public
/
airgap
5
0
Fork 1
Code Issues Pull Requests 3 Packages Projects Releases Wiki Activity

Compare commits

base: public:main
Branches Tags
public:main
public:sam/remove-extra-console-shell
public:release/2024.10.x
public:lance/fix-determinism
public:tpm2vm
public:sam/add-user-partition
public:2024.8.1
public:ryansquared/bump-keyfork-v0.2.3
public:lance/add-external-sigs
public:lance/fix-qemu-bios-boot
public:stagex-rewrite
public:release/2024.03.x
public:ryan/update-buildroot
..
compare: public:ryan/update-buildroot
Branches Tags
public:sam/remove-extra-console-shell
public:release/2024.10.x
public:main
public:lance/fix-determinism
public:tpm2vm
public:sam/add-user-partition
public:2024.8.1
public:ryansquared/bump-keyfork-v0.2.3
public:lance/add-external-sigs
public:lance/fix-qemu-bios-boot
public:stagex-rewrite
public:release/2024.03.x
public:ryan/update-buildroot

1 Commits
main ... ryan/updat

Author SHA1 Message Date
Ryan Heywood e1504570e6
update buildroot: first steps, WIP 2024-01-25 03:38:12 -05:00
57 changed files with 11767 additions and 858 deletions
Show Stats Expand all files Collapse all files

1
.gitattributes vendored
View File

@ -1,2 +1 @@
dist/*.iso filter=lfs diff=lfs merge=lfs -text dist/*.iso filter=lfs diff=lfs merge=lfs -text
dist/airgap.iso filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored
View File

@ -1,4 +1,3 @@
cache/ cache/
out/ out/
out*/
.* .*

3
.gitmodules vendored
View File

@ -0,0 +1,3 @@
[submodule "src/toolchain"]
path = src/toolchain
url = https://codeberg.org/distrust/toolchain

236
Containerfile
View File

@ -1,236 +0,0 @@
FROM stagex/alsa-lib:sx2024.09.0@sha256:a41b481187f76c1e9ed4e237977f4892c1507a3b8f8f6736ff3fdd5144bd2afb AS alsa-lib
FROM stagex/bash:sx2024.09.0@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash
FROM stagex/bc:sx2024.09.0@sha256:039cc5ac357a17d6374445fe4eed1dac15cc72f615bd9657c17e2c3904d42b62 AS bc
FROM stagex/busybox:sx2024.09.0@sha256:d34bfa56566aa72d605d6cbdc154de8330cf426cfea1bc4ba8013abcac594395 AS busybox
FROM stagex/ccid:sx2024.09.0@sha256:3225dc4a6a1af5f828854157a6b16eb09a0b0f7ebe9d9ee34030afe3966afad1 AS ccid
FROM stagex/cpio:sx2024.09.0@sha256:abccb58edb5f1f31b3b9c8b61cffa10cd56de3307e337335927b8df4d9112d24 AS cpio
FROM stagex/curl:sx2024.09.0@sha256:8e5705a77a76c92d058e016184dabd0c4fa2f6117021cc5ff55df35f654cb158 AS curl
FROM stagex/dtc:sx2024.09.0@sha256:57f8aaa94059c43081b32fccb473ebd2c0cf16878dcf0e24e0e56c910467e93a AS dtc
FROM stagex/eudev:sx2024.09.0@sha256:7da7aed7ea7eb73bda86e206e765bdc8e6367c2c2ae535ccd68c7c1b0a936611 AS eudev
FROM stagex/flashtools:sx2024.09.0@sha256:4e61cc6f0af9aa6116bb93f048c20d00026d75c27dc52b7e8604f0e340c55b80 AS flashtools
FROM stagex/gcc:sx2024.09.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc
FROM stagex/glib:sx2024.09.0@sha256:d280c18f8b52ce21a26924b0cb1bfb69ea6508b57db73efe22401572e71dbe84 AS glib
FROM stagex/gpg:sx2024.09.0@sha256:f63555b39740db63b34c06894a4a9d5e125d04f5d51e799909d06c490e8ecd42 AS gpg
FROM stagex/grub:sx2024.09.0@sha256:a14c60f152c759185e5702e910053cb5c0d9eee11f43d8d5d40a84123aece9fd AS grub
FROM stagex/ipxe:sx2024.09.0@sha256:5791d9b42c7e9099a0180c4fe6cc4b8e9afc9e6b9ec392099c65c53b71db7908 AS ipxe
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
FROM stagex/keyfork:sx2024.09.0@sha256:2288c1d769a0c3c535835019ad4919cc45b094492b5aa959a0eaf1e883a96214 AS keyfork
FROM stagex/libaio:sx2024.09.0@sha256:c8d6dd6f3e6fbda73ac0620b2bc4b4cfe6fa504bf7a17eee3bb56e286c394b8b AS libaio
FROM stagex/libassuan:sx2024.09.0@sha256:1f31e888ab3f02634009d1a38acca9f25deb827432eb91392e21fd75128a44aa AS libassuan
FROM stagex/libffi:sx2024.09.0@sha256:ab647ebf8464e00cde623f86f716e7f50ce82c30eafde813b7977d917ff7143a AS libffi
FROM stagex/libgcrypt:sx2024.09.0@sha256:49c84a586969ff625b3304dcf8905a98db0da36fb8704e3d7a0771d271509b68 AS libgcrypt
FROM stagex/libgpg-error:sx2024.09.0@sha256:11c17c1ac41f36c85e538bd34a0095a9f17e116f61c38d560350c02a6929e55a AS libgpg-error
FROM stagex/libksba:sx2024.09.0@sha256:2913b382fdb76f02f9d78ee162066e04953ba782b8f722145111617a842f40a3 AS libksba
FROM stagex/libqrencode:sx2024.09.0@sha256:8c0f523bdf8d315e7b67cadd584e23d22a316dd1973232d49603e127717e4d1a AS libqrencode
FROM stagex/libseccomp:sx2024.09.0@sha256:f48d783989da9d509cc6b4c12ec34e14074ffc1ab7a4f2d1e322c417d967e12f AS libseccomp
FROM stagex/libslirp:sx2024.09.0@sha256:9dfb87e4a0adba80b862ce6b96112d96f509ffbca25bb71c60ba5bb5693b481d AS libslirp
FROM stagex/libtpms:sx2024.09.0@sha256:d909a55137d0bf4a76331c2bf0358ee192d6c93ad77a5099af09ce1bcca2a6cd AS libtpms
FROM stagex/libusb:sx2024.09.0@sha256:6c0dcf2b9519b1a41066ad71d3b597e9dae84fb73e5d031a3bdd2eb40f78ef94 AS libusb
FROM stagex/libzstd:sx2024.09.0@sha256:a055f8cd6e11b0b8836b2e5e1d755f672edbd344a4f4b5aba94919a6511be4c3 AS libzstd
FROM stagex/linux-airgap:sx2024.09.0@sha256:efb98b59ab37a7e33db423eda7a49bb7273b087838fda8098ce6736a0860fc73 AS linux-airgap
FROM stagex/lzo:sx2024.09.0@sha256:09c60840e3e3e5835ec027c21283febc9f8cf53ab887576fbe9c38dbdbdfd571 AS lzo
FROM stagex/mtools:sx2024.09.0@sha256:c83f7aebce9076903dbf1082aac981d3c0950d9e8952a900e5e072e2a811cda7 AS mtools
FROM stagex/musl:sx2024.09.0@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl
FROM stagex/npth:sx2024.09.0@sha256:21d50ec1421fe75af4bea240d76022ddb8c114fd2805bfeb06fb938e5a58fc0d AS npth
FROM stagex/numactl:sx2024.09.0@sha256:39e667b966a443f42e1c7a8c944203945bd1808ce759df1706bb3b93b0b674c2 AS numactl
FROM stagex/openpgp-card-tools:sx2024.09.0@sha256:56d4696d111b309e536f1b70980db7098cd7823005432e4130432cb2f625cf9f AS openpgp-card-tools
FROM stagex/opensc:sx2024.09.0@sha256:5117a9d39d3b77655b29bf661d9e04eea2001a5b033b2fd6b4297048330ff6e7 AS opensc
FROM stagex/openssl:sx2024.09.0@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl
FROM stagex/pcsc-lite:sx2024.09.0@sha256:4fe37671197ac768637e95f7395ae1a18412b3f42359d0c0aa9f4e7f684aef4e AS pcsc-lite
FROM stagex/pcsc-tools:sx2024.09.0@sha256:05046ca5d41a09163eda26785563fd98f0cb1179030c3f4ee3243997a907bb96 AS pcsc-tools
FROM stagex/qemu:sx2024.09.0@sha256:c9b099bc7d810a581e0e0f68061dd525d7efdb5334d119b4253249a459bd907e AS qemu
FROM stagex/seabios:sx2024.09.0@sha256:f4e535fb1bfc2c7ae1756cdaa2404b1572f6ad195ceabba90d87ed0599fd97d7 AS seabios
FROM stagex/sops:sx2024.09.0@sha256:c742fb1f0c5a4f9d9bc9afc37ba686b247d2b17d55d179409d33736b43c9aaa5 AS sops
FROM stagex/swtpm:sx2024.09.0@sha256:c47fb2c4d8690936b4adef832a3f354231bb5a04206bf2fb565218034ce27792 AS swtpm
FROM stagex/syslinux:sx2024.09.0@sha256:a41388558d7f6d9a29847ee2ff5507ab3100bfe9032ef3b99a3d783ad60ed390 AS syslinux
FROM stagex/tpm2-tools:sx2024.09.0@sha256:c2fc693ec68a9d097151e5b3dd5b923f0dcc35fd4e0624b91ade3bf21367162c AS tpm2-tools
FROM stagex/tpm2-tss:sx2024.09.0@sha256:a8bf8c0973e1b5ba62ce5034a6230684ebe5a142da275d09e81fa2f2f9c87411 AS tpm2-tss
FROM stagex/util-linux:sx2024.09.0@sha256:7e3f3c1e748f5c216503e69b9f8f2e9f8084ec675fb29b23f3a6f0ed3b20c54a AS util-linux
FROM stagex/xorriso:sx2024.09.0@sha256:2205a8f53d4fc569880c311061daa085f40c62b2fd94d556e72bd31b4df9e63a AS xorriso
FROM stagex/xz:sx2024.09.0@sha256:b57c5e6144117bc0124855e9538e60c302cc7bf53fafb53e2eef3434015366f1 AS xz
FROM stagex/yq:sx2024.09.0@sha256:bd6882f0f3ea664e9de6cf732cef2fa2781fc2852f5e6502a6aea1e63eb9708b AS yq
FROM stagex/zlib:sx2024.09.0@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib
FROM scratch AS base
ARG VERSION development
ARG GIT_TIMESTAMP null
ARG GIT_AUTHOR null
ARG GIT_REF null
ARG GIT_PUBKEY null
COPY --from=busybox . /
COPY --from=musl . /
COPY --from=xorriso . /
COPY --from=cpio . /
COPY --from=mtools . /
COPY --from=xz . /
COPY --from=grub . /
FROM base as dev
COPY --from=gcc . /
COPY --from=glib . /
COPY --from=alsa-lib . /
COPY --from=lzo . /
COPY --from=dtc . /
COPY --from=zlib . /
COPY --from=numactl . /
COPY --from=libaio . /
COPY --from=libseccomp . /
COPY --from=libffi . /
COPY --from=libzstd . /
COPY --from=libslirp . /
COPY --from=seabios . /
COPY --from=ipxe . /
COPY --from=qemu . /
COPY --from=swtpm . /
COPY --from=openssl . /
COPY --from=curl . /
COPY --from=libtpms . /
COPY --from=tpm2-tss . /
COPY --from=tpm2-tools . /
FROM base AS build
## Kernel
COPY --from=linux-airgap /bzImage iso/boot/vmlinuz
## Initramfs
COPY --from=busybox . initramfs
COPY --from=eudev . initramfs
COPY --from=musl . initramfs
COPY --from=zlib . initramfs
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=yq . initramfs
COPY --from=bc . initramfs
COPY --from=flashtools . initramfs
COPY --from=curl . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=libusb . initramfs
COPY --from=ccid . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=pcsc-tools . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY --from=libqrencode . initramfs
COPY --from=opensc . initramfs
COPY --from=util-linux . initramfs
COPY --from=sops . initramfs
COPY rootfs/ initramfs
COPY <<-EOF initramfs/etc/environment
export VERSION="$VERSION"
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
export GIT_AUTHOR="$GIT_AUTHOR"
export GIT_REF="$GIT_REF"
export GIT_PUBKEY="$GIT_PUBKEY"
EOF
RUN <<-EOF
set -eux
cd initramfs
find . -exec touch -hcd "@0" "{}" +
find . -print0 \
| sort -z \
| cpio \
--null \
--create \
--verbose \
--reproducible \
--format=newc \
| gzip --best \
> ../iso/boot/initramfs
EOF
## Grub (EFI Boot)
COPY config/grub.cfg iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg
RUN <<-EOF
set -eux
mkdir -p efi/boot
grub-mkimage \
--config="grub_early.cfg" \
--prefix="/boot/grub" \
--output="efi/boot/bootx64.efi" \
--format="x86_64-efi" \
--compression="xz" \
all_video \
disk \
part_gpt \
part_msdos \
linux \
normal \
configfile \
search \
search_label \
efi_gop \
fat \
iso9660 \
gzio \
serial \
terminal
find efi -exec touch -hcd "@0" "{}" +
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
mcopy -i iso/boot/grub/efi.img -ms efi ::
touch -md "@0" iso/boot/grub/efi.img
EOF
## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/
COPY --from=syslinux \
/usr/share/syslinux/isohdpfx.bin \
/usr/share/syslinux/isolinux.bin \
/usr/share/syslinux/ldlinux.c32 \
/usr/share/syslinux/libutil.c32 \
/usr/share/syslinux/libcom32.c32 \
/usr/share/syslinux/mboot.c32 \
iso/boot/syslinux/
## Build Hybrid EFI/BIOS ISO
FROM build AS install
ENV SOURCE_DATE_EPOCH=1
RUN <<-EOF
set -eux
dd if=/dev/zero bs=1M count=10 >> user.img
mformat -v user -i user.img -N 0 ::
find iso -exec touch -hcd "@0" "{}" +
xorrisofs \
-output airgap.iso \
-full-iso9660-filenames \
-joliet \
-rational-rock \
-sysid LINUX \
-volid "airgap" \
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
-eltorito-boot boot/syslinux/isolinux.bin \
-eltorito-catalog boot/syslinux/boot.cat \
-no-emul-boot \
-boot-load-size 4 \
-boot-info-table \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot \
-isohybrid-gpt-basdat \
-follow-links \
-append_partition 3 0xb user.img \
iso/
EOF
## Minimal Autorun SD card image
COPY sdcard sdcard
RUN <<-EOF
set -eux
dd if=/dev/zero of=sdcard.img bs=1M count=32
mformat -v external -i sdcard.img ::
mcopy -i sdcard.img -s sdcard/* ::
EOF
FROM scratch AS package
COPY --from=install /sdcard.img /
COPY --from=install /airgap.iso /

