fixing build

.gitignore

@@ -31,3 +31,6 @@ extra/pre-build.d/etc/openvpn/client.conf
 overlay/etc/ssh/*
 overlay/home/bdisk
 overlay/etc/systemd/system/multi-user.target.wants/openvpn@client.service
+src/ipxe_local/ssl/keys
+src/ipxe_local/ssl/crts
+src/ipxe_local/ssl/txt

bin/build.sh

@@ -85,7 +85,7 @@ CHROOTDIR_GLOB="${CHROOTDIR}"
 BUILDDIR_GLOB="${BUILDDIR}"
 
 # Set the version.
-VERSION="$(git describe --abbrev=0 --tags)-$(git rev-parse --short --verify HEAD)"
+BUILDVERSION="$(git describe --abbrev=0 --tags)-$(git rev-parse --short --verify HEAD)"
 BUILD="$(cat BUILDNO)"
 BUILD="$(expr ${BUILD} + 1)"
 echo ${BUILD} > ./BUILDNO
@@ -104,7 +104,7 @@ set -e
 USERNAME_REAL="$(grep ${BUILD_USERNAME} /etc/passwd | cut -f5 -d':')"
 
 cat > ${BASEDIR}/VERSION_INFO.txt << EOF
-Version:	${VERSION}
+Version:	${BUILDVERSION}
 Build:		${BUILD}
 Time:		${BUILDTIME}
 Machine:	${BUILD_MACHINE}

docs/FAQ

@@ -0,0 +1,33 @@
+BDisk Frequently Asked(/Unasked) Questions
+
+
+
+0.) Why does it take so long to build?
+1.) Why is the generated ISO file so big?
+2.) How do I find the version/release/etc. number of an ISO?
+
+
+=========================================================
+
+
+
+0.) WHY DOES IT TAKE SO LONG TO BUILD?
+A: This typically occurs when you're building from within a LiveCD/LiveUSB situation, in a VM/container/etc., or on a headless server.
+If this is the case, you may run into what appears to be "stalling", especially while keys are generating for the chroots.
+Thankfully, there is an easy fix. You can install the "haveged"(http://www.issihosts.com/haveged/) software and run it. This will
+show an immediate and non-negligible improvement for the above contexts. If you have extra power to throw at it (or are using a dedicated build box)
+as well, I recommend enabling I_AM_A_RACECAR in your build.conf. BDisk will then be more aggressive with its resource consumption.
+
+
+1.) WHY IS THE GENERATED ISO FILE SO BIG?
+A: You may have enabled a LOT of packages in extra/packages.(32|64|both). Or you're using the default set of packages, which tries to include a LOT
+of different (and in some cases, redundant) packages for widespread utilization and usage. In addition, keep in mind that BDisk builds a single ISO
+that can be used on both i686 architectures AND full x86_64 architectures ("AMD64" as you may sometimes see it referenced). Because it doesn't cheat
+and just use a 64-bit kernel with a 32-bit userland, it needs two different squash images on each ISO- one for 32-bit userland and one for 64-bit
+userland.
+
+2.) HOW DO I FIND THE VERSION/RELEASE/ETC. NUMBER OF AN ISO?
+A: This can be found in a multitude of places. The full-size ISO file (iso/<distname>-<git tag>-<git rev number>-(32|64|any).iso) should have the
+version right in the file name. If you want more detailed information (or perhaps you renamed the file), you can mount the ISO as loopback in GNU/Linux,
+*BSD, or Mac OS X and check /path/to/mounted/iso/VERSION_INTO.txt. Lastly, within the runtime itself (especially handy if booting via iPXE), you can
+check /root/VERSION_INFO.txt within the running live environment.

docs/TODO

@@ -6,6 +6,7 @@
 -- https://github.com/akopytov/sysbench
 -- (http://blog.due.io/2014/linode-digitalocean-and-vultr-comparison/ etc.)
 -package in AUR
+-base rewrite in python. pyalpm may come in handy here.
 
 
 ## NETWORKING ##
@@ -22,25 +23,28 @@
 
 ## Building ##
 
+-GUMMIBOOT IS GONE FROM THE REPOS. I could repackage it, but better to just see what the hell archiso's doing.
 -WISH: Better logging[0]
+-WISH: signing for secureboot releases (PreLoader and gummiboot handle this okay, but require manual intervention
 -use manual chrooting functions ONLY if distro not detected as arch. if /usr/bin/systemd-nspawn exists, use that instead
 --does arch-chroot work across all distros? see https://wiki.archlinux.org/index.php/Install_bundled_32-bit_system_in_Arch64 and https://wiki.archlinux.org/index.php/Chroot
 --i think this might be unnecessary. testing across other major distros is necessary, but i think i can just use the chroot'd arch-chroot
 -tweak build.conf (and build.conf.sample) to source the pwd and set as BASEDIR ***if*** the project resources are present in pwd, otherwise throw warning
 --this is half-done;PWD is currently used by default.
 -does gummiboot? loader? wtfever it's called support splash backgrounds? can i implement that differently somehow?
+--yes, see e.g. https://www.reddit.com/r/archlinux/comments/3bwgf0/where_put_the_splasharchbmp_to_splash_screen_boot/
 -strip out/remove unnecessary and orphan packages (e.g. gcc, make, automake, etc.)
 -incorporate iPXE tweaks:
---http://ipxe.org/crypto
+--http://ipxe.org/crypto 
 --http://ipxe.org/cmd/imgtrust
 --http://ipxe.org/cmd/imgverify
---enable use of custom CA/self-signed certs for HTTPS etc.
--X-platform
---what distros are supported?
---automatically install what we need for buildtime
----need to finish pkg lists and then test, but meta files should be done as well as lib script
---hardcode list of runtime (e.g. live media) dependencies (e.g. openssh, vim, etc.)
---...and create separate list for after-the-fact e.g. goodies
+--enable use of custom CA/self-signed certs for HTTPS etc. DONE, partially. need to incorporate codesign certs/keys. routines, conf variables
+-enable mirror= kernel commandline.
+--if mirror_(NAME) is present, use that as repo name.
+--if it starts with /, treat as mirrorlist (Include); otherwise use Server = 
+--if it has mirror_SIG-X, set signature options e.g. _SIG-N would be "SigLevel = Never"
+-iPXE background support. sed -rf "${BASEDIR}/src/ipxe_local/script.sed" ${SRCDIR}/ipxe/src/config/general.h ; sed -rf "${BASEDIR}/src/ipxe_local/script2.sed" ${SRCDIR}/ipxe/src/config/console.h
+--note that iPXE VESAFB console is not (yet) supported in EFI, so this is on hold.
 
