From 3f501f9a0ccd24ec9bee20bf681831f186eeea9f Mon Sep 17 00:00:00 2001
From: "Luigi F. Cruz" <luigifcruz@gmail.com>
Date: Sat, 26 Aug 2023 23:10:51 -0300
Subject: [PATCH] Update pi-gen release.

---
 Dockerfile                                    |   4 +-
 build-docker.sh                               | 120 +++++++++++++-----
 build.sh                                      |  66 ++++++----
 config                                        |   2 +
 depends                                       |   2 +
 export-image/01-user-rename/00-packages       |   1 +
 export-image/01-user-rename/01-run.sh         |   9 ++
 .../01-run.sh                                 |   0
 .../{02-network => 03-network}/01-run.sh      |   0
 .../files/resolv.conf                         |   0
 .../00-run.sh                                 |   0
 .../{04-finalise => 05-finalise}/01-run.sh    |  32 +++--
 export-image/prerun.sh                        |  36 ++----
 scripts/common                                |  47 ++++---
 scripts/qcow2_handling                        |   4 +-
 stage0/00-configure-apt/00-run.sh             |   3 +-
 stage0/00-configure-apt/01-packages           |   1 +
 stage0/02-firmware/01-packages                |   1 -
 stage0/prerun.sh                              |   5 +
 stage1/01-sys-tweaks/00-packages              |   1 +
 stage1/01-sys-tweaks/00-run.sh                |   5 +-
 stage1/03-install-packages/00-packages        |   1 +
 stage2/00-copies-and-fills/01-packages        |   1 -
 stage2/00-copies-and-fills/02-run.sh          |   6 -
 stage2/01-sys-tweaks/00-packages              |   6 +-
 .../00-patches/07-resize-init.diff            |   2 +-
 stage2/01-sys-tweaks/01-run.sh                |   8 +-
 stage2/02-net-tweaks/00-packages              |   1 +
 stage2/02-net-tweaks/01-run.sh                |   5 +-
 stage3/00-install-packages/00-packages        |   2 +-
 stage3/00-install-packages/00-packages-nr     |   1 +
 stage4/00-install-packages/00-packages        |   2 +
 32 files changed, 241 insertions(+), 133 deletions(-)
 create mode 100644 export-image/01-user-rename/00-packages
 create mode 100755 export-image/01-user-rename/01-run.sh
 rename export-image/{01-set-sources => 02-set-sources}/01-run.sh (100%)
 rename export-image/{02-network => 03-network}/01-run.sh (100%)
 rename export-image/{02-network => 03-network}/files/resolv.conf (100%)
 rename export-image/{03-set-partuuid => 04-set-partuuid}/00-run.sh (100%)
 rename export-image/{04-finalise => 05-finalise}/01-run.sh (78%)
 create mode 100644 stage0/00-configure-apt/01-packages
 create mode 100644 stage1/01-sys-tweaks/00-packages
 delete mode 100644 stage2/00-copies-and-fills/01-packages
 delete mode 100755 stage2/00-copies-and-fills/02-run.sh

diff --git a/Dockerfile b/Dockerfile
index 4b34617..2a5d8fe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=debian:buster
+ARG BASE_IMAGE=debian:bullseye
 FROM ${BASE_IMAGE}
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -8,7 +8,7 @@ RUN apt-get -y update && \
         git vim parted \
         quilt coreutils qemu-user-static debootstrap zerofree zip dosfstools \
         libarchive-tools libcap2-bin rsync grep udev xz-utils curl xxd file kmod bc\
-        binfmt-support ca-certificates qemu-utils kpartx util-linux fdisk \
+        binfmt-support ca-certificates qemu-utils kpartx fdisk gpg pigz\
     && rm -rf /var/lib/apt/lists/*
 
 COPY . /pi-gen/
diff --git a/build-docker.sh b/build-docker.sh
index 7c93873..fc0398a 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -4,10 +4,15 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
 BUILD_OPTS="$*"
 
-DOCKER="docker"
-
-if ! ${DOCKER} ps >/dev/null 2>&1; then
-	DOCKER="sudo docker"
+# Allow user to override docker command
+DOCKER=${DOCKER:-docker}
+
+# Ensure that default docker command is not set up in rootless mode
+if \
+  ! ${DOCKER} ps    >/dev/null 2>&1 || \
+    ${DOCKER} info 2>/dev/null | grep -q rootless \
+; then
+	DOCKER="sudo ${DOCKER}"
 fi
 if ! ${DOCKER} ps >/dev/null; then
 	echo "error connecting to docker:"
@@ -48,7 +53,7 @@ fi
 CONTAINER_NAME=${CONTAINER_NAME:-pigen_work}
 CONTINUE=${CONTINUE:-0}
 PRESERVE_CONTAINER=${PRESERVE_CONTAINER:-0}
-PIGEN_DOCKER_OPTS=${PIGEN_DOCKER_OPTS:-""}  
+PIGEN_DOCKER_OPTS=${PIGEN_DOCKER_OPTS:-""}
 
 if [ -z "${IMG_NAME}" ]; then
 	echo "IMG_NAME not set in 'config'" 1>&2
@@ -75,42 +80,87 @@ fi
 # Modify original build-options to allow config file to be mounted in the docker container
 BUILD_OPTS="$(echo "${BUILD_OPTS:-}" | sed -E 's@\-c\s?([^ ]+)@-c /config@')"
 
