Instead of encrypting my keys directly, I add these keys to KeePassXC, and let it add them to `ssh-agent`. There are some points I want to write down here.

Adding a Encrypted Key to KeePassXC

If the key is encrypted, we should provide the password in the password field of the KeePassXC entry.

According to the behavior of KeePassXC, I think it will decrypt the key, then add it to `ssh-agent`.

Communicating with ssh-agent

To communicate with ssh-agent, we should set SSH_AUTH_SOCK. Instead of setting this variable, I enter the path in the "SSH_AUTH_SOCK override" field and set the IdentityAgent in ~/.ssh/config.

Multiple Keys

I have multiple ssh private keys. By default, ssh will try to use every key to pass the authentication. Too may attempts may fail the login. So, I set IdentitiesOnly to yes. After that, ssh will only use keys specified by IdentityFile and CertificateFile. Working with ssh-agent, there is no private key in the disk. We can set the public key path to IdentityFile.

Required User Confirmation When the Key Is Used

If I check this box in KeePassXC, ssh will fail with error "agent refused operation". During the search, I found that I should install one kind of ssh-askpass program. I installed ksshaskpass while I'm using KWin. At first, I think the program will be used once I have installed it. But, I was wrong. I should set SSH_ASKPASS instead. Because I found this variable in the man page of ssh. I set it before running ssh. Of course, it doesn't work. After an hour fighting with ssh config, KeePassXC setting, private key encryption and decryption, I set the variable before starting ssh_agent. Then, it works. Why doesn't this variable appear in the man page of ssh_agent. Maybe It's a chance to earn a PR.

FINALLY, I EXPRESS MY SINCERE GRATITUDE TO THE LIBRARY FOR PROVIDING FREE WI-FI. THE CONDITIONAL CONNECTION RESET OF SSH CONNECTION MAKE ME LEARN A LOT.

Socat

Socat is a command line based utility that establishes two bidirectional byte streams and
transfers data between them.

From its man page, it is very powerful. It supports a lot of data streams. Here, I will use it to turn the tcp socket to a unix socket on the host. Inside the docker container, I will use it to turn the unix socket back to a tcp socket.

• Host: socat UNIX-LISTEN:/tmp/tcp2unix.sock,fork TCP:localhost:8080
• Container: socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CONNECT:/tmp/tcp2unix.sock

With the socket file mounted into a container, running the command makes the private service accessible inside the container. But it is too invasive. Later, I came up with a method. How about making the socat program a service inside docker network too?

A Socat Container

There is a socat image already: docker.io/alpine/socat. I can create a container with this command: podman container run -d --name socat -v /tmp/tcp2unix.sock:/tmp/tcp2unix.sock alpine/socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CONNECT:/tmp/tcp2unix.sock.

But I can't access the socat container in another container. After running podman network inspect podman, I found both containers are not in the network. Unlike docker, podman won't add the container to the default network by default.

Adding --network podman to the command line, I could access the socat service after that. But I couldn'tt access it with the container name. After inspecting the podman network, I found dns is disabled.

So, I created a new network.

podman network create podman-proxy

podman container run -d --name socat --network podman-proxy -v /tmp/tcp2unix.sock:/tmp/tcp2unix.sock alpine/socat TCP-LISTEN:8080,reuseaddr,fork UNIX-CONNECT:/tmp/tcp2unix.sock

A Socat Systemd Service

To simplify running the command on the host, I create a systemd service.

# /etc/systemd/system/tcp2unix@.service
[Unit]
Description=Relay tcp socket with a unix socket
After=network.target

[Service]
ExecStart=socat UNIX-LISTEN:/run/tcp2unix/tcp2unix-%i.sock,fork TCP:localhost:%i
ExecReload=/usr/bin/kill -USR1 $MAINPID
PIDFile=/run/tcp2unix/tcp2unix-%i.pid
PrivateDevices=yes
RuntimeDirectory=tcp2unix
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

Unlike the ad-hoc command, after starting the service, the private service can't be accessed. The permission of the socket file is "6755" and it's owned by root. So the file can't be accessed inside the container. In the man page, I found I can add umask to change the permission.

# /etc/systemd/system/tcp2unix@.service
[Unit]
Description=Relay tcp socket with a unix socket
After=network.target

[Service]
ExecStart=socat UNIX-LISTEN:/run/tcp2unix/tcp2unix-%i.sock,fork,umask=0000 TCP:localhost:%i
ExecReload=/usr/bin/kill -USR1 $MAINPID
PIDFile=/run/tcp2unix/tcp2unix-%i.pid
PrivateDevices=yes
RuntimeDirectory=tcp2unix
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

After that, container inside the podman-proxy network can finally access the private service.

Battle.net

Unlike Diablo IV, we can't run D2R directly through Steam. We need to launch Battle.net first. There are two issues here.

1. we can't add non-steam game in Big-Picture mode.
2. `Battle.net` has recently updated its server certificate, which is now signed by a new root certificate. To communicate with the server properly, we should use Proton 10 or later. Otherwise, running `Battle.net` will show BLZBNTBNA00000005 error.

There are two important points to note:

1. If the Battle.net installer is not run with Proton 10 or later, switching to Proton 10 afterward will not resolve the issue — a complete installation is required.
2. Before installing D2R, you should change the installation path in the Battle.net settings to a location outside the Steam folder. So that we don't need to install D2R again if we remove and install `Battle.net` again.

Windowed of Battle.net

Battle.net may be run in windowed mode, a titlebar and frame is added by KWin. It will make the Battle.net running in a wrong resolution, and the play button won't be shown. We can add a KWin Window Rule to force No titlebar and frame and the minimum size of the window.

Controller

D2R works out of the box with mouse and keyboard. But if you want to play it with a controller, you should enable Steam Input. After the press any button screen is passed, D2R can be controlled by a controller. We can touch the screen, switch the controller to mouse mode, or map a button of the controller to send a input event using keyd(There is no extra key in OneXPlayer 2 Pro controller. The keyboard mode switch key is hardware controlled, and the system can't read that key event.) to pass the press any button screen. It looks like D2R will show press A button screen instead of press any button screen if we don't attach any mouse. We can use a controller to pass that screen.

