I forgot stuff

.env

@@ -2,3 +2,4 @@ SECBOOT=true
 TPM=true
 REQSIG=true
 MINOR=00
+DISTURL=none

build/build-image.sh

@@ -10,13 +10,13 @@ export VERSION="$VERSION"
 # This variable gets unset if any security-critical elements are disabled
 SECURESYS=true
 
-echo "========== VERSION ==========="
+echo "=========== VERSION ============"
 echo "Version: $VERSION"
 echo "Distfiles path: $DISTPATH"
 echo -n "Distribution URL: "
-if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"
+if [ "$DISTURL" == "none" ]; then echo "Not set, OTA disabled";
 else echo "$DISTURL"; fi
-echo "========== SECURITY =========="
+echo "=========== SECURITY ==========="
 echo -en "Secure Boot: \t\t"
 if [ "$SECBOOT" == "true" ]; then echo "Enabled"
 else echo "Disabled"; SECURESYS="false"; fi
@@ -29,7 +29,7 @@ else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Overall security: \t"
 if [  "$SECURESYS" == "true"  ]; then echo "Intact"
 else echo "Degraded"; fi
-echo "=============================="
+echo "================================"
 
 set -x
 
@@ -50,7 +50,7 @@ cp -r /build/include-host/* /
 # squashfs-tools needed for image mksquashfs for image generation
 # gentoolkit needed for euse for setting use flags
 # btrfs-progs needed for mkfs.btrfs for generating usr partition fs
-emerge --quiet @halogenos-host
+#emerge -j "$NPROC" --quiet --noreplace @halogenos-host
 
 # We have to ensure use.disable contains at least one flag
 # Otherwise euse -D will disable all global use flags
@@ -65,8 +65,11 @@ export ROOT="$DISTPATH"
 #emerge -j "$NPROC" --quiet --update --deep --newuse @world
 
 # Emerge all packages
-#emerge -j "$NPROC" --quiet @halogenos-image
+emerge -j "$NPROC" --quiet --noreplace @halogenos-image
-emerge --unmerge portage
+emerge -j "$NPROC" --quiet --update --deep --noreplace @world
+emerge -j "$NPROC" --quiet --autounmask=y sys-kernel/vanilla-kernel
+emerge --depclean
+emerge --unmerge --nodeps portage perl-cleaner
 
 # Include any additional files
 mkdir -p "$DISTPATH"/usr/share/halogenos
@@ -86,6 +89,12 @@ echo "IMAGE_ID=$IMAGE_ID" >> "$DISTPATH"/usr/lib/os-release
 # Install gvisor OCI runtime
 /build/external/gvisor.sh
 
+# Install GrapheneOS hardened malloc
+cd /build/hardened_malloc/
+make
+cd -
+cp /build/hardened_malloc/out/libhardened_malloc.so "$DISTPATH"/usr/local/lib/libhardened_malloc.so
+
 # Require inclusion of public key if $REQSIG is true
 if [ "$REQSIG" == "true" ]; then
     # This will cause an exit if the key is missing
@@ -112,9 +121,7 @@ SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta
 
 # Remove unwanted files
 rm "$DISTPATH"/usr/etc/gentoo-release
-rm -r "$DISTPATH"/usr/lib/gentoo
+rm -rf "$DISTPATH"/usr/lib/gentoo
-rm -r "$DISTPATH"/usr/lib/portage
-rm -r "$DISTPATH"/usr/share/portage
 
 # Create images dir and img files
 mkdir -p /build/images
@@ -123,13 +130,11 @@ dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
 mkfs.btrfs /build/images/usr.img
 dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M 
 
-# Create squashfs
-mksquashfs "$DISTPATH" /build/artifacts/usr.squashfs
-
 # Install squashfs filesystem onto usr img
 mkdir -p /mnt/usr
 mount /build/images/usr.img /mnt/usr
-cp /build/artifacts/usr.squashfs /mnt/usr
+mksquashfs "$DISTPATH" /mnt/usr/usr.sfs
+sync /mnt/usr/usr.sfs
 umount /mnt/usr
 
 # Build verity

build/include-host/etc/portage/package.use/kernel

@@ -0,0 +1 @@
+sys-kernel/vanilla-kernel amd64

build/include-host/usr/src/initramfs/init

@@ -0,0 +1,11 @@
+#!/bin/busybox sh
+
+# 1. Locate the UUID of System Partition A
+# 2. Locate the UUID of System Partition B
+# 3. Determine which partition has the highest nonzero counter
+# 4. Perform verity checks
+# 5. If check succeeds, continue. Else decrement and reboot.
+# 6. If System Partition B does not exist, create it.
+# 7. If the root partition does not exist, create it.
+# 8. Mount /usr and create essential link files
+# 9. Switch root and run true init (OpenRC)

build/include-image/usr/etc/docker/ld.so.preload

@@ -0,0 +1 @@
+/usr/local/lib/libhardened_malloc.so

build/include-image/usr/etc/sysctl.d/hardened_malloc.conf

@@ -0,0 +1 @@
+vm.max_map_count = 1048576

compose.yml

@@ -10,6 +10,7 @@ services:
       SECBOOT: ${SECBOOT}
       TPM: ${TPM}
       REQSIG: ${REQSIG}
+      DISTURL: ${DISTURL}
     secrets:
       - signing_key_public
     volumes: