mesa-panvk-bifrost: iter10 polish — drop sandbox bypass, pin sha256, tighten loader select

iter10 of the panvk-bifrost campaign. Eliminates the cosmetic
'--disable-gpu-sandbox' warning at brave-vulkan launch + pins the
Mesa tarball hash + makes the Vulkan ICD selection deterministic
across filesystems.

PKGBUILD changes (pkgrel: 1 -> 2):
  - install ICD JSON at /usr/share/vulkan/icd.d/00-panvk-bifrost.json
    (was: /usr/lib/panvk-bifrost/icd.json — required VK_ICD_FILENAMES,
    which the GPU sandbox would strip, forcing --disable-gpu-sandbox)
  - libvulkan_panfrost.so install path unchanged at /usr/lib/panvk-bifrost/
  - sha256sums[0] pinned to 1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89
    (mesa-26.0.6.tar.xz from archive.mesa3d.org); patches + brave-vulkan +
    icd.json remain SKIP since they're in-tree (git-tracked)

brave-vulkan changes:
  - dropped --no-sandbox + --disable-gpu-sandbox: env vars MESA_VK_VERSION_OVERRIDE
    and PAN_I_WANT_A_BROKEN_VULKAN_DRIVER survive the GPU sandbox boundary
    (Mesa loader reads them pre-seccomp-lockdown)
  - dropped VK_ICD_FILENAMES (loader auto-picks via icd.d/ directory scan)
  - added VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' for deterministic
    ICD selection — Vulkan loader's readdir order is implementation-defined
    per Khronos LoaderDriverInterface, so the '00-' filename prefix is
    not spec-backed (ext4 happens to give insertion-order, other filesystems
    may not). VK_LOADER_DRIVERS_SELECT short-circuits readdir ambiguity.
    (Phase 5 review hardening.)

Test result on ohm (pre-push validation):
  - brave-vulkan launches Brave without sandbox bypass
  - seccomp-bpf sandboxes activate normally for utility/renderer processes
  - 'panvk is not a conformant Vulkan implementation' fires ONCE (loader-select
    excluded stock ICD from enumeration — only patched driver loads)
  - GPU process boots, no 'Exiting GPU process' error
  - Brave runs through full test timeout cleanly

README updated to reflect the new install layout + simplified wrapper.

Campaign artifacts: ~/src/panvk-bifrost/{phase0_findings_iter10.md,
phase8_iteration9_close.md (which iter10 polishes)}.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/build.yml

@@ -1092,3 +1092,121 @@ jobs:
       - name: wipe secrets
         if: always()
         run: rm -f /root/.ssh/id_ed25519_hertz
+
+  # -------------------------------------------------------------------------
+  # mesa-panvk-bifrost (aarch64 only) — patched Mesa libvulkan_panfrost.so
+  # for Bifrost-gen Mali (panvk-bifrost campaign iter9). Co-installs at
+  # /usr/lib/panvk-bifrost/ so stock mesa stays intact; opt-in via the
+  # brave-vulkan launcher this package also ships.
+  #
+  # Build is slow (~30-60min on actrunner-aarch64): full Mesa-from-source.
+  # Standalone job — no `needs:` since it doesn't depend on the fourier
+  # codec stack. continue-on-error so a build hiccup doesn't block other
+  # jobs in the same workflow run.
+  # -------------------------------------------------------------------------
+  mesa-panvk-bifrost-aarch64:
+    runs-on: arch-aarch64
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: bootstrap runner (idempotent)
+        run: |
+          set -e
+          retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
+          retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo
+
+      - name: import signing key
+        env:
+          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
+          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
+        run: |
+          set -e
+          gpgconf --homedir /root/.gnupg --kill all 2>/dev/null || true
+          rm -rf /root/.gnupg /root/repo_pass
+          mkdir -m700 -p /root/.gnupg
+          printf '%s' "$PASS" > /root/repo_pass
+          chmod 600 /root/repo_pass
+          printf '%s\n' "$PRIV" | gpg --batch --import
+          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
+
+      - name: install deploy ssh key
+        env:
+          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
+        run: |
+          mkdir -m700 -p /root/.ssh
+          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
+          chmod 600 /root/.ssh/id_ed25519
+          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
+
+      - name: makepkg mesa-panvk-bifrost
+        run: |
+          set -e
+          rm -rf /tmp/build-mesa-panvk-bifrost
+          cp -r arch/mesa-panvk-bifrost /tmp/build-mesa-panvk-bifrost
+          chown -R builder:builder /tmp/build-mesa-panvk-bifrost
+          cd /tmp/build-mesa-panvk-bifrost
+          # MAKEFLAGS for parallel build; runner is multi-core.
+          # --skipinteg because sha256sums=SKIP in PKGBUILD (matches the
+          # fourier-fork PKGBUILD convention).
+          sudo -u builder -H env MAKEFLAGS="-j60" \
+            makepkg --nocheck --noconfirm --syncdeps --cleanbuild --skipinteg
+          ls -la *.pkg.tar.* | grep -v "\.sig$"
+
+      - name: sign mesa-panvk-bifrost
+        run: |
+          set -e
+          cd /tmp/build-mesa-panvk-bifrost
+          for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
+            [ -f "$f" ] || continue
+            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
+                --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
+          done
+
+      - name: update aarch64 repo db
+        run: |
+          set -e
+          mkdir -p /tmp/arch-stage-mesa-panvk
+          cd /tmp/arch-stage-mesa-panvk
+          rm -f *
+          for f in marfrit.db.tar.gz marfrit.db.tar.gz.sig marfrit.files.tar.gz marfrit.files.tar.gz.sig; do
+            curl -sSLf "https://packages.reauktion.de/arch/aarch64/$f" -o "$f" || rm -f "$f"
+          done
+          for ext in xz zst gz; do
+            ls /tmp/build-mesa-panvk-bifrost/*.pkg.tar.$ext 2>/dev/null && \
+              mv /tmp/build-mesa-panvk-bifrost/*.pkg.tar.$ext /tmp/build-mesa-panvk-bifrost/*.pkg.tar.$ext.sig .
+          done || true
+          export GNUPGHOME=/root/.gnupg
+          printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
+          printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
+          gpg-connect-agent reloadagent /bye
+          pkgs=()
+          for ext in xz zst gz; do
+            for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
+          done
+          if [ -f marfrit.db.tar.gz ]; then
+            for f in "${pkgs[@]}"; do
+              name=$(echo "$f" | sed -E 's/-[0-9].*//')
+              repo-remove --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
+                marfrit.db.tar.gz "$name" 2>/dev/null || true
+            done
+          fi
+          repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
+            --verify marfrit.db.tar.gz "${pkgs[@]}"
+          ln -sf marfrit.db.tar.gz        marfrit.db
+          ln -sf marfrit.files.tar.gz     marfrit.files
+          ln -sf marfrit.db.tar.gz.sig    marfrit.db.sig
+          rm -f marfrit.files.sig
+
+      - name: publish to aarch64
+        run: |
+          set -e
+          retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
+          cd /tmp/arch-stage-mesa-panvk
+          retry rsync -avL --copy-unsafe-links \
+            -e 'ssh -i /root/.ssh/id_ed25519' \
+            ./ mfritsche@nc.reauktion.de:arch/aarch64/
+
+      - name: wipe secrets
+        if: always()
+        run: rm -f /root/repo_pass /root/.ssh/id_ed25519