167
Makefile
View File

@ -1,86 +1,21 @@
VERSION := development include $(PWD)/src/toolchain/Makefile
GIT_REF := $(shell git log -1 --format=%H)
GIT_AUTHOR := $(shell git log -1 --format=%an)
GIT_PUBKEY := $(shell git log -1 --format=%GP)
GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
export
## Use env vars from latest release when reproducing
ifdef REPRODUCE
include dist/release.env
export
endif
ifdef NOCACHE
NO_CACHE := --no-cache
endif
.DEFAULT_GOAL := .DEFAULT_GOAL :=
.PHONY: default .PHONY: default
default: \ default: \
out/release.env \ toolchain \
out/manifest.txt \ $(OUT_DIR)/airgap.iso \
out/airgap.iso $(OUT_DIR)/release.env \
$(OUT_DIR)/manifest.txt
## Primary targets
out/airgap.iso: Containerfile $(shell git ls-files rootfs)
SOURCE_DATE_EPOCH=1 \
docker build \
--progress=plain \
--output type=local,rewrite-timestamp=true,dest=out \
--build-arg SOURCE_DATE_EPOCH=1 \
--build-arg VERSION="$(VERSION)" \
--build-arg GIT_REF="$(GIT_REF)" \
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
--build-arg GIT_PUBKEY="$(GIT_PUBKEY)" \
--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
$(NO_CACHE) \
-f Containerfile \
.
## Development Targets
out/dev-shell.digest: Containerfile | out
docker build --target dev -f Containerfile -q . > $@
.PHONY: shell
shell: out/dev-shell.digest
docker run -it $(shell cat $<) /bin/sh
.PHONY: vm
vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
docker run -it -v ./out:/out $(shell cat $<) sh -c "\
swtpm socket \
--tpmstate dir=. \
--ctrl type=unixio,path=vtpm-sock \
--tpm2 & \
qemu-system-x86_64 \
-m 4G \
-machine pc \
-chardev socket,id=chrtpm,path=vtpm-sock \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
-device tpm-tis,tpmdev=tpm0 \
-usb \
-device sdhci-pci \
-device sd-card,drive=external \
-drive id=external,if=none,format=raw,file=out/sdcard.img \
-device usb-storage,drive=usbdrive \
-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
-boot order=c \
-nographic; \
"
## Signing, Verification, and Release Targets
.PHONY: clean .PHONY: clean
clean: clean: toolchain
rm -rf out rm -rf $(CACHE_DIR)/buildroot-ccache
$(call toolchain,$(USER)," \
.PHONY: release cd $(FETCH_DIR)/buildroot; \
release: clean make clean; \
$(MAKE) NOCACHE=1 VERSION=$(VERSION) ")
rm -rf dist/* $(MAKE) toolchain-clean
cp -R out/release.env out/airgap.iso out/manifest.txt dist/
.PHONY: sign .PHONY: sign
sign: sign:
@ -95,35 +30,67 @@ sign:
); \ ); \
gpg --armor \ gpg --armor \
--detach-sig \ --detach-sig \
--output dist/manifest.$${fingerprint}.asc \ --output $(DIST_DIR)/manifest.$${fingerprint}.asc \
dist/manifest.txt $(DIST_DIR)/manifest.txt
.PHONY: verify .PHONY: verify
verify: | dist/manifest.txt verify: | $(DIST_DIR)/manifest.txt
set -e; \ set -e; \
for file in dist/manifest.*.asc; do \ for file in $(DIST_DIR)/manifest.*.asc; do \
echo "\nVerifying: $${file}\n"; \ echo "\nVerifying: $${file}\n"; \
gpg --verify $${file} dist/manifest.txt; \ gpg --verify $${file} $(DIST_DIR)/manifest.txt; \
done; done;
.PHONY: reproduce .PHONY: mrproper
reproduce: clean | out mrproper:
$(MAKE) REPRODUCE=true NOCACHE=1 docker image rm -f $(IMAGE)
diff -q out/manifest.txt dist/manifest.txt; rm -rf $(CACHE_DIR) $(OUT_DIR)
out: .PHONY: menuconfig
mkdir -p $@ menuconfig: toolchain
$(call toolchain,$(USER)," \
cd $(FETCH_DIR)/buildroot; \
make "airgap_$(TARGET)_defconfig"; \
make menuconfig; \
")
cp $(FETCH_DIR)/buildroot/.config \
"config/buildroot/configs/airgap_$(TARGET)_defconfig"
out/release.env: $(shell git ls-files) | out .PHONY: linux-menuconfig
echo 'VERSION=$(VERSION)' > out/release.env linux-menuconfig: toolchain
echo 'GIT_REF=$(GIT_REF)' >> out/release.env $(call toolchain,$(USER),"\
echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> out/release.env cd $(FETCH_DIR)/buildroot; \
echo 'GIT_PUBKEY=$(GIT_PUBKEY)' >> out/release.env make linux-menuconfig; \
echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env make linux-update-defconfig; \
")
out/manifest.txt: out/airgap.iso out/release.env | out .PHONY: vm
openssl sha256 -r \ vm: toolchain
out/airgap.iso \ $(call toolchain,$(USER)," \
out/release.env \ qemu-system-i386 \
| sed -e 's/ \*out\// /g' -e 's/ \.\// /g' \ -M pc \
> $@ -nographic \
-cdrom "$(OUT_DIR)/airgap.iso"; \
")
.PHONY: release
release: default
rm -rf $(DIST_DIR)/*
cp -R $(OUT_DIR)/* $(DIST_DIR)/
$(FETCH_DIR)/buildroot: toolchain
$(call git_clone,$(FETCH_DIR)/buildroot,$(BUILDROOT_REPO),$(BUILDROOT_REF))
$(OUT_DIR)/airgap.iso: \
$(FETCH_DIR)/buildroot \
$(OUT_DIR)/release.env
# $(call apply_patches,$(FETCH_DIR)/buildroot,$(CONFIG_DIR)/buildroot/patches)
$(call toolchain,$(USER)," \
cd $(FETCH_DIR)/buildroot; \
make "airgap_$(TARGET)_defconfig"; \
unset FAKETIME; \
make source; \
make; \
")
cp $(FETCH_DIR)/buildroot/output/images/rootfs.iso9660 \
$(OUT_DIR)/airgap.iso

57
README.md
View File

@ -1,26 +1,24 @@
# AirgapOS # # AirgapOS #
<https://git.distrust.co/public/airgap> <https://github.com/distrust-foundation/airgap>
## About ## ## About ##
A full-source-bootstrapped, deterministic, minimal, immutable, and offline, A live buildroot based Liux distribution designed for managing secrets offline.
workstation linux distribution designed for creating and managing secrets
offline.
Built for those of us that want to be -really- sure our most important secrets Built for those of us that want to be -really- sure our most important secrets
are managed in a clean environment with an "air gap" between us and the are managed in a clean environment with an "air gap" between us and the
internet with high integrity on the supply chain of the firmware and OS used. internet with high integrity on the supply chain of the firmware and OS used.
## Uses ## ## Uses ##
* Generate PGP keychain * Generate GPG keychain
* Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey * Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
* Signing cryptocurrency transactions * Signing cryptocurrency transactions
* Generate/backup BIP39 universal cryptocurrency wallet seed * Generate/backup BIP39 universal cryptocurrency wallet seed
* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger * Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
## Features ## ## Features ##
* Deterministic iso generation for multi-party code->binary verification * Determinsitic iso generation for multi-party code->binary verification
* Small footprint (< 100MB) * Small footprint (< 100MB)
* Immutable and Diskless: runs from initramfs * Immutable and Diskless: runs from initramfs
* Network support and most drivers removed to minimize exfiltration vectors * Network support and most drivers removed to minimize exfiltration vectors
@ -29,54 +27,37 @@ internet with high integrity on the supply chain of the firmware and OS used.
### Software ### ### Software ###
* docker 26+ * docker 18+
### Hardware ### ### Hardware ###
* x86_64 PC or laptop * Recommended: PC running coreboot-heads
* linuxboot/heads firmware supported and recommended for multi-use machine * Allows for signed builds, and verification of signed sd card payloads
* Allows for signed builds, and verification of signed sd card payloads * Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed * Supported remote attestation key (Librem Key, Nitrokey, etc)
* Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
* Blank flash drive * Blank flash drive
* Blank SD card * Blank SD card
## Build ## ## Build ##
### Update git submodules
```
git submodule update --init --recursive
```
### Build a new release ### Build a new release
``` ```
make release make release
``` ```
### Reproduce an existing release ### Reproduce an existing release
``` ```
make attest make attest
``` ```
### Sign an existing release ### Sign an existing release
``` ```
make sign make sign
``` ```
## Provisioning ##
1. Write airgap.iso to CD-ROM or SD Card
a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
b. `cdrecord out/airgap.iso`
2. Verify media still produces expected hash
```
sha256sum out/airgap.iso
head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
```
## Setup ## ## Setup ##

1
config/buildroot/Config.in Normal file
View File

@ -0,0 +1 @@
source "$BR2_EXTERNAL_Airgap_PATH/package/flashtools/Config.in"

27
config/buildroot/board/x86_64/grub.cfg Normal file
View File

@ -0,0 +1,27 @@
set default="0"
set timeout="10"
menuentry "AirgapOS (qwerty)" {
linux /boot/bzImage root=/dev/sr0 keymap=qwerty/us
initrd /boot/initrd
}
menuentry "AirgapOS (dvorak)" {
linux /boot/bzImage root=/dev/sr0 keymap=dvorak
initrd /boot/initrd
}
menuentry "AirgapOS (colemak)" {
linux /boot/bzImage root=/dev/sr0 keymap=colemak/en-latin9
initrd /boot/initrd
}
menuentry "AirgapOS (qwertz)" {
linux /boot/bzImage root=/dev/sr0 keymap=qwertz/de
initrd /boot/initrd
}
menuentry "AirgapOS (azerty)" {
linux /boot/bzImage root=/dev/sr0 keymap=azerty/fr
initrd /boot/initrd
}

1580
config/buildroot/board/x86_64/linux.config Normal file
View File

File diff suppressed because it is too large Load Diff

17
config/buildroot/board/x86_64/post-build.sh Executable file
View File

@ -0,0 +1,17 @@
#!/bin/sh
set -u
set -e
set -x
BOARD_DIR="$(dirname $0)"
cp -f ${BOARD_DIR}/grub.cfg ${TARGET_DIR}/boot/grub/grub.cfg
echo "export VERSION=\"${VERSION}\"" > ${TARGET_DIR}/etc/environment
echo "export GIT_REF=\"${GIT_REF}\"" >> ${TARGET_DIR}/etc/environment
echo "export GIT_AUTHOR=\"${GIT_AUTHOR}\"" >> ${TARGET_DIR}/etc/environment
echo "export GIT_KEY=\"${GIT_KEY}\"" >> ${TARGET_DIR}/etc/environment
echo "export GIT_TIMESTAMP=\"${GIT_TIMESTAMP}\"" >> ${TARGET_DIR}/etc/environment
exit $?

6
config/buildroot/board/x86_64/post-image.sh Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
set -u
set -e
echo "post-image.sh was run"

4099
config/buildroot/configs/airgap_qemu_defconfig Normal file
View File

File diff suppressed because it is too large Load Diff

4945
config/buildroot/configs/airgap_x86_64_defconfig Normal file
View File

File diff suppressed because it is too large Load Diff

2
config/buildroot/external.desc Normal file
View File

@ -0,0 +1,2 @@
name: Airgap
desc: Linux distribution for offline cryptography use cases

1
config/buildroot/external.mk Normal file
View File

@ -0,0 +1 @@
include $(sort $(wildcard $(BR2_EXTERNAL_Airgap_PATH)/package/*/*.mk))

36
config/buildroot/package/flashtools/Config.in Normal file
View File

@ -0,0 +1,36 @@
menu "Flashtools"
config BR2_PACKAGE_FLASHTOOLS
bool "flashtools"
config BR2_PACKAGE_FLASHTOOLS_FLASHTOOL
bool "flashtool"
select BR2_PACKAGE_FLASHTOOLS
help
Todo
config BR2_PACKAGE_FLASHTOOLS_PEEK
bool "peek"
select BR2_PACKAGE_FLASHTOOLS
help
Todo
config BR2_PACKAGE_FLASHTOOLS_POKE
bool "poke"
select BR2_PACKAGE_FLASHTOOLS
help
Todo
config BR2_PACKAGE_FLASHTOOLS_CBFS
bool "cbfs"
select BR2_PACKAGE_FLASHTOOLS
help
Todo
config BR2_PACKAGE_FLASHTOOLS_UEFI
bool "uefi"
select BR2_PACKAGE_FLASHTOOLS
help
Todo
endmenu

47
config/buildroot/package/flashtools/flashtools.mk Normal file
View File

@ -0,0 +1,47 @@
################################################################################
#
# flashtools
#
################################################################################
FLASHTOOLS_VERSION = 9acce09aeb635c5bef01843e495b95e75e8da135
FLASHTOOLS_SITE = https://github.com/osresearch/flashtools.git
FLASHTOOLS_SITE_METHOD = git
FLASHTOOLS_LICENSE = GPL-2.0
FLASHTOOLS_LICENSE_FILES = LICENSE
ifeq ($(BR2_PACKAGE_FLASHTOOLS_FLASHTOOL),y)
FLASHTOOLS_TARGETS += flashtool
endif
ifeq ($(BR2_PACKAGE_FLASHTOOLS_PEEK),y)
FLASHTOOLS_TARGETS += peek
endif
ifeq ($(BR2_PACKAGE_FLASHTOOLS_POKE),y)
FLASHTOOLS_TARGETS += poke
endif
ifeq ($(BR2_PACKAGE_FLASHTOOLS_CBFS),y)
FLASHTOOLS_TARGETS += cbfs
endif
ifeq ($(BR2_PACKAGE_FLASHTOOLS_UEFI),y)
FLASHTOOLS_TARGETS += uefi
endif
define FLASHTOOLS_BUILD_CMDS
$(foreach t,$(FLASHTOOLS_TARGETS),\
$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
CFLAGS="$(TARGET_CFLAGS)" -C $(@D) $(t) \
)
endef
define FLASHTOOLS_INSTALL_TARGET_CMDS
$(foreach t,$(FLASHTOOLS_TARGETS),\
$(INSTALL) -D -m 0755 $(@D)/$(t) $(TARGET_DIR)/usr/bin/$(t)$(sep) \
)
endef
$(eval $(generic-package))

