# Maintainer: jc_gargma <jc_gargma@iserlohn-fortress.net>
# Maintainer (Arch): Levente Polyak <anthraxx[at]archlinux[dot]org>
# Contributor: Aqua-sama <aqua@iserlohn-fortress.net>
# Contributor (Arch): Daniel Micay <danielmicay@gmail.com>
# Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
# Contributor (Arch): Thomas Baechler <thomas@archlinux.org>

# # I maintain this because:
# Arch version patch script does not apply consistently
# Arch version lacks ath9k, bdver2, greysky2, and raid6 patches
# Arch version lacks ck patches
# Arch version allows SEED, SM3, SM4, and Streebog
# Arch version is 300 Hz
# Arch version supports Intel ME
# Arch version is not configured for openrc
# Arch version builds docs using python and graphviz

pkgbase=linux-hardened-ck
_majver=5.0
_minver=10
_pkgver=${_majver}.${_minver}
_hardenedver=a
_ckpatchversion=1
_ckpatch="patch-5.0-ck${_ckpatchversion}"
_gcc_more_v='20180509'
_srcname=linux-${_pkgver}
pkgver=${_pkgver}.${_hardenedver}
pkgrel=1
url='https://github.com/anthraxx/linux-hardened'
#url='http://ck.kolivas.org/patches/'
arch=('x86_64')
license=('GPL2')
makedepends=('xmlto' 'kmod' 'inetutils' 'bc' 'libelf')
conflicts=('linux-libre-hardened-ck')
options=('!strip')
source=(
        https://www.kernel.org/pub/linux/kernel/v5.x/linux-$_pkgver.tar.{xz,sign}
        https://github.com/anthraxx/linux-hardened/releases/download/${pkgver}/linux-hardened-${pkgver}.patch{,.sig}
        remove-excess-ck-extraversion.patch
        modify-ck-for-hardened.patch
        http://ck.kolivas.org/patches/5.0/${_majver}/${_majver}-ck${_ckpatchversion}/${_ckpatch}.xz
        enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz
        bdver2-fix-for-graysky.patch
        ath9k-regdom-hack.patch
        raid6-default-algo.patch
        config.x86_64  # the main kernel config files
        60-linux.hook  # pacman hook for depmod
        90-linux.hook  # pacman hook for initramfs regeneration
        linux.preset   # standard config files for mkinitcpio ramdisk
       )
sha256sums=('ea1c1323c2c7e70bebf5463619b543f9bc353730b44ac62d9efadd4fe5625e76'
            'SKIP'
            'da6aff1ea5e2c39987fea2fc5a67b7ef5419a6ba9ed728c94f89ce888b543a12'
            'SKIP'
            '2a551169f8cbb424900372fe698ae9003fbcad3614a46ca3f56b103f9c1ea763'
            'b6defd1ef672b73631ecfa79fc204d6219175f333b53d86af668c1e1a9b6288e'
            '661f64bbd8bf49afcc7c760c4148b2e2108511a1eadcae917cfe6056a83d8476'
            '226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d'
            'd35338c92d0dbf27ffedaf100bd852dd13fd9b5d49b12a10b91194a2ae654447'
            'e7ebf050c22bcec0028c0b3c79fd6d3913b0370ecc6a23dfe78ce475630cf503'
            '0f81d6e4158b7beeb0eb514f1b9401f7e23699cb0f7b0d513e25dae1815daaeb'
            '2cfaad4fccd60af062761bba0549f817d2d7efe0c603c529c9b5b2f8bbb9f011'
            'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
            '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
            'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65')
validpgpkeys=(
              'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
              '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
              'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak
             )