arch/linux-pinetab2-danctnix-besser/PKGBUILD

@@ -29,7 +29,7 @@
 
 pkgbase=linux-pinetab2-danctnix-besser
 pkgver=7.0.danctnix1
-pkgrel=5
+pkgrel=6
 pkgdesc='PineTab2 (BESser bes2600 driver patchset, kernel-agent managed)'
 _srcname=linux-pinetab2
 _srctag=v${pkgver%.*}-${pkgver##*.}
@@ -68,7 +68,7 @@ b2sums=('3d9795083c8938f80f480de0d10bfd9c525640e59d5c7f22983de3f12ee42c84c31be90
         'SKIP'
         '71fe98221e802b315e54b4b10d3e8c8f376695a36bae3541d876e5776a37f3fa33c8f8dfa6e51fcbd6f5396add02e5166634165f2351836a0ea0453c172fe56c'
         'SKIP'
-        '50397711a6a3ba522283685a9e7397aeed6663f353f7cba214d4bb88bc98516065b2fca9a36ce13c52644617879f69f39c5305e86db5d9fb25c4dae5434eb9c4'
+        'eb179c03f35a4dbaec2e40036f0033ef04985bb6b14ab22419d68e5caaa5874f2ad14e158f7c5b05added97f60fecde8fb8b7f2a6ced33e031e37352fe776ca6'
         '656a998ab40cb85ee4c00f087b071a91632a6c091da2c84b0f74236b51d2dea6e9db6886625f80ad81dc249d8494ec47cd79d6dd9ea4f5e44f3cde857f861e10')
 