-BASE_IMAGE=debian:buster
-${DOCKER} build --build-arg BASE_IMAGE=${BASE_IMAGE} -t pi-gen "${DIR}"
+${DOCKER} build --build-arg BASE_IMAGE=debian:bullseye -t pi-gen "${DIR}"
 
 if [ "${CONTAINER_EXISTS}" != "" ]; then
-	trap 'echo "got CTRL+C... please wait 5s" && ${DOCKER} stop -t 5 ${CONTAINER_NAME}_cont' SIGINT SIGTERM
-	time ${DOCKER} run --rm --privileged \
-		--cap-add=ALL \
-		-v /dev:/dev \
-		-v /lib/modules:/lib/modules \
-		${PIGEN_DOCKER_OPTS} \
-		--volume "${CONFIG_FILE}":/config:ro \
-		-e "GIT_HASH=${GIT_HASH}" \
-		--volumes-from="${CONTAINER_NAME}" --name "${CONTAINER_NAME}_cont" \
-		pi-gen \
-		bash -e -o pipefail -c "dpkg-reconfigure qemu-user-static &&
-	cd /pi-gen; ./build.sh ${BUILD_OPTS} &&
-	rsync -av work/*/build.log deploy/" &
-	wait "$!"
+  DOCKER_CMDLINE_NAME="${CONTAINER_NAME}_cont"
+  DOCKER_CMDLINE_PRE=( \
+    --rm \
+  )
+  DOCKER_CMDLINE_POST=( \
+    --volumes-from="${CONTAINER_NAME}" \
+  )
 else
-	trap 'echo "got CTRL+C... please wait 5s" && ${DOCKER} stop -t 5 ${CONTAINER_NAME}' SIGINT SIGTERM
-	time ${DOCKER} run --name "${CONTAINER_NAME}" --privileged \
-		--cap-add=ALL \
-		-v /dev:/dev \
-		-v /lib/modules:/lib/modules \
-		${PIGEN_DOCKER_OPTS} \
-		--volume "${CONFIG_FILE}":/config:ro \
-		-e "GIT_HASH=${GIT_HASH}" \
-		pi-gen \
-		bash -e -o pipefail -c "dpkg-reconfigure qemu-user-static &&
-	cd /pi-gen; ./build.sh ${BUILD_OPTS} &&
-	rsync -av work/*/build.log deploy/" &
-	wait "$!"
+  DOCKER_CMDLINE_NAME="${CONTAINER_NAME}"
+  DOCKER_CMDLINE_PRE=( \
+  )
+  DOCKER_CMDLINE_POST=( \
+  )
+fi
+
+# Check if binfmt_misc is required
+binfmt_misc_required=1
+case $(uname -m) in
+  aarch64)
+    binfmt_misc_required=0
+    ;;
+  arm*)
+    binfmt_misc_required=0
+    ;;
+esac
+
+# Check if qemu-aarch64-static and /proc/sys/fs/binfmt_misc are present
+if [[ "${binfmt_misc_required}" == "1" ]]; then
+  if ! qemu_arm=$(which qemu-aarch64-static) ; then
+    echo "qemu-aarch64-static not found (please install qemu-user-static)"
+    exit 1
+  fi
+  if [ ! -f /proc/sys/fs/binfmt_misc/register ]; then
+    echo "binfmt_misc required but not mounted, trying to mount it..."
+    if ! mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc ; then
+        echo "mounting binfmt_misc failed"
+        exit 1
+    fi
+    echo "binfmt_misc mounted"
+  fi
+  if ! grep -q "^interpreter ${qemu_arm}" /proc/sys/fs/binfmt_misc/qemu-aarch64* ; then
+    # Register qemu-aarch64 for binfmt_misc
+    reg="echo ':qemu-aarch64-rpi:M::"\
+"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:"\
+"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:"\
+"${qemu_arm}:F' > /proc/sys/fs/binfmt_misc/register"
+    echo "Registering qemu-aarch64 for binfmt_misc..."
+    sudo bash -c "${reg}" 2>/dev/null || true
+  fi
 fi
 
+trap 'echo "got CTRL+C... please wait 5s" && ${DOCKER} stop -t 5 ${DOCKER_CMDLINE_NAME}' SIGINT SIGTERM
+time ${DOCKER} run \
+  --name "${DOCKER_CMDLINE_NAME}" \
+  --privileged \
+  --cap-add=ALL \
+  -v /dev:/dev \
+  -v /lib/modules:/lib/modules \
+  ${PIGEN_DOCKER_OPTS} \
+  --volume "${CONFIG_FILE}":/config:ro \
+  -e "GIT_HASH=${GIT_HASH}" \
+  pi-gen \
+  bash -e -o pipefail -c "
+    dpkg-reconfigure qemu-user-static &&
+    # binfmt_misc is sometimes not mounted with debian bullseye image
+    (mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc || true) &&
+    cd /pi-gen; ./build.sh ${BUILD_OPTS} &&
+    rsync -av work/*/build.log deploy/
+  " &
+  wait "$!"
+
+# Ensure that deploy/ is always owned by calling user
 echo "copying results from deploy/"
-${DOCKER} cp "${CONTAINER_NAME}":/pi-gen/deploy .
+${DOCKER} cp "${CONTAINER_NAME}":/pi-gen/deploy - | tar -xf -
+
+echo "copying log from container ${CONTAINER_NAME} to depoy/"
+${DOCKER} logs --timestamps "${CONTAINER_NAME}" &>deploy/build-docker.log
+
 ls -lah deploy
 
 # cleanup
diff --git a/build.sh b/build.sh
index d56583e..986f81c 100755
--- a/build.sh
+++ b/build.sh
@@ -14,20 +14,14 @@ $(cat "${i}-debconf")
 SELEOF
 EOF
 
-		log "End ${SUB_STAGE_DIR}/${i}-debconf"
+			log "End ${SUB_STAGE_DIR}/${i}-debconf"
 		fi
 		if [ -f "${i}-packages-nr" ]; then
 			log "Begin ${SUB_STAGE_DIR}/${i}-packages-nr"
 			PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < "${i}-packages-nr")"
 			if [ -n "$PACKAGES" ]; then
 				on_chroot << EOF
-n=0
-until [ "$n" -ge 5 ]
-do
-    apt-get --ignore-missing --fix-missing install --no-install-recommends -y $PACKAGES && break
-    n=$((n+1))
-    sleep 15
-done
+apt-get -o Acquire::Retries=3 install --no-install-recommends -y $PACKAGES
 EOF
 				if [ "${USE_QCOW2}" = "1" ]; then
 					on_chroot << EOF
@@ -42,13 +36,7 @@ EOF
 			PACKAGES="$(sed -f "${SCRIPT_DIR}/remove-comments.sed" < "${i}-packages")"
 			if [ -n "$PACKAGES" ]; then
 				on_chroot << EOF
-n=0
-until [ "$n" -ge 5 ]
-do
-    apt-get --ignore-missing --fix-missing install -y $PACKAGES && break
-    n=$((n+1))
-    sleep 15
-done
+apt-get -o Acquire::Retries=3 install -y $PACKAGES
 EOF
 				if [ "${USE_QCOW2}" = "1" ]; then
 					on_chroot << EOF
@@ -145,7 +133,7 @@ run_stage(){
 		done
 	fi
 
-	if [ "${USE_QCOW2}" = "1" ]; then 
+	if [ "${USE_QCOW2}" = "1" ]; then
 		unload_qimage
 	else
 		# make sure we are not umounting during export-image stage
@@ -167,6 +155,14 @@ if [ "$(id -u)" != "0" ]; then
 fi
 
 BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+if [[ $BASE_DIR = *" "* ]]; then
+	echo "There is a space in the base path of pi-gen"
+	echo "This is not a valid setup supported by debootstrap."
+	echo "Please remove the spaces, or move pi-gen directory to a base path without spaces" 1>&2
+	exit 1
+fi
+
 export BASE_DIR
 
 if [ -f config ]; then
@@ -207,19 +203,30 @@ fi
 export USE_QEMU="${USE_QEMU:-0}"
 export IMG_DATE="${IMG_DATE:-"$(date +%Y-%m-%d)"}"
 export IMG_FILENAME="${IMG_FILENAME:-"${IMG_DATE}-${IMG_NAME}"}"
-export ZIP_FILENAME="${ZIP_FILENAME:-"${IMG_DATE}-${IMG_NAME}"}"
+export ARCHIVE_FILENAME="${ARCHIVE_FILENAME:-"image_${IMG_DATE}-${IMG_NAME}"}"
 
 export SCRIPT_DIR="${BASE_DIR}/scripts"
-export WORK_DIR="${WORK_DIR:-"${BASE_DIR}/work/${IMG_DATE}-${IMG_NAME}"}"
+export WORK_DIR="${WORK_DIR:-"${BASE_DIR}/work/${IMG_NAME}"}"
 export DEPLOY_DIR=${DEPLOY_DIR:-"${BASE_DIR}/deploy"}
-export DEPLOY_ZIP="${DEPLOY_ZIP:-1}"
+
+# DEPLOY_ZIP was deprecated in favor of DEPLOY_COMPRESSION
+# This preserve the old behavior with DEPLOY_ZIP=0 where no archive was created
+if [ -z "${DEPLOY_COMPRESSION}" ] && [ "${DEPLOY_ZIP:-1}" = "0" ]; then
+	echo "DEPLOY_ZIP has been deprecated in favor of DEPLOY_COMPRESSION"
+	echo "Similar behavior to DEPLOY_ZIP=0 can be obtained with DEPLOY_COMPRESSION=none"
+	echo "Please update your config file"
+	DEPLOY_COMPRESSION=none
+fi
+export DEPLOY_COMPRESSION=${DEPLOY_COMPRESSION:-zip}
+export COMPRESSION_LEVEL=${COMPRESSION_LEVEL:-6}
 export LOG_FILE="${WORK_DIR}/build.log"
 
 export TARGET_HOSTNAME=${TARGET_HOSTNAME:-raspberrypi}
 
 export FIRST_USER_NAME=${FIRST_USER_NAME:-pi}
-export FIRST_USER_PASS=${FIRST_USER_PASS:-raspberry}
-export RELEASE=${RELEASE:-bullseye}
+export FIRST_USER_PASS
+export DISABLE_FIRST_BOOT_USER_RENAME=${DISABLE_FIRST_BOOT_USER_RENAME:-0}
+export RELEASE=${RELEASE:-bullseye} # Don't forget to update stage0/prerun.sh
 export WPA_ESSID
 export WPA_PASSWORD
 export WPA_COUNTRY
@@ -276,6 +283,10 @@ fi
 
 export NO_PRERUN_QCOW2="${NO_PRERUN_QCOW2:-1}"
 
