Arch linux arm img

Installing ArchLinux ARM alongside Android without chroot

What we need

You perform all actions at your own risk.

I used

Part 1: Preparation

1. Download the ArchLinux ARM archive from a mirror:

The following steps must be carried out on the Android device

2. Create a file for the future image using make_ext4fs.

If you have a separate partition on the memory card, it is preferable to use it. In my case the 16 GB SD card was full of important data and there was no way to move the main FAT partition.

Depending on the settings, /sdcard can be either the external or the internal memory card.

3221225472 is 1024*1024*1024*3, so a 3 GB image will be created. Choose the image size to suit yourself. Remember that a file larger than 4 GB cannot be created on FAT32.

3. Mount the image and unpack the ArchLinux ARM files

4. Although our goal is to do without chroot, a chroot is still needed for basic configuration and for checking that everything works. Otherwise you will have to update and install additional packages on the live system.

Part 2: Finding and solving problems

Problem 1: ping does not work

Recall that Android has a strict permission-separation system, and it includes a "Full network access" permission. Without this permission, users cannot get full access to sockets. That is just what we need.

Go back to the Android console and run the id command:

Your output may differ

But here is the catch: chroot does not update the groups. This "hack" will help:

Try again:

Problem 2: DNS does not work

Remove the symlink to systemd and write in proper DNS servers:

If you have broken PATH

If it happens that simple commands such as ls, cat, su do not work (are not found by the system), you can try calling them directly: /system/bin/ls, /system/bin/cat, /system/xbin/su.
Or reboot the device.

Install the necessary packages

Check gcc

Part 3: Preparing to work without chroot

The most important thing that lets ArchLinux work without chroot alongside Android is the fact that the directories and files of ArchLinux and Android are different and do not interfere with each other.

If you are not sure that the files will not overlap, run these commands from the Android console:

This will show the overlapping files. For me it looks like this:

Copy the files from /etc/ to /arch/etc/ from Android:

The -a switch is mandatory, because with plain -R the permissions will not be copied.

Root access needs to be taken care of in advance.

Android applications require that the su command grant superuser access immediately, without asking for a password.

Part 4: Let's go!

Create the necessary directories and use mount --bind to virtually replace a directory without changing it on disk.

If something was done incorrectly, you can reboot the device and try again. The mount order matters. If a mount fails, standard commands may be picked up from ArchLinux before all directories are mounted.

What next

As a result we have a nearly full-fledged ArchLinux, with the exception of systemd, with fresh package versions.

You can install http, php, mysql. When properly configured to reduce memory consumption, they worked correctly even on my smartphone with 512 MB of RAM.

You can install the X libraries and, with an X server for Android, use Linux software. xterm worked correctly.

You can build any programs (and, oh no, kernels) for Linux without a PC.
You can install Java for ARM and use Java applications.

Afterword

A big problem remains systemd and its tie to PID 1. To keep PID 1, you need to get into Android's init and add an exec after device initialization. This can be done by replacing Android's init with a shell script, but then the question remains what to do with the original Android init. Since space on the boot disk is limited to a few megabytes, you will need to use switch_root into a pre-built image. I have not yet managed to get systemd running this way.

I'm 16, and this is my first publication. Constructive criticism is welcome.


Arch linux arm img

We are a port of Arch Linux, which aims for simplicity and full control to the end user. We provide a light-weight base structure that allows you to shape the system to your needs.

Optimized

We build optimized packages for soft-float ARMv5te, hard-float ARMv6 and ARMv7, and ARMv8 AArch64 instruction sets to use each platform to its full potential.

Up to Date

New software versions are packaged as they are released, ensuring you are always on the leading edge of stable software releases.

Arch Linux ARM is a distribution of Linux for ARM computers. We provide targeted kernel and software support for soft-float ARMv5te, hard-float ARMv6 and ARMv7, and ARMv8 AArch64 instruction sets on a variety of consumer devices and development platforms. Our collaboration with Arch Linux brings users the best platform, newest packages, and installation support.


Arch Linux ARM carries forward the Arch Linux philosophy of simplicity and user-centrism, targeting and accommodating competent Linux users by giving them complete control and responsibility over the system. Instructions are provided to assist in navigating the nuances of installation on the various ARM platforms; however, the system itself will offer little assistance to the user.

The entire distribution is on a rolling-release cycle that can be updated daily through small packages instead of huge updates on a defined release schedule. Most packages are unmodified from what the upstream developer originally released.

Hosting Sponsors

Arch Linux ARM is grateful to our hosting sponsors who help keep the lights on and allow us to concentrate on development.

Hardware Sponsors

And a big thanks to the individuals and companies that provide us with the hardware and resources to continue development.

Copyright ©2009-2020 Arch Linux ARM
The registered trademark Linux® is used pursuant to a sublicense from LMI, the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide basis.
The Arch Linux™ name and logo are used under permission of the Arch Linux Project Lead.


Arch linux arm img

A simple (unofficial) CI/CD bash script to build a zipped .img of Arch Linux Arm installation archives, released to GitHub releases.

The alarm project does not publish images, just inconveniently packaged archives that require a very up-to-date version of bsdtar.

You can use this repo in a few different ways:

Flashing the provided image

  1. The / partition is very small, so you will also need to extend that to fill up your SD card. You have to do this from an external system, you cannot resize the partition with the system running on the SD card itself.
  • Arch Linux: Parted#Resizing_partitions
  • macOS: TODO
  • Windows: TODO
  1. Continue on step 9 from the relevant instructions where you boot the SD card, log in (user: alarm, pw: alarm, root: root) and initialize pacman:

Running your own build

The intended usage is to just consume the artifacts published on the GitHub releases page, but you can also run it locally on Linux.

The script requires sudo access, because it needs to mount things. Read the script, it's short.

There is also a script to install a new bsdtar, but it's just a simple ./configure ; make ; make install, so it's not recommended to use it outside of a disposable environment. Find a way to install bsdtar 3.3.1 or greater with your system package manager.

If you do run your own build, set it up to run in a CI environment. See .travis.yml for example CI usage.

Customize with packer (experimental)

(Note the following method is still experimental/WIP and doesn’t work yet)

Create customized versions of this image with packer and solo-io/packer-builder-arm-image.

  • Install packages
  • Resize the image
  • Create users
  • Set up ssh keys
  • etc.

See github.com/bcomnes/raspi-packer for example consumption of this image with packer. (Not functional yet, see solo-io/packer-builder-arm-image#12)

Currently publishing the following installations. Open a pull request if you would like additional images added or to request a rebuild. Images are dated when they were created.

Run your own builds in CI for a greater level of trust in the build output.


Downloads

Updating/upgrading to the latest Arch Linux ARM release

Since Arch Linux ARM is a rolling distribution, you never need to download new releases or run special upgrade scripts. The entire system is kept up-to-date by running one command: pacman -Syu

The latest versions of packages are always available to all of our users. The only time you have to download a full Arch Linux ARM root filesystem is when you’re installing for the very first time.

All releases are signed with the same key used for package signing, key ID 68B3537F39A313B3E574D06777193F152BDBE6A6.

Current Releases

| Name | File | Checksum | Signature |
|---|---|---|---|
| ARMv5 AT91 Arietta | ArchLinuxARM-arietta-latest.tar.gz | MD5 | SIG |
| ARMv5 Kirkwood platforms | ArchLinuxARM-kirkwood-latest.tar.gz | MD5 | SIG |
| ARMv5 Multi-platform | ArchLinuxARM-armv5-latest.tar.gz | MD5 | SIG |
| ARMv5 PXA168/910 platforms | ArchLinuxARM-mmp-latest.tar.gz | MD5 | SIG |
| ARMv6 Raspberry Pi | ArchLinuxARM-rpi-latest.tar.gz | MD5 | SIG |
| ARMv7 AM33x BeagleBone | ArchLinuxARM-am33x-latest.tar.gz | MD5 | SIG |
| ARMv7 Amlogic S805 ODROID-C1 | ArchLinuxARM-odroid-c1-latest.tar.gz | MD5 | |



gea0 / arch-rpi-64-full-disk-encryption-ssh-unlock.md

Arch Linux ARM 64 on Raspberry Pi 3 B+ With Full Disk Encryption And SSH Unlock: 2018 Edition

There are multiple ways to get a full disk encrypted arch linux system on raspberry. In this tutorial, we will install a 64-bit arch linux armv8 system, using dropbear as ssh server for remote pre-boot unlocking of the root filesystem. However, it will still be possible to unlock and use the pi as usual, with a keyboard and monitor. We will also create an unencrypted partition in the installation process, usable as a rescue system.

Differences to the 32-bit arch linux arm version:

  • probably better performance
  • can run 64-bit software
  • comes without the proprietary video-driver blobs
  • uses the linux-aarch64 mainline kernel instead of linux-raspberrypi
  • uses Das U-Boot instead of the normal raspberry boot process

The 32-bit version images are named ArchLinuxARM-rpi-2-latest.tar.gz, and are usable for the Raspberry Pi version 2 and 3, while the 64-bit version images are named ArchLinuxARM-rpi-3-latest.tar.gz.

For different setup options, see the end of the document.

Get The Image and check the signature

Make sure to verify the GPG-key from Arch Linux ARM Build System and its fingerprint. At this time it is 68B3 537F 39A3 13B3 E574 D067 7719 3F15 2BDB E6A6
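A way to enforce the fingerprint named here and on the downloads page, written as an added example rather than code from the tutorial or from Arch Linux ARM: it pins the fingerprint and accepts a download only when gpg's machine-readable VALIDSIG status line carries it. The file arguments are supplied by the caller, and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: pin the Arch Linux ARM signing fingerprint and decide on
# gpg's machine-readable status lines, not on its human-readable output.

# Fingerprint as printed on this page.
PINNED_FPR="68B3 537F 39A3 13B3 E574 D067 7719 3F15 2BDB E6A6"

# normalize_fpr FPR: strip whitespace, uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# status_signed_by STATUS_TEXT FPR
# Succeeds only if STATUS_TEXT (output of gpg --status-fd) has a VALIDSIG line
# whose signing-key fingerprint (field 3) or primary-key fingerprint (last
# field) equals FPR. Only VALIDSIG is consulted because it always carries the
# full fingerprint of the key that made the signature.
status_signed_by() {
    printf '%s\n' "$1" | awk -v want="$(normalize_fpr "$2")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release FILE SIGFILE
# Runs gpg on a detached signature; fails on a bad signature, a missing
# public key, or a valid signature made by any other key.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_signed_by "$status" "$PINNED_FPR"
}

# Constructed sample of gpg status output (signer name and dates are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 77193F152BDBE6A6 Constructed Signer
[GNUPG:] VALIDSIG 68B3537F39A313B3E574D06777193F152BDBE6A6 2020-01-01 1577836800 0 4 0 1 8 00 68B3537F39A313B3E574D06777193F152BDBE6A6'

# Usage: sh this-script FILE SIGFILE
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature OK, key matches pinned fingerprint"
fi
```

The MD5 checksums listed next to each archive only detect a corrupted download; the signature check is what ties the file to the signing key.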

Basically, follow the installation instructions from archlinuxarm.org, with a few changes:

The boot partition needs to be larger than 100M, use e.g. 300M to be on the safe side. The second partition will be unencrypted and used for the installation system, use 3G or more if you want to include more software here. Make a third partition from the remaining space, it will be our encrypted system.

You should overwrite the third partition with random bytes, to achieve greater forensic resistance:

Now put the SD card in the pi, apply power, and log in (over ssh if you want) as user alarm, password alarm. The root password is root.

Prepare the rescue system

On the new system on the pi, upgrade, and install the necessary software:

You might also want to set a locale, keymap, hostname and everything else you want to have in the rescue system. Use the usual arch wiki installation guide for reference.

Enable sudo (you need it to build packages from AUR). Use visudo and append the line alarm ALL=(ALL) .

To be on the safe side, reboot your system now, and log in again.

Install the mkinitcpio tools

You need the following AUR packages: mkinitcpio-utils mkinitcpio-netconf mkinitcpio-dropbear .

Using an AUR helper is not strictly necessary, as you can install the mkinitcpio packages manually from the AUR, but it is probably more convenient. E.g. after installing yay , use:

Note: yay is an especially handy AUR helper on Arch Linux ARM, since it can easily skip architecture checks when building pkgbuilds with an officially unsupported arch.

mkinitcpio-dropbear only seems to be able to deal with RSA keys. So, on your primary computer, generate a new one:

Transfer it to the pi:

(The IP address is probably different, of course) Then, on the pi:

The matching lines in your ~/.ssh/config file should be something like this:

You can then simply use ssh pi , and ssh pi-rescue to unlock at boot.

Prepare the initial ramdisk

You might want to backup the files we will be editing:

Or, even better, backup the whole /boot/ partition. If you break your encrypted system, you can simply overwrite the /boot/ partition with the backup, and thus easily boot the rescue system to fix things.

Change the line MODULES=() to

These are needed for the initramfs to contain the ethernet and usb drivers (the ethernet is connected over usb internally). More Information on this.

Also, insert the hooks sleep netconf dropbear encryptssh before filesystems in the line HOOKS=().

The line should look like this:

You might also want to add the keymap hook after block , and set up a different keymap in /etc/vconsole.conf , if you want to use a non-US keyboard layout for entering your encryption passphrase.
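A pre-flight check for the hook order described above, to run before the initramfs is regenerated; this is an added example, not part of the original tutorial, and the sample configuration in it is constructed. `filesystems` is the mkinitcpio hook name the unlock hooks have to precede.

```shell
#!/bin/sh
# Added example: confirm the remote-unlock hooks are present and ordered.

# Order required by the tutorial text. "sleep" is only a race workaround and
# can be dropped from this list on systems that do not need it.
REQUIRED_ORDER="sleep netconf dropbear encryptssh filesystems"

# check_unlock_hooks TEXT
# TEXT is the contents of mkinitcpio.conf (or just its HOOKS line).
# Prints "ok", "missing: X" or "misordered: X comes before Y";
# the exit status is 0 only for "ok". Commented-out HOOKS lines are ignored.
check_unlock_hooks() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*$/\1/p' |
    awk -v required="$REQUIRED_ORDER" '
        # remember the first position of every hook on the active HOOKS line
        { for (i = 1; i <= NF; i++) if (!($i in pos)) pos[$i] = ++count }
        END {
            n = split(required, need, " ")
            for (i = 1; i <= n; i++) {
                if (!(need[i] in pos)) { print "missing: " need[i]; exit 1 }
                if (i > 1 && pos[need[i]] < pos[need[i-1]]) {
                    print "misordered: " need[i] " comes before " need[i-1]
                    exit 1
                }
            }
            print "ok"
        }'
}

# Constructed sample: a commented template line followed by the active line.
SAMPLE_CONF='# HOOKS=(base udev block filesystems)
HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)'

# Usage: sh this-script /etc/mkinitcpio.conf
if [ -r "${1:-}" ]; then
    check_unlock_hooks "$(cat "$1")"
fi
```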

Then, regenerate the initramfs:

Note: If you get the Error: Unrecognised key type message while the mkinitcpio-dropbear hook is running: Remove at least one of these ssh hostkeys, and regenerate it in the /etc/ssh directory with the -m PEM option. Example:

Then re-run mkinitcpio -P . See this dropbear bug on the key converting error.

Set up the encrypted partition

The number of iterations in the key derivation function, here -i 1000 , can be increased to make the encryption passphrase more resistant. With 1000 iterations, it takes about 2 seconds to unlock the partition.

Sync the system

Now, copy the prepared system to the encrypted partition:

Add to /mnt/etc/fstab (file on the encrypted partition /mnt/etc/, not in /etc/!):

and to /mnt/etc/crypttab :

Configure the bootloader

Note: This differs a lot from the 32-bit arch linux arm process, since U-Boot is used as bootloader. More information on the new boot process

You don’t have to edit /boot/config.txt and /boot/cmdline.txt anymore; the latter doesn’t even exist anymore.

Instead, edit /boot/boot.txt .

Comment out the part uuid line, add a static ip setup, the cryptdevice, and change the root filesystem, all in the setenv line. It should look like this:

After changing the file, regenerate the bootloader image:

Notes:

  • You can also add earlyprintk after setenv bootargs to get more debug output from the boot process.
  • Of course, adjust your IP address, gateway and subnet mask
  • You can also get an IP address with DHCP here, use e.g. ip=. pi_rescue:eth0:dhcp (see the arch wiki for more net options).
  • You can also set a different MAC address in the setenv line, e.g. with smsc95xx.macaddr=ab:cd:ef:01:23:45.
  • For problems with building the boot image, see the U-Boot Documentation

Moment Of Truth

Now, reboot your pi. You should be prompted for the encryption passphrase when connecting the pi to a screen and a keyboard. Also, you should be able to connect with ssh pi_rescue, and enter your passphrase there.

After unlocking, your ssh connection will be dropped.

You can now ssh to your encrypted system with ssh pi !

Configure the new system

You can make all the usual configuration like language, hostname, timezone, NTP, ... that you didn’t make in the rescue system. It is also possible to use completely different settings here!

  • If you broke your encrypted system somehow, and were wise enough to make a backup of your /boot/ partition: plug the SD card into another computer and regain access to your rescue system like so:

Then, boot the pi, and log into the rescue system. Depending on how you messed up, you may want to change-root into the encrypted system and fix stuff:

Or, maybe you need to re-do the steps above after Prepare the rescue system.

Currently, the boot process hangs with the message USB0: scanning bus 0 for devices. , when some USB-devices are connected. Try different USB-devices or disconnect them before booting the pi. This seems to be a bug in U-Boot.

If you have issues with ssh, try to connect with ssh root@192.168.1.100 and ssh alarm@192.168.1.100 . The -F /etc/ssh/ssh_config and -v are also helpful to debug ssh problems.

If dropbear, for some reason, didn’t use the openssh hostkeys, but created its own, you will see the WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! message when connecting to the encrypted system. OpenSSH might also prefer other hostkeys over the rsa ones dropbear uses. The solution is to accept two different hostkeys for the same IP address of the pi. Edit ~/.ssh/known_hosts, search for the IP address of your pi. Copy the line and delete it, then ssh to the pi. Now paste the line back into the file, so you have two lines with the same IP, but with different hostkeys.

Instead of the default linux-aarch64 kernel, linux-aarch64-raspberrypi-bin from the AUR can be used. This is worth a try if some features are not working, like bluetooth, the Raspberry Touch Display, or video.

Previously, the AUR package dropbear_initrd_encrypt could be used. This was split into the packages mkinitcpio-netconf , mkinitcpio-dropbear and mkinitcpio-utils .

The sleep hook is not strictly necessary, but without it, on some systems, there is a race-condition. The smsc95xx module has not initialized the network interface yet before the net hook tries to configure it.

Instead of the netconf hook from the package mkinitcpio-netconf , the net hook from the package mkinitcpio-nfs-utils can be used to parse the ip= kernel parameter. It is more up-to-date, but so far, there does not seem to be a difference between them.

You might have to also add an ECDSA key to /etc/dropbear , or your first boot could fail.

In similar tutorials, you often see the advice to wipe the encrypted partition with /dev/zero instead of /dev/urandom . But this doesn’t add security, it is basically useless! (Unless you only want to wipe previous data from the sdcard, but then you should wipe the whole card and not one partition. Or, unless, you plan to give the encryption passphrase to someone, and want to be able to prove that there are no hidden containers in the un-used space)

Other Setup Choices

Arch Linux System: You can still use the 32-bit rpi-2 image for the Raspberry Pi 3, but the installation process will be different. Especially the boot process differs a lot. Basically, you need to add initramfs initrd followkernel to /boot/config.txt, and cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root to /boot/cmdline.txt, instead of editing /boot/boot.txt and running mkscr. To get more information, follow the links below.

Installation method: Instead of using an additional unencrypted partition to make the install, you can emulate the pi cpu architecture on your main computer using the qemu and qemu-arch-extra packages. See this tutorial, and adapt it to the new rpi-3 64-bit version of arch linux arm. Also: arch wiki on QEMU

SSH daemon: Instead of using dropbear , you can also include tinyssh in the initial ramdisk. See the arch wiki.

mkinitcpio hooks: Instead of using mkinitcpio-dropbear , mkinitcpio-netconf , and mkinitcpio-utils , it can all be done with systemd and the mkinitcpio-systemd-tool AUR package. See the arch wiki entry on remote unlocking of dm-crypt.

File system: Some folks might want to use btrfs instead of ext4 on the encrypted filesystem. This gives the advantage See this tutorial, and adapt it for the newer rpi-3 64-bit version.