 export KBUILD_BUILD_HOST=archlinux

arch/linux-pinetab2-danctnix-besser/manifest.lock

@@ -4,34 +4,174 @@ baseline:
   upstream_compat: linux-7.0
   url: https://codeberg.org/DanctNIX/linux-pinetab2
 cumulative:
-  b2sum: 50397711a6a3ba522283685a9e7397aeed6663f353f7cba214d4bb88bc98516065b2fca9a36ce13c52644617879f69f39c5305e86db5d9fb25c4dae5434eb9c4
+  b2sum: eb179c03f35a4dbaec2e40036f0033ef04985bb6b14ab22419d68e5caaa5874f2ad14e158f7c5b05added97f60fecde8fb8b7f2a6ced33e031e37352fe776ca6
   path: cumulative.patch
-  size: 162716
+  size: 279554
-generated_at: '2026-05-18T17:16:06.455474+00:00'
+generated_at: '2026-05-19T13:05:46.476359+00:00'
 host: ohm
 ka_promote_version: 1
 manifest:
   path: fleet/ohm.yaml
-  sha256: da59ac2c965e5ad9c5004a115b10a37abf47ed3ecc8b7f5ab426470d2ee7b442
+  sha256: 9ac04ddd3170418b7b2d2cf7b31ac225a31ed19be4f03e8477bf28b585bae257
 resolved_patches:
 - apply_order: 1
   from_series: true
-  include: driver/bes2600/cumulative-c5x-danctnix/0001-bes2600-besser-cumulative-series.patch
+  include: driver/bes2600/factory-series/0001-bes2600-use-request_firmware-for-factory.txt-read.patch
-  sha256: e477a170567487fef84fe13be5b0a1f0498247ff1f201000d0085a2e49ff9026
+  sha256: a1bc2d13b258709fa37c9ff428dfdc0659464b436470fa2ec69b07edf7592f6f
-  size: 148149
+  size: 5456
 - apply_order: 2
   from_series: true
-  include: driver/bes2600/scan-filter-5ghz-danctnix/0001-bes2600-filter-5ghz-scan-and-allow-single-channel.patch
+  include: driver/bes2600/factory-series/0002-bes2600-default-STANDARD_FACTORY_EFUSE_FLAG-off-for-PineTab2.patch
-  sha256: 31e67569e00daead0784214aced1e077d3270cf1407baa0b330d474e17ec3931
+  sha256: 577d7024ce0b342c4381365872fc29e75a93427ad61223907fead8b829b5a86c
-  size: 7735
+  size: 3499
 - apply_order: 3
   from_series: true
-  include: arch/arm64/xor-neon-ffixed-x18-scs-build-fix-danctnix/0001-arm64-xor-neon-ffixed-x18-build-fix.patch
+  include: driver/bes2600/factory-thread-dev/0001-bes2600-thread-struct-device-through-factory-request_firmware.patch
-  sha256: a49c50f0ebffc499970c24908b832c3e61c96ed87de35b3a82178eff587f94f1
+  sha256: e3fac725e6addc11147341836600c2c5cd0116abba960f34ba50bb8094581c75
-  size: 1574
+  size: 4406
 - apply_order: 4
+  from_series: true
+  include: driver/bes2600/pm-gate-on-handshake/0001-bes2600-gate-device-LP-mode-entry-on-successful-handshake.patch
+  sha256: 9842c0dd66f59fe28898041ba5a816be56965b0665f202410cd461c3e6565474
+  size: 3914
+- apply_order: 5
+  from_series: true
+  include: driver/bes2600/remove-chardev-user-interface/0001-bes2600-remove-userspace-dev-bes2600-character-device-interface.patch
+  sha256: c67d340ae5923aada613ea9c5133e3efa3aeb7986749f4bf3619d1752a1b61fb
+  size: 22445
+- apply_order: 6
+  from_series: true
+  include: driver/bes2600/enable-testmode/0001-bes2600-enable-CONFIG_BES2600_TESTMODE-by-default-fix-bitrot.patch
+  sha256: 5dee74e8753d332fd380882994ea43aa907d1ff97466b0c48aedf38d4076e446
+  size: 6152
+- apply_order: 7
+  from_series: true
+  include: driver/bes2600/tx-sdio-dma-oob-danctnix/0001-bes2600-bounce-SDIO-TX-buffers-to-avoid-DMA-OOB-read.patch
+  sha256: 0dce2fe35450b8376c2d2a7c007119f28c888c1c30b489a67841039caedeebfc
+  size: 4544
+- apply_order: 8
+  from_series: true
+  include: driver/bes2600/factory-drop-kernel-write-danctnix/0001-bes2600-drop-kernel_write-persistence-from-factory-cali-save.patch
+  sha256: a7995b38e210af16b73d284a58ab39b8aecac36ff4a671af3d894b1983f961b3
+  size: 5704
+- apply_order: 9
+  from_series: true
+  include: driver/bes2600/drop-dpd-file-paths-danctnix/0001-bes2600-drop-BES2600_WRITE_DPD_TO_FILE-kernel-file-paths.patch
+  sha256: 0cd8780c245c97c65e4845e42d712c6256a0449658641aea18e4c7d400f63e41
+  size: 9661
+- apply_order: 10
+  from_series: true
+  include: driver/bes2600/drop-orphan-file-io-danctnix/0001-bes2600-drop-orphan-DATA_DUMP_OBSERVE-and-access_file-IO.patch
+  sha256: fd8c297223e6a985c2898f919ae1ab27eb56ab44f09f44d84d75eb35a187527b
+  size: 5327
+- apply_order: 11
+  from_series: true
+  include: driver/bes2600/pm-timeout-silence-danctnix/0001-bes2600-demote-wait-pm-ind-timeout-from-bes_err-to-bes_devel.patch
+  sha256: 3a4fd3255facbcef0419e0e0332cb980316529aa5c225b35bcfd244a42736667
+  size: 2332
+- apply_order: 12
+  from_series: true
+  include: driver/bes2600/scan-defer-on-reject-danctnix/0001-bes2600-defer-scan-and-soften-WARN-on-firmware-reject.patch
+  sha256: 55e16c176bc147c371a20f57b3a57da38c719d3b42417e88f9de243e10102d35
+  size: 8393
+- apply_order: 13
+  from_series: true
+  include: driver/bes2600/scan-defer-backoff-tune-danctnix/0001-bes2600-widen-scan-defer-backoff-30s-and-decay-on-quiet.patch
+  sha256: 70a5b25baaf41c8090701b069c30cbad378883d828bdd06e4eb560a35bc077f1
+  size: 4924
+- apply_order: 14
+  from_series: true
+  include: driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0001-bes2600-recover-wedged-firmware-via-mmc_hw_reset-on-link-break.patch
