From bf8d1e954937761c8c2a9b0be1f3c1d7a40c9d33 Mon Sep 17 00:00:00 2001
From: Jeremy Anderson
Date: Sat, 13 Jun 2026 17:14:19 -0400
Subject: [PATCH] Release: version 0.3.0
---
 BTC.sh | 171 +++++++++++++++++++++++++++++++--------------------------
 1 file changed, 92 insertions(+), 79 deletions(-)
diff --git a/BTC.sh b/BTC.sh
index c23ecf7..cb0cc68 100644
--- a/BTC.sh
+++ b/BTC.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# BTC-0.2.0.sh - Build Tool Chain
-# Version: 0.2.0 (Sovereign Sentry Forge / dcosnet-Identity / Swarm-Aware)
-# Target: Dell Optiplex 3050 Micro Variants & RDIMM Swarm
+# ==============================================================================
+# BTC-0.3.0.sh - Sovereign Sentry Forge
+# Identity: dcosnet / dcos.net | Swarm: Broadwell-HS / Haswell-EP
 # License: GNU Affero General Public License v3 (AGPL-3.0)
 #
 # Notwithstanding any other provision of this License, if you modify
@@ -9,35 +9,37 @@
 # interacting with it remotely through a computer network an
 # opportunity to receive the Corresponding Source of your version.
 #
+# Profile: Ghost / Virt / Base - Multi-Target Hardened Kernel & eBPF
 # Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
 # Persistence: /opt/BTC | Volatile: ramfs
 # Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)
+# ==============================================================================
 # --- 1. AGPL COMPLIANCE & IDENTITY ---
 function f_agpl_header() {
 cat <> BTC-0.2.0 "Sovereign Sentry"
+>> BTC-0.3.0 "Sovereign Sentry"
 >> Copyright (C) 2026 Jeremy Anderson
 >> Licensed under GNU AGPLv3. NO WARRANTY.
->> SOURCE: https://dcos.net/git/btc (Official Mirror)
+>> SOURCE: https://git.dcos.net/jeremy/btc (Official Mirror)
 >> -----------------------------------------------------
 EOF
 }
 # --- 2. HARDENED ENVIRONMENT ---
-# Reset PATH to prevent environment poisoning/hijacking
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-set -euo pipefail # Strict error propagation
-set -f # Disable globbing to prevent unintended expansion
+set -euo pipefail
+set -f
+
+# Expand aliases for non-interactive bash to ensure absolute paths run correctly
+shopt -s expand_aliases
-# Toolchain Aliases: Pinning absolute paths to avoid "Copy Fail" hijacked binaries
 alias rsync='/usr/bin/rsync'
 alias tar='/usr/bin/tar'
 alias gcc='/usr/bin/gcc'
 alias sha256sum='/usr/bin/sha256sum'
 # --- 3. RECOVERY & CLEANUP ---
-# Trap ensures ramfs is unmounted even if build fails; prevents persistent memory bloat
 trap "echo '>> Interrupt: Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM
 # --- 4. GLOBAL CONFIG ---
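Review bot: `shopt -s expand_aliases` pins the aliased tools only for commands that this shell parses itself; the `bash -c "$cmd"` and `find -exec bash -c` children that f_exec_log uses in the later hunks start a fresh non-interactive bash with no aliases, so `sha256sum` inside f_stamp_binary and everything routed through f_exec_log still resolves via PATH rather than `/usr/bin`. A child shell cannot inherit an alias, so if absolute paths are the goal the aliases should be replaced by direct `/usr/bin/...` invocations or readonly path variables used in those functions. Separately, the trap in this hunk is registered only for INT and TERM, so a build step that fails under `set -e` exits without unmounting ramfs; an EXIT trap that performs the unmount without forcing `exit 1` would close that gap. Note also that the double-quoted trap string expands `${SOURCES_ACTIVE}` when the trap is installed, which under `set -u` presumably aborts the script if that variable is first assigned in the GLOBAL CONFIG section that follows — worth confirming against the lines after this hunk.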
@@ -58,7 +60,6 @@ export DISTRO="DCOSNET-LEAD"
 function f_silicon_probe() {
 echo ">> [IDENTITY] Interrogating Silicon..."
- # Mitigate CVE-2026-31431: Disable vulnerable crypto socket before forge starts
 if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then
 echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..."
 rmmod algif_aead || true
@@ -72,11 +73,9 @@ function f_silicon_probe() {
 export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
 export TARGET="x86_64-dcosnet-linux-gnu"
- # Calculate thread depth: 2GB RAM floor per core for LTO safety
 local total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}')
 export v_threads="-j$(( (total_ram / 2048) < $(nproc) ? (total_ram / 2048) : $(nproc) ))"
- # Aggressive Forge Profile: O3 + LTO + Hardened Stack
 export GLOBAL_CFLAGS="-O3 -march=native -flto=$(nproc) -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe"
 export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=$(nproc) --sysroot=${NEWROOT}"
@@ -89,7 +88,6 @@ function f_stamp_binary() {
 local target_bin="$1"
 local log_base="$2"
- # Inject Immutable ELF Note (The Silicon DNA)
 cat < btc_stamp.s
 .section .note.BTC,"a"
 .align 4
@@ -105,12 +103,10 @@ EOF
 objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}"
 rm btc_stamp.s btc_stamp.o
- # Rapid Audit Metadata for Fapolicyd/eBPF verification
 local bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}')
 setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}"
 setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}"
- # Extract debug symbols to LeadNode archive before thinning binary
 if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then
 mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
 objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug"
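Review bot: The comments deleted in these four hunks (the CVE-2026-31431 rationale for `rmmod algif_aead`, the 2 GB-per-thread LTO floor behind `v_threads`, the purpose of the `.note.BTC` ELF section and of the `user.btc.*` xattrs) were the only place those design decisions were written down, and nothing in the patch replaces them; the same applies to the comments removed from f_exec_log, f_setup, f_package and f_set_exports in the following hunks. A maintainer who later meets `total_ram / 2048` or `rmmod algif_aead || true` has no way to recover the intent. I'd keep a one-line why-comment on each, e.g. `# 2 GiB RAM per LTO thread; capped at nproc` above the `v_threads` export and `# CVE-2026-31431 (Copy Fail): unload algif_aead before the forge starts` above the `/proc/modules` check.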
@@ -157,7 +153,6 @@ function f_exec_log() {
 f_guard
 if [[ "$mode" == "install" ]]; then
- # Audit FS changes via installwatch; triggers binary stamping
 stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \
 pv -t -r -b -N "${log_base}" >> "${LOGS}/${log_base}.log" 2>&1
@@ -165,7 +160,6 @@ function f_exec_log() {
 file "$1" | grep -q "ELF" && f_stamp_binary "$1" "'"${log_base}"'"
 ' _ {} \;
 else
- # Standard build: pipe stdout through pv for telemetry; separate stderr
 stdbuf -oL -eL bash -c "${cmd}" | \
 pv -t -r -b -N "${log_base}" | \
 tee -a "${LOGS}/${log_base}.log" > /dev/null \
@@ -174,13 +168,11 @@ function f_exec_log() {
 }
 function f_setup() {
- # Mount Volatile Ramfs: The "Forge Stage" Cleanroom
 local ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
 mount -t ramfs -o size=$((ram_kb/2/1024))M ramfs ${SOURCES_ACTIVE}
 mkdir -p ${NEWROOT}/{bin,lib,lib64,sbin,etc,usr,boot} ${LOGS}
 ln -sf lib ${NEWROOT}/lib64
- # Tmux dashboard for real-time telemetry observation
 if [[ -n "${TMUX:-}" ]]; then
 tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null"
 tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'"
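Review bot: In f_setup, `-o size=$((ram_kb/2/1024))M` on a ramfs mount caps nothing: ramfs ignores the size option and grows until memory is exhausted, so the half-of-MemTotal budget computed on the line above is never enforced and a large build tree can push the host into OOM. If a hard ceiling is intended, mount `tmpfs` instead (it honours `size=`, at the cost of being able to page to swap), or keep ramfs and state in a comment that the stage is unbounded so nobody relies on the figure. f_setup continues past the end of this hunk.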
@@ -197,20 +189,17 @@ function f_package() {
 mkdir -p "${PKG_PATH}"
 echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
- # Section 13 Note: This archive constitutes part of the "Corresponding Source"
 tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .
 local pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}')
 setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}"
- # Preserve forensic logs for the LeadNode database
 mkdir -p "${BTC_ARCHIVE}/logs"
 cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
 echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}"
 }
 function f_set_exports() {
- # Pivot build tools to the DCOSNET sovereign toolchain
 export CC="ccache ${NEWROOT}/bin/${TARGET}-gcc-${SYS_LABEL}"
 export CXX="ccache ${NEWROOT}/bin/${TARGET}-g++-${SYS_LABEL}"
 export AR="${NEWROOT}/bin/${TARGET}-gcc-ar-${SYS_LABEL}"
@@ -221,7 +210,59 @@ function f_set_exports() {
 export LDFLAGS="${GLOBAL_LDFLAGS}"
 }
-# --- 10. CORE BUILD STAGES ---
+# --- 10. KERNEL PROFILE INJECTION ---
+function f_ghost_opts() {
+ echo ">> [PROFILE] Applying Ghost Hardening (Physical/Tuned)..."
+ {
+ echo "CONFIG_MODULES=n"
+ echo "CONFIG_KALLSYMS=n"
+ echo "CONFIG_COMPAT=n"
+ echo "CONFIG_PROC_KCORE=n"
+ echo "CONFIG_CIFS=n"
+ echo "CONFIG_NFS_FS=n"
+ echo "CONFIG_SUNRPC=n"
+ echo "CONFIG_ATM=n"
+ echo "CONFIG_SYSVIPC=n"
+ echo "CONFIG_SECURITY_SELINUX=n"
+ echo "CONFIG_SECURITY_APPARMOR=n"
+ echo "CONFIG_LSM=\"bpf,capability\""
+ echo "CONFIG_BPF_LSM=y"
+ echo "CONFIG_DEBUG_INFO_BTF=y"
+ echo "CONFIG_E1000E=y"
+ echo "CONFIG_R8169=y"
+ } >> .config
+ make olddefconfig > /dev/null
+}
+
+function f_virt_opts() {
+ echo ">> [PROFILE] Applying Weightless Profile (VirtIO/Classic Guest)..."
+ {
+ echo "CONFIG_VIRTIO_PCI=y"
+ echo "CONFIG_VIRTIO_NET=y"
+ echo "CONFIG_VIRTIO_BLK=y"
+ echo "CONFIG_DRM_VIRTIO_GPU=y"
+ echo "CONFIG_DRM_CIRRUS_QEMU=y"
+ echo "CONFIG_DRM_VMWGFX=y"
+ echo "CONFIG_DEBUG_INFO_BTF=y"
+ echo "CONFIG_BPF_LSM=y"
+ echo "CONFIG_LSM=\"bpf,capability\""
+ } >> .config
+ make olddefconfig > /dev/null
+}
+
+function gen_vmlinux_h() {
+ local EBPF_DIR="${NEWROOT}/ebpf"
+ mkdir -p "$EBPF_DIR"
+
+ if command -v bpftool >/dev/null 2>&1 && [ -f "./vmlinux" ]; then
+ echo ">> [EBPF] Generating vmlinux.h for CO-RE portability..."
+ bpftool btf dump file ./vmlinux format c > "$EBPF_DIR/vmlinux.h" 2>/dev/null || echo ">> [WARN] BTF dump failed."
+ else
+ echo ">> [WARN] Skipping vmlinux.h: tool or vmlinux binary missing."
+ fi
+}
+
+# --- 11. CORE BUILD STAGES ---
 function f_binutils() {
 cd ${SOURCES_ACTIVE}
 tar -axf ${SOURCE_CACHE}/${v_binutils}*
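Review bot: Both profile functions append `CONFIG_*` lines and then run `make olddefconfig`, which silently drops any symbol whose dependencies are unmet (for example `CONFIG_BPF_LSM=y` without the BPF syscall enabled, or `CONFIG_DEBUG_INFO_BTF=y` when pahole is missing), so a "hardened" profile can leave this step with its hardening quietly reverted and nothing fails. The audit at the end of f_kernel_binary in the next hunk only prints a subset of symbols; it never compares them with what the profile asked for. I'd have each profile assert the values it depends on right after `make olddefconfig`, as below, so the forge stops instead of shipping a kernel that differs from the selected profile. `gen_vmlinux_h` also mixes `[ -f ]` with the `[[ ]]` used elsewhere in the file and declares an upper-case `local`; minor, but worth aligning with the rest of the script.
```shell
function f_assert_cfg() {
  # Abort if a requested CONFIG_ value did not survive `make olddefconfig`
  # (kconfig silently drops symbols whose dependencies are unmet).
  # "=n" requests pass when the symbol is absent or "is not set" and fail
  # only if kconfig still enabled it.
  local want ok
  for want in "$@"; do
    if [[ "${want}" == *=n ]]; then
      ok=1; grep -qE -- "^${want%=n}=[ym]$" .config && ok=0
    else
      ok=0; grep -qxF -- "${want}" .config && ok=1
    fi
    (( ok )) || { echo ">> [ERROR] ${want} not honoured by olddefconfig" >&2; return 1; }
  done
}

function f_ghost_opts() {
  # … unchanged: echo CONFIG_* lines >> .config …
  make olddefconfig > /dev/null
  f_assert_cfg "CONFIG_MODULES=n" "CONFIG_BPF_LSM=y" "CONFIG_DEBUG_INFO_BTF=y" 'CONFIG_LSM="bpf,capability"'
}
# … f_virt_opts: same f_assert_cfg call after its olddefconfig, with its own list …
```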
@@ -270,12 +311,28 @@ function f_gcc_p2() {
 function f_kernel_binary() {
 f_set_exports
 cd ${SOURCES_ACTIVE}/linux-*
+ make defconfig > /dev/null
+
+ # Kernel Profile Routing
+ case ${KERNEL_PROFILE} in
+ ghost) f_ghost_opts ;;
+ virt) f_virt_opts ;;
+ base) echo ">> [PROFILE] Baseline Discovery Active" ;;
+ esac
+
 echo "-dcosnet-${SYS_LABEL}" > .scmversion
 f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
+
+ # Generate eBPF structural maps for the resulting kernel layout
+ gen_vmlinux_h
+
 cp -v arch/x86/boot/bzImage ${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet
+
+ echo "--- FINAL KERNEL AUDIT ---"
+ grep -E "CONFIG_(MODULES|CIFS|NFS|SUNRPC|SECURITY_SELINUX|DEBUG_INFO_BTF)" .config | sed 's/^/[AUDIT] /'
 }
-# --- 11. DEPLOYMENT & BOOT CONFIGURATION ---
+# --- 12. DEPLOYMENT TARGETING ---
 function f_install_target() {
 local TARGET_PART="${1}"
 local MNT_POINT="/mnt/btc_target"
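Review bot: The `case ${KERNEL_PROFILE} in` in f_kernel_binary has no `*)` arm, so any value other than ghost/virt/base silently builds a plain defconfig kernel and the final success line then reports that bogus profile name. This matters because f_main in the next hunk moves the device from `$1` to `$2` and reads the profile from `$1`, so a caller still using the previous `BTC.sh /dev/sdX` convention gets a device path as the profile, no install step, and no error. Add a rejecting default, `*) echo ">> [ERROR] Unknown KERNEL_PROFILE '${KERNEL_PROFILE}' (expected ghost|virt|base)" >&2; return 1 ;;`, and ideally validate `$1` against the same list in f_main before any build work starts.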
@@ -304,58 +361,15 @@ function f_install_target() {
 echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}"
 }
-function f_boot_deploy() {
- local TYPE="${1:-grub2-legacy-style}"
- local TARGET_PART="${2:-/dev/sda3}"
- local KERNEL_IMG="vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet"
-
- echo ">> BTC-0.2.0: Deploying ${TYPE} config..."
-
- case ${TYPE} in
- grub1)
- cat < /boot/grub/menu.lst
-title BTC SourceMage [${SYS_LABEL}]
- root (hd0,2)
- kernel /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
-EOF
- ;;
- lilo)
- cat < /etc/lilo.conf
-boot=/dev/sda
-image=/boot/${KERNEL_IMG}
- label=BTC-SM
- root=${TARGET_PART}
- read-only
-EOF
- /sbin/lilo
- ;;
- grub2-legacy-style)
- cat < /etc/grub.d/40_custom
-#!/bin/sh
-exec tail -n +3 \$0
-menuentry 'SourceMage [Silicon: ${SYS_LABEL}]' {
- set root='(hd0,gpt3)'
- linux /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
-}
-EOF
- grub-mkconfig -o /boot/grub/grub.cfg
- ;;
- syslinux)
- cat < /boot/syslinux/syslinux.cfg
-LABEL btc
- LINUX ../${KERNEL_IMG}
- APPEND root=${TARGET_PART} rw
-EOF
- ;;
- esac
-}
-
-# --- 12. MAIN ORCHESTRATION ---
+# --- 13. MAIN ORCHESTRATION ---
 function f_main() {
 [[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; }
- local TARGET_DEV="${1:-}"
+
+ # Parsing Profile and Target Device (Usage: ./btc.sh [ghost|virt|base] [/dev/sdX])
+ export KERNEL_PROFILE="${1:-ghost}"
+ local TARGET_DEV="${2:-}"
- f_agpl_header # Display license status to all interacting users
+ f_agpl_header
 f_silicon_probe
 f_setup
@@ -367,18 +381,17 @@ function f_main() {
 f_gcc_p2
 f_kernel_binary
- # 1. Mandatory Persistence (Archive)
+ # Mandatory Persistence (Archive)
 f_package
- # 2. Optional Physical Seed & Boot deployment
+ # Optional Physical Seed deployment
 if [[ -n "${TARGET_DEV}" ]]; then
 f_install_target "${TARGET_DEV}"
- f_boot_deploy "grub2-legacy-style" "${TARGET_DEV}"
 fi
- # 3. Final Zero-Footprint Cleanup: Unmount ramfs
+ # Zero-Footprint Cleanup: Unmount ramfs
 cd / && umount -l ${SOURCES_ACTIVE}
- echo ">> [SUCCESS] BTC-0.2.0-AGPL: Sovereign Forge Complete."
+ echo ">> [SUCCESS] BTC-0.3.0-AGPL: Sovereign Forge Complete. Profile: ${KERNEL_PROFILE}"
 }
 # One-Shot Execution