 ## Split into Separate Tools CD ##
 

extra/build.conf.sample

@@ -71,6 +71,35 @@ BUILDMINI="no"
 # This currently does not work for HTTPS with self-signed certificates.
 IPXE_URI="https://bdisk.square-r00t.net"
 
+# Path to the (root) CA certificate file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Note that you can use your own CA to sign existing certs. See http://ipxe.org/crypto for
+# more info. This is handy if you run a third-party/"Trusted" root-CA-signed certificate
+# for the HTTPS target.
+# Requires IPXE_SSL_CAKEY if specified.
+IPXE_SSL_CA=""
+
+# Path to the (root) CA key file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CA if specified.
+IPXE_SSL_CAKEY=""
+
+# Path to the CLIENT certificate (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_KEY if specified.
+IPXE_SSL_CRT=""
+
+# Path to the CLIENT key (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CRT if specified.
+IPXE_SSL_KEY=""
+
 # Set to "yes" to enable pushing new changes to a git repo/committing to a local repo
 GIT="no"
 

extra/packages.both

@@ -3,7 +3,7 @@
 abs
 acpi
 #acpidump
-afflib
+#afflib
 aircrack-ng
 apr
 apr-util
@@ -12,14 +12,19 @@ asciidoc
 atop
 autopsy
 autossh
+backuppc
+#bacula ## TODO: grab all the bacula packages in here
 beep
 bin86
 bind-tools
 binutils
 bluez-utils
 bonnie++
+boxbackup-client
+boxbackup-server
 bozocrack-git
 bridge-utils
+burp-backup-git
 btrfs-progs
 cabextract
 cdrtools
@@ -30,6 +35,7 @@ chntpw
 cifs-utils
 ckermit
 clamav
+clonezilla
 cmospwd
 colordiff
 cowpatty
@@ -39,6 +45,7 @@ cpupower
 crackpkcs12
 #cryptcat
 cryptsetup
+csync2
 customizepkg-scripting
 dar
 dcfldd
@@ -152,10 +159,12 @@ mcelog
 md5deep
 mdadm
 mdcrack
-megaraid-cli
+# superseded by storcli
+#megaraid-cli
 memtester
 mfoc
 minicom
+mondo
 mtd-utils
 mtr
 mtree
@@ -176,7 +185,9 @@ nmap
 nmon
 ntfs-3g
 ntfsfixboot
-nwipe
+#nwipe #broken since they moved to github(?)
+nwipe-git
+obnam
 open-iscsi
 openipmi
 ophcrack
@@ -184,6 +195,8 @@ os-prober
 p7zip
 pack
 par2cmdline
+partclone
+partclone-utils
 parted
 partimage
 pax-utils
@@ -207,7 +220,7 @@ procps-ng
 progsreiserfs
 psmisc
 pwgen
-pxz
+pixz
 pyrit-svn
 python2-gnuplot
 python2-pyx
@@ -241,7 +254,8 @@ smartmontools
 smbclient
 s-nail
 socat
-#star
+#star ## do people even USE tape packups anymore?
+storcli
 strace
 stress
 sucrack
@@ -263,6 +277,7 @@ tor
 udftools
 #udpcast
 unace
+unison
 unrar
 unshield
 unzip
@@ -295,6 +310,8 @@ xfsprogs
 xmlto
 xorg
 xorg-drivers
+xorg-xinit
+xterm
 zerofree
 zip
 zsh

extra/pre-build.d/32/etc/pacman.conf

@@ -37,7 +37,8 @@ VerbosePkgLists
 
 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
-SigLevel    = Required DatabaseOptional
+#SigLevel    = Required DatabaseOptional #RE-ENABLE ME WHEN A NEW SNAPSHOT IS RELEASED WITH FIXED GPG
+SigLevel    = Never
 LocalFileSigLevel = Optional
 #RemoteFileSigLevel = Required
 

extra/pre-build.d/64/etc/pacman.conf

@@ -37,7 +37,8 @@ VerbosePkgLists
 
 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
-SigLevel    = Required DatabaseOptional
+#SigLevel    = Required DatabaseOptional #RE-ENABLE ME WHEN A NEW SNAPSHOT IS RELEASED WITH FIXED GPG
+SigLevel    = Never
 LocalFileSigLevel = Optional
 #RemoteFileSigLevel = Required
 

extra/pre-build.d/etc/customizepkg.d/dd_rhelp

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i -e 's/build(/package(/g' ${1}

extra/pre-build.d/etc/customizepkg.d/lsiutil

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -re 's@^(source=\(").*$@\1https://github.com/kwilczynski/lsi/blob/master/lsiutil/LSIUtil_1.62.zip?raw=true")@g' ${1}

extra/pre-build.d/etc/customizepkg.d/whdd

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ ! -f "/usr/lib/libdialog.so" ]];
+then
+  echo "Please run the following: sudo ln -s /usr/lib/libdialog.so.1.2 /usr/lib/libdialog.so"
+  echo "This package will fail to build otherwise."
+fi

extra/pre-build.d/etc/customizepkg.d/wifite-mod-pixiewps-git

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-sed -i -e 's/any/x86_64/g' ${1}
+sed -i -re "s/'any'/'i686' 'x86_64'/g" ${1}

extra/pre-build.d/root/post-build.sh

@@ -3,6 +3,6 @@
 set -e
 
 apacman --noconfirm --noedit -S --needed customizepkg-scripting
-
+ln -s /usr/lib/libdialog.so.1.2 /usr/lib/libdialog.so
 
 echo "Done."

lib/00-depcheck.func.sh

@@ -31,8 +31,8 @@ function so_check_me_out {
        break 2
      fi
    done
-   set -e
  fi
+ set -e
 
  # Sanity is important.
  if [[ -z "${HOST_DIST}" ]];
@@ -64,8 +64,10 @@ function so_check_me_out {
      echo "Please ensure you are connected to the Internet/have repositories configured correctly."
      exit 1
    fi
+   set -e
  fi
 
+ set +e
  while read pkgname;
  do
    eval "${PKG_CHK}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
@@ -83,8 +85,8 @@ function so_check_me_out {
      fi
    fi
  done < ${PKGLIST}
-
  set -e
+
  rm -f "${LOCKFILE}"
 }
 

lib/01-mk.chroot.func.sh

@@ -180,6 +180,7 @@ EOF
     echo "Done."
     echo -n "...Upgrading any outdated packages..."
     ${CHROOTCMD} ${i}/ pacman -Syyu --noconfirm >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    ${CHROOTCMD} ${i}/ pacman-key --refresh-keys >> "${LOGFILE}.${FUNCNAME}" 2>&1
     for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
     echo "Done. Finishing/cleaning up..."
     ${CHROOTCMD} ${i}/ pacman -S --noconfirm --needed base-devel >> "${LOGFILE}.${FUNCNAME}" 2>&1
@@ -245,38 +246,39 @@ EOF
  for x in $(find ${CHROOTDIR64}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%.pacorig} ; done
  set -e
 