+  sha256: 3decf33c9684b3aba64004d5ad97ae3d54e1d6dc176d0b0ae539036c65e6dc6c
+  size: 10604
+- apply_order: 15
+  from_series: true
+  include: driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0002-bes2600-handle-multi-function-SDIO-cards-in-mmc_hw_reset-bus_reset.patch
+  sha256: a1acfcc401afc699a9c3676b6df2ec0f092e78826a32616268f90b509d538e33
+  size: 3321
+- apply_order: 16
+  from_series: true
+  include: driver/bes2600/pm-state-resync-danctnix/0001-bes2600-gate-PM-indication-completion-on-pending-request-and-track-state.patch
+  sha256: 049cf3ff9c01fdd10ff73bd18497e14ef0cd8fd1a65486ba86fbc6c1935a5f8e
+  size: 10269
+- apply_order: 17
+  from_series: true
+  include: driver/bes2600/pm-wake-consume-state-danctnix/0001-bes2600-short-circuit-wake-handshake-when-chip-confirmed-ACTIVE.patch
+  sha256: c9d19a73816f4c82b418dcd18008176bbb0c49fd4138be53cad45ae142224112
+  size: 8100
+- apply_order: 18
+  from_series: true
+  include: driver/bes2600/pm-detect-firmware-unsupported-danctnix/0001-bes2600-self-detect-firmware-does-not-honor-PSM-skip-cycle.patch
+  sha256: 196dc9d51ffea268718a290d434b6237fb60119f10c2b050a58724c8a775c7a8
+  size: 9041
+- apply_order: 19
+  from_series: true
+  include: driver/bes2600/decrypt-storm-fast-recover-danctnix/0001-bes2600-pre-empt-AP-deauth-6-mac80211-reassoc-on-decrypt-fail-storm.patch
+  sha256: b57ed316005f402c95ccae8ab24ac761bdf34162d73f108f5790af8f8ad2d1fe
+  size: 9249
+- apply_order: 20
+  from_series: true
+  include: driver/bes2600/connection-loss-fast-recover-danctnix/0001-bes2600-bus_reset-on-connection-loss-storm-to-dodge-assoc-comeback-blackhole.patch
+  sha256: cd1eaff97c3f08c58e7b1588e19a12200e8bb2a1f39afe554284f1d818610a67
+  size: 12184
+- apply_order: 21
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0001-bes2600-replace-atomic_add-with-atomic_inc-cw1200-backport.patch
+  sha256: 3876c9e512f556c7f2e8d4cfaba1d7df2945ee48af8edfab5f8d09d9de9adf23
+  size: 3080
+- apply_order: 22
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0002-bes2600-fix-missing-destroy_workqueue-on-error-in-init_common.patch
+  sha256: 2b82ecb127748349780404479205b952337c244e715278e6d40471c6ecad7602
+  size: 2230
+- apply_order: 23
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0003-bes2600-fix-concurrency-UAF-in-bes2600_hw_scan-and-sched_scan.patch
+  sha256: 4c1850ad003ddcac543d3d61edd15c18ccd0cc601367cf4c6dd31e1fbb39ab16
+  size: 4476
+- apply_order: 24
+  from_series: true
+  include: driver/bes2600/sdio-rx-no-relay-danctnix/0001-bes2600-drop-sdio_rx_work-relay-IRQ-bh-direct-no-relay-architecture.patch
+  sha256: f1182150c5893f2497f942900b34c9c4aeb8d5901d9786ae2753dcce38ed6c78
+  size: 19313
+- apply_order: 25
+  from_series: true
+  include: driver/bes2600/license-spdx-restore-attribution-danctnix/0001-bes2600-Patch-G-restore-SPDX-identifiers-ST-Ericsson-attribution.patch
+  sha256: 91dadab0b58f8b8ad2dca80fd04796d478ecb83ce94a1e4b6e97ef8634d97ef1
+  size: 41521
+- apply_order: 26
+  from_series: true
+  include: driver/bes2600/ba-lock-atomic-danctnix/0001-bes2600-Patch-D-atomicize-ba_lock-counters-drop-the-spinlock.patch
+  sha256: a5d4ed2bf545458a756e65670c7eed31997bd0be9262344a10313bee31ea4963
+  size: 11987
+- apply_order: 27
+  from_series: true
+  include: driver/bes2600/ps-state-lock-skip-pm-disabled-danctnix/0001-bes2600-Patch-E-skip-ps_state_lock-when-PSM-known-disabled.patch
+  sha256: 18040a563b37cc95c558703f01bfbf6b7fa23a52f2f4f0f8f1254ad4fa0fe0d6
+  size: 3396
+- apply_order: 28
+  from_series: true
+  include: driver/bes2600/rx-list-batch-delivery-danctnix/0001-bes2600-Patch-C2-replace-ieee80211_rx_irqsafe-with-ieee80211_rx_ni.patch
+  sha256: ffeffd085a9d052c126a717b845d50120ea302e76c12e53c0c3c891291cababf
+  size: 8377
+- apply_order: 29
+  from_series: true
+  include: driver/bes2600/bh-c-fossil-cleanup-danctnix/0001-bes2600-Patch-H-bh.c-hygiene-cleanup-drop-fossil-blocks-dead-stubs.patch
+  sha256: 8fb0c799e3a8ee5ad7bfb647fceaf370c6a1a5f24d8621776fd07bf18a976f81
+  size: 21082
+- apply_order: 30
+  from_series: true
+  include: driver/bes2600/scan-filter-5ghz-danctnix/0001-bes2600-filter-5-GHz-scans-at-the-driver-boundary.patch
+  sha256: 31e67569e00daead0784214aced1e077d3270cf1407baa0b330d474e17ec3931
+  size: 7735
+- apply_order: 31
+  from_series: true
+  include: arch/arm64/scs-arm-neon-build-fix/0001-arm64-xor-neon-ffixed-x18-build-fix.patch
+  sha256: 105e32edc54743d8107c4dcd846833ae97d2df5f918aebc9fe3e67d6f23249cc
+  size: 1562
+- apply_order: 32
   from_series: true
   include: driver/bes2600/queue-pending-record-lock-bh-danctnix/0001-bes2600-take-pending-record-lock-with-bh.patch
-  sha256: 089862e5f6da5783ed0db979144e4fa07cff7f743809a0bebd715c75a3bb8eb5
+  sha256: e0894371c43f750590e1704ae3c77b27b6910548afa4a5b61ebc4d9919580ca2
-  size: 5258
+  size: 5270
 schema_version: 1

