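#!/bin/bash
# BTC-0.2.0.sh - Build Tool Chain
# Version: 0.2.0 (Sovereign Sentry Forge / dcosnet-Identity / Swarm-Aware)
# Target: Dell Optiplex 3050 Micro Variants & RDIMM Swarm
# License: GNU Affero General Public License v3 (AGPL-3.0)
#
# Notwithstanding any other provision of this License, if you modify
# the Program, your modified version must prominently offer all users
# interacting with it remotely through a computer network an
# opportunity to receive the Corresponding Source of your version.
#
# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
# Persistence: /opt/BTC | Volatile: ramfs
# Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)

# --- 1. AGPL COMPLIANCE & IDENTITY ---

#######################################
# Print the license banner.
# Outputs: five banner lines on stdout.
#######################################
function f_agpl_header() {
  # Quoted delimiter: the banner is literal text, nothing in it is expanded.
  cat <<'EOF'
>> BTC-0.2.0 "Sovereign Sentry"
>> Copyright (C) 2026 Jeremy Anderson
>> Licensed under GNU AGPLv3. NO WARRANTY.
>> SOURCE: https://dcos.net/git/btc (Official Mirror)
>> -----------------------------------------------------
EOF
}

# --- 2. HARDENED ENVIRONMENT ---
# Reset PATH to prevent environment poisoning/hijacking.
# NOTE(review): /usr/local/sbin and /usr/local/bin are searched first, so any
# tool that is not pinned below still resolves there before /usr/bin. The reset
# only helps if those directories are writable by root alone - confirm.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
set -euo pipefail # Strict error propagation
# Disable globbing to prevent unintended expansion. Any later step that needs
# a wildcard has to lift noglob locally (for example inside a subshell).
set -f

# Toolchain pins: route these commands to absolute paths.
# They are shell functions rather than aliases because a non-interactive bash
# does not expand aliases unless `shopt -s expand_aliases` is set, so an alias
# here would silently pin nothing. The pins apply to this shell only; child
# processes (bash -c, make, configure) still resolve commands through PATH.
function rsync() { /usr/bin/rsync "$@"; }
function tar() { /usr/bin/tar "$@"; }
function gcc() { /usr/bin/gcc "$@"; }
function sha256sum() { /usr/bin/sha256sum "$@"; }

# --- 3. RECOVERY & CLEANUP ---

#######################################
# INT/TERM handler: detach the forge ramfs and exit with status 1.
# Globals: SOURCES_ACTIVE (read when the signal arrives)
#######################################
function f_interrupt_cleanup() {
  echo '>> Interrupt: Cleaning ramfs...'
  local mnt="${SOURCES_ACTIVE:-}"
  cd / || true
  # Only detach when a ramfs is really mounted there: an interrupt that arrives
  # before the forge mount exists must not lazily unmount some other filesystem
  # that happens to live at the same path.
  if [[ -n "${mnt}" ]] \
    && awk -v d="${mnt}" '$2 == d && $3 == "ramfs" { hit = 1 } END { exit !hit }' \
      /proc/mounts 2>/dev/null; then
    umount -l "${mnt}" 2>/dev/null || true
  fi
  exit 1
}

# Only INT and TERM are trapped. A build step that fails under `set -e` exits
# without running this handler, so the ramfs stays mounted in that case.
# The handler is a function so SOURCES_ACTIVE is read at signal time; a
# double-quoted trap string would expand it here, before it is assigned, which
# aborts the script under `set -u`.
trap f_interrupt_cleanup INT TERM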
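# --- 4. GLOBAL CONFIG ---
export BTC_DEBUG_LEVEL=1
export BTC_STRIP_MODE=1
export BTC_ARCHIVE=/opt/BTC
export SOURCES_ACTIVE=/usr/src
export SOURCE_CACHE=${BTC_ARCHIVE}/src
export v_glibc='glibc-2.41'
export v_gcc='gcc-14.2.0'
export v_binutils='binutils-2.46'
export v_linux='linux-7.1'
export NEWROOT=${SOURCES_ACTIVE}/BTC-Forge
export LOGS=${NEWROOT}/LOGS
export DISTRO="DCOSNET-LEAD"

# --- 5. SILICON IDENTITY & MITIGATION ---

#######################################
# Compute the parallel job count: one job per 2048 MB of RAM, capped at the
# CPU count and never below 1 (make rejects -j0).
# Arguments: $1 - total RAM in MB, $2 - CPU count
# Outputs:   the job count on stdout
#######################################
function f_thread_cap() {
  local ram_mb=$1
  local cpus=$2
  local jobs=$(( ram_mb / 2048 ))
  if (( jobs > cpus )); then
    jobs=${cpus}
  fi
  if (( jobs < 1 )); then
    jobs=1
  fi
  printf '%s\n' "${jobs}"
}

#######################################
# Apply the algif_aead mitigation, then derive the build identity and the
# compiler settings from the host.
# Globals written (exported): TARGET_ARCH, ISA_TAG, OPT_TAG, SYS_LABEL, TARGET,
#   v_threads, GLOBAL_CFLAGS, GLOBAL_LDFLAGS, CCACHE_DIR
# Globals read: NEWROOT, BTC_ARCHIVE
#######################################
function f_silicon_probe() {
  echo ">> [IDENTITY] Interrogating Silicon..."

  # Mitigate CVE-2026-31431: unload the crypto socket module before the forge
  # starts. /proc/modules lines begin with the module name, hence the anchor.
  if [[ -f /proc/modules ]] && grep -q '^algif_aead ' /proc/modules; then
    echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..."
    # A failed unload is reported instead of swallowed, so a log reader can
    # tell whether the mitigation was applied. The build still continues.
    # NOTE(review): unloading does not stop the module from being loaded again
    # on demand; a persistent modprobe rule would be needed for that - confirm.
    if ! rmmod algif_aead; then
      echo ">> [SECURITY] WARNING: algif_aead could not be unloaded; mitigation NOT applied." >&2
    fi
  fi

  # Declaration is separate from assignment so `local` does not hide the
  # pipeline status. `|| true` keeps the tolerant behaviour: an empty result
  # falls through to the "hsw" default below.
  local raw_arch
  raw_arch=$(/usr/bin/gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}') || true
  # NOTE(review): every detected value other than "x86-64" is labelled "bdw";
  # the label does not carry the detected -march value itself.
  if [[ -z "${raw_arch}" || "${raw_arch}" == "x86-64" ]]; then
    export TARGET_ARCH="hsw"
  else
    export TARGET_ARCH="bdw"
  fi

  export ISA_TAG="AVX2"
  export OPT_TAG="LTO"
  export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
  export TARGET="x86_64-dcosnet-linux-gnu"

  # Thread depth: 2GB RAM floor per job for LTO safety.
  local total_ram cpus
  total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}') || total_ram=0
  cpus=$(nproc)
  export v_threads="-j$(f_thread_cap "${total_ram:-0}" "${cpus}")"

  # Aggressive Forge Profile: O3 + LTO + Hardened Stack
  export GLOBAL_CFLAGS="-O3 -march=native -flto=${cpus} -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe"
  export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=${cpus} --sysroot=${NEWROOT}"

  # NOTE(review): the compiler cache persists under BTC_ARCHIVE across runs and
  # later builds reuse its objects, so it should be writable by root only -
  # confirm the directory permissions.
  export CCACHE_DIR="${BTC_ARCHIVE}/cache/${SYS_LABEL}"
  mkdir -p "${CCACHE_DIR}"
}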
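# --- 6. DCOSNET FORENSIC STAMPING (ELF & XATTR) ---

#######################################
# Emit assembler source for the .note.BTC ELF note.
# Globals read: ISA_TAG, OPT_TAG, DISTRO, HOSTNAME
# Outputs:      assembler text on stdout
#######################################
function f_stamp_note_asm() {
  # Note header layout: name size, descriptor size, type. The name size spans
  # labels 1..2 (the NUL-terminated owner string) only; measuring up to label 4
  # would count the descriptor as part of the name.
  cat <<EOF
  .section .note.BTC,"a"
  .align 4
  .long 2f - 1f
  .long 3f - 2f
  .long 1
1: .asciz "DCOSNET"
2: .ascii "Org: dcos.net|K:7.1|I:${ISA_TAG}|O:${OPT_TAG}|T:${DISTRO}|F:${HOSTNAME}"
3: .align 4
4:
EOF
}

#######################################
# Stamp one ELF binary: add the .note.BTC section, optionally split off debug
# symbols, then record identity and SHA-256 as extended attributes.
# Globals read: BTC_STRIP_MODE, BTC_ARCHIVE, SYS_LABEL, v_linux
# Arguments:    $1 - path of the binary, $2 - log base name of the build stage
# Returns:      0 on success or when the binary is already stamped; the status
#               of the failing tool otherwise
#######################################
function f_stamp_binary() {
  local target_bin="$1"
  local log_base="$2"

  # Every install stage walks the whole tree again, so skip a binary that
  # already carries the section instead of adding it a second time.
  local sections
  sections=$(readelf -S -W "${target_bin}" 2>/dev/null) || sections=""
  if [[ "${sections}" == *".note.BTC"* ]]; then
    return 0
  fi

  # Private scratch directory rather than fixed file names in the build dir.
  local work_dir
  local rc=0
  work_dir=$(mktemp -d) || return 1
  {
    f_stamp_note_asm > "${work_dir}/btc_stamp.s" \
      && /usr/bin/gcc -c "${work_dir}/btc_stamp.s" -o "${work_dir}/btc_stamp.o" \
      && objcopy -O binary --only-section=.note.BTC \
        "${work_dir}/btc_stamp.o" "${work_dir}/btc_stamp.bin" \
      && objcopy --add-section .note.BTC="${work_dir}/btc_stamp.bin" "${target_bin}"
  } || rc=$?
  # --add-section copies the named file byte for byte, so the raw note bytes
  # are extracted first; handing it the .o would embed a whole object file.
  rm -rf -- "${work_dir:?}"
  if (( rc != 0 )); then
    return "${rc}"
  fi

  # Extract debug symbols to the LeadNode archive before thinning the binary.
  if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then
    local sym_dir="${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
    # One debug file per binary: a name built from the stage alone would be
    # overwritten by every further binary of that stage.
    local debug_file="${sym_dir}/${log_base}.${target_bin##*/}.debug"
    mkdir -p "${sym_dir}" || return
    objcopy --only-keep-debug "${target_bin}" "${debug_file}" || return
    strip --strip-unneeded "${target_bin}" || return
    objcopy --add-gnu-debuglink="${debug_file}" "${target_bin}" || return
  fi

  # Rapid Audit Metadata for Fapolicyd/eBPF verification.
  # Hashed last: stripping and the debuglink rewrite the file, so a hash taken
  # before them would not match the binary that ships.
  # NOTE(review): user.* attributes and the note can be rewritten by anyone who
  # can write the file; they identify a build but do not prove it is untouched.
  local bin_hash
  bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}') || return
  setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}" || return
  setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}" || return
}

# --- 7. THE INVISIBLE GUARD ---

#######################################
# Print the first readable thermal zone reading in whole degrees Celsius,
# or 0 when none can be read.
# The body is a subshell so lifting noglob for the wildcard stays local.
#######################################
function f_read_temp_c() (
  set +f
  raw=""
  for zone in /sys/class/thermal/thermal_zone*/temp; do
    if [[ -r "${zone}" ]] && read -r raw < "${zone}"; then
      break
    fi
    raw=""
  done
  [[ "${raw}" =~ ^-?[0-9]+$ ]] || raw=0
  # Integer division: bash arithmetic cannot compare a fractional value.
  printf '%s\n' "$(( raw / 1000 ))"
)

#######################################
# Block until the host is cool enough and has enough available memory.
# Pauses 10 s above 85 degrees C and 30 s below 800 MB available.
#######################################
function f_guard() {
  local max_temp=85
  local min_mem=800
  local cur_temp cur_mem
  while true; do
    cur_temp=$(f_read_temp_c) || cur_temp=0
    cur_mem=$(/usr/bin/free -m | awk '/^Mem:/{print $7}') || cur_mem=""
    # An unreadable memory figure must not stall the build indefinitely.
    [[ "${cur_mem}" =~ ^[0-9]+$ ]] || cur_mem=${min_mem}
    if (( cur_temp > max_temp )); then
      echo ">> [THERMAL PAUSE] ${cur_temp}°C - Cooling..."
      sleep 10
    elif (( cur_mem < min_mem )); then
      echo ">> [MEMORY PAUSE] ${cur_mem}MB - Waiting for LTO clearance (RDIMM)..."
      sleep 30
    else
      break
    fi
  done
}

#######################################
# When the reported entropy estimate is below 250, run two seconds of
# background filesystem activity.
# NOTE(review): recent kernels report a constant entropy_avail once the pool
# is initialised, and disk activity may not add to it - confirm this step
# still does anything on the target kernel.
#######################################
function f_entropy_shield() {
  local cur_ent=""
  if [[ -r /proc/sys/kernel/random/entropy_avail ]]; then
    read -r cur_ent < /proc/sys/kernel/random/entropy_avail || true
  fi
  # No usable reading: nothing to compare, skip quietly.
  [[ "${cur_ent}" =~ ^[0-9]+$ ]] || return 0
  if (( cur_ent < 250 )); then
    echo ">> [ENTROPY SHIELD] Low Pool. Generating Jitter for 7.1 Signing..."
    find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
    local churn_pid=$!
    sleep 2
    kill "${churn_pid}" 2>/dev/null || true
  fi
}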
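# --- 8. EXECUTION ENGINE (FORENSIC) ---

#######################################
# Resolve a wildcard to exactly one path.
# The body is a subshell, so lifting noglob and clearing IFS stay local.
# Arguments: $1 - glob pattern
# Outputs:   the single matching path on stdout
# Returns:   1 when the pattern matches zero or several paths
#######################################
function f_one_match() (
  set +f
  shopt -s nullglob
  IFS=
  # shellcheck disable=SC2206 - unquoted on purpose so the pattern is expanded
  hits=( $1 )
  if (( ${#hits[@]} != 1 )); then
    echo ">> [ERROR] Expected exactly one match for '$1', found ${#hits[@]}." >&2
    exit 1
  fi
  printf '%s\n' "${hits[0]}"
)

# Change into the single directory matching the glob pattern in $1.
function f_enter_one() {
  local dir
  dir=$(f_one_match "$1") || return 1
  cd "${dir}" || return 1
}

#######################################
# Unpack the one cached tarball whose name starts with $1 into the cwd.
# Globals read: SOURCE_CACHE
# NOTE(review): the tarball is unpacked and built as root with no checksum or
# signature check, so the cache directory is trusted as-is. Verifying each
# archive against a pinned digest before this point would close that gap.
#######################################
function f_unpack() {
  local tarball
  tarball=$(f_one_match "${SOURCE_CACHE}/$1*") || return 1
  tar -axf "${tarball}"
}

#######################################
# Run one build command with throttling and logging.
# Globals read: LOGS, NEWROOT
# Arguments: $1 - command line, executed as shell source by `bash -c`; it must
#                 be built from trusted configuration only
#            $2 - log base name
#            $3 - "install" to audit with installwatch and stamp binaries,
#                 anything else (default "build") for a plain logged run
# Returns:   non-zero when the logged pipeline fails
#######################################
function f_exec_log() {
  local cmd="$1"
  local log_base="$2"
  local mode="${3:-build}"
  local log_file="${LOGS}/${log_base}.log"

  f_entropy_shield
  f_guard

  if [[ "${mode}" == "install" ]]; then
    # Audit FS changes via installwatch. The command's stderr is merged into
    # the logged stream; pv's own meter stays on the terminal.
    stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "${cmd}" 2>&1 \
      | pv -t -r -b -N "${log_base}" >> "${log_file}" || return

    # Stamp in this shell: a `bash -c` child started by find does not inherit
    # unexported functions, so the stamping call would not be found there.
    local elf kind
    while IFS= read -r -d '' elf; do
      kind=$(file -b -- "${elf}") || kind=""
      if [[ "${kind}" == *ELF* ]]; then
        # Best effort, as before: one binary that cannot be stamped is
        # reported and the stage carries on.
        f_stamp_binary "${elf}" "${log_base}" \
          || echo ">> [WARN] Stamping failed for ${elf}" >&2
      fi
    done < <(find "${NEWROOT}" -type f -executable -print0)
  else
    # Standard build: stdout through pv into the log; stderr into .err and the
    # log. The stderr redirect sits on the build command itself - on the last
    # stage of the pipeline it would only capture that stage's own errors.
    stdbuf -oL -eL bash -c "${cmd}" \
      2> >(tee -a "${LOGS}/${log_base}.err" >> "${log_file}") \
      | pv -t -r -b -N "${log_base}" >> "${log_file}" || return
  fi
}

#######################################
# Mount the volatile forge stage and create the NEWROOT skeleton.
# Globals read: SOURCES_ACTIVE, NEWROOT, LOGS, TMUX
#######################################
function f_setup() {
  # Mount Volatile Ramfs: The "Forge Stage" Cleanroom
  # NOTE(review): ramfs may not enforce the size= option; if a hard cap on the
  # forge stage is wanted, confirm the limit is honoured on the target kernel.
  local ram_kb
  ram_kb=$(awk '/^MemTotal:/{print $2}' /proc/meminfo)
  mount -t ramfs -o "size=$(( ram_kb / 2 / 1024 ))M" ramfs "${SOURCES_ACTIVE}"

  # lib64 is created as a symlink only: with a real lib64 directory already in
  # place, `ln -sf lib .../lib64` would drop the link inside that directory.
  mkdir -p "${NEWROOT}"/{bin,lib,sbin,etc,usr,boot} "${LOGS}"
  ln -sfn lib "${NEWROOT}/lib64"

  # Tmux dashboard for real-time telemetry observation
  if [[ -n "${TMUX:-}" ]]; then
    tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null"
    tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'"
    tmux split-window -v -p 50 "watch -n 2 'echo \"ENTROPY: \$(cat /proc/sys/kernel/random/entropy_avail)\"; iostat -dx 1 2 | awk \"/avg-cpu/ {getline; print \\\$4 \\\"% iowait\\\"}\"'"
    tmux select-pane -t 0
    echo ">> BTC Dashboard Synchronized..."
  fi
}

# --- 9. PERSISTENCE BRIDGE (PACKAGING) ---

#######################################
# Archive NEWROOT and the build logs under BTC_ARCHIVE.
# Globals read: SYS_LABEL, v_linux, BTC_ARCHIVE, NEWROOT, LOGS
#######################################
function f_package() {
  local PKG_NAME="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz"
  local PKG_PATH="${BTC_ARCHIVE}/completed"
  mkdir -p "${PKG_PATH}"

  echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
  # Section 13 Note: This archive constitutes part of the "Corresponding Source"
  # NOTE(review): without an xattr-preserving option the user.btc.* attributes
  # set on the binaries are presumably not stored in the archive - confirm.
  tar -cJpf "${PKG_PATH}/${PKG_NAME}" -C "${NEWROOT}" .

  # NOTE(review): the digest is stored on the archive itself, so it detects
  # corruption but not replacement by someone who can write this directory.
  local pkg_hash
  pkg_hash=$(sha256sum "${PKG_PATH}/${PKG_NAME}" | awk '{print $1}')
  setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${PKG_PATH}/${PKG_NAME}"

  # Preserve forensic logs for the LeadNode database
  mkdir -p "${BTC_ARCHIVE}/logs"
  cp -rv "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
  echo ">> [SUCCESS] Artifact preserved at ${PKG_PATH}/${PKG_NAME}"
}

#######################################
# Pivot build tools to the DCOSNET sovereign toolchain.
# Globals read: NEWROOT, TARGET, SYS_LABEL, GLOBAL_CFLAGS, GLOBAL_LDFLAGS
# Globals written (exported): CC, CXX, AR, NM, RANLIB, CFLAGS, CXXFLAGS, LDFLAGS
#######################################
function f_set_exports() {
  local tool_prefix="${NEWROOT}/bin/${TARGET}"
  export CC="ccache ${tool_prefix}-gcc-${SYS_LABEL}"
  export CXX="ccache ${tool_prefix}-g++-${SYS_LABEL}"
  export AR="${tool_prefix}-gcc-ar-${SYS_LABEL}"
  export NM="${tool_prefix}-gcc-nm-${SYS_LABEL}"
  export RANLIB="${tool_prefix}-gcc-ranlib-${SYS_LABEL}"
  export CFLAGS="${GLOBAL_CFLAGS}"
  export CXXFLAGS="${GLOBAL_CFLAGS}"
  export LDFLAGS="${GLOBAL_LDFLAGS}"
}

# --- 10. CORE BUILD STAGES ---

# Stage: cross binutils, configured, built and installed into NEWROOT.
function f_binutils() {
  cd "${SOURCES_ACTIVE}" || return 1
  f_unpack "${v_binutils}"
  f_enter_one "${SOURCES_ACTIVE}/binutils-*"
  mkdir -p build && cd build
  f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --disable-nls --disable-multilib" "binutils-conf"
  f_exec_log "make ${v_threads}" "binutils-make"
  f_exec_log "make install" "binutils-install" "install"
}

# Stage: generate the kernel headers and copy them to NEWROOT/include.
function f_kernel_headers() {
  cd "${SOURCES_ACTIVE}" || return 1
  f_unpack "${v_linux}"
  f_enter_one "${SOURCES_ACTIVE}/linux-*"
  f_exec_log "make mrproper && make headers" "kernel-headers"
  # The destination has to exist before several sources are copied into it.
  mkdir -p "${NEWROOT}/include"
  # Subshell: the wildcard needs globbing, which may be off in the caller.
  ( set +f; cp -rv usr/include/* "${NEWROOT}/include" )
}

# Stage: first-pass GCC (no headers, static, C and C++) with bundled math libs.
function f_gcc_p1() {
  cd "${SOURCES_ACTIVE}" || return 1
  f_unpack "${v_gcc}"
  f_enter_one "${SOURCES_ACTIVE}/gcc-*"
  local lib lib_dir
  for lib in gmp mpfr mpc; do
    f_unpack "${lib}"
    lib_dir=$(f_one_match "${lib}-*") || return 1
    mv -v "${lib_dir}" "${lib}"
  done
  mkdir -p build && cd build
  f_exec_log "../configure --target=${TARGET} --prefix=${NEWROOT} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --without-headers --disable-shared --disable-threads --enable-languages=c,c++" "gcc1-conf"
  f_exec_log "make ${v_threads}" "gcc1-make"
  f_exec_log "make install" "gcc1-install" "install"
}

# Stage: glibc, built with the first-pass toolchain.
function f_glibc() {
  f_set_exports
  cd "${SOURCES_ACTIVE}" || return 1
  # No earlier stage unpacks glibc and the ramfs starts empty, so the source
  # tree has to be extracted here before it can be entered.
  f_unpack "${v_glibc}"
  f_enter_one "${SOURCES_ACTIVE}/glibc-*"
  mkdir -p build && cd build
  f_exec_log "../configure --prefix=${NEWROOT} --host=${TARGET} --with-headers=${NEWROOT}/include libc_cv_slibdir=${NEWROOT}/lib" "glibc-conf"
  f_exec_log "make ${v_threads}" "glibc-make"
  f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install" "install"
}

# Stage: second-pass GCC from a clean build directory.
function f_gcc_p2() {
  f_set_exports
  local gcc_dir
  gcc_dir=$(f_one_match "${SOURCES_ACTIVE}/gcc-*") || return 1
  # Recreate the directory instead of `rm -rf *` in the cwd: no wildcard is
  # needed, and :? refuses to run if the resolved path is ever empty.
  rm -rf -- "${gcc_dir:?}/build"
  mkdir -p "${gcc_dir}/build"
  cd "${gcc_dir}/build" || return 1
  f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --program-suffix=-${SYS_LABEL} --enable-languages=c,c++ --with-build-sysroot=${NEWROOT}" "gcc2-conf"
  f_exec_log "make ${v_threads}" "gcc2-make"
  f_exec_log "make install" "gcc2-install" "install"
}

# Stage: build bzImage and copy it to NEWROOT/boot under the labelled name.
function f_kernel_binary() {
  f_set_exports
  f_enter_one "${SOURCES_ACTIVE}/linux-*"
  echo "-dcosnet-${SYS_LABEL}" > .scmversion
  f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
  cp -v arch/x86/boot/bzImage "${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet"
}

# --- 11. DEPLOYMENT & BOOT CONFIGURATION ---

#######################################
# Copy the kernel and the toolchain binaries onto a target partition.
# Arguments: $1 - block device of the target root filesystem
# Returns:   non-zero when the argument is not a block device or a copy step
#            fails; the partition is unmounted in both cases
#######################################
function f_install_target() {
  local TARGET_PART="${1}"
  local MNT_POINT="/mnt/btc_target"

  # Refuse anything that is not a block device before mounting it as root.
  if [[ ! -b "${TARGET_PART}" ]]; then
    echo ">> [ERROR] ${TARGET_PART} is not a block device." >&2
    return 1
  fi
  mkdir -p "${MNT_POINT}"
  mount "${TARGET_PART}" "${MNT_POINT}"

  # Later checks override earlier ones, so the last matching marker wins.
  local DISTRO="Generic-Source"
  if [[ -f "${MNT_POINT}/etc/lunar/version" ]]; then DISTRO="Lunar"; fi
  if [[ -f "${MNT_POINT}/etc/sorcery/version" ]]; then DISTRO="SourceMage"; fi
  if [[ -f "${MNT_POINT}/etc/openwrt_version" ]]; then DISTRO="OpenWrt"; fi
  if [[ -d "${MNT_POINT}/etc/portage" ]]; then DISTRO="Gentoo"; fi
  if [[ -f "${MNT_POINT}/etc/exherbo-release" ]]; then DISTRO="Exherbo"; fi
  if [[ -f "${MNT_POINT}/etc/cruxversion" ]]; then DISTRO="CRUX"; fi

  echo ">> [DCOSNET SWARM] Deploying Silicon-Identity to Dell Optiplex 3050 Micro Variants / ${DISTRO} target..."

  local bin_dest="/usr/local/bin"
  if [[ "${DISTRO}" == "OpenWrt" ]]; then
    bin_dest="/usr/bin"
  fi

  # Kernel handoff, then binary sync with safe-links. The status is collected
  # so the partition is unmounted even when a copy step fails.
  local rc=0
  {
    mkdir -p "${MNT_POINT}/boot" \
      && ( set +f; cp -v "${NEWROOT}"/boot/vmlinuz-* "${MNT_POINT}/boot/" ) \
      && f_exec_log "rsync -avzX --safe-links ${NEWROOT}/bin/ ${MNT_POINT}${bin_dest}/" "${DISTRO}_deploy" "install"
  } || rc=$?

  umount "${MNT_POINT}"
  if (( rc != 0 )); then
    echo ">> [ERROR] Deployment to ${TARGET_PART} failed (status ${rc})." >&2
    return "${rc}"
  fi
  echo ">> [SUCCESS] Swarm Node Seeded: ${DISTRO}"
}

#######################################
# Write a boot loader entry for the forged kernel.
# Arguments: $1 - loader type: grub1, lilo, grub2-legacy-style (default),
#                 syslinux
#            $2 - root device for the kernel command line (default /dev/sda3)
# Returns:   1 for an unknown loader type
# NOTE(review): every path written here is on the running system, not under
# the target mount point, and each file is overwritten without a backup.
# Confirm the build host's own boot configuration is the intended destination.
# NOTE(review): the loader-side root entries (hd0,2) and (hd0,gpt3) are fixed
# and do not follow $2.
#######################################
function f_boot_deploy() {
  local TYPE="${1:-grub2-legacy-style}"
  local TARGET_PART="${2:-/dev/sda3}"
  local KERNEL_IMG="vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet"

  echo ">> BTC-0.2.0: Deploying ${TYPE} config..."
  case "${TYPE}" in
    grub1)
      cat <<EOF > /boot/grub/menu.lst
title BTC SourceMage [${SYS_LABEL}]
root (hd0,2)
kernel /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
EOF
      ;;
    lilo)
      cat <<EOF > /etc/lilo.conf
boot=/dev/sda
image=/boot/${KERNEL_IMG}
label=BTC-SM
root=${TARGET_PART}
read-only
EOF
      /sbin/lilo
      ;;
    grub2-legacy-style)
      cat <<EOF > /etc/grub.d/40_custom
#!/bin/sh
exec tail -n +3 \$0
menuentry 'SourceMage [Silicon: ${SYS_LABEL}]' {
  set root='(hd0,gpt3)'
  linux /boot/${KERNEL_IMG} root=${TARGET_PART} rw quiet
}
EOF
      # grub-mkconfig runs only executable scripts from /etc/grub.d; a file
      # created just now by the redirect would otherwise be skipped.
      chmod 0755 /etc/grub.d/40_custom
      grub-mkconfig -o /boot/grub/grub.cfg
      ;;
    syslinux)
      cat <<EOF > /boot/syslinux/syslinux.cfg
LABEL btc
LINUX ../${KERNEL_IMG}
APPEND root=${TARGET_PART} rw
EOF
      ;;
    *)
      # An unknown type used to fall through without writing anything.
      echo ">> [ERROR] Unknown boot loader type: ${TYPE}" >&2
      return 1
      ;;
  esac
}

# --- 12. MAIN ORCHESTRATION ---

#######################################
# Run the whole forge: probe, set up, build, package, optionally deploy.
# Arguments: $1 - optional target partition; when given, the build is also
#                 installed to it and a boot entry is written
#######################################
function f_main() {
  if [[ ${EUID} -ne 0 ]]; then
    echo ">> Root Required."
    exit 1
  fi
  local TARGET_DEV="${1:-}"

  f_agpl_header # Display license status to all interacting users
  f_silicon_probe
  f_setup

  # Forge Pipeline
  f_binutils
  f_kernel_headers
  f_gcc_p1
  f_glibc
  f_gcc_p2
  f_kernel_binary

  # 1. Mandatory Persistence (Archive)
  f_package

  # 2. Optional Physical Seed & Boot deployment
  if [[ -n "${TARGET_DEV}" ]]; then
    f_install_target "${TARGET_DEV}"
    f_boot_deploy "grub2-legacy-style" "${TARGET_DEV}"
  fi

  # 3. Final Zero-Footprint Cleanup: Unmount ramfs
  cd / && umount -l "${SOURCES_ACTIVE}"
  echo ">> [SUCCESS] BTC-0.2.0-AGPL: Sovereign Forge Complete."
}

# One-Shot Execution
f_main "$@"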