39
config/buildroot/patches/deterministic-cpio.patch Normal file
View File

@ -0,0 +1,39 @@
diff --git a/fs/cpio/cpio.mk b/fs/cpio/cpio.mk
index 81f8c393d1..72923ded47 100644
--- a/fs/cpio/cpio.mk
+++ b/fs/cpio/cpio.mk
@@ -32,15 +32,16 @@ ROOTFS_CPIO_PRE_GEN_HOOKS += ROOTFS_CPIO_ADD_INIT
# --reproducible option was introduced in cpio v2.12, which may not be
# available in some old distributions, so we build host-cpio
ifeq ($(BR2_REPRODUCIBLE),y)
-ROOTFS_CPIO_DEPENDENCIES += host-cpio
-ROOTFS_CPIO_OPTS += --reproducible
+ROOTFS_CPIO_DEPENDENCIES += host-cpio host-libarchive
endif
define ROOTFS_CPIO_CMD
- cd $(TARGET_DIR) && \
- find . \
- | LC_ALL=C sort \
- | cpio $(ROOTFS_CPIO_OPTS) --quiet -o -H newc \
+ cd $(TARGET_DIR) \
+ && find . -mindepth 1 -execdir touch -hcd "@0" "{}" + \
+ && find . -mindepth 1 -printf '%P\0' \
+ | sort -z \
+ | LANG=C bsdtar --null -cnf - -T - \
+ | LANG=C bsdtar --uid 0 --gid 0 --null -cf - --format=newc @- \
> $@
endef
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 708ce637c2..2ba8dcab2a 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -135,7 +135,6 @@ endif
# The only user of host-libarchive needs zlib support
HOST_LIBARCHIVE_DEPENDENCIES = host-zlib
HOST_LIBARCHIVE_CONF_OPTS = \
- --disable-bsdtar \
--disable-bsdcpio \
--disable-bsdcat \
--disable-acl \

28
config/buildroot/patches/deterministic-iso9660.patch Normal file
View File

@ -0,0 +1,28 @@
diff --git a/fs/iso9660/iso9660.mk b/fs/iso9660/iso9660.mk
index 0524f94c35..284c21f566 100644
--- a/fs/iso9660/iso9660.mk
+++ b/fs/iso9660/iso9660.mk
@@ -157,7 +157,13 @@ ROOTFS_ISO9660_PRE_GEN_HOOKS += ROOTFS_ISO9660_DISABLE_EXTERNAL_INITRD
endif # ROOTFS_ISO9660_USE_INITRD
-ROOTFS_ISO9660_OPTS += -J -R
+ROOTFS_ISO9660_OPTS += \
+ -volume_date all_file_dates "=$(SOURCE_DATE_EPOCH)" \
+ -as mkisofs \
+ -J \
+ -R \
+ -gid 0 \
+ -uid 0
ROOTFS_ISO9660_OPTS_BIOS = \
-b $(ROOTFS_ISO9660_BOOT_IMAGE) \
@@ -181,7 +187,7 @@ ROOTFS_ISO9660_OPTS += $(ROOTFS_ISO9660_OPTS_EFI)
endif
define ROOTFS_ISO9660_CMD
- $(HOST_DIR)/bin/xorriso -as mkisofs \
+ $(HOST_DIR)/bin/xorriso \
$(ROOTFS_ISO9660_OPTS) \
-o $@ $(ROOTFS_ISO9660_TMP_TARGET_DIR)
endef

0
rootfs/.gnupg/gpg.conf → config/buildroot/rootfs_overlay/.gnupg/gpg.conf
View File

0
rootfs/etc/init.d/S02modules → config/buildroot/rootfs_overlay/etc/init.d/S02modules
View File

0
rootfs/etc/init.d/S03keymap → config/buildroot/rootfs_overlay/etc/init.d/S03keymap
View File

0
rootfs/etc/init.d/S04cbfs-key-import → config/buildroot/rootfs_overlay/etc/init.d/S04cbfs-key-import
View File

23
rootfs/etc/inittab → config/buildroot/rootfs_overlay/etc/inittab
View File

@ -1,5 +1,11 @@
# /etc/inittab # /etc/inittab
#
# Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>
#
# Note: BusyBox init doesn't support runlevels. The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use
# sysvinit.
#
# Format for each entry: <id>:<runlevels>:<action>:<process> # Format for each entry: <id>:<runlevels>:<action>:<process>
# #
# id == tty to run on, or empty for /dev/console # id == tty to run on, or empty for /dev/console
@ -8,26 +14,27 @@
# process == program to run # process == program to run
# Startup the system # Startup the system
::sysinit:/bin/mount -t devtmpfs devtmpfs /dev
::sysinit:/bin/mkdir -p /proc /run /dev/pts /dev/shm /sys
::sysinit:/bin/mount -t sysfs sysfs /sys
::sysinit:/bin/mount -t proc proc /proc ::sysinit:/bin/mount -t proc proc /proc
::sysinit:/bin/mount -o remount,rw / ::sysinit:/bin/mount -o remount,rw /
::sysinit:/bin/mkdir -p /dev/pts /dev/shm
::sysinit:/bin/mount -a
::sysinit:/sbin/swapon -a
null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
::sysinit:/bin/hostname -F /etc/hostname
# now run any rc scripts # now run any rc scripts
::sysinit:/etc/init.d/rcS ::sysinit:/etc/init.d/rcS
# Put shells on the serial terminal and console # Put a getty on the serial port
console::respawn:-/bin/bash #console::respawn:/sbin/getty -L console 0 vt100 # GENERIC_SERIAL
ttyS0::respawn:-/bin/bash
::respawn:-/bin/bash ::respawn:-/bin/bash
# Stuff to do for the 3-finger salute # Stuff to do for the 3-finger salute
::ctrlaltdel:/sbin/reboot #::ctrlaltdel:/sbin/reboot
# Stuff to do before rebooting # Stuff to do before rebooting
::shutdown:/etc/init.d/rcK ::shutdown:/etc/init.d/rcK
::shutdown:/sbin/swapoff -a
::shutdown:/bin/umount -a -r ::shutdown:/bin/umount -a -r

0
rootfs/etc/modules → config/buildroot/rootfs_overlay/etc/modules
View File

5
rootfs/etc/profile → config/buildroot/rootfs_overlay/etc/profile
View File

@ -3,7 +3,8 @@ export PATH="/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
export PS1="[\h \t] \\$ " export PS1="[\h \t] \\$ "
export GNUPGHOME=/.gnupg export GNUPGHOME=/.gnupg
source /etc/environment source /etc/environment
cd /root
dmesg -n1
clear clear
cat << "EOF" cat << "EOF"
_ _ ___ ____ _ _ ___ ____
@ -18,5 +19,5 @@ echo " - Version: $VERSION"
echo " - Date: $GIT_TIMESTAMP" echo " - Date: $GIT_TIMESTAMP"
echo " - Committer: $GIT_AUTHOR" echo " - Committer: $GIT_AUTHOR"
echo " - Commit: $GIT_REF" echo " - Commit: $GIT_REF"
echo " - Key: $GIT_PUBKEY" echo " - Key: $GIT_KEY"
echo "" echo ""

12
config/buildroot/rootfs_overlay/etc/udev/rules.d/sdcard-autorun.rules Normal file
View File

@ -0,0 +1,12 @@
KERNEL!="sd[a-z][0-9]", GOTO="sd_cards_auto_mount_end"
# Global mount options
ACTION=="add", ENV{mount_options}="relatime"
# Filesystem specific options
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},utf8,flush,user,umask=0000"
ACTION=="add", RUN+="/bin/mkdir -p /media/sd-%k", RUN+="/bin/mount -o $env{mount_options} /dev/%k /media/sd-%k"
ACTION=="add", RUN+="/usr/local/bin/autorun /media/sd-%k"
ACTION=="remove", RUN+="/bin/umount -l /media/sd-%k", RUN+="/bin/rmdir /media/sd-%k"
LABEL="sd_cards_auto_mount_end"

18
config/buildroot/rootfs_overlay/usr/local/bin/autorun Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
set -e
source /etc/profile
folder=${1?}
if [ -f "${folder}/autorun.sh.asc" ]; then
echo "" >/dev/console
echo "++ Autorun: Found ${folder}/autorun.sh" >/dev/console;
gpg --verify "${folder}/autorun.sh.asc" >/dev/null 2>&1 || {
echo "!! Autorun: Verification Failed for ${folder}/autorun.sh" \
>/dev/console;
exit 1;
}
echo "++ Autorun: Verified ${folder}/autorun.sh" >/dev/console
echo "** Autorun: Executing ${folder}/autorun.sh" >/dev/console
/bin/bash "${folder}/autorun.sh" >/dev/console
fi

8
config/global.env Normal file
View File

@ -0,0 +1,8 @@
DEBIAN_HASH=48b28b354484a7f0e683e340fa0e6e4c4bce3dc3aa0146fc2f78f443fde2c55d
# BUILDROOT_REF=ea51485ee9ab44f72f8b1cc019dcb17f276d1def
BUILDROOT_REF=8526e60a1f09854b96016b03a2439fcb61200ee4
HEADS_REF=6e62c83e164231c629d77a45d37569b3bff43d3f
BUILDROOT_REPO=git://git.busybox.net/buildroot
HEADS_REPO=https://source.puri.sm/coreboot/purism-heads.git
BR2_EXTERNAL=/home/build/config/buildroot
HEADS_EXTERNAL=/home/build/config/heads

5
config/grub.cfg
View File

@ -1,5 +0,0 @@
set timeout=1
menuentry "Linux Airgap" {
linux /boot/vmlinuz init=/init console=ttyS0 console=tty0 ro
initrd /boot/initramfs
}

2
config/grub_early.cfg
View File

@ -1,2 +0,0 @@
search --no-floppy --set=root --label "airgap"
set prefix=($root)/boot/grub

160
config/heads/patches/usb-boot.patch Normal file
View File

@ -0,0 +1,160 @@
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 1369ed1..f576a8e 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -13,21 +13,26 @@ first_pass=true
mount_boot()
{
-
+
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
+
# try to mount if CONFIG_BOOT_DEV exists
if [ -e "$CONFIG_BOOT_DEV" ]; then
- mount -o ro $CONFIG_BOOT_DEV /boot
+ mount -o ro $CONFIG_BOOT_DEV /boot
[[ $? -eq 0 ]] && continue
fi
- # CONFIG_BOOT_DEV doesn't exist or couldn't be mounted, so give user options
+ # try to mount usb to /media and /boot if it exists
+ mount-usb \
+ && mount -o bind,ro /media /boot \
+ && continue
+
+ # no boot device available, so give user options
whiptail $BG_COLOR_ERROR --clear --title "ERROR: No Bootable OS Found!" \
- --menu " No bootable OS was found on the default boot device $CONFIG_BOOT_DEV.
+ --menu " No bootable OS was found at $CONFIG_BOOT_DEV or on USB.
How would you like to proceed?" 30 90 4 \
'b' ' Select a new boot device' \
- 'u' ' Boot from USB' \
'm' ' Continue to the main menu' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
@@ -41,9 +46,6 @@ mount_boot()
. /tmp/config
fi
;;
- u )
- exec /bin/usb-init
- ;;
m )
break
;;
@@ -55,6 +57,11 @@ mount_boot()
}
verify_global_hashes()
{
+
+ # If default boot device is not mounted, then there are no hashes to verify
+ # User is likely usb booting.
+ df $CONFIG_BOOT_DEV >/dev/null 2>&1 || return 0
+
# Check the hashes of all the files, ignoring signatures for now
check_config /boot force
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@@ -458,6 +465,7 @@ while true; do
if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
# Try to boot the default
mount_boot
+
verify_global_hashes
if [ $? -ne 0 ]; then
continue
@@ -467,6 +475,7 @@ while true; do
kexec-select-boot -b /boot -c "grub.cfg" -g \
|| recovery "Failed default boot"
else
+ usb-init
if (whiptail --title 'No Default Boot Option Configured' \
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 16 90) then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb
index a79dd66..8a8734c 100755
--- a/initrd/bin/mount-usb
+++ b/initrd/bin/mount-usb
@@ -4,19 +4,6 @@
enable_usb
-if ! lsmod | grep -q usb_storage; then
- count=$(ls /dev/sd* 2>/dev/null | wc -l)
- timeout=0
- echo "Scanning for USB storage devices..."
- insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 \
- || die "usb_storage: module load failed"
- while [[ $count == $(ls /dev/sd* 2>/dev/null | wc -l) ]]; do
- [[ $timeout -ge 4 ]] && break
- sleep 1
- timeout=$(($timeout+1))
- done
-fi
-
if [ ! -d /media ]; then
mkdir /media
fi
diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan
index d9f26b0..b64f150 100755
--- a/initrd/bin/usb-scan
+++ b/initrd/bin/usb-scan
@@ -5,12 +5,6 @@ set -e -o pipefail
. /etc/gui_functions
. /tmp/config
-# Unmount any previous boot device
-if grep -q /boot /proc/mounts ; then
- umount /boot \
- || die "Unable to unmount /boot"
-fi
-
# Mount the USB boot device
mount_usb || die "Unable to mount /media"
@@ -29,12 +23,16 @@ get_menu_option() {
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < /tmp/iso_menu.txt
- whiptail --clear --title "Select your ISO boot option" \
- --menu "Choose the ISO boot option [1-$n, s for standard boot, a to abort]:" 20 120 8 \
- -- $MENU_OPTIONS \
- 2>/tmp/whiptail || die "Aborting boot attempt"
+ if [ "$n" -eq "1" ]; then
+ option_index=1
+ else
+ whiptail --clear --title "Select your ISO boot option" \
+ --menu "Choose the ISO boot option [1-$n, s for standard boot, a to abort]:" 20 120 8 \
+ -- $MENU_OPTIONS \
+ 2>/tmp/whiptail || die "Aborting boot attempt"
- option_index=$(cat /tmp/whiptail)
+ option_index=$(cat /tmp/whiptail)
+ fi
else
echo "+++ Select your ISO boot option:"
n=0
diff --git a/initrd/etc/functions b/initrd/etc/functions
index dc0fbed..a083e17 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -122,6 +122,18 @@ enable_usb()
|| die "xhci_pci: module load failed"
sleep 2
fi
+ if ! lsmod | grep -q usb_storage; then
+ count=$(ls /dev/sd* 2>/dev/null | wc -l)
+ timeout=0
+ echo "Scanning for USB storage devices..."
+ insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 \
+ || die "usb_storage: module load failed"
+ while [[ $count == $(ls /dev/sd* 2>/dev/null | wc -l) ]]; do
+ [[ $timeout -ge 4 ]] && break
+ sleep 1
+ timeout=$(($timeout+1))
+ done
+ fi
}
confirm_gpg_card()

8
config/syslinux.cfg
View File

@ -1,8 +0,0 @@
TIMEOUT 2
PROMPT -1
DEFAULT Airgap
LABEL Airgap
MENU LABEL Linux Airgap
KERNEL /boot/vmlinuz
INITRD /boot/initramfs
APPEND init=/init console=ttyS0 console=tty0 ro

256
config/toolchain/package-hashes-x86_64.txt Normal file
View File

@ -0,0 +1,256 @@
030db54f4d76cdfe2bf0e8eb5f9efea0233ab3c7aa942d672c7b63b52dbaf935 libpcre2-8-0_10.42-1_amd64.deb
03326473eed54ffa27efae19aa5d6aeb402930968f869f318445513093691d55 libtirpc-dev_1.3.3+ds-1_amd64.deb
03539fd30c509e27101d13a56e52eda9062bdf1aefe337c07ab56def25a13eab libmd0_1.0.4-2_amd64.deb
03ebdf235600f4a8a6d4fbc7080de0a776b1a701f43c4e9697944757591d7809 libkrb5-3_1.20.1-2+deb12u1_amd64.deb
072d908f38f51090ca28ca5afa3b46b2957dc61fe35094c0b851426859a49a51 libtinfo6_6.4-4_amd64.deb
097a2cb520881c29afa97c1bb0c381ce008aef362df2779677416a0981bcf165 g++-12_12.2.0-14_amd64.deb
0a43a9785f32d517a967d99e00d8e0a69edc0be09d4e63a08d7fd64466a11a0f gpgv_2.2.40-1.1_amd64.deb
0ca5213c1ab67278cbfcec4cafccdb538c2e089718f4bddabe5a00145e5a21fb libdav1d6_1.0.0-2_amd64.deb
11790842108768ec52432ea22e7b4f057232813b7c27ef6dfe1aba776a5cb90e sysvinit-utils_3.06-4_amd64.deb
11ee190ad39f8d7af441d2c8347388b9449434c73acc67b4b372445ac4152efa libsasl2-2_2.1.28+dfsg-10_amd64.deb
1379ab846489b322bb45602d34ca8e2791e1d342fd53d49143f6355430934efd libcc1-0_12.2.0-14_amd64.deb
146ee93768433ac6a33edc8ae9248d8d619f10ef42c18b1212e0cb594ab9be3b libblkid1_2.38.1-5+b1_amd64.deb
16ee38d374e064f534116dc442b086ef26f9831f1c0af7e5fb4fe4512e700649 libfontconfig1_2.14.1-4_amd64.deb
177cacdfe9508448d84bf25534a87a7fcc058d8e2dcd422672851ea13f2115df sed_4.9-1_amd64.deb
17d0341ca6ce604ce59c296780ac2c2a24141a769823c50669af942c025e6591 libaudit-common_1%3a3.0.9-1_all.deb
17d9a2f3c05004499d80e180d2440fd716f84c32b65f09d96c9a024af4d1d0e7 hostname_3.23+nmu1_amd64.deb
17fc3fb0897b9d26f779d60d056d9a1ce68af50208118c4277cf18a0496f36a8 openssh-client_1%3a9.2p1-2+deb12u2_amd64.deb
187aedef2ed763f425c1e523753b9719677633c7eede660401739e9c893482bd libgmp10_2%3a6.2.1+dfsg1-1.1_amd64.deb
194024e45303ed7e38f68e2e82c57b5d03a09822b6c3fcbf7865fea982e78914 mount_2.38.1-5+b1_amd64.deb
194fd3750e6d647f300045a266c20cc3a3d47f84fd2fc8ff8830c55098b63c0d fakeroot_1.31-1.2_amd64.deb
1a03df5a57833d65b5bb08cfa19d50e76f29088dc9e64fb934af42d9023a0807 gcc-12-base_12.2.0-14_amd64.deb
1a394277e17426a10abdd9293e06fa0f8c31049fe73027608fe9363dda36f25b libc-dev-bin_2.36-9+deb12u3_amd64.deb
1cdc3c6614ce1dd2486041bf8bbd86d7dda5c79bc72d3e78bb4abcb9468a85aa base-files_12.4+deb12u4_amd64.deb
1cf14abf2716d3279db12d0657a5737cf70074a1e71d3bdf73206625e3c89ce6 libedit2_3.1-20221030-2_amd64.deb
1dbc499d2055cb128fa4ed678a7adbcced3d882b3509e26d5aa3742a4b9e5b2f libgomp1_12.2.0-14_amd64.deb
245f55e17d9ec050d9a1de80b35bc6b8f64f277b6f12183ff7769be5b3678eb8 logsave_1.47.0-2_amd64.deb
251330faddbf013f060fcdb41f4b0c037c8a6e89ba7c09b04bfcc4e3f0807b22 libp11-kit0_0.24.1-2_amd64.deb
2520093a31c082ace185a18ad6bdf860b13f32139977d1dfe1d52867c2e5df30 gpg-wks-client_2.2.40-1.1_amd64.deb
26c451a660728cf7c15548a281e17eef2f36fab28499371e83fc2d3accb499d7 g++_4%3a12.2.0-3_amd64.deb
26e174fb15af157b5d5698b5ccd9aafcdb084acdf74a5aa9aab6887c1f308f99 tzdata_2023c-5+deb12u1_all.deb
27b3d102545f597df9e6dc5c7f6590a648de09b57debd6b05ad3d1189de428d5 pinentry-curses_1.2.1-1_amd64.deb
281c66e46b95f045a0282a6c7a03b33de0e9a08d016897a759aaf4a04adfddbe fontconfig-config_2.14.1-4_amd64.deb
29b23c48c0fe6f878e56c5ddc9f65d1c05d729360f3690a593a8c795031cd867 netbase_6.4_all.deb
2a46d5a5e9486da11ffeff5740931740d6deae4f92cd6098df060dc5dff1e1c7 libtirpc3_1.3.3+ds-1_amd64.deb
2ac1236547360284e9e154ad11a14564db65175bd4da393ec652ac1b2dc43571 libgpm2_1.20.7-10+b1_amd64.deb
2ad228835756feb118bb131b32834bd23a09047e4de408cc5204cbb5dce0e4bb libncurses-dev_6.4-4_amd64.deb
2b07f5287b9105f40158b56e4d70cc1652dac56a408f3507b4ab3d061eed425f libselinux1_3.4-1+b6_amd64.deb
2c57221bf8cc0ff5d2295ececb9215cc1b9ff9040dacb152c385bba3087ab1df file_1%3a5.44-3_amd64.deb
2d7ea8a570d768224d7f2424abbe6f373d2154865a1fa7f56c80d43ecf492521 binutils-x86-64-linux-gnu_2.40-2_amd64.deb
30954df4b5a7c505661ba8ae5e6ea94f5805e408899fb400783bb166eb5ff306 libaudit1_1%3a3.0.9-1_amd64.deb
30b4972cc88a4ff0fba9e08e6d476de13b109af9e4b826d130bdc72771d6e373 libasan8_12.2.0-14_amd64.deb
30f9618670e686d781afbfc713eb0830c29d2819e9cb2a0488800dad6bb99faa python3-minimal_3.11.2-1+b1_amd64.deb
31c77590324be46e1d1616df144a4f9002fb92b3252cce13f14f0612f97746e6 rsync_3.2.7-1_amd64.deb
3264acea728df3c48a54f20e9291b965130e306b9d00adac76647049da7196df grep_3.8-5_amd64.deb
32ac0692694f8a34cc90c895f4fc739680fb2ef0e2d4870a68833682bf1c81a3 rpcsvc-proto_1.4.3-1_amd64.deb
32b60c039da18a2b17fdf4bc569d783fbb7a2fe634907eb239a380357eca4872 linux-libc-dev_6.1.69-1_amd64.deb
339abb97957695134f9df48dfa3eb7df5f681c3aa76a53934133dee2f451d1e4 libsystemd0_252.19-1~deb12u1_amd64.deb
33ea40061da2f1a861ec46212b2b6a34f0776a049b1a3f0abce2fb8cb994258f dash_0.5.12-2_amd64.deb
33f6dafbd1a6902d9063172ec7dbd4b2225e12009e0d7ec5c933a72c2f5f3b74 python3_3.11.2-1+b1_amd64.deb
34097adaf793f92cc93c8f07059d34766a6a8f2b1d0b1b74b9bb530516402642 git-man_1%3a2.39.2-1.1_all.deb
343b60a755ceb2c3687f9a5c9c9dc00eea0e44a7de49a537c36df17894f784b3 passwd_1%3a4.13+dfsg1-1+b1_amd64.deb
36a29db2aa4262bd02c23df42cd91cc709883fe52a517aa8a1b148039305eef0 tar_1.34+dfsg-1.2_amd64.deb
36b6fc603efaa2bfd22cff3a7773590dd6774a5d0d9b0c23b73306f3f58cbc20 libavif15_0.11.1-1_amd64.deb
37b7a2b4e78890b6a074777f27b96c84f58e81558ba08410c2b6c0ca4a4ad77b libmpfr6_4.2.0-1_amd64.deb
37d5e8d44bb9729a89d747db15880f0f01e53101cc16f258087bb8b591017e76 gpgsm_2.2.40-1.1_amd64.deb
37eaea795edc3bd2c5d43ab5a3a723859d851a9aff9d8d882eddb786047d7594 libc-devtools_2.36-9+deb12u3_amd64.deb
396d6e453aee6d71b7141f0bfb333a6c08a44c64f77632bdf52894ccd123db46 ncurses-bin_6.4-4_amd64.deb
3a8b61891f0ce9bd310088ce2d269d63b5afd88b9196fa4f046fd890faea4a17 libalgorithm-diff-perl_1.201-1_all.deb
3ac4fd6cbe3b3b06e68d24b931bf3eb9385b42f15604a37ed25310e948ca0ee6 libsasl2-modules-db_2.1.28+dfsg-10_amd64.deb
3d4b39f94317b64a860db8a7a8b581b555124cd461fe07ec0d347edbdb9f6683 libdeflate0_1.14-1_amd64.deb
3e3ef129b4bf61513144236e15e1b4ec57fa5ae3dc8a72137abdbefb7a63af85 libtirpc-common_1.3.3+ds-1_all.deb
3fb7b6f326be3fae4a87a3d33b9269bd06c1e4346a24bd737f265067e3b7427f libctf0_2.40-2_amd64.deb
3fc9742f9f1a37bcb9931df6074b4d1483419ef832ad5349f47323e75fc27864 libjansson4_2.14-2_amd64.deb
4018d17d6a44ffeb19c002dc9f721bf474e6879ad814f1bfcdd6666803e30178 e2fsprogs_1.47.0-2_amd64.deb
438871b3f5c5c7a357a9840951dab9dab8db7eb1ff760a563226fafa111b99e5 bzip2_1.0.8-5+b1_amd64.deb
43c90d45f7cf5584108964b919d6c728680d81af5fa70c8fb367d661cef54e8c libnpth0_1.6-3_amd64.deb
43f19bcfdf5e1866c21d429d04403168ec4e19b3231de1eccef3e48160114591 util-linux_2.38.1-5+b1_amd64.deb
45403a9d495cd41997f1358352d386cf0076c1c57790a44df10b0529393cd728 less_590-2_amd64.deb
45922e6e289ffd92f0f92d2bb9159e84236ff202d552a461bf10e5335b3f0261 libnettle8_3.8.1-2_amd64.deb
46dbe02369411b46f676ddb55fa8ee3a98f7a15607ddab785979c25bacb5d7db libalgorithm-merge-perl_0.08-5_all.deb
48225793c486310600459d08a417dca0c28cbaf184047c09c82aff19107aa6f2 libyuv0_0.0~git20230123.b2528b0-1_amd64.deb
4922b5ade6ab4018089e9725fac243c89365aca788bc399a87cfc88501aaeba7 libsmartcols1_2.38.1-5+b1_amd64.deb
4af36a590b68d415a78d9238b932b6a4579f515ec8a8016597498acff5b515a4 libgdbm-compat4_1.23-3_amd64.deb
4b48b8f0b06c2c667d52117edcef69af6896bcfe69a4f4bde47b89590b83875e libperl5.36_5.36.0-7+deb12u1_amd64.deb
4b6c30f6554149c594628d945edc6003f0eea8d0cc1341638c0e71375db147ed libldap-2.5-0_2.5.13+dfsg-5_amd64.deb
4cf64c4e1168f3c7e858bb4a71f2c5bea9a36dd448cdcc2154a551ac146e293b libgav1-1_0.18.0-1+b1_amd64.deb
4e21728bbb1f170f35a5d60fe26adadb48c436f1b5fd977454e632668074169c libquadmath0_12.2.0-14_amd64.deb
4e58891d5c951a1e360ed9eaa814413cb5e84deadce3f08e801ac680434c786e libpython3-stdlib_3.11.2-1+b1_amd64.deb
4f0d35610204e4e754b057748719744114621f2f6f4202d846c314860a981afb libpsl5_0.21.2-1_amd64.deb
504b7be9d7df4f6f4519e8dd4d6f9d03a9fb911a78530fa23a692fba3058cba6 libxext6_2%3a1.3.4-1+b1_amd64.deb
505400598dcda712380f2e4a73b09b015a3fedf78bd874f6429622c448e249f9 libxpm4_1%3a3.5.12-1.1+deb12u1_amd64.deb
5308b9bd88eebe2a48be3168cb3d87677aaec5da9c63ad0cf561a29b8219115c ca-certificates_20230311_all.deb
5325e63acaecb37f6636990328370774995bd9b3dce10abd0366c8a06877bd0d bash_5.2.15-2+b2_amd64.deb
