "n" ]; then
#the busybox shell has no other way to declare a variable from a string
#the declare command and printf -v are both bashisms
eval "$var_name='$temp_result'"
return 0
else
echo "invalid selection"
fi
done
}
get_donor_selection() {
local rootfs_partitions="$1"
local target="$2"
@ -240,16 +246,9 @@ get_donor_selection() {
if [ "$selection" = "$i" ]; then
echo "selected $part_path as the donor partition"
read -p "would you like to spoof verified mode? this is useful if you're planning on using chrome os while enrolled. (y/n): " use_crossystem
if [ "$use_crossystem" = "y" ] || [ "$use_crossystem" = "n" ]; then
boot_chromeos $target $part_path $use_crossystem
return 0
else
echo "invalid selection"
sleep 1
return 1
fi
yes_no_prompt "would you like to spoof verified mode? this is useful if you're planning on using chrome os while enrolled. (y/n): " use_crossystem
yes_no_prompt "would you like to spoof an invalid hwid? this will forcibly prevent the device from being enrolled. (y/n): " invalid_hwid
boot_chromeos $target $part_path $use_crossystem $invalid_hwid
fi
i=$((i+1))
@ -278,6 +277,7 @@ boot_chromeos() {
local target="$1"
local donor="$2"
local use_crossystem="$3"
local invalid_hwid="$4"
echo "mounting target"
mkdir /newroot
@ -314,10 +314,17 @@ boot_chromeos() {
echo "patching chrome os rootfs"
cat /newroot/etc/ui_use_flags.txt | sed "/reven_branding/d" | sed "/os_install_service/d" > /newroot/tmp/ui_use_flags.txt
mount -o bind /newroot/tmp/ui_use_flags.txt /newroot/etc/ui_use_flags.txt
cp /opt/mount-encrypted /newroot/tmp/mount-encrypted
cp /newroot/usr/sbin/mount-encrypted /newroot/tmp/mount-encrypted.real
mount -o bind /newroot/tmp/mount-encrypted /newroot/usr/sbin/mount-encrypted
if [ "$use_crossystem" = "y" ]; then
echo "patching crossystem"
cp /opt/crossystem /newroot/tmp/crossystem
if [ "$invalid_hwid" = "y" ]; then
sed -i 's/block_devmode/hwid/' /newroot/tmp/crossystem
fi
cp /newroot/usr/bin/crossystem /newroot/tmp/crossystem_old
mount -o bind /newroot/tmp/crossystem /newroot/usr/bin/crossystem
fi

5
bootloader/opt/mount-encrypted Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
#this fixes chrome os persistence by adding the "--unsafe" flag to all invocations of mount-encrypted
/tmp/mount-encrypted.real "$@" --unsafe 2>&1 | tee -a /tmp/mount-encrypted.log

18
build.sh
View File

@ -14,7 +14,7 @@ print_help() {
}
assert_root
assert_deps "cpio binwalk pcregrep realpath cgpt mkfs.ext4 mkfs.ext2 fdisk rsync lz4"
assert_deps "cpio binwalk pcregrep realpath cgpt mkfs.ext4 mkfs.ext2 fdisk lz4"
assert_args "$3"
parse_args "$@"
@ -22,32 +22,32 @@ output_path=$(realpath -m "${1}")
shim_path=$(realpath -m "${2}")
rootfs_dir=$(realpath -m "${3}")
echo "reading the shim image"
print_info "reading the shim image"
initramfs_dir=/tmp/shim_initramfs
kernel_img=/tmp/kernel.img
rm -rf $initramfs_dir $kernel_img
extract_initramfs_full $shim_path $initramfs_dir $kernel_img "${args['arch']}"
echo "patching initramfs"
print_info "patching initramfs"
patch_initramfs $initramfs_dir
echo "creating disk image"
print_info "creating disk image"
rootfs_size=$(du -sm $rootfs_dir | cut -f 1)
rootfs_part_size=$(($rootfs_size * 12 / 10 + 5))
#create a 20mb bootloader partition
#rootfs partition is 20% larger than its contents
create_image $output_path 20 $rootfs_part_size
echo "creating loop device for the image"
print_info "creating loop device for the image"
image_loop=$(create_loop ${output_path})
echo "creating partitions on the disk image"
print_info "creating partitions on the disk image"
create_partitions $image_loop $kernel_img
echo "copying data into the image"
print_info "copying data into the image"
populate_partitions $image_loop $initramfs_dir $rootfs_dir "${args['quiet']}"
rm -rf $initramfs_dir $kernel_img
echo "cleaning up loop devices"
print_info "cleaning up loop devices"
losetup -d $image_loop
echo "done"
print_info "done"

56
build_complete.sh
View File

@ -13,25 +13,43 @@ print_help() {
echo " gnome, xfce, kde, lxde, gnome-flashback, cinnamon, mate, lxqt"
echo " data_dir - The working directory for the scripts. This defaults to ./data"
echo " arch - The CPU architecture to build the shimboot image for. Set this to 'arm64' if you have an ARM Chromebook."
echo " release - Set this to either 'bookworm' or 'unstable' to build for Debian stable/unstable."
}
assert_root
assert_args "$1"
parse_args "$@"
base_dir="$(realpath -m $(dirname "$0"))"
board="$1"
compress_img="${args['compress_img']}"
rootfs_dir="${args['rootfs_dir']}"
quiet="${args['quiet']}"
desktop="${args['desktop']-'xfce'}"
data_dir="${args['data_dir']}"
arch="${args['arch']-'amd64'}"
arch="${args['arch']-amd64}"
release="${args['release']-bookworm}"
needed_deps="wget python3 unzip zip git debootstrap cpio binwalk pcregrep cgpt mkfs.ext4 mkfs.ext2 fdisk rsync depmod findmnt lz4"
arm_boards="
corsola hana jacuzzi kukui strongbad nyan-big kevin bob
veyron-speedy veyron-jerry veyron-minnie scarlet elm
kukui peach-pi peach-pit stumpy daisy-spring
"
if grep -q "$board" <<< "$arm_boards"; then
print_info "automatically detected arm64 device name"
arch="arm64"
fi
needed_deps="wget python3 unzip zip git debootstrap cpio binwalk pcregrep cgpt mkfs.ext4 mkfs.ext2 fdisk depmod findmnt lz4 pv"
if [ "$(check_deps "$needed_deps")" ]; then
#install deps automatically on debian and ubuntu
if [ -f "/etc/debian_version" ]; then
echo "attempting to install build deps"
apt-get install wget python3-all unzip zip debootstrap cpio binwalk pcregrep cgpt rsync kmod pv -y
print_title "attempting to install build deps"
apt-get install wget python3-all unzip zip debootstrap cpio binwalk pcregrep cgpt kmod pv lz4 -y
if [ "$arch" = "arm64" ]; then
apt-get install qemu-user-static binfmt-support -y
fi
fi
assert_deps "$needed_deps"
fi
@ -45,8 +63,6 @@ sigint_handler() {
}
trap sigint_handler SIGINT
base_dir="$(realpath -m $(dirname "$0"))"
board="$1"
shim_url="https://dl.darkn.bio/api/raw/?path=/SH1mmer/$board.zip"
boards_url="https://chromiumdash.appspot.com/cros/fetch_serving_builds?deviceCategory=ChromeOS"
@ -56,7 +72,7 @@ else
data_dir="$(realpath -m "$data_dir")"
fi
echo "downloading list of recovery images"
print_title "downloading list of recovery images"
reco_url="$(wget -qO- --show-progress $boards_url | python3 -c '
import json, sys
@ -71,7 +87,7 @@ if "models" in board:
reco_url = list(board["pushRecoveries"].values())[-1]
print(reco_url)
' $board)"
echo "found url: $reco_url"
print_info "found url: $reco_url"
shim_bin="$data_dir/shim_$board.bin"
shim_zip="$data_dir/shim_$board.zip"
@ -93,7 +109,7 @@ download_and_unzip() {
if [ ! -f "$bin_path" ]; then
cleanup_path="$bin_path"
echo "extracting $zip_path"
print_info "extracting $zip_path"
local total_bytes="$(unzip -lq $zip_path | tail -1 | xargs | cut -d' ' -f1)"
if [ ! "$quiet" ]; then
unzip -p $zip_path | pv -s $total_bytes > $bin_path
@ -112,10 +128,10 @@ retry_cmd() {
done
}
echo "downloading recovery image"
print_title "downloading recovery image"
download_and_unzip $reco_url $reco_zip $reco_bin
echo "downloading shim image"
print_title "downloading shim image"
download_and_unzip $shim_url $shim_zip $shim_bin
if [ ! "$rootfs_dir" ]; then
@ -127,8 +143,8 @@ if [ ! "$rootfs_dir" ]; then
rm -rf $rootfs_dir
mkdir -p $rootfs_dir
echo "building debian rootfs"
./build_rootfs.sh $rootfs_dir bookworm \
print_title "building debian rootfs"
./build_rootfs.sh $rootfs_dir $release \
custom_packages=$desktop_package \
hostname=shimboot-$board \
username=user \
@ -136,22 +152,22 @@ if [ ! "$rootfs_dir" ]; then
arch=$arch
fi
echo "patching debian rootfs"
print_title "patching debian rootfs"
retry_cmd ./patch_rootfs.sh $shim_bin $reco_bin $rootfs_dir "quiet=$quiet"
echo "building final disk image"
print_title "building final disk image"
final_image="$data_dir/shimboot_$board.bin"
rm -rf $final_image
retry_cmd ./build.sh $final_image $shim_bin $rootfs_dir "quiet=$quiet" "arch=$arch"
echo "build complete! the final disk image is located at $final_image"
print_info "build complete! the final disk image is located at $final_image"
echo "cleaning up"
print_title "cleaning up"
clean_loops
if [ "$compress_img" ]; then
image_zip="$data_dir/shimboot_$board.zip"
echo "compressing disk image into a zip file"
print_title "compressing disk image into a zip file"
zip -j $image_zip $final_image
echo "finished compressing the disk file"
echo "the finished zip file can be found at $image_zip"
print_info "finished compressing the disk file"
print_info "the finished zip file can be found at $image_zip"
fi

2
build_rootfs.sh
View File

@ -31,7 +31,7 @@ parse_args "$@"
rootfs_dir=$(realpath -m "${1}")
release_name="${2}"
packages="${args['custom_packages']-'task-xfce-desktop'}"
arch="${args['arch']-'amd64'}"
arch="${args['arch']-amd64}"
chroot_mounts="proc sys dev run"
mkdir -p $rootfs_dir

10
build_squashfs.sh
View File

@ -50,19 +50,19 @@ root_squashfs="$rootfs_dir/root.squashfs"
modules_squashfs="$rootfs_dir/modules.squashfs"
unionfs_dir="/tmp/unionfs-fuse"
echo "compiling unionfs-fuse"
print_info "compiling unionfs-fuse"
compile_unionfs $unionfs_dir/unionfs $unionfs_dir
echo "reading the shim image"
print_info "reading the shim image"
extract_initramfs_full $shim_path $rootfs_dir
rm -rf $rootfs_dir/init
echo "compressing old rootfs"
print_info "compressing old rootfs"
mksquashfs $old_dir $root_squashfs -noappend -comp gzip
echo "patching new rootfs"
print_info "patching new rootfs"
mv $unionfs_dir/unionfs $rootfs_dir/bin/unionfs
cp -ar squashfs/* $rootfs_dir/
chmod +x $rootfs_dir/bin/*
echo "done"
print_info "done"

26
common.sh
View File

@ -6,6 +6,12 @@ if [ "$DEBUG" ]; then
export DEBUG=1
fi
ANSI_CLEAR='\033[0m'
ANSI_BOLD='\033[1m'
ANSI_RED='\033[1;31m'
ANSI_GREEN='\033[1;32m'
ANSI_BLUE='\033[1;34m'
check_deps() {
local needed_commands="$1"
for command in $needed_commands; do
@ -19,9 +25,9 @@ assert_deps() {
local needed_commands="$1"
local missing_commands=$(check_deps "$needed_commands")
if [ "${missing_commands}" ]; then
echo "You are missing dependencies needed for this script."
echo "Commands needed:"
echo "${missing_commands}"
print_error "You are missing dependencies needed for this script."
print_error "Commands needed:"
print_error "${missing_commands}"
exit 1
fi
}
@ -43,7 +49,7 @@ parse_args() {
assert_root() {
if [ "$EUID" -ne 0 ]; then
echo "this needs to be run as root."
print_error "This script needs to be run as root."
exit 1
fi
}
@ -54,3 +60,15 @@ assert_args() {
exit 1
fi
}
print_title() {
printf ">> ${ANSI_GREEN}${1}${ANSI_CLEAR}\n"
}
print_info() {
printf "${ANSI_BOLD}${1}${ANSI_CLEAR}\n"
}
print_error() {
printf "${ANSI_RED}${1}${ANSI_CLEAR}\n"
}

58
flake.lock Normal file
View File

@ -0,0 +1,58 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1722791413,
"narHash": "sha256-rCTrlCWvHzMCNcKxPE3Z/mMK2gDZ+BvvpEVyRM4tKmU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8b5b6723aca5a51edf075936439d9cd3947b7b2c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

29
flake.nix Normal file
View File

@ -0,0 +1,29 @@
{
description = "k8s land";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
flake-parts.url = "github:hercules-ci/flake-parts";
};
outputs = inputs @ {...}:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
flake = {};
systems = ["x86_64-linux"];
perSystem = {pkgs, system, ...}: {
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
};
devShells.default = pkgs.mkShell {
packages = with pkgs; [
wget zip debootstrap vboot_reference binwalk pv
];
};
};
};
}

14
image_utils.sh
View File

@ -119,9 +119,9 @@ populate_partitions() {
local rootfs_mount=/tmp/new_rootfs
safe_mount "${image_loop}p4" $rootfs_mount
if [ "$quiet" ]; then
rsync --archive --human-readable --hard-links --quiet --sparse $rootfs_dir/ $rootfs_mount/
cp -ar $rootfs_dir/* $rootfs_mount
else
rsync --archive --human-readable --hard-links --info=progress2 --sparse $rootfs_dir/ $rootfs_mount/
copy_progress $rootfs_dir $rootfs_mount
fi
umount $rootfs_mount
}
@ -155,8 +155,14 @@ clean_loops() {
local mountpoints="$(cat /proc/mounts | grep "$loop_device")"
if [ ! "$mountpoints" ]; then
losetup -d $loop_device
else
echo "warning: not removing $loop_device because it is still mounted"
fi
done
}
copy_progress() {
local source="$1"
local destination="$2"
local total_bytes="$(du -sb "$source" | cut -f1)"
mkdir -p "$destination"
tar -cf - -C "${source}" . | pv -f -s $total_bytes | tar -xf - -C "${destination}"
}

2
rootfs/opt/setup_rootfs.sh
View File

@ -39,7 +39,7 @@ apt-get install -y ca-certificates
apt-get update
installed_systemd="$(dpkg-query -W -f='${binary:Package}\n' | grep "systemd")"
apt-get clean
apt-get install --reinstall $installed_systemd
apt-get install -y --reinstall --allow-downgrades $installed_systemd
#enable shimboot services
systemctl enable kill-frecon.service

16
shim_utils.sh
View File

@ -2,6 +2,14 @@
#utilties for reading shim disk images
run_binwalk() {
if binwalk -h | grep -- '--run-as' >/dev/null; then
binwalk "$@" --run-as=root
else
binwalk "$@"
fi
}
#extract the initramfs from a kernel image
extract_initramfs() {
local kernel_bin="$1"
@ -10,13 +18,13 @@ extract_initramfs() {
#extract the compressed kernel image from the partition data
local kernel_file="$(basename $kernel_bin)"
local binwalk_out=$(binwalk --extract $kernel_bin --directory=$working_dir --run-as=root)
local binwalk_out=$(run_binwalk --extract $kernel_bin --directory=$working_dir)
local stage1_file=$(echo $binwalk_out | pcregrep -o1 "\d+\s+0x([0-9A-F]+)\s+gzip compressed data")
local stage1_dir="$working_dir/_$kernel_file.extracted"
local stage1_path="$stage1_dir/$stage1_file"
#extract the initramfs cpio archive from the kernel image
binwalk --extract $stage1_path --directory=$stage1_dir --run-as=root > /dev/null
run_binwalk --extract $stage1_path --directory=$stage1_dir > /dev/null
local stage2_dir="$stage1_dir/_$stage1_file.extracted/"
local cpio_file=$(file $stage2_dir/* | pcregrep -o1 "([0-9A-F]+):\s+ASCII cpio archive")
local cpio_path="$stage2_dir/$cpio_file"
@ -31,7 +39,7 @@ extract_initramfs_arm() {
local output_dir="$3"
#extract the kernel lz4 archive from the partition
local binwalk_out="$(binwalk $kernel_bin --run-as=root)"
local binwalk_out="$(run_binwalk $kernel_bin)"
local lz4_offset="$(echo "$binwalk_out" | pcregrep -o1 "(\d+).+?LZ4 compressed data" | head -n1)"
local lz4_file="$working_dir/kernel.lz4"
local kernel_img="$working_dir/kernel_decompressed.bin"
@ -40,7 +48,7 @@ extract_initramfs_arm() {
#extract the initramfs cpio archive from the kernel image
local extracted_dir="$working_dir/_kernel_decompressed.bin.extracted"
binwalk --extract $kernel_img --directory=$working_dir --run-as=root > /dev/null
run_binwalk --extract $kernel_img --directory=$working_dir > /dev/null
local cpio_file=$(file $extracted_dir/* | pcregrep -o1 "([0-9A-F]+):\s+ASCII cpio archive")
local cpio_path="$extracted_dir/$cpio_file"

BIN
website/assets/shimboot_demo_1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.8 MiB

BIN
website/assets/shimboot_demo_2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 MiB