From Scratch to Three Bare-Metal Boots
Border Cyber Group | May 2026
There's a moment in every from-scratch Linux build where the system stops being a project and becomes a platform. For SableLinux™, that moment happened twice in the same week — and the second time, it happened on hardware we'd never touched before.
As of May 2026, SableLinux boots cleanly as a live USB on three separate bare-metal machines: an ASUS Q503UA (Skylake, 2015 vintage), an HP Pavilion (Coffee Lake i3-8100, Intel UHD 630), and our primary development rig — a Gigabyte Z890 Aorus Elite X ICE with an Intel Core Ultra 5 245K and an AMD RX 9070 XT. Three architecturally distinct machines. One ISO. No virtual machines. No safety net.
That's the milestone. Here's how we got there.
What SableLinux Is
SableLinux is a custom Linux distribution built from the Linux From Scratch 12.4-systemd book — meaning every package, every library, every config file was compiled and installed by hand. No package manager. No upstream distro underneath. It's a source-built OS with a commercial goal: a security research and AI inference platform designed for professional red teamers, binary analysts, and AI practitioners who need their toolchain to be auditable, portable, and theirs.
The target use cases are deliberate:
- Penetration testing and red team operations — with a growing stack of network recon, web app, exploitation, and reverse engineering tools
- Local AI/LLM inference — GPU-accelerated, air-gappable, privacy-hardened
- Binary analysis and reverse engineering — Ghidra headless, radare2, GDB/pwndbg, the full chain
- Virtualization — QEMU/KVM with full acceleration, multiple OS images staged and ready
- Gaming — RDNA4/Vulkan ready, Steam forthcoming
The longer-term commercial thesis: SableLinux ships with a proprietary AI-assisted penetration testing automation and report-writing layer — local inference, no cloud, no data leakage — that becomes the acquisition story for Border Cyber Group.
The Build: Nine Months of Ground Truth
Starting from a clean LFS 12.4-systemd base, the BLFS phase covered approximately 200 packages built from source. Highlights:
The display stack was the first major hurdle. Getting from a bare console to a working Wayland compositor on RDNA4 (gfx1201 — a GPU that was barely supported by any distro at build time) required LLVM 19, Mesa 25.0.1 with RADV Vulkan, and wlroots/Sway built against a carefully sequenced dependency graph. KDE Plasma 6.4.0 was attempted, fully built, and ultimately abandoned after SDDM/logind session registration failures on LFS proved intractable without a prohibitive amount of patching. Sway 1.10 is the permanent primary desktop.
The AI inference stack came together cleanly once we abandoned the idea of building ROCm from source. TheRock, AMD's full ROCm source tree, requires north of 32GB RAM to compile — the amd-llvm stage OOM-kills on our 32GB machine regardless of job count. The solution: extract ROCm 7.2.2 directly from AMD's official Ubuntu 24.04 .deb packages, fix RPATHs with patchelf, and drop the tree into /opt/rocm-7.2.2. glibc forward-compatibility does the rest. llama.cpp built with HIP targeting gfx1201 runs DeepSeek-R1 14B at 147 tokens per second. The inference endpoint runs as a systemd service, localhost-only, with a hardened audit trail.
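As an added example (not code from the SableLinux repository): after relocating prebuilt libraries and rewriting their search paths with patchelf, it is worth confirming that no RPATH/RUNPATH entry still points outside the new prefix or at a relative directory. The function names, verdict labels and sample `readelf -d` lines below are assumptions constructed for illustration; only the /opt/rocm-7.2.2 prefix comes from the article.

```shell
#!/bin/sh
# Added example: audit RPATH/RUNPATH entries after relocating a prebuilt tree.
# ROCM_PREFIX defaults to the install location named in the article; the
# function names and the verdict labels are assumptions of this example.
ROCM_PREFIX=${ROCM_PREFIX:-/opt/rocm-7.2.2}

# classify_entry ENTRY -> prints "ok" or the reason the entry is flagged.
classify_entry() {
    case $1 in
        '$ORIGIN'|'$ORIGIN'/*|'${ORIGIN}'|'${ORIGIN}'/*) echo ok ;;  # relative to the object itself
        '')              echo empty ;;           # "a::b" or a trailing ':'
        */..|*/../*)     echo dotdot ;;          # may climb out of the prefix
        "$ROCM_PREFIX"|"$ROCM_PREFIX"/*) echo ok ;;
        /*)              echo outside-prefix ;;  # e.g. a leftover build path
        *)               echo relative ;;        # depends on the working directory
    esac
}

# audit_dynamic: reads `readelf -d` output on stdin, prints "reason<TAB>entry"
# for every search-path entry that is not "ok". No output means clean.
audit_dynamic() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)].*/\2/p' |
    tr ':' '\n' |
    while IFS= read -r entry; do
        verdict=$(classify_entry "$entry")
        [ "$verdict" = ok ] || printf '%s\t%s\n' "$verdict" "$entry"
    done
}

# audit_tree DIR: run the audit over every regular file readelf can parse.
audit_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | audit_dynamic |
        while IFS= read -r finding; do printf '%s\t%s\n' "$f" "$finding"; done
    done
}

# Constructed sample of `readelf -d` output (not taken from a real ROCm library).
sample_dynamic() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/opt/rocm-7.2.2/lib]
 0x000000000000000f (RPATH)              Library rpath: [/home/build/rocm/lib:lib64:]
EOF
}

if [ "${1:-}" = --scan ]; then audit_tree "$ROCM_PREFIX"; fi
```

Run it with `--scan` to walk the tree under ROCM_PREFIX; it needs `readelf` from binutils, and an empty result means every search path is either `$ORIGIN`-based or inside the prefix.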
The security stack is the most direct expression of the platform's commercial purpose. Metasploit, nmap, tshark, sqlmap, ffuf, gobuster, nikto, masscan, aircrack-ng, hashcat, radare2, Ghidra 12.0.4 (headless), pwndbg, pwntools, AFL++, frida, mitmproxy, nuclei, dalfox, commix, wapiti3, angr — the list is long and still growing. The pentest stack is substantially complete. The recon and OSINT tier is the current gap.
The live ISO is where months of infrastructure work became something distributable. The architecture: a GRUB standalone EFI bootloader, a squashfs root (xz-compressed, no-xattrs), overlayfs over tmpfs for a writable live environment, and a busybox-based initramfs that finds the SABLELINUX-labeled ext4 partition and switches root into systemd. The first successful boot was May 2, 2026, on the HP Pavilion. The ASUS Q503UA followed. WiFi works on all three platforms — RTL8821CE on the HP, Intel 7265D on the ASUS, MT7925 on the Z890 — with firmware staged in the initramfs to handle the timing window before squashfs pivot.
Three platforms. One image. That's distribution.
Where We Are Right Now
The installed system is a fully operational Wayland desktop with:
- Kernel 6.16.1 with dm-crypt, WireGuard, NVMe, KVM, and full WiFi/BT module support
- Sway 1.10, waybar, foot terminal, fuzzel launcher, PipeWire audio, mpv, Firefox
- WireGuard VPN tunneling through a Linode endpoint with dynamic routing (works over both wired and WiFi)
- QEMU/KVM with staged images: Windows 80G, Kali 40G, BlackArch 40G, Ubuntu 30G, Alpine 10G
- DeepSeek-R1 14B and Llama 3.2 1B running locally on RDNA4
- A hardened SSH configuration, Quad9 DNS-over-TLS, and a local inference pipeline that leaves no query traces on disk
The live ISO adds: sable live user, auto-login, wifi-connect helper, squashfs+overlayfs boot, and confirmed bare-metal boot on three hardware targets.
What's missing: the ISO is distribution-ready in architecture, but not yet in content depth. The security and administration tooling layer — the dozens of CLI utilities that make the difference between "a Linux that has security tools" and "a platform that security people actually choose" — is thin.
What Comes Next: The Micro-Tools Blitz
The next build phase is deliberately different from what came before. Instead of major compilation efforts — LLVM, Mesa, ROCm, Qt6, KDE — we're going wide on small tools. Fast builds. High density. The categories:
System administration and hardware interrogation: dmidecode, pciutils, nvme-cli, hdparm, smartmontools, lm-sensors, acpi, powertop, cpupower, memtester. These are the tools every admin reaches for in the first five minutes on a new machine.
Storage and filesystem forensics: parted, ntfs-3g, exfatprogs, xfsprogs, btrfs-progs, ddrescue, testdisk, foremost, dcfldd, hexedit, sleuthkit. A security distro without a full forensics storage layer is incomplete.
Process and performance monitoring: htop, iotop, iftop, nethogs, atop, sysstat, bpftrace, lsof. Situational awareness during an engagement requires knowing exactly what's touching the network and disk.
Network operations: ethtool, iperf3, macchanger, openvpn, proxychains-ng, dnsmasq, ngrep, dsniff, scapy, bettercap. The recon stack is solid; the manipulation and tunneling tier needs filling out.
Shell and terminal productivity: fzf, ripgrep, fd, bat, eza, delta, zoxide, zsh, fish, starship, ncdu, lf, nnn. These tools matter because an operator spending 40 hours on an engagement lives in their terminal. Friction here has a cost.
Recon and OSINT: theHarvester, recon-ng, sherlock, subfinder (partially present), maltego. The passive recon layer is the gap in the current pentest stack.
Crypto and data utilities: age, gnupg2, rhash, ssdeep, jq, yq, pandoc, taskwarrior. The administrative and tradecraft tier.
Most of these are straightforward ./configure && make -j14 && make install builds. A handful have Python or Go dependencies already in place. None require the days-long compilation cycles that defined earlier phases. The goal is to ship all of them in a single focused session and have a materially denser ISO on the other side.
The Bigger Picture
SableLinux is an unusual thing to build in 2026. Most security platforms are Ubuntu derivatives with extra repositories. Most AI inference setups are Docker containers. Most "custom" distributions stop at the package selection layer.
SableLinux goes further because the commercial thesis requires it. A platform you want to acquire has to be something its acquirer couldn't simply replicate by adding a PPA. That means understanding the system at the level where you made every decision — because you did make every decision. Every library version, every kernel config flag, every PAM module. That depth is defensible. Derivative distributions aren't.
The micro-tools phase fills in the last major gap between "a platform built from scratch" and "a platform professionals would choose over Kali on their primary machine." The ISO is already booting. The inference stack is already running. The pentest tooling is already substantial. What's left is the everyday density that turns a capable system into a productive one.
Jonathan Brown (A.A.Sc., B.Sc) writes about cybersecurity infrastructure, privacy systems, the politics of AI development and many other topics at bordercybergroup.com and aetheriumarcana.org. Border Cyber Group maintains a cybersecurity resource portal at borderelliptic.com. He works from a custom-built Linux platform (SableLinux™) which is currently under development and fully documented at https://github.com/black-vajra/sablelinux.