Enable Steam Input

Steam Input uses uinput to handle the event from controllers. By default, the user running steam doesn't have enough permission. We need to install game-devices-udev` to change the permission of the device.

In Arch Linux, there is an AUR package, install it by running: paru -S game-devices-udev, change paru to the aur helper you are using.

Cursor in Inventory UI with Controller

In the inventory ui, the cursor might be not moved correctly. The position of the cursor is moved, but the cursor surface is not. We can run D2R with gamescope to solve this problem.

1. Install gamescope. Because my steam is installed by flatpak, so I should install gamescope by flatpak too: flatpak --user install org.freedesktop.Platform.VulkanLayer.gamescope, choose the same version of org.freedesktop.Platform needed by steam.
2. Add the bin folder of gamescope to PATH of steam in flatpak settings, the bin folder is /usr/lib/extensions/vulkan/gamescope/bin.
3. Set the launch option

# Ghost editor replace -- with –
gamescope --hide-cursor-delay -1 -- %command%

The cursor surface might not be shown at first, we can move the mouse to make it appear.

Gamescope Error Popups

Launching D2R, there are two gamescope error popup windows: CreateSwapchainKHR and QueuePresentKHR. We can just click OK to pass them. Don't click Cancel, otherwise, D2R will display a black screen. When I disable WSI layer with ENABLE_GAMESCOPE_WSI=0, those popups are gone. The launch option becomes: ENABLE_GAMESCOPE_WSI=0 gamescope --hide-cursor-delay -1 – %command%. When WSI layer is disabled, the cursor in inventory ui becomes laggy.

Unsolved

Steam Freeze

This is an issue of steam. If steam lost-focus(may) or the screen is locked(must), steam will freeze. the game might lose control or be frozen. I'm not sure whether disabling Steam Input will prevent Steam freeze from affecting the game. I'm also not looking into the lost-focus issue — it seems to be related to the KWin compositor's behavior during the game, such as when pressing Alt+Tab.

It looks like even I don't open steam, D2R may freeze too. Not sure if `Battle.net` launcher is the cause in this case.

What a heartbeat moment — playing D2R Hardcore mode and experiencing an unexpected freeze!

Running D2R without Opening Steam

I think I can run D2R directly to avoid the steam freeze problem. I used pstree -plas $PID to find out the parent process running Battle.net, and used cat /proc/$PID/environ | tr '\0' '\n' to print all its environment variables. I kept almost all variables starting with STEAM. After that, I can run D2R with Proton directly.

Controller Mapping

I found that the controller works out of box opening outside of steam. It looks like steam disables my controller using a SDL environment variable. I am a Nintendo controller guy. Using Xbox controller layout is bit inconvenient for me. Thanks for SDL, I can use a Nintendo controller layout. Here is my controller mapping edited via AntiMicroX:

SDL_GAMECONTROLLERCONFIG="030081b85e0400008e020000080100001118654,Atari Xbox 360 Game Controller,platform:Linux,a:b1,b:b0,x:b3,y:b2,back:b6,start:b7,guide:b8,leftshoulder:b4,rightshoulder:b5,leftstick:b9,rightstick:b10,leftx:a0,lefty:a1,rightx:a3,righty:a4,lefttrigger:a2,righttrigger:a5,dpup:h0.1,dpleft:h0.8,dpdown:h0.4,dpright:h0.2,"

Gamescope

To my surprise, if I run D2R with gamescope nothing will show but the Battle.net is actual running. Comparing the processes between steam-run and direct-run, I found the proton process executed by gamescope will create a child process and exit in direct-run. So, gamescope thinks there is no application running. I finally wrote a script to get the flatpak instance id with (--instance-id-fd) and monitor that instance id with (flatpak ps) to keep the process running.

Then comes the second surprise. Unlike steam-run, all windows (Battle.net launcher and D2R) are running inside a window. Actually, the direct-run behavior is what I would expect based on my understanding. It is what a nested compositor should do. But the scale of the cursor is wrong and I must manually set the resolution. I really want the steam-run behavior. Comparing the environment variables, I found Display is set to :0 in steam-run and Display is set to :1. So, all windows of steam-run is drawing directly by Kwin. But why does the cursor in the inventory ui affects?

During the search, I found that gamescope actually doesn't work with the builtin Proton. I should install com.valvesoftware.Steam.CompatibilityTool.Proton-GE. After that, all windows of steam-run will run inside the window of gamescope. And those error popups disappear. But the cursor in the inventory ui doesn't move. After adding `--force-grab-cursor`, the cursor moves but it twinkles.

Scripts

Here are my scripts:

• run-steam-battlenet

#! /usr/bin/env bash

set_envs() {
    set -a
    STEAM_BASE_FOLDER=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam
    STEAM_CLIENT_CONFIG_FILE=$HOME/.var/app/com.valvesoftware.Steam/.local/share/steam.cfg
    STEAM_COMPAT_APP_ID=0
    STEAM_COMPAT_CLIENT_INSTALL_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam
    STEAM_COMPAT_DATA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/compatdata/$EX_STEAM_GAME_ID
    STEAM_COMPAT_LIBRARY_PATHS=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps
    STEAM_COMPAT_MEDIA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID/fozmediav1
    STEAM_COMPAT_MOUNTS="$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/Proton - Experimental":$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper
    STEAM_COMPAT_PROTON=1
    STEAM_COMPAT_TOOL_PATHS="$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/Proton - Experimental":$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper
    STEAM_COMPAT_TRANSCODED_MEDIA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID
    STEAM_EXTRA_COMPAT_TOOLS_PATHS=/app/share/steam/compatibilitytools.d:/app/utils/share/steam/compatibilitytools.d
    STEAM_FOSSILIZE_DUMP_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID/fozpipelinesv6/steamapprun_pipeline_cache
    STEAM_RUNTIME_LIBRARY_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/pinned_libs_32:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/pinned_libs_64:/app/lib/i386-linux-gnu/GL/default/lib:/app/lib32:/app/lib/i386-linux-gnu:/lib64:/app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra:/usr/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib/i386-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/i386-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib
    STEAM_ZENITY=/usr/bin/zenity
    DISPLAY=${DISPLAY_BEFORE_GAMESCOPE:-$DISPLAY}
    PROTON_ENABLE_WAYLAND=1
    set +a
}

set_controller_mapping() {
    set -a
    SDL_GAMECONTROLLERCONFIG="030081b85e0400008e020000080100001118654,Atari Xbox 360 Game Controller,platform:Linux,a:b1,b:b0,x:b3,y:b2,back:b6,start:b7,guide:b8,leftshoulder:b4,rightshoulder:b5,leftstick:b9,rightstick:b10,leftx:a0,lefty:a1,rightx:a3,righty:a4,lefttrigger:a2,righttrigger:a5,dpup:h0.1,dpleft:h0.8,dpdown:h0.4,dpright:h0.2,"
    set +a
}

start_bottle_net() {
    # Create a temp file for storing the instance id
    tmpfile_instance_id=$(mktemp /tmp/run-steam-battlenet-instance-id.XXXXXX)
    echo "Steam instance id will be stored at $tmpfile_instance_id"

    exec 3>"$tmpfile_instance_id"

    /usr/bin/flatpak run --instance-id-fd=3 --branch=stable --arch=x86_64 --command="$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/Proton - Experimental/proton" com.valvesoftware.Steam waitforexitandrun "$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/compatdata/$EX_STEAM_GAME_ID/pfx/drive_c/Program Files (x86)/Battle.net/Battle.net Launcher.exe"

    exec 3>&-
    set +e

    read instance_id < "$tmpfile_instance_id"
    echo "Running as Battle.net as Steam Instance[$instance_id]"

    while flatpak ps --columns=instance | grep -qx "$instance_id"; do
        sleep 1
    done
}

delete_file() {
    if [ -n "$1" ]
    then
        if [ -f "$1" ]
        then
            rm "$1"
        fi
    fi
}

clean_up() {
    delete_file "$tmpfile_instance_id"
}

EX_STEAM_GAME_ID=3494142050

set -e
tmpfile_instance_id=""
trap 'clean_up' EXIT

set_envs
set_controller_mapping
start_bottle_net

• run-steam-battlenet-with-gamescope. Since kwin 6.5.2, we can run D2R under Wayland. The cursor works almost out of box in the inventory ui. It disappears if we move the cursor too fast. In kwin 6.5.1, the cursor won't disappear after we close the inventory ui.

#! /usr/bin/env bash

export DISPLAY_BEFORE_GAMESCOPE="$DISPLAY"

/usr/bin/gamescope --hide-cursor-delay=-1 -- "$(dirname $0)/run-steam-battlenet"

Maybe Perfect Solution (20260129)

During the Christmas sale, I bought a second copy of D2R. However, when two instances of D2R are running at the same time, the cursor stops working properly.

Unlike the cursor controlled by a mouse, which is drawn directly by the Wayland compositor, the cursor controlled by a game controller is rendered by the game itself via the Wayland protocol. My guess is that when two applications call the relevant API simultaneously, they interfere with each other, causing the cursor to flicker or malfunction.

Based on this assumption, a possible solution would be to run each game instance in its own standalone compositor. Yes, gamescope is back again.

Run A Game with gamescope XWayland

In the last testing, we replace the gamescope XWayland socket with the one created by KWin. This also causes the "Error Popups". But this time, I should run the game inside the one created by gamescope. The cursor's behavior isn't perfect.

What if I run gamescope inside flatpak. In the previous testing, the gamescope running inside flatpak doesn't work. Proton exits without waiting the game to start. It makes gamescope think that there is no application. This also happens in the gamescope outside flatpak, and I created a script to wait the game to exit. Why is proton run by steam different? After reading the source code of proton, I need to set SteamGameId to output logs. Right after that, the game suddenly shows, and the cursor behaves more better.

Controller Events Effect Even in a Unfocused Window

I opened two instances of D2R. To my surprise, both characters move when I move the stick. I found this issue. The game would be unfocused inside gamescope XWayland, and it will handle controller events.

I remember that steam uses SDL_ environment variables to deal with controller. After some research, I found SDL_GAMECONTROLLER_IGNORE_DEVICES_EXCEPT. I can use this to make the game to handle controller events from specified controllers only. What if I use uinput to create different controllers for different games? Finally, I created Non-Steam Launcher.

Here are my script:

#! /usr/bin/env bash

set_envs() {
    set -a
    # SteamGameId is needed otherwise proton will open nothing
    SteamGameId=$EX_STEAM_GAME_ID
    STEAM_BASE_FOLDER=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam
    STEAM_CLIENT_CONFIG_FILE=$HOME/.var/app/com.valvesoftware.Steam/.local/share/steam.cfg
    STEAM_COMPAT_APP_ID=0
    STEAM_COMPAT_CLIENT_INSTALL_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam
    STEAM_COMPAT_DATA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/compatdata/$EX_STEAM_GAME_ID
    STEAM_COMPAT_LIBRARY_PATHS=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps
    STEAM_COMPAT_MEDIA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID/fozmediav1
    STEAM_COMPAT_MOUNTS="$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/Proton - Experimental":$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper
    STEAM_COMPAT_PROTON=1
    STEAM_COMPAT_TOOL_PATHS="$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/Proton - Experimental":$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper
    STEAM_COMPAT_TRANSCODED_MEDIA_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID
    STEAM_EXTRA_COMPAT_TOOLS_PATHS=/app/share/steam/compatibilitytools.d:/app/utils/share/steam/compatibilitytools.d
    STEAM_FOSSILIZE_DUMP_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/shadercache/$EX_STEAM_GAME_ID/fozpipelinesv6/steamapprun_pipeline_cache
    STEAM_RUNTIME_LIBRARY_PATH=$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/pinned_libs_32:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/pinned_libs_64:/app/lib/i386-linux-gnu/GL/default/lib:/app/lib32:/app/lib/i386-linux-gnu:/lib64:/app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra:/usr/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib/i386-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/i386-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/lib:$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib
    STEAM_ZENITY=/usr/bin/zenity
    #PROTON_LOG=1
    #PROTON_LOG_DIR=/home/fortime/ws/game
    #PROTON_ENABLE_WAYLAND=1
    set +a
}