arch/mesa-panvk-bifrost/0001-panvk-expose-robustness2-nullDescriptor-bifrost.patch

@@ -0,0 +1,57 @@
+From: claude-noether (on behalf of mfritsche)
+Date: 2026-05-19
+Subject: panvk: expose VK_KHR/EXT_robustness2 + nullDescriptor on Bifrost (PAN_ARCH 6/7)
+
+Without this, Mesa's Zink driver refuses to use PanVk-Bifrost as its Vulkan
+backend, falling back silently to llvmpipe (software rasterizer) for all
+GL-via-Zink on Bifrost SBCs. That defeats the entire purpose of having a
+Vulkan driver on Bifrost — GL acceleration via Zink is the most natural
+near-term consumer.
+
+panvk_vX_nir_lower_descriptors.c:1309 and panvk_vX_shader.c:1355 already
+plumb dev->vk.enabled_features.nullDescriptor arch-agnostically — the gate
+at panvk_vX_physical_device.c was set conservatively when Bifrost was
+unmaintained, not because of hardware incapability.
+
+iter1–7 of the panvk-bifrost campaign proved fundamental driver functions
+on Mali-G52 r1 MC1 (PAN_ARCH=7). This patch is the iter8 follow-up.
+
+robustBufferAccess2 and robustImageAccess2 are NOT flipped — they're
+independent rb2 features Zink doesn't require, gated differently
+(robustBufferAccess2 = PAN_ARCH >= 11, robustImageAccess2 = false), and
+out of scope for iter8.
+
+---
+ src/panfrost/vulkan/panvk_vX_physical_device.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/panfrost/vulkan/panvk_vX_physical_device.c b/src/panfrost/vulkan/panvk_vX_physical_device.c
+--- a/src/panfrost/vulkan/panvk_vX_physical_device.c
++++ b/src/panfrost/vulkan/panvk_vX_physical_device.c
+@@ -91,7 +91,7 @@ get_device_extensions(const struct panvk_physical_device *device,
+       .KHR_pipeline_binary = true,
+       .KHR_pipeline_executable_properties = true,
+       .KHR_pipeline_library = true,
+-      .KHR_robustness2 = PAN_ARCH >= 10,
++      .KHR_robustness2 = true,
+       .KHR_sampler_mirror_clamp_to_edge = true,
+       .KHR_sampler_ycbcr_conversion = true,
+       .KHR_separate_depth_stencil_layouts = true,
+@@ -168,7 +168,7 @@ get_device_extensions(const struct panvk_physical_device *device,
+       .EXT_queue_family_foreign = true,
+       .EXT_robustness = pan_arch(device->kmod.dev->props.gpu_id) >= 9,
+       .EXT_image_robustness = true,
+-      .EXT_robustness2 = PAN_ARCH >= 10,
++      .EXT_robustness2 = true,
+       .EXT_sampler_filter_minmax = PAN_ARCH >= 10,
+       .EXT_scalar_block_layout = true,
+       .EXT_separate_stencil_usage = true,
+@@ -493,7 +493,7 @@ get_device_features(const struct panvk_physical_device *device,
+       /* VK_KHR_robustness2 */
+       .robustBufferAccess2 = PAN_ARCH >= 11,
+       .robustImageAccess2 = false,
+-      .nullDescriptor = PAN_ARCH >= 10,
++      .nullDescriptor = true,
+
+       /* VK_KHR_shader_clock */
+       .shaderSubgroupClock = device->kmod.dev->props.gpu_can_query_timestamp,

arch/mesa-panvk-bifrost/0002-panvk-expose-vulkan-1.1-1.2-on-bifrost.patch

@@ -0,0 +1,47 @@
+From: claude-noether (on behalf of mfritsche)
+Date: 2026-05-20
+Subject: panvk: expose Vulkan 1.1 + 1.2 on Bifrost (PAN_ARCH 6/7)
+
+ANGLE (Chromium's GL stack) requires apiVersion >= 1.1 to initialize. Without
+this, Brave / Chromium's GPU process fails at GL info collection:
+
+  vk_renderer.cpp:2659 (initialize): ANGLE Requires a minimum Vulkan device
+                                     version of 1.1
+  Display::initialize error 0: Internal Vulkan error (-9): The requested
+                               version of Vulkan is not supported by the driver
+
+Stack-up with iter8's robustness2 patch enables ANGLE → PanVk-Bifrost →
+Skia (via --enable-features=Vulkan) on Bifrost SBCs.
+
+PanVk-Bifrost already supports the bulk of 1.1-promoted features as extensions
+(multiview, maintenance1-3, descriptor update template, 16-bit storage,
+descriptor update template, sampler ycbcr, variable pointers, etc. — all
+visible in iter0 vulkaninfo). The version bump primarily bundles them.
+
+Risk: Vulkan 1.1 has features beyond what iter1–7 exercised (protected memory,
+full subgroup ops). Specific app failures will be characterizable.
+
+1.2 is also flipped — Brave's Vulkan path may want descriptor indexing,
+buffer device address, etc. (all listed in iter0 vulkaninfo as supported
+extensions, just gated as 1.0-with-extensions, not 1.2-core).
+
+---
+ src/panfrost/vulkan/panvk_vX_physical_device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/panfrost/vulkan/panvk_vX_physical_device.c b/src/panfrost/vulkan/panvk_vX_physical_device.c
+--- a/src/panfrost/vulkan/panvk_vX_physical_device.c
++++ b/src/panfrost/vulkan/panvk_vX_physical_device.c
+@@ -38,8 +38,8 @@ get_device_extensions(const struct panvk_physical_device *device,
+                       struct vk_device_extension_table *ext)
+ {
+    *ext = (struct vk_device_extension_table){
+-      .KHR_8bit_storage = true,
+-      .KHR_16bit_storage = true,
+-      bool has_vk1_1 = PAN_ARCH >= 10;
+-      bool has_vk1_2 = PAN_ARCH >= 10;
++      .KHR_8bit_storage = true,
++      .KHR_16bit_storage = true,
++      bool has_vk1_1 = true;
++      bool has_vk1_2 = true;
+       *ext = (struct vk_device_extension_table){