+if [ "$SETFCAP" != "1" ]; then
+	export CAPSH_ARG="--drop=cap_setfcap"
+fi
+
 dependencies_check "${BASE_DIR}/depends"
 
 #check username is valid
@@ -284,6 +295,17 @@ if [[ ! "$FIRST_USER_NAME" =~ ^[a-z][-a-z0-9_]*$ ]]; then
 	exit 1
 fi
 
+if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]] && [ -z "${FIRST_USER_PASS}" ]; then
+	echo "To disable user rename on first boot, FIRST_USER_PASS needs to be set"
+	echo "Not setting FIRST_USER_PASS makes your system vulnerable and open to cyberattacks"
+	exit 1
+fi
+
+if [[ "$DISABLE_FIRST_BOOT_USER_RENAME" == "1" ]]; then
+	echo "User rename on the first boot is disabled"
+	echo "Be advised of the security risks linked to shipping a device with default username/password set."
+fi
+
 if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then
 	echo "Could not reach APT_PROXY server: ${APT_PROXY}"
 	exit 1
@@ -381,7 +403,7 @@ for EXPORT_DIR in ${EXPORT_DIRS}; do
 
 	else
 		run_stage
-	fi 
+	fi
 	if [ "${USE_QEMU}" != "1" ]; then
 		if [ -e "${EXPORT_DIR}/EXPORT_NOOBS" ]; then
 			# shellcheck source=/dev/null
diff --git a/config b/config
index c51f746..a8079b3 100644
--- a/config
+++ b/config
@@ -2,3 +2,5 @@ IMG_NAME='PiSDR'
 ENABLE_SSH=1
 TARGET_HOSTNAME='pisdr'
 FIRST_USER_PASS='raspberry'
+DEPLOY_COMPRESSION='xz'
+COMPRESSION_LEVEL=9
\ No newline at end of file
diff --git a/depends b/depends
index eeb2490..db88171 100644
--- a/depends
+++ b/depends
@@ -19,3 +19,5 @@ lsmod:kmod
 bc
 qemu-nbd:qemu-utils
 kpartx
+gpg
+pigz
diff --git a/export-image/01-user-rename/00-packages b/export-image/01-user-rename/00-packages
new file mode 100644
index 0000000..e8b69fc
--- /dev/null
+++ b/export-image/01-user-rename/00-packages
@@ -0,0 +1 @@
+userconf-pi
diff --git a/export-image/01-user-rename/01-run.sh b/export-image/01-user-rename/01-run.sh
new file mode 100755
index 0000000..aa5dd94
--- /dev/null
+++ b/export-image/01-user-rename/01-run.sh
@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+if [[ "${DISABLE_FIRST_BOOT_USER_RENAME}" == "0" ]]; then
+	on_chroot <<- EOF
+		SUDO_USER="${FIRST_USER_NAME}" rename-user -f -s
+	EOF
+else
+	rm -f "${ROOTFS_DIR}/etc/xdg/autostart/piwiz.desktop"
+fi
diff --git a/export-image/01-set-sources/01-run.sh b/export-image/02-set-sources/01-run.sh
similarity index 100%
rename from export-image/01-set-sources/01-run.sh
rename to export-image/02-set-sources/01-run.sh
diff --git a/export-image/02-network/01-run.sh b/export-image/03-network/01-run.sh
similarity index 100%
rename from export-image/02-network/01-run.sh
rename to export-image/03-network/01-run.sh
diff --git a/export-image/02-network/files/resolv.conf b/export-image/03-network/files/resolv.conf
similarity index 100%
rename from export-image/02-network/files/resolv.conf
rename to export-image/03-network/files/resolv.conf
diff --git a/export-image/03-set-partuuid/00-run.sh b/export-image/04-set-partuuid/00-run.sh
similarity index 100%
rename from export-image/03-set-partuuid/00-run.sh
rename to export-image/04-set-partuuid/00-run.sh
diff --git a/export-image/04-finalise/01-run.sh b/export-image/05-finalise/01-run.sh
similarity index 78%
rename from export-image/04-finalise/01-run.sh
rename to export-image/05-finalise/01-run.sh
index 3e72c0c..c104366 100755
--- a/export-image/04-finalise/01-run.sh
+++ b/export-image/05-finalise/01-run.sh
@@ -18,6 +18,12 @@ fi
 
 rm -f "${ROOTFS_DIR}/usr/bin/qemu-arm-static"
 
+if [ "${USE_QEMU}" != "1" ]; then
+	if [ -e "${ROOTFS_DIR}/etc/ld.so.preload.disabled" ]; then
+		mv "${ROOTFS_DIR}/etc/ld.so.preload.disabled" "${ROOTFS_DIR}/etc/ld.so.preload"
+	fi
+fi
+
 rm -f "${ROOTFS_DIR}/etc/network/interfaces.dpkg-old"
 
 rm -f "${ROOTFS_DIR}/etc/apt/sources.list~"
@@ -72,9 +78,8 @@ cp "$ROOTFS_DIR/etc/rpi-issue" "$INFO_FILE"
 
 mkdir -p "${DEPLOY_DIR}"
 
-rm -f "${DEPLOY_DIR}/${ZIP_FILENAME}${IMG_SUFFIX}.zip"
+rm -f "${DEPLOY_DIR}/${ARCHIVE_FILENAME}${IMG_SUFFIX}.*"
 rm -f "${DEPLOY_DIR}/${IMG_FILENAME}${IMG_SUFFIX}.img"
-rm -f "${DEPLOY_DIR}/${ZIP_FILENAME}${IMG_SUFFIX}.img.xz"
 
 mv "$INFO_FILE" "$DEPLOY_DIR/"
 
