# Maintainer: jc_gargma <jc_gargma@iserlohn-fortress.net>
# Maintainer (Arch): Levente Polyak <anthraxx[at]archlinux[dot]org>
# Contributor: Aqua-sama <aqua@iserlohn-fortress.net>
# Contributor (Arch): Daniel Micay <danielmicay@gmail.com>
# Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
# Contributor (Arch): Thomas Baechler <thomas@archlinux.org>

# # I maintain this because:
# Parabola version patch script does not apply consistently
# Parabola version lacks graysky gcc patch
# Parabola version lacks ath9k regdom and raid6 algo patches
# Parabola version is 300 Hz
# Parabola version does not disable lockdown eee
# Parabola version does not disable hdcp
# Parabola version does not disable IME/PSP/TEE/SEV
# Parabola version does not disable insecure filesystems
# Parabola version does not disable VMware and HyperV

_pkgbase=linux-hardened
pkgbase=linux-libre-hardened
_supver=5
_majver=10
_minver=5
_hardenedver=a
_gccpatchver='20201113'
_gccpatchger='10.1'
_gccpatchker='5.8'
  if [ "$_minver" == "0" ]; then
    _pkgver=${_supver}.${_majver}
  else
    _pkgver=${_supver}.${_majver}.${_minver}
  fi
pkgver=${_pkgver}.${_hardenedver}
pkgrel=1
pkgdesc='Security-Hardened Linux-libre'
url='https://github.com/anthraxx/linux-hardened'
arch=(x86_64)
license=(GPL2)
makedepends=(
  bc kmod libelf pahole cpio perl tar xz
  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick
)
#provides=('linux-libre-hardened')
conflicts=('linux-hardened')
options=('!strip')
_srcname=linux-${_supver}.${_majver}
_gnumajver=${_supver}.${_majver}-gnu
_gnupkgver=${_pkgver}-gnu
source=(
  https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnumajver}/linux-libre-${_gnumajver}.tar.xz{,.sign}
  https://github.com/anthraxx/${_pkgbase}/releases/download/${pkgver}/${_pkgbase}-${pkgver}.patch{,.sig}
  config         # the main kernel config file
  0002-Bluetooth-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch
  0003-HID-quirks-Add-Apple-Magic-Trackpad-2-to-hid_have_special_driver-list.patch
  0004-btrfs-Fix-500-2000-performance-regression-w-5.10.patch
  0005-iwlwifi-Fix-regression-from-UDP-segmentation-support.patch
  0006-ALSA-hda-hdmi-fix-incorrect-mutex-unlock-in-silent_stream_disable.patch
  0007-Revert-drm-amd-display-Fix-memory-leaks-in-S3-resume.patch
  kernel_gcc_patch-${_gccpatchver}.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/${_gccpatchver}.tar.gz
  ath9k-regdom-hack.patch
  raid6-default-algo.patch
)
  if [ "$_minver" != "0" ]; then
    source+=(https://linux-libre.fsfla.org/pub/linux-libre/releases/${_gnupkgver}/patch-${_gnumajver}-${_gnupkgver}.xz{,.sign})
  fi
validpgpkeys=(
  '474402C8C582DAFBE389C427BCB7CF877E7D47A7'  # Alexandre Oliva
  'E240B57E2C4630BA768E2F26FC1B547C8D8172C8'  # Levente Polyak
)
b2sums=('86103699a6bc906e85429430df098b0ddb7cfc8c887f98b37f994498388d634554e119eadb1b15f591bdf4f463e7efb7420e3e370af0029b7ed9e988a5f26b01'
        'SKIP'
        '2789952a07877b9cfca1395b6d6ea247affa01e6570a93b767993e0d1641548214b27c6c763a014aa4a576b0e77f16898d14f7769844374764dac2dc8b60750d'
        'SKIP'
        '07d524ad5cd6470c55f9b3d09939436e8a1649cc142d66ae746d80ae58d09c887519049ee7106e35b3f43ab883d330c1c7a9829d1a913be75ec307f90d181e03'
        '92b212fc863b86e795ce4b122372ebe7feae04e31a39b7edcf9f7f25552f936ad1de4b2c7a226feab9d61868a8590550c39c2bd893f4bdabc62a750fab9cc391'
        'd8297e09f552a2d6bb24c2ba10481fd2b407057f3b24278e72a89233473460d339c83838791989773623178b5af80588fb4c484da2931f1040e313cce7ceca00'
        'b00c189e803e9469cece5906af28f086b10cfb228eec694b95a47625ecbd345a443609349f4fda5b340ef5e9834a41c5cae60400cf8fbdd1c23b6cb24e17dbe3'
        '15d9b32ff1ad4c897b097173de259cdb89bbbf6ab0230faf4557eca511a59c1f2c76b85be30d25cf9534f91e1af43e72d072bc82dbf2219eadf772822f573d38'
        'f5cebaad0bc7188a88444ce3b07f80e98414422d2cc18c251698f8694772ed39a4e22b3fe6702aa21dc4764ff727e4fbebafb501e260b52a36c9feef0fe8537a'
        '6db620d44c908f14fec4dd74b345ee2829fff1fad8783deb3c31cc9c4e298c269711dcc478dfd72c72a5d8b36447d6ff892589eb322bf0811810cd861805d3eb'
        '7f1eb5938472f57748216bd00e0c875feab99fc1c5cb89babfea467ee30ca5c8e9fc5a691efe2e602bef1ea79820c5383822d7cec354b48d23321ccda8ee8127'
        'b6ef77035611139fa9a6d5b8d30570e2781bb4da483bb569884b0bd0129b62e0b82a5a6776fefe43fee801c70d39de1ea4d4c177f7cedd5ac135e3c64f7b895a'
        'fde132f3705d908e6f2147c78a2193289916d72304ca5efa2229d79fc3e57a857314ce94e71425caef2f7f7b6cf87f05ef86335dc8bd4be78e7035afe608005a'
        '32bee208f2692952f3d2d4c9edd312b1d3a6612fa0e041336c81c934e98e59fa5108ebc955482d1b0d9220dd78e74521bd382eb634d15636829783c7f697d7b3'
        'SKIP')