- # preprocessing
- sed -i -e '/base-devel/d ; /multilib-devel/d' ${BASEDIR}/extra/packages.*
+ # extra packages
+ sed -i -e '/base-devel/d ; /multilib-devel/d' ${BASEDIR}/extra/packages.{both,64}
  # both
  echo "Installing extra common packages..."
  PKGLIST=$(sed -e '/^[[:space:]]*#/d ; /^[[:space:]]*$/d' ${BASEDIR}/extra/packages.both | tr '\n' ' ')
  for i in ${CHROOTDIR32} ${CHROOTDIR64};
  do
     echo "Running post-build tasks in ${i}..."
+    chmod 700 ${i}/root/post-build.sh
     ${CHROOTCMD} ${i}/ "/root/post-build.sh" >> "${LOGFILE}.${FUNCNAME}" 2>&1
     for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
     set +e
     ${CHROOTCMD} ${i}/ /usr/bin/bash -c "apacman --noconfirm --noedit --skipinteg -S --needed linux" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-    cp -a ${i}/boot/vmlinuz-linux ${i}/boot/vmlinuz-linux-${PNAME}
-    cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${PNAME}.img
+    cp -a ${i}/boot/vmlinuz-linux ${i}/boot/vmlinuz-linux-${DISTNAME}
+    #cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${DISTNAME}.img
     set -e
     for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
     # Uncomment if you wish to use the mkpasswd binary from within the chroot...
     #${CHROOTCMD} ${i}/ bash -c "apacman --noconfirm --noedit --skipinteg -S --needed debian-whois-mkpasswd" >> "${LOGFILE}.${FUNCNAME}" 2>&1
     #for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
     echo -n "Regular packages..."
-    set +e
     ${CHROOTCMD} ${i}/ bash -c "yes '' | apacman --noconfirm --noedit --skipinteg -S --needed ${PKGLIST}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    set +e
     for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
-    # User creation
     set -e
+    # User creation
     echo -n "...Creating ${REGUSR} user..."
     ${CHROOTCMD} ${i}/ useradd -m -s /bin/bash -c "Default user" ${REGUSR} >> "${LOGFILE}.${FUNCNAME}" 2>&1
     ${CHROOTCMD} ${i}/ usermod -aG users,games,video,audio ${REGUSR} >> "${LOGFILE}.${FUNCNAME}" 2>&1
     ${CHROOTCMD} ${i}/ passwd -d ${REGUSR} >> "${LOGFILE}.${FUNCNAME}" 2>&1
     mkdir -p ${i}/etc/sudoers.d ; chmod 750 ${i}/etc/sudoers.d
-    echo "${REGUSR} ALL=(ALL) ALL" >> ${i}/etc/sudoers.d/${REGUSR}
-    if [ -n "${REGUSR_PASS}" ];
+    printf "Defaults:${REGUSR} \041lecture\n${REGUSR} ALL=(ALL) ALL\n" >> ${i}/etc/sudoers.d/${REGUSR}
+    if [[ -n "${REGUSR_PASS}" && "${REGUSR_PASS}" != '{[BLANK]}' ]];
     then
       #${CHROOTCMD} ${i}/ "/usr/bin/echo ${REGUSR}:${REGUSR_PASS} | chpasswd -e" >> "${LOGFILE}.${FUNCNAME}" 2>&1
       sed -i -e "s|^${REGUSR}::|${REGUSR}:${REGUSR_PASS}:|g" ${i}/etc/shadow
@@ -286,7 +288,7 @@ EOF
     else
       ${CHROOTCMD} ${i}/ usermod -L ${REGUSR} >> "${LOGFILE}.${FUNCNAME}" 2>&1
     fi
-    if [ -n "${ROOT_PASS}" ];
+    if [[ -n "${ROOT_PASS}" && "${ROOT_PASS}" != '{[BLANK]}' ]];
     then
       #${CHROOTCMD} ${i}/ "/usr/bin/echo root:${ROOT_PASS} | chpasswd -e" >> "${LOGFILE}.${FUNCNAME}" 2>&1
       sed -i -e "s|^root::|root:${ROOT_PASS}:|g" ${i}/etc/shadow
@@ -306,7 +308,7 @@ EOF
   set +e
   for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%.pacorig} ; done
   ${CHROOTCMD} ${i}/ /usr/bin/bash -c "mkinitcpio -p linux" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-  cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${PNAME}.img
+  cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${DISTNAME}.img
   set -e
  done
  
@@ -359,7 +361,7 @@ EOF
  echo "Done."
 
  
- rm -f ${LOCKFILE}
+ #rm -f ${LOCKFILE}
  
  echo "Chroot setup complete."
 

