Release: version 0.3.0
This commit is contained in:
parent
5728ebd148
commit
bf8d1e9549
171
BTC.sh
171
BTC.sh
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
# BTC-0.2.0.sh - Build Tool Chain
|
||||
# Version: 0.2.0 (Sovereign Sentry Forge / dcosnet-Identity / Swarm-Aware)
|
||||
# Target: Dell Optiplex 3050 Micro Variants & RDIMM Swarm
|
||||
# ==============================================================================
|
||||
# BTC-0.3.0.sh - Sovereign Sentry Forge
|
||||
# Identity: dcosnet / dcos.net | Swarm: Broadwell-HS / Haswell-EP
|
||||
# License: GNU Affero General Public License v3 (AGPL-3.0)
|
||||
#
|
||||
# Notwithstanding any other provision of this License, if you modify
|
||||
|
|
@ -9,35 +9,37 @@
|
|||
# interacting with it remotely through a computer network an
|
||||
# opportunity to receive the Corresponding Source of your version.
|
||||
#
|
||||
# Profile: Ghost / Virt / Base - Multi-Target Hardened Kernel & eBPF
|
||||
# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
|
||||
# Persistence: /opt/BTC | Volatile: ramfs
|
||||
# Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)
|
||||
# ==============================================================================
|
||||
|
||||
# --- 1. AGPL COMPLIANCE & IDENTITY ---
|
||||
function f_agpl_header() {
|
||||
cat <<EOF
|
||||
>> BTC-0.2.0 "Sovereign Sentry"
|
||||
>> BTC-0.3.0 "Sovereign Sentry"
|
||||
>> Copyright (C) 2026 Jeremy Anderson
|
||||
>> Licensed under GNU AGPLv3. NO WARRANTY.
|
||||
>> SOURCE: https://dcos.net/git/btc (Official Mirror)
|
||||
>> SOURCE: https://git.dcos.net/jeremy/btc (Official Mirror)
|
||||
>> -----------------------------------------------------
|
||||
EOF
|
||||
}
|
||||
|
||||
# --- 2. HARDENED ENVIRONMENT ---
|
||||
# Reset PATH to prevent environment poisoning/hijacking
|
||||
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
set -euo pipefail # Strict error propagation
|
||||
set -f # Disable globbing to prevent unintended expansion
|
||||
set -euo pipefail
|
||||
set -f
|
||||
|
||||
# Expand aliases for non-interactive bash to ensure absolute paths run correctly
|
||||
shopt -s expand_aliases
|
||||
|
||||
# Toolchain Aliases: Pinning absolute paths to avoid "Copy Fail" hijacked binaries
|
||||
alias rsync='/usr/bin/rsync'
|
||||
alias tar='/usr/bin/tar'
|
||||
alias gcc='/usr/bin/gcc'
|
||||
alias sha256sum='/usr/bin/sha256sum'
|
||||
|
||||
# --- 3. RECOVERY & CLEANUP ---
|
||||
# Trap ensures ramfs is unmounted even if build fails; prevents persistent memory bloat
|
||||
trap "echo '>> Interrupt: Cleaning ramfs...'; cd / && umount -l ${SOURCES_ACTIVE} 2>/dev/null || true; exit 1" INT TERM
|
||||
|
||||
# --- 4. GLOBAL CONFIG ---
|
||||
|
|
@ -58,7 +60,6 @@ export DISTRO="DCOSNET-LEAD"
|
|||
function f_silicon_probe() {
|
||||
echo ">> [IDENTITY] Interrogating Silicon..."
|
||||
|
||||
# Mitigate CVE-2026-31431: Disable vulnerable crypto socket before forge starts
|
||||
if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then
|
||||
echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..."
|
||||
rmmod algif_aead || true
|
||||
|
|
@ -72,11 +73,9 @@ function f_silicon_probe() {
|
|||
export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
|
||||
export TARGET="x86_64-dcosnet-linux-gnu"
|
||||
|
||||
# Calculate thread depth: 2GB RAM floor per core for LTO safety
|
||||
local total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}')
|
||||
export v_threads="-j$(( (total_ram / 2048) < $(nproc) ? (total_ram / 2048) : $(nproc) ))"
|
||||
|
||||
# Aggressive Forge Profile: O3 + LTO + Hardened Stack
|
||||
export GLOBAL_CFLAGS="-O3 -march=native -flto=$(nproc) -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe"
|
||||
export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=$(nproc) --sysroot=${NEWROOT}"
|
||||
|
||||
|
|
@ -89,7 +88,6 @@ function f_stamp_binary() {
|
|||
local target_bin="$1"
|
||||
local log_base="$2"
|
||||
|
||||
# Inject Immutable ELF Note (The Silicon DNA)
|
||||
cat <<EOF > btc_stamp.s
|
||||
.section .note.BTC,"a"
|
||||
.align 4
|
||||
|
|
@ -105,12 +103,10 @@ EOF
|
|||
objcopy --add-section .note.BTC=btc_stamp.o "${target_bin}"
|
||||
rm btc_stamp.s btc_stamp.o
|
||||
|
||||
# Rapid Audit Metadata for Fapolicyd/eBPF verification
|
||||
local bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}')
|
||||
setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}"
|
||||
setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}"
|
||||
|
||||
# Extract debug symbols to LeadNode archive before thinning binary
|
||||
if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then
|
||||
mkdir -p "${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
|
||||
objcopy --only-keep-debug "${target_bin}" "${BTC_ARCHIVE}/symbols/${SYS_LABEL}/${log_base}.debug"
|
||||
|
|
@ -157,7 +153,6 @@ function f_exec_log() {
|
|||
f_guard
|
||||
|
||||
if [[ "$mode" == "install" ]]; then
|
||||
# Audit FS changes via installwatch; triggers binary stamping
|
||||
stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \
|
||||
pv -t -r -b -N "${log_base}" >> "${LOGS}/${log_base}.log" 2>&1
|
||||
|
||||
|
|
@ -165,7 +160,6 @@ function f_exec_log() {
|
|||
file "$1" | grep -q "ELF" && f_stamp_binary "$1" "'"${log_base}"'"
|
||||
' _ {} \;
|
||||
else
|
||||
# Standard build: pipe stdout through pv for telemetry; separate stderr
|
||||
stdbuf -oL -eL bash -c "${cmd}" | \
|
||||
pv -t -r -b -N "${log_base}" | \
|
||||
tee -a "${LOGS}/${log_base}.log" > /dev/null \
|
||||
|
|
@ -174,13 +168,11 @@ function f_exec_log() {
|
|||
}
|
||||
|
||||
function f_setup() {
|
||||
# Mount Volatile Ramfs: The "Forge Stage" Cleanroom
|
||||
local ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
|
||||
mount -t ramfs -o size=$((ram_kb/2/1024))M ramfs ${SOURCES_ACTIVE}
|
||||
mkdir -p ${NEWROOT}/{bin,lib,lib64,sbin,etc,usr,boot} ${LOGS}
|
||||
ln -sf lib ${NEWROOT}/lib64
|
||||
|
||||
# Tmux dashboard for real-time telemetry observation
|
||||
if [[ -n "${TMUX:-}" ]]; then
|
||||
tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null"
|
||||
tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'"
|
||||
|
|
@ -197,20 +189,17 @@ function f_package() {
|
|||
mkdir -p "${PKG_PATH}"
|
||||
|
||||
echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
|
||||
# Section 13 Note: This archive constitutes part of the "Corresponding Source"
|
||||
tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .
|
||||
|
||||
local pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}')
|
||||
setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}"
|
||||
|
||||
# Preserve forensic logs for the LeadNode database
|
||||
mkdir -p "${BTC_ARCHIVE}/logs"
|
||||
cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
|
||||
echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}"
|
||||
}
|
||||
|
||||
function f_set_exports() {
|
||||
# Pivot build tools to the DCOSNET sovereign toolchain
|
||||
export CC="ccache ${NEWROOT}/bin/${TARGET}-gcc-${SYS_LABEL}"
|
||||
export CXX="ccache ${NEWROOT}/bin/${TARGET}-g++-${SYS_LABEL}"
|
||||
export AR="${NEWROOT}/bin/${TARGET}-gcc-ar-${SYS_LABEL}"
|
||||
|
|
@ -221,7 +210,59 @@ function f_set_exports() {
|
|||
export LDFLAGS="${GLOBAL_LDFLAGS}"
|
||||
}
|
||||
|
||||
# --- 10. CORE BUILD STAGES ---
|
||||
# --- 10. KERNEL PROFILE INJECTION ---
|
||||
function f_ghost_opts() {
|
||||
echo ">> [PROFILE] Applying Ghost Hardening (Physical/Tuned)..."
|
||||
{
|
||||
echo "CONFIG_MODULES=n"
|
||||
echo "CONFIG_KALLSYMS=n"
|
||||
echo "CONFIG_COMPAT=n"
|
||||
echo "CONFIG_PROC_KCORE=n"
|
||||
echo "CONFIG_CIFS=n"
|
||||
echo "CONFIG_NFS_FS=n"
|
||||
echo "CONFIG_SUNRPC=n"
|
||||
echo "CONFIG_ATM=n"
|
||||
echo "CONFIG_SYSVIPC=n"
|
||||
echo "CONFIG_SECURITY_SELINUX=n"
|
||||
echo "CONFIG_SECURITY_APPARMOR=n"
|
||||
echo "CONFIG_LSM=\"bpf,capability\""
|
||||
echo "CONFIG_BPF_LSM=y"
|
||||
echo "CONFIG_DEBUG_INFO_BTF=y"
|
||||
echo "CONFIG_E1000E=y"
|
||||
echo "CONFIG_R8169=y"
|
||||
} >> .config
|
||||
make olddefconfig > /dev/null
|
||||
}
|
||||
|
||||
function f_virt_opts() {
|
||||
echo ">> [PROFILE] Applying Weightless Profile (VirtIO/Classic Guest)..."
|
||||
{
|
||||
echo "CONFIG_VIRTIO_PCI=y"
|
||||
echo "CONFIG_VIRTIO_NET=y"
|
||||
echo "CONFIG_VIRTIO_BLK=y"
|
||||
echo "CONFIG_DRM_VIRTIO_GPU=y"
|
||||
echo "CONFIG_DRM_CIRRUS_QEMU=y"
|
||||
echo "CONFIG_DRM_VMWGFX=y"
|
||||
echo "CONFIG_DEBUG_INFO_BTF=y"
|
||||
echo "CONFIG_BPF_LSM=y"
|
||||
echo "CONFIG_LSM=\"bpf,capability\""
|
||||
} >> .config
|
||||
make olddefconfig > /dev/null
|
||||
}
|
||||
|
||||
function gen_vmlinux_h() {
|
||||
local EBPF_DIR="${NEWROOT}/ebpf"
|
||||
mkdir -p "$EBPF_DIR"
|
||||
|
||||
if command -v bpftool >/dev/null 2>&1 && [ -f "./vmlinux" ]; then
|
||||
echo ">> [EBPF] Generating vmlinux.h for CO-RE portability..."
|
||||
bpftool btf dump file ./vmlinux format c > "$EBPF_DIR/vmlinux.h" 2>/dev/null || echo ">> [WARN] BTF dump failed."
|
||||
else
|
||||
echo ">> [WARN] Skipping vmlinux.h: tool or vmlinux binary missing."
|
||||
fi
|
||||
}
|
||||
|
||||
# --- 11. CORE BUILD STAGES ---
|
||||
function f_binutils() {
|
||||
cd ${SOURCES_ACTIVE}
|
||||
tar -axf ${SOURCE_CACHE}/${v_binutils}*
|
||||
|
|
@ -270,12 +311,28 @@ function f_gcc_p2() {
|
|||
function f_kernel_binary() {
|
||||
f_set_exports
|
||||
cd ${SOURCES_ACTIVE}/linux-*
|
||||
make defconfig > /dev/null
|
||||
|
||||
# Kernel Profile Routing
|
||||
case ${KERNEL_PROFILE} in
|
||||
ghost) f_ghost_opts ;;
|
||||
virt) f_virt_opts ;;
|
||||
base) echo ">> [PROFILE] Baseline Discovery Active" ;;
|
||||
esac
|
||||
|
||||
echo "-dcosnet-${SYS_LABEL}" > .scmversion
|
||||
f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
|
||||
|
||||
# Generate eBPF structural maps for the resulting kernel layout
|
||||
gen_vmlinux_h
|
||||
|
||||
cp -v arch/x86/boot/bzImage ${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet
|
||||
|
||||
echo "--- FINAL KERNEL AUDIT ---"
|
||||
grep -E "CONFIG_(MODULES|CIFS|NFS|SUNRPC|SECURITY_SELINUX|DEBUG_INFO_BTF)" .config | sed 's/^/[AUDIT] /'
|
||||
}
|
||||
|
||||
# --- 11. DEPLOYMENT & BOOT CONFIGURATION ---
|
||||
# --- 12. DEPLOYMENT TARGETING ---
|
||||
function f_install_target() {
|
||||
local TARGET_PART="${1}"
|
||||
local MNT_POINT="/mnt/btc_target"
|
||||
|
|
@ -304,58 +361,15 @@ function f_install_target() {
|
|||
echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}"
|
||||
}
|
||||
|
||||
function f_boot_deploy() {
|
||||
local TYPE="${1:-grub2-legacy-style}"
|
||||
local TARGET_PART="${2:-/dev/sda3}"
|
||||
local KERNEL_IMG="vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet"
|
||||
|
||||
echo ">> BTC-0.2.0: Deploying ${TYPE} config..."
|
||||
|
||||
case ${TYPE} in
|
||||
grub1)
|
||||
cat <<EOF > /boot/grub/menu.lst
|
||||
title BTC SourceMage [${SYS_LABEL}]
|
||||
root (hd0,2)
|
||||
kernel /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
|
||||
EOF
|
||||
;;
|
||||
lilo)
|
||||
cat <<EOF > /etc/lilo.conf
|
||||
boot=/dev/sda
|
||||
image=/boot/${KERNEL_IMG}
|
||||
label=BTC-SM
|
||||
root=${TARGET_PART}
|
||||
read-only
|
||||
EOF
|
||||
/sbin/lilo
|
||||
;;
|
||||
grub2-legacy-style)
|
||||
cat <<EOF > /etc/grub.d/40_custom
|
||||
#!/bin/sh
|
||||
exec tail -n +3 \$0
|
||||
menuentry 'SourceMage [Silicon: ${SYS_LABEL}]' {
|
||||
set root='(hd0,gpt3)'
|
||||
linux /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
|
||||
}
|
||||
EOF
|
||||
grub-mkconfig -o /boot/grub/grub.cfg
|
||||
;;
|
||||
syslinux)
|
||||
cat <<EOF > /boot/syslinux/syslinux.cfg
|
||||
LABEL btc
|
||||
LINUX ../${KERNEL_IMG}
|
||||
APPEND root=${TARGET_PART} rw
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# --- 12. MAIN ORCHESTRATION ---
|
||||
# --- 13. MAIN ORCHESTRATION ---
|
||||
function f_main() {
|
||||
[[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; }
|
||||
local TARGET_DEV="${1:-}"
|
||||
|
||||
f_agpl_header # Display license status to all interacting users
|
||||
# Parsing Profile and Target Device (Usage: ./btc.sh [ghost|virt|base] [/dev/sdX])
|
||||
export KERNEL_PROFILE="${1:-ghost}"
|
||||
local TARGET_DEV="${2:-}"
|
||||
|
||||
f_agpl_header
|
||||
f_silicon_probe
|
||||
f_setup
|
||||
|
||||
|
|
@ -367,18 +381,17 @@ function f_main() {
|
|||
f_gcc_p2
|
||||
f_kernel_binary
|
||||
|
||||
# 1. Mandatory Persistence (Archive)
|
||||
# Mandatory Persistence (Archive)
|
||||
f_package
|
||||
|
||||
# 2. Optional Physical Seed & Boot deployment
|
||||
# Optional Physical Seed deployment
|
||||
if [[ -n "${TARGET_DEV}" ]]; then
|
||||
f_install_target "${TARGET_DEV}"
|
||||
f_boot_deploy "grub2-legacy-style" "${TARGET_DEV}"
|
||||
fi
|
||||
|
||||
# 3. Final Zero-Footprint Cleanup: Unmount ramfs
|
||||
# Zero-Footprint Cleanup: Unmount ramfs
|
||||
cd / && umount -l ${SOURCES_ACTIVE}
|
||||
echo ">> [SUCCESS] BTC-0.2.0-AGPL: Sovereign Forge Complete."
|
||||
echo ">> [SUCCESS] BTC-0.3.0-AGPL: Sovereign Forge Complete. Profile: ${KERNEL_PROFILE}"
|
||||
}
|
||||
|
||||
# One-Shot Execution
|
||||
|
|
|
|||
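Review bot: The profile dispatch in f_kernel_binary has no default arm, so an unrecognised `KERNEL_PROFILE` value falls through silently and the kernel is built from the plain `make defconfig` with none of the ghost/virt hardening applied; because this commit also moved the target device from `$1` to `$2` in f_main, the previous invocation form `./btc.sh /dev/sdX` now lands exactly there (profile "/dev/sdX", no target) and still reports success. Add `*) echo ">> [ERROR] Unknown profile '${KERNEL_PROFILE}' (ghost|virt|base)" >&2; exit 1 ;;` to the `case` so the build fails closed instead of shipping an unhardened kernel under a hardened label. The "FINAL KERNEL AUDIT" grep only prints the resulting values and would not catch this either, and `make olddefconfig` can quietly drop an appended option whose dependencies are unmet, so consider asserting the settings the profile relies on, e.g. `grep -qx 'CONFIG_BPF_LSM=y' .config || exit 1`, rather than just echoing them.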