export KBUILD_BUILD_HOST=arc4linux
export KBUILD_BUILD_USER=$pkgbase
export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"

prepare() {
  cd $_srcname

  # add upstream patch
  if [ "$_minver" != "0" ]; then
    echo "Applying upstream patch"
    patch -Np1 < ../patch-${_gnumajver}-${_gnupkgver}
  fi


  # Hotfixes
  echo "Applying hotfixes"
  patch -p1 -i ../0002-Bluetooth-Fix-attempting-to-set-RPA-timeout-when-unsupported.patch
  patch -p1 -i ../0003-HID-quirks-Add-Apple-Magic-Trackpad-2-to-hid_have_special_driver-list.patch
  patch -p1 -i ../0004-btrfs-Fix-500-2000-performance-regression-w-5.10.patch
  patch -p1 -i ../0005-iwlwifi-Fix-regression-from-UDP-segmentation-support.patch
  patch -p1 -i ../0006-ALSA-hda-hdmi-fix-incorrect-mutex-unlock-in-silent_stream_disable.patch
  patch -p1 -i ../0007-Revert-drm-amd-display-Fix-memory-leaks-in-S3-resume.patch


  # linux hardened patch
  echo "Applying hardened patch"
  patch -Np1 < ../linux-hardened-${pkgver}.patch


  # graysky gcc patch
  echo "Applying graysky gcc patch"
  patch -p1 -i ../kernel_gcc_patch-${_gccpatchver}/enable_additional_cpu_optimizations_for_gcc_v${_gccpatchger}+_kernel_v${_gccpatchker}+.patch


  # Ignore ath9k eeprom patch
  echo "Applying ath9k patch"
  patch -p1 -i ../ath9k-regdom-hack.patch

  # Set default raid6 algo patch
  echo " Applying raid6 patch"
  patch -p1 -i ../raid6-default-algo.patch


  echo "Setting version..."
  sed -e "/^EXTRAVERSION =/s/=.*/= .${_hardenedver}/" -i Makefile
  scripts/setlocalversion --save-scmversion
  echo "-$pkgrel" > localversion.10-pkgrel
  echo "${pkgbase#linux}" > localversion.20-pkgname


  echo "Setting config..."
  # we are in src/linux-x.yy.zz, looking for a config next to the pkgbuild
#  if [ -f ${SRCDEST}/config.libre-hardened.previous ]; then
#    cp ${SRCDEST}/config.libre-hardened.previous .config
#  else
    cp ../config .config
#  fi

  make olddefconfig

#  make menuconfig

  # Remove sublevel when no sublevel exists
  if [ "$_minver" == "0" ]; then
    sed -i '/SUBLEVEL = 0/d' Makefile
  fi

  make -s kernelrelease > version

  # workaround for make -s kernelrelease not applying
  # localversion to version when changed using menuconfig
  grep -Po '(?<=CONFIG_LOCALVERSION=").*(?=")' .config > ../localversion
  echo "$_pkgver" > ../version.temp
  echo ".$_hardenedver" >> ../version.temp
  cat "localversion.10-pkgrel" >> ../version.temp
  cat "localversion.20-pkgname" >> ../version.temp
  cat ../localversion >> ../version.temp
  cat ../version.temp | tr -d "\n" > version

