
#!/bin/bash
# ==============================================================================
# BTC-0.3.0.sh - Sovereign Sentry Forge
# Identity: dcosnet / dcos.net | Swarm: Broadwell-HS / Haswell-EP
# License: GNU Affero General Public License v3 (AGPL-3.0)
#
# Notwithstanding any other provision of this License, if you modify
# the Program, your modified version must prominently offer all users
# interacting with it remotely through a computer network an
# opportunity to receive the Corresponding Source of your version.
#
# Profile: Ghost / Virt / Base - Multi-Target Hardened Kernel & eBPF
# Security: CVE-2026-31431 Mitigated | PATH-Pinned | Static-Trust Ready
# Persistence: /opt/BTC | Volatile: ramfs
# Copyright (C) 2012-2026 Jeremy Anderson (info@dcos.net)
# ==============================================================================
# --- 1. AGPL COMPLIANCE & IDENTITY ---
function f_agpl_header() {
  # Print the AGPLv3 identity banner, one line per array entry.
  local banner=(
    '>> BTC-0.3.0 "Sovereign Sentry"'
    '>> Copyright (C) 2026 Jeremy Anderson'
    '>> Licensed under GNU AGPLv3. NO WARRANTY.'
    '>> SOURCE: https://git.dcos.net/jeremy/btc (Official Mirror)'
    '>> -----------------------------------------------------'
  )
  printf '%s\n' "${banner[@]}"
}
# --- 2. HARDENED ENVIRONMENT ---
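export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
set -euo pipefail
# Pathname expansion is disabled for the whole script; every function that has
# to resolve a '*' (cached tarballs, extracted source trees) must re-enable it
# locally with 'set +f' around that step.
set -f
# Expand aliases for non-interactive bash to ensure absolute paths run correctly
shopt -s expand_aliases
alias rsync='/usr/bin/rsync'
alias tar='/usr/bin/tar'
alias gcc='/usr/bin/gcc'
alias sha256sum='/usr/bin/sha256sum'
# --- 3. RECOVERY & CLEANUP ---
# Single-quoted so ${SOURCES_ACTIVE} is expanded when the signal fires, not
# while the trap is installed: the variable is only defined further down, and
# under 'set -u' the double-quoted form aborted the script right here.
trap 'echo ">> Interrupt: Cleaning ramfs..."; cd / && [[ -n "${SOURCES_ACTIVE:-}" ]] && umount -l -- "${SOURCES_ACTIVE}" 2>/dev/null || true; exit 1' INT TERM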
# --- 4. GLOBAL CONFIG ---
# Global build configuration: persistent archive, volatile workspace, pinned
# component versions and the sysroot/log locations derived from them.
BTC_DEBUG_LEVEL=1
BTC_STRIP_MODE=1
BTC_ARCHIVE=/opt/BTC
SOURCES_ACTIVE=/usr/src
SOURCE_CACHE="${BTC_ARCHIVE}/src"
v_glibc='glibc-2.41'
v_gcc='gcc-14.2.0'
v_binutils='binutils-2.46'
v_linux='linux-7.1'
NEWROOT="${SOURCES_ACTIVE}/BTC-Forge"
LOGS="${NEWROOT}/LOGS"
DISTRO="DCOSNET-LEAD"
export BTC_DEBUG_LEVEL BTC_STRIP_MODE BTC_ARCHIVE SOURCES_ACTIVE SOURCE_CACHE \
  v_glibc v_gcc v_binutils v_linux NEWROOT LOGS DISTRO
# --- 5. SILICON IDENTITY & MITIGATION ---
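function f_silicon_probe() {
  # Identify the host CPU, derive the build labels, job count and compiler
  # flags, and export them for every later stage.
  # Globals read:    NEWROOT BTC_ARCHIVE
  # Globals written: TARGET_ARCH ISA_TAG OPT_TAG SYS_LABEL TARGET v_threads
  #                  GLOBAL_CFLAGS GLOBAL_LDFLAGS CCACHE_DIR
  echo ">> [IDENTITY] Interrogating Silicon..."
  if [[ -f /proc/modules ]] && grep -q "algif_aead" /proc/modules; then
    echo ">> [SECURITY] Disabling algif_aead (Copy Fail mitigation)..."
    rmmod algif_aead || true
  fi
  local raw_arch
  # Under pipefail the substitution fails when gcc prints no 'march=' line;
  # treat that as "unknown" instead of aborting the forge.
  raw_arch=$(/usr/bin/gcc -march=native -Q --help=target | grep -m1 "march=" | awk '{print $2}') || raw_arch=""
  # NOTE(review): any name other than "x86-64" (including "haswell") maps to
  # the bdw label; confirm this is the intended split for the swarm.
  if [[ -z "$raw_arch" || "$raw_arch" == "x86-64" ]]; then
    export TARGET_ARCH="hsw"
  else
    export TARGET_ARCH="bdw"
  fi
  export ISA_TAG="AVX2"
  export OPT_TAG="LTO"
  export SYS_LABEL="DCOSNET-${TARGET_ARCH^^}-${ISA_TAG}-${OPT_TAG}"
  export TARGET="x86_64-dcosnet-linux-gnu"
  local cpus total_ram jobs
  cpus=$(nproc)
  total_ram=$(/usr/bin/free -m | awk '/^Mem:/{print $2}')
  # LTO is memory hungry: one job per 2 GiB of RAM, capped at the CPU count.
  # Never let this reach 0 — 'make -j0' means *unlimited* parallelism.
  jobs=$(( total_ram / 2048 ))
  if (( jobs > cpus )); then
    jobs=$cpus
  fi
  if (( jobs < 1 )); then
    jobs=1
  fi
  export v_threads="-j${jobs}"
  export GLOBAL_CFLAGS="-O3 -march=native -flto=${cpus} -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=${NEWROOT} -pipe"
  export GLOBAL_LDFLAGS="-Wl,-O1 -Wl,--as-needed -flto=${cpus} --sysroot=${NEWROOT}"
  export CCACHE_DIR="${BTC_ARCHIVE}/cache/${SYS_LABEL}"
  mkdir -p -- "${CCACHE_DIR}"
}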
# --- 6. DCOSNET FORENSIC STAMPING (ELF & XATTR) ---
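function f_stamp_binary() {
  # Embed a .note.BTC identity section into an ELF file, optionally split the
  # debug symbols out (BTC_STRIP_MODE=1), then record identity and SHA-256 as
  # user xattrs on the final file.
  # Arguments: $1 - path of the ELF binary (modified in place)
  #            $2 - base name for the .debug symbol file
  # Globals read: ISA_TAG OPT_TAG DISTRO HOSTNAME SYS_LABEL v_linux BTC_ARCHIVE
  #               BTC_STRIP_MODE
  local target_bin="$1"
  local log_base="$2"
  local work_dir
  # Scratch files go to a private temp dir rather than the caller's cwd, so
  # two stampings can never clobber each other's btc_stamp.* files.
  work_dir=$(mktemp -d) || return 1
  # K: is derived from v_linux so the note cannot drift from the xattr identity.
  cat <<EOF > "${work_dir}/btc_stamp.s"
.section .note.BTC,"a"
.align 4
.long 4f - 1f
.long 3f - 2f
.long 1
1: .asciz "DCOSNET"
2: .ascii "Org: dcos.net|K:${v_linux#linux-}|I:${ISA_TAG}|O:${OPT_TAG}|T:${DISTRO}|F:${HOSTNAME}"
3: .align 4
4:
EOF
  /usr/bin/gcc -c "${work_dir}/btc_stamp.s" -o "${work_dir}/btc_stamp.o"
  objcopy --add-section .note.BTC="${work_dir}/btc_stamp.o" "${target_bin}"
  rm -rf -- "${work_dir}"
  if [[ "${BTC_STRIP_MODE}" -eq 1 ]]; then
    local sym_dir="${BTC_ARCHIVE}/symbols/${SYS_LABEL}"
    mkdir -p -- "${sym_dir}"
    objcopy --only-keep-debug "${target_bin}" "${sym_dir}/${log_base}.debug"
    strip --strip-unneeded "${target_bin}"
    objcopy --add-gnu-debuglink="${sym_dir}/${log_base}.debug" "${target_bin}"
  fi
  # Hash LAST: strip/objcopy above rewrite the file, so a digest taken before
  # them (as the previous order did) never matched the binary that ships.
  local bin_hash
  bin_hash=$(sha256sum "${target_bin}" | awk '{print $1}') || return 1
  setfattr -n user.btc.identity -v "BTC-${SYS_LABEL}-${v_linux}-dcosnet" "${target_bin}"
  setfattr -n user.btc.hash -v "${bin_hash}" "${target_bin}"
}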
# --- 7. THE INVISIBLE GUARD ---
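function f_guard() {
  # Block until the host is cool enough and has enough free memory for the
  # next (LTO-heavy) build step.
  local max_temp=85
  local min_mem=800
  local cur_temp cur_mem
  while true; do
    # Globbing is off script-wide (set -f): the subshell re-enables it to find
    # the thermal zones. The reading is truncated to whole degrees because
    # bash arithmetic rejects a fractional value such as 45.123; a missing
    # sensor reads as 0 (no pause).
    cur_temp=$( set +f; cat /sys/class/thermal/thermal_zone*/temp 2>/dev/null | head -n1 | awk '{print int($1/1000)}' ) || cur_temp=0
    cur_temp=${cur_temp:-0}
    cur_mem=$(/usr/bin/free -m | awk '/^Mem:/{print $7}') || cur_mem=0
    cur_mem=${cur_mem:-0}
    if (( cur_temp > max_temp )); then
      echo ">> [THERMAL PAUSE] ${cur_temp}°C - Cooling..."
      sleep 10
    elif (( cur_mem < min_mem )); then
      echo ">> [MEMORY PAUSE] ${cur_mem}MB - Waiting for LTO clearance (RDIMM)..."
      sleep 30
    else
      break
    fi
  done
}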
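function f_entropy_shield() {
  # When the kernel entropy pool is low, generate ~2s of filesystem activity
  # as jitter before a step that needs randomness.
  local cur_ent
  cur_ent=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null) || cur_ent=0
  if (( ${cur_ent:-0} < 250 )); then
    echo ">> [ENTROPY SHIELD] Low Pool. Generating Jitter for 7.1 Signing..."
    find /bin /sbin -type f -exec ls -l {} + > /dev/null 2>&1 &
    local jitter_pid=$!
    sleep 2
    kill -- "${jitter_pid}" 2>/dev/null || true
    # Reap the job so it does not linger; its exit status is irrelevant.
    wait "${jitter_pid}" 2>/dev/null || true
  fi
}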
# --- 8. EXECUTION ENGINE (FORENSIC) ---
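function f_exec_log() {
  # Run one build command under the pacing guards, streaming its output to
  # ${LOGS}/<log_base>.log (and stderr additionally to .err). In "install"
  # mode the command runs under installwatch and every ELF executable under
  # ${NEWROOT} is stamped afterwards.
  # Arguments: $1 - shell command string (run with 'bash -c')
  #            $2 - log base name
  #            $3 - "build" (default) or "install"
  # Globals read: LOGS NEWROOT
  local cmd="$1"
  local log_base="$2"
  local mode="${3:-build}"
  local log_file="${LOGS}/${log_base}.log"
  local err_file="${LOGS}/${log_base}.err"
  f_entropy_shield
  f_guard
  if [[ "$mode" == "install" ]]; then
    stdbuf -oL -eL installwatch -o "${LOGS}/${log_base}.iw" bash -c "$cmd" | \
      pv -t -r -b -N "${log_base}" >> "${log_file}" 2>&1
    # Stamp in THIS shell: f_stamp_binary is a shell function, invisible to the
    # separate 'bash -c' that 'find -exec' used to spawn, so that form stamped
    # nothing. NUL-separated names survive any path characters.
    local bin
    while IFS= read -r -d '' bin; do
      # Already stamped by an earlier install step (xattr set by f_stamp_binary).
      if getfattr -n user.btc.hash "$bin" >/dev/null 2>&1; then
        continue
      fi
      if file "$bin" | grep -q "ELF"; then
        f_stamp_binary "$bin" "${log_base}"
      fi
    done < <(find "${NEWROOT}" -type f -executable -print0)
  else
    # The stderr redirect belongs on the 'bash -c' stage: attached to the final
    # 'tee' it only captured tee's own errors, never the build's.
    stdbuf -oL -eL bash -c "${cmd}" 2> >(tee -a "${err_file}" >> "${log_file}") | \
      pv -t -r -b -N "${log_base}" | \
      tee -a "${log_file}" > /dev/null
  fi
}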
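function f_setup() {
  # Mount the volatile ramfs workspace, lay out the sysroot skeleton and, when
  # running inside tmux, open the monitoring panes.
  # Globals read: SOURCES_ACTIVE NEWROOT LOGS TMUX
  local ram_kb
  ram_kb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
  # NOTE(review): ramfs does not enforce a size= cap the way tmpfs does; the
  # figure here is informational and f_guard's free-memory check is the real
  # protection against exhausting RAM.
  mount -t ramfs -o "size=$((ram_kb/2/1024))M" ramfs "${SOURCES_ACTIVE}"
  # 'include' is created because f_kernel_headers copies into it. lib64 is
  # deliberately NOT a directory: creating it first made 'ln -sf' place a 'lib'
  # link *inside* it instead of producing lib64 -> lib.
  mkdir -p "${NEWROOT}"/{bin,lib,sbin,etc,usr,boot,include} "${LOGS}"
  ln -sfn lib "${NEWROOT}/lib64"
  if [[ -n "${TMUX:-}" ]]; then
    tmux split-window -h -p 35 "tail -F ${LOGS}/*.log 2>/dev/null"
    tmux split-window -v -p 66 "watch -n 2 'ss -tunp | grep -E \"gcc|make|configure|ld\" | grep -v \"127.0.0.1\"'"
    tmux split-window -v -p 50 "watch -n 2 'echo \"ENTROPY: \$(cat /proc/sys/kernel/random/entropy_avail)\"; iostat -dx 1 2 | awk \"/avg-cpu/ {getline; print \\\$4 \\\"% iowait\\\"}\"'"
    tmux select-pane -t 0
    echo ">> BTC Dashboard Synchronized..."
  fi
}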
# --- 9. PERSISTENCE BRIDGE (PACKAGING) ---
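function f_package() {
  # Archive the forged sysroot as a tarball, record its SHA-256 as an xattr
  # and preserve the build logs alongside it.
  # Globals read: SYS_LABEL v_linux BTC_ARCHIVE NEWROOT LOGS
  local pkg_name="dcosnet-baseline-${SYS_LABEL}-${v_linux}.tar.xz"
  local pkg_dir="${BTC_ARCHIVE}/completed"
  local pkg_file="${pkg_dir}/${pkg_name}"
  mkdir -p -- "${pkg_dir}"
  echo ">> [AGPL-EXPORT] Compressing Forge State to Archive..."
  tar -cJpf "${pkg_file}" -C "${NEWROOT}" .
  # Declaration and assignment are split so a failing sha256sum is not masked
  # by 'local' (which always returns 0).
  local pkg_hash
  pkg_hash=$(sha256sum "${pkg_file}" | awk '{print $1}') || return 1
  setfattr -n user.btc.pkg_hash -v "${pkg_hash}" "${pkg_file}"
  mkdir -p -- "${BTC_ARCHIVE}/logs"
  cp -rv -- "${LOGS}" "${BTC_ARCHIVE}/logs/${SYS_LABEL}_$(date +%Y%m%d)"
  echo ">> [SUCCESS] Artifact preserved at ${pkg_file}"
}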
function f_set_exports() {
  # Point the build at the freshly forged cross toolchain (through ccache) and
  # propagate the global compiler/linker flags.
  # Globals read: NEWROOT TARGET SYS_LABEL GLOBAL_CFLAGS GLOBAL_LDFLAGS
  local tool_prefix="${NEWROOT}/bin/${TARGET}"
  local tool_suffix="${SYS_LABEL}"
  CC="ccache ${tool_prefix}-gcc-${tool_suffix}"
  CXX="ccache ${tool_prefix}-g++-${tool_suffix}"
  AR="${tool_prefix}-gcc-ar-${tool_suffix}"
  NM="${tool_prefix}-gcc-nm-${tool_suffix}"
  RANLIB="${tool_prefix}-gcc-ranlib-${tool_suffix}"
  CFLAGS="${GLOBAL_CFLAGS}"
  CXXFLAGS="${GLOBAL_CFLAGS}"
  LDFLAGS="${GLOBAL_LDFLAGS}"
  export CC CXX AR NM RANLIB CFLAGS CXXFLAGS LDFLAGS
}
# --- 10. KERNEL PROFILE INJECTION ---
function f_ghost_opts() {
  # Append the "Ghost" (bare-metal, module-less, BPF-LSM) options to the
  # .config in the current directory and let Kconfig resolve dependencies.
  # CONFIG_LSM replaces the kernel's default LSM ordering with just bpf and
  # capability.
  echo ">> [PROFILE] Applying Ghost Hardening (Physical/Tuned)..."
  local opts=(
    'CONFIG_MODULES=n'
    'CONFIG_KALLSYMS=n'
    'CONFIG_COMPAT=n'
    'CONFIG_PROC_KCORE=n'
    'CONFIG_CIFS=n'
    'CONFIG_NFS_FS=n'
    'CONFIG_SUNRPC=n'
    'CONFIG_ATM=n'
    'CONFIG_SYSVIPC=n'
    'CONFIG_SECURITY_SELINUX=n'
    'CONFIG_SECURITY_APPARMOR=n'
    'CONFIG_LSM="bpf,capability"'
    'CONFIG_BPF_LSM=y'
    'CONFIG_DEBUG_INFO_BTF=y'
    'CONFIG_E1000E=y'
    'CONFIG_R8169=y'
  )
  printf '%s\n' "${opts[@]}" >> .config
  make olddefconfig > /dev/null
}
function f_virt_opts() {
  # Append the VirtIO/classic-guest options to the .config in the current
  # directory and let Kconfig resolve dependencies. CONFIG_LSM replaces the
  # kernel's default LSM ordering with just bpf and capability.
  echo ">> [PROFILE] Applying Weightless Profile (VirtIO/Classic Guest)..."
  local opts=(
    'CONFIG_VIRTIO_PCI=y'
    'CONFIG_VIRTIO_NET=y'
    'CONFIG_VIRTIO_BLK=y'
    'CONFIG_DRM_VIRTIO_GPU=y'
    'CONFIG_DRM_CIRRUS_QEMU=y'
    'CONFIG_DRM_VMWGFX=y'
    'CONFIG_DEBUG_INFO_BTF=y'
    'CONFIG_BPF_LSM=y'
    'CONFIG_LSM="bpf,capability"'
  )
  printf '%s\n' "${opts[@]}" >> .config
  make olddefconfig > /dev/null
}
function gen_vmlinux_h() {
  # Dump the BTF of ./vmlinux into ${NEWROOT}/ebpf/vmlinux.h for CO-RE eBPF
  # programs; skipped with a warning when bpftool or ./vmlinux is missing.
  # Globals read: NEWROOT
  local ebpf_dir="${NEWROOT}/ebpf"
  mkdir -p "${ebpf_dir}"
  if ! command -v bpftool >/dev/null 2>&1 || [[ ! -f ./vmlinux ]]; then
    echo ">> [WARN] Skipping vmlinux.h: tool or vmlinux binary missing."
    return 0
  fi
  echo ">> [EBPF] Generating vmlinux.h for CO-RE portability..."
  if ! bpftool btf dump file ./vmlinux format c > "${ebpf_dir}/vmlinux.h" 2>/dev/null; then
    echo ">> [WARN] BTF dump failed."
  fi
}
# --- 11. CORE BUILD STAGES ---
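function f_binutils() {
  # Stage 1: build and install the cross binutils into ${NEWROOT}.
  # Globals read: SOURCES_ACTIVE SOURCE_CACHE v_binutils NEWROOT TARGET
  #               SYS_LABEL v_threads
  cd -- "${SOURCES_ACTIVE}"
  # Pathname expansion is disabled script-wide (set -f), so the '*' patterns
  # below were passed literally; re-enable it just for this step.
  set +f
  tar -axf "${SOURCE_CACHE}/${v_binutils}"*
  cd -- binutils-*/
  set -f
  mkdir -p build && cd build
  f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --disable-nls --disable-multilib" "binutils-conf"
  f_exec_log "make ${v_threads}" "binutils-make"
  f_exec_log "make install" "binutils-install" "install"
}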
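function f_kernel_headers() {
  # Stage 2: unpack the kernel tree and install its sanitised UAPI headers
  # into ${NEWROOT}/include.
  # Globals read: SOURCES_ACTIVE SOURCE_CACHE v_linux NEWROOT
  cd -- "${SOURCES_ACTIVE}"
  # Pathname expansion is disabled script-wide (set -f); re-enable it just to
  # resolve the tarball and the extracted tree.
  set +f
  tar -axf "${SOURCE_CACHE}/${v_linux}"*
  cd -- linux-*/
  set -f
  f_exec_log "make mrproper && make headers" "kernel-headers"
  # 'usr/include/.' copies the directory contents without needing a glob.
  mkdir -p -- "${NEWROOT}/include"
  cp -rv -- usr/include/. "${NEWROOT}/include/"
}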
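function f_gcc_p1() {
  # Stage 3: bootstrap (pass 1) cross GCC with in-tree GMP/MPFR/MPC and
  # without a libc.
  # Globals read: SOURCES_ACTIVE SOURCE_CACHE v_gcc NEWROOT TARGET SYS_LABEL
  #               v_threads
  cd -- "${SOURCES_ACTIVE}"
  # Pathname expansion is disabled script-wide (set -f); re-enable it for the
  # tarball / source-directory patterns below.
  set +f
  tar -axf "${SOURCE_CACHE}/${v_gcc}"*
  cd -- gcc-*/
  local lib
  for lib in gmp mpfr mpc; do
    tar -xf "${SOURCE_CACHE}/${lib}"*
    mv -v -- "${lib}"-* "${lib}"
  done
  set -f
  mkdir -p build && cd build
  f_exec_log "../configure --target=${TARGET} --prefix=${NEWROOT} --with-sysroot=${NEWROOT} --program-suffix=-${SYS_LABEL} --without-headers --disable-shared --disable-threads --enable-languages=c,c++" "gcc1-conf"
  f_exec_log "make ${v_threads}" "gcc1-make"
  f_exec_log "make install" "gcc1-install" "install"
}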
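function f_glibc() {
  # Stage 4: build glibc with the pass-1 compiler against the installed
  # kernel headers.
  # Globals read: SOURCES_ACTIVE SOURCE_CACHE v_glibc NEWROOT TARGET v_threads
  f_set_exports
  cd -- "${SOURCES_ACTIVE}"
  # NOTE(review): no earlier stage in this file unpacks ${v_glibc}, so the
  # tree is extracted here; the workspace is a fresh ramfs, so a re-extract
  # on retry is harmless. Pathname expansion is disabled script-wide (set -f)
  # and is re-enabled just for the patterns below.
  set +f
  tar -axf "${SOURCE_CACHE}/${v_glibc}"*
  cd -- glibc-*/
  set -f
  mkdir -p build && cd build
  f_exec_log "../configure --prefix=${NEWROOT} --host=${TARGET} --with-headers=${NEWROOT}/include libc_cv_slibdir=${NEWROOT}/lib" "glibc-conf"
  f_exec_log "make ${v_threads}" "glibc-make"
  f_exec_log "make DESTDIR=${NEWROOT} install" "glibc-install" "install"
}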
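function f_gcc_p2() {
  # Stage 5: final (pass 2) cross GCC with full libc support, rebuilt in a
  # cleaned-out build directory.
  # Globals read: SOURCES_ACTIVE NEWROOT TARGET SYS_LABEL v_threads
  f_set_exports
  # Pathname expansion is disabled script-wide (set -f): without this the
  # 'rm -rf *' below removed nothing. ${PWD:?} aborts rather than letting the
  # pattern degrade to '/*' should PWD ever be empty.
  set +f
  cd -- "${SOURCES_ACTIVE}"/gcc-*/build
  rm -rf -- "${PWD:?}"/*
  set -f
  f_exec_log "../configure --prefix=${NEWROOT} --target=${TARGET} --program-suffix=-${SYS_LABEL} --enable-languages=c,c++ --with-build-sysroot=${NEWROOT}" "gcc2-conf"
  f_exec_log "make ${v_threads}" "gcc2-make"
  f_exec_log "make install" "gcc2-install" "install"
}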
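function f_kernel_binary() {
  # Stage 6: configure the kernel for KERNEL_PROFILE, build bzImage, emit the
  # BTF header and copy the image into ${NEWROOT}/boot.
  # Globals read: SOURCES_ACTIVE KERNEL_PROFILE SYS_LABEL v_threads NEWROOT
  #               v_linux
  f_set_exports
  # Pathname expansion is disabled script-wide (set -f); re-enable it just to
  # locate the kernel tree.
  set +f
  cd -- "${SOURCES_ACTIVE}"/linux-*/
  set -f
  make defconfig > /dev/null
  # Kernel Profile Routing
  case "${KERNEL_PROFILE:-}" in
    ghost) f_ghost_opts ;;
    virt) f_virt_opts ;;
    base) echo ">> [PROFILE] Baseline Discovery Active" ;;
    *)
      # Previously an unknown profile silently produced a plain defconfig kernel.
      echo ">> [ERROR] Unknown KERNEL_PROFILE '${KERNEL_PROFILE:-}' (expected ghost|virt|base)" >&2
      return 1
      ;;
  esac
  echo "-dcosnet-${SYS_LABEL}" > .scmversion
  f_exec_log "make ${v_threads} LOCALVERSION=-dcosnet-${SYS_LABEL} bzImage" "kernel-bin-make"
  # Generate eBPF structural maps for the resulting kernel layout
  gen_vmlinux_h
  cp -v -- arch/x86/boot/bzImage "${NEWROOT}/boot/vmlinuz-${v_linux}-${SYS_LABEL}-dcosnet"
  echo "--- FINAL KERNEL AUDIT ---"
  grep -E "CONFIG_(MODULES|CIFS|NFS|SUNRPC|SECURITY_SELINUX|DEBUG_INFO_BTF)" .config | sed 's/^/[AUDIT] /'
}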
# --- 12. DEPLOYMENT TARGETING ---
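function f_install_target() {
  # Mount the target partition, detect its distro flavour, copy the kernel
  # image and rsync the forged binaries into it, then unmount.
  # Arguments: $1 - partition / block device to seed
  # Globals read: NEWROOT
  local target_part="${1}"
  local mnt_point="/mnt/btc_target"
  mkdir -p -- "${mnt_point}"
  mount -- "${target_part}" "${mnt_point}"
  # Local flavour label; intentionally shadows the global DISTRO for this call.
  local distro="Generic-Source"
  [[ -f "${mnt_point}/etc/lunar/version" ]] && distro="Lunar"
  [[ -f "${mnt_point}/etc/sorcery/version" ]] && distro="SourceMage"
  [[ -f "${mnt_point}/etc/openwrt_version" ]] && distro="OpenWrt"
  [[ -d "${mnt_point}/etc/portage" ]] && distro="Gentoo"
  [[ -f "${mnt_point}/etc/exherbo-release" ]] && distro="Exherbo"
  [[ -f "${mnt_point}/etc/cruxversion" ]] && distro="CRUX"
  echo ">> [DCOSNET SWARM] Deploying Silicon-Identity to Dell Optiplex 3050 Micro Variants / ${distro} target..."
  # Kernel Handoff — pathname expansion is disabled script-wide (set -f), so
  # the vmlinuz-* pattern needs it re-enabled for this copy.
  mkdir -p -- "${mnt_point}/boot"
  set +f
  cp -v -- "${NEWROOT}"/boot/vmlinuz-* "${mnt_point}/boot/"
  set -f
  # Binary Sync with safe-links
  local bin_dest="/usr/local/bin"
  [[ "$distro" == "OpenWrt" ]] && bin_dest="/usr/bin"
  f_exec_log "rsync -avzX --safe-links ${NEWROOT}/bin/ ${mnt_point}${bin_dest}/" "${distro}_deploy" "install"
  umount -- "${mnt_point}"
  echo ">> [SUCCESS] Swarm Node Seeded: ${distro}"
}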
# --- 13. MAIN ORCHESTRATION ---
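function f_main() {
  # Entry point: validate arguments, run the forge pipeline, archive the
  # result, optionally seed a target partition and tear the ramfs down.
  # Arguments: $1 - kernel profile ghost|virt|base (default ghost), exported
  #                 as KERNEL_PROFILE
  #            $2 - optional partition to seed after the build
  [[ $EUID -ne 0 ]] && { echo ">> Root Required."; exit 1; }
  # Parsing Profile and Target Device (Usage: ./btc.sh [ghost|virt|base] [/dev/sdX])
  export KERNEL_PROFILE="${1:-ghost}"
  local TARGET_DEV="${2:-}"
  # Fail on bad input now rather than hours later in f_kernel_binary /
  # f_install_target.
  case "${KERNEL_PROFILE}" in
    ghost|virt|base) ;;
    *)
      echo ">> Unknown profile '${KERNEL_PROFILE}' (expected ghost|virt|base)." >&2
      exit 1
      ;;
  esac
  if [[ -n "${TARGET_DEV}" && ! -e "${TARGET_DEV}" ]]; then
    echo ">> Target device '${TARGET_DEV}' does not exist." >&2
    exit 1
  fi
  f_agpl_header
  f_silicon_probe
  f_setup
  # Forge Pipeline
  f_binutils
  f_kernel_headers
  f_gcc_p1
  f_glibc
  f_gcc_p2
  f_kernel_binary
  # Mandatory Persistence (Archive)
  f_package
  # Optional Physical Seed deployment
  if [[ -n "${TARGET_DEV}" ]]; then
    f_install_target "${TARGET_DEV}"
  fi
  # Zero-Footprint Cleanup: Unmount ramfs
  cd / && umount -l -- "${SOURCES_ACTIVE}"
  echo ">> [SUCCESS] BTC-0.3.0-AGPL: Sovereign Forge Complete. Profile: ${KERNEL_PROFILE}"
}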
# One-Shot Execution
# Every invocation runs the complete pipeline; all arguments are handed to
# f_main (profile, optional target partition).
f_main "$@"