@@ -90,11 +95,22 @@ else
 	make_bootable_image "${STAGE_WORK_DIR}/${IMG_FILENAME}${IMG_SUFFIX}.qcow2" "$IMG_FILE"
 fi
 
-if [ "${DEPLOY_ZIP}" == "1" ]; then
+case "${DEPLOY_COMPRESSION}" in
+zip)
 	pushd "${STAGE_WORK_DIR}" > /dev/null
-	xz -T16 -c "$(basename "${IMG_FILE}")" > "${DEPLOY_DIR}/${ZIP_FILENAME}${IMG_SUFFIX}.img.xz"
+	zip -"${COMPRESSION_LEVEL}" \
+	"${DEPLOY_DIR}/${ARCHIVE_FILENAME}${IMG_SUFFIX}.zip" "$(basename "${IMG_FILE}")"
 	popd > /dev/null
-	rm -f "${DEPLOY_DIR}/${IMG_FILENAME}${IMG_SUFFIX}.img"
-else
-	mv "$IMG_FILE" "$DEPLOY_DIR/"
-fi
+	;;
+gz)
+	pigz --force -"${COMPRESSION_LEVEL}" "$IMG_FILE" --stdout > \
+	"${DEPLOY_DIR}/${ARCHIVE_FILENAME}${IMG_SUFFIX}.img.gz"
+	;;
+xz)
+	xz --compress --force --threads 0 --memlimit-compress=50% -"${COMPRESSION_LEVEL}" \
+	--stdout "$IMG_FILE" > "${DEPLOY_DIR}/${ARCHIVE_FILENAME}${IMG_SUFFIX}.img.xz"
+	;;
+none | *)
+	cp "$IMG_FILE" "$DEPLOY_DIR/"
+;;
+esac
diff --git a/export-image/prerun.sh b/export-image/prerun.sh
index fad7f80..267bbe0 100755
--- a/export-image/prerun.sh
+++ b/export-image/prerun.sh
@@ -33,49 +33,29 @@ if [ "${NO_PRERUN_QCOW2}" = "0" ]; then
 	parted --script "${IMG_FILE}" unit B mkpart primary fat32 "${BOOT_PART_START}" "$((BOOT_PART_START + BOOT_PART_SIZE - 1))"
 	parted --script "${IMG_FILE}" unit B mkpart primary ext4 "${ROOT_PART_START}" "$((ROOT_PART_START + ROOT_PART_SIZE - 1))"
 
-	PARTED_OUT=$(parted -sm "${IMG_FILE}" unit b print)
-	BOOT_OFFSET=$(echo "$PARTED_OUT" | grep -e '^1:' | cut -d':' -f 2 | tr -d B)
-	BOOT_LENGTH=$(echo "$PARTED_OUT" | grep -e '^1:' | cut -d':' -f 4 | tr -d B)
-
-	ROOT_OFFSET=$(echo "$PARTED_OUT" | grep -e '^2:' | cut -d':' -f 2 | tr -d B)
-	ROOT_LENGTH=$(echo "$PARTED_OUT" | grep -e '^2:' | cut -d':' -f 4 | tr -d B)
-
-	echo "Mounting BOOT_DEV..."
-	cnt=0
-	until BOOT_DEV=$(losetup --show -f -o "${BOOT_OFFSET}" --sizelimit "${BOOT_LENGTH}" "${IMG_FILE}"); do
-		if [ $cnt -lt 5 ]; then
-			cnt=$((cnt + 1))
-			echo "Error in losetup for BOOT_DEV.  Retrying..."
-			sleep 5
-		else
-			echo "ERROR: losetup for BOOT_DEV failed; exiting"
-			exit 1
-		fi
-	done
-
-	echo "Mounting ROOT_DEV..."
+	echo "Creating loop device..."
 	cnt=0
-	until ROOT_DEV=$(losetup --show -f -o "${ROOT_OFFSET}" --sizelimit "${ROOT_LENGTH}" "${IMG_FILE}"); do
+	until ensure_next_loopdev && LOOP_DEV="$(losetup --show --find --partscan "$IMG_FILE")"; do
 		if [ $cnt -lt 5 ]; then
 			cnt=$((cnt + 1))
-			echo "Error in losetup for ROOT_DEV.  Retrying..."
+			echo "Error in losetup.  Retrying..."
 			sleep 5
 		else
-			echo "ERROR: losetup for ROOT_DEV failed; exiting"
+			echo "ERROR: losetup failed; exiting"
 			exit 1
 		fi
 	done
 
-	echo "/boot: offset $BOOT_OFFSET, length $BOOT_LENGTH"
-	echo "/:     offset $ROOT_OFFSET, length $ROOT_LENGTH"
+	BOOT_DEV="${LOOP_DEV}p1"
+	ROOT_DEV="${LOOP_DEV}p2"
 
 	ROOT_FEATURES="^huge_file"
-	for FEATURE in metadata_csum 64bit; do
+	for FEATURE in 64bit; do
 	if grep -q "$FEATURE" /etc/mke2fs.conf; then
 		ROOT_FEATURES="^$FEATURE,$ROOT_FEATURES"
 	fi
 	done
-	mkdosfs -n boot -F 32 -v "$BOOT_DEV" > /dev/null
+	mkdosfs -n bootfs -F 32 -s 4 -v "$BOOT_DEV" > /dev/null
 	mkfs.ext4 -L rootfs -O "$ROOT_FEATURES" "$ROOT_DEV" > /dev/null
 
 	mount -v "$ROOT_DEV" "${ROOTFS_DIR}" -t ext4
diff --git a/scripts/common b/scripts/common
index fe64e74..8c54c45 100644
--- a/scripts/common
+++ b/scripts/common
@@ -7,21 +7,18 @@ bootstrap(){
 	local BOOTSTRAP_CMD=debootstrap
 	local BOOTSTRAP_ARGS=()
 
-	#export http_proxy=${APT_PROXY}
-
-	if [ "$(dpkg --print-architecture)" !=  "armhf" ] && [ "$(dpkg --print-architecture)" !=  "aarch64" ]; then
-		BOOTSTRAP_CMD=qemu-debootstrap
-	fi
+	export http_proxy=${APT_PROXY}
 
 	BOOTSTRAP_ARGS+=(--arch arm64)
 	BOOTSTRAP_ARGS+=(--include gnupg)
 	BOOTSTRAP_ARGS+=(--components "main,contrib,non-free")
 	#BOOTSTRAP_ARGS+=(--keyring "${STAGE_DIR}/files/raspberrypi.gpg")
 	BOOTSTRAP_ARGS+=(--exclude=info)
+	BOOTSTRAP_ARGS+=(--include=ca-certificates)
 	BOOTSTRAP_ARGS+=("$@")
 	printf -v BOOTSTRAP_STR '%q ' "${BOOTSTRAP_ARGS[@]}"
 
-	capsh --drop=cap_setfcap -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true
+	capsh $CAPSH_ARG -- -c "'${BOOTSTRAP_CMD}' $BOOTSTRAP_STR" || true
 
 	if [ -d "$2/debootstrap" ] && ! rmdir "$2/debootstrap"; then
 		cp "$2/debootstrap/debootstrap.log" "${STAGE_WORK_DIR}"
@@ -61,19 +58,15 @@ export -f unmount
 unmount_image(){
 	sync
 	sleep 1
-	local LOOP_DEVICES
-	LOOP_DEVICES=$(losetup --list | grep "$(basename "${1}")" | cut -f1 -d' ')
-	for LOOP_DEV in ${LOOP_DEVICES}; do
-		if [ -n "${LOOP_DEV}" ]; then
-			local MOUNTED_DIR
-			MOUNTED_DIR=$(mount | grep "$(basename "${LOOP_DEV}")" | head -n 1 | cut -f 3 -d ' ')
-			if [ -n "${MOUNTED_DIR}" ] && [ "${MOUNTED_DIR}" != "/" ]; then
-				unmount "$(dirname "${MOUNTED_DIR}")"
+	LOOP_DEVICE=$(losetup --list | grep "$1" | cut -f1 -d' ')
+	if [ -n "$LOOP_DEVICE" ]; then
+		for part in "$LOOP_DEVICE"p*; do
+			if DIR=$(findmnt -n -o target -S "$part"); then
+				unmount "$DIR"
 			fi
-			sleep 1
-			losetup -d "${LOOP_DEV}"
-		fi
-	done
+		done
+		losetup -d "$LOOP_DEVICE"
+	fi
 }
 export -f unmount_image
 
@@ -94,7 +87,15 @@ on_chroot() {
 		mount --bind /sys "${ROOTFS_DIR}/sys"
 	fi
 
-	capsh --drop=cap_setfcap "--chroot=${ROOTFS_DIR}/" -- -e "$@"
+	if ! mount | grep -q "$(realpath "${ROOTFS_DIR}"/run)"; then
+		mount -t tmpfs  tmpfs "${ROOTFS_DIR}/run"
+	fi
+
+	if ! mount | grep -q "$(realpath "${ROOTFS_DIR}"/tmp)"; then
+		mount -t tmpfs  tmpfs "${ROOTFS_DIR}/tmp"
+	fi
+
+	capsh $CAPSH_ARG "--chroot=${ROOTFS_DIR}/" -- -e "$@"
 }
 export -f on_chroot
 
@@ -102,3 +103,11 @@ update_issue() {
 	echo -e "Raspberry Pi reference ${IMG_DATE}\nGenerated using ${PI_GEN}, ${PI_GEN_REPO}, ${GIT_HASH}, ${1}" > "${ROOTFS_DIR}/etc/rpi-issue"
 }
 export -f update_issue
+
+ensure_next_loopdev() {
+	local loopdev
+	loopdev="$(losetup -f)"
+	loopmaj="$(echo "$loopdev" | sed -E 's/.*[^0-9]*?([0-9]+)$/\1/')"
+	[[ -b "$loopdev" ]] || mknod "$loopdev" b 7 "$loopmaj"
+}
+export -f ensure_next_loopdev
diff --git a/scripts/qcow2_handling b/scripts/qcow2_handling
index 6b2a56b..66708e7 100644
--- a/scripts/qcow2_handling
+++ b/scripts/qcow2_handling
@@ -109,8 +109,8 @@ load_qimage() {
 EOF
 				sync
 				kpartx -as $NBD_DEV
-				mkdosfs -n boot -F 32 -v $MAP_BOOT_DEV
-				mkfs.ext4 -L rootfs -O "^huge_file,^metadata_csum,^64bit" $MAP_ROOT_DEV
+				mkdosfs -n boot -F 32 -s 4 -v $MAP_BOOT_DEV
+				mkfs.ext4 -L rootfs -O "^huge_file,^64bit" $MAP_ROOT_DEV
 				sync
 			else
 				if [ ! -f "${WORK_DIR}/image-${PREV_STAGE}.qcow2" ]; then
diff --git a/stage0/00-configure-apt/00-run.sh b/stage0/00-configure-apt/00-run.sh
index 651d154..c962c35 100755
--- a/stage0/00-configure-apt/00-run.sh
+++ b/stage0/00-configure-apt/00-run.sh
@@ -12,7 +12,8 @@ else
 	rm -f "${ROOTFS_DIR}/etc/apt/apt.conf.d/51cache"
 fi
 