  # back up the config
#  echo "Backing up config..."
#  cp .config ${SRCDEST}/config.libre-hardened.previous

  echo "Prepared $pkgbase version $(<version)"
}

build() {
  cd $_srcname
  make all
  make htmldocs
}

_package() {
  pkgdesc="The $pkgdesc kernel and modules"
  depends=(coreutils kmod initramfs)
  optdepends=('crda: to set the correct wireless channels of your country'
              'linux-libre-firmware: firmware images needed for some devices'
              'usbctl-libre: deny_new_usb control')
  provides=(VIRTUALBOX-GUEST-MODULES WIREGUARD-MODULE)
  replaces=(virtualbox-guest-modules-arch wireguard-arch)

  cd $_srcname
  local kernver="$(<version)"
  local modulesdir="$pkgdir/usr/lib/modules/$kernver"

  echo "Installing boot image..."
  # systemd expects to find the kernel here to allow hibernation
  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"

  # Used by mkinitcpio to name the kernel
  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"

  echo "Installing modules..."
  make INSTALL_MOD_PATH="$pkgdir/usr" INSTALL_MOD_STRIP=1 modules_install

  # remove build and source links
  rm "$modulesdir"/{source,build}
}

_package-headers() {
  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  echo "Installing build files..."
  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
    localversion.* version vmlinux
  install -Dt "$builddir/kernel" -m644 kernel/Makefile
  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
  cp -t "$builddir" -a scripts

  # add objtool for external module building and enabled VALIDATION_STACK option
  if [[ -e tools/objtool/objtool ]]; then
    install -Dt "$builddir/tools/objtool" tools/objtool/objtool
  fi

  # add xfs and shmem for aufs building
  mkdir -p "$builddir"/{fs/xfs,mm}

  echo "Installing headers..."
  cp -t "$builddir" -a include
  cp -t "$builddir/arch/x86" -a arch/x86/include
  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s

  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h

  # http://bugs.archlinux.org/task/13146
  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h

  # http://bugs.archlinux.org/task/20402
  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h

  echo "Installing KConfig files..."
  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;

  echo "Removing unneeded architectures..."
  local arch
  for arch in "$builddir"/arch/*/; do
    [[ $arch = */x86/ ]] && continue
    echo "Removing $(basename "$arch")"
    rm -r "$arch"
  done

  echo "Removing documentation..."
  rm -r "$builddir/Documentation"

  echo "Removing broken symlinks..."
  find -L "$builddir" -type l -printf 'Removing %P\n' -delete

  echo "Removing loose objects..."
  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete

  echo "Stripping build tools..."
  local file
  while read -rd '' file; do
    case "$(file -bi "$file")" in
      application/x-sharedlib\;*)      # Libraries (.so)
        strip -v $STRIP_SHARED "$file" ;;
      application/x-archive\;*)        # Libraries (.a)
        strip -v $STRIP_STATIC "$file" ;;
      application/x-executable\;*)     # Binaries
        strip -v $STRIP_BINARIES "$file" ;;
      application/x-pie-executable\;*) # Relocatable binaries
        strip -v $STRIP_SHARED "$file" ;;
    esac
  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)

  echo "Stripping vmlinux..."
  strip -v $STRIP_STATIC "$builddir/vmlinux"

  echo "Adding symlink..."
  mkdir -p "$pkgdir/usr/src"
  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
}

_package-docs() {
  pkgdesc="Documentation for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  echo "Installing documentation..."
  local src dst
  while read -rd '' src; do
    dst="${src#Documentation/}"
    dst="$builddir/Documentation/${dst#output/}"
    install -Dm644 "$src" "$dst"
  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)

  echo "Adding symlink..."
  mkdir -p "$pkgdir/usr/share/doc"
  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
}

pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
for _p in "${pkgname[@]}"; do
  eval "package_$_p() {
    $(declare -f "_package${_p#$pkgbase}")
    _package${_p#$pkgbase}
  }"
done