arch/mesa-panvk-bifrost/PKGBUILD

@@ -0,0 +1,165 @@
+# Maintainer: Markus Fritsche <fritsche.markus@gmail.com>
+#
+# mesa-panvk-bifrost — patched Mesa libvulkan_panfrost.so that exposes
+# Bifrost-gen Mali (Mali-G31/G52/G72/G76, PAN_ARCH 6/7) to Chromium-family
+# browsers' Vulkan compositor.
+#
+# Campaign: ~/src/panvk-bifrost/ — iter9 close (technical milestone
+# 2026-05-20, operator-confirmed Brave window). Goal close requires
+# this package built + published + installable per the
+# feedback_package_done_means_installable.md 3-point check.
+#
+# What it does:
+#   - Builds Mesa 26.0.6 (matching ohm's stock mesa pkg) with two
+#     patches against src/panfrost/vulkan/panvk_vX_physical_device.c:
+#     (1) expose VK_KHR/EXT_robustness2 + nullDescriptor on PAN_ARCH 6/7
+#     (2) set has_vk1_1/has_vk1_2 to true on Bifrost
+#   - Installs the patched libvulkan_panfrost.so to /usr/lib/panvk-bifrost/
+#     (NOT /usr/lib — co-installs alongside stock mesa).
+#   - Registers a custom ICD JSON at a non-default path so the system
+#     Vulkan loader only picks up our driver when VK_ICD_FILENAMES is set.
+#   - Ships /usr/bin/brave-vulkan launcher that wires up env vars + flags.
+#
+# Co-existence: stock /usr/lib/libvulkan_panfrost.so is untouched. Stock
+# /usr/share/vulkan/icd.d/panfrost_icd.json is untouched. Users opt in
+# via brave-vulkan (or by setting VK_ICD_FILENAMES manually).
+#
+# Build target: arch-aarch64 runner via marfrit-packages Gitea Actions.
+# Mesa build is slow (~30-60min on Cortex-A55). Build deps installed
+# inside the runner via pacman -S in the workflow.
+
+pkgname=mesa-panvk-bifrost
+_mesaver=26.0.6
+pkgver=26.0.6.r2
+pkgrel=2
+pkgdesc="Patched Mesa libvulkan_panfrost.so exposing Bifrost-gen Mali to Vulkan apps (panvk-bifrost campaign)"
+arch=('aarch64')
+url="https://github.com/marfrit/panvk-bifrost"
+license=('MIT')
+
+# We co-install at /usr/lib/panvk-bifrost/ so no conflicts with stock mesa.
+# We DO provide a script that requires brave to be installed.
+depends=(
+    'mesa'              # for shared mesa runtime libs (libgallium-mesa etc.)
+    'libdrm'
+    'wayland'
+    'libxcb'
+    'libx11'
+    'libxshmfence'
+    'zlib'
+    'zstd'
+    'libdisplay-info'
+    'expat'
+    'systemd-libs'      # libudev
+    'spirv-tools'
+)
+optdepends=(
+    'brave-bin: for the brave-vulkan launcher script'
+)
+makedepends=(
+    'meson'
+    'ninja'
+    'pkgconf'
+    'bison'
+    'flex'
+    'python'
+    'python-yaml'
+    'python-mako'
+    'glslang'
+    'spirv-tools'
+    'llvm'
+    'clang'
+    'libclc'
+    'spirv-llvm-translator'
+    'vulkan-headers'
+    'wayland-protocols'
+)
+
+source=(
+    "https://archive.mesa3d.org/mesa-${_mesaver}.tar.xz"
+    "0001-panvk-expose-robustness2-nullDescriptor-bifrost.patch"
+    "0002-panvk-expose-vulkan-1.1-1.2-on-bifrost.patch"
+    "brave-vulkan"
+    "icd.json"
+)
+sha256sums=(
+    '1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89'  # mesa-26.0.6.tar.xz from archive.mesa3d.org, pinned 2026-05-20 (iter10)
+    'SKIP'
+    'SKIP'
+    'SKIP'
+    'SKIP'
+)
+
+prepare() {
+    cd "mesa-${_mesaver}"
+    # iter8 patch: robustness2 + nullDescriptor exposure on Bifrost.
+    # Three hunks in panvk_vX_physical_device.c. Apply via sed since
+    # the upstream context drifts between Mesa releases and unified-diff
+    # patching is brittle (we hit hunk-rejects during manual application).
+    sed -i 's|\.KHR_robustness2 = PAN_ARCH >= 10,|.KHR_robustness2 = true,|' src/panfrost/vulkan/panvk_vX_physical_device.c
+    sed -i 's|\.EXT_robustness2 = PAN_ARCH >= 10,|.EXT_robustness2 = true,|' src/panfrost/vulkan/panvk_vX_physical_device.c
+    sed -i 's|\.nullDescriptor = PAN_ARCH >= 10,|.nullDescriptor = true,|' src/panfrost/vulkan/panvk_vX_physical_device.c
+    # iter9 patch: bump api version to 1.1/1.2 for Bifrost. NOTE: this only
+    # affects extension exposure flags, NOT the reported apiVersion (which
+    # is set by get_api_version() further down and gated separately).
+    # The brave-vulkan launcher sets MESA_VK_VERSION_OVERRIDE=1.2 at runtime
+    # to deal with the latter — no source change needed for that path.
+    sed -i 's|bool has_vk1_1 = PAN_ARCH >= 10;|bool has_vk1_1 = true;|' src/panfrost/vulkan/panvk_vX_physical_device.c
+    sed -i 's|bool has_vk1_2 = PAN_ARCH >= 10;|bool has_vk1_2 = true;|' src/panfrost/vulkan/panvk_vX_physical_device.c
+
+    # Sanity-check the patches landed.
+    grep -q "KHR_robustness2 = true," src/panfrost/vulkan/panvk_vX_physical_device.c
+    grep -q "EXT_robustness2 = true," src/panfrost/vulkan/panvk_vX_physical_device.c
+    grep -q "nullDescriptor = true," src/panfrost/vulkan/panvk_vX_physical_device.c
+    grep -q "has_vk1_1 = true;" src/panfrost/vulkan/panvk_vX_physical_device.c
+    grep -q "has_vk1_2 = true;" src/panfrost/vulkan/panvk_vX_physical_device.c
+}
+
+build() {
+    cd "mesa-${_mesaver}"
+    # Minimal Mesa build — only the panvk Vulkan driver. No GLES/GLX/EGL/
+    # gallium drivers — keeps the build narrower and avoids pulling in
+    # the entire Mesa runtime in this package's dep graph.
+    meson setup build/ \
+        --prefix=/usr \
+        --libdir=lib \
+        --buildtype=release \
+        -Dvulkan-drivers=panfrost \
+        -Dgallium-drivers= \
+        -Dplatforms=wayland,x11 \
+        -Dglx=disabled \
+        -Degl=disabled \
+        -Dgles1=disabled \
+        -Dgles2=disabled \
+        -Dvulkan-layers= \
+        -Dtools= \
+        -Dgallium-rusticl=false \
+        -Dmicrosoft-clc=disabled
+    meson compile -C build
+}
+
+package() {
+    cd "${srcdir}/mesa-${_mesaver}"
+
+    # Patched lib — co-install path, NOT /usr/lib (to avoid clashing
+    # with stock mesa's libvulkan_panfrost.so binary).
+    install -Dm755 build/src/panfrost/vulkan/libvulkan_panfrost.so \
+        "$pkgdir/usr/lib/panvk-bifrost/libvulkan_panfrost.so"
+
+    # ICD JSON at the standard Vulkan loader search path. The '00-'
+    # filename prefix gives optical priority but is NOT spec-backed —
+    # Vulkan loader readdir-order is implementation-defined per Khronos
+    # LoaderDriverInterface. The brave-vulkan wrapper sets
+    # VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' to make the selection
+    # deterministic across filesystems. This avoids the VK_ICD_FILENAMES
+    # full-path override (whose GPU-sandbox survival is fragile) while
+    # still letting the loader work normally. iter10 result + Phase 5
+    # hardening.
+    install -Dm644 "$srcdir/icd.json" \
+        "$pkgdir/usr/share/vulkan/icd.d/00-panvk-bifrost.json"
+
+    # The brave-vulkan launcher wires up env + flags. iter10: no longer
+    # sets VK_ICD_FILENAMES, no longer passes --no-sandbox /
+    # --disable-gpu-sandbox.
+    install -Dm755 "$srcdir/brave-vulkan" "$pkgdir/usr/bin/brave-vulkan"
+}

