feat: add nvidia-open in build

.gitignore

@@ -19,10 +19,16 @@ src/*
 pkg/*
 */linux-5*/
 *.myfrag
-logs/*
+*.mypatch
+logs/
+*log.txt
 kernel_updates
 gnupg/
 *sha256sum*
 current_env
 linux-kernel.git/
 linux-src-git/
+kernelconfig.new
+minimal-modprobed.db
+*-tkg-userpatches/
+BIG_UGLY_FROGMINER

PKGBUILD

@@ -61,6 +61,7 @@ else
   pkgbase=linux"${_basever}"-tkg-"${_cpusched}"${_compiler_name}
 fi
 pkgname=("${pkgbase}" "${pkgbase}-headers")
+[ "$_nvidia_open" = "true" ] && pkgname+=("${pkgbase}-nvidia-open")
 pkgver="${_basekernel}"."${_sub}"
 pkgrel=273
 pkgdesc='Linux-tkg'
@@ -71,6 +72,17 @@ makedepends=('bison' 'xmlto' 'docbook-xsl' 'inetutils' 'bc' 'libelf' 'pahole' 'p
 if [ "$_compiler_name" = "-llvm" ]; then
   makedepends+=( 'lld' 'clang' 'llvm')
 fi
+
+# nvidia-open: source tarball and patches from Frogging-Family/nvidia-all
+_nv_open_pkg="NVIDIA-kernel-module-source-${_nvidia_open_version}"
+if [ "$_nvidia_open" = "true" ]; then
+  source+=(
+    "https://download.nvidia.com/XFree86/NVIDIA-kernel-module-source/${_nv_open_pkg}.tar.xz"
+    "0001-Enable-atomic-kernel-modesetting-by-default.patch::https://raw.githubusercontent.com/Frogging-Family/nvidia-all/master/patches/0001-Enable-atomic-kernel-modesetting-by-default.diff"
+    "0002-Add-IBT-support.patch::https://raw.githubusercontent.com/Frogging-Family/nvidia-all/master/patches/0002-Add-IBT-support.diff"
+  )
+  sha256sums+=('SKIP' 'SKIP' 'SKIP')
+fi
 optdepends=('schedtool')
 options=('!strip' 'docs')
 
@@ -87,11 +99,40 @@ prepare() {
   source "$_where"/BIG_UGLY_FROGMINER
   source "$_where"/linux-tkg-config/prepare
 
+  # Sanity checks for nvidia-open compatibility
+  if [ "$_nvidia_open" = "true" ] && { [ "$_numadisable" = "true" ] || [ "$_preempt_rt" = "1" ] || [ "$_preempt_rt_force" = "1" ]; }; then
+    [ "$_numadisable" = "true" ] && error "_nvidia_open=\"true\" requires _numadisable=\"false\" (NUMA enabled) for CUDA/NvEnc to work."
+    { [ "$_preempt_rt" = "1" ] || [ "$_preempt_rt_force" = "1" ]; } && error "_nvidia_open=\"true\" cannot be combined with PREEMPT_RT due to licensing issues."
+    return 1
+  fi
+
   rm -rf $pkgdir # Nuke the entire pkg folder so it'll get regenerated clean on next build
 
   ln -s "${_kernel_work_folder_abs}" "${srcdir}"
 
   _tkg_srcprep
+
+  # Apply nvidia-open patches if requested
+  if [ "$_nvidia_open" = "true" ]; then
+    local _nv_open_src="${srcdir}/${_nv_open_pkg}"
+    msg2 "NVIDIA-open-module source version ${_nvidia_open_version} will be built and installed alongside this kernel."
+    msg2 "Applying NVIDIA-open-module patches (${_nvidia_open_version})..."
+    patch -Np1 -i "${srcdir}/0001-Enable-atomic-kernel-modesetting-by-default.patch" -d "${_nv_open_src}/kernel-open"
+    patch -Np1 -i "${srcdir}/0002-Add-IBT-support.patch" -d "${_nv_open_src}"
+    # Kernel-version-specific NVIDIA build fix patch (e.g. 6.19, 7.0)
+    local _nv_open_fix
+    _nv_open_fix="$(find "$srcdir" -maxdepth 1 -name '*-nvidia-build-fix.patch' -print -quit)"
+    if [ -n "$_nv_open_fix" ]; then
+      msg2 "Applying NVIDIA-open-module build fix patch for ${_basekernel}..."
+      patch -Np1 -i "$_nv_open_fix" -d "${_nv_open_src}"
+    fi
+  fi
+
+  # Clone v4l2loopback source if requested
+  if [ "$_v4l2loopback" = "true" ]; then
+    msg2 "Cloning v4l2loopback source..."
+    git clone --depth=1 https://github.com/v4l2loopback/v4l2loopback.git "${srcdir}/v4l2loopback"
+  fi
 }
 
