Arch Linux User Repository

Adding

scripts/config --disable CONFIG_IMA_ARCH_POLICY

to myconfig does solve the "Failed to insert module 'nvidia': Key was rejected by service" problem.

Anyone who configured secure boot using sbctl and want to load dkms modules can try this solution.

This package have several variables to enable/disable features.

##
## The following variables can be customized at build time. Use env or export to change at your wish
##
##   Example: env _microarchitecture=98 use_numa=n use_tracers=n makepkg -sc
##
## Look inside 'choose-gcc-optimization.sh' to choose your microarchitecture
## Valid numbers between: 0 to 99
## Default is: 0 => generic
## Good option if your package is for one machine: 98 (Intel native) or 99 (AMD native)
if [ -z ${_microarchitecture+x} ]; then
  _microarchitecture=0
fi

## Disable NUMA since most users do not have multiple processors. Breaks CUDA/NvEnc.
## Archlinux and Xanmod enable it by default.
## Set variable "use_numa" to: n to disable (possibly increase performance)
##                             y to enable  (stock default)
if [ -z ${use_numa+x} ]; then
  use_numa=y
fi

## Since upstream disabled CONFIG_STACK_TRACER (limits debugging and analyzing of the kernel)
## you can enable them setting this option. Caution, because they have an impact in performance.
## Stock Archlinux has this enabled. 
## Set variable "use_tracers" to: n to disable (possibly increase performance, XanMod default)
##                                y to enable  (Archlinux default)
if [ -z ${use_tracers+x} ]; then
  use_tracers=n
fi

# Unique compiler supported upstream is GCC
## Choose between GCC and CLANG config (default is GCC)
## Use the environment variable "_compiler=clang"
if [ "${_compiler}" = "clang" ]; then
  _compiler_flags="CC=clang HOSTCC=clang LLVM=1 LLVM_IAS=1"
fi

# Choose between the 4 main configs for stable branch. Default x86-64-v1 which use CONFIG_GENERIC_CPU2:
# Possible values: config_x86-64-v1 (default) / config_x86-64-v2 / config_x86-64-v3 / config_x86-64-v4
# This will be overwritten by selecting any option in microarchitecture script
# Source files: https://github.com/xanmod/linux/tree/5.17/CONFIGS/xanmod/gcc
if [ -z ${_config+x} ]; then
  _config=config_x86-64-v1
fi

# Compress modules with ZSTD (to save disk space)
if [ -z ${_compress_modules+x} ]; then
  _compress_modules=n
fi

# Compile ONLY used modules to VASTLY reduce the number of modules built
# and the build time.
#
# To keep track of which modules are needed for your specific system/hardware,
# give module_db script a try: https://aur.archlinux.org/packages/modprobed-db
# This PKGBUILD read the database kept if it exists
#
# More at this wiki page ---> https://wiki.archlinux.org/index.php/Modprobed-db
if [ -z ${_localmodcfg} ]; then
  _localmodcfg=n
fi

# Tweak kernel options prior to a build via nconfig
if [ -z ${_makenconfig} ]; then
  _makenconfig=n
fi

Personally I'm running now xanmod kernel compiled with this:

env _microarchitecture=98 use_tracers=n use_numa=n _localmodcfg=y _compress_modules=y makepkg -sic

Also, you can now create the file myconfig in your local repo to build this package with a custom config or use ${XDG_CONFIG_HOME}/linux-xanmod/myconfig. This file can be a full kernel config or be a script with several entries to add/remove options (you have several examples in PKGBUILD by using scripts/config):

Code involved:

  for _myconfig in "${SRCDEST}/myconfig" "${HOME}/.config/linux-xanmod/myconfig" "${XDG_CONFIG_HOME}/linux-xanmod/myconfig" ; do
    if [ -f "${_myconfig}" ] && [ "$(wc -l <"${_myconfig}")" -gt "0" ]; then
      if grep -q 'scripts/config' "${_myconfig}"; then
        # myconfig is a partial file. Executing as a script
        msg2 "Applying myconfig..."
        bash -x "${_myconfig}"
      else
        # myconfig is a full config file. Replacing default .config
        msg2 "Using user CUSTOM config..."
        cp -f "${_myconfig}" .config
      fi
      echo
      break
    fi
  done

Could you add bootsplash patches from manjaro kernel? https://gitlab.manjaro.org/packages/core/linux58

Running into an issue with "(builtin)"

loading packages... warning: linux-xanmod-5.8.0-2 is up to date -- reinstalling warning: linux-xanmod-headers-5.8.0-2 is up to date -- reinstalling resolving dependencies... looking for conflicting packages...

Packages (2) linux-xanmod-5.8.0-2 linux-xanmod-headers-5.8.0-2

Total Installed Size: 458.28 MiB Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] y (2/2) checking keys in keyring [###############################################] 100% (2/2) checking package integrity [###############################################] 100% (2/2) loading package files [###############################################] 100% (2/2) checking for file conflicts [###############################################] 100% (2/2) checking available disk space [###############################################] 100% :: Running pre-transaction hooks... (1/1) Save Linux kernel modules :: Processing package changes... (1/2) reinstalling linux-xanmod [###############################################] 100% (2/2) reinstalling linux-xanmod-headers [###############################################] 100% :: Running post-transaction hooks... (1/5) Arming ConditionNeedsUpdate... (2/5) Updating module dependencies... (3/5) Updating linux initcpios... ==> Building image from preset: /etc/mkinitcpio.d/linux-xanmod.preset: 'default' -> -k /boot/vmlinuz-linux-xanmod -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-xanmod.img ==> Starting build: 5.8.0-xanmod2-2-xanmod -> Running build hook: [base] -> Running build hook: [udev] -> Running build hook: [autodetect] -> Running build hook: [modconf] -> Running build hook: [block] ==> WARNING: Possibly missing firmware for module: xhci_pci -> Running build hook: [keyboard] -> Running build hook: [keymap] -> Running build hook: [encrypt] -> Running build hook: [lvm2] -> Running build hook: [openswap] -> Running build hook: [resume] -> Running build hook: [filesystems] cp: cannot stat '(builtin)': No such file or directory ==> Generating module dependencies ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-xanmod.img ==> WARNING: errors were encountered during the build. The image may not be complete. ==> Building image from preset: /etc/mkinitcpio.d/linux-xanmod.preset: 'fallback' -> -k /boot/vmlinuz-linux-xanmod -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-xanmod-fallback.img -S autodetect ==> Starting build: 5.8.0-xanmod2-2-xanmod -> Running build hook: [base] -> Running build hook: [udev] -> Running build hook: [modconf] -> Running build hook: [block] ==> WARNING: Possibly missing firmware for module: xhci_pci -> Running build hook: [keyboard] -> Running build hook: [keymap] -> Running build hook: [encrypt] -> Running build hook: [lvm2] -> Running build hook: [openswap] -> Running build hook: [resume] -> Running build hook: [filesystems] cp: cannot stat '(builtin)': No such file or directory ==> Generating module dependencies ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-xanmod-fallback.img ==> WARNING: errors were encountered during the build. The image may not be complete. error: command failed to execute correctly (4/5) Updating Grub-Bootmenu Generating grub configuration file ... Found theme: /usr/share/grub/themes/manjaro/theme.txt Found linux image: /boot/vmlinuz-linux-xanmod Found initrd image: /boot/amd-ucode.img /boot/initramfs-linux-xanmod.img Found initrd fallback image: /boot/initramfs-linux-xanmod-fallback.img Found linux image: /boot/vmlinuz-5.6-x86_64 Found initrd image: /boot/amd-ucode.img /boot/initramfs-5.6-x86_64.img Found initrd fallback image: /boot/initramfs-5.6-x86_64-fallback.img Adding boot menu entry for UEFI Firmware Settings ... Found memtest86+ image: /boot/memtest86+/memtest.bin done (5/5) Restore Linux kernel modules

==> Warning: -> This computer hasn't been restarted for a while. -> You are running an old kernel. In order to use a -> new version of the kernel, please restart your -> computer as soon as possible.

The git clone procedure worked. It pulls a new 0001-ZEN...patch file.

The problem that I have been reporting here is that the PKGBUILD file is downloading an older 0001-ZEN...patch file. So if one starts just with a PKGBUILD file makepkg will fail because of that old 0001-ZEN...patch file.

Usually, you need to clone the repo and build:

$ git clone https://aur.archlinux.org/linux-xanmod.git
$ cd linux-xanmod
$ makepkg -sic

that way you build standard package. If you want custom options:

_microarchitecture=42 use_numa=n use_tracers=n use_ns=y makepkg -sic

When a new release came up, just:

$ cd linux-xanmod
$ git pull
$ makepkg -sic

@figue:

I do not know what to do. I take the latest PKGBUILD here from this webpage: https://aur.archlinux.org/packages/linux-xanmod/

It downloads a patch file which is not working:

    '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch::https://aur.archlinux.org/cgit/aur.git/plain/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch?h=linux-ck&id=616ec1bb1f2c0fc42b6fb5c20995996897b4f43b')

@mabod please update your local repo, I have fixed the patch a few days ago... Compare sums:

figue@pluto ~/packages-figue/linux-xanmod
 % LC_ALL=C makepkg -g
==> Retrieving sources...
  -> Found linux-5.8.tar.xz
  -> Found linux-5.8.tar.sign
  -> Found patch-5.8.0-xanmod2.xz
  -> Found choose-gcc-optimization.sh
  -> Found 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch
==> Generating checksums for source files...
sha256sums=('e7f75186aa0642114af8f19d99559937300ca27acaf7451b36d4f9b0f85cf1f5'
            'SKIP'
            'c4f5fea00eed0dd0809f5ce7cefff1af0a6ab70a27c9f9cceade88f3c2ba531d'
            '2c7369218e81dee86f8ac15bda741b9bb34fa9cefcb087760242277a8207d511'
            '6c66dba73251440352f93ff32b72f5dd49536d0f17ef9347867660fd3a626991')

for xanmod kernel 5.8 the patch 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch is giving an error:

-> Applying patch 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch... patching file init/Kconfig Hunk #1 succeeded at 1153 (offset 35 lines). patching file kernel/fork.c Hunk #2 succeeded at 1867 (offset 83 lines). Hunk #3 succeeded at 2971 (offset 126 lines). patching file kernel/sysctl.c Hunk #1 FAILED at 110. Hunk #2 succeeded at 1882 (offset 1336 lines). 1 out of 2 hunks FAILED -- saving rejects to file kernel/sysctl.c.rej patching file kernel/user_namespace.c ==> ERROR: A failure occurred in prepare(). Aborting...

The rejection looks like this:

--- kernel/sysctl.c +++ kernel/sysctl.c @@ -110,6 +110,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif +#ifdef CONFIG_USER_NS +extern int unprivileged_userns_clone; +#endif extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction;

Compiling Xanmod 5.8 with use_ns=y results in an error.

@figue Could you update this to Linux Xanmod 5.8?