lib/07-centos_is_stupid.func.sh

@@ -4,8 +4,7 @@ function centos_is_stupid {
 
   if [[ "${HOST_DIST}" == "CentOS" || "${HOST_DIST}" == "RHEL" ]];
   then
-    rpm -qa | egrep -q "^xorriso-[0-9]"
-    if [[ "${?}" != "0" ]];
+    if [[ "$(rpm -qa | egrep -q '^xorriso-[0-9]')" != "0" ]];
     then
       # Download/install the proper xorriso
       EL_VER="$(rpm -qa coreutils | sed -re 's/^coreutils-[0-9.-]*el([0-9])*.*$/\1/g')"
@@ -17,7 +16,9 @@ function centos_is_stupid {
       XORRISO_RPM=$(curl -s http://pkgs.repoforge.org/xorriso/ | egrep "\"xorriso-[0-9.-]*el${EL_VER}.rf.x86_64.rpm\"" | sed -re "s/^.*\"(xorriso[0-9.-]*el${EL_VER}.rf.x86_64.rpm).*$/\1/g")
       echo "Since you're using either CentOS or RHEL, we need to install xorriso directly from an RPM. Please wait while we do this..."
       curl -sLo /tmp/${XORRISO_RPM} http://pkgs.repoforge.org/xorriso/${XORRISO_RPM}
+      set +e
       yum -y install /tmp/${XORRISO_RPM} >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      set -e
       echo "Done."
       echo
     fi
@@ -28,8 +29,7 @@ function centos_is_stupid {
   # UGH. And you know what? Fuck SUSE too.
   if [[ "${HOST_DIST}" == "openSUSE" || "${HOST_DIST}" == "SUSE" ]];
   then
-    rpm -qa | egrep -q "^xorriso-[0-9]"
-    if [[ "${?}" != "0" ]];
+    if [[ "$(rpm -qa | egrep -q '^xorriso-[0-9]')" != "0" ]];
     then
       # Download/install the proper xorriso
       source /etc/os-release
@@ -37,7 +37,10 @@ function centos_is_stupid {
       XORRISO_RPM=$(curl -s "http://software.opensuse.org/download.html?project=home%3AKnolleblau&package=xorriso" | egrep "/openSUSE_${SUSE_VER}/x86_64/xorriso-[0-9.-]" | tail -n1 | sed -re 's|^.*x86_64/(xorriso-[0-9.-]*.x86_64.rpm).*$|\1|g')
       echo "Since you're using openSUSE or SLED/SLES, we need to install xorriso directly from an RPM. Please wait while we do this..."
       curl -sLo /tmp/${XORRISO_RPM} "http://download.opensuse.org/repositories/home:/Knolleblau/openSUSE_${SUSE_VER}/x86_64/${XORRISO_RPM}"
+      cp /etc/zypp/zypp.conf /etc/zypp/zypp.conf_BAK."${$}"
+      echo 'pkg_gpgcheck = no' >> /etc/zypp/zypp.conf
       zypper install --no-confirm -l /tmp/${XORRISO_RPM} >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      mv -f /etc/zypp/zypp.conf_BAK."${$}" /etc/zypp/zypp.conf
       echo "Done."
  
       echo
@@ -64,6 +67,7 @@ function centos_is_stupid {
         echo "Please ensure you are connected to the Internet/have repositories configured correctly."
         exit 1
       fi
+      set -e
     fi
 
     zypper search binutils-devel | egrep -q '^[[:space:]]*|[[:space:]]*binutils-devel[[:space:]]*'

lib/08-will_it_blend.func.sh

@@ -75,14 +75,19 @@ function will_it_blend () {
   # and now we copy stuff into the live directories
   echo "[${ARCHSUFFIX}-bit] Copying files for PXE, and ISO building, please be patient."
   #rm -rf ${TEMPDIR}/*
+  if [ ! -f ${BASEDIR}/extra/${UXNAME}.png ];
+  then
+    cat ${BASEDIR}/extra/bdisk.png > ${BASEDIR}/extra/${UXNAME}.png
+  fi
   cp -af ${BASEDIR}/extra/${UXNAME}.png ${TEMPDIR}/.
   cp -af ${BASEDIR}/extra/${UXNAME}.png ${TFTPDIR}/.
   mkdir -p ${TEMPDIR}/boot
-  cp -af ${CHROOTDIR}/boot/initramfs-linux-${PNAME}.img ${TEMPDIR}/boot/${UXNAME}.${ARCHSUFFIX}.img
-  cp -af ${CHROOTDIR}/boot/vmlinuz-linux-${PNAME} ${TEMPDIR}/boot/${UXNAME}.${ARCHSUFFIX}.kern
-  cp -af ${CHROOTDIR}/boot/initramfs-linux-${PNAME}.img ${TFTPDIR}/${UXNAME}.${ARCHSUFFIX}.img
-  cp -af ${CHROOTDIR}/boot/vmlinuz-linux-${PNAME} ${TFTPDIR}/${UXNAME}.${ARCHSUFFIX}.kern
+  cp -af ${CHROOTDIR}/boot/initramfs-linux-${DISTNAME}.img ${TEMPDIR}/boot/${UXNAME}.${ARCHSUFFIX}.img
+  cp -af ${CHROOTDIR}/boot/vmlinuz-linux-${DISTNAME} ${TEMPDIR}/boot/${UXNAME}.${ARCHSUFFIX}.kern
+  cp -af ${CHROOTDIR}/boot/initramfs-linux-${DISTNAME}.img ${TFTPDIR}/${UXNAME}.${ARCHSUFFIX}.img
+  cp -af ${CHROOTDIR}/boot/vmlinuz-linux-${DISTNAME} ${TFTPDIR}/${UXNAME}.${ARCHSUFFIX}.kern
   cp -af ${ARCHBOOT}/* ${HTTPDIR}/${DISTNAME}/.
+  cp -af ${TFTPDIR}/* ${HTTPDIR}/.
   chown -R ${HTTPUSR}:${HTTPGRP} ${HTTPDIR}
   chown ${TFTPUSR}:${TFTPGRP} ${TFTPDIR}/${UXNAME}.*
 }

lib/09-stuffy.func.sh

@@ -14,10 +14,10 @@ function stuffy {
   echo "Setting up EFI stuff..."
 
   mkdir -p ${TEMPDIR}/{EFI/{${DISTNAME},boot},loader/entries}
-  # this stuff comes from the prebootloader pkg and gummiboot pkg. lets us boot on UEFI machines with secureboot still enabled.
+  # this stuff comes from the prebootloader pkg and systemd-boot. lets us boot on UEFI machines with secureboot still enabled.
   cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${TEMPDIR}/EFI/boot/bootx64.efi
   cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${TEMPDIR}/EFI/boot/.
-  cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+  cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
 
   echo "Checking/fetching UEFI shells..."
   if [ ! -f "${TEMPDIR}/EFI/shellx64_v2.efi" ];
@@ -71,7 +71,7 @@ EOF
   FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/boot/${UXNAME}.64.img))) # EFI/BDISK/bdisk.img
   FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi))) # EFI/boot/bootx64.efi
   FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi))) # EFI/boot/HashTool.efi
-  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi))) # EFI/boot/loader.efi
+  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi))) # EFI/boot/loader.efi
   FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v1.efi)))
   FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v2.efi)))
   FATSIZE=$((${FATSIZE} + $(du -sb ${TEMPDIR}/loader | tail -n1 | awk '{print $1}'))) # loader/* (okay so i cheated a little here.)
@@ -112,7 +112,7 @@ EOF
 
   cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${SRCDIR}/efiboot/EFI/boot/bootx64.efi
   cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${SRCDIR}/efiboot/EFI/boot/.
-  cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+  cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
   cp ${TEMPDIR}/EFI/shellx64_v{1,2}.efi ${SRCDIR}/efiboot/EFI/.
   umount ${SRCDIR}/efiboot
   echo "EFI configuration complete..."