-on_chroot apt-key add - < files/raspberrypi.gpg.key
+cat files/raspberrypi.gpg.key | gpg --dearmor > "${STAGE_WORK_DIR}/raspberrypi-archive-stable.gpg"
+install -m 644 "${STAGE_WORK_DIR}/raspberrypi-archive-stable.gpg" "${ROOTFS_DIR}/etc/apt/trusted.gpg.d/"
 on_chroot << EOF
 dpkg --add-architecture armhf
 apt-get update
diff --git a/stage0/00-configure-apt/01-packages b/stage0/00-configure-apt/01-packages
new file mode 100644
index 0000000..f5e3789
--- /dev/null
+++ b/stage0/00-configure-apt/01-packages
@@ -0,0 +1 @@
+raspberrypi-archive-keyring
diff --git a/stage0/02-firmware/01-packages b/stage0/02-firmware/01-packages
index 127bf36..b166aa8 100644
--- a/stage0/02-firmware/01-packages
+++ b/stage0/02-firmware/01-packages
@@ -1,3 +1,2 @@
 raspberrypi-bootloader
 raspberrypi-kernel
-raspi-config
diff --git a/stage0/prerun.sh b/stage0/prerun.sh
index e001309..e4f85f1 100755
--- a/stage0/prerun.sh
+++ b/stage0/prerun.sh
@@ -1,5 +1,10 @@
 #!/bin/bash -e
 
+if [ "$RELEASE" != "bullseye" ]; then
+	echo "WARNING: RELEASE does not match the intended option for this branch."
+	echo "         Please check the relevant README.md section."
+fi
+
 if [ ! -d "${ROOTFS_DIR}" ] || [ "${USE_QCOW2}" = "1" ]; then
 	bootstrap ${RELEASE} "${ROOTFS_DIR}" http://deb.debian.org/debian/
 fi
diff --git a/stage1/01-sys-tweaks/00-packages b/stage1/01-sys-tweaks/00-packages
new file mode 100644
index 0000000..9e91ea1
--- /dev/null
+++ b/stage1/01-sys-tweaks/00-packages
@@ -0,0 +1 @@
+raspi-config
diff --git a/stage1/01-sys-tweaks/00-run.sh b/stage1/01-sys-tweaks/00-run.sh
index 9c380ec..0f761bd 100755
--- a/stage1/01-sys-tweaks/00-run.sh
+++ b/stage1/01-sys-tweaks/00-run.sh
@@ -8,7 +8,10 @@ on_chroot << EOF
 if ! id -u ${FIRST_USER_NAME} >/dev/null 2>&1; then
 	adduser --disabled-password --gecos "" ${FIRST_USER_NAME}
 fi
-echo "${FIRST_USER_NAME}:${FIRST_USER_PASS}" | chpasswd
+
+if [ -n "${FIRST_USER_PASS}" ]; then
+	echo "${FIRST_USER_NAME}:${FIRST_USER_PASS}" | chpasswd
+fi
 echo "root:root" | chpasswd
 EOF
 
diff --git a/stage1/03-install-packages/00-packages b/stage1/03-install-packages/00-packages
index 73edcc9..a3d2fb6 100644
--- a/stage1/03-install-packages/00-packages
+++ b/stage1/03-install-packages/00-packages
@@ -1 +1,2 @@
 libraspberrypi-bin libraspberrypi0
+systemd-timesyncd
diff --git a/stage2/00-copies-and-fills/01-packages b/stage2/00-copies-and-fills/01-packages
deleted file mode 100644
index 283c290..0000000
--- a/stage2/00-copies-and-fills/01-packages
+++ /dev/null
@@ -1 +0,0 @@
-raspi-copies-and-fills
diff --git a/stage2/00-copies-and-fills/02-run.sh b/stage2/00-copies-and-fills/02-run.sh
deleted file mode 100755
index 366ac24..0000000
--- a/stage2/00-copies-and-fills/02-run.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash -e
-
-if [ -f "${ROOTFS_DIR}/etc/ld.so.preload" ]; then
-   mv "${ROOTFS_DIR}/etc/ld.so.preload" "${ROOTFS_DIR}/etc/ld.so.preload.disabled"
-fi
-
diff --git a/stage2/01-sys-tweaks/00-packages b/stage2/01-sys-tweaks/00-packages
index 55f8451..6138c6d 100644
--- a/stage2/01-sys-tweaks/00-packages
+++ b/stage2/01-sys-tweaks/00-packages
@@ -1,5 +1,5 @@
 ssh less fbset sudo psmisc strace ed ncdu crda
-console-setup keyboard-configuration debconf-utils parted unzip
+console-setup keyboard-configuration debconf-utils parted
 build-essential manpages-dev bash-completion gdb pkg-config
 python-is-python3
 python3-rpi.gpio v4l-utils
@@ -30,3 +30,7 @@ ntfs-3g
 pciutils
 rpi-eeprom
 raspinfo
+udisks2
+unzip zip p7zip-full
+file
+kms++-utils
diff --git a/stage2/01-sys-tweaks/00-patches/07-resize-init.diff b/stage2/01-sys-tweaks/00-patches/07-resize-init.diff
index cb160ae..dfc01d4 100644
--- a/stage2/01-sys-tweaks/00-patches/07-resize-init.diff
+++ b/stage2/01-sys-tweaks/00-patches/07-resize-init.diff
@@ -2,4 +2,4 @@
 +++ stage2/rootfs/boot/cmdline.txt
 @@ -1 +1 @@
 -console=serial0,115200 console=tty1 root=ROOTDEV rootfstype=ext4 fsck.repair=yes rootwait
-+console=serial0,115200 console=tty1 root=ROOTDEV rootfstype=ext4 fsck.repair=yes rootwait quiet init=/usr/lib/raspi-config/init_resize.sh
++console=serial0,115200 console=tty1 root=ROOTDEV rootfstype=ext4 fsck.repair=yes rootwait quiet init=/usr/lib/raspberrypi-sys-mods/firstboot
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index 4a757a1..294a0ec 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -24,8 +24,6 @@ s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuth
 fi
 
 on_chroot << EOF
-gcc -march=native -Q --help=target
-echo "++++++++++++++++++++++++++++++++++++"
 systemctl disable hwclock.sh
 systemctl disable nfs-common
 systemctl disable rpcbind
@@ -54,11 +52,15 @@ on_chroot <<EOF
 for GRP in input spi i2c gpio; do
 	groupadd -f -r "\$GRP"
 done
-for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi i2c netdev; do
+for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi i2c netdev render; do
   adduser $FIRST_USER_NAME \$GRP
 done
 EOF
 
+if [ -f "${ROOTFS_DIR}/etc/sudoers.d/010_pi-nopasswd" ]; then
+  sed -i "s/^pi /$FIRST_USER_NAME /" "${ROOTFS_DIR}/etc/sudoers.d/010_pi-nopasswd"
+fi
+
 on_chroot << EOF
 setupcon --force --save-only -v
 EOF
diff --git a/stage2/02-net-tweaks/00-packages b/stage2/02-net-tweaks/00-packages
index cc4a68e..f0125f6 100644
--- a/stage2/02-net-tweaks/00-packages
+++ b/stage2/02-net-tweaks/00-packages
@@ -1,4 +1,5 @@
 wpasupplicant wireless-tools firmware-atheros firmware-brcm80211 firmware-libertas firmware-misc-nonfree firmware-realtek
 raspberrypi-net-mods
 dhcpcd5
+network-manager
 net-tools
diff --git a/stage2/02-net-tweaks/01-run.sh b/stage2/02-net-tweaks/01-run.sh
index 837e861..3b06c05 100755
--- a/stage2/02-net-tweaks/01-run.sh
+++ b/stage2/02-net-tweaks/01-run.sh
@@ -5,10 +5,13 @@ install -v -m 600 files/wpa_supplicant.conf	"${ROOTFS_DIR}/etc/wpa_supplicant/"
 
 on_chroot << EOF
 	SUDO_USER="${FIRST_USER_NAME}" raspi-config nonint do_boot_wait 0
+	SUDO_USER="${FIRST_USER_NAME}" raspi-config nonint do_netconf 1
 EOF
 
 if [ -v WPA_COUNTRY ]; then
-	echo "country=${WPA_COUNTRY}" >> "${ROOTFS_DIR}/etc/wpa_supplicant/wpa_supplicant.conf"
+	on_chroot <<- EOF
+		SUDO_USER="${FIRST_USER_NAME}" raspi-config nonint do_wifi_country "${WPA_COUNTRY}"
+	EOF
 fi
 
 if [ -v WPA_ESSID ] && [ -v WPA_PASSWORD ]; then
diff --git a/stage3/00-install-packages/00-packages b/stage3/00-install-packages/00-packages
index 322d338..c88cf4c 100644
--- a/stage3/00-install-packages/00-packages
+++ b/stage3/00-install-packages/00-packages
@@ -12,4 +12,4 @@ fonts-liberation2
 obconf
 arandr
 libcamera-tools
-libcamera-apps
\ No newline at end of file
+libcamera-apps
diff --git a/stage3/00-install-packages/00-packages-nr b/stage3/00-install-packages/00-packages-nr
index f8bff31..8c16b40 100644
--- a/stage3/00-install-packages/00-packages-nr
+++ b/stage3/00-install-packages/00-packages-nr
@@ -4,3 +4,4 @@ lxde lxtask menu-xdg
 zenity xdg-utils
 gvfs-backends gvfs-fuse
 lightdm gnome-themes-standard gnome-icon-theme
+gnome-keyring
diff --git a/stage4/00-install-packages/00-packages b/stage4/00-install-packages/00-packages
index e76d411..7854596 100644
--- a/stage4/00-install-packages/00-packages
+++ b/stage4/00-install-packages/00-packages
@@ -23,3 +23,5 @@ piwiz
 rp-prefapps
 ffmpeg
 vlc
+rpi-imager
+rpi-wayland