539c1a013e6e90800b4c37877cf871e7583791b486a39e23f2466906bbe5061f libfakeroot_1.31-1.2_amd64.deb
54149da3f44b22d523b26b692033b84503d822cc5122fed606ea69cc83ca5aeb libbz2-1.0_1.0.8-5+b1_amd64.deb
54f7a9e77c6b12bafa07ffb1d4c42933a416748119f169514c1ed1119d51f4b3 gcc-12_12.2.0-14_amd64.deb
55f951359670eb3236c9e2ccd5fac9ccb3db734f5a22aff21589e7a30aee48c9 debianutils_5.7-0.5~deb12u1_amd64.deb
563b4caec1aa5e876bd3355b36e7a38e1484baf5a293b48d1e8bd22db786e4d7 libbrotli1_1.0.9-2+b6_amd64.deb
57d6348f392c77ccc3fdc5874c527df18df8be702814b13d1151352b28e29145 xauth_1%3a1.1.2-1_amd64.deb
5912430927da16ccc831459679207fdbb9dfc5a206f2bab8d6f36d5a1ab53e25 libassuan0_2.5.5-5_amd64.deb
5a466348531b9c38c8e5ccb18c231f27a98b9fdab61b37ea22592553de5d2ced liberror-perl_0.17029-2_all.deb
5dd86bd0af4aa73f067dfd6b8339dd868f2dd84056aa79db29d1206d4fbc5e04 findutils_4.9.0-4_amd64.deb
5e1b647d802d9612596dfc6a546c0315f9d06843793aad66af2ad819c17c3e58 libaom3_3.6.0-1_amd64.deb
5ef7e6c1cd6b165455466bbfa6c22d8f5b61109d29aeab906bd3406322f34b15 xz-utils_5.4.1-0.2_amd64.deb
61038f857e346e8500adf53a2a0a20859f4d3a3b51570cc876b153a2d51a3091 coreutils_9.1-1_amd64.deb
6156f5b9edc0de38755869e5bcbed0b65d48d2a5531ae2f0ff2c347a7882f402 gnupg-utils_2.2.40-1.1_amd64.deb
619add379c606b3ac6c1a175853b918e6939598a83d8ebadf3bdfd50d10b3c8c libelf1_0.188-2.1_amd64.deb
6315b5ac38b724a710fb96bf1042019398cb656718b1522279a5185ed39318fa libzstd1_1.5.4+dfsg2-5_amd64.deb
639e1ab6bd66ead40db8a22c332d7199679fa22db261cac34444eb8eb4c17dda libnuma1_2.0.16-1_amd64.deb
64c17a80dede46900f8baf4a20803323aa57dac7707b0a8dea4b266767878945 libdpkg-perl_1.21.22_all.deb
64cde86cef1deaf828bd60297839b59710b5cd8dc50efd4f12643caaee9389d3 liblz4-1_1.9.4-1_amd64.deb
6631304ce4b5b9ba0af3fdebf088a734aed2d28ffad2a03ba79e4fcb2e226dd6 libgssapi-krb5-2_1.20.1-2+deb12u1_amd64.deb
665732aacbb8cb82cc5f33d0b6f31849001a02be074743fa5dd3ec218b95b48e util-linux-extra_2.38.1-5+b1_amd64.deb
679db1c4579ec7c61079adeaae8528adeb2e4bf5465baa6c56233b995d714750 libxau6_1%3a1.0.9-1_amd64.deb
67eec0eb4df58b93e1bf97c402c2cbeb361bf9c5af44fa3a02ff1c723c791ca2 libpython3.11-stdlib_3.11.2-6_amd64.deb
68aa3b3bdac8b34802df7e2e950bae64c40aa6c2b24fed356b832968f8305aa0 libfile-fcntllock-perl_0.22-4+b1_amd64.deb
69317523fe56429aa361545416ad339d138c1500e5a604856a80dd9074b4e35c readline-common_8.2-1.3_all.deb
6995822451e1300baa41b953c19f1094640ad4237982612583e980d32e18eee5 wget_1.21.3-1+b2_amd64.deb
6a91eee690e6ad2207df3a355fc329a58d8e31bf5ca9a9dd4de8f7a1c812ddc5 libk5crypto3_1.20.1-2+deb12u1_amd64.deb
6b07c77b700a615642888a82ba92a7e7c429d04b9c8669c62b2263f15c4c4059 libjbig0_2.1-6.1_amd64.deb
6c19a5d18c8350744581fbd25d5d29e2b7101053e25aafa4e1ffcc2b505b2f1c libxxhash0_0.8.1-1_amd64.deb
6d9f6c25c30efccce6d4bceaa48ea86c329a3432abb360a141f76ac223a4c34a libffi8_3.4.4-1_amd64.deb
6e129c5814812b3516a656ae5b664b9970e2f8823250cd5b98190f21c0de2bca libssl3_3.0.11-1~deb12u2_amd64.deb
6ea03cbbc7a7bfcee601c9fb08d4e026fd522ede5350561f06867ad9c0a0fa6b apt_2.6.1_amd64.deb
6f6fe95c43338db9887e52fe948228a779d3651fef1a975b62dfe891bb71fdc4 gnupg_2.2.40-1.1_all.deb
6f8c90780705bb2434d02e2360881b581319307ccde43abcd1f781e05928db04 cpp-12_12.2.0-14_amd64.deb
6f94b488255acd996254f775c77ff3956557c61f860a3c9caeaf65457554194f libpopt0_1.19+dfsg-1_amd64.deb
6fc5ab5858781ab90c68b4deea09f21871fd7b55dc1a0764ad7116ac4c86574d libpython3.11-minimal_3.11.2-6_amd64.deb
6ffd3721915c49580fc9bcf1ef06deab4ad59e99c52c9f349d03954642b97655 libgcc-12-dev_12.2.0-14_amd64.deb
7038b4d856aff8b4054f879c488c1298db5a83ecfa6280f85706f20e2e1935f1 libalgorithm-diff-xs-perl_0.04-8+b1_amd64.deb
70d356876847a9a540b5bebd02b2141f9de292e7ce17a596cafdecb15c39ba21 libisl23_0.25-1_amd64.deb
72300f09f02669c06c99b641ea795d52300ec7eb65eaccddf7bc3b72934f0ef5 libncurses6_6.4-4_amd64.deb
7259b7ce46444694ce536360ad53acb68eb3b47a7ff81d7b1b8a3939b2ac9918 libwebp7_1.2.4-0.2+deb12u1_amd64.deb
72a6c113801a0f307f3a9ab9fe7a7f9559d9164af990494ed2c50617a0e20452 libldap-common_2.5.13+dfsg-5_all.deb
72ef03236f1936e72a0faf86a547425b0eff3c5fd0b43f8669012182cf376354 libfreetype6_2.12.1+dfsg-5_amd64.deb
73d4a22bdd7eb6be1e480d6884b103eb500cfd539cc20ae0f3e44dd8b0614798 cpio_2.13+dfsg-7.1_amd64.deb
74ab14194a3762b2fc717917dcfda42929ab98e3c59295a063344dc551cd7cc8 debconf_1.5.82_all.deb
7516082b33a0e3c76d6c18d67754d5f2ef2116255fac9897ff0eb2004aa8de8c gpg-wks-server_2.2.40-1.1_amd64.deb
75bbf628518966bea04498df28391b5c070ccae110332302c52affcce8cb7b68 libss2_1.47.0-2_amd64.deb
771f5c47ca69f24ca61e4be0c98c5912b182ce442f921697d17a472f3ded5c9c liblerc4_4.0.0+ds-2_amd64.deb
7900a203b9b0e7db923882701e852e3c95a229a3bfb0b517531f6a679707e477 libtiff6_4.5.0-6+deb12u1_amd64.deb
791c92c681a3cefcc9721445dc8a301a1a3cb3eef40ac2c16a4d9dd9ad5a42d7 publicsuffix_20230209.2326-1_all.deb
79cb66b55021bd0130308369524bac5240d0b5463cb252cd44be6a1500fdebec libelf-dev_0.188-2.1_amd64.deb
7d2b2b700bae0ba67a13655fabba6a98da3f6ce7dee43d1ee0ac433b7ca1d947 libdebconfclient0_0.270_amd64.deb
7dc5127b8dd0da80e992ba594954c005ae4359d839a24eb65d0d8129b5235c84 libdb5.3_5.3.28+dfsg2-1_amd64.deb
8010e4285276bb344c05ae780deae2fffb45e237116c3a78481365c5954125ec libcom-err2_1.47.0-2_amd64.deb
8011853dcb09cd62d60fd95791eabba86df58d70b054f654f1bb51261b95cb98 libudev1_252.19-1~deb12u1_amd64.deb
81ccd29130f75a9e3adabc80e61921abff42f76761e1f792fa2d1bb69af7f52f libcrypt-dev_1%3a4.4.33-2_amd64.deb
835f806c21ae25e39053bd3057051640341b0cf08e1db9746fd82e370d82fa30 libsemanage-common_3.4-1_all.deb
83c3e20b53e1fbd84d764c3ba27d26a0376e361ae5d7fb37120196934dd87424 binutils_2.40-2_amd64.deb
851d270e36707787ab1cd269dbd9597864feaf3f8453ecd3c426caaa56142222 libpam-modules_1.5.2-6+deb12u1_amd64.deb
86b1f3504cf50fd4873be364c8a4e49a8c28e3442b31963a98a758135283db9d login_1%3a4.13+dfsg1-1+b1_amd64.deb
8892669e51aab4dc56682c8e39d8ddb7d70fad83c369344e1e240bf3ca22bb76 fonts-dejavu-core_2.37-6_all.deb
89944ee11d7370ce6ef46fc52f094c4a6512eff8943ec4c6ebefeae6360ceada libgpg-error0_1.46-1_amd64.deb
8a2f81076419cd6b0def5cd1fac98383c85ddec1a5c388f57e8e9e2fdf491ad9 libmount1_2.38.1-5+b1_amd64.deb
8bdfedc14c1035e3750e9f055ac9c1ecd9b5d05d9e6dc6466c4e9237eef407dd diffutils_1%3a3.8-4_amd64.deb
8be9df5795114bfe90e2be3d208ef47a5edd3fc7b3e20d387a597486d444e5e2 libacl1_2.3.1-3_amd64.deb
8c6d49b771530dbe26d7bd060582dc7d2b4eeb603a20789debc1ef4bbbc4ef67 patch_2.7.6-7_amd64.deb
8cbd111e1ad1c1357afb18f916c88c7ebb8cc860b8fac04ccc66a9eefe5a53af libcbor0.8_0.8.0-2+b1_amd64.deb
908ca1b35125f49125ae56945a72bc11ce0fcec85a8d980d10d83bb3a610f518 base-passwd_3.6.1_amd64.deb
95224197cc1275ee3e625be4522f9d03f8fea3bd7a5d7d8f1f55ab914736b404 perl_5.36.0-7+deb12u1_amd64.deb
95ec30140789a342add8f8371ed018924de51b539056522b66f207b25cba9cad libjpeg62-turbo_1%3a2.1.5-2_amd64.deb
95fe4a1336532450e67bd067892f46eaa484139919ea8d067a9ffcbf5a4bf883 libgdbm6_1.23-3_amd64.deb
96c2d796a21fdc92b4d272a550841c208e89c91ab0d54514ac28ae92da64c2c7 libc6_2.36-9+deb12u3_amd64.deb
96f55cb5e26231d5567c89b692bced63825a14a2d5bd18fdf16ea2ed44eb9838 manpages-dev_6.03-2_all.deb
9751239757dcc218a3cd5a5772070e33d86a8a15506fe5af8a47793d61fa2abc libcurl3-gnutls_7.88.1-10+deb12u5_amd64.deb
983ca41d506fa159536cd584118855748763f5f5a3b5949206bee4a62ec0cbf9 libxmuu1_2%3a1.1.3-3_amd64.deb
9840ce93b42b66c784852df07ee9131b7acab886177794a5c9ba761da9463887 libc-bin_2.36-9+deb12u3_amd64.deb
987a848aeb1c358e4186368871b0526f10bb14c6b53214ab3bf8b69abb830191 libx11-data_2%3a1.8.4-2+deb12u2_all.deb
98fa7a53dc565a38b65fb70422ad08001bf5361d8fbc74255280c329996a6bec libncursesw6_6.4-4_amd64.deb
993ea623ce5b42d67f653f2faaa7ef15e7c9d72bfcb93e22a1eaff7aa3532303 libpcre3_2%3a8.39-15_amd64.deb
9b1b269020cec6aced3b39f096f7b67edd1f0d4ab24f412cb6506d0800e19cbf libstdc++6_12.2.0-14_amd64.deb
9b8223674661ead1836ce21966f7e4511a3a943c1b87c02ea92ec17ed2c3f2cf perl-modules-5.36_5.36.0-7+deb12u1_all.deb
9cd87d1b0c56f34f51bcbe8bdb55ebb45dd08ce6c0c6ff2dc77378bac3f64cc0 libx265-199_3.5-2+b1_amd64.deb
9d1d4ba9ac38a7ae48567bfbd0bec88e02a5ccd941a48a76709a131197ea6570 python3.11_3.11.2-6_amd64.deb
9d97f27d8a8a06dd4800e8e0291337ca02e11cdfd7df09a4566a982a6d9fe4c4 dpkg_1.21.22_amd64.deb
9e46ced911ab34dee945fbcb2720b19eef39b0ac814583b9b7bb3a36f6179524 dpkg-dev_1.21.22_all.deb
9e6305a100f5178cc321ee33b96933a6482d11fdc22b42c0e526d6151c0c6f0f libseccomp2_2.5.4-1+b3_amd64.deb
a0f0f3fbeb661d9bda139a54f4bd1c30aa66cd55a8fa0beb0e6bc7946e243ca1 libstdc++-12-dev_12.2.0-14_amd64.deb
a1a83af8cbd854af887b72ad196b1f4af58387815e21ced1000253a116a46e2a make_4.3-4.1_amd64.deb
