iter10 of the panvk-bifrost campaign. Eliminates the cosmetic
'--disable-gpu-sandbox' warning at brave-vulkan launch + pins the
Mesa tarball hash + makes the Vulkan ICD selection deterministic
across filesystems.
PKGBUILD changes (pkgrel: 1 -> 2):
- install ICD JSON at /usr/share/vulkan/icd.d/00-panvk-bifrost.json
(was: /usr/lib/panvk-bifrost/icd.json — required VK_ICD_FILENAMES,
which the GPU sandbox would strip, forcing --disable-gpu-sandbox)
- libvulkan_panfrost.so install path unchanged at /usr/lib/panvk-bifrost/
- sha256sums[0] pinned to 1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89
(mesa-26.0.6.tar.xz from archive.mesa3d.org); patches + brave-vulkan +
icd.json remain SKIP since they're in-tree (git-tracked)
brave-vulkan changes:
- dropped --no-sandbox + --disable-gpu-sandbox: env vars MESA_VK_VERSION_OVERRIDE
and PAN_I_WANT_A_BROKEN_VULKAN_DRIVER survive the GPU sandbox boundary
(Mesa loader reads them pre-seccomp-lockdown)
- dropped VK_ICD_FILENAMES (loader auto-picks via icd.d/ directory scan)
- added VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' for deterministic
ICD selection — Vulkan loader's readdir order is implementation-defined
per Khronos LoaderDriverInterface, so the '00-' filename prefix is
not spec-backed (ext4 happens to give insertion-order, other filesystems
may not). VK_LOADER_DRIVERS_SELECT short-circuits readdir ambiguity.
(Phase 5 review hardening.)
Test result on ohm (pre-push validation):
- brave-vulkan launches Brave without sandbox bypass
- seccomp-bpf sandboxes activate normally for utility/renderer processes
- 'panvk is not a conformant Vulkan implementation' fires ONCE (loader-select
excluded stock ICD from enumeration — only patched driver loads)
- GPU process boots, no 'Exiting GPU process' error
- Brave runs through full test timeout cleanly
README updated to reflect the new install layout + simplified wrapper.
Campaign artifacts: ~/src/panvk-bifrost/{phase0_findings_iter10.md,
phase8_iteration9_close.md (which iter10 polishes)}.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
iter9 of the panvk-bifrost campaign — operator-confirmed Vulkan output
on PineTab2 (Mali-G52 r1 MC1) 2026-05-20.
Patches Mesa 26.0.6's PanVk Vulkan driver:
- VK_KHR/EXT_robustness2 + nullDescriptor exposed for PAN_ARCH 6/7
- has_vk1_1 / has_vk1_2 = true on Bifrost
Patches applied via sed in PKGBUILD prepare() (cleaner than maintaining
a Mesa fork for two two-line tweaks; upstream context drifts between
Mesa releases would make a literal .patch brittle).
Co-installs at /usr/lib/panvk-bifrost/ — stock mesa untouched. Stock
libvulkan_panfrost.so and its ICD JSON keep working for everyone not
opting into the patched driver.
Ships /usr/bin/brave-vulkan that wires up:
VK_ICD_FILENAMES=/usr/lib/panvk-bifrost/icd.json
PAN_I_WANT_A_BROKEN_VULKAN_DRIVER=1
MESA_VK_VERSION_OVERRIDE=1.2 # ANGLE needs apiVersion>=1.1; the
# has_vk1_x flags don't move it, so
# the env-var override carries that
brave --use-gl=disabled --enable-features=Vulkan --use-vulkan=native
--ozone-platform=x11 --no-sandbox --disable-gpu-sandbox
--ignore-gpu-blocklist "$@"
Side-steps the stock "GLES3 is unsupported / GPU process exits" failure
documented in panvk-bifrost/README's "Consumer-side benefit" section.
Known limitation: WebGL/WebGL2 in-page won't work — ANGLE needs GLES3
which needs VK_EXT_transform_feedback, which PanVk-Bifrost doesn't
currently support. Browser chrome + standard page rendering work fine.
Gitea Actions job mesa-panvk-bifrost-aarch64 added to build.yml,
patterned on libva-v4l2-request-fourier-aarch64. Mesa build is slow
(~30-60min on actrunner-aarch64). Standalone (no needs:),
continue-on-error so it doesn't block other jobs.
Campaign artifacts: ~/src/panvk-bifrost/{README.md, phase8_iteration9_close.md,
phase0_evidence/iter9_brave_vulkan_breakthrough.txt}.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
marfrit