arch/mesa-panvk-bifrost/README.md

@@ -0,0 +1,86 @@
+# mesa-panvk-bifrost
+
+Patched Mesa `libvulkan_panfrost.so` exposing Bifrost-gen Mali GPUs
+(Mali-G31/G52/G72/G76, PAN_ARCH 6/7) to Chromium-family browsers'
+Vulkan compositor.
+
+Result of the **panvk-bifrost** campaign ([`~/src/panvk-bifrost/`](../../../panvk-bifrost/)),
+iter9 close 2026-05-20 (technical milestone — operator-confirmed Brave
+window) followed by this package as the actual delivery.
+
+## What it solves
+
+Stock Chromium / Brave on Bifrost SBCs (PineTab2, etc.) currently dies
+at GL bindings init:
+
+```
+ERROR: ui/gl/gl_context_egl.cc:120  GLES3 is unsupported and ES version fallback is disabled
+ERROR: ui/gl/init/gl_factory.cc:111  Requested GL implementation not found
+ERROR: components/viz/service/main/viz_main_impl.cc:189  Exiting GPU process due to errors during initialization
+```
+
+This package makes Brave's **Vulkan compositor path** work on Bifrost,
+side-stepping the failing GL stack. Browser chrome and standard page
+rendering work.
+
+## Known limitations (not addressed)
+
+- **WebGL / WebGL2** in-page: blocked. ANGLE needs `VK_EXT_transform_feedback`
+  to expose GLES3 contexts; PanVk-Bifrost doesn't currently support that.
+  Sites using WebGL will degrade or refuse.
+- **VAAPI hardware video decode**: unrelated to this package — see the
+  `libva-v4l2-request-fourier` package for that path.
+
+## Install
+
+```sh
+# Ensure [marfrit] is in /etc/pacman.conf, then:
+sudo pacman -Sy mesa-panvk-bifrost
+```
+
+## Use
+
+```sh
+brave-vulkan                                    # launches Brave with Vulkan
+brave-vulkan https://www.example.com
+brave-vulkan --your-flags-here                  # extra args passed through
+```
+
+The launcher sets:
+
+- `PAN_I_WANT_A_BROKEN_VULKAN_DRIVER=1` (Mesa upstream gate)
+- `MESA_VK_VERSION_OVERRIDE=1.2` (apiVersion bump for ANGLE)
+- Brave flags: `--use-gl=disabled --enable-features=Vulkan --use-vulkan=native --ozone-platform=x11 --ignore-gpu-blocklist`
+
+iter10 dropped `VK_ICD_FILENAMES` (ICD now at `/usr/share/vulkan/icd.d/00-panvk-bifrost.json` so the Vulkan loader auto-picks it, pinned deterministically via `VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'`) and `--no-sandbox` / `--disable-gpu-sandbox` (env vars survive the GPU sandbox boundary without bypass).
+
+## What's in the package
+
+- `/usr/lib/panvk-bifrost/libvulkan_panfrost.so` — patched Mesa Vulkan driver (Mesa 26.0.6 + 2 sed-applied patches)
+- `/usr/share/vulkan/icd.d/00-panvk-bifrost.json` — Vulkan ICD JSON pointing at the patched .so (Vulkan loader picks it deterministically via `VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'` set by the launcher)
+- `/usr/bin/brave-vulkan` — launcher script
+
+System Mesa's binary `/usr/lib/libvulkan_panfrost.so` is untouched. The
+stock `panfrost_icd.json` is also untouched and continues to enumerate
+the same Mali-G52 device — apps see both drivers in
+`vkEnumeratePhysicalDevices` and pick by index (ANGLE picks first, which
+becomes ours by alphabetical priority).
+
+## Co-existence
+
+Both stock Mesa and this package can be installed. Stock Vulkan apps
+(`vulkaninfo`, `vkcube`, etc.) use the stock driver by default. Only
+apps started via `brave-vulkan` (or with `VK_ICD_FILENAMES` manually
+set to our path) use the patched driver.
+
+## Campaign close criterion
+
+Per [`feedback_package_done_means_installable`](file:///home/mfritsche/.claude/projects/-home-mfritsche-src/memory/feedback_package_done_means_installable.md)
+three-point check:
+
+1. PR merged to `marfrit-packages`
+2. CI green AND `packages.reauktion.de/arch/aarch64/mesa-panvk-bifrost-*.pkg.tar.zst` exists
+3. `pacman -Ss mesa-panvk-bifrost` on a fresh consumer host (e.g. ohm
+   after `pacman -Syu` from clean state) returns the package + brave-vulkan launches
+
+When all three pass, panvk-bifrost iter9 closes.