_kernelname=${pkgbase#linux}
: ${_kernelname:=-hardened}

prepare() {
  cd $_srcname

#  # add upstream patch
#  msg2 "Applying upstream patch"
#  patch -Np1 < ../patch-${_majver}-${_pkgver}

  # Hotfixes
  # msg2 "Applying hotfixes"

  # linux hardened patch
  msg2 "Applying hardened patch"
  patch -Np1 < ../linux-hardened-${pkgver}.patch

  # ck hotfixes
  msg2 "Applying ck patch hotfixes"
  patch -p1 -i ../remove-excess-ck-extraversion.patch "$srcdir/${_ckpatch}"
  patch -p1 -i ../modify-ck-for-hardened.patch "$srcdir/${_ckpatch}"
  sed -i '/-CFLAGS/ s/$/ \$(LIBELF_FLAGS)/' "$srcdir/${_ckpatch}"

  # ck patch
  msg2 "Applying ck patch"
  patch -F 3 -Np1 -i ../${_ckpatch}

  # graysky2 gcc patch
  msg2 "Applying graysky2 cpu patch"
  patch -p1 -i ../kernel_gcc_patch-${_gcc_more_v}/enable_additional_cpu_optimizations_for_gcc_v8.1+_kernel_v4.13+.patch

  # Fix stack warnings and ldconfig segfaults on bdver2 with graysky2 gcc patch
  msg2 "Applying bdver2 fix for graysky2 cpu patch"
  patch -p1 -i ../bdver2-fix-for-graysky.patch

  # Ignore ath9k eeprom patch
  msg2 "Applying ath9k patch"
  patch -p1 -i ../ath9k-regdom-hack.patch

  # Set default raid6 algo patch
  msg2 " Applying raid6 patch"
  patch -p1 -i ../raid6-default-algo.patch


  msg2 "Setting version..."
  sed -e "/^EXTRAVERSION =/s/=.*/= .${_hardenedver}/" -i Makefile
  scripts/setlocalversion --save-scmversion
  echo "-$pkgrel" > localversion.10-pkgrel
  echo "$_kernelname" > localversion.20-pkgname


  msg2 "Setting config..."
  # we are in src/linux-x.yy.zz, looking for a config next to the pkgbuild
  if [ -f ${SRCDEST}/config.hardened-ck.previous ]; then
    cp ${SRCDEST}/config.hardened-ck.previous .config
  else
    cp ../config.x86_64 .config
  fi

  make olddefconfig

  make menuconfig

  # Remove sublevel when no sublevel exists
#   sed -i '/SUBLEVEL = 0/d' Makefile

  make -s kernelrelease > ../version

  # workaround for make -s kernelrelease not applying
  # localversion to version when changed using menuconfig
  grep -Po '(?<=CONFIG_LOCALVERSION=").*(?=")' .config > ../localversion
  echo "$_pkgver" > ../version.temp
  echo ".$_hardenedver" >> ../version.temp
  cat "localversion.10-pkgrel" >> ../version.temp
  cat "localversion.20-pkgname" >> ../version.temp
  cat ../localversion >> ../version.temp
  cat ../version.temp | tr -d "\n" > ../version

  # back up the config
  msg2 "Backing up config..."
  cp .config ${SRCDEST}/config.hardened-ck.previous

  msg2 "Prepared %s version %s" "$pkgbase" "$(<../version)"
}

build() {
  cd $_srcname
  make bzImage modules
}

_package() {
  pkgdesc="The ${pkgbase/linux/Linux} kernel and modules"
  [[ $pkgbase = linux ]] && groups=(base)
  depends=(coreutils linux-firmware kmod mkinitcpio)
  optdepends=('crda: to set the correct wireless channels of your country'
              'usbctl: deny_new_usb control')
  backup=("etc/mkinitcpio.d/$pkgbase.preset")
  install=linux.install

  local kernver="$(<version)"
  local modulesdir="$pkgdir/usr/lib/modules/$kernver"

  cd $_srcname

  msg2 "Installing boot image..."
  install -Dm644 "$(make -s image_name)" "$pkgdir/boot/vmlinuz-$pkgbase"

  msg2 "Installing modules..."
  mkdir -p "$modulesdir"
  make INSTALL_MOD_PATH="$pkgdir/usr" modules_install