a241c2adc7438a7e217f32544028489981768a349d3e48673392703255c7b88e libmagic1_1%3a5.44-3_amd64.deb
a35f744972476c4b425e006d5c0752d917f3a6f48ce1268723a29e65a65b78a6 libatomic1_12.2.0-14_amd64.deb
a3c4092d84f19d13caf90f3c96eec53db8819f0e3a5247434944d71ed75fa53d libgprofng0_2.40-2_amd64.deb
a4d4d44b996fbb4d7b43710ec42d6ed30deefac9ed62c32ddc95d38767717ae1 krb5-locales_1.20.1-2+deb12u1_all.deb
a520264593224df5a4e98d9e95edffa4cf420dc3af7d609c2f5776e180dbc494 bsdutils_1%3a2.38.1-5+b1_amd64.deb
a63db920f7aa1857a57beab185423deffb6111fa09437a99bbb4ef724fb7ba78 cpp_4%3a12.2.0-3_amd64.deb
a6b79588938ef738fe6f03582b3ca0ed4fbd4a152dbe9f960e51a0355479a117 libitm1_12.2.0-14_amd64.deb
a72247ba64bcd1d0ace2ea8eefd7bcfaca84204def9495269526c25dd9fddc0c python3.11-minimal_3.11.2-6_amd64.deb
a8b11a1664a998cc2499fb04327d1f6c4e8f77b78ea8b6f8418d96fc54e3731f libsqlite3-0_3.40.1-2_amd64.deb
aaa46dcb3b39948ae2e0fdb72cfcb2f48c0b59f19785a3da8045c05eb19955dd media-types_10.0.0_all.deb
aaf001e0d4c68f995f9efbc551d54f213122fef99b3eaf9e28286bda6c03da73 libabsl20220623_20220623.1-1_amd64.deb
ab314134f43a0891a48f69a9bc33d825da748fa5e0ba2bebb7a5c491b026f1a0 binutils-common_2.40-2_amd64.deb
ac48d6bfac9298843355561a14047673a9361ecff7f24cfe1da119dbf1a037e9 gpg-agent_2.2.40-1.1_amd64.deb
b09481e7690680966005330c3f907bba4b5eefc35e1faaea4783cc55655d1150 libfaketime_0.9.10-2.1_amd64.deb
b10102de6c5f57bd040e9ee2a5fa9a5182a769ecb56a9ac09af4ab5f38131482 libc6-dev_2.36-9+deb12u3_amd64.deb
b1966bea9832686a0fd5ddba9787dce5816ebe02218a4a8f7472a1628d73451b libsasl2-modules_2.1.28+dfsg-10_amd64.deb
b36fefe9867f9e59b540f952e957a72ebdc241e997179d826da19a9511ade4a3 libcap2_1%3a2.66-4_amd64.deb
b3a0cc418526e1f9ae90ed320714cbdcf28dc252e7b5dddbf885cbe4062b3c63 gpgconf_2.2.40-1.1_amd64.deb
b3d9529c34382cc8d2e6cc8299a18536504edbc284b9133ffbe522704865068e unzip_6.0-28_amd64.deb
b4327c2d8e2ca92402205ac6b5845b3110fa2a1d50925c0e61c39624583a8baf perl-base_5.36.0-7+deb12u1_amd64.deb
b4b54769c77e4a71c8b33aee4d600ba28a9994a1c6f60d55d4ebe7fc44882e07 libcap-ng0_0.8.3-1+b3_amd64.deb
b52ffe8f80020a0df90d5fc188561010042ee8a67aae6de463d141a5fc09e1bc libksba8_1.6.3-2_amd64.deb
b81c29562345b88b809ee63acc6ef8bb7a1c0cbde2cf5959276da8dfdd3b9c26 libheif1_1.15.1-1_amd64.deb
b998946bb9818a97b387a962826caae33bc7fdcb6d706b2782c0470510be6b48 libsepol2_3.4-2.1_amd64.deb
b9c15ab69bb1408136f094e593bb9bedc1dec4a830519c412a191e4ca6d1a287 libgnutls30_3.7.9-2+deb12u1_amd64.deb
baaa4e935c5e3bcd57d4f2f4e7a1ddc67bd4eb8629d98f97a696548849ae01ac bc_1.07.1-3+b1_amd64.deb
bad01673ba5dfb9b5db4f3ae6a71f18d492cb6801eab45ad3c7d483c0a1f6ad2 libmagic-mgc_1%3a5.44-3_amd64.deb
bb31cc8b40f962a85b2cec970f7f79cc704a1ae4bad24257a822055404b2c60b libbsd0_0.11.7-2_amd64.deb
bb63b0fb2797e2a3a294dab8a02614930c557ec1f4ea96637c244b8b5f87e630 gcc_4%3a12.2.0-3_amd64.deb
bb81a188c119cd7fdebae723cbc95887b6c549b2fe4fb7e268a9c8846444da99 libnsl-dev_1.3.0-2_amd64.deb
bbfd38de41898a06326f2a6ce4cc43e8e399f5566381231065b01d70499d5ba5 build-essential_12.9_amd64.deb
bc62f3b366042157e9a8d00d04f1bd2e2a05e37501fc9a821883f99aa282ed77 gnupg-l10n_2.2.40-1.1_all.deb
bcbc83f391854ea9d50ce2a4101aacf330de3b8b71d81a798faadba14a157f78 mawk_1.3.4.20200120-3.1_amd64.deb
bfd1d89f833c09a28b062ee916495cf69649ca2bf529532476c7b69d75d24909 ncurses-base_6.4-4_all.deb
bffcac7e4f69e39d37d4a33e841d6371ac8b5aba6cd55546b385dc7ff6c702f5 libgcrypt20_1.10.1-3_amd64.deb
c0d83437fdb016cb289436f49f28a36be44b3e8f1f2498c7e3a095f709c0d6f8 libnsl2_1.3.0-2_amd64.deb
c1450e3afcb821645976b0c1dc06094195d7540ac2c811924ace472303290962 usr-is-merged_35_all.deb
c158f1d854928a91ae0cfcfbf0653083624f73d6be94005d26358ecc8edc3173 libde265-0_1.0.11-1+deb12u1_amd64.deb
c1bac61abefa0d957394d33c02b7bfb2a3ab3ce5e6d90617c4019ddea4bdbf63 debian-archive-keyring_2023.3+deb12u1_all.deb
c24fe4eb8e60d8632d72ed104cce7c92cff200847c897dc8ba764b6c47b519e0 adduser_3.134_all.deb
c266adb3545b0b8ff6450dbd09f85f19361bf5bc9290ddf2e869f040cb9725b7 librav1e0_0.5.1-6_amd64.deb
c2b3ccade855de14c6ece893a0d2bec63b0a007cbc2970af8152cf06699ccd2a libuuid1_2.38.1-5+b1_amd64.deb
c4945123d66d0503ba42e2fc0585abc76d0838978c6d277b9cc37a4da25d1a34 libattr1_1%3a2.5.1-4_amd64.deb
c6a494d3605341a2c909e280f81fa015a4c8df2de8624c88a712a7f98a63f057 liblsan0_12.2.0-14_amd64.deb
ccab743f6784b4cc7bd69e1810630edaf726cd69c1e735e39a16266d470bfdc0 libapt-pkg6.0_2.6.1_amd64.deb
cfac89e6a7a54ff3c6a4f843310e25efeddaa771baeae470bd98bd588c373563 libkeyutils1_1.6.3-2_amd64.deb
d20a3ee34fa84ad8bd381e8be6e9c2c2ea32347cff5e1169c10e978d43f54f24 libssh2-1_1.10.0-3+b1_amd64.deb
d3564267cef9f0162ad21b73d34b6a4302ee3a84426188168d74be737b079647 libgd3_2.3.3-9_amd64.deb
d466bbfe011d764d793c1d9d777cad9c7cf65b938e11598f27408171ad95a951 libunistring2_1.0-2_amd64.deb
d4b7736e58512a2b047f9cb91b71db5a3cf9d3451192fc6da044c77bf51fe869 liblzma5_5.4.1-0.2_amd64.deb
d50716d5824083d667427817d506b45d3f59dc77e1ca52de000f3f62d4918afa libidn2-0_2.3.3-1+b1_amd64.deb
d66fd8d7dd21a98e6a5acaa8d3fcb80b30561bb20c8e635dd6e66873abd4d40d gpg_2.2.40-1.1_amd64.deb
d7dd1d1411fedf27f5e27650a6eff20ef294077b568f4c8c5e51466dc7c08ce4 zlib1g_1%3a1.2.13.dfsg-1_amd64.deb
d7f79544790e44f9b0c8cb9034a18c58d37f8702a15f32539050718679e52f80 libmpc3_1.3.1-1_amd64.deb
d88c973e79fd9b65838d77624142952757e47a6eb1a58602acf0911cf35989f4 libx11-6_2%3a1.8.4-2+deb12u2_amd64.deb
d8e04be2cd7f8299668020b1c2a13ce07a1b79e73c901338a6fabd77ccabf004 libtsan2_12.2.0-14_amd64.deb
da03311a716bdcb73d1a93d322901ac46dce8eac67b5ccc95a6d8b776bfb4021 libpam-runtime_1.5.2-6+deb12u1_all.deb
dba89cd91adcb886ce1972122e55768aa3652cb562a6b26c5983c2d482a30a1e libfido2-1_1.12.0-2+b1_amd64.deb
dc32727dca9a87ba317da7989572011669f568d10159b9d8675ed7aedd26d686 libpng16-16_1.6.39-2_amd64.deb
e02ebbd3701cf468dbf98d6d917fbe0325e881f07fe8b316150c8d2a64486e66 libreadline8_8.2-1.3_amd64.deb
e0f6e357f327e80f26438dcda9c9304c43e2f3343359c6a5075d0b10ddfdb05d libsvtav1enc1_1.4.1+dfsg-1_amd64.deb
e1f69020dc2c466e421ec6a58406b643be8b5c382abf0f8989011c1d3df91c87 librtmp1_2.4+20151223.gitfa8646d.1-2+b2_amd64.deb
e28d141cebb72f1ac1f1d0ea6528b343e41287128db3d4b217ce7790a22352cf libext2fs2_1.47.0-2_amd64.deb
e360be5f17f9c09c8f17bae809f6c6f091c5bb6ab1a44fc33e4fb86c5e5559df libpam0g_1.5.2-6+deb12u1_amd64.deb
e3a8e56057592c60fd8db174968e9f232f07905b79544a9e477cd48f008326b2 dirmngr_2.2.40-1.1_amd64.deb
e46fbb519b4342c114b2fa19bcdb736e294eadc769fae75d6bc2e94a4db67f15 libubsan1_12.2.0-14_amd64.deb
e489a9282c4b765c29d9eda7c4747e1cb58be71161012c3a57e2a8bc63dc0f5a libkrb5support0_1.20.1-2+deb12u1_amd64.deb
ea063646d4f70d15be5ed52b67b5ac95d68dda823c60d808c7c25439c6d14e4d openssl_3.0.11-1~deb12u2_amd64.deb
eabec1dde2834f72540d7b93fc5df2625f52611c06d93d61f5cdb12480e0e6a3 gzip_1.12-1_amd64.deb
ecb8536f5fb34543b55bb9dc5f5b14c9dbb4150a7bddb3f2287b7cab6e9d25ef libxdmcp6_1%3a1.1.2-3_amd64.deb
ed8185c28b2cb519744a5a462dcd720d3b332c9b88a1d0002eac06dc8550cb94 libhogweed6_3.8.1-2_amd64.deb
ee690db978151ae372dcede4bba26c299d985046e6dc708bb907961901b73b6a libnghttp2-14_1.52.0-1+deb12u1_amd64.deb
eec4dc9d949d2c666b1da3fa762a340e8ba10c3a04d3eed32749a97695c15641 libtasn1-6_4.19.0-2_amd64.deb
ef1dfcf22de41ea90ebd3d505447ccccd999e96b85aa777a1d7d981dc3b347aa libctf-nobfd0_2.40-2_amd64.deb
efa1ba4cd19ad7baeae959c9209a7eb74be2ebb858bcabb412597bfc9f588c91 manpages_6.03-2_all.deb
f3d1d48c0599aea85b7f2077a01d285badc42998c1a1e7473935d5cf995c8141 libgcc-s1_12.2.0-14_amd64.deb
f5f60a5cdfd4e4eaa9438ade5078a57741a7a78d659fcb0c701204f523e8bd29 libcrypt1_1%3a4.4.33-2_amd64.deb
f9ce24cbf69957dc1851fc55adba0a60b5bc617d51587b6478f2be64786442f1 init-system-helpers_1.65.2_all.deb
f9ce531f60cbd5df37996af9370e0171be96902a17ec2bdbd8d62038c354094f zlib1g-dev_1%3a1.2.13.dfsg-1_amd64.deb
fa5cd07754d9a4f93e2a6f54a5b1fa160230e312121d62c0c609b6701f9b93a3 git_1%3a2.39.2-1.1_amd64.deb
fc6a692d2f399b83ef5a7f310883286a5e4326095812d8bb934925125002981c libpam-modules-bin_1.5.2-6+deb12u1_amd64.deb
fcf55b99e5f8a78f3c8ce9b6957f1024f394cf20c196b100d308a57e43547710 libbinutils_2.40-2_amd64.deb
fd36d0972866adde5a52269a309fcecd76a8e45e557dd0ecd33aa221cabc2a8c libsemanage2_3.4-1+b5_amd64.deb
fdc61332a3892168f3cc9cfa1fe9cf11a91dc3e0acacbc47cbc50ebaa234cc71 libxcb1_1.15-1_amd64.deb
fe36a7f35361fc40d0057ef447a7302fd41d51740d51c98fb3870bbed5b96e56 libexpat1_2.5.0-1_amd64.deb
fe524a9de7ed6b2a1465693f12d5f7be2d2d9f6d6e6bf028f17109263e173dc8 liblocale-gettext-perl_1.07-5_amd64.deb

13
config/toolchain/packages-base.list Normal file
View File

@ -0,0 +1,13 @@
debian-archive-keyring
build-essential
git
libfaketime
file
wget
cpio
unzip
rsync
bc
libncurses-dev
python3
libelf-dev

256
config/toolchain/packages-x86_64.list Normal file
View File

@ -0,0 +1,256 @@
adduser=3.134
apt=2.6.1
base-files=12.4+deb12u4
base-passwd=3.6.1
bash=5.2.15-2+b2
bc=1.07.1-3+b1
binutils-common=2.40-2
binutils-x86-64-linux-gnu=2.40-2
binutils=2.40-2
bsdutils=1:2.38.1-5+b1
build-essential=12.9
bzip2=1.0.8-5+b1
ca-certificates=20230311
coreutils=9.1-1
cpio=2.13+dfsg-7.1
cpp-12=12.2.0-14
cpp=4:12.2.0-3
dash=0.5.12-2
debconf=1.5.82
debian-archive-keyring=2023.3+deb12u1
debianutils=5.7-0.5~deb12u1
diffutils=1:3.8-4
dirmngr=2.2.40-1.1
dpkg-dev=1.21.22
dpkg=1.21.22
e2fsprogs=1.47.0-2
fakeroot=1.31-1.2
file=1:5.44-3
findutils=4.9.0-4
fontconfig-config=2.14.1-4
fonts-dejavu-core=2.37-6
g++-12=12.2.0-14
g++=4:12.2.0-3
gcc-12-base=12.2.0-14
gcc-12=12.2.0-14
gcc=4:12.2.0-3
git-man=1:2.39.2-1.1
git=1:2.39.2-1.1
gnupg-l10n=2.2.40-1.1
gnupg-utils=2.2.40-1.1
gnupg=2.2.40-1.1
gpg-agent=2.2.40-1.1
gpg-wks-client=2.2.40-1.1
gpg-wks-server=2.2.40-1.1
gpg=2.2.40-1.1
gpgconf=2.2.40-1.1
gpgsm=2.2.40-1.1
gpgv=2.2.40-1.1
grep=3.8-5
gzip=1.12-1
hostname=3.23+nmu1
init-system-helpers=1.65.2
krb5-locales=1.20.1-2+deb12u1
less=590-2
libabsl20220623=20220623.1-1
libacl1=2.3.1-3
libalgorithm-diff-perl=1.201-1
libalgorithm-diff-xs-perl=0.04-8+b1
libalgorithm-merge-perl=0.08-5
libaom3=3.6.0-1
libapt-pkg6.0=2.6.1
libasan8=12.2.0-14
libassuan0=2.5.5-5
libatomic1=12.2.0-14
libattr1=1:2.5.1-4
libaudit-common=1:3.0.9-1
libaudit1=1:3.0.9-1
libavif15=0.11.1-1
libbinutils=2.40-2
libblkid1=2.38.1-5+b1
libbrotli1=1.0.9-2+b6
libbsd0=0.11.7-2
libbz2-1.0=1.0.8-5+b1
libc-bin=2.36-9+deb12u3
libc-dev-bin=2.36-9+deb12u3
libc-devtools=2.36-9+deb12u3
libc6-dev=2.36-9+deb12u3
libc6=2.36-9+deb12u3
libcap-ng0=0.8.3-1+b3
libcap2=1:2.66-4
libcbor0.8=0.8.0-2+b1
libcc1-0=12.2.0-14
libcom-err2=1.47.0-2
libcrypt-dev=1:4.4.33-2
libcrypt1=1:4.4.33-2
libctf-nobfd0=2.40-2
libctf0=2.40-2
libcurl3-gnutls=7.88.1-10+deb12u5
libdav1d6=1.0.0-2
libdb5.3=5.3.28+dfsg2-1
libde265-0=1.0.11-1+deb12u1
libdebconfclient0=0.270
libdeflate0=1.14-1
libdpkg-perl=1.21.22
libedit2=3.1-20221030-2
libelf-dev=0.188-2.1
libelf1=0.188-2.1
liberror-perl=0.17029-2
libexpat1=2.5.0-1
libext2fs2=1.47.0-2
libfakeroot=1.31-1.2
libfaketime=0.9.10-2.1
libffi8=3.4.4-1
libfido2-1=1.12.0-2+b1
libfile-fcntllock-perl=0.22-4+b1
libfontconfig1=2.14.1-4
libfreetype6=2.12.1+dfsg-5
libgav1-1=0.18.0-1+b1
libgcc-12-dev=12.2.0-14
libgcc-s1=12.2.0-14
libgcrypt20=1.10.1-3
libgd3=2.3.3-9
libgdbm-compat4=1.23-3
libgdbm6=1.23-3
libgmp10=2:6.2.1+dfsg1-1.1
libgnutls30=3.7.9-2+deb12u1
libgomp1=12.2.0-14
libgpg-error0=1.46-1
libgpm2=1.20.7-10+b1
libgprofng0=2.40-2
libgssapi-krb5-2=1.20.1-2+deb12u1
libheif1=1.15.1-1
libhogweed6=3.8.1-2
libidn2-0=2.3.3-1+b1
libisl23=0.25-1
libitm1=12.2.0-14
libjansson4=2.14-2
libjbig0=2.1-6.1
libjpeg62-turbo=1:2.1.5-2
libk5crypto3=1.20.1-2+deb12u1
libkeyutils1=1.6.3-2
libkrb5-3=1.20.1-2+deb12u1
libkrb5support0=1.20.1-2+deb12u1
libksba8=1.6.3-2
libldap-2.5-0=2.5.13+dfsg-5
libldap-common=2.5.13+dfsg-5
liblerc4=4.0.0+ds-2
liblocale-gettext-perl=1.07-5
liblsan0=12.2.0-14
liblz4-1=1.9.4-1
liblzma5=5.4.1-0.2
libmagic-mgc=1:5.44-3
libmagic1=1:5.44-3
libmd0=1.0.4-2
libmount1=2.38.1-5+b1
libmpc3=1.3.1-1
libmpfr6=4.2.0-1
libncurses-dev=6.4-4
libncurses6=6.4-4
libncursesw6=6.4-4
libnettle8=3.8.1-2
libnghttp2-14=1.52.0-1+deb12u1
libnpth0=1.6-3
libnsl-dev=1.3.0-2
libnsl2=1.3.0-2
libnuma1=2.0.16-1
libp11-kit0=0.24.1-2
libpam-modules-bin=1.5.2-6+deb12u1
libpam-modules=1.5.2-6+deb12u1
libpam-runtime=1.5.2-6+deb12u1
libpam0g=1.5.2-6+deb12u1
libpcre2-8-0=10.42-1
libpcre3=2:8.39-15
libperl5.36=5.36.0-7+deb12u1
libpng16-16=1.6.39-2
libpopt0=1.19+dfsg-1
libpsl5=0.21.2-1
libpython3-stdlib=3.11.2-1+b1
libpython3.11-minimal=3.11.2-6
libpython3.11-stdlib=3.11.2-6
libquadmath0=12.2.0-14
librav1e0=0.5.1-6
libreadline8=8.2-1.3
librtmp1=2.4+20151223.gitfa8646d.1-2+b2
libsasl2-2=2.1.28+dfsg-10
libsasl2-modules-db=2.1.28+dfsg-10
libsasl2-modules=2.1.28+dfsg-10
libseccomp2=2.5.4-1+b3
libselinux1=3.4-1+b6
libsemanage-common=3.4-1
libsemanage2=3.4-1+b5
libsepol2=3.4-2.1
libsmartcols1=2.38.1-5+b1
libsqlite3-0=3.40.1-2
libss2=1.47.0-2
libssh2-1=1.10.0-3+b1
libssl3=3.0.11-1~deb12u2
libstdc++-12-dev=12.2.0-14
libstdc++6=12.2.0-14
libsvtav1enc1=1.4.1+dfsg-1
libsystemd0=252.19-1~deb12u1
libtasn1-6=4.19.0-2
libtiff6=4.5.0-6+deb12u1
libtinfo6=6.4-4
libtirpc-common=1.3.3+ds-1
libtirpc-dev=1.3.3+ds-1
libtirpc3=1.3.3+ds-1
libtsan2=12.2.0-14
libubsan1=12.2.0-14
libudev1=252.19-1~deb12u1
libunistring2=1.0-2
libuuid1=2.38.1-5+b1
libwebp7=1.2.4-0.2+deb12u1
libx11-6=2:1.8.4-2+deb12u2
libx11-data=2:1.8.4-2+deb12u2
libx265-199=3.5-2+b1
libxau6=1:1.0.9-1
libxcb1=1.15-1
libxdmcp6=1:1.1.2-3
libxext6=2:1.3.4-1+b1
libxmuu1=2:1.1.3-3
libxpm4=1:3.5.12-1.1+deb12u1
libxxhash0=0.8.1-1
libyuv0=0.0~git20230123.b2528b0-1
libzstd1=1.5.4+dfsg2-5
linux-libc-dev=6.1.69-1
login=1:4.13+dfsg1-1+b1
logsave=1.47.0-2
make=4.3-4.1
manpages-dev=6.03-2
manpages=6.03-2
mawk=1.3.4.20200120-3.1
media-types=10.0.0
mount=2.38.1-5+b1
ncurses-base=6.4-4
ncurses-bin=6.4-4
netbase=6.4
openssh-client=1:9.2p1-2+deb12u2
openssl=3.0.11-1~deb12u2
passwd=1:4.13+dfsg1-1+b1
patch=2.7.6-7
perl-base=5.36.0-7+deb12u1
perl-modules-5.36=5.36.0-7+deb12u1
perl=5.36.0-7+deb12u1
pinentry-curses=1.2.1-1
publicsuffix=20230209.2326-1
python3-minimal=3.11.2-1+b1
python3.11-minimal=3.11.2-6
python3.11=3.11.2-6
python3=3.11.2-1+b1
readline-common=8.2-1.3
rpcsvc-proto=1.4.3-1
rsync=3.2.7-1
sed=4.9-1
sysvinit-utils=3.06-4
tar=1.34+dfsg-1.2
tzdata=2023c-5+deb12u1
unzip=6.0-28
usr-is-merged=35
util-linux-extra=2.38.1-5+b1
util-linux=2.38.1-5+b1
wget=1.21.3-1+b2
xauth=1:1.1.2-1
xz-utils=5.4.1-0.2
zlib1g-dev=1:1.2.13.dfsg-1
zlib1g=1:1.2.13.dfsg-1

6
config/toolchain/sources.list Normal file
View File

@ -0,0 +1,6 @@
deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
deb http://deb.debian.org/debian bookworm-updates main
deb [trusted=yes] http://snapshot.debian.org/archive/debian/20240125T000000Z bookworm main
deb [trusted=yes] http://snapshot.debian.org/archive/debian-security/20240125T000000Z bookworm-security main
deb [trusted=yes] http://snapshot.debian.org/archive/debian/20240125T000000Z bookworm-updates main

BIN
dist/airgap.iso (Stored with Git LFS) vendored
View File

Binary file not shown.

16
dist/manifest.2BDE9CDB6D0FAD15.asc vendored Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEzAzToO3Ax9K7Run3B88Hlc0qV+sFAmP+XQ4ACgkQB88Hlc0q
V+v1lg/9HxgMu/SLVcDlLEi0uz21693OwEBjcxL1rRca7y4/t/upGnhu53c0gM7W
ws+voJWWi9d8wTeuwl9yxvajdAo8I3Jw78hjXZWvqTK0CmLSSfCBTH6e7uRpvzbC
cJrc3QiErI84TpJde4NmZpMz6oGPzp+qdoAPCvsSiS2xy97+ZGB9OIfffjmlN86L
ZIjKCB0K2+yijB3pa/faNHv3Jv4XKliUXP+AelT0Rsw2466Bndruh63mxNjqYZiC
54hVd46ASwhS4YDNFZVrcYJNETr52328QjhtNlPsG83E2KGp2rl9mFaiXxLQsFD0
7j0VPIFPAqDvD7ZhAf5oTZDmo2BJYZpGTmTjBAdKDKCWySbwIEoGC65UoOY8ROXV
uGNqf9enFzWfnwLcDiujDo3e51Dag65FnEGkUDLUo/D/2B+r9vEzesVdTuGx3Szh
OTldUZp0ls9bCqhO4cCllZheswREbTTUUSYMYGNsRF+j6VaBR8jYa9yM4AX/Qk4N
9cokKyUD/ci49CH8R6THliD7FtF1G+LWvgHI4ZKzrEMJGyJVTiimHX4N2BJzZtUv
ObfCcskscf6DZxDpiFG256t2FYL3zQzNCaLj7mBpwe9NRuLwiSuHgS3udP9qossn
6Zew0D+a9wpst1MibKMx1G6eLn24Bjly81LDvIaKPn/yRIRrVzc=
=RJE0
-----END PGP SIGNATURE-----

26
dist/manifest.36C8AAA9.asc vendored
View File

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAma0fbsACgkQjkeh7DWh iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAmP5OHwACgkQjkeh7DWh
VR0lYBAAsjKcqgoSM73lck4gSga3CWtTfZ/k7azr98HnUw5InTyTwvna2sRGL3jb VR08/w//ScO/qM0a8JAAsCuCXEeZIJAhkICrxOCjMl6z9KP3lU8yVU6NL/ULF9P4
Q0pUhrPVQVmjXSyxD/hR/uLuiAfUn2Gyhp1MZS3C7jmFcRsxCJzNbByv/2bUS2+U 0nW5A1jnZo9PKcabV1RKFkQ/UuJdmUOuupg5JkN5X99rR/SDZ6hrsVy/tS6kjKaU
5TaCoxmM8SdxTqcBIyYylKzZ4ub0t3bCWUt2uPqdSqslgEReeqbzzE3jpmiUfmHE Z9qMGlsVRYVdbBb+VKtQB1gguj04QXVD9iAFIeAeaRRNMhtqo7gMHU1cdOkB86g2
daaZhZa3iPEr7vqq00jUGFuSEdxQCQkty0nZHzfGhHwbliiUGyH6/bb+u4v5eGYH H4w25LuxkIfRtyGlUgtBMS3MqpRiNjUSunP357VlHFBEGv4yT7CcdLK68FFd6Qzp
VEyRq0CWFgw5sywpSf3UZjR0fkd0do9z6Li1ggN2GV63I4oT3L1LltcMXtgfMp+B U1KJja5DG68aVTHdT47LvFCKRPjyFvheA1Ok1feSnYrOqPAhzYEFuWoE+f/+/nsI
SA3gz7/mJsMqM6H2ZWqUgJAZw/mZCGStftSnOTKdyEtpzagNNeePa5f4kM1ZuHF6 JLqGVvPO7g40p0YXZdPWjQON4ZpcRuWG9TRg85G4WV+sQfqnDpz1i2++pb2RrOMI
ehSl1nbnCeCPfedS8+oUm3v8qWiFLXz4tmYvBnfDWaUXIYpNOrvJPtatdinTNRfl SNwUIz8zdTaWo1G+AoNfaveybk7BOlAstjDwA5SzukFNrPvBSOQpe53i+NGyTAPS
nglyEt6Olc+3vEqkrEl7JFu13Gl92mbuhhelKjM/VDheHBUZ6yrso1aLbyruO+wm pbKnir6IAD1QwagZOzYac6tzE4ZX2F7zmjPrwCDHGYAYuaQV+1CWiIvnN5zCjHXe
RxL3pQSCNfAnIQpSdkXga5gVvbZDDISBast3qHFuZaZFbo2p24hw0HnLAfyCrxgF pvl22LKwr8BDRHzmVpctdVojlkb4llrbdzq3cMZgdXasXKORD9+yuGAK5+hfekmi
JnN3x2qqRlTzQSrVr4EEXUwUqpt5LlnQ3kDLNVYhXuqTdmyETj1YGnAXkqV/D+Z7 vsUMROvIp27q/eFL5fLTIP3clOo5+foWdB4cqWoS0q+5qIG3Aa0YZp9HDeI9pdjH
B7hlDdddXI5d0yDoYPAmF9N7XJCasdfutnO/8IfZ/eE989jYybE= W11QFp4tlrDwA0lgHdUiF4vITxDk/+qz0Hi3gKCll87cmXUufRg=
=eruT =wZZ6
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

16
dist/manifest.8E401478A3FBEF72.asc vendored
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEiII6deyqeGsP84sUjkAUeKP773IFAma0f0IACgkQjkAUeKP7
73I33w//SaGbbM9z8SYsWhii1SBnfs6NVQSwdBoO20C4gFdmZkPVDak3QoCAioaC
GjlEOEDb7SXfWi3n2z72P97dswN6dG1IxQKR1N913IWzUUEXGR0phaC+o0P1/f74
MXrcUDLwwJwZsA/0zMV6gHvONEqwgmfEO4WrEB/Ty7ueoJjsmQ2oauWytlh8CVDR
3HFwiVoAjRC2d0vKj0eL2n9pNQNEYKb+oJ/gq3sk2L8qPs1vThQguHADvqmi6V3w
+4tZqviksPXb+sve3VTsKFDbd5AXvcRY4TbPawQ5W7Aa6iK9W/yA10+zXvcHoGrA
6iMR94yI9eprBkqoeoxr2MHPk+8d9xXB16hY/h+OCPibkFFfPST9GDFcp0nk1JFH
b0bbpanBsxwN3IxTAL0a7iD2nxftZHjgiZib1lhdhLg35o9iou1V0fRPwdjepS3o
2TBvKhtNncUW/87ZhxhdkTI/iUvS0iem3KHUQXkM+ziOC5zGf+PYvMCuy2P0oSei
731aVOgxKbpEZHY0pTkuqG7U4+RWZ+KJEnxETcZWoCeY9DW/u2Dx5hukeZJbvmUo
111vBoziyocgKvKi5S3ctZaAwm2wNsE0TU/o5u9+Q5ST1wgsKJF+F0laCUQcDPwM
UyM5VznH31pChrlzRiUcsm0lMvDkx+JfTSBPOgzABMAcQ3YuTSk=
=e+q6
-----END PGP SIGNATURE-----

4
dist/manifest.txt vendored
View File

@ -1,2 +1,2 @@
fe92783ef775ccc5e32baefb26f951b7f37ed26ecbb4601a068e20b31bebadbb airgap.iso 5b830f69691a96deb50caa68b69b7a6bb34a0af8c55a0d7dd21c1771683f96e1 airgap.iso
b714c963bd8b1f3a38295821f0a3521bc64f97c1023c49d22a2e7433385b1a09 release.env 89695f9584b98adea86887de56774b8747c4f36092611c31da367a63f072954d release.env

8
dist/release.env vendored
View File

@ -1,5 +1,5 @@
VERSION=2024.8.1 VERSION=2023.02.24
GIT_REF=ea623cc147741b0a753ce4ea7aabe512df9a2ef9 GIT_REF=2376bc53dc4609ad0bff55e0b3365891db6fbeea
GIT_AUTHOR=Lance R. Vick GIT_AUTHOR=Lance R. Vick
GIT_PUBKEY=6B61ECD76088748C70590D55E90A401336C8AAA9 GIT_KEY=6B61ECD76088748C70590D55E90A401336C8AAA9
GIT_TIMESTAMP=2024-08-08 00:34:41 -0700 GIT_TIMESTAMP=2023-02-24 13:31:37 -0800

55
rootfs/etc/init.d/S01syslogd
View File

@ -1,55 +0,0 @@
#!/bin/sh
DAEMON="syslogd"
PIDFILE="/var/run/$DAEMON.pid"
SYSLOGD_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
# BusyBox' syslogd does not create a pidfile, so pass "-n" in the command line
# and use "-m" to instruct start-stop-daemon to create one.
start() {
printf 'Starting %s: ' "$DAEMON"
# shellcheck disable=SC2086 # we need the word splitting
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
-- -n $SYSLOGD_ARGS
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
stop() {
printf 'Stopping %s: ' "$DAEMON"
start-stop-daemon -K -q -p "$PIDFILE"
status=$?
if [ "$status" -eq 0 ]; then
rm -f "$PIDFILE"
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
restart() {
stop
sleep 1
start
}
case "$1" in
start|stop|restart)
"$1";;
reload)
# Restart, since there is no true "reload" feature.
restart;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

55
rootfs/etc/init.d/S02klogd
View File

@ -1,55 +0,0 @@
#!/bin/sh
DAEMON="klogd"
PIDFILE="/var/run/$DAEMON.pid"
KLOGD_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
# BusyBox' klogd does not create a pidfile, so pass "-n" in the command line
# and use "-m" to instruct start-stop-daemon to create one.
start() {
printf 'Starting %s: ' "$DAEMON"
# shellcheck disable=SC2086 # we need the word splitting
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
-- -n $KLOGD_ARGS
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
stop() {
printf 'Stopping %s: ' "$DAEMON"
start-stop-daemon -K -q -p "$PIDFILE"
status=$?
if [ "$status" -eq 0 ]; then
rm -f "$PIDFILE"
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
restart() {
stop
sleep 1
start
}
case "$1" in
start|stop|restart)
"$1";;
reload)
# Restart, since there is no true "reload" feature.
restart;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

94
rootfs/etc/init.d/S02sysctl
View File

@ -1,94 +0,0 @@
#!/bin/sh
#
# This script is used by busybox and procps-ng.
#
# With procps-ng, the "--system" option of sysctl also enables "--ignore", so
# errors are not reported via syslog. Use the run_logger function to mimic the
# --system behavior, still reporting errors via syslog. Users not interested
# on error reports can add "-e" to SYSCTL_ARGS.
#
# busybox does not have a "--system" option neither reports errors via syslog,
# so the scripting provides a consistent behavior between the implementations.
# Testing the busybox sysctl exit code is fruitless, as at the moment, since
# its exit status is zero even if errors happen. Hopefully this will be fixed
# in a future busybox version.
PROGRAM="sysctl"
SYSCTL_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$PROGRAM" ] && . "/etc/default/$PROGRAM"
# Files are read from directories in the SYSCTL_SOURCES list, in the given
# order. A file may be used more than once, since there can be multiple
# symlinks to it. No attempt is made to prevent this.
SYSCTL_SOURCES="/etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf"
# If the logger utility is available all messages are sent to syslog, except
# for the final status. The file redirections do the following:
#
# - stdout is redirected to syslog with facility.level "kern.info"
# - stderr is redirected to syslog with facility.level "kern.err"
# - file dscriptor 4 is used to pass the result to the "start" function.
#
run_logger() {
# shellcheck disable=SC2086 # we need the word splitting
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
xargs -0 -r -n 1 readlink -f | {
prog_status="OK"
while :; do
read -r file || {
echo "$prog_status" >&4
break
}
echo "* Applying $file ..."
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
done 2>&1 >&3 | /usr/bin/logger -t sysctl -p kern.err
} 3>&1 | /usr/bin/logger -t sysctl -p kern.info
}
# If logger is not available all messages are sent to stdout/stderr.
run_std() {
# shellcheck disable=SC2086 # we need the word splitting
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
xargs -0 -r -n 1 readlink -f | {
prog_status="OK"
while :; do
read -r file || {
echo "$prog_status" >&4
break
}
echo "* Applying $file ..."
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
done
}
}
if [ -x /usr/bin/logger ]; then
run_program="run_logger"
else
run_program="run_std"
fi
start() {
printf '%s %s: ' "$1" "$PROGRAM"
status=$("$run_program" 4>&1)
echo "$status"
if [ "$status" = "OK" ]; then
return 0
fi
return 1
}
case "$1" in
start)
start "Running";;
restart|reload)
start "Rerunning";;
stop)
:;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

24
rootfs/etc/init.d/S10udev
View File

@ -1,24 +0,0 @@
#!/bin/sh
case "$1" in
start)
printf "Populating %s using udev: " "${udev_root:-/dev}"
[ -e /proc/sys/kernel/hotplug ] && printf '\000\000\000\000' > /proc/sys/kernel/hotplug
/sbin/udevd -d || { echo "FAIL"; exit 1; }
udevadm trigger --type=subsystems --action=add
udevadm trigger --type=devices --action=add
udevadm settle --timeout=30 || echo "udevadm settle failed"
echo "done"
;;
stop)
# Stop execution of events
udevadm control --stop-exec-queue
killall udevd
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0

20
rootfs/etc/init.d/S12pcscd
View File

@ -1,20 +0,0 @@
#!/bin/sh
case "$1" in
start)
/usr/sbin/pcscd -d || { echo "FAIL"; exit 1; }
killall pcscd
/usr/sbin/pcscd -d || { echo "FAIL"; exit 1; }
echo "done"
;;
stop)
# Stop execution of events
killall pcscd
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0

70
rootfs/etc/init.d/S20urandom
View File

@ -1,70 +0,0 @@
#! /bin/sh
#
# Preserve the random seed between reboots. See urandom(4).
#
# Quietly do nothing if /dev/urandom does not exist
[ -c /dev/urandom ] || exit 0
URANDOM_SEED="/var/lib/random-seed"
# shellcheck source=/dev/null
[ -r "/etc/default/urandom" ] && . "/etc/default/urandom"
if pool_bits=$(cat /proc/sys/kernel/random/poolsize 2> /dev/null); then
pool_size=$((pool_bits/8))
else
pool_size=512
fi
init_rng() {
[ -f "$URANDOM_SEED" ] || return 0
printf 'Initializing random number generator: '
dd if="$URANDOM_SEED" bs="$pool_size" of=/dev/urandom count=1 2> /dev/null
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
save_random_seed() {
printf 'Saving random seed: '
status=1
if touch "$URANDOM_SEED.new" 2> /dev/null; then
old_umask=$(umask)
umask 077
dd if=/dev/urandom of="$URANDOM_SEED.tmp" bs="$pool_size" count=1 2> /dev/null
cat "$URANDOM_SEED" "$URANDOM_SEED.tmp" 2>/dev/null \
| sha256sum \
| cut -d ' ' -f 1 > "$URANDOM_SEED.new" && \
mv "$URANDOM_SEED.new" "$URANDOM_SEED" && status=0
rm -f "$URANDOM_SEED.tmp"
umask "$old_umask"
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
else
echo "SKIP (read-only file system detected)"
fi
return "$status"
}
case "$1" in
start|restart|reload)
# Carry a random seed from start-up to start-up
# Load and then save the whole entropy pool
init_rng && save_random_seed;;
stop)
# Carry a random seed from shut-down to start-up
# Save the whole entropy pool
save_random_seed;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

27
rootfs/etc/init.d/rcK
View File

@ -1,27 +0,0 @@
#!/bin/sh
# Stop all init scripts in /etc/init.d
# executing them in reversed numerical order.
#
for i in $(ls -r /etc/init.d/S??*) ;do
# Ignore dangling symlinks (if any).
[ ! -f "$i" ] && continue
case "$i" in
*.sh)
# Source shell script for speed.
(
trap - INT QUIT TSTP
set stop
. $i
)
;;
*)
# No sh extension, so fork subprocess.
$i stop
;;
esac
done

27
rootfs/etc/init.d/rcS
View File

@ -1,27 +0,0 @@
#!/bin/sh
# Start all init scripts in /etc/init.d
# executing them in numerical order.
#
for i in /etc/init.d/S??* ;do
# Ignore dangling symlinks (if any).
[ ! -f "$i" ] && continue
case "$i" in
*.sh)
# Source shell script for speed.
(
trap - INT QUIT TSTP
set start
. $i
)
;;
*)
# No sh extension, so fork subprocess.
$i start
;;
esac
done

2
rootfs/init
View File

@ -1,2 +0,0 @@
#!/bin/sh
exec /bin/init

15
rootfs/usr/lib/udev/rules.d/sdcard-autorun.rules
View File

@ -1,15 +0,0 @@
KERNEL!="mmcblk[0-9]p[0-9]|sd[a-z][0-9]", GOTO="automount_end"
ACTION=="add", PROGRAM!="/sbin/blkid %N", GOTO="automount_end"
IMPORT{program}="/sbin/blkid -o udev -p %N"
ENV{ID_FS_LABEL}!="", ENV{dir_name}="%E{ID_FS_LABEL}"
ENV{ID_FS_LABEL}=="", ENV{dir_name}="%k"
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
ACTION=="add", ENV{ID_FS_TYPE}=="vfat", ENV{mount_options}="relatime,utf8,flush,user,umask=0000"
ACTION=="add", RUN+="/bin/mkdir -p /media/%E{dir_name}", RUN+="/bin/mount -o $env{mount_options} /dev/%k /media/%E{dir_name}"
ACTION=="add", RUN+="/usr/local/bin/autorun /media/%E{dir_name}"
ACTION=="remove", ENV{dir_name}!="", RUN+="/bin/umount -l /media/%E{dir_name}", RUN+="/bin/rmdir /media/%E{dir_name}"
LABEL="automount_end"

28
rootfs/usr/local/bin/autorun
View File

@ -1,28 +0,0 @@
#!/bin/bash
set -e
source /etc/profile
folder=${1?}
if [ "$folder" == "/media/USER" ] && [ -f "${folder}/autorun.sh" ]; then
if touch "${folder}/.write_test" 2>/dev/null; then
echo "!! Autorun: Read-only verification failed for /media/USER" >/dev/console
exit 1;
else
echo "" >/dev/console
echo "++ Autorun: Found /media/USER/autorun.sh" >/dev/console;
echo "** Autorun: Executing /media/USER/autorun.sh" >/dev/console
/bin/bash "/media/USER/autorun.sh" >/dev/console
fi
elif [ -f "${folder}/autorun.sh.asc" ]; then
echo "" >/dev/console
echo "++ Autorun: Found ${folder}/autorun.sh" >/dev/console;
gpg --verify "${folder}/autorun.sh.asc" >/dev/null 2>&1 || {
echo "!! Autorun: Verification Failed for ${folder}/autorun.sh" \
>/dev/console;
exit 1;
}
echo "++ Autorun: Verified ${folder}/autorun.sh" >/dev/console
echo "** Autorun: Executing ${folder}/autorun.sh" >/dev/console
/bin/bash "${folder}/autorun.sh" >/dev/console
fi

3
sdcard/autorun.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
echo "Autorun.sh executed"

65
src/scripts/audit Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
build_dir="${BUILD_DIR?}"
audit_dir="${BUILD_DIR?}/audit"
buildroot_dir="${build_dir}/buildroot"
heads_dir="${build_dir}/heads"
mkdir -p ${audit_dir}
printf "Generating container package vulnerability stats... "
debsecan \
--suite $(lsb_release --codename --short) \
--format detail \
> ${audit_dir}/container_package_cves.txt
container_package_cves="$( \
cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l \
)"
echo "done"
printf "Generating target OS source tar hashes... "
openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* \
> ${audit_dir}/os_src_hashes.txt
echo "done"
printf "Generating firmware source tar hashes... "
openssl sha256 -r ${heads_dir}/packages/* \
> ${audit_dir}/fw_src_hashes.txt
echo "done"
printf "Generating combined/uniqued source tar hashes... "
cat ${audit_dir}/os_src_hashes.txt \
${audit_dir}/fw_src_hashes.txt \
| sed 's/ .*\// /g' \
| awk '{ t = $1; $1 = $2; $2 = t; print;}' \
| sort \
| uniq \
> ${audit_dir}/all_hashes.txt
echo "done"
printf "Generating buildroot package stats... "
( cd ${buildroot_dir} \
&& support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \
> /dev/null 2>&1
)
target_os_source_cves=$( \
cat build/audit/pkg-stats.json | jq '.stats["total-cves"]' \
)
echo "done"
printf "Generating license usage reports... "
( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 )
cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info
echo "done"
echo "------------------------------------------------"
echo "Wrote: build/audit/container_package_cves.txt"
echo "Wrote: build/audit/os_src_hashes.txt"
echo "Wrote: build/audit/fw_src_hashes.txt"
echo "Wrote: build/audit/all_hashes.txt"
echo "Wrote: build/audit/pkg-stats.json"
echo "Wrote: build/audit/legal-info"
echo "------------------------------------------------"
echo "Build container package CVEs: ${container_package_cves}"
echo "Target OS source CVEs: ${target_os_source_cves}"

1
src/toolchain Submodule

@ -0,0 +1 @@
Subproject commit ca3e7960ea2abb9e448610c633dc92d7786ce8ab