lib/10-yo_dj.func.sh

@@ -5,15 +5,15 @@ function yo_dj () {
   ARCH="${1}"
   echo "Building the actual .iso image. This may take a while."
   #im_batman ## WHYTF IS THIS HERE?!
-  ISOFILENAME="${UXNAME}-${VERSION}.iso"
-  #MINIFILENAME="${UXNAME}-${VERSION}-mini.iso"
+  ISOFILENAME="${UXNAME}-${BUILDVERSION}.iso"
+  #MINIFILENAME="${UXNAME}-${BUILDVERSION}-mini.iso"
   MINIFILENAME="${UXNAME}-mini.iso"
   USBFILENAME="${UXNAME}-mini.usb.img"
   if [[ "${MULTIARCH}" == "y" ]];
   then
-    ISOFILENAME="${UXNAME}-${VERSION}-any.iso"
+    ISOFILENAME="${UXNAME}-${BUILDVERSION}-any.iso"
   else
-    ISOFILENAME="${UXNAME}-${VERSION}-${ARCH}.iso"
+    ISOFILENAME="${UXNAME}-${BUILDVERSION}-${ARCH}.iso"
   fi
 
   if [[ "${I_AM_A_RACECAR}" == "y" ]]; 
@@ -284,6 +284,7 @@ EOF
   if [[ "${BUILDMINI}" == "y" ]];
   then
     echo "Now generating the iPXE images; please wait..."
+    ## Get the latest version of ipxe from git.
     git submodule init >> "${LOGFILE}.${FUNCNAME}" 2>&1
     git submodule update >> "${LOGFILE}.${FUNCNAME}" 2>&1
     cd ${BASEDIR}/src/ipxe/src
@@ -292,24 +293,95 @@ EOF
     git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
     git pull >> "${LOGFILE}.${FUNCNAME}" 2>&1
     git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    # It will not build if we don't do this. Apparently we *need* libiberty.
+    git revert -n 40a9a0f0
+    ## Apply our patches.
     for i in $(find ${BASEDIR}/src/ipxe_local/patches/ -type f -iname "*.patch" -printf '%P\n' | sort);
     do
       patch -Np2 < ${BASEDIR}/src/ipxe_local/patches/${i} >> "${LOGFILE}.${FUNCNAME}" 2>&1
     done
+    ## SSL
+    SSLDIR="${BASEDIR}/src/ipxe_local/ssl"
+    mkdir -p ${SSLDIR}/{keys,crts,txt}
+    chmod 000 ${SSLDIR}/keys
+    chown root:root ${SSLDIR}/keys
+    if [[ -z "${IPXE_SSL_CA}" && -z "${IPXE_SSL_KEY}" ]];
+    then
+      # Generate SSL CA
+      #rm -rf ${SSLDIR}/*
+      cd "${SSLDIR}"
+      IPXE_SSL_CA="${SSLDIR}/crts/ca.crt"
+      IPXE_SSL_CAKEY="${SSLDIR}/keys/ca.key"
+      IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+      if [[ ! -f "${SSLDIR}/txt/ca.srl" ]];
+      then
+        echo 01 > ${SSLDIR}/txt/ca.srl
+      fi
+      touch ${SSLDIR}/txt/ca.idx
+      openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512 >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512 >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      openssl ca -days 3650 -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      #cat crts/server.crt crts/ca.crt > crts/server_chained.crt
+    elif [[ -z "${IPXE_SSL_CA}" && -e "${IPXE_SSL_CAKEY}" ]];
+    then
+      echo "ERROR: You specified IPXE_SSL_CAKEY but not IPXE_SSL_CA. If one is specified, the other must be also."
+      exit 1
+    elif [[ -z "${IPXE_SSL_CAKEY}" && -e "${IPXE_SSL_CA}" ]];
+    then
+      echo "ERROR: You specified IPXE_SSL_CA but not IPXE_SSL_CAKEY. If one is specified, the other must be also."
+      exit 1
+    elif [[ ! -e "${IPXE_SSL_CA}" || ! -e "${IPXE_SSL_CAKEY}" ]];
+    then
+      echo "ERROR: You have specified both IPXE_SSL_CA and IPXE_SSL_CAKEY but one (or both) are not valid paths/files."
+      exit 1
+    fi
+    if [[ -z "${IPXE_SSL_KEY}" && -z "${IPXE_SSL_CRT}" ]];
+    then
+      IPXE_SSL_KEY="${SSLDIR}/keys/client.key"
+      IPXE_SSL_CRT="${SSLDIR}/crts/client.crt"
+      IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+      # Generate SSL client key.
+      openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512 >> "${LOGFILE}.${FUNCNAME}" 2>&1
+      # Sign the crt.
+      openssl ca -days 3650 -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT} >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    elif [[ -z "${IPXE_SSL_CRT}" && -e "${IPXE_SSL_KEY}" ]]; 
+    then
+      echo "ERROR: You specified IPXE_SSL_KEY but not IPXE_SSL_CRT. If one is specified, the other must be also."
+      exit 1
+    elif [[ -z "${IPXE_SSL_KEY}" && -e "${IPXE_SSL_CRT}" ]]; 
+    then
+      echo "ERROR: You specified IPXE_SSL_CRT but not IPXE_SSL_KEY. If one is specified, the other must be also."
+      exit 1
+    elif [[ ! -e "${IPXE_SSL_CRT}" || ! -e "${IPXE_SSL_KEY}" ]]; 
+    then
+      echo "ERROR: You have specified both IPXE_SSL_CRT and IPXE_SSL_KEY but one (or both) are not valid paths/files."
+      exit 1
+    fi
+    cd ${BASEDIR}/src/ipxe/src
     # Generate the iPXE EMBED script...
     sed -re "s,^(chain\ ).*$,\1${IPXE_URI},g" \
 	-e 's/%%COMMA%%/,/g' ${BASEDIR}/src/ipxe_local/EMBED > ${SRCDIR}/EMBED
+    # And now we build!
     #make everything EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-    make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-    make bin/ipxe.eiso bin/ipxe.usb EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi \
+         EMBED="${SRCDIR}/EMBED" \
+         TRUST="${IPXE_SSL_CA}" \
+         CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+         PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    make bin/ipxe.eiso bin/ipxe.usb \
+         EMBED="${SRCDIR}/EMBED" \
+         TRUST="${IPXE_SSL_CA}" \
+         CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+         PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
     # Change this to USB-only...
     #make all EMBED="${BASEDIR}/src/ipxe_local/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
     mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.usb  ${ISODIR}/${USBFILENAME}
     mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.eiso  ${ISODIR}/${MINIFILENAME}
     make clean >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    cd ${BASEDIR}/src/ipxe
     git reset --hard >> "${LOGFILE}.${FUNCNAME}" 2>&1
     git clean -xdf > /dev/null 2>&1
-    git checkout master > /dev/null 2>&1
+    git checkout master . > /dev/null 2>&1
     #git reset --hard HEAD > /dev/null 2>&1
     echo
   fi