 build() {
@@ -146,6 +187,29 @@ build() {
     time ( make ${_force_all_threads} ${llvm_opt} LOCALVERSION= bzImage modules 2>&1 ) 3>&1 1>&2 2>&3
     return 0
   )
+
+  # Build nvidia-open modules
+  if [ "$_nvidia_open" = "true" ]; then
+    local _nv_open_src="${srcdir}/${_nv_open_pkg}"
+    local _kernuname
+    _kernuname="$(< "${_kernel_work_folder_abs}/include/config/kernel.release")"
+    local MODULE_FLAGS=(
+      KERNEL_UNAME="${_kernuname}"
+      IGNORE_PREEMPT_RT_PRESENCE=1
+      SYSSRC="${_kernel_work_folder_abs}"
+      SYSOUT="${_kernel_work_folder_abs}"
+      IGNORE_CC_MISMATCH=yes
+    )
+    msg2 "Building NVIDIA open kernel modules (${_nvidia_open_version})..."
+    CFLAGS= CXXFLAGS= LDFLAGS= make "${BUILD_FLAGS[@]}" "${MODULE_FLAGS[@]}" \
+      -C "${_nv_open_src}" -j"$(nproc)" modules
+  fi
+
+  # Build v4l2loopback module
+  if [ "$_v4l2loopback" = "true" ]; then
+    msg2 "Building v4l2loopback kernel module..."
+    make ${_force_all_threads} ${llvm_opt} -C "${_kernel_work_folder_abs}" M="${srcdir}/v4l2loopback" modules
+  fi
 }
 
 hackbase() {
@@ -192,6 +256,20 @@ hackbase() {
   # remove build and source links
   rm -f "$modulesdir"/{source,build}
 
