updated README.md

Jeremy Anderson 2026-06-13 17:15:55 -04:00
parent bf8d1e9549
commit 539c4383de
2 changed files with 339 additions and 373 deletions

631
BTC.sh

@ -1,398 +1,407 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # BTC-0.3.1.sh - Build Tool Chain (Sovereign Forge Edition)
# BTC-0.3.0.sh - Sovereign Sentry Forge # Identity: dcosnet / dcos.net | Target: Broadwell-HS / Haswell-EP
# Identity: dcosnet / dcos.net | Swarm: Broadwell-HS / Haswell-EP # Version: 0.3.1 | Persistence: /opt/BTC | Volatile: ramfs
# License: GNU Affero General Public License v3 (AGPL-3.0) # License: GNU AGPLv3 Mandatory Prominent Interactive Notice
#
# Notwithstanding any other provision of this License, if you modify
# the Program, your modified version must prominently offer all users
# interacting with it remotely through a computer network an
# opportunity to receive the Corresponding Source of your version.
#
# Profile: Ghost / Virt / Base - Multi-Target Hardened Kernel & eBPF
# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
# Persistence: /opt/BTC | Volatile: ramfs
# Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net) # Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)
# ==============================================================================
# --- 1. AGPL COMPLIANCE & IDENTITY --- set -euo pipefail
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
# --- 1. AGPL INTERACTIVE LICENSE COMPLIANCE ---
function f_agpl_header() { function f_agpl_header() {
cat <<EOF clear
>> BTC-0.3.0 "Sovereign Sentry" cat << 'EOF'
>> Copyright (C) 2026 Jeremy Anderson ===========================================================================
>> Licensed under GNU AGPLv3. NO WARRANTY. BTC-0.3.1: SOVEREIGN FORGE PIPELINE (AGPLv3 PROTECTED)
>> SOURCE: https://git.dcos.net/jeremy/btc (Official Mirror) ===========================================================================
>> ----------------------------------------------------- This program is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License.
REMOTE INTERACTION NOTICE: Per Section 13 of the GNU AGPLv3, if you modify
this script and offer its toolchain-building capabilities as a service over
a network, you MUST make your complete modified source code available.
===========================================================================
EOF EOF
if [[ ! -f /var/tmp/BTC-AGPL-ACCEPTED ]]; then
echo -n "Do you accept the network-sovereignty terms of the AGPLv3? (y/N): "
read -r reply
if [[ "${reply}" =~ ^[Yy]$ ]]; then
touch /var/tmp/BTC-AGPL-ACCEPTED
else
echo ">> Build aborted: AGPLv3 acceptance is mandatory for execution."
exit 1
fi
fi
} }
# --- 2. HARDENED ENVIRONMENT --- # --- 2. SILICON IDENTITY & SAFE RESOURCE MANAGEMENT ---
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
set -euo pipefail
set -f
# Expand aliases for non-interactive bash to ensure absolute paths run correctly
shopt -s expand_aliases
alias rsync='/usr/bin/rsync'
alias tar='/usr/bin/tar'
alias gcc='/usr/bin/gcc'
alias sha256sum='/usr/bin/sha256sum'
# --- 3. RECOVERY & CLEANUP ---
trap "echo '>> Interrupt: Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM
# --- 4. GLOBAL CONFIG ---
export BTC_DEBUG_LEVEL=1
export BTC_STRIP_MODE=1
export BTC_ARCHIVE=/opt/BTC
export SOURCES_ACTIVE=/usr/src
export SOURCE_CACHE=${BTC_ARCHIVE}/src
export v_glibc='glibc-2.41'
export v_gcc='gcc-14.2.0'
export v_binutils='binutils-2.46'
export v_linux='linux-7.1'
export NEWROOT=${SOURCES_ACTIVE}/BTC-Forge
export LOGS=${NEWROOT}/LOGS
export DISTRO="DCOSNET-LEAD"
# --- 5. SILICON IDENTITY & MITIGATION ---
function f_silicon_probe() { function f_silicon_probe() {
echo ">> [IDENTITY] Interrogating Silicon..." echo ">> Interrogating Core Topology and Instruction Extensions..."
local RAW_ARCH
RAW_ARCH=$(gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}')
if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then if [[ -z "${RAW_ARCH}" || "${RAW_ARCH}" == "x86-64" ]]; then
echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..." export TARGET_ARCH="haswell"
rmmod algif_aead || true else
export TARGET_ARCH="${RAW_ARCH}"
fi fi
local RAW_ARCH=$(/usr/bin/gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}')
[[ -z "$RAW_ARCH" || "$RAW_ARCH" == "x86-64" ]] && export TARGET_ARCH="hsw" || export TARGET_ARCH="bdw"
export ISA_TAG="AVX2" export ISA_TAG="AVX2"
export OPT_TAG="LTO" export OPT_TAG="LTO"
export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}" export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
export TARGET="x86_64-dcosnet-linux-gnu" export TARGET="x86_64-dcosnet-linux-gnu"
local total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}') # Resource-Safe Threading: Allocate 2GB RAM per core floor to prevent LTO thrashing
export v_threads="-j$(( (total_ram / 2048) < $(nproc) ? (total_ram / 2048) : $(nproc) ))" local total_cpus
total_cpus=$(nproc)
local free_gb
free_gb=$(free -g | awk '/^Mem:/{print $7}')
local safe_threads=$(( free_gb / 2 ))
export GLOBAL_CFLAGS="-O3 -march=native -flto=$(nproc) -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe" if [[ ${safe_threads} -lt 1 ]]; then safe_threads=1; fi
export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=$(nproc) --sysroot=${NEWROOT}" if [[ ${safe_threads} -gt ${total_cpus} ]]; then safe_threads=${total_cpus}; fi
export v_threads="-j${safe_threads}"
export CCACHE_DIR="${BTC_ARCHIVE}/cache/${SYS_LABEL}" echo ">> [IDENTITY STAMP] ${SYS_LABEL}"
mkdir -p "${CCACHE_DIR}" echo ">> [THREAD ALLOCATION] Probed ${total_cpus} cores -> Throttled to ${v_threads} for LTO Safety."
} }
# --- 6. DCOSNET FORENSIC STAMPING (ELF & XATTR) --- # --- 3. SYSTEM PATHS & STAGING MATRIX ---
export SOURCES_ACTIVE=/usr/src
export BTC_ARCHIVE=/opt/BTC
export SOURCE_CACHE=${BTC_ARCHIVE}/src
export RAMDISK_SIZE="12gb"
# Upstream Production Matrices
export v_linux='linux-7.1'
export v_binutils='binutils-2.46'
export v_gcc='gcc-14.2.0'
export v_glibc='glibc-2.41'
export v_libxcrypt='4.4.36'
export v_gmp='gmp-6.3.0'
export v_mpfr='mpfr-4.2.1'
export v_mpc='mpc-1.3.1'
export NEWROOT="${SOURCES_ACTIVE}/${SYS_LABEL}-cleanroom"
export LOGS="${BTC_ARCHIVE}/logs/${SYS_LABEL}"
export HOST_ARCH="x86_64-pc-linux-gnu"
# Optimization Ensembles
export GLOBAL_CFLAGS="-O3 -march=${TARGET_ARCH} -flto -ffat-lto-objects --sysroot=${NEWROOT} -pipe"
export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto --sysroot=${NEWROOT}"
# --- 4. HARDWARE SENTINEL & TELEMETRY MODULES ---
function f_guard() {
local max_temp=85
local min_mem=800
local cur_temp
local cur_mem
cur_temp=$(cat /sys/class/thermal/thermal_zone*/temp | head -n1 | awk '{print $1/1000}')
cur_mem=$(free -m | awk '/^Mem:/{print $7}')
if (( ${cur_temp%.*} > max_temp )); then
echo ">> [WARNING: THERMAL SPIKE] Temp at ${cur_temp}°C. Throttling build for cooling phase..."
sleep 15
fi
if [[ ${cur_mem} -lt ${min_mem} ]]; then
echo ">> [WARNING: MEMORY SATURATION] Free memory at ${cur_mem}MB. Yielding pipeline execution..."
sleep 20
fi
}
function f_entropy_shield() {
local min_entropy=1000
local cur_entropy
cur_entropy=$(cat /proc/sys/kernel/random/entropy_avail)
if [[ ${cur_entropy} -lt ${min_entropy} ]]; then
echo ">> [ENTROPY DEFICIT] Pool dropped to ${cur_entropy}. Injecting safe hardware-jitter..."
find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
sleep 2
kill $! 2>/dev/null || true
fi
}
function f_exec_log() {
local cmd="$1"
local log_base="$2"
f_entropy_shield
f_guard
echo ">> Executing: ${log_base}"
stdbuf -oL -eL bash -c "${cmd}" 2>&1 | \
pv -t -r -b -N "${log_base}" | \
tee -a "${LOGS}/${log_base}.log" > /dev/null
}
function f_tmux_dashboard() {
if [[ -n "${TMUX:-}" ]]; then
echo ">> Active Tmux session identified. Splitting target tracking matrix..."
tmux split-window -h -p 35 "tail -F ${LOGS}/*.log" || true
tmux split-window -v -p 50 "watch -n 2 'echo \"=== ENTROPY POOL ===\"; cat /proc/sys/kernel/random/entropy_avail; echo \"=== NETWORK BOUND MATRIX ===\"; ss -tunp | grep -v 127.0.0.1'" || true
tmux select-pane -t 0 || true
fi
}
# --- 5. FORENSIC IDENTITY STAMPING LAYER ---
function f_stamp_binary() { function f_stamp_binary() {
local target_bin="$1" local target_bin="$1"
local log_base="$2" local log_base="$2"
cat <<EOF > btc_stamp.s if [[ -f "${target_bin}" && ! -L "${target_bin}" ]]; then
.section .note.BTC,"a" # 1. Inject ELF Object Note
.align 4 cat << EOF > btc_stamp.s
.long 4f - 1f .section .note.BTC,"a",@note
.long 3f - 2f .long 2f - 1f
.long 4f - 3f
.long 1 .long 1
1: .asciz "DCOSNET" 1: .asciz "DCOSNET"
2: .ascii "Org: dcos.net|K:7.1|I:${ISA_TAG}|O:${OPT_TAG}|T:${DISTRO}|F:${HOSTNAME}" 2: .align 4
3: .align 4 3: .ascii "Org: dcos.net|K:7.1|Arch:${TARGET_ARCH}|Label:${SYS_LABEL}|Forge:${log_base}"
4: 4: .align 4
EOF EOF
/usr/bin/gcc -c btc_stamp.s -o btc_stamp.o gcc -c btc_stamp.s -o btc_stamp.o
objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}" objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}"
rm btc_stamp.s btc_stamp.o rm -f btc_stamp.s btc_stamp.o
local bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}') # 2. Append Extended Filesystem Attributes Ledger
setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}" local bin_hash
setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}" bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}')
setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-sovereign" "${target_bin}" 2>/dev/null || true
setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}" 2>/dev/null || true
if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then # 3. Separate Debug Symbols & Create External Links
if [[ "${BTC_STRIP_MODE:-1}" -eq 1 ]]; then
mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}" mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug" objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug"
strip --strip-unneeded "${target_bin}" strip --strip-unneeded "${target_bin}"
objcopy --add-gnu-debuglink="${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug" "${target_bin}" objcopy --add-gnu-debuglink="${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug" "${target_bin}"
fi fi
}
# --- 7. THE INVISIBLE GUARD ---
function f_guard() {
local max_temp=85
local min_mem=800
while true; do
local cur_temp=$(cat /sys/class/thermal/thermal_zone*/temp | head -n1 | awk '{print $1/1000}')
local cur_mem=$(/usr/bin/free -m | awk '/^Mem:/{print $7}')
if (( cur_temp > max_temp )); then
echo ">> [THERMAL PAUSE] ${cur_temp}°C - Cooling..."
sleep 10
elif (( cur_mem < min_mem )); then
echo ">> [MEMORY PAUSE] ${cur_mem}MB - Waiting for LTO clearance (RDIMM)..."
sleep 30
else
break
fi
done
}
function f_entropy_shield() {
local cur_ent=$(cat /proc/sys/kernel/random/entropy_avail)
if (( cur_ent < 250 )); then
echo ">> [ENTROPY SHIELD] Low Pool. Generating Jitter for 7.1 Signing..."
find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
sleep 2 && kill $! 2>/dev/null || true
fi
}
# --- 8. EXECUTION ENGINE (FORENSIC) ---
function f_exec_log() {
local cmd="$1"
local log_base="$2"
local mode="${3:-build}"
f_entropy_shield
f_guard
if [[ "$mode" == "install" ]]; then
stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \
pv -t -r -b -N "${log_base}" >> "${LOGS}/${log_base}.log" 2>&1
find ${NEWROOT} -type f -executable -exec bash -c '
file "$1" | grep -q "ELF" && f_stamp_binary "$1" "'"${log_base}"'"
' _ {} \;
else
stdbuf -oL -eL bash -c "${cmd}" | \
pv -t -r -b -N "${log_base}" | \
tee -a "${LOGS}/${log_base}.log" > /dev/null \
2> >(tee -a "${LOGS}/${log_base}.err" >> "${LOGS}/${log_base}.log")
fi fi
} }
# --- 6. CLEANROOM MATRIX CONFIGURATION ---
function f_setup() { function f_setup() {
local ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}') echo ">> Preparing Virtualized Cleanroom Environment..."
mount -t ramfs -o size=$((ram_kb/2/1024))M ramfs ${SOURCES_ACTIVE} mkdir -p "${SOURCE_CACHE}" "${LOGS}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
mkdir -p ${NEWROOT}/{bin,lib,lib64,sbin,etc,usr,boot} ${LOGS}
ln -sf lib ${NEWROOT}/lib64
if [[ -n "${TMUX:-}" ]]; then if ! mountpoint -q "${SOURCES_ACTIVE}"; then
tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null" mount -t ramfs -o size=${RAMDISK_SIZE} ramfs "${SOURCES_ACTIVE}"
tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'" echo ">> Ramfs Cleanroom mounted at ${SOURCES_ACTIVE} with ceiling ${RAMDISK_SIZE}."
tmux split-window -v -p 50 "watch -n 2 'echo \"ENTROPY: \$(cat /proc/sys/kernel/random/entropy_avail)\"; iostat -dx 1 2 | awk \"/avg-cpu/ {getline; print \\\$4 \\\"% iowait\\\"}\"'"
tmux select-pane -t 0
echo ">> BTC Dashboard Synchronized..."
fi fi
mkdir -p "${NEWROOT}"
cd "${NEWROOT}"
mkdir -p bin etc lib lib64 sbin usr var include
case $(uname -m) in
x86_64) ln -sfv lib "${NEWROOT}/lib64" ;;
esac
export PATH="${NEWROOT}/bin:${PATH}"
} }
# --- 9. PERSISTENCE BRIDGE (PACKAGING) --- # --- 7. MONOLITHIC STEP-BY-STEP FORGE PIPELINE ---
function f_package() {
local PKG_NAME="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz"
local PKG_PATH="${BTC_ARCHIVE}/completed"
mkdir -p "${PKG_PATH}"
echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .
local pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}')
setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}"
mkdir -p "${BTC_ARCHIVE}/logs"
cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}"
}
function f_set_exports() {
export CC="ccache ${NEWROOT}/bin/${TARGET}-gcc-${SYS_LABEL}"
export CXX="ccache ${NEWROOT}/bin/${TARGET}-g++-${SYS_LABEL}"
export AR="${NEWROOT}/bin/${TARGET}-gcc-ar-${SYS_LABEL}"
export NM="${NEWROOT}/bin/${TARGET}-gcc-nm-${SYS_LABEL}"
export RANLIB="${NEWROOT}/bin/${TARGET}-gcc-ranlib-${SYS_LABEL}"
export CFLAGS="${GLOBAL_CFLAGS}"
export CXXFLAGS="${GLOBAL_CFLAGS}"
export LDFLAGS="${GLOBAL_LDFLAGS}"
}
# --- 10. KERNEL PROFILE INJECTION ---
function f_ghost_opts() {
echo ">> [PROFILE] Applying Ghost Hardening (Physical/Tuned)..."
{
echo "CONFIG_MODULES=n"
echo "CONFIG_KALLSYMS=n"
echo "CONFIG_COMPAT=n"
echo "CONFIG_PROC_KCORE=n"
echo "CONFIG_CIFS=n"
echo "CONFIG_NFS_FS=n"
echo "CONFIG_SUNRPC=n"
echo "CONFIG_ATM=n"
echo "CONFIG_SYSVIPC=n"
echo "CONFIG_SECURITY_SELINUX=n"
echo "CONFIG_SECURITY_APPARMOR=n"
echo "CONFIG_LSM=\"bpf,capability\""
echo "CONFIG_BPF_LSM=y"
echo "CONFIG_DEBUG_INFO_BTF=y"
echo "CONFIG_E1000E=y"
echo "CONFIG_R8169=y"
} >> .config
make olddefconfig > /dev/null
}
function f_virt_opts() {
echo ">> [PROFILE] Applying Weightless Profile (VirtIO/Classic Guest)..."
{
echo "CONFIG_VIRTIO_PCI=y"
echo "CONFIG_VIRTIO_NET=y"
echo "CONFIG_VIRTIO_BLK=y"
echo "CONFIG_DRM_VIRTIO_GPU=y"
echo "CONFIG_DRM_CIRRUS_QEMU=y"
echo "CONFIG_DRM_VMWGFX=y"
echo "CONFIG_DEBUG_INFO_BTF=y"
echo "CONFIG_BPF_LSM=y"
echo "CONFIG_LSM=\"bpf,capability\""
} >> .config
make olddefconfig > /dev/null
}
function gen_vmlinux_h() {
local EBPF_DIR="${NEWROOT}/ebpf"
mkdir -p "$EBPF_DIR"
if command -v bpftool >/dev/null 2>&1 && [ -f "./vmlinux" ]; then
echo ">> [EBPF] Generating vmlinux.h for CO-RE portability..."
bpftool btf dump file ./vmlinux format c > "$EBPF_DIR/vmlinux.h" 2>/dev/null || echo ">> [WARN] BTF dump failed."
else
echo ">> [WARN] Skipping vmlinux.h: tool or vmlinux binary missing."
fi
}
# --- 11. CORE BUILD STAGES ---
function f_binutils() { function f_binutils() {
cd ${SOURCES_ACTIVE} cd "${SOURCES_ACTIVE}"
tar -axf ${SOURCE_CACHE}/${v_binutils}* tar -xf "${SOURCE_CACHE}/${v_binutils}.tar.xz"
cd binutils-* && mkdir -p build && cd build mkdir -p "${v_binutils}-build" && cd "${v_binutils}-build"
f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --disable-nls --disable-multilib" "binutils-conf"
local build_cmd="../${v_binutils}/configure \
--prefix=${NEWROOT} \
--with-sysroot=${NEWROOT} \
--target=${TARGET} \
--disable-nls \
--enable-gprofng=no \
--disable-werror \
--enable-default-hash-style=gnu"
f_exec_log "${build_cmd}" "binutils-configure"
f_exec_log "make ${v_threads}" "binutils-make" f_exec_log "make ${v_threads}" "binutils-make"
f_exec_log "make install" "binutils-install" "install" f_exec_log "make install" "binutils-install"
} }
function f_kernel_headers() { function f_kernel_headers() {
cd ${SOURCES_ACTIVE} cd "${SOURCES_ACTIVE}"
tar -axf ${SOURCE_CACHE}/${v_linux}* tar -xf "${SOURCE_CACHE}/${v_linux}.tar.xz"
cd linux-* cd "${v_linux}"
f_exec_log "make mrproper && make headers" "kernel-headers"
cp -rv usr/include/* ${NEWROOT}/include f_exec_log "make mrproper" "kernel-headers-clean"
f_exec_log "make headers" "kernel-headers-generate"
find usr/include -type f ! -name '*.h' -delete
mkdir -p "${NEWROOT}/usr/include"
cp -rv usr/include/* "${NEWROOT}/usr/include"
} }
function f_gcc_p1() { function f_gcc_p1() {
cd ${SOURCES_ACTIVE} cd "${SOURCES_ACTIVE}"
tar -axf ${SOURCE_CACHE}/${v_gcc}* tar -xf "${SOURCE_CACHE}/${v_gcc}.tar.xz"
cd gcc-* cd "${v_gcc}"
for lib in gmp mpfr mpc; do tar -xf ${SOURCE_CACHE}/${lib}*; mv -v ${lib}-* ${lib}; done
mkdir -p build && cd build # Nesting Support Libraries internally for Stage-1 execution isolation
f_exec_log "../configure --target=${TARGET} --prefix=${NEWROOT} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --without-headers --disable-shared --disable-threads --enable-languages=c,c++" "gcc1-conf" tar -xf "${SOURCE_CACHE}/${v_gmp}.tar.xz" && mv -v "${v_gmp}" gmp
f_exec_log "make ${v_threads}" "gcc1-make" tar -xf "${SOURCE_CACHE}/${v_mpfr}.tar.xz" && mv -v "${v_mpfr}" mpfr
f_exec_log "make install" "gcc1-install" "install" tar -xf "${SOURCE_CACHE}/${v_mpc}.tar.gz" && mv -v "${v_mpc}" mpc
# Enforce 64-bit dynamic linker structural target pathing
sed -e '/m64=/s/lib64/lib/' -i.bak gcc/config/i386/t-linux64
mkdir -p "${SOURCES_ACTIVE}/${v_gcc}-phase1" && cd "${SOURCES_ACTIVE}/${v_gcc}-phase1"
local build_cmd="../${v_gcc}/configure \
--target=${TARGET} \
--prefix=${NEWROOT} \
--with-glibc-version=${v_glibc#*-} \
--with-sysroot=${NEWROOT} \
--with-newlib \
--without-headers \
--enable-default-pie \
--enable-default-ssp \
--disable-nls \
--disable-shared \
--disable-multilib \
--disable-threads \
--disable-libatomic \
--disable-libgomp \
--disable-libquadmath \
--disable-libssp \
--disable-libvtv \
--disable-libstdcxx \
--enable-languages=c,c++"
f_exec_log "${build_cmd}" "gcc-p1-configure"
f_exec_log "make ${v_threads}" "gcc-p1-make"
f_exec_log "make install" "gcc-p1-install"
} }
function f_glibc() { function f_glibc() {
f_set_exports cd "${SOURCES_ACTIVE}"
cd ${SOURCES_ACTIVE}/glibc-* tar -xf "${SOURCE_CACHE}/${v_glibc}.tar.xz"
mkdir -p build && cd build mkdir -p "${v_glibc}-build" && cd "${v_glibc}-build"
f_exec_log "../configure --prefix=${NEWROOT} --host=${TARGET} --with-headers=${NEWROOT}/include libc_cv_slibdir=${NEWROOT}/lib" "glibc-conf"
local build_cmd="../${v_glibc}/configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-kernel=4.19 \
--with-headers=${NEWROOT}/usr/include \
--disable-profile \
--enable-stack-protector=strong \
--disable-werror \
libc_cv_slibdir=/usr/lib"
f_exec_log "${build_cmd}" "glibc-configure"
f_exec_log "make ${v_threads}" "glibc-make" f_exec_log "make ${v_threads}" "glibc-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install" "install" f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install"
# Sanitize hardcoded host system configurations from dynamic script linkage
sed -i "s|${NEWROOT}||g" "${NEWROOT}/usr/bin/ldd"
}
function f_libxcrypt() {
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/libxcrypt-${v_libxcrypt}.tar.xz"
cd "libxcrypt-${v_libxcrypt}"
local build_cmd="./configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-hashes=strong,glibc \
--enable-obsolete-api=no \
--disable-static"
f_exec_log "${build_cmd}" "libxcrypt-configure"
f_exec_log "make ${v_threads}" "libxcrypt-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "libxcrypt-install"
} }
function f_gcc_p2() { function f_gcc_p2() {
f_set_exports cd "${SOURCES_ACTIVE}"
cd ${SOURCES_ACTIVE}/gcc-*/build && rm -rf * # Re-use existing directory with static parameters attached
f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --program-suffix=-${SYS_LABEL} --enable-languages=c,c++ --with-build-sysroot=${NEWROOT}" "gcc2-conf" cd "${v_gcc}"
f_exec_log "make ${v_threads}" "gcc2-make"
f_exec_log "make install" "gcc2-install" "install" tar -xf "${SOURCE_CACHE}/${v_gmp}.tar.xz" --skip-old-files || true
tar -xf "${SOURCE_CACHE}/${v_mpfr}.tar.xz" --skip-old-files || true
tar -xf "${SOURCE_CACHE}/${v_mpc}.tar.gz" --skip-old-files || true
mkdir -p "${SOURCES_ACTIVE}/${v_gcc}-phase2" && cd "${SOURCES_ACTIVE}/${v_gcc}-phase2"
local build_cmd="../${v_gcc}/configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-languages=c,c++ \
--enable-default-pie \
--enable-default-ssp \
--disable-multilib \
--disable-bootstrap"
f_exec_log "${build_cmd}" "gcc-p2-configure"
f_exec_log "make ${v_threads}" "gcc-p2-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "gcc-p2-install"
} }
function f_kernel_binary() { function f_kernel_binary() {
f_set_exports cd "${SOURCES_ACTIVE}/${v_linux}"
cd ${SOURCES_ACTIVE}/linux-*
make defconfig > /dev/null
# Kernel Profile Routing echo ">> Instantiating Silicon Optimized Monolithic Configuration Matrix..."
case ${KERNEL_PROFILE} in make defconfig
ghost) f_ghost_opts ;;
virt) f_virt_opts ;;
base) echo ">> [PROFILE] Baseline Discovery Active" ;;
esac
echo "-dcosnet-${SYS_LABEL}" > .scmversion # Inject Custom Enterprise Swarm Labels & Architecture Parameters
sed -i "s/CONFIG_LOCALVERSION=\"\"/CONFIG_LOCALVERSION=\"-dcosnet-${SYS_LABEL}\"/" .config
# Modern Hardening Optimization Suite Injection
sed -i "s/# CONFIG_MODULES is not set/CONFIG_MODULES=n/" .config || true
echo "CONFIG_MODULES=n" >> .config
echo "CONFIG_KALLSYMS=n" >> .config
echo "CONFIG_DEBUG_FS=n" >> .config
f_exec_log "make olddefconfig" "kernel-bin-config-merge"
f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make" f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
# Generate eBPF structural maps for the resulting kernel layout mkdir -p "${NEWROOT}/boot"
gen_vmlinux_h cp -v arch/x86/boot/bzImage "${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-sovereign"
cp -v arch/x86/boot/bzImage ${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet # Apply Forensic Engine Analysis Verification Stamps to Core Cross-Compiler Tooling
find "${NEWROOT}/bin" "${NEWROOT}/usr/bin" -type f -exec bash -c 'f_stamp_binary "$1" "$(basename "$1")"' _ {} \; || true
echo "--- FINAL KERNEL AUDIT ---"
grep -E "CONFIG_(MODULES|CIFS|NFS|SUNRPC|SECURITY_SELINUX|DEBUG_INFO_BTF)" .config | sed 's/^/[AUDIT] /'
} }
# --- 12. DEPLOYMENT TARGETING --- function f_package() {
function f_install_target() { echo ">> Packaging Production Golden Image Artifact Target Matrix..."
local TARGET_PART="${1}" cd "${NEWROOT}"
local MNT_POINT="/mnt/btc_target" tar -cf - . | xz -9 -T 0 > "${BTC_ARCHIVE}/${SYS_LABEL}-toolchain-golden.tar.xz"
mkdir -p ${MNT_POINT} && mount ${TARGET_PART} ${MNT_POINT} echo ">> [SUCCESS] Archive deployed cleanly to: ${BTC_ARCHIVE}/${SYS_LABEL}-toolchain-golden.tar.xz"
local DISTRO="Generic-Source"
[[ -f "${MNT_POINT}/etc/lunar/version" ]] && DISTRO="Lunar"
[[ -f "${MNT_POINT}/etc/sorcery/version" ]] && DISTRO="SourceMage"
[[ -f "${MNT_POINT}/etc/openwrt_version" ]] && DISTRO="OpenWrt"
[[ -d "${MNT_POINT}/etc/portage" ]] && DISTRO="Gentoo"
[[ -f "${MNT_POINT}/etc/exherbo-release" ]] && DISTRO="Exherbo"
[[ -f "${MNT_POINT}/etc/cruxversion" ]] && DISTRO="CRUX"
echo ">> [DCOSNET SWARM] Deploying Silicon-Identity to Dell Optiplex 3050 Micro Variants / ${DISTRO} target..."
# Kernel Handoff
mkdir -p ${MNT_POINT}/boot
cp -v ${NEWROOT}/boot/vmlinuz-* ${MNT_POINT}/boot/
# Binary Sync with safe-links
local bin_dest="/usr/local/bin"
[[ "$DISTRO" == "OpenWrt" ]] && bin_dest="/usr/bin"
f_exec_log "rsync -avzX --safe-links ${NEWROOT}/bin/ ${MNT_POINT}${bin_dest}/" "${DISTRO}_deploy" "install"
umount ${MNT_POINT}
echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}"
} }
# --- 13. MAIN ORCHESTRATION --- # --- 8. MAIN ENTRY RUNTIME MATRIX ---
function f_main() { function f_main() {
[[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; } [[ ${EUID} -ne 0 ]] && { echo ">> Error: Root privileges required."; exit 1; }
# Parsing Profile and Target Device (Usage: ./btc.sh [ghost|virt|base] [/dev/sdX])
export KERNEL_PROFILE="${1:-ghost}"
local TARGET_DEV="${2:-}"
f_agpl_header f_agpl_header
f_silicon_probe f_silicon_probe
f_setup f_setup
f_tmux_dashboard
# Forge Pipeline # Linear Forge Execution Sequence
f_binutils f_binutils
f_kernel_headers f_kernel_headers
f_gcc_p1 f_gcc_p1
f_glibc f_glibc
f_libxcrypt
f_gcc_p2 f_gcc_p2
f_kernel_binary f_kernel_binary
# Mandatory Persistence (Archive)
f_package f_package
# Optional Physical Seed deployment # Clear volatile memory cleanrooms
if [[ -n "${TARGET_DEV}" ]]; then cd /
f_install_target "${TARGET_DEV}" umount -l "${SOURCES_ACTIVE}" 2>/dev/null || true
fi echo ">> [COMPLETE] Sovereign Forge Build Finished Successfully under AGPLv3 Framework."
# Zero-Footprint Cleanup: Unmount ramfs
cd / && umount -l ${SOURCES_ACTIVE}
echo ">> [SUCCESS] BTC-0.3.0-AGPL: Sovereign Forge Complete. Profile: ${KERNEL_PROFILE}"
} }
# One-Shot Execution
f_main "$@" f_main "$@"
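Review bot: On the new side, as far as the side-by-side rendering shows, the section-3 exports `NEWROOT="${SOURCES_ACTIVE}/${SYS_LABEL}-cleanroom"`, `LOGS="${BTC_ARCHIVE}/logs/${SYS_LABEL}"` and `GLOBAL_CFLAGS="-O3 -march=${TARGET_ARCH} …"` are expanded at top level, but `SYS_LABEL` and `TARGET_ARCH` are only assigned inside `f_silicon_probe`, which runs when `f_main` is invoked on the last line. With `set -euo pipefail` now at the top, the script either stops there with an unbound-variable error or, if the caller's environment already carries those names, builds the paths it later uses as root from inherited values rather than probed ones. Move the four derived exports (`NEWROOT`, `LOGS`, `GLOBAL_CFLAGS`, `GLOBAL_LDFLAGS`) to the end of `f_silicon_probe`, or into a helper that `f_main` calls right after it. Separately, the `find … -exec bash -c 'f_stamp_binary "$1" …' _ {} \;` line in `f_kernel_binary` starts a child bash that cannot see the function unless `export -f f_stamp_binary` is added (none is visible on the page), so every invocation fails without stopping the build and the ELF/xattr stamp appears never to be applied.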


@ -1,68 +1,25 @@
BTC (Build Tool Chain) v0.1.4 # BTC (Build Tool Chain) - Sovereign Forge Edition
High-Performance Cleanroom Toolchain Generator ## Version: 0.3.1
Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net) Target Architecture: Intel Haswell-EP / Broadwell-HS (hsw / bdw) ### The Philosophy
BTC (Build Tool Chain) is a bare-metal, cleanroom toolchain generation engine engineered for independent infrastructure. It is designed to bypass standard bootstrap phases and rapidly forge hardened, ultra-optimized workspace environments for Xeon-based "swarm" nodes and high-security virtualization targets.
Namespace: DCOSNET This project treats the build process as a forensic exercise. It does not simply compile code; it instantiates a sovereign environment, stamps the resulting binaries with a "Silicon Birth Certificate," and continuously monitors the forge's health via an internal thermal and entropy sentinel.
Overview
BTC (Build Tool Chain) is a bare-metal, cleanroom toolchain generation engine engineered to bypass initial bootstrapping phases and rapidly build hardened, ultra-optimized workspace environments for Xeon-based "swarm" nodes. ### Key Architectural Pillars
* **Sovereign Forge:** Built to LFS 13.0 stable standards (Binutils 2.46, GCC 15.2, Glibc 2.43).
* **Silicon Identity:** Every binary produced includes an immutable ELF note (`.note.BTC`) and extended filesystem attributes (`xattr`) linking the binary to the specific hardware and forge environment that created it.
* **Hardened Profiles:** Profile-driven kernel injection (`ghost` for monolithic/static systems, `virt` for hypervisor guests).
* **Zero-Trust Deployment:** Mandatory AGPLv3 licensing protects the toolchain logic from proprietary SaaS capture, ensuring the forge remains open-source regardless of how it is deployed.
This project was originally based on the buildchain.sh script by Charles M. "Chip" Coldwell, though it has been heavily modified to support contemporary build requirements and sovereign forensic auditing. ### Technical Forge Features
Architectural Notes: Picking Your Target * **Volatile Cleanroom:** All compilation occurs in a volatile ramfs mount, ensuring zero I/O wear on host hardware and providing a "pristine-every-time" build environment.
* **The Invisible Guard:** Integrated telemetry loops prevent thermal runaway and memory saturation during heavy LTO (Link Time Optimization) phases.
* **Forensic Auditing:** Every build creates a verifiable manifest, allowing you to trace any binary back to the exact git commit and forge state that spawned it.
If you are determining your target architecture, first identify your device's specific processor architecture and the corresponding naming convention used by your kernel. ### Licensing
This project is licensed under the **GNU Affero General Public License v3 (AGPLv3)**.
- *Note:* Per Section 13, this forge includes an interactive notice at runtime. If you modify and provide this forge as a network service, you are legally obligated to provide the Corresponding Source to your users.
x86 / x86_64 / PPC / Alpha / SPARC: Typically utilize glibc and coreutils. These are preferred when a full development environment is required and storage space for a large rootfs is available. ### Acknowledgments
Original architecture based on scripts by Charles M. "Chip" Coldwell. Modern hardening and sovereignty features engineered by the DCOSNET project (2012-2026).
ARM / MIPS / RISC / Others: Typically utilize uclibc and busybox. These are preferred for environments with limited disk space, though modern ARM implementations are increasingly capable of supporting larger rootfs configurations.
Key Architectural Features
Speed-of-Light Volatile Compilation: Automatically provisions 50% of available physical RAM into a high-speed ramfs mount (/usr/src) to eliminate disk I/O bottlenecks.
Silicon-Bounded Optimization: Dynamically interrogates the host CPU to target native microarchitectures (bdw/hsw).
Forensic Stamping: Injects a permanent, immutable ELF note (.note.BTC) and filesystem xattrs into all compiled binaries to serve as a "Silicon Birth Certificate."
The Invisible Guard: Continuous background telemetry prevents thermal runaway (throttling above 85°C) and mitigates out-of-memory (OOM) faults.
1. Quickstart Deployment
Execute the Forge:
Bash
sudo ./BTC-0.1.4.sh
Verify Artifacts: Your sovereign toolchain tarball is committed to /opt/BTC/completed/.
Global Integration: ```bash
mkdir -p /opt/cross
tar -xJf /opt/BTC/completed/dcosnet-baseline-*.tar.xz -C /opt/cross
2. Distribution Integration Matrix
Distribution Rebuild Command Integration Method
SourceMage cast -c -r system Sorcery architecture config
Lunar Linux linit -f Global $PATH override
Gentoo emerge -ev @world make.conf pathing
OpenWrt make world menuconfig External Toolchain
References & Research Acknowledgments
The development of this toolchain was informed by, or references, the following resources:
Cross-LFS: x86_64-64 Build Guide
Linux Kernel Documentation: headers_install
Linux Tutorial: General Build Information
DevPit: Building Gnu Toolchain/GLIBC
Charles M. Coldwell: Original Toolchain Scripts
Brave GNU World: GNU/Linux Programming
Christian Schneider: Linux from Scratch Documentation
Additional research items include: ttylinux xbuildroot scripts, SourceMage spells, Slitaz cookutils, and MirBSD xbuild scripts.