lib/11-mentos.func.sh

@@ -22,7 +22,7 @@ function mentos {
    RACECAR_CHK=""
  fi
 
- if [[ -n $(find ${BASEDIR}/extra/pre-build.d/ -type f -newer ${BASEDIR}/root.x86_64/boot/vmlinuz-linux-${PNAME}) ]];
+ if [[ -n $(find ${BASEDIR}/extra/pre-build.d/ -type f -newer ${BASEDIR}/root.x86_64/boot/vmlinuz-linux-${DISTNAME}) ]];
  then
   touch ${LOCKFILE}
   sleep 2
@@ -36,7 +36,7 @@ function mentos {
  for i in ${CHROOTDIR32} ${CHROOTDIR64};
  do
     echo -n "...Packages installing/upgrading to ${i}..."
-    local INSTKERN=$(file ${i}/boot/vmlinuz-linux-${PNAME} | awk '{print $9}' | cut -f1 -d"-")
+    local INSTKERN=$(file ${i}/boot/vmlinuz-linux-${DISTNAME} | awk '{print $9}' | cut -f1 -d"-")
     local MIRROR=$(egrep '^Server' ${i}/etc/pacman.d/mirrorlist | head -n1 | sed -e 's/^Server\ =\ //g  ; s#$repo.*#core/os/x86_64/#g')
     local NEWKERN=$(curl -s "${MIRROR}" | grep linux | awk '{print $3}' | cut -f2 -d\" | egrep '^linux-[0-9].*pkg.tar.xz$' | cut -f2 -d"-")
 
@@ -45,8 +45,8 @@ function mentos {
     for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%.pacorig} ; done
     ${CHROOTCMD} ${i}/ /usr/bin/bash -c "mkinitcpio -p linux" >> "${LOGFILE}.${FUNCNAME}" 2>&1
     #${CHROOTCMD} ${i}/ bash -c "apacman --noconfirm --noedit --skipinteg -S --needed ${PKGLIST}"
-    cp -a ${i}/boot/vmlinuz-linux ${i}/boot/vmlinuz-linux-${PNAME}
-    cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${PNAME}.img
+    cp -a ${i}/boot/vmlinuz-linux ${i}/boot/vmlinuz-linux-${DISTNAME}
+    cp -a ${i}/boot/initramfs-linux.img ${i}/boot/initramfs-linux-${DISTNAME}.img
     echo "Done."
  done
  

lib/prereqs/Antergos/meta

@@ -10,7 +10,7 @@ function distro_specific_tweaks {
  # For some reason, I can't get "yes y | " to parse correctly with eval. And Arch isn't smart enough
  # to figure out that if I enable the multilib repos, *I want multilib gcc*. Fuck it. We'll just remove it first.
 
- pacman -S --needed haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ pacman -S --needed --noconfirm haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
  haveged
 
  set +e

lib/prereqs/Arch/meta

@@ -10,7 +10,7 @@ function distro_specific_tweaks {
  # For some reason, I can't get "yes y | " to parse correctly with eval. And Arch isn't smart enough
  # to figure out that if I enable the multilib repos, *I want multilib gcc*. Fuck it. We'll just remove it first.
 
- pacman -S --needed haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ pacman -S --needed --noconfirm haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
  haveged
 
  set +e

lib/prereqs/Arch/pkgs

@@ -1,5 +1,6 @@
 binutils
 curl
+dosfstools
 findutils
 gcc-libs-multilib
 gcc-multilib

lib/prereqs/CentOS/meta

@@ -1,4 +1,5 @@
 NAME='CentOS'
+# Currently fails on installing software *inside* the chroot. Will troubleshoot and restore when figured out.
 SUPPORTED='yes'
 CHECK_METHOD='egrep "^CentOS" /etc/redhat-release'
 PKG_MGR='yum -y install ${pkgname}'
@@ -9,6 +10,7 @@ URL='http://centos.org/'
 function distro_specific_tweaks {
  # NOTE: we handle installing of squashfs-tools (maybe) and xorriso in centos_is_stupid function.
  # because they *suck*. Seriously. I need to install tk just to install xorriso. I mean, what?
+ # You need EPEL enabled, by the way.
 
  echo "No tweaks found."
 

lib/prereqs/Debian/pkgs

@@ -10,7 +10,7 @@ libiberty-dev
 libisoburn1
 lynx
 liblzma5
-liblsma-dev
+liblzma-dev
 make
 mtools
 patch

lib/prereqs/Devuan/meta

@@ -1,5 +1,5 @@
 NAME='Devuan'
-SUPPORTED='yes'
+SUPPORTED='no'
 CHECK_METHOD='egrep "^NAME=\"Devuan\ GNU/Linux\"$" /etc/os-release'
 PKG_MGR='apt-get -y install ${pkgname}'
 PRE_RUN='apt-get update'

lib/prereqs/Fedora/pkgs

@@ -1,6 +1,7 @@
 binutils
 binutils-devel
 curl
+dosfstools
 gcc
 git
 libisofs

lib/prereqs/Gentoo/pkgs

@@ -1,5 +1,6 @@
 sys-devel/binutils
 net-misc/curl
+sys-fs/dosfstools
 sys-devel/gcc
 dev-vcs/git
 dev-libs/libisoburn

lib/prereqs/Manjaro/meta

@@ -2,7 +2,7 @@ NAME='Manjaro'
 SUPPORTED='yes'
 CHECK_METHOD='egrep "^NAME=\"Manjaro Linux\"$" /etc/os-release'
 PKG_MGR='pacman -S --needed --noconfirm ${pkgname}'
-PRE_RUN='pacman -Syyyu'
+PRE_RUN='pacman -Syyy --noconfirm'
 PKG_CHK='pacman -Q ${pkgname}'
 URL='https://manjaro.org/'
 
@@ -10,7 +10,7 @@ function distro_specific_tweaks {
  # For some reason, I can't get "yes y | " to parse correctly with eval. And Arch isn't smart enough
  # to figure out that if I enable the multilib repos, *I want multilib gcc*. Fuck it. We'll just remove it first.
 