+  # Re-sign modules after stripping (INSTALL_MOD_STRIP removes embedded signatures)
+  if [[ "$_RESIGN_AFTER_STRIP" == "true" ]] && [[ "$_STRIP" == "true" ]] && grep -q 'CONFIG_MODULE_SIG=y' "${_kernel_work_folder_abs}/.config"; then
+    msg2 "Re-signing kernel modules after strip..."
+    local sign_script="${_kernel_work_folder_abs}/scripts/sign-file"
+    local sign_key
+    sign_key="$(grep -Po 'CONFIG_MODULE_SIG_KEY="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+    [[ "$sign_key" =~ ^/ ]] || sign_key="${_kernel_work_folder_abs}/${sign_key}"
+    local sign_cert="${_kernel_work_folder_abs}/certs/signing_key.x509"
+    local hash_algo
+    hash_algo="$(grep -Po 'CONFIG_MODULE_SIG_HASH="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+    find "${modulesdir}" -type f -name '*.ko' \
+      -exec "${sign_script}" "${hash_algo}" "${sign_key}" "${sign_cert}" '{}' \;
+  fi
+
   # install cleanup pacman hook and script
   sed -e "s|cleanup|${pkgbase}-cleanup|g" "${srcdir}"/90-cleanup.hook |
     install -Dm644 /dev/stdin "${pkgdir}/usr/share/libalpm/hooks/90-${pkgbase}.hook"
@@ -219,6 +297,51 @@ hackbase() {
     msg2 "Installing udev rule for ntsync"
     install -Dm644 "${srcdir}"/ntsync.rules "${pkgdir}/etc/udev/rules.d/ntsync.rules"
   fi
+
+  # v4l2loopback
+  if [ "$_v4l2loopback" = "true" ]; then
+    msg2 "Installing v4l2loopback module..."
+    install -dm755 "${modulesdir}/extramodules"
+    install -m644 "${srcdir}/v4l2loopback/v4l2loopback.ko" "${modulesdir}/extramodules/"
+
+    # Strip module
+    local strip_bin="strip"
+    [ "$_compiler_name" = "-llvm" ] && strip_bin="llvm-strip"
+    "${strip_bin}" --strip-debug "${modulesdir}/extramodules/v4l2loopback.ko"
+
+    # Sign module
+    if [[ "$_v4l2loopback_sign_modules" == "true" ]]; then
+      if ! grep -q 'CONFIG_MODULE_SIG=y' "${_kernel_work_folder_abs}/.config"; then
+        warning "_v4l2loopback_sign_modules is enabled but CONFIG_MODULE_SIG=y is not set in .config — skipping module signing."
+      else
+        local sign_script="${_kernel_work_folder_abs}/scripts/sign-file"
+        local sign_key
+        sign_key="$(grep -Po 'CONFIG_MODULE_SIG_KEY="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+        [[ "$sign_key" =~ ^/ ]] || sign_key="${_kernel_work_folder_abs}/${sign_key}"
+        local sign_cert="${_kernel_work_folder_abs}/certs/signing_key.x509"
+        local hash_algo
+        hash_algo="$(grep -Po 'CONFIG_MODULE_SIG_HASH="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+
+        if [[ ! -f "$sign_key" ]]; then
+          warning "Module signing key not found: ${sign_key} — skipping module signing."
+        elif [[ ! -f "$sign_cert" ]]; then
+          warning "Module signing certificate not found: ${sign_cert} — skipping module signing."
+        else
+          msg2 "Signing v4l2loopback kernel module..."
+          "${sign_script}" "${hash_algo}" "${sign_key}" "${sign_cert}" "${modulesdir}/extramodules/v4l2loopback.ko"
+        fi
+      fi
+    fi
+
+    # Compress module
+    zstd --rm -19 -T0 "${modulesdir}/extramodules/v4l2loopback.ko"
+
+    # Auto-load v4l2loopback at boot
+    echo "v4l2loopback" | install -Dm644 /dev/stdin "${pkgdir}/etc/modules-load.d/v4l2loopback-${pkgbase}.conf"
+
+    # Clean up cloned source
+    rm -rf "${srcdir}/v4l2loopback"
+  fi
 }
 
 hackheaders() {
@@ -245,6 +368,12 @@ hackheaders() {
   install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
   cp -t "$builddir" -a scripts
 
+  # Module signing keys for later out-of-tree module signing
+  if [[ "$_signing_keys" == "true" ]] && [[ -f "certs/signing_key.pem" ]]; then
+    msg2 "Installing module signing keys..."
+    install -Dt "$builddir/certs" -m 400 certs/signing_key.pem certs/signing_key.x509
+  fi
+
   # add objtool for external module building and enabled VALIDATION_STACK option
   install -Dt "$builddir/tools/objtool" tools/objtool/objtool
 
@@ -316,11 +445,74 @@ hackheaders() {
     strip -v $STRIP_STATIC "$builddir/vmlinux"
   fi
 
-  if [ "$_NUKR" = "true" ]; then
+  # Skip srcdir cleanup if nvidia-open package still needs it (runs after headers)
+  if [ "$_NUKR" = "true" ] && [ "$_nvidia_open" != "true" ]; then
     rm -rf "$srcdir" # Nuke the entire src folder so it'll get regenerated clean on next build
   fi
 }
 
+hacknvidia_open() {
+  source "$_where"/BIG_UGLY_FROGMINER
+
+  pkgdesc="NVIDIA open kernel modules (${_nvidia_open_version}) for the $pkgdesc kernel - https://github.com/Frogging-Family/nvidia-all"
+  depends=("${pkgbase}=${pkgver}" "nvidia-utils=${_nvidia_open_version}" 'libglvnd')
+  provides=('NVIDIA-MODULE' 'nvidia-open')
+  conflicts=("${pkgbase}-nvidia" 'nvidia' 'nvidia-dkms' 'nvidia-open' 'nvidia-open-dkms')
+  license=('MIT AND GPL-2.0-only')
+
+  local _nv_open_src="${srcdir}/${_nv_open_pkg}"
+
+  cd "$_kernel_work_folder_abs"
+  local _kernver="$(<version)"
+  local modulesdir="$pkgdir/usr/lib/modules/$_kernver/extramodules"
+
+  install -dm755 "${modulesdir}"
+  install -m644 "${_nv_open_src}"/kernel-open/*.ko "${modulesdir}"
+  install -Dt "$pkgdir/usr/share/licenses/${pkgname}" -m644 "${_nv_open_src}/COPYING"
+
+  # Strip modules
+  local strip_bin="strip"
+  [ "$_compiler_name" = "-llvm" ] && strip_bin="llvm-strip"
+  find "${modulesdir}" -type f -name '*.ko' -exec "${strip_bin}" --strip-debug '{}' \;
+
+  # Sign modules
+  if [[ "$_nvidia_open_sign_modules" == "true" ]]; then
+    if ! grep -q 'CONFIG_MODULE_SIG=y' "${_kernel_work_folder_abs}/.config"; then
+      warning "_nvidia_open_sign_modules is enabled but CONFIG_MODULE_SIG=y is not set in .config — skipping module signing."
+    else
+      local sign_script="${_kernel_work_folder_abs}/scripts/sign-file"
+      local sign_key
+      sign_key="$(grep -Po 'CONFIG_MODULE_SIG_KEY="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+      [[ "$sign_key" =~ ^/ ]] || sign_key="${_kernel_work_folder_abs}/${sign_key}"
+      local sign_cert="${_kernel_work_folder_abs}/certs/signing_key.x509"
+      local hash_algo
+      hash_algo="$(grep -Po 'CONFIG_MODULE_SIG_HASH="\K[^"]*' "${_kernel_work_folder_abs}/.config")"
+
+      if [[ ! -f "$sign_key" ]]; then
+        warning "Module signing key not found: ${sign_key} — skipping module signing."
+      elif [[ ! -f "$sign_cert" ]]; then
+        warning "Module signing certificate not found: ${sign_cert} — skipping module signing."
+      else
+        msg2 "Signing NVIDIA open kernel modules..."
+        find "${modulesdir}" -type f -name '*.ko' \
+          -exec "${sign_script}" "${hash_algo}" "${sign_key}" "${sign_cert}" '{}' \;
+      fi
+    fi
+  fi
+
+  # Compress modules
+  find "${pkgdir}" -name '*.ko' -exec zstd --rm -19 -T0 {} +
+
+  # Blacklist modules
+  echo -e "blacklist nouveau\nblacklist lbm-nouveau\nblacklist nova_core\nblacklist nova_drm" |
+      install -Dm644 /dev/stdin "${pkgdir}/usr/lib/modprobe.d/${pkgname}-blacklist.conf"
+
+  # nvidia-open is the last package — do deferred srcdir cleanup now
+  if [ "$_NUKR" = "true" ]; then
+    rm -rf "$srcdir"
+  fi
+}
+
 source /dev/stdin <<EOF
 package_${pkgbase}() {
 hackbase
@@ -329,4 +521,5 @@ hackbase
 package_${pkgbase}-headers() {
 hackheaders
 }
+$( [ "$_nvidia_open" = "true" ] && printf 'package_%s-nvidia-open() {\nhacknvidia_open\n}' "${pkgbase}" )
 EOF

customization.cfg

@@ -32,7 +32,7 @@ _git_mirror=""
 # Note: - Leave empty to use PKGBUILD's dir
 #       - Start with a '/' for an absolute path in which `linux-tkg/linux-src-git/` will be created
 #       - This setting can be used to set the work/build folder to a tmpfs folder
-#         - Requires >= 32GB ram when building a full kernel, should work with less ram with modprobed-db
+#         - Requires >= 64GB ram when building a full kernel, should work with less ram with modprobed-db
 _kernel_work_folder=""
 
 # Permanent root folder where to keep the git clone (linux-kernel.git subdir) and fetch new blobs
@@ -109,6 +109,13 @@ _debugdisable="false"
 # Strip the kernel and its modules from debug symbols
 _STRIP="true"
 
+# WARNING: [EXPERIMENTAL] Re-sign all kernel modules after stripping.
+# Note:
+# - INSTALL_MOD_STRIP=1 removes embedded signatures, causing "module verification failed" taints at boot.
+# - When enabled, sign-file is invoked on every .ko after strip, so signatures are intact in the final package.
+# - Requires CONFIG_MODULE_SIG=y in your kernel config (default). Has no effect when _STRIP is not "true".
+_RESIGN_AFTER_STRIP="false"
+
 # LEAVE AN EMPTY VALUE TO BE PROMPTED ABOUT FOLLOWING OPTIONS AT BUILD TIME
 
 # CPU scheduler - Options are "pds", "bmq", "bore", "cfs" (linux 6.5-) or "eevdf" (kernel's default, 6.6+)
@@ -343,3 +350,62 @@ _config_fragments="true"
 
 # Apply all config fragments without confirmation - !!! NOT RECOMMENDED !!!
 _config_fragments_no_confirm="false"
+
+
+#### NVIDIA OPEN MODULE ####
+
+# Build open NVIDIA kernel modules as a separate package e.g. (linux<VER>-tkg-<SCHED>-nvidia-open or _custom_pkgbase="" + "-nvidia-open").
+# Requires Turing+ GPU (RTX 20xx or newer).
+# NOTE: 
+# - Cannot be combined with RT scheduler due to licensing issues.
+# - Requires _preempt_rt and _preempt_rt_force to be "false" or empty.
+# - Requires _numadisable="false" (NUMA enabled) for CUDA/NvEnc to function.
+# Set to "true" to enable, "false" or empty to disable (default: "false").
+_nvidia_open="false"
+
+# NVIDIA open module driver version to use.
+# Required when _nvidia_open="true". Leave empty to be prompted during setup.
+# NOTE:
+# - See https://github.com/Frogging-Family/nvidia-all for available versions.
+# - Recommended for driver version 580.x and newer.
+# Usage: e.g. _nvidia_open_version="580.134.180"
+_nvidia_open_version=""
+
+# WARNING: [EXPERIMENTAL] Sign NVIDIA open kernel modules after building.
+# NOTE:
+# - When enabled, each .ko in the nvidia-open package is signed using the kernel's
+#   module signing key (CONFIG_MODULE_SIG_KEY / certs/signing_key.x509).
+# - Requires CONFIG_MODULE_SIG=y in your kernel config (default).
+# - This is separate from _RESIGN_AFTER_STRIP, which only affects in-tree kernel modules.
+# - Has no effect when _nvidia_open is not "true".
+# Set to "true" to enable, "false" or empty to disable (default: "false").
+_nvidia_open_sign_modules="false"
+
+
+#### WARNING: EXPERIMENTAL OPTIONS ####
+
+# Build the v4l2loopback kernel module (virtual video device).
+# Creates /dev/video* devices that can be used as virtual webcams.
+# Useful for OBS virtual camera, webcam effects, video routing, etc.
+# The module will be included in the main kernel package.
+# See https://github.com/v4l2loopback/v4l2loopback
+_v4l2loopback="false"
+
+# WARNING: [EXPERIMENTAL] Sign v4l2loopback kernel module after building.
+# NOTE:
+# - When enabled, v4l2loopback.ko is signed using the kernel's
+#   module signing key (CONFIG_MODULE_SIG_KEY / certs/signing_key.x509).
+# - Requires CONFIG_MODULE_SIG=y in your kernel config (default).
+# - Useful together with module stripping to prevent unsigned-module taint messages.
+# - Has no effect when _v4l2loopback is not "true".
+# Set to "true" to enable, "false" or empty to disable (default: "false").
+_v4l2loopback_sign_modules="false"
+
+# Install the kernel module signing key and certificate into the headers package.
+# Allows signing out-of-tree modules manually after the build, e.g. for use with
+# Secure Boot. See https://wiki.archlinux.org/title/Signed_kernel_modules
+# NOTE:
+# - The key (signing_key.pem) is sensitive — it is installed with mode 400 (owner read-only).
+# - Has no effect if CONFIG_MODULE_SIG is not enabled in your kernel config.
+# - Does not configure DKMS automatically; key must be referenced manually if needed.
+_signing_keys="false"