arch/mesa-panvk-bifrost/brave-vulkan

@@ -0,0 +1,68 @@
+#!/bin/bash
+# brave-vulkan — launch Brave with the PanVk-Bifrost Vulkan compositor on
+# Bifrost SBCs (PineTab2 / Mali-G52 r1 MC1 and similar).
+#
+# Side-steps the GL stack failures stock Brave hits on Bifrost
+# (the README "Consumer-side benefit" path of the panvk-bifrost campaign).
+#
+# Provided by the mesa-panvk-bifrost package. See:
+#   /usr/share/doc/mesa-panvk-bifrost/README
+#   ~/src/panvk-bifrost/phase8_iteration{9,10}_close.md
+#
+# Usage: brave-vulkan [brave args...]
+# Equivalent to: brave [VULKAN_FLAGS] [your args]
+#
+# iter10 changes vs iter9:
+#   - dropped VK_ICD_FILENAMES env (ICD now at /usr/share/vulkan/icd.d/
+#     with '00-' prefix so the Vulkan loader auto-picks ours first)
+#   - dropped --no-sandbox / --disable-gpu-sandbox (env vars survive the
+#     GPU sandbox boundary, no bypass needed)
+
+set -e
+
+# Pin the Vulkan ICD selection to our package's ICD. The Vulkan loader's
+# readdir-order in /usr/share/vulkan/icd.d/ is implementation-defined
+# per Khronos LoaderDriverInterface — the '00-' filename prefix is NOT
+# spec-backed. VK_LOADER_DRIVERS_SELECT short-circuits the directory
+# enumeration and picks our ICD deterministically. (Phase 5 review
+# hardening, iter10.)
+export VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'
+
+# PanVk's "I know it's not conformant" gate — the patched driver still
+# refuses to enumerate Bifrost without this env var (upstream Mesa choice
+# for v6/v7, kept for compatibility).
+export PAN_I_WANT_A_BROKEN_VULKAN_DRIVER=1
+
+# Override apiVersion to 1.2 — ANGLE (Chromium's GL stack) requires
+# device.apiVersion >= 1.1. Source patches don't move get_api_version()'s
+# PAN_ARCH>=10 hardcode; the env var override does.
+export MESA_VK_VERSION_OVERRIDE=1.2
+
+# Find the live Plasma session's Xauthority. On a fresh boot the suffix
+# is randomized; pgrep the Xwayland args to find the current one.
+if [ -z "${XAUTHORITY:-}" ]; then
+    XAUTHF=$(pgrep -fa Xwayland 2>/dev/null | grep -oE "/run/user/$(id -u)/xauth_[A-Za-z0-9]+" | head -1)
+    if [ -n "$XAUTHF" ]; then
+        export XAUTHORITY="$XAUTHF"
+    fi
+fi
+
+# Standard session env if not already set
+: "${XDG_RUNTIME_DIR:=/run/user/$(id -u)}"
+export XDG_RUNTIME_DIR
+
+# Default to the active Plasma Wayland session if WAYLAND_DISPLAY unset
+: "${WAYLAND_DISPLAY:=wayland-0}"
+export WAYLAND_DISPLAY
+
+# Default to the XWayland :1 unless DISPLAY is set
+: "${DISPLAY:=:1}"
+export DISPLAY
+
+exec brave \
+    --use-gl=disabled \
+    --enable-features=Vulkan \
+    --use-vulkan=native \
+    --ozone-platform=x11 \
+    --ignore-gpu-blocklist \
+    "$@"

arch/mesa-panvk-bifrost/icd.json

@@ -0,0 +1,7 @@
+{
+    "ICD": {
+        "api_version": "1.4.335",
+        "library_path": "/usr/lib/panvk-bifrost/libvulkan_panfrost.so"
+    },
+    "file_format_version": "1.0.1"
+}