From 5728ebd14824cff55f8ee099f75de213327ba0ba Mon Sep 17 00:00:00 2001
From: Jeremy Anderson
Date: Sat, 13 Jun 2026 17:13:40 -0400
Subject: [PATCH] Release: version 0.2.0
---
 BTC.sh | 274 ++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 195 insertions(+), 79 deletions(-)
diff --git a/BTC.sh b/BTC.sh
index a58abc5..c23ecf7 100644
--- a/BTC.sh
+++ b/BTC.sh
@@ -1,32 +1,79 @@ #!/bin/bash -# BTC-0.1.4.sh - Build Tool Chain (Sovereign Final) -# Identity: dcosnet / dcos.net | Target: Broadwell-HS / Haswell-EP -# Version: 0.1.4 | Persistence: /opt/BTC | Volatile: ramfs +# BTC-0.2.0.sh - Build Tool Chain +# Version: 0.2.0 (Sovereign Sentry Forge / dcosnet-Identity / Swarm-Aware) +# Target: Dell Optiplex 3050 Micro Variants & RDIMM Swarm +# License: GNU Affero General Public License v3 (AGPL-3.0) +# +# Notwithstanding any other provision of this License, if you modify +# the Program, your modified version must prominently offer all users +# interacting with it remotely through a computer network an +# opportunity to receive the Corresponding Source of your version. +# +# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready +# Persistence: /opt/BTC | Volatile: ramfs # Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net) -# --- 1. ARCHITECTURE & RECOVERY --- -set -euo pipefail # Strict exit on error, unset vars, or pipe failure -# Cleanup trap: Ensures ramfs is unmounted even on build failure -trap "echo '>> Interrupt Detected. Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM +# --- 1. AGPL COMPLIANCE & IDENTITY --- +function f_agpl_header() { + cat <> BTC-0.2.0 "Sovereign Sentry" +>> Copyright (C) 2026 Jeremy Anderson +>> Licensed under GNU AGPLv3. NO WARRANTY. +>> SOURCE: https://dcos.net/git/btc (Official Mirror) +>> ----------------------------------------------------- +EOF +} -# --- 2. GLOBAL CONFIG & PERSISTENCE --- -export BTC_DEBUG_LEVEL=1 # 0=Silent, 1=Audit (IW), 2=Trace -export BTC_STRIP_MODE=1 # 1=Lean/Strip (Default), 0=Preserve Symbols -export BTC_ARCHIVE=/opt/BTC # Permanent storage for artifacts/logs +# --- 2. 
HARDENED ENVIRONMENT --- +# Reset PATH to prevent environment poisoning/hijacking +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +set -euo pipefail # Strict error propagation +set -f # Disable globbing to prevent unintended expansion -# --- 3. SILICON IDENTITY & DCOSNET NAMESPACE --- +# Toolchain Aliases: Pinning absolute paths to avoid "Copy Fail" hijacked binaries +alias rsync='/usr/bin/rsync' +alias tar='/usr/bin/tar' +alias gcc='/usr/bin/gcc' +alias sha256sum='/usr/bin/sha256sum' + +# --- 3. RECOVERY & CLEANUP --- +# Trap ensures ramfs is unmounted even if build fails; prevents persistent memory bloat +trap "echo '>> Interrupt: Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM + +# --- 4. GLOBAL CONFIG --- +export BTC_DEBUG_LEVEL=1 +export BTC_STRIP_MODE=1 +export BTC_ARCHIVE=/opt/BTC +export SOURCES_ACTIVE=/usr/src +export SOURCE_CACHE=${BTC_ARCHIVE}/src +export v_glibc='glibc-2.41' +export v_gcc='gcc-14.2.0' +export v_binutils='binutils-2.46' +export v_linux='linux-7.1' +export NEWROOT=${SOURCES_ACTIVE}/BTC-Forge +export LOGS=${NEWROOT}/LOGS +export DISTRO="DCOSNET-LEAD" + +# --- 5. SILICON IDENTITY & MITIGATION --- function f_silicon_probe() { - echo ">> BTC-0.1.4: Interrogating Silicon..." - # Auto-detect microarch; fallback to HSW for generic/ES chips - local RAW_ARCH=$(gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}') + echo ">> [IDENTITY] Interrogating Silicon..." + + # Mitigate CVE-2026-31431: Disable vulnerable crypto socket before forge starts + if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then + echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..." 
+ rmmod algif_aead || true + fi + + local RAW_ARCH=$(/usr/bin/gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}') [[ -z "$RAW_ARCH" || "$RAW_ARCH" == "x86-64" ]] && export TARGET_ARCH="hsw" || export TARGET_ARCH="bdw" export ISA_TAG="AVX2" export OPT_TAG="LTO" export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}" - export TARGET="x86_64-dcosnet-linux-gnu" - # Calculate thread depth: 2GB RAM ceiling per thread to prevent LTO thrashing - local total_ram=$(free -m | awk '/^Mem:/{print $2}') + export TARGET="x86_64-dcosnet-linux-gnu" + + # Calculate thread depth: 2GB RAM floor per core for LTO safety + local total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}') export v_threads="-j$(( (total_ram / 2048) < $(nproc) ? (total_ram / 2048) : $(nproc) ))" # Aggressive Forge Profile: O3 + LTO + Hardened Stack @@ -37,12 +84,12 @@ function f_silicon_probe() { mkdir -p "${CCACHE_DIR}" } -# --- 4. FORENSIC STAMPING (ELF & XATTR) --- +# --- 6. DCOSNET FORENSIC STAMPING (ELF & XATTR) --- function f_stamp_binary() { local target_bin="$1" local log_base="$2" - # Immutable ELF Note: The Silicon Birth Certificate + # Inject Immutable ELF Note (The Silicon DNA) cat < btc_stamp.s .section .note.BTC,"a" .align 4 
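Review bot: The `alias` lines under "Toolchain Aliases" do not pin anything: bash does not expand aliases in a non-interactive script unless `shopt -s expand_aliases` is set, and an alias would not reach the `bash -c "$cmd"` children that f_exec_log starts either, so the PATH reset above them is the only control that takes effect. Replace them with read-only variables such as `readonly RSYNC=/usr/bin/rsync`, or delete them so the header's "PATH-Pinned" claim rests on the PATH line alone. The double-quoted `trap` in section 3 also expands `${SOURCES_ACTIVE}` when the trap is installed, which is before section 4 assigns it, so under `set -u` the script stops at that line unless the variable is inherited from the environment; single-quote the trap body or move it below the config block. In f_silicon_probe, `rmmod algif_aead || true` discards a failed unload and does not by itself keep the module from being loaded again, so the header's "Mitigated" wording is not something this code verifies; f_silicon_probe continues past the end of this hunk.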
@@ -54,16 +101,16 @@ function f_stamp_binary() { 3: .align 4 4: EOF - gcc -c btc_stamp.s -o btc_stamp.o + /usr/bin/gcc -c btc_stamp.s -o btc_stamp.o objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}" rm btc_stamp.s btc_stamp.o - # Rapid Audit Metadata (Persistent via rsync -X) + # Rapid Audit Metadata for Fapolicyd/eBPF verification local bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}') setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}" setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}" - # External Symbol Extraction: Move debug info to LeadNode archive + # Extract debug symbols to LeadNode archive before thinning binary if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}" objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug" 
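Review bot: The new comment presents the `user.btc.*` attributes as input for fapolicyd/eBPF verification, but a `user.` extended attribute can be rewritten by anyone who can write the file, and `user.btc.hash` is stored on the very file it describes, so it records what was built rather than showing the file is unaltered. I would word the comment as `# Audit metadata only; not tamper-evident (user.* xattrs are writable by the file owner)` and keep the authoritative hashes in a separate manifest under `${BTC_ARCHIVE}`. The hash is also taken before the strip branch that follows; if that branch rewrites `${target_bin}` (the lines between this hunk and the next are not shown), the stored value no longer matches the installed file. Only the `gcc` call was switched to an absolute path here, while `objcopy`, `sha256sum` and `setfattr` still resolve through PATH. f_stamp_binary starts and ends outside this hunk.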
@@ -72,28 +119,35 @@ EOF fi } -# --- 5. THE INVISIBLE GUARD (THERMAL/ENTROPY) --- +# --- 7. THE INVISIBLE GUARD --- function f_guard() { local max_temp=85 local min_mem=800 while true; do local cur_temp=$(cat /sys/class/thermal/thermal_zone*/temp | head -n1 | awk '{print $1/1000}') - local cur_mem=$(free -m | awk '/^Mem:/{print $7}') - # Prevent Broadwell thermal runaway or OOM death during link-time-optimization - if (( cur_temp > max_temp )); then sleep 10; elif (( cur_mem < min_mem )); then sleep 30; else break; fi + local cur_mem=$(/usr/bin/free -m | awk '/^Mem:/{print $7}') + if (( cur_temp > max_temp )); then + echo ">> [THERMAL PAUSE] ${cur_temp}°C - Cooling..." + sleep 10 + elif (( cur_mem < min_mem )); then + echo ">> [MEMORY PAUSE] ${cur_mem}MB - Waiting for LTO clearance (RDIMM)..." + sleep 30 + else + break + fi done } function f_entropy_shield() { - # Ensure secure kernel signing and binary sealing via randomness generation local cur_ent=$(cat /proc/sys/kernel/random/entropy_avail) if (( cur_ent < 250 )); then + echo ">> [ENTROPY SHIELD] Low Pool. Generating Jitter for 7.1 Signing..." find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 & - sleep 2 && kill $! 2>/dev/null + sleep 2 && kill $! 2>/dev/null || true fi } -# --- 6. EXECUTION ENGINE (FORENSIC LOGGING) --- +# --- 8. EXECUTION ENGINE (FORENSIC) --- function f_exec_log() { local cmd="$1" local log_base="$2" @@ -103,7 +157,7 @@ function f_exec_log() { f_guard if [[ "$mode" == "install" ]]; then - # Audit FS changes via installwatch; auto-stamp all resulting executables + # Audit FS changes via installwatch; triggers binary stamping stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \ pv -t -r -b -N "${log_base}" >> "${LOGS}/${log_base}.log" 2>&1 
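Review bot: With `set -f` now enabled at the top of the script, the `thermal_zone*` pattern in f_guard is handed to `cat` literally, so `cur_temp` comes back empty, `(( cur_temp > max_temp ))` evaluates it as 0, and the thermal pause added in this hunk never triggers. The failure is silent because `local cur_temp=$(…)` returns the status of `local`, not of the pipeline; declaring first (`local cur_temp`) and assigning on the next line lets `set -e` see it. The same `set -f` interaction affects `vmlinuz-*` in f_install_target and, in lines outside this hunk, the `${v_binutils}*` and `linux-*` patterns of the build stages. I would drop `set -f` and quote the expansions that must not glob, or wrap the intended globs in `set +f` / `set -f`.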
@@ -119,27 +173,44 @@ function f_exec_log() { fi } -# --- 7. CLEANROOM INFRA (VOLATILE RAMFS) --- -export SOURCES_ACTIVE=/usr/src -export SOURCE_CACHE=${BTC_ARCHIVE}/src -export v_glibc='glibc-2.41' -export v_gcc='gcc-14.2.0' -export v_binutils='binutils-2.46' -export v_linux='linux-7.1' -export NEWROOT=${SOURCES_ACTIVE}/BTC-Forge -export LOGS=${NEWROOT}/LOGS -export DISTRO="DCOSNET" - function f_setup() { - # Speed-of-light compilation via ramfs; strictly temporary + # Mount Volatile Ramfs: The "Forge Stage" Cleanroom local ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}') mount -t ramfs -o size=$((ram_kb/2/1024))M ramfs ${SOURCES_ACTIVE} mkdir -p ${NEWROOT}/{bin,lib,lib64,sbin,etc,usr,boot} ${LOGS} ln -sf lib ${NEWROOT}/lib64 + + # Tmux dashboard for real-time telemetry observation + if [[ -n "${TMUX:-}" ]]; then + tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null" + tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'" + tmux split-window -v -p 50 "watch -n 2 'echo \"ENTROPY: \$(cat /proc/sys/kernel/random/entropy_avail)\"; iostat -dx 1 2 | awk \"/avg-cpu/ {getline; print \\\$4 \\\"% iowait\\\"}\"'" + tmux select-pane -t 0 + echo ">> BTC Dashboard Synchronized..." + fi +} + +# --- 9. PERSISTENCE BRIDGE (PACKAGING) --- +function f_package() { + local PKG_NAME="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz" + local PKG_PATH="${BTC_ARCHIVE}/completed" + mkdir -p "${PKG_PATH}" + + echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..." + # Section 13 Note: This archive constitutes part of the "Corresponding Source" + tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" . 
+ + local pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}') + setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}" + + # Preserve forensic logs for the LeadNode database + mkdir -p "${BTC_ARCHIVE}/logs" + cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)" + echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}" } function f_set_exports() { - # Pivot to the DCOSNET sovereign cross-compiler + # Pivot build tools to the DCOSNET sovereign toolchain export CC="ccache ${NEWROOT}/bin/${TARGET}-gcc-${SYS_LABEL}" export CXX="ccache ${NEWROOT}/bin/${TARGET}-g++-${SYS_LABEL}" export AR="${NEWROOT}/bin/${TARGET}-gcc-ar-${SYS_LABEL}" @@ -150,22 +221,7 @@ function f_set_exports() { export LDFLAGS="${GLOBAL_LDFLAGS}" } -# --- 8. PERSISTENCE BRIDGE (PACKAGING) --- -function f_package() { - local PKG_NAME="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz" - local PKG_PATH="${BTC_ARCHIVE}/completed" - mkdir -p "${PKG_PATH}" - - echo ">> [DCOSNET] Committing Ramfs to Persistent Archive..." - # Freeze the cleanroom state into a compressed artifact - tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" . - - # Preserve forensic logs for the LeadNode database - mkdir -p "${BTC_ARCHIVE}/logs" - cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)" -} - -# --- 9. BUILD STAGES (LINEAR) --- +# --- 10. CORE BUILD STAGES --- function f_binutils() { cd ${SOURCES_ACTIVE} tar -axf ${SOURCE_CACHE}/${v_binutils}* 
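Review bot: `tar -cJpf` in f_package archives the forge without extended attributes, so the `user.btc.identity` and `user.btc.hash` stamps that f_stamp_binary sets are not carried in the `.tar.xz` that is kept as the persistent artifact. With GNU tar this needs `tar --xattrs --xattrs-include='user.btc.*' -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .`, and the same flags when the archive is unpacked. The new `user.btc.pkg_hash` attribute sits on the archive itself and disappears on any copy or filesystem that drops xattrs; writing the `sha256sum` output to a `${PKG_NAME}.sha256` file next to the archive, signed if nodes are meant to verify origin, is more durable. `local pkg_hash=$(…)` also hides a failing `sha256sum` from `set -e`.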
@@ -214,33 +270,96 @@ function f_gcc_p2() { function f_kernel_binary() { f_set_exports cd ${SOURCES_ACTIVE}/linux-* - # Sovereign uname/kernel identification echo "-dcosnet-${SYS_LABEL}" > .scmversion f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make" cp -v arch/x86/boot/bzImage ${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet } +# --- 11. DEPLOYMENT & BOOT CONFIGURATION --- function f_install_target() { local TARGET_PART="${1}" local MNT_POINT="/mnt/btc_target" mkdir -p ${MNT_POINT} && mount ${TARGET_PART} ${MNT_POINT} - [[ -f "${MNT_POINT}/etc/sorcery/version" ]] && export DISTRO="SourceMage" - [[ -f "${MNT_POINT}/etc/lunar/version" ]] && export DISTRO="Lunar" + local DISTRO="Generic-Source" + [[ -f "${MNT_POINT}/etc/lunar/version" ]] && DISTRO="Lunar" + [[ -f "${MNT_POINT}/etc/sorcery/version" ]] && DISTRO="SourceMage" + [[ -f "${MNT_POINT}/etc/openwrt_version" ]] && DISTRO="OpenWrt" + [[ -d "${MNT_POINT}/etc/portage" ]] && DISTRO="Gentoo" + [[ -f "${MNT_POINT}/etc/exherbo-release" ]] && DISTRO="Exherbo" + [[ -f "${MNT_POINT}/etc/cruxversion" ]] && DISTRO="CRUX" - echo ">> [DCOSNET SWARM] Seeding ${TARGET_PART}..." - f_exec_log "rsync -avzX ${NEWROOT}/bin/ ${MNT_POINT}/usr/local/bin/" "deploy" "install" + echo ">> [DCOSNET SWARM] Deploying Silicon-Identity to Dell Optiplex 3050 Micro Variants / ${DISTRO} target..." + + # Kernel Handoff + mkdir -p ${MNT_POINT}/boot + cp -v ${NEWROOT}/boot/vmlinuz-* ${MNT_POINT}/boot/ + + # Binary Sync with safe-links + local bin_dest="/usr/local/bin" + [[ "$DISTRO" == "OpenWrt" ]] && bin_dest="/usr/bin" + + f_exec_log "rsync -avzX --safe-links ${NEWROOT}/bin/ ${MNT_POINT}${bin_dest}/" "${DISTRO}_deploy" "install" umount ${MNT_POINT} + echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}" } -# --- 10. 
MAIN (ONE-SHOT) --- +function f_boot_deploy() { + local TYPE="${1:-grub2-legacy-style}" + local TARGET_PART="${2:-/dev/sda3}" + local KERNEL_IMG="vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet" + + echo ">> BTC-0.2.0: Deploying ${TYPE} config..." + + case ${TYPE} in + grub1) + cat < /boot/grub/menu.lst +title BTC SourceMage [${SYS_LABEL}] + root (hd0,2) + kernel /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet +EOF + ;; + lilo) + cat < /etc/lilo.conf +boot=/dev/sda +image=/boot/${KERNEL_IMG} + label=BTC-SM + root=${TARGET_PART} + read-only +EOF + /sbin/lilo + ;; + grub2-legacy-style) + cat < /etc/grub.d/40_custom +#!/bin/sh +exec tail -n +3 \$0 +menuentry 'SourceMage [Silicon: ${SYS_LABEL}]' { + set root='(hd0,gpt3)' + linux /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet +} +EOF + grub-mkconfig -o /boot/grub/grub.cfg + ;; + syslinux) + cat < /boot/syslinux/syslinux.cfg +LABEL btc + LINUX ../${KERNEL_IMG} + APPEND root=${TARGET_PART} rw +EOF + ;; + esac +} + +# --- 12. MAIN ORCHESTRATION --- function f_main() { [[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; } - local TARGET_DEV="${1:-}" # Optional physical seed target + local TARGET_DEV="${1:-}" + f_agpl_header # Display license status to all interacting users f_silicon_probe f_setup + # Forge Pipeline f_binutils f_kernel_headers f_gcc_p1 
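Review bot: f_boot_deploy writes `/boot/grub/menu.lst`, `/etc/lilo.conf`, `/etc/grub.d/40_custom` and `/boot/syslinux/syslinux.cfg` on the machine running the build and then runs `/sbin/lilo` or `grub-mkconfig` there, while the kernel was copied to `${MNT_POINT}/boot/` and f_install_target has already unmounted the target. As far as the visible lines show, the build host's bootloader configuration is overwritten with an entry for a kernel image that was only placed on the target. Pass the mounted target root in, for example `local ROOT="${3:?target root required}"`, write to `"${ROOT}/boot/grub/menu.lst"` and the other paths under it, and call the function before `umount`. The disk references `(hd0,2)`, `(hd0,gpt3)` and `boot=/dev/sda` stay fixed whatever `TARGET_PART` is, and `mount ${TARGET_PART} ${MNT_POINT}` is unquoted and leaves the partition mounted if a later step fails under `set -e`. f_main continues in the next hunk.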
@@ -248,22 +367,19 @@ function f_main() { f_gcc_p2 f_kernel_binary - #Stage 1: Persistence - f_package + # 1. Mandatory Persistence (Archive) + f_package - #Stage 2: Optional Seed + # 2. Optional Physical Seed & Boot deployment if [[ -n "${TARGET_DEV}" ]]; then - if [[ -b "${TARGET_DEV}" ]]; then - f_install_target "${TARGET_DEV}" - else - echo ">> [ERROR] ${TARGET_DEV} is not a valid block device." - exit 1 - fi + f_install_target "${TARGET_DEV}" + f_boot_deploy "grub2-legacy-style" "${TARGET_DEV}" fi - #Stage 3: Zero-Footprint Cleanup - cd / && umount ${SOURCES_ACTIVE} - echo ">> [SUCCESS] BTC-0.1.4: Sovereign Swarm Artifacts Persistent in ${BTC_ARCHIVE}." + # 3. Final Zero-Footprint Cleanup: Unmount ramfs + cd / && umount -l ${SOURCES_ACTIVE} + echo ">> [SUCCESS] BTC-0.2.0-AGPL: Sovereign Forge Complete." } +# One-Shot Execution f_main "$@" \ No newline at end of file
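Review bot: The `[[ -b "${TARGET_DEV}" ]]` check that the old code ran before f_install_target is removed, so any string given as the first argument now reaches `mount` and the `root=` line that f_boot_deploy writes. Restore it at the top of f_main, before the forge pipeline, so a bad argument fails before the build rather than after it: `[[ -z "${TARGET_DEV}" || -b "${TARGET_DEV}" ]] || { echo ">> [ERROR] ${TARGET_DEV} is not a valid block device." >&2; exit 1; }`. The final `umount -l` detaches lazily and returns success while something still holds the ramfs open; a plain `umount` with an explicit error message would show when the forge memory has not actually been released. f_main begins in the previous hunk.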