  # a place for external modules,
  # with version file for building modules and running depmod from hook
  local extramodules="extramodules$_kernelname"
  local extradir="$pkgdir/usr/lib/modules/$extramodules"
  install -Dt "$extradir" -m644 ../version
  ln -sr "$extradir" "$modulesdir/extramodules"

  # remove build and source links
  rm "$modulesdir"/{source,build}

  msg2 "Installing hooks..."
  # sed expression for following substitutions
  local subst="
    s|%PKGBASE%|$pkgbase|g
    s|%KERNVER%|$kernver|g
    s|%EXTRAMODULES%|$extramodules|g
  "

  # hack to allow specifying an initially nonexisting install file
  sed "$subst" "$startdir/$install" > "$startdir/$install.pkg"
  true && install=$install.pkg

  # fill in mkinitcpio preset and pacman hooks
  sed "$subst" ../linux.preset | install -Dm644 /dev/stdin \
    "$pkgdir/etc/mkinitcpio.d/$pkgbase.preset"
  sed "$subst" ../60-linux.hook | install -Dm644 /dev/stdin \
    "$pkgdir/usr/share/libalpm/hooks/60-$pkgbase.hook"
  sed "$subst" ../90-linux.hook | install -Dm644 /dev/stdin \
    "$pkgdir/usr/share/libalpm/hooks/90-$pkgbase.hook"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

_package-headers() {
  pkgdesc="Header files and scripts for building modules for ${pkgbase/linux/Linux} kernel"

  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  cd $_srcname

  msg2 "Installing build files..."
  install -Dt "$builddir" -m644 Makefile .config Module.symvers System.map vmlinux
  install -Dt "$builddir/kernel" -m644 kernel/Makefile
  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
  cp -t "$builddir" -a scripts

  # add objtool for external module building and enabled VALIDATION_STACK option
  if [[ -e tools/objtool/objtool ]]; then
    install -Dt "$builddir/tools/objtool" tools/objtool/objtool
  fi

  # add xfs and shmem for aufs building
  mkdir -p "$builddir"/{fs/xfs,mm}

  # ???
  mkdir "$builddir/.tmp_versions"

  msg2 "Installing headers..."
  cp -t "$builddir" -a include
  cp -t "$builddir/arch/x86" -a arch/x86/include
  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s

  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h

  # http://bugs.archlinux.org/task/13146
  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h

  # http://bugs.archlinux.org/task/20402
  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h

  msg2 "Installing KConfig files..."
  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;

  msg2 "Removing unneeded architectures..."
  local arch
  for arch in "$builddir"/arch/*/; do
    [[ $arch = */x86/ ]] && continue
    echo "Removing $(basename "$arch")"
    rm -r "$arch"
  done

  msg2 "Removing documentation..."
  rm -r "$builddir/Documentation"

  msg2 "Removing broken symlinks..."
  find -L "$builddir" -type l -printf 'Removing %P\n' -delete

  msg2 "Removing loose objects..."
  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete

  msg2 "Stripping build tools..."
  local file
  while read -rd '' file; do
    case "$(file -bi "$file")" in
      application/x-sharedlib\;*)      # Libraries (.so)
        strip -v $STRIP_SHARED "$file" ;;
      application/x-archive\;*)        # Libraries (.a)
        strip -v $STRIP_STATIC "$file" ;;
      application/x-executable\;*)     # Binaries
        strip -v $STRIP_BINARIES "$file" ;;
      application/x-pie-executable\;*) # Relocatable binaries
        strip -v $STRIP_SHARED "$file" ;;
    esac
  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)

  msg2 "Adding symlink..."
  mkdir -p "$pkgdir/usr/src"
  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase-$pkgver"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

pkgname=("$pkgbase" "$pkgbase-headers")
for _p in "${pkgname[@]}"; do
  eval "package_$_p() {
    $(declare -f "_package${_p#$pkgbase}")
    _package${_p#$pkgbase}
  }"
done

# vim:set ts=8 sts=2 sw=2 et: