claude-noether/marfrit-packages
1
0
Fork 0
forked from marfrit/marfrit-packages
Code Pull Requests Activity

mesa-panvk-bifrost: iter10 polish — drop sandbox bypass, pin sha256, tighten loader select

Browse Source 
iter10 of the panvk-bifrost campaign. Eliminates the cosmetic
'--disable-gpu-sandbox' warning at brave-vulkan launch + pins the
Mesa tarball hash + makes the Vulkan ICD selection deterministic
across filesystems.

PKGBUILD changes (pkgrel: 1 -> 2):
  - install ICD JSON at /usr/share/vulkan/icd.d/00-panvk-bifrost.json
    (was: /usr/lib/panvk-bifrost/icd.json — required VK_ICD_FILENAMES,
    which the GPU sandbox would strip, forcing --disable-gpu-sandbox)
  - libvulkan_panfrost.so install path unchanged at /usr/lib/panvk-bifrost/
  - sha256sums[0] pinned to 1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89
    (mesa-26.0.6.tar.xz from archive.mesa3d.org); patches + brave-vulkan +
    icd.json remain SKIP since they're in-tree (git-tracked)

brave-vulkan changes:
  - dropped --no-sandbox + --disable-gpu-sandbox: env vars MESA_VK_VERSION_OVERRIDE
    and PAN_I_WANT_A_BROKEN_VULKAN_DRIVER survive the GPU sandbox boundary
    (Mesa loader reads them pre-seccomp-lockdown)
  - dropped VK_ICD_FILENAMES (loader auto-picks via icd.d/ directory scan)
  - added VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' for deterministic
    ICD selection — Vulkan loader's readdir order is implementation-defined
    per Khronos LoaderDriverInterface, so the '00-' filename prefix is
    not spec-backed (ext4 happens to give insertion-order, other filesystems
    may not). VK_LOADER_DRIVERS_SELECT short-circuits readdir ambiguity.
    (Phase 5 review hardening.)

Test result on ohm (pre-push validation):
  - brave-vulkan launches Brave without sandbox bypass
  - seccomp-bpf sandboxes activate normally for utility/renderer processes
  - 'panvk is not a conformant Vulkan implementation' fires ONCE (loader-select
    excluded stock ICD from enumeration — only patched driver loads)
  - GPU process boots, no 'Exiting GPU process' error
  - Brave runs through full test timeout cleanly

README updated to reflect the new install layout + simplified wrapper.

Campaign artifacts: ~/src/panvk-bifrost/{phase0_findings_iter10.md,
phase8_iteration9_close.md (which iter10 polishes)}.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Markus Fritsche
2026-05-20 12:28:29 +02:00
parent 489d6e3862
commit a36cf85e06
3 changed files with 43 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
arch/mesa-panvk-bifrost/PKGBUILD
+16 -7
View File
@@ -31,7 +31,7 @@
pkgname=mesa-panvk-bifrost
_mesaver=26.0.6
pkgver=26.0.6.r2
pkgrel=1
pkgrel=2
pkgdesc="Patched Mesa libvulkan_panfrost.so exposing Bifrost-gen Mali to Vulkan apps (panvk-bifrost campaign)"
arch=('aarch64')
url="https://github.com/marfrit/panvk-bifrost"
@@ -83,7 +83,7 @@ source=(
"icd.json"
)
sha256sums=(
'SKIP' # TODO: pin once we know the upstream tarball is stable. archive.mesa3d.org tarballs are stable, so we can hash-pin in iter10.
'1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89' # mesa-26.0.6.tar.xz from archive.mesa3d.org, pinned 2026-05-20 (iter10)
'SKIP'
'SKIP'
'SKIP'
@@ -142,15 +142,24 @@ package() {
cd "${srcdir}/mesa-${_mesaver}"
# Patched lib — co-install path, NOT /usr/lib (to avoid clashing
# with stock mesa's libvulkan_panfrost.so).
# with stock mesa's libvulkan_panfrost.so binary).
install -Dm755 build/src/panfrost/vulkan/libvulkan_panfrost.so \
"$pkgdir/usr/lib/panvk-bifrost/libvulkan_panfrost.so"
# Custom ICD JSON. NOT under /usr/share/vulkan/icd.d/ (the default
# loader search path) — the user has to opt in via VK_ICD_FILENAMES.
# ICD JSON at the standard Vulkan loader search path. The '00-'
# filename prefix gives optical priority but is NOT spec-backed —
# Vulkan loader readdir-order is implementation-defined per Khronos
# LoaderDriverInterface. The brave-vulkan wrapper sets
# VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' to make the selection
# deterministic across filesystems. This avoids the VK_ICD_FILENAMES
# full-path override (whose GPU-sandbox survival is fragile) while
# still letting the loader work normally. iter10 result + Phase 5
# hardening.
install -Dm644 "$srcdir/icd.json" \
"$pkgdir/usr/lib/panvk-bifrost/icd.json"
"$pkgdir/usr/share/vulkan/icd.d/00-panvk-bifrost.json"
# The brave-vulkan launcher wires up env + flags.
# The brave-vulkan launcher wires up env + flags. iter10: no longer
# sets VK_ICD_FILENAMES, no longer passes --no-sandbox /
# --disable-gpu-sandbox.
install -Dm755 "$srcdir/brave-vulkan" "$pkgdir/usr/bin/brave-vulkan"
}