set_controller_mapping() {
    local guid vendor_product
    guid="$1"
    vendor_product="$2"

    set -a
    # it isn't guid, it accepts vid/pid pair
    SDL_GAMECONTROLLER_IGNORE_DEVICES_EXCEPT="${vendor_product}"
    SDL_GAMECONTROLLERCONFIG="
${guid},Microsoft Xbox 360,platform:Linux,a:b1,b:b0,x:b3,y:b2,back:b6,start:b7,guide:b8,leftshoulder:b4,rightshoulder:b5,leftstick:b9,rightstick:b10,leftx:a0,lefty:a1,rightx:a3,righty:a4,lefttrigger:a2,righttrigger:a5,dpup:h0.1,dpleft:h0.8,dpdown:h0.4,dpright:h0.2,
"
    set +a
}

start_bottle_net() {
    /usr/bin/flatpak run --branch=stable --arch=x86_64 --command="/usr/lib/extensions/vulkan/gamescope/bin/gamescope" com.valvesoftware.Steam --backend wayland --force-grab-cursor -b -W 2560 -H 1520 -s 1.5 -- "/app/share/steam/compatibilitytools.d/Proton-GE/proton" waitforexitandrun "$HOME/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/compatdata/$EX_STEAM_GAME_ID/pfx/drive_c/Program Files (x86)/Battle.net/Battle.net Launcher.exe"
}

if [ "$EX_STEAM_INSIDE_INHIBIT" != "yes" ]
then
    export EX_STEAM_INSIDE_INHIBIT=yes
    systemd-inhibit --what=idle:sleep --who="Battle.net" --why="Playing games" $0 "$@"
else
    EX_STEAM_GAME_ID=${1}

    set -e
    set_envs

    new_controller_resp=$(busctl --user --json=pretty call fyi.fortime.NonSteamLauncher /fyi/fortime/NonSteamLauncher/Controller fyi.fortime.NonSteamLauncher.Controller1 NewController)
    controller_slot=$(echo $new_controller_resp | jq -r '.data[0]')
    controller_guid=$(echo $new_controller_resp | jq -r '.data[1]')
    controller_vendor_product=$(echo $new_controller_resp | jq -r '.data[2]')
    set_controller_mapping "$controller_guid" "$controller_vendor_product"

    # Use a default config in case of the log level in the user config is debug
    old_manual_mode=$(FCITX5_OSK_CONFIG=/tmp/null fcitx5-osk get-property manual_mode)
    fcitx5-osk set-property manual_mode true
    set +e

    # Not exit even it is failed, so the controller is always removed
    start_bottle_net

    # remove controller
    busctl --user call fyi.fortime.NonSteamLauncher /fyi/fortime/NonSteamLauncher/Controller fyi.fortime.NonSteamLauncher.Controller1 RemoveController y $controller_slot

    fcitx5-osk set-property manual_mode $old_manual_mode

fi

It will create a virtual controller via dbus api and set SDL_GAMECONTROLLER_IGNORE_DEVICES_EXCEPT.

TODO Gamescope doesn't Support Wayland Text Input Protocol

Recently, I've been using my portable PC in public places. It's not safe to enter my password in such environments, so I came up with a solution that doesn't rely on biometric login: TOTP (Time-based One-Time Password).

Step

1. Install oath-toolkit to support totp
2. Setup up the TOTP

Generate a seed for the totp.

openssl rand -hex 10

Create a config file for oath-toolkit at ${HOME}/.config/oath_toolkit.

# Option User Prefix Seed
HOTP/T30/6 ${REPLACE WITH THE USER NAME} - ${REPLACE WITH THE OUTPUT OF OPENSSL}

Change the permission of the config file.

chmod 600 "${HOME}/.config/oath_toolkit"

3. Setup the pam config for kde screen locker

Insert following lines before the first `auth` line of file /etc/pam.d/kde.

# Try the password, if it is a valid totp, pass the auth
auth     sufficient                  pam_oath.so              try_first_pass usersfile=${HOME}/.config/oath_toolkit window=30 digits=6

• sufficient means it will skip following auths if this auth passed. It will continue the auth process if it failed.
• The try_first_pass option means pam_oath.so will use the previously entered password without prompting for it again.
• If the password is longer than 6 characters, pam_oath.so will treat the last 6 characters as the TOTP code. It will then remove those 6 characters and use the remaining part as the password for the subsequent authentication process. So if you want to log in using your password, you can enter your password followed by any 6 characters.

Work with SDDM

In my design, the login of sddm must use a password. So I don't change the pam file of sddm. If you want to use totp in sddm, you should:

1. Create a separate config file for oath-toolkit which can be accessed by the user of sddm.
2. Update the pam file of sddm: /etc/pam.d/sddm, and use the correct usersfile.

Permission Issue

During my research, pam has the root permission. But if the config file set to read-only for root, the pam_oath.so can't read the config file.

Reference

• https://wiki.archlinux.org/title/Pam_oath

Internal speaker of OneXPlayer 2 Pro doesn't work. There is a long thread discussing this issue. From this thread, it seems that the AMP isn't initialized correctly. Someone found that the speaker works after rebooting from Windows. So I came out an idea: What if initializing the AMP with Windows in a virtual machine.

PCI passthrough

To let Windows initialize the AMP, I must let the virtual machine access the hardware directly. This will need VFIO driver in the Linux kernel. I unbind the hardware from snd_hda_intel driver, then bind the hardware to vfio-pci driver. After that, the virtual machine can use the hardware.

PCI slot name

Firstly, I should find out the name of the pci slot connected by the audio device.

# lspci -D: always print domain numbers
# grep -i audio: show only audio related hardware
# grep -v Radeon: remove the hdmi audio device
lspci -D|grep -i audio|grep -v Radeon

The output is like:

0000:64:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h HD Audio Controller

0000:64:00.6 is the pci slot name.

Bind/unbind vfio-pci driver

• bind

echo '0000:64:00.6' | sudo tee /sys/bus/pci/drivers/vfio-pci/unbind
echo '0000:64:00.6' | sudo tee /sys/bus/pci/drivers/snd_hda_intel/bind

• unbind

echo '0000:64:00.6' | sudo tee /sys/bus/pci/drivers/snd_hda_intel/unbind
echo '0000:64:00.6' | sudo tee /sys/bus/pci/drivers/vfio-pci/bind

Create a virtual device with the Windows partition

In the previous research, I found that the internal speaker won't work in a new Windows too. But I have the original Windows partition. Each time I installed Linux on a new machine, I would keep the Windows partition not touching. After some researches, I finally start a vm with the Windows partition. Avoiding to mass the original Windows partition, I used dd to clone the partition.

# I have shrinked the size of the partition to 89GB.
dd if=/dev/nvme0n1p3 of=/var/cache/oxp2p-win11.img

Keep the partition layout

I kept the partition layout of the Windows partition and partitions before it to avoid any implicit issue.

• Use the following command to print the layout.

fdisk -l /dev/nvme0n1

The output is like:

/dev/nvme0n1p1       2048     206847     204800   100M EFI System
/dev/nvme0n1p2     206848     468991     262144   128M Microsoft reserved
/dev/nvme0n1p3     468992  187191295  186722304    89G Microsoft basic data

A sector equals to 512 bytes.

• Create an image to simulate those two partitions before the Windows partition.

dd if=/dev/zero of=part1.img bs=512 count=468992

• Create an image for margin after the Windows partition.

dd if=/dev/zero of=part3.img bs=1M count=100

I don't know why. But it seems there should be some addtitional spaces after the Windows partition.

• Create a device mapper.

Use losetup to set the image file as a block device, and then use dmsetup to create a mapper.

loop1_file=part1.img
loop2_file=/var/cache/oxp2p-win11.img
loop3_file=part3.img

disk_name=oxp2p-win11

loop1=$(sudo losetup -f)
sudo losetup $loop1 $loop1_file
loop1_size=$(sudo blockdev --getsz $loop1)
loop2=$(sudo losetup -f)
sudo losetup $loop2 $loop2_file
loop2_size=$(sudo blockdev --getsz $loop2)
loop3=$(sudo losetup -f)
sudo losetup $loop3 $loop3_file
loop3_size=$(sudo blockdev --getsz $loop3)


sudo dmsetup create $disk_name <<EOF
0 $loop1_size linear $loop1 0
$loop1_size $loop2_size linear $loop2 0
$(expr $loop1_size + $loop2_size) $loop3_size linear $loop3 0
EOF

Run with qemu

• Create an empty file for persisting UEFI variables

dd if=/dev/zero conv=sync bs=1M count=4 of=ovmf_vars.fd

• Run with qemu

# The path of /usr/share/edk2/x64/OVMF_CODE.4m.fd will be different in different distro.
# This should be run after binding the `vfio-pci` driver.
qemu-system-x86_64 -m 4096M -smp 4 -accel kvm -cpu host -drive file=/usr/share/edk2/x64/OVMF_CODE.4m.fd,if=pflash,format=raw,readonly=on -drive file=./ovmf_vars.fd,if=pflash,format=raw -drive file=/dev/mapper/oxp2p-win11,media=disk,format=
raw -device usb-ehci -device usb-kbd -device usb-mouse -device usb-tablet -usb -monitor stdio -device vfio-pci,host=64:00.6

• Force closing the vm after the sound came out in the login screen.
• Unbind the vfio-pci driver.

Advance(hda-verb)

TO BE CONTINUED

Reference

• https://jianmin.dev/2020/jul/19/boot-your-windows-partition-from-linux-using-kvm/
• https://www.qemu.org/docs/master/devel/vfio-iommufd.html
• https://null-src.com/posts/qemu-vfio-pci/

Partition with encryption

In case of after-sales service, I kept windows partitions. I deleted D: partition and shrink C: partition. I create two partitions: /boot and /. I will use btrfs on /, so instead of using paritions, I will use subvolume for /home.

Encryption was applied exclusively to / partition, and I enabled Secure Boot to make EFI partition and /boot partition safe.

• Encrypt / partition.

  # Don't forget to back up the password.
  cryptsetup luksFormat /dev/nvme0n1p5
  cryptsetup open /dev/nvme0n1p5 root
  

• Create a btrfs file system and mount it to /mnt.

  mkfs.btrfs /dev/mapper/root
  mount /dev/mapper/root /mnt
  

After that, follow Installation Guide.

Bootloader

As a old linux user, I have used GRUB for a long time. In this installation, I still use GRUB. OneXPlayer 2 Pro is bit heavy. I don't want to bring the keyboard cover everywhere. So, I need the partition to be automatically decrypted when booting from GRUB by integrating the use of Secure Boot and TPM.

At first, I used GRUB. But at the time I am writing this article, I found my plan is not secure enough. According to this article, an attacker can get the decryption key of the partition.

A rogue partition with metadata copied from the real root filesystem (such as partition UUID) can mimic the original partition. Then, initramfs will attempt to mount the rogue partition as the root filesystem (decryption failure will fall back to password entry), leaving pre-boot PCRs unchanged. The rogue root filesystem with files controlled by an attacker is still able to receive the decryption key for the real root partition.

To prevent this attack, we need to make sure: 1. PCRs are changed before leaving initramfs. 2. only trusted initramfs can be booted.

With a signed unified kernel image (UKI), we can make sure that initramfs can't be modified. systemd provides systemd-pcrphase-initrd.service to modify the value of PCR 11 in the state of entering and leaving initramfs. The service works in a systemd based initramfs.

Why not GRUB? UKI is actually a EFI bootloader. GRUB can only load Secure Boot keys signed EFI bootloaders. But, we can't load our own Secure Boot to a OneXPlayer 2 Pro. After researching, I found that rEFInd supports Secure Boot keys and MOK keys signed EFI bootloaders.

Enable Secure Boot

There are three methods to enable Secure Boot for a linux system: CA Keys and Shim and Preloader.

• CA Keys: Create a pair of private and public keys, then load the public key into the BIOS in setup mode. After that, only bootloaders signed by the private key can be booted.
• Shim: A binary signed by Microsoft. Since the shim binary is signed by Microsoft, it is validated and accepted by the firmware when verifying against certificates already present in firmware. It uses MOKManager to enroll a custom user public key, and then a user can use the corresponding private key to sign the bootloader and the kernel. It can also enroll the hash of a file.
• Preloader: Like Shim, but it verifies the bootloader and the kernel with a hash instead of a signature.

On a OneXPlayer 2 Pro, each time you change Secure Boot into setup mode, it will load the default certificates after start. So, we can't use CA Keys.

Enable Secure Boot with Shim

1. Install shim-signed from AUR.

2. Mount ESP.

   mkdir /boot-efi
   # the default efi partition is /dev/nvme0n1p1 on a OneXPlayer 2 Pro
   mount /dev/nvme0n1p1 /boot-efi
   

3. Copy the efi files to ESP.

   cp /usr/share/shim-signed/shimx64.efi /boot-efi/EFI/BOOT/
   cp /usr/share/shim-signed/mmx64.efi /boot-efi/EFI/BOOT/
   

4. Create a NVRAM entry for Shim.

   efibootmgr --unicode --disk /dev/nvme0n1 --part 1 --create --label "Shim" --loader /EFI/BOOT/shimx64.efi
   

5. Install rEFInd.

   pacman -S refind
   
   refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys
   

6. Use openssl to create the mok keypair.

   cd /etc/refind.d/keys/
   openssl req -newkey rsa:2048 -nodes -keyout refind_local.key -new -x509 -sha256 -days 3650 -subj "/CN=onexplayer2pro-fortime/" -out refind_local.crt
   openssl x509 -outform DER -in refind_local.crt -out refind_local.cer
   cp refind_local.cer /boot/
   

7. Create a custom config of mkinitcpio.

   cat <<EOF > /etc/mkinitcpio.conf.d/lkus.conf
   # allow usb keyboard to input password for decryption in boot time.
   MODULES=(usbhid xhci_hcd)
   HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole plymouth block sd-encrypt filesystems fsck)
   EOF
   

8. Create the config file of ukify.

   cat <<EOF >/etc/kernel/ukify.conf
   [UKI]
   Microcode=/boot/amd-ucode.img
   OSRelease=@/etc/os-release
   SecureBootPrivateKey=/etc/refind.d/keys/refind_local.key
   SecureBootCertificate=/etc/refind.d/keys/refind_local.crt
   EOF
   

9. Create cmdline files for kernel parameters.

   # rd.luks.name: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=name, Specify the name of the mapped device after the LUKS partition is open, where XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is the UUID of the LUKS partition.
   # rd.luks.options: Set options for the device specified by it UUID or, if not specified, for all UUIDs not specified elsewhere (e.g., crypttab). 
   # resume: Specify the root device for hibernation.
   # resume_offset: Specify the offset of the swap file. The offset of swap file in a btrfs file system should be calculated by `btrfs inspect-internal map-swapfile`. Refer to [Hibernation](#Hibernation)
   # video: Set the video kernel parameter to rotate the builtin screen from portrait to landscape in the start of the system.
   # usbcore.autosuspend: USB Ports / Controller stops working after Device Disconnect.
   cat <<EOF >/etc/kernel/cmdline
   rd.luks.name=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=root rd.luks.options=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=tpm2-device=auto root=/dev/mapper/root rw resume=/dev/mapper/root resume_offset=yyyyyyy quiet splash video=eDP-1:panel_orientation=left_side_up usbcore.autosuspend=-1
   EOF
   

10. Create a mkinitcpio post hook.

    cat <<EOF >/etc/initcpio/post/ukify
    #!/usr/bin/env bash
    
    kernel="\$1"
    initramfs="\$2"
    [ -n "\$kernel" ] || exit 0
    [ -n "\$initramfs" ] || exit 0
    
    initramfs_filename=\$(basename "\$initramfs")
    
    cmdline=""
    uki=""
    ukify_log=""
    case "\$initramfs_filename" in
        "initramfs-linux.img")
            cmdline=/etc/kernel/cmdline
            uki="/boot/arch-linux.efi"
            ukify_log="/etc/refind.d/keys/ukify.log"
            ;;
        "initramfs-linux-fallback.img")
            cmdline=/etc/kernel/cmdline-fallback
            uki="/boot/arch-linux-fallback.efi"
            ukify_log="/etc/refind.d/keys/ukify-fallback.log"
            ;;
        *)
            exit 0
            ;;
    esac
    
    # it is hard to measure the value of PCR 11 with the uki file, we keep the log for getting the value of PCR 11. 
    ukify build --config=/etc/kernel/ukify.conf --linux="\$kernel" --initrd="\$initramfs" --cmdline="@\$cmdline" --measure --output="\$uki" >"\$ukify_log" 2>&1
    
    if [ "\$initramfs_filename" = "initramfs-linux.img" ]
    then
      pcr11=\$(grep "11:sha256" "\$ukify_log" | sed '1!d;s/.*=//')
      if [ \$? -eq 0 ]
      then
          # use PCR 7, PCR 11 and PCR 14 to protect the key in tpm2, and use a recovery key to decrypt the partition.
          systemd-cryptenroll /dev/nvme0n1p5 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="7+11:sha256=\$pcr11+14" --unlock-key-file=/etc/refind.d/keys/disk-encrypt.txt
      fi
    fi
    EOF
    
    chmod 700 /etc/initcpio/post/ukify
    EOF
    

11. Sign the grub bootloader and the kernel.

    refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys
    

12. Enroll the refind_local.cer.

Reboot and enable Secure Boot. If shim does not find the certificate grubx64.efi is signed with in MokList it will launch MokManager (mmx64.efi).

In MokManager select Enroll key from disk, find refind-local.cer and add it to MokList. When done select Continue boot and your boot loader will launch and it will be capable launching any binary signed with your Machine Owner Key.

Secure path

Issues

• Don't forget to check if refind.efi(it is renamed to grubx64.efi) and its drivers are signed by sbsign. If its drivers aren't signed, they won't be loaded and related volumes won't be able to scanned.

Hibernation

To enable hibernation, we should create a swap partition or a swap file. Using swap file in btrfs is different with other file system. We should use utils provided by btrfs to create a swap file.

• Create a swap file.

  btrfs filesystem mkswapfile /var/cache/swapfile -s 16g
  

• Calculate the offset of the swapfile.

  btrfs inspect-internal map-swapfile /var/cache/swapfile
  

• Add a swap item in /etc/fstab.

  # swapfile for hiberation
  /var/cache/swapfile     none            swap            defaults        0 0
  

• Add resume and resume_offset to kernel cmdline.

TPM issue in hibernation

Measurement of PCR 11 in hibernation is different from normal boot. In hibernation, there is no measurement of leave-initrd before leaving initrd. The leaving of initrd happens in systemd-hibernate-resume.service.

I created a temporarily fix by stopping systemd-pcrphase-initrd.service before systemd-hibernate-resume.service.

• Create a initcpio install hook, create /etc/initcpio/install/pcrphase-fix.

  #!/bin/bash
  
  build() {
      printf '[Service]\nExecStartPre=/usr/bin/systemctl stop systemd-pcrphase-initrd.service' | add_systemd_drop_in systemd-hibernate-resume.service override
  }
  
  help() {
      cat << EOF
  Fix the issue of no stop of systemd-pcrphase-initrd.service in resume.
  EOF
  }
  

• Update the custom config of mkinitcpio.

  cat <<EOF > /etc/mkinitcpio.conf.d/lkus.conf
  # allow usb keyboard to input password for decryption in boot time.
  MODULES=(usbhid xhci_hcd)
  HOOKS=(base systemd pcrphase-fix autodetect microcode modconf kms keyboard sd-vconsole plymouth block sd-encrypt filesystems fsck)
  EOF
  

Mapping buttons

There is no volume up/down button of this machine. As a handheld game console, this is unforgivable. So, I want to map the x1/x2 button to volume up/down button. After using evtest monitoring the key events, these two buttons trigger a key combo instead of a single keycode. I can't use hwdb to map keys. Here, i use keyd to finish this work.

• Install and enable keyd.

  pacman -S keyd
  systemctl enable keyd
  

• Create a file /etc/keyd/oxp2p.conf.

  [ids]
  0001:0001
  
  [main]
  leftmeta+d = volumedown
  leftcontrol+leftmeta+o = volumeup
  

• Restart keyd.

  systemctl start keyd
  

Foldable bluetooth keyboard

The key in the removable keyboard cover is too small. I buy a foldable bluetooth keyboard. Everything is ok, but Fn keys are function keys by default. I use Fn keys a lot in vim. It makes me very inconvenient. So, I add a hwdb file to switch Fn key and function key.

• Add a hwdb file /etc/udev/hwdb.d/90-custom-keyboard.hwdb.

  evdev:input:b0005v0A5Cp8503e011B*
    KEYBOARD_KEY_700e2=leftmeta
    KEYBOARD_KEY_700e3=leftalt
    KEYBOARD_KEY_700e6=rightmeta
    KEYBOARD_KEY_700e7=rightalt
    KEYBOARD_KEY_c0223=esc
    KEYBOARD_KEY_70029=homepage
    KEYBOARD_KEY_c0221=f1
    KEYBOARD_KEY_7003a=search
    KEYBOARD_KEY_7003b=back
    KEYBOARD_KEY_7003c=forward
    KEYBOARD_KEY_7003d=brightnessdown
    KEYBOARD_KEY_7003e=brightnessup
    KEYBOARD_KEY_c00b6=f6
    KEYBOARD_KEY_7003f=previoussong
    KEYBOARD_KEY_c00cd=f7
    KEYBOARD_KEY_70040=playpause
    KEYBOARD_KEY_c00b5=f8
    KEYBOARD_KEY_70041=nextsong
    KEYBOARD_KEY_c00b5=f8
    KEYBOARD_KEY_70041=nextsong
    KEYBOARD_KEY_c00e2=f9
    KEYBOARD_KEY_70042=mute
    KEYBOARD_KEY_c00ea=f10
    KEYBOARD_KEY_70043=volumedown
    KEYBOARD_KEY_c00e9=f11
    KEYBOARD_KEY_70044=volumeup
    KEYBOARD_KEY_c0030=f12
    KEYBOARD_KEY_70045=power
  

• But its f2, f3, f4 and f5 send a key combo instead of a single key. I use keyd again. Add a keyd config file.

  [ids]
  0a5c:8503
  
  [main]
  leftalt+a = f2
  leftalt+c = f3
  leftalt+v = f4
  leftalt+x = f5
  

Auto rotation

The accelerator sensor showed in Windows device manager is bmi160. But the bmi160 driver in Linux can't work. After some research, I found that the bmi260 driver also matches the acpi device id 10EC5280. So, I try this driver, and it works.
Install bmi260-dkms from AUR.

# iio-sensor-proxy: Proxies sensor devices (accelerometers, light sensors, compass) to applications through D-Bus.
paru -S bmi260-dkms iio-sensor-proxy

Wrong direction

After installing bmi260-dkms, the auto-rotate works, but the screen is 90 degrees clockwise rotated. We can use udev rules to fix it.

• Create a file /etc/udev/hwdb.d/90-custom-oxp.hwdb with following content.

  sensor:modalias:acpi:10EC5280*:dmi:*:rnONEXPLAYER2PROARP23P:rvrVersion1.0:*
    ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
  

• Update hwdb and trigger udev to update the device.

  sudo systemd-hwdb update && sudo udevadm trigger
  # It seems like we should restart iio-sensor-proxy too
  sudo systemctl restart iio-sensor-proxy.service
  

I'm not sure since when and which package. It should be before 2026-03-13. We don't need a custom hwdb file. The orientation of KWin is correct out-of-box. Comparing the output of monitor-sensor, the custom hwdb file actually works. After searching in the KWin git commit log, I think this fix(b380e32193b0d373515b7ea003d8e2a6cb94a21f) is the cause, and the tracking issue is 513156.

KDE touch mode

Be default, kde disables touch mode if there is any pointer device. I use keyd to map buttons, and keyd creates a virtual pointer device which will make kde disables touch mode all the time. After reviewing the source code of kwin, I found we can add a tag kwin-ignore-tablet-mode to the keyd pointer device to let kde ignore the device.

• Create a file /etc/udev/rules.d/90-tablet-mode.rules.

  ACTION=="remove", GOTO="kwin_ignore_tablet_mode_end"
  
  SUBSYSTEM=="input", KERNEL=="event*", ATTRS{id/vendor}=="0fac", ATTRS{id/product}=="1ade", TAG+="kwin-ignore-tablet-mode"
  
  LABEL="kwin_ignore_tablet_mode_end"
  

Audio

Internal Speaker Of OneXPlayer 2 Pro (8840) In Linux

Multi-touch

TODO

Drop of signal with external monitor

I have two external monitors, a portable monitor and a Philips 279C9. Both of them have signal drop issue when I'm playing games.

The portable monitor

I occasionally turn off Free Sync of the portable monitor, and the issue disappeared. In a later research, I found the cause. I'm using wayland and I often connect to other monitors, overriding edid is not a good enough solution, so I still keep Free Sync off.

The Philips 279C9

At first, I think this is the same as the portable monitor. But there are no setting of Free Sync in the menu the monitor. After some research, I found that there will be a dropdown option in KDE Display Configuration if the monitor supports Free Sync.

To check if the monitor supports Free Sync, I install wxedid to inspect the edid info the monitor.

sudo get-edid -b ${bus_id} > /tmp/philips-edid.bin
wxedid /tmp/philips-edid.bin

When I was checking the edid info, I noticed that only 4k@30 is used even if the monitor supports 4k@60. Why? So I enable the drm debug log.

# enable all kinds of drm debug log
echo 0x1BF > /sys/module/drm/parameters/debug

# disable all drm debug log
echo 0x0 > /sys/module/drm/parameters/debug

# what does 0x1BF mean, it is flags of debug category.
modinfo -p drm

In the debug log, it showed something like:

[drm:create_validate_stream_for_sink [amdgpu]] Mode 3840x2160 (clk 533250) failed DC validation with error 10 (No DP link bandwidth)

All modelines with pixel clock of 533250 are rejected. But when I switched to Windows, 4k@60 is supported. It shouldn't be a quality issue of the cable. When I was trying to add more debug log, I occasionally found a comment of Philips 279C9. It said that 4k@60 can only be used after switching usb3.2 to usb2.0 in the monitor menu when it is connected to a Mac OS. I tried this and the option of 4k@60 appeared. When I'm using 4k@60, the signal drop issue disappear too. I think it is because it will reduce the estimated bandwidth of a DP link if the type-c port is used as a usb3.2 hub.
I can’t believe I spent 10 hours troubleshooting during national day vacation! And it can be solved just by changing a setting like this. At last, I still don't know why this cause the signal drop issue, and why 4k@60 can be used in Windows even if usb3.2 is using. ~~If the signal drop issue exists if I am using 4k@30 and usb2.0.~~The signal drop issue disappers after switching to usb2.0.

Reference

• https://wiki.archlinux.org/title/Dm-crypt/
• https://wiki.archlinux.org/title/Dm-crypt/System_configuration
• https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition_with_TPM2_and_Secure_Boot
• https://wiki.ubuntu.com/UEFI/SecureBoot
• https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
• https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images
• https://wiki.archlinux.org/title/Plymouth
• https://btrfs.readthedocs.io/en/latest/Swapfile.html
• https://github.com/ublue-os/bazzite/issues/440
• https://wiki.archlinux.org/title/Variable_refresh_rate#Monitor_occasionally_drops_signal_with_FreeSync_enabled

After popup windows is added in vim 8.2, we can display documentation provided by ycm in a popup window. Different from display documentation in a preview window, it won't change the layout. But there is one disadvantage, I can't scroll the popup window by keyboard. It is not vim-style enough.

Enable the Completion Popup Window

Add the following line in the vimrc file.

set completeopt+=popup

Scroll the Popup Window

dedowsdi provide a solution about how to scroll a popup window here. There is another problem now. Not like coc, the popup window triggered by ycm may be far away from the cursor. If I follow this solution, I must let vim to scan over the whole screen to find the popup window. It is too slow.
After looking into VIM REFERENCE MANUAL and doing some tests, I thought I can use popup_findinfo to get the id of the completion popup window. But, I'm not sure it is the correct way. So I have the following code:

nnoremap <C-e> :call ScrollPopup(1)<CR>
nnoremap <C-y> :call ScrollPopup(0)<CR>

function ScrollPopup(down)
    let winid = popup_findinfo()
    if winid == 0
        return 0
    endif

    " The popup window has been hidden in the normal mode, we should make it show again.
    call popup_show(winid)
    let pp = popup_getpos(winid)
    call popup_setoptions( winid,
                \ {'firstline' : pp.firstline + ( a:down ? 1 : -1 ) } ) 

    return 1
endfunction

Then, I can read and scroll the completion popup window in normal mode. It isn't good enough still: 1. I must switch to normal mode which will close the completion popup menu. If the selection isn't the one I want, I must delete it and trigger completion again. 2. After scrolling to the bottom, the height of the popup window will reduce to one, if I keep pressing CTRL-e.

Scroll the Popup Window without Closing the Popup Menu

Firstly, I should change nnoremap to inoremap. So the key-binding will work in insert mode.

inoremap <C-e> :call ScrollPopup(1)<CR>
inoremap <C-y> :call ScrollPopup(0)<CR>

I haven't spend much time with vimscript even if I have used vim for years. Instead of calling ScrollPopup, it just inserts ":call ScrollPopup(1)\n". Finally, I find out how map works.

map {lhs} {rhs}

It just maps the left hand side keystrokes to the right hand side keystrokes. If I want to run something, I should add <expr>.

map <expr> {lhs} {rhs}

The {rhs} is evaluated to obtain the right hand side keystrokes.

inoremap <expr> <