- pacman -S --needed haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ pacman -S --needed --noconfirm haveged >> "${LOGFILE}.${FUNCNAME}" 2>&1
  haveged
 
  set +e
@@ -20,6 +20,7 @@ function distro_specific_tweaks {
    if [[ "${?}" == "0" ]];
    then
      pacman -Rdd --noconfirm ${pkg_override} >> "${LOGFILE}.${FUNCNAME}" 2>&1
+     pacman -S --noconfirm ${pkg_override}-multilib >> "${LOGFILE}.${FUNCNAME}" 2>&1
    fi
  done
 set -e

lib/prereqs/Mint/meta

@@ -1,6 +1,7 @@
 NAME='Mint'
-SUPPORTED='yes'
-CHECK_METHOD='egrep "^DESCRIPTION=\"Linux\ Mint\"" /etc/linuxmint/info'
+SUPPORTED='no'
+# Needs non-systemd chroot method
+CHECK_METHOD='egrep "^DESCRIPTION=\"Linux\ Mint" /etc/linuxmint/info'
 PKG_MGR='apt-get -y install ${pkgname}'
 PRE_RUN='apt-get -y update'
 PKG_CHK='dpkg-query -l ${pkgname}'

lib/prereqs/RHEL/meta

@@ -1,5 +1,5 @@
-NAME=RHEL
-SUPPORTED=yes
+NAME='RHEL'
+SUPPORTED='yes'
 # Red Hat Enterprise Linux Server release 6.5 (Santiago)
 CHECK_METHOD='egrep "^Red\ Hat\ Enterprise\ Linux" /etc/redhat-release'
 PKG_MGR='yum -y install'

lib/prereqs/RHEL/pkgs

@@ -1,6 +1,7 @@
 binutils
 binutils-devel
 curl
+dosfstools
 gcc
 git
 libisofs

lib/prereqs/Ubuntu/pkgs

@@ -10,7 +10,7 @@ libiberty-dev
 libisoburn1
 lynx
 liblzma5
-liblsma-dev
+liblzma-dev
 make
 mtools
 patch
@@ -19,7 +19,6 @@ rsync
 sed
 squashfs-tools
 syslinux
-syslinux-efi
 xorriso
 xz-utils
 zlib1g

lib/prereqs/elementaryOS/meta

@@ -1,5 +1,5 @@
 NAME='elementaryOS'
-SUPPORTED='yes'
+SUPPORTED='no'
 CHECK_METHOD='egrep "^DISTRIB_ID=\"elementary OS\"$" /etc/lsb-release'
 PKG_MGR='apt-get -y install ${pkgname}'
 PRE_RUN='apt-get -y update'

lib/prereqs/iso.pkgs.lst

@@ -12,7 +12,6 @@ efivar
 ethtool
 file
 findutils
-gummiboot
 iproute2
 iputils
 libisoburn
@@ -28,11 +27,11 @@ netctl
 networkmanager
 openssh
 openvpn
+prebootloader
 pv
 rsync
 sed
 shorewall
-squashfs3-tools
 squashfs-tools
 sudo
 sysfsutils

lib/prereqs/openSUSE/pkgs

@@ -1,5 +1,8 @@
 binutils
+binutils-devel
+binutils-devel-32bit
 curl
+dosfstools
 gcc
 gcc-32bit
 git
@@ -15,3 +18,5 @@ sed
 squashfs
 syslinux
 xz
+xz-devel
+xz-devel-32bit

overlay/etc/bash.bashrc

@@ -50,9 +50,10 @@ echo "==================================="
 date
 if [ -n "${DEFROUTEIF}" ];
 then
+ IPADDR=$(ip a s dev ${DEFROUTEIF} | egrep '^[[:space:]]*inet\ ' | awk '{print $2}' | cut -f1 -d"/")
+ HWADDR=$(ip l show dev ${DEFROUTEIF} | egrep '^[[:space:]]*link' | awk '{print $2}')
  echo
- echo -n "${DEFROUTEIF} is: "
- ifconfig "${DEFROUTEIF}" | egrep 'inet|ether' | grep -v "inet6" | awk '{print $2}'
+ echo -n "${DEFROUTEIF} (${HWADDR}) is: ${IPADDR}"
 fi
 echo
 echo  -n "tun0 is:"

overlay/etc/systemd/scripts/livecd.fix.sh

@@ -1,11 +1,6 @@
 #/bin/sh -
 
 #chmod 4755 /opt/google/chrome-beta/chrome-sandbox
-mkdir -p /var/db/sudo/lectured
-touch /var/db/sudo/lectured/bdisk
-chmod 700 /var/db/sudo/lectured
-chgrp bdisk /var/db/sudo/lectured/bdisk
-chmod 600 /var/db/sudo/lectured/bdisk
 chmod 4755 /usr/bin/sudo
 
 function fuck_you_gimme_net() {

src/ipxe_local/00-general.sed

@@ -0,0 +1,10 @@
+## Enable IPv6 support
+s/^#undef([[:space:]]*NET_PROTO_IPV6)/#define\1/g
+## Enable HTTPS
+s/^#undef([[:space:]]*DOWNLOAD_PROTO_HTTPS)/#define\1/g
+s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
+## Enable FTP
+s/^#undef([[:space:]]*DOWNLOAD_PROTO_FTP)/#define\1/g
+## Currently broken for EFI building
+#s@^//(#define[[:space:]]*CONSOLE_CMD)@\1@g
+#s@^//(#define[[:space:]]*IMAGE_PNG@\1@g

src/ipxe_local/01-console.sed

@@ -0,0 +1,2 @@
+## Currently broken on EFI systems
+#s@^//(#define[[:space:]]*CONSOLE_VESAFB)@\1@g

src/ipxe_local/EMBED

@@ -1,4 +1,8 @@
 #!ipxe
 
 dhcp
+## TODO: signed kernel and initrd
+#imgtrust --permanent
+#imgverify vmlinuz path/to/vmlinuz.sig
+#imgverify initrd path/to/initrd.sig
 chain https://bdisk.square-r00t.net

src/ipxe_local/patches/ipxe-0003-iso-efi.patch

@@ -1,14 +1,13 @@
-From ddf6f6ac945654b00121ab899fb0bbb63293e51e Mon Sep 17 00:00:00 2001
+From d2092664b3cf866b2ab338fe056149d3266d0acc Mon Sep 17 00:00:00 2001
 From: Christian Hesse <mail@eworm.de>
-Date: Tue, 7 Apr 2015 16:04:31 +0200
-Subject: [PATCH 1/2] [build] allow to build ISO image with EFI support
- (ipxe.eiso)
+Date: Sun, 19 Apr 2015 13:16:09 +0200
+Subject: [PATCH 1/1] allow to build ISO image with EFI support (ipxe.eiso)
 
 Signed-off-by: Christian Hesse <mail@eworm.de>
 ---
- src/arch/i386/Makefile.pcbios |  6 ++++++
- src/util/geniso               | 39 ++++++++++++++++++++++++++++++---------
- 2 files changed, 36 insertions(+), 9 deletions(-)
+ src/arch/i386/Makefile.pcbios |  6 +++++
+ src/util/geniso               | 52 +++++++++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 12 deletions(-)
 
 diff --git a/src/arch/i386/Makefile.pcbios b/src/arch/i386/Makefile.pcbios
 index ff82373..c7a58eb 100644
@@ -28,14 +27,14 @@ index ff82373..c7a58eb 100644
  NON_AUTO_MEDIA	+= liso
  %liso:	%lkrn util/geniso
 diff --git a/src/util/geniso b/src/util/geniso
-index 521c929..998370d 100755
+index 521c929..9e8588c 100755
 --- a/src/util/geniso
 +++ b/src/util/geniso
 @@ -6,16 +6,21 @@ function help() {
  	echo "usage: ${0} [OPTIONS] foo.lkrn [bar.lkrn,...]"
  	echo
  	echo "where OPTIONS are:"
-+	echo " -e	build image with EFI support"
++	echo " -e       build image with EFI support"
  	echo " -h       show this help"
  	echo " -l       build legacy image with floppy emulation"
  	echo " -o FILE  save iso image to file"
@@ -54,49 +53,47 @@ index 521c929..998370d 100755
  		h)
  			help
  			exit 0
-@@ -37,23 +42,24 @@ if [ -z "${OUT}" ]; then
+@@ -37,17 +42,25 @@ if [ -z "${OUT}" ]; then
  	exit 1
  fi
  
 -# There should either be mkisofs or the compatible genisoimage program
 -for command in genisoimage mkisofs; do
-+# We require xorriso (from libisoburn) for EFI support
-+# genisoimage and mkisofs are missing some features
-+for command in xorriso; do
- 	if ${command} --version >/dev/null 2>/dev/null; then
+-	if ${command} --version >/dev/null 2>/dev/null; then
 -		mkisofs=(${command})
-+		xorriso=(${command})
- 		break
- 	fi
- done
- 
+-		break
+-	fi
+-done
+-
 -if [ -z "${mkisofs}" ]; then
 -	echo "${0}: mkisofs or genisoimage not found, please install or set PATH" >&2
-+if [ -z "${xorriso}" ]; then
-+	echo "${0}: xorriso not found, please install or set PATH" >&2
++# We need xorriso (from libisoburn) for EFI support, so try that first.
++if xorriso --version >/dev/null 2>/dev/null; then
++	mkisofs=(xorriso -as mkisofs)
++elif [ ${EFI} -eq 1 ]; then
++	echo "${0}: xorriso not found, but required for EFI support. Please install." >&2
  	exit 1
++else
++	# fall back to mkisofs or the compatible genisoimage program
++	for command in genisoimage mkisofs; do
++		if ${command} --version >/dev/null 2>/dev/null; then
++			mkisofs=(${command})
++			break
++		fi
++	done
++
++	if [ -z "${mkisofs}" ]; then
++		echo "${0}: mkisofs or genisoimage not found, please install or set PATH" >&2
++		exit 1
++	fi
  fi
  
  dir=$(mktemp -d bin/iso.dir.XXXXXX)
- cfg=${dir}/isolinux.cfg
- 
--mkisofs+=(-quiet -l -volid "iPXE" -preparer "iPXE build system"
-+xorriso+=(-as mkisofs -quiet -l -volid "iPXE" -preparer "iPXE build system"
- 	-appid "iPXE ${VERSION} - Open Source Network Boot Firmware"
- 	-publisher "http://ipxe.org/" -c boot.cat)
- 
-@@ -116,12 +122,27 @@ case "${LEGACY}" in
- 		fi
- 
- 		# generate the iso image
--		"${mkisofs[@]}" -b boot.img -output ${OUT} ${dir}
-+		"${xorriso[@]}" -b boot.img -output ${OUT} ${dir}
- 		;;
- 	0)
+@@ -122,6 +135,21 @@ case "${LEGACY}" in
  		# copy isolinux bootloader
  		cp ${ISOLINUX_BIN} ${dir}
  
-+		xorriso+=(-b isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table)
++		mkisofs+=(-b isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table)
 +
 +		if [ "${EFI}" -eq 1 ]; then
 +			# generate EFI image
@@ -108,18 +105,18 @@ index 521c929..998370d 100755
 +			mcopy -m -i ${img} bin-x86_64-efi/ipxe.efi "::EFI/BOOT/BOOTX64.EFI"
 +			mcopy -m -i ${img} bin-i386-efi/ipxe.efi "::EFI/BOOT/BOOTIA32.EFI"
 +
-+			xorriso+=(-eltorito-alt-boot -e efiboot.img -isohybrid-gpt-basdat -no-emul-boot)
++			mkisofs+=(-eltorito-alt-boot -e efiboot.img -isohybrid-gpt-basdat -no-emul-boot)
 +		fi
 +
  		# syslinux 6.x needs a file called ldlinux.c32
  		LDLINUX_C32=$(dirname ${ISOLINUX_BIN})/ldlinux.c32
  		if [ -s ${LDLINUX_C32} ]; then
-@@ -129,7 +150,7 @@ case "${LEGACY}" in
+@@ -129,7 +157,7 @@ case "${LEGACY}" in
  		fi
  
  		# generate the iso image
 -		"${mkisofs[@]}" -b isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -output ${OUT} ${dir}
-+		"${xorriso[@]}" -output ${OUT} ${dir}
++		"${mkisofs[@]}" -output ${OUT} ${dir}
  
  		# isohybrid will be used if available
  		if isohybrid --version >/dev/null 2>/dev/null; then

src/ipxe_local/ssl/openssl.cnf

@@ -0,0 +1,33 @@
+[ ca ]
+default_ca             = ca_default
+
+[ ca_default ]
+certificate            = crts/ca.crt
+private_key            = keys/ca.key
+serial                 = txt/ca.srl
+database               = txt/ca.idx
+#new_certs_dir          = signed
+new_certs_dir          = crts
+#default_md             = default
+default_md             = sha512
+policy                 = policy_anything
+preserve               = yes
+default_days           = 90
+unique_subject         = no
+
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = optional
+emailAddress           = optional
+
+[ cross ]
+basicConstraints       = critical,CA:true
+keyUsage               = critical,cRLSign,keyCertSign
+
+[ codesigning ]
+keyUsage                = digitalSignature
+extendedKeyUsage        = codeSigning