Nofuture.go - Debian 12 install
Core Components Build Process
# 1. Build dependencies
sudo apt-get update && sudo apt-get install -y \
    cmake ninja-build gcc libssl-dev libtool autoconf
# 2. Fetch liboqs. A shallow clone of the default branch builds whatever upstream merged last;
#    for a reproducible build pin a release tag with --branch and verify the checkout first.
git clone --depth 1 https://github.com/open-quantum-safe/liboqs && cd liboqs
# 3. Build and install liboqs (OQS_DIST_BUILD=ON keeps the library portable: CPU features
#    are detected at runtime instead of being fixed at compile time)
mkdir build && cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Release \
    -DOQS_USE_OPENSSL=ON \
    -DOQS_DIST_BUILD=ON \
    -DOQS_OPTIMIZED_BUILD=ON \
    -DCMAKE_INSTALL_PREFIX=/usr/local \
    -DOQS_BUILD_ONLY_LIB=ON ..
ninja
sudo ninja install
sudo ldconfig
# 4. Go environment
# -march=native ties the Go-side C objects to the build host's CPU; drop it if the binary is
# deployed elsewhere. _FORTIFY_SOURCE only takes effect with optimisation on, hence -O3.
export CGO_CFLAGS="-O3 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2"
export CGO_LDFLAGS="-Wl,-z,relro,-z,now -loqs -lssl -lcrypto"
export GOFLAGS="-buildvcs=false"
# 5. Go module initialisation
# sudo resets the environment by default, so without --preserve-env the three variables above
# never reach the compiler and the hardening flags are silently lost.
sudo -u www-data /usr/local/go/bin/go mod init nofuture
sudo -u www-data --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,GOFLAGS /usr/local/go/bin/go get -v \
    github.com/awnumar/memguard \
    github.com/open-quantum-safe/liboqs-go@latest \
    golang.org/x/crypto@latest \
    golang.org/x/sys@latest
# 6. Final build: position-independent, stripped, full RELRO on the C side as well
sudo -u www-data --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,GOFLAGS /usr/local/go/bin/go build -v \
    -tags="oqs,purego,harden" \
    -trimpath \
    -ldflags="-s -w -extldflags '-Wl,-z,relro,-z,now'" \
    -buildmode=pie \
    -o nofuture
# 7. Capabilities and permissions
# setcap grants privilege rather than removing it: CAP_SYS_PTRACE lets this binary attach to
# and read the memory of other processes, CAP_NET_ADMIN lets it reconfigure networking. Grant
# only what the program actually uses. If the intent is to let Mlockall exceed RLIMIT_MEMLOCK,
# the capability for that is cap_ipc_lock. File capabilities are dropped whenever the file is
# rewritten, so setcap must come after the final build, as it does here.
sudo setcap cap_sys_ptrace,cap_net_admin=ep nofuture
sudo chmod 0700 nofuture
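Added example, not part of the Nofuture build script or of the project's code: a stand-alone checker, written with Go's debug/elf only, that verifies the binary produced by steps 6 and 7 actually carries PIE, RELRO, BIND_NOW (together: full RELRO), a non-executable stack, a stack-protector import in the cgo objects, and no symbol table. Without it, a lost environment variable or a wrong flag goes unnoticed. The file name check_hardening.go and the ./nofuture path in the usage comment are assumptions.

```go
// Added example (not the project's code): verify the hardening a build actually
// produced, without relying on readelf or checksec being installed.
// Usage: go run check_hardening.go ./nofuture
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// Dynamic-section constants spelled out so the code does not depend on which
// of them a particular Go release exports from debug/elf.
const (
	dtFlags   = 30         // DT_FLAGS
	dtFlags1  = 0x6ffffffb // DT_FLAGS_1
	dfBindNow = 0x8        // DF_BIND_NOW (-z now, reported via DT_FLAGS)
	df1Now    = 0x1        // DF_1_NOW    (-z now, reported via DT_FLAGS_1)
)

// HardeningReport records which link-time protections an ELF binary carries.
type HardeningReport struct {
	PIE         bool // ET_DYN executable         (-buildmode=pie)
	RELRO       bool // PT_GNU_RELRO segment      (-Wl,-z,relro)
	BindNow     bool // DF_BIND_NOW or DF_1_NOW   (-Wl,-z,now); RELRO+BindNow = full RELRO
	NXStack     bool // PT_GNU_STACK without PF_X
	StackCanary bool // imports __stack_chk_fail  (-fstack-protector-strong in cgo objects)
	Stripped    bool // no .symtab section        (-ldflags=-s)
}

// CheckHardening opens an ELF file and fills in a HardeningReport.
func CheckHardening(path string) (HardeningReport, error) {
	var r HardeningReport
	f, err := elf.Open(path)
	if err != nil {
		return r, err
	}
	defer f.Close()
	r.PIE = f.Type == elf.ET_DYN
	r.Stripped = f.Section(".symtab") == nil
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_GNU_RELRO:
			r.RELRO = true
		case elf.PT_GNU_STACK:
			r.NXStack = p.Flags&elf.PF_X == 0
		}
	}
	for _, e := range dynamicEntries(f) {
		if (e[0] == dtFlags && e[1]&dfBindNow != 0) || (e[0] == dtFlags1 && e[1]&df1Now != 0) {
			r.BindNow = true
		}
	}
	// A dynamically linked binary compiled with -fstack-protector imports
	// __stack_chk_fail from libc; .dynsym survives -s, so this works on stripped builds.
	if syms, err := f.ImportedSymbols(); err == nil {
		for _, s := range syms {
			if s.Name == "__stack_chk_fail" {
				r.StackCanary = true
			}
		}
	}
	return r, nil
}

// dynamicEntries returns the (tag, value) pairs of .dynamic for either ELF class.
func dynamicEntries(f *elf.File) [][2]uint64 {
	sec := f.Section(".dynamic")
	if sec == nil {
		return nil // statically linked: no dynamic section at all
	}
	data, err := sec.Data()
	if err != nil {
		return nil
	}
	esz := 8 // ELFCLASS32: 4-byte tag, 4-byte value
	if f.Class == elf.ELFCLASS64 {
		esz = 16
	}
	var out [][2]uint64
	for i := 0; i+esz <= len(data); i += esz {
		var tag, val uint64
		if esz == 16 {
			tag, val = f.ByteOrder.Uint64(data[i:]), f.ByteOrder.Uint64(data[i+8:])
		} else {
			tag, val = uint64(f.ByteOrder.Uint32(data[i:])), uint64(f.ByteOrder.Uint32(data[i+4:]))
		}
		if tag == 0 { // DT_NULL ends the table
			break
		}
		out = append(out, [2]uint64{tag, val})
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: check_hardening <elf-binary>")
		os.Exit(2)
	}
	r, err := CheckHardening(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", r)
	if !(r.PIE && r.RELRO && r.BindNow && r.NXStack && r.Stripped) {
		os.Exit(1) // let the build pipeline fail when a protection is missing
	}
}
```

StackCanary is reported but not required by main: Go code itself carries no stack protector, so the import only appears when at least one cgo object was compiled with -fstack-protector and contains a protected function.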
MemGuard Initialization & Configuration:
memguard.CatchInterrupt()
memguard.Purge()
if err := unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE); err != nil {
    log.Fatalf("mlockall: %v (raise RLIMIT_MEMLOCK or run with cap_ipc_lock)", err)
}
- Secure Memory Locking: mlockall keeps every current and future page of the process out of swap. Locked memory is charged against RLIMIT_MEMLOCK (often only a few MiB; check with ulimit -l), and with MCL_FUTURE a later mmap fails with ENOMEM once the limit is reached, which is fatal for the Go runtime. Check the return value instead of discarding it; exceeding the limit needs a raised limit or CAP_IPC_LOCK.
- Interrupt Handling: CatchInterrupt registers a handler for SIGINT only and purges before the process exits. To react to SIGTERM as well, register it explicitly with memguard.CatchSignal(handler, syscall.SIGTERM).
- Deep Memory Purge: Purge destroys every live LockedBuffer and rotates the key that encrypts Enclaves, so existing Enclaves can no longer be opened. Called at start-up it only establishes a known-clean state.
MemGuard in Key Lifecycle Management:
passphrase := memguard.NewBufferRandom(32) // 32 random bytes in a locked, guarded buffer
passphrase.Freeze()                        // mark the pages read-only
defer passphrase.Destroy()
- Immutable Buffers: Freeze() makes the region read-only, so a stray write faults instead of silently corrupting the key; Melt() reverses it (memguard's current API spells these NewBuffer*, NewEnclave* and Freeze(); the NewImmutable* constructors belong to older releases).
- Ephemeral Storage: the key exists only in protected memory and is never copied onto the Go heap unless the code does so itself.
- Automatic Destruction: Destroy() wipes and unmaps the buffer when the function returns on any path. It returns silently on an already-destroyed buffer, so deferring it is safe even if an error path destroyed it earlier.
Enclave-Based Cryptography:
func deriveEnclaveKey(passphrase *memguard.Enclave, salt []byte) (*memguard.LockedBuffer, error) {
    passBuf, err := passphrase.Open() // decrypt the enclave into a fresh locked buffer
    if err != nil {
        return nil, err // e.g. the enclave was invalidated by an earlier Purge
    }
    defer passBuf.Destroy() // the plaintext passphrase lives only for the duration of this call
    return memguard.NewBufferFromBytes(argon2.IDKey(passBuf.Bytes(), salt, 1, 64*1024, 4, 32)), nil
}
- Double-Layer Protection: the Enclave holds the passphrase encrypted under a process-wide key that memguard keeps in its own guarded buffer; Open() decrypts it into a LockedBuffer (mlocked, guard pages, canary) that exists only for the derivation.
- Controlled Exposure: Open() returns an error rather than a nil buffer, so the result must be checked before use; the deferred Destroy() wipes the plaintext on every return path, including errors.
- Zero-Copy Architecture: passBuf.Bytes() is a view of the locked page, not a copy, and NewBufferFromBytes moves the derived key into locked memory and wipes the source slice. The Argon2 working memory itself is ordinary Go heap, which is only protected if the process called Mlockall.
Quantum-Safe Key Exchange:
pubKey, secKey, err := quantumKEMKeyPair() // both *memguard.LockedBuffer
if err != nil {
    return err
}
defer pubKey.Destroy()
defer secKey.Destroy()
- MemGuard-Protected Keys:
- Public Key: held in a locked buffer here for uniformity, although it needs no secrecy; on a tight RLIMIT_MEMLOCK budget a plain []byte is the better use of the lock allowance.
- Private Key: returned as a LockedBuffer so that it can be destroyed. When it must outlive the handshake, seal it with secKey.Seal(), which encrypts it into an Enclave and destroys the plaintext buffer. An Enclave has no Destroy(): it is ciphertext, and Purge() invalidates it by rotating the key.
- Zeroization on Completion: both defers wipe the buffers when the function returns. The liboqs-go KeyEncapsulation object that generated the pair keeps its own copy of the secret key in an ordinary Go slice until its Clean() method is called, so call Clean() as well.
Secure Session Management:
type QuantumSession struct {
    sessionKey   *memguard.Enclave // KEM shared secret, encrypted while at rest in memory
    remotePubKey *memguard.Enclave // peer's public key
}
- Enclave-Wrapped Session Keys: the shared secret is stored encrypted; each use opens it into a short-lived LockedBuffer that is destroyed afterwards, so no plaintext key is resident between messages.
- Forward Secrecy: holds only if the KEM key pair is generated per session and destroyed when the session ends; encapsulating to a long-term KEM key gives none.
- Compartmentalization: each session owns its own memory regions. Note that Purge() is process-wide and invalidates every Enclave, not just this session's, so treat it as a full reset rather than a per-session cleanup.
Memory-Hardened Cryptography:
lockedKey := memguard.NewBufferFromBytes(key) // copies key into an immutable locked buffer and wipes key
defer lockedKey.Destroy()
- Argon2 in Protected Memory:
- Memory-hard derivation in locked buffers: passphrase, salt and the resulting key are held in LockedBuffers; Argon2's own working memory is Go heap and is only kept out of swap by Mlockall.
- Secure salt handling: a fresh random salt per derivation (for example memguard.NewBufferRandom(16)), stored next to the ciphertext. It is not secret, but it must be unique.
- Multi-Layer Protection, applied by memguard to every LockedBuffer:
- mlock() system calls keep the pages out of swap
- MADV_DONTDUMP flags keep them out of core dumps
- Guard pages on both sides turn an out-of-bounds access into a fault, and a random canary in front of the data is verified on Destroy()
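The three layers above, and the Mlockall call in the initialisation section, name mechanisms without showing them. The following is an added example written for this page, not memguard's source and not the project's code: a minimal Linux-only reimplementation of those layers with the Go standard library, so each one can be inspected without the library. The type and function names are my own; the two numeric constants are the Linux values of MADV_DONTDUMP and RLIMIT_MEMLOCK, which the frozen syscall package does not export.

```go
// Added example for this page, not memguard's source: the protection layers
// memguard applies to a LockedBuffer, rebuilt with the standard library so each
// one is visible. Linux-only; the two raw constants are Linux values.
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"syscall"
)

const (
	madvDontDump  = 16 // MADV_DONTDUMP  (<sys/mman.h>)
	rlimitMemlock = 8  // RLIMIT_MEMLOCK (<sys/resource.h>)
	canaryLen     = 32
)

// GuardedBuffer layout: [guard page][ ... canary | data ][guard page]. data ends at
// the trailing guard so an overflow faults at once; the canary catches an underflow.
type GuardedBuffer struct {
	region, inner, data, canary []byte // whole mapping; locked middle; secret; live canary
	want                        [canaryLen]byte
	alive                       bool
}

// MemlockBudget returns the soft RLIMIT_MEMLOCK in bytes. mlock, and the
// Mlockall(MCL_FUTURE) call above, fail with ENOMEM past this limit unless the
// process has CAP_IPC_LOCK; an all-ones value means unlimited.
func MemlockBudget() (uint64, error) {
	var rl syscall.Rlimit
	if err := syscall.Getrlimit(rlimitMemlock, &rl); err != nil {
		return 0, err
	}
	return rl.Cur, nil
}

// NewGuardedBuffer allocates size secret bytes with every layer applied.
func NewGuardedBuffer(size int) (*GuardedBuffer, error) {
	if size <= 0 {
		return nil, errors.New("size must be positive")
	}
	page := syscall.Getpagesize()
	innerLen := (size + canaryLen + page - 1) / page * page // round up to whole pages
	region, err := syscall.Mmap(-1, 0, innerLen+2*page,
		syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_PRIVATE|syscall.MAP_ANON)
	if err != nil {
		return nil, fmt.Errorf("mmap: %w", err)
	}
	fail := func(stage string, err error) (*GuardedBuffer, error) {
		syscall.Munmap(region)
		return nil, fmt.Errorf("%s: %w", stage, err)
	}
	inner := region[page : page+innerLen]
	// Layer 1: never swapped out. Charged against RLIMIT_MEMLOCK (see MemlockBudget).
	if err := syscall.Mlock(inner); err != nil {
		return fail("mlock", err)
	}
	// Layer 2: excluded from core dumps. Advisory only, so a failure is not fatal.
	_ = syscall.Madvise(inner, madvDontDump)
	// Layer 3: guard pages. Touching either one raises SIGSEGV.
	for _, g := range [][]byte{region[:page], region[page+innerLen:]} {
		if err := syscall.Mprotect(g, syscall.PROT_NONE); err != nil {
			return fail("mprotect", err)
		}
	}
	b := &GuardedBuffer{region: region, inner: inner, alive: true}
	b.data = inner[innerLen-size:]
	b.canary = inner[innerLen-size-canaryLen : innerLen-size]
	if _, err := rand.Read(b.want[:]); err != nil {
		return fail("canary", err)
	}
	copy(b.canary, b.want[:])
	return b, nil
}

// Bytes is a view into the locked page, not a copy: the secret never touches the Go heap.
func (b *GuardedBuffer) Bytes() []byte { return b.data }
func (b *GuardedBuffer) IsAlive() bool { return b.alive }

// Freeze makes the secret read-only so a stray write faults; Melt restores write access.
func (b *GuardedBuffer) Freeze() error { return syscall.Mprotect(b.inner, syscall.PROT_READ) }
func (b *GuardedBuffer) Melt() error  { return syscall.Mprotect(b.inner, syscall.PROT_READ|syscall.PROT_WRITE) }

// Destroy verifies the canary, zeroes the region, then unlocks and unmaps it.
// It is idempotent, so deferring it unconditionally is safe.
func (b *GuardedBuffer) Destroy() error {
	if !b.alive {
		return nil
	}
	b.alive = false
	_ = b.Melt() // the wipe needs write access even if Freeze was called
	canaryOK := subtle.ConstantTimeCompare(b.canary, b.want[:]) == 1
	for i := range b.inner {
		b.inner[i] = 0
	}
	_ = syscall.Munlock(b.inner)
	err := syscall.Munmap(b.region)
	b.region, b.inner, b.data, b.canary = nil, nil, nil, nil // no views into unmapped memory
	if !canaryOK {
		return errors.New("canary corrupted: underflow detected")
	}
	return err
}
```

Each NewGuardedBuffer call costs at least one locked page, which is why a small RLIMIT_MEMLOCK is exhausted quickly and why memguard-heavy processes need either a raised limit or cap_ipc_lock; MemlockBudget lets the program check that before the first mlock fails.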