Add program to build pi kernel (#1)

* Initial commit
* Add README

Author: tschaffter

CONTRIBUTING.md

@@ -0,0 +1,93 @@
+# Contributing
+
+When contributing to this repository, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a
+   build.
+2. Update the README.md with details of changes to the interface, this includes new environment
+   variables, exposed ports, useful file locations and container parameters.
+3. Increase the version numbers in any examples files and the README.md to the new version that this
+   Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
+4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you
+   do not have permission to do that, you may request the second reviewer to merge it for you.
+
+## Code of Conduct
+
+### Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+### Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+### Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+### Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+### Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+### Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at [http://contributor-covenant.org/version/2/0][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/2/0/

Dockerfile

@@ -0,0 +1,39 @@
+FROM debian:buster-20200607-slim
+
+LABEL maintainer="[email protected]"
+
+ARG user=builder
+
+# Install Git and the build dependencies
+# hadolint ignore=DL3008
+RUN apt-get update -qq -y && apt-get install --no-install-recommends -qq -y \
+    apt-transport-https \
+    bc \
+    bison \
+    build-essential \
+    ca-certificates \
+    cpio \
+    dpkg-dev \
+    fakeroot \
+    flex \
+    git \
+    kmod \
+    libssl-dev \
+    libc6-dev \
+    libncurses5-dev \
+    make \
+    rsync \
+    && update-ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create user and set work directory
+RUN useradd -m $user
+USER $user
+WORKDIR /home/$user
+
+# Copy script that builds the kernel
+COPY --chown=$user:$user build-kernel.sh .
+RUN chmod +x build-kernel.sh
+
+ENTRYPOINT ["bash", "build-kernel.sh"]
+CMD ["--help"]

README.md

@@ -0,0 +1,138 @@
+# Hardened kerrnel for Raspberry Pi
+
+## Overview
+
+This repository provides a dockerized tool to cross-compile the [Linux kernel for
+Raspberry Pi](https://www.raspberrypi.org/documentation/linux/kernel/building.md)
+with enhanced security.
+
+## Features
+
+- Dockerized tool to cross-compile the kernel with a single command
+- Hardened kernel features
+  - Enable Audit
+  - Enable SELinux
+
+## Builder options
+
+Run the folllowing command to see the options of the builder:
+
+```console
+$ docker run --rm tschaffter/raspberry-pi-kernel-hardened
+Cross-compiling hardened kernels for Raspberry Pi
+Usage: build-kernel.sh [--kernel-branch <arg>] [--kernel-defconfig <arg>] [--kernel-localversion <arg>] [-h|--help]
+    --kernel-branch: Kernel branch to build (default: '')
+    --kernel-defconfig: Default kernel config to use (default: '')
+    --kernel-localversion: Kernel local version (default: '')
+    -h, --help: Prints help
+```
+
+## Build the hardered kernel
+
+### Identify the kernel version to build
+
+Go to the GitHub repository of the [Linux kernel of Raspberry Pi](https://github.com/raspberrypi/linux)
+and identify the name of the branch or tag that you want to build.
+
+Examples:
+
+- The branch `rpi-4.19.y`
+- The tag `raspberrypi-kernel_1.20200527-1`
+
+### Identify the default configuration to use
+
+Go to the page [Kernel building](https://www.raspberrypi.org/documentation/linux/kernel/building.md)
+of the Raspberry Pi website to identify the default build configuration to use
+for the target Pi.
+
+Examples:
+
+- `bcmrpi_defconfig` for Raspberry Pi 1, Pi Zero, Pi Zero W, and Compute Module
+- `bcm2709_defconfig` for Raspberry Pi 2, Pi 3, Pi 3+, and Compute Module 3
+- `bcm2711_defconfig` for Raspberry Pi 4
+
+Check the above documentation to make sure that these examples are up-to-date.
+
+### Cross-compile the kernel
+
+The command below builds the branch `rpi-4.19.y` for the Raspberry Pi 4
+(`bcm2711_defconfig`). Because this branch is not stable, we include today's
+date to the value of `--kernel-localversion` (`4.19.y-20200614-hardened`).
+
+Once installed, the full kernel name will be
+
+```console
+$ uname -a
+Linux raspberrypi 4.19.127-4.19.y-20200614-hardened+ #1 SMP Sun Jun 14 15:06:51 UTC 2020 armv7l GNU/Linux
+```
+
+This command builds kernel:
+
+```console
+$ docker run \
+    --rm \
+    -v $PWD/output:/output \
+    tschaffter/raspberry-pi-kernel-hardened \
+        --kernel-branch rpi-4.19.y \
+        --kernel-defconfig bcm2711_defconfig \
+        --kernel-localversion 4.19.y-20200614-hardened
+Cloning into '/home/builder/tools'...
+Installing cross compiler toolchain
+Checking out files: 100% (19059/19059), done.
+Getting kernel source code
+Cloning into '/home/builder/linux'...
+...
+
+Moving .deb packages to /output
+SUCCESS The kernel has been successfully packaged.
+
+INSTALL
+sudo dpkg -i linux-*-4.19.y-20200614-hardened*.deb
+sudo sh -c "echo 'kernel=vmlinuz-4.19.127-4.19.y-20200614-hardened+' >> /boot/config.txt"
+sudo reboot
+
+ENABLE SELinux
+sudo apt-get install selinux-basics selinux-policy-default auditd
+sudo sh -c "echo ' selinux=1 security=selinux' >> /boot/cmdline.txt"
+sudo touch /.autorelabel
+sudo reboot
+sestatus
+```
+
+## Install the kernel
+
+Copy the Debian packages `$PWD/output/*.deb` to the target Raspbery Pi, for
+example using `scp`, then follow the instructions given at the end of the build
+command.
+
+## Notes
+
+- The builder uses all the CPU cores available to the Docker container. By default,
+that is all the CPU cores of the host. Use
+[Docker runtime options](https://docs.docker.com/config/containers/resource_constraints/#cpu)
+to limit the usage of CPU cores by the builder.
+
+- The builder clones two GitHub repositories, the cross-compiler toolchain and
+the source code of the kernel, unless their target directories already exist
+(`/home/builder/tools` and `/home/builder/linux`). When running the dockerized
+builder, you can mount volumes that points to these two directories to specify
+a different toolchain and kernel source code.
+
+```console
+$ git clone <toolchain-repo> tools
+$ git cllone <kernel-repo> linux
+$ docker run \
+    --rm \
+    -v $PWD/output:/output \
+    -v $PWD/tools:/home/builder/tools \
+    -v $PWD/linux:/home/builder/linux \
+    tschaffter/raspberry-pi-kernel-hardened \
+        --kernel-branch rpi-4.19.y \
+        --kernel-defconfig bcm2711_defconfig \
+        --kernel-localversion 4.19.y-20200614-hardened
+```
+
+## Contributing change
+
+Please read the [`CONTRIBUTING.md`](CONTRIBUTING.md) for details on how to
+contribute to this project.