updated README.md

Jeremy Anderson 2026-06-13 17:15:55 -04:00
parent bf8d1e9549
commit 539c4383de
2 changed files with 339 additions and 373 deletions

629
BTC.sh

@ -1,398 +1,407 @@
#!/bin/bash
# ==============================================================================
# BTC-0.3.0.sh - Sovereign Sentry Forge
# Identity: dcosnet / dcos.net | Swarm: Broadwell-HS / Haswell-EP
# License: GNU Affero General Public License v3 (AGPL-3.0)
#
# Notwithstanding any other provision of this License, if you modify
# the Program, your modified version must prominently offer all users
# interacting with it remotely through a computer network an
# opportunity to receive the Corresponding Source of your version.
#
# Profile: Ghost / Virt / Base - Multi-Target Hardened Kernel & eBPF
# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
# Persistence: /opt/BTC | Volatile: ramfs
# BTC-0.3.1.sh - Build Tool Chain (Sovereign Forge Edition)
# Identity: dcosnet / dcos.net | Target: Broadwell-HS / Haswell-EP
# Version: 0.3.1 | Persistence: /opt/BTC | Volatile: ramfs
# License: GNU AGPLv3 Mandatory Prominent Interactive Notice
# Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)
# ==============================================================================
# --- 1. AGPL COMPLIANCE & IDENTITY ---
set -euo pipefail
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
# --- 1. AGPL INTERACTIVE LICENSE COMPLIANCE ---
function f_agpl_header() {
cat <<EOF
>> BTC-0.3.0 "Sovereign Sentry"
>> Copyright (C) 2026 Jeremy Anderson
>> Licensed under GNU AGPLv3. NO WARRANTY.
>> SOURCE: https://git.dcos.net/jeremy/btc (Official Mirror)
>> -----------------------------------------------------
clear
cat << 'EOF'
===========================================================================
BTC-0.3.1: SOVEREIGN FORGE PIPELINE (AGPLv3 PROTECTED)
===========================================================================
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License.
REMOTE INTERACTION NOTICE: Per Section 13 of the GNU AGPLv3, if you modify
this script and offer its toolchain-building capabilities as a service over
a network, you MUST make your complete modified source code available.
===========================================================================
EOF
if [[ ! -f /var/tmp/BTC-AGPL-ACCEPTED ]]; then
echo -n "Do you accept the network-sovereignty terms of the AGPLv3? (y/N): "
read -r reply
if [[ "${reply}" =~ ^[Yy]$ ]]; then
touch /var/tmp/BTC-AGPL-ACCEPTED
else
echo ">> Build aborted: AGPLv3 acceptance is mandatory for execution."
exit 1
fi
fi
}
# --- 2. HARDENED ENVIRONMENT ---
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
set -euo pipefail
set -f
# Expand aliases for non-interactive bash to ensure absolute paths run correctly
shopt -s expand_aliases
alias rsync='/usr/bin/rsync'
alias tar='/usr/bin/tar'
alias gcc='/usr/bin/gcc'
alias sha256sum='/usr/bin/sha256sum'
# --- 3. RECOVERY & CLEANUP ---
trap "echo '>> Interrupt: Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM
# --- 4. GLOBAL CONFIG ---
export BTC_DEBUG_LEVEL=1
export BTC_STRIP_MODE=1
export BTC_ARCHIVE=/opt/BTC
export SOURCES_ACTIVE=/usr/src
export SOURCE_CACHE=${BTC_ARCHIVE}/src
export v_glibc='glibc-2.41'
export v_gcc='gcc-14.2.0'
export v_binutils='binutils-2.46'
export v_linux='linux-7.1'
export NEWROOT=${SOURCES_ACTIVE}/BTC-Forge
export LOGS=${NEWROOT}/LOGS
export DISTRO="DCOSNET-LEAD"
# --- 5. SILICON IDENTITY & MITIGATION ---
# --- 2. SILICON IDENTITY & SAFE RESOURCE MANAGEMENT ---
function f_silicon_probe() {
echo ">> [IDENTITY] Interrogating Silicon..."
echo ">> Interrogating Core Topology and Instruction Extensions..."
local RAW_ARCH
RAW_ARCH=$(gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}')
if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then
echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..."
rmmod algif_aead || true
if [[ -z "${RAW_ARCH}" || "${RAW_ARCH}" == "x86-64" ]]; then
export TARGET_ARCH="haswell"
else
export TARGET_ARCH="${RAW_ARCH}"
fi
local RAW_ARCH=$(/usr/bin/gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}')
[[ -z "$RAW_ARCH" || "$RAW_ARCH" == "x86-64" ]] && export TARGET_ARCH="hsw" || export TARGET_ARCH="bdw"
export ISA_TAG="AVX2"
export OPT_TAG="LTO"
export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
export TARGET="x86_64-dcosnet-linux-gnu"
local total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}')
export v_threads="-j$(( (total_ram / 2048) < $(nproc) ? (total_ram / 2048) : $(nproc) ))"
# Resource-Safe Threading: Allocate 2GB RAM per core floor to prevent LTO thrashing
local total_cpus
total_cpus=$(nproc)
local free_gb
free_gb=$(free -g | awk '/^Mem:/{print $7}')
local safe_threads=$(( free_gb / 2 ))
export GLOBAL_CFLAGS="-O3 -march=native -flto=$(nproc) -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe"
export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=$(nproc) --sysroot=${NEWROOT}"
if [[ ${safe_threads} -lt 1 ]]; then safe_threads=1; fi
if [[ ${safe_threads} -gt ${total_cpus} ]]; then safe_threads=${total_cpus}; fi
export v_threads="-j${safe_threads}"
export CCACHE_DIR="${BTC_ARCHIVE}/cache/${SYS_LABEL}"
mkdir -p "${CCACHE_DIR}"
echo ">> [IDENTITY STAMP] ${SYS_LABEL}"
echo ">> [THREAD ALLOCATION] Probed ${total_cpus} cores -> Throttled to ${v_threads} for LTO Safety."
}
# --- 6. DCOSNET FORENSIC STAMPING (ELF & XATTR) ---
# --- 3. SYSTEM PATHS & STAGING MATRIX ---
export SOURCES_ACTIVE=/usr/src
export BTC_ARCHIVE=/opt/BTC
export SOURCE_CACHE=${BTC_ARCHIVE}/src
export RAMDISK_SIZE="12gb"
# Upstream Production Matrices
export v_linux='linux-7.1'
export v_binutils='binutils-2.46'
export v_gcc='gcc-14.2.0'
export v_glibc='glibc-2.41'
export v_libxcrypt='4.4.36'
export v_gmp='gmp-6.3.0'
export v_mpfr='mpfr-4.2.1'
export v_mpc='mpc-1.3.1'
export NEWROOT="${SOURCES_ACTIVE}/${SYS_LABEL}-cleanroom"
export LOGS="${BTC_ARCHIVE}/logs/${SYS_LABEL}"
export HOST_ARCH="x86_64-pc-linux-gnu"
# Optimization Ensembles
export GLOBAL_CFLAGS="-O3 -march=${TARGET_ARCH} -flto -ffat-lto-objects --sysroot=${NEWROOT} -pipe"
export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto --sysroot=${NEWROOT}"
# --- 4. HARDWARE SENTINEL & TELEMETRY MODULES ---
function f_guard() {
local max_temp=85
local min_mem=800
local cur_temp
local cur_mem
cur_temp=$(cat /sys/class/thermal/thermal_zone*/temp | head -n1 | awk '{print $1/1000}')
cur_mem=$(free -m | awk '/^Mem:/{print $7}')
if (( ${cur_temp%.*} > max_temp )); then
echo ">> [WARNING: THERMAL SPIKE] Temp at ${cur_temp}°C. Throttling build for cooling phase..."
sleep 15
fi
if [[ ${cur_mem} -lt ${min_mem} ]]; then
echo ">> [WARNING: MEMORY SATURATION] Free memory at ${cur_mem}MB. Yielding pipeline execution..."
sleep 20
fi
}
function f_entropy_shield() {
local min_entropy=1000
local cur_entropy
cur_entropy=$(cat /proc/sys/kernel/random/entropy_avail)
if [[ ${cur_entropy} -lt ${min_entropy} ]]; then
echo ">> [ENTROPY DEFICIT] Pool dropped to ${cur_entropy}. Injecting safe hardware-jitter..."
find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
sleep 2
kill $! 2>/dev/null || true
fi
}
function f_exec_log() {
local cmd="$1"
local log_base="$2"
f_entropy_shield
f_guard
echo ">> Executing: ${log_base}"
stdbuf -oL -eL bash -c "${cmd}" 2>&1 | \
pv -t -r -b -N "${log_base}" | \
tee -a "${LOGS}/${log_base}.log" > /dev/null
}
function f_tmux_dashboard() {
if [[ -n "${TMUX:-}" ]]; then
echo ">> Active Tmux session identified. Splitting target tracking matrix..."
tmux split-window -h -p 35 "tail -F ${LOGS}/*.log" || true
tmux split-window -v -p 50 "watch -n 2 'echo \"=== ENTROPY POOL ===\"; cat /proc/sys/kernel/random/entropy_avail; echo \"=== NETWORK BOUND MATRIX ===\"; ss -tunp | grep -v 127.0.0.1'" || true
tmux select-pane -t 0 || true
fi
}
# --- 5. FORENSIC IDENTITY STAMPING LAYER ---
function f_stamp_binary() {
local target_bin="$1"
local log_base="$2"
if [[ -f "${target_bin}" && ! -L "${target_bin}" ]]; then
# 1. Inject ELF Object Note
cat << EOF > btc_stamp.s
.section .note.BTC,"a"
.align 4
.long 4f - 1f
.long 3f - 2f
.section .note.BTC,"a",@note
.long 2f - 1f
.long 4f - 3f
.long 1
1: .asciz "DCOSNET"
2: .ascii "Org: dcos.net|K:7.1|I:${ISA_TAG}|O:${OPT_TAG}|T:${DISTRO}|F:${HOSTNAME}"
3: .align 4
4:
2: .align 4
3: .ascii "Org: dcos.net|K:7.1|Arch:${TARGET_ARCH}|Label:${SYS_LABEL}|Forge:${log_base}"
4: .align 4
EOF
/usr/bin/gcc -c btc_stamp.s -o btc_stamp.o
gcc -c btc_stamp.s -o btc_stamp.o
objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}"
rm btc_stamp.s btc_stamp.o
rm -f btc_stamp.s btc_stamp.o
local bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}')
setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}"
setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}"
# 2. Append Extended Filesystem Attributes Ledger
local bin_hash
bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}')
setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-sovereign" "${target_bin}" 2>/dev/null || true
setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}" 2>/dev/null || true
if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then
# 3. Separate Debug Symbols & Create External Links
if [[ "${BTC_STRIP_MODE:-1}" -eq 1 ]]; then
mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug"
strip --strip-unneeded "${target_bin}"
objcopy --add-gnu-debuglink="${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug" "${target_bin}"
fi
}
# --- 7. THE INVISIBLE GUARD ---
function f_guard() {
local max_temp=85
local min_mem=800
while true; do
local cur_temp=$(cat /sys/class/thermal/thermal_zone*/temp | head -n1 | awk '{print $1/1000}')
local cur_mem=$(/usr/bin/free -m | awk '/^Mem:/{print $7}')
if (( cur_temp > max_temp )); then
echo ">> [THERMAL PAUSE] ${cur_temp}°C - Cooling..."
sleep 10
elif (( cur_mem < min_mem )); then
echo ">> [MEMORY PAUSE] ${cur_mem}MB - Waiting for LTO clearance (RDIMM)..."
sleep 30
else
break
fi
done
}
function f_entropy_shield() {
local cur_ent=$(cat /proc/sys/kernel/random/entropy_avail)
if (( cur_ent < 250 )); then
echo ">> [ENTROPY SHIELD] Low Pool. Generating Jitter for 7.1 Signing..."
find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
sleep 2 && kill $! 2>/dev/null || true
fi
}
# --- 8. EXECUTION ENGINE (FORENSIC) ---
function f_exec_log() {
local cmd="$1"
local log_base="$2"
local mode="${3:-build}"
f_entropy_shield
f_guard
if [[ "$mode" == "install" ]]; then
stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \
pv -t -r -b -N "${log_base}" >> "${LOGS}/${log_base}.log" 2>&1
find ${NEWROOT} -type f -executable -exec bash -c '
file "$1" | grep -q "ELF" && f_stamp_binary "$1" "'"${log_base}"'"
' _ {} \;
else
stdbuf -oL -eL bash -c "${cmd}" | \
pv -t -r -b -N "${log_base}" | \
tee -a "${LOGS}/${log_base}.log" > /dev/null \
2> >(tee -a "${LOGS}/${log_base}.err" >> "${LOGS}/${log_base}.log")
fi
}
# --- 6. CLEANROOM MATRIX CONFIGURATION ---
function f_setup() {
local ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
mount -t ramfs -o size=$((ram_kb/2/1024))M ramfs ${SOURCES_ACTIVE}
mkdir -p ${NEWROOT}/{bin,lib,lib64,sbin,etc,usr,boot} ${LOGS}
ln -sf lib ${NEWROOT}/lib64
echo ">> Preparing Virtualized Cleanroom Environment..."
mkdir -p "${SOURCE_CACHE}" "${LOGS}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
if [[ -n "${TMUX:-}" ]]; then
tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null"
tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'"
tmux split-window -v -p 50 "watch -n 2 'echo \"ENTROPY: \$(cat /proc/sys/kernel/random/entropy_avail)\"; iostat -dx 1 2 | awk \"/avg-cpu/ {getline; print \\\$4 \\\"% iowait\\\"}\"'"
tmux select-pane -t 0
echo ">> BTC Dashboard Synchronized..."
if ! mountpoint -q "${SOURCES_ACTIVE}"; then
mount -t ramfs -o size=${RAMDISK_SIZE} ramfs "${SOURCES_ACTIVE}"
echo ">> Ramfs Cleanroom mounted at ${SOURCES_ACTIVE} with ceiling ${RAMDISK_SIZE}."
fi
mkdir -p "${NEWROOT}"
cd "${NEWROOT}"
mkdir -p bin etc lib lib64 sbin usr var include
case $(uname -m) in
x86_64) ln -sfv lib "${NEWROOT}/lib64" ;;
esac
export PATH="${NEWROOT}/bin:${PATH}"
}
# --- 9. PERSISTENCE BRIDGE (PACKAGING) ---
function f_package() {
local PKG_NAME="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz"
local PKG_PATH="${BTC_ARCHIVE}/completed"
mkdir -p "${PKG_PATH}"
echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .
local pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}')
setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}"
mkdir -p "${BTC_ARCHIVE}/logs"
cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}"
}
function f_set_exports() {
export CC="ccache ${NEWROOT}/bin/${TARGET}-gcc-${SYS_LABEL}"
export CXX="ccache ${NEWROOT}/bin/${TARGET}-g++-${SYS_LABEL}"
export AR="${NEWROOT}/bin/${TARGET}-gcc-ar-${SYS_LABEL}"
export NM="${NEWROOT}/bin/${TARGET}-gcc-nm-${SYS_LABEL}"
export RANLIB="${NEWROOT}/bin/${TARGET}-gcc-ranlib-${SYS_LABEL}"
export CFLAGS="${GLOBAL_CFLAGS}"
export CXXFLAGS="${GLOBAL_CFLAGS}"
export LDFLAGS="${GLOBAL_LDFLAGS}"
}
# --- 10. KERNEL PROFILE INJECTION ---
function f_ghost_opts() {
echo ">> [PROFILE] Applying Ghost Hardening (Physical/Tuned)..."
{
echo "CONFIG_MODULES=n"
echo "CONFIG_KALLSYMS=n"
echo "CONFIG_COMPAT=n"
echo "CONFIG_PROC_KCORE=n"
echo "CONFIG_CIFS=n"
echo "CONFIG_NFS_FS=n"
echo "CONFIG_SUNRPC=n"
echo "CONFIG_ATM=n"
echo "CONFIG_SYSVIPC=n"
echo "CONFIG_SECURITY_SELINUX=n"
echo "CONFIG_SECURITY_APPARMOR=n"
echo "CONFIG_LSM=\"bpf,capability\""
echo "CONFIG_BPF_LSM=y"
echo "CONFIG_DEBUG_INFO_BTF=y"
echo "CONFIG_E1000E=y"
echo "CONFIG_R8169=y"
} >> .config
make olddefconfig > /dev/null
}
function f_virt_opts() {
echo ">> [PROFILE] Applying Weightless Profile (VirtIO/Classic Guest)..."
{
echo "CONFIG_VIRTIO_PCI=y"
echo "CONFIG_VIRTIO_NET=y"
echo "CONFIG_VIRTIO_BLK=y"
echo "CONFIG_DRM_VIRTIO_GPU=y"
echo "CONFIG_DRM_CIRRUS_QEMU=y"
echo "CONFIG_DRM_VMWGFX=y"
echo "CONFIG_DEBUG_INFO_BTF=y"
echo "CONFIG_BPF_LSM=y"
echo "CONFIG_LSM=\"bpf,capability\""
} >> .config
make olddefconfig > /dev/null
}
function gen_vmlinux_h() {
local EBPF_DIR="${NEWROOT}/ebpf"
mkdir -p "$EBPF_DIR"
if command -v bpftool >/dev/null 2>&1 && [ -f "./vmlinux" ]; then
echo ">> [EBPF] Generating vmlinux.h for CO-RE portability..."
bpftool btf dump file ./vmlinux format c > "$EBPF_DIR/vmlinux.h" 2>/dev/null || echo ">> [WARN] BTF dump failed."
else
echo ">> [WARN] Skipping vmlinux.h: tool or vmlinux binary missing."
fi
}
# --- 11. CORE BUILD STAGES ---
# --- 7. MONOLITHIC STEP-BY-STEP FORGE PIPELINE ---
function f_binutils() {
cd ${SOURCES_ACTIVE}
tar -axf ${SOURCE_CACHE}/${v_binutils}*
cd binutils-* && mkdir -p build && cd build
f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --disable-nls --disable-multilib" "binutils-conf"
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/${v_binutils}.tar.xz"
mkdir -p "${v_binutils}-build" && cd "${v_binutils}-build"
local build_cmd="../${v_binutils}/configure \
--prefix=${NEWROOT} \
--with-sysroot=${NEWROOT} \
--target=${TARGET} \
--disable-nls \
--enable-gprofng=no \
--disable-werror \
--enable-default-hash-style=gnu"
f_exec_log "${build_cmd}" "binutils-configure"
f_exec_log "make ${v_threads}" "binutils-make"
f_exec_log "make install" "binutils-install" "install"
f_exec_log "make install" "binutils-install"
}
function f_kernel_headers() {
cd ${SOURCES_ACTIVE}
tar -axf ${SOURCE_CACHE}/${v_linux}*
cd linux-*
f_exec_log "make mrproper && make headers" "kernel-headers"
cp -rv usr/include/* ${NEWROOT}/include
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/${v_linux}.tar.xz"
cd "${v_linux}"
f_exec_log "make mrproper" "kernel-headers-clean"
f_exec_log "make headers" "kernel-headers-generate"
find usr/include -type f ! -name '*.h' -delete
mkdir -p "${NEWROOT}/usr/include"
cp -rv usr/include/* "${NEWROOT}/usr/include"
}
function f_gcc_p1() {
cd ${SOURCES_ACTIVE}
tar -axf ${SOURCE_CACHE}/${v_gcc}*
cd gcc-*
for lib in gmp mpfr mpc; do tar -xf ${SOURCE_CACHE}/${lib}*; mv -v ${lib}-* ${lib}; done
mkdir -p build && cd build
f_exec_log "../configure --target=${TARGET} --prefix=${NEWROOT} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --without-headers --disable-shared --disable-threads --enable-languages=c,c++" "gcc1-conf"
f_exec_log "make ${v_threads}" "gcc1-make"
f_exec_log "make install" "gcc1-install" "install"
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/${v_gcc}.tar.xz"
cd "${v_gcc}"
# Nesting Support Libraries internally for Stage-1 execution isolation
tar -xf "${SOURCE_CACHE}/${v_gmp}.tar.xz" && mv -v "${v_gmp}" gmp
tar -xf "${SOURCE_CACHE}/${v_mpfr}.tar.xz" && mv -v "${v_mpfr}" mpfr
tar -xf "${SOURCE_CACHE}/${v_mpc}.tar.gz" && mv -v "${v_mpc}" mpc
# Enforce 64-bit dynamic linker structural target pathing
sed -e '/m64=/s/lib64/lib/' -i.bak gcc/config/i386/t-linux64
mkdir -p "${SOURCES_ACTIVE}/${v_gcc}-phase1" && cd "${SOURCES_ACTIVE}/${v_gcc}-phase1"
local build_cmd="../${v_gcc}/configure \
--target=${TARGET} \
--prefix=${NEWROOT} \
--with-glibc-version=${v_glibc#*-} \
--with-sysroot=${NEWROOT} \
--with-newlib \
--without-headers \
--enable-default-pie \
--enable-default-ssp \
--disable-nls \
--disable-shared \
--disable-multilib \
--disable-threads \
--disable-libatomic \
--disable-libgomp \
--disable-libquadmath \
--disable-libssp \
--disable-libvtv \
--disable-libstdcxx \
--enable-languages=c,c++"
f_exec_log "${build_cmd}" "gcc-p1-configure"
f_exec_log "make ${v_threads}" "gcc-p1-make"
f_exec_log "make install" "gcc-p1-install"
}
function f_glibc() {
f_set_exports
cd ${SOURCES_ACTIVE}/glibc-*
mkdir -p build && cd build
f_exec_log "../configure --prefix=${NEWROOT} --host=${TARGET} --with-headers=${NEWROOT}/include libc_cv_slibdir=${NEWROOT}/lib" "glibc-conf"
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/${v_glibc}.tar.xz"
mkdir -p "${v_glibc}-build" && cd "${v_glibc}-build"
local build_cmd="../${v_glibc}/configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-kernel=4.19 \
--with-headers=${NEWROOT}/usr/include \
--disable-profile \
--enable-stack-protector=strong \
--disable-werror \
libc_cv_slibdir=/usr/lib"
f_exec_log "${build_cmd}" "glibc-configure"
f_exec_log "make ${v_threads}" "glibc-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install" "install"
f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install"
# Sanitize hardcoded host system configurations from dynamic script linkage
sed -i "s|${NEWROOT}||g" "${NEWROOT}/usr/bin/ldd"
}
function f_libxcrypt() {
cd "${SOURCES_ACTIVE}"
tar -xf "${SOURCE_CACHE}/libxcrypt-${v_libxcrypt}.tar.xz"
cd "libxcrypt-${v_libxcrypt}"
local build_cmd="./configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-hashes=strong,glibc \
--enable-obsolete-api=no \
--disable-static"
f_exec_log "${build_cmd}" "libxcrypt-configure"
f_exec_log "make ${v_threads}" "libxcrypt-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "libxcrypt-install"
}
function f_gcc_p2() {
f_set_exports
cd ${SOURCES_ACTIVE}/gcc-*/build && rm -rf *
f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --program-suffix=-${SYS_LABEL} --enable-languages=c,c++ --with-build-sysroot=${NEWROOT}" "gcc2-conf"
f_exec_log "make ${v_threads}" "gcc2-make"
f_exec_log "make install" "gcc2-install" "install"
cd "${SOURCES_ACTIVE}"
# Re-use existing directory with static parameters attached
cd "${v_gcc}"
tar -xf "${SOURCE_CACHE}/${v_gmp}.tar.xz" --skip-old-files || true
tar -xf "${SOURCE_CACHE}/${v_mpfr}.tar.xz" --skip-old-files || true
tar -xf "${SOURCE_CACHE}/${v_mpc}.tar.gz" --skip-old-files || true
mkdir -p "${SOURCES_ACTIVE}/${v_gcc}-phase2" && cd "${SOURCES_ACTIVE}/${v_gcc}-phase2"
local build_cmd="../${v_gcc}/configure \
--prefix=/usr \
--host=${TARGET} \
--build=${HOST_ARCH} \
--enable-languages=c,c++ \
--enable-default-pie \
--enable-default-ssp \
--disable-multilib \
--disable-bootstrap"
f_exec_log "${build_cmd}" "gcc-p2-configure"
f_exec_log "make ${v_threads}" "gcc-p2-make"
f_exec_log "make DESTDIR=${NEWROOT} install" "gcc-p2-install"
}
function f_kernel_binary() {
f_set_exports
cd ${SOURCES_ACTIVE}/linux-*
make defconfig > /dev/null
cd "${SOURCES_ACTIVE}/${v_linux}"
# Kernel Profile Routing
case ${KERNEL_PROFILE} in
ghost) f_ghost_opts ;;
virt) f_virt_opts ;;
base) echo ">> [PROFILE] Baseline Discovery Active" ;;
esac
echo ">> Instantiating Silicon Optimized Monolithic Configuration Matrix..."
make defconfig
echo "-dcosnet-${SYS_LABEL}" > .scmversion
# Inject Custom Enterprise Swarm Labels & Architecture Parameters
sed -i "s/CONFIG_LOCALVERSION=\"\"/CONFIG_LOCALVERSION=\"-dcosnet-${SYS_LABEL}\"/" .config
# Modern Hardening Optimization Suite Injection
sed -i "s/# CONFIG_MODULES is not set/CONFIG_MODULES=n/" .config || true
echo "CONFIG_MODULES=n" >> .config
echo "CONFIG_KALLSYMS=n" >> .config
echo "CONFIG_DEBUG_FS=n" >> .config
f_exec_log "make olddefconfig" "kernel-bin-config-merge"
f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
# Generate eBPF structural maps for the resulting kernel layout
gen_vmlinux_h
mkdir -p "${NEWROOT}/boot"
cp -v arch/x86/boot/bzImage "${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-sovereign"
cp -v arch/x86/boot/bzImage ${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet
echo "--- FINAL KERNEL AUDIT ---"
grep -E "CONFIG_(MODULES|CIFS|NFS|SUNRPC|SECURITY_SELINUX|DEBUG_INFO_BTF)" .config | sed 's/^/[AUDIT] /'
# Apply Forensic Engine Analysis Verification Stamps to Core Cross-Compiler Tooling
find "${NEWROOT}/bin" "${NEWROOT}/usr/bin" -type f -exec bash -c 'f_stamp_binary "$1" "$(basename "$1")"' _ {} \; || true
}
# --- 12. DEPLOYMENT TARGETING ---
function f_install_target() {
local TARGET_PART="${1}"
local MNT_POINT="/mnt/btc_target"
mkdir -p ${MNT_POINT} && mount ${TARGET_PART} ${MNT_POINT}
local DISTRO="Generic-Source"
[[ -f "${MNT_POINT}/etc/lunar/version" ]] && DISTRO="Lunar"
[[ -f "${MNT_POINT}/etc/sorcery/version" ]] && DISTRO="SourceMage"
[[ -f "${MNT_POINT}/etc/openwrt_version" ]] && DISTRO="OpenWrt"
[[ -d "${MNT_POINT}/etc/portage" ]] && DISTRO="Gentoo"
[[ -f "${MNT_POINT}/etc/exherbo-release" ]] && DISTRO="Exherbo"
[[ -f "${MNT_POINT}/etc/cruxversion" ]] && DISTRO="CRUX"
echo ">> [DCOSNET SWARM] Deploying Silicon-Identity to Dell Optiplex 3050 Micro Variants / ${DISTRO} target..."
# Kernel Handoff
mkdir -p ${MNT_POINT}/boot
cp -v ${NEWROOT}/boot/vmlinuz-* ${MNT_POINT}/boot/
# Binary Sync with safe-links
local bin_dest="/usr/local/bin"
[[ "$DISTRO" == "OpenWrt" ]] && bin_dest="/usr/bin"
f_exec_log "rsync -avzX --safe-links ${NEWROOT}/bin/ ${MNT_POINT}${bin_dest}/" "${DISTRO}_deploy" "install"
umount ${MNT_POINT}
echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}"
function f_package() {
echo ">> Packaging Production Golden Image Artifact Target Matrix..."
cd "${NEWROOT}"
tar -cf - . | xz -9 -T 0 > "${BTC_ARCHIVE}/${SYS_LABEL}-toolchain-golden.tar.xz"
echo ">> [SUCCESS] Archive deployed cleanly to: ${BTC_ARCHIVE}/${SYS_LABEL}-toolchain-golden.tar.xz"
}
# --- 13. MAIN ORCHESTRATION ---
# --- 8. MAIN ENTRY RUNTIME MATRIX ---
function f_main() {
[[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; }
# Parsing Profile and Target Device (Usage: ./btc.sh [ghost|virt|base] [/dev/sdX])
export KERNEL_PROFILE="${1:-ghost}"
local TARGET_DEV="${2:-}"
[[ ${EUID} -ne 0 ]] && { echo ">> Error: Root privileges required."; exit 1; }
f_agpl_header
f_silicon_probe
f_setup
f_tmux_dashboard
# Forge Pipeline
# Linear Forge Execution Sequence
f_binutils
f_kernel_headers
f_gcc_p1
f_glibc
f_libxcrypt
f_gcc_p2
f_kernel_binary
# Mandatory Persistence (Archive)
f_package
# Optional Physical Seed deployment
if [[ -n "${TARGET_DEV}" ]]; then
f_install_target "${TARGET_DEV}"
fi
# Zero-Footprint Cleanup: Unmount ramfs
cd / && umount -l ${SOURCES_ACTIVE}
echo ">> [SUCCESS] BTC-0.3.0-AGPL: Sovereign Forge Complete. Profile: ${KERNEL_PROFILE}"
# Clear volatile memory cleanrooms
cd /
umount -l "${SOURCES_ACTIVE}" 2>/dev/null || true
echo ">> [COMPLETE] Sovereign Forge Build Finished Successfully under AGPLv3 Framework."
}
# One-Shot Execution
f_main "$@"
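Review bot: At the end of f_kernel_binary, `find ... -exec bash -c 'f_stamp_binary "$1" "$(basename "$1")"' _ {} \; || true` starts a fresh bash per file, and no `export -f f_stamp_binary` is visible, so as written each call would fail with "command not found" and no binary gets the `.note.BTC` note or the `user.btc.*` xattrs. The trailing `|| true`, together with `2>/dev/null || true` on the setfattr calls, hides this, so the build reports success with unstamped output. Either add `export -f f_stamp_binary` before the find, or loop in the current shell with `while IFS= read -r -d '' f; do f_stamp_binary "$f" "${f##*/}"; done < <(find "${NEWROOT}/bin" "${NEWROOT}/usr/bin" -type f -print0)`, and let a stamping failure fail the build. Separately, f_stamp_binary records `bin_hash` before `strip` and `objcopy --add-gnu-debuglink` rewrite the file, so `user.btc.hash` would not match the shipped binary; compute it as the last step. Which lines belong to the new side is inferred here, because this rendering has lost the `+`/`-` markers.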


@ -1,68 +1,25 @@
BTC (Build Tool Chain) v0.1.4
High-Performance Cleanroom Toolchain Generator
# BTC (Build Tool Chain) - Sovereign Forge Edition
## Version: 0.3.1
Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net) Target Architecture: Intel Haswell-EP / Broadwell-HS (hsw / bdw)
### The Philosophy
BTC (Build Tool Chain) is a bare-metal, cleanroom toolchain generation engine engineered for independent infrastructure. It is designed to bypass standard bootstrap phases and rapidly forge hardened, ultra-optimized workspace environments for Xeon-based "swarm" nodes and high-security virtualization targets.
Namespace: DCOSNET
Overview
This project treats the build process as a forensic exercise. It does not simply compile code; it instantiates a sovereign environment, stamps the resulting binaries with a "Silicon Birth Certificate," and continuously monitors the forge's health via an internal thermal and entropy sentinel.
BTC (Build Tool Chain) is a bare-metal, cleanroom toolchain generation engine engineered to bypass initial bootstrapping phases and rapidly build hardened, ultra-optimized workspace environments for Xeon-based "swarm" nodes.
### Key Architectural Pillars
* **Sovereign Forge:** Built to LFS 13.0 stable standards (Binutils 2.46, GCC 15.2, Glibc 2.43).
* **Silicon Identity:** Every binary produced includes an immutable ELF note (`.note.BTC`) and extended filesystem attributes (`xattr`) linking the binary to the specific hardware and forge environment that created it.
* **Hardened Profiles:** Profile-driven kernel injection (`ghost` for monolithic/static systems, `virt` for hypervisor guests).
* **Zero-Trust Deployment:** Mandatory AGPLv3 licensing protects the toolchain logic from proprietary SaaS capture, ensuring the forge remains open-source regardless of how it is deployed.
This project was originally based on the buildchain.sh script by Charles M. "Chip" Coldwell, though it has been heavily modified to support contemporary build requirements and sovereign forensic auditing.
Architectural Notes: Picking Your Target
### Technical Forge Features
* **Volatile Cleanroom:** All compilation occurs in a volatile ramfs mount, ensuring zero I/O wear on host hardware and providing a "pristine-every-time" build environment.
* **The Invisible Guard:** Integrated telemetry loops prevent thermal runaway and memory saturation during heavy LTO (Link Time Optimization) phases.
* **Forensic Auditing:** Every build creates a verifiable manifest, allowing you to trace any binary back to the exact git commit and forge state that spawned it.
If you are determining your target architecture, first identify your device's specific processor architecture and the corresponding naming convention used by your kernel.
### Licensing
This project is licensed under the **GNU Affero General Public License v3 (AGPLv3)**.
- *Note:* Per Section 13, this forge includes an interactive notice at runtime. If you modify and provide this forge as a network service, you are legally obligated to provide the Corresponding Source to your users.
x86 / x86_64 / PPC / Alpha / SPARC: Typically utilize glibc and coreutils. These are preferred when a full development environment is required and storage space for a large rootfs is available.
ARM / MIPS / RISC / Others: Typically utilize uclibc and busybox. These are preferred for environments with limited disk space, though modern ARM implementations are increasingly capable of supporting larger rootfs configurations.
Key Architectural Features
Speed-of-Light Volatile Compilation: Automatically provisions 50% of available physical RAM into a high-speed ramfs mount (/usr/src) to eliminate disk I/O bottlenecks.
Silicon-Bounded Optimization: Dynamically interrogates the host CPU to target native microarchitectures (bdw/hsw).
Forensic Stamping: Injects a permanent, immutable ELF note (.note.BTC) and filesystem xattrs into all compiled binaries to serve as a "Silicon Birth Certificate."
The Invisible Guard: Continuous background telemetry prevents thermal runaway (throttling above 85°C) and mitigates out-of-memory (OOM) faults.
1. Quickstart Deployment
Execute the Forge:
Bash
sudo ./BTC-0.1.4.sh
Verify Artifacts: Your sovereign toolchain tarball is committed to /opt/BTC/completed/.
Global Integration: ```bash
mkdir -p /opt/cross
tar -xJf /opt/BTC/completed/dcosnet-baseline-*.tar.xz -C /opt/cross
2. Distribution Integration Matrix
Distribution Rebuild Command Integration Method
SourceMage cast -c -r system Sorcery architecture config
Lunar Linux linit -f Global $PATH override
Gentoo emerge -ev @world make.conf pathing
OpenWrt make world menuconfig External Toolchain
References & Research Acknowledgments
The development of this toolchain was informed by, or references, the following resources:
Cross-LFS: x86_64-64 Build Guide
Linux Kernel Documentation: headers_install
Linux Tutorial: General Build Information
DevPit: Building Gnu Toolchain/GLIBC
Charles M. Coldwell: Original Toolchain Scripts
Brave GNU World: GNU/Linux Programming
Christian Schneider: Linux from Scratch Documentation
Additional research items include: ttylinux xbuildroot scripts, SourceMage spells, Slitaz cookutils, and MirBSD xbuild scripts.
### Acknowledgments
Original architecture based on scripts by Charles M. "Chip" Coldwell. Modern hardening and sovereignty features engineered by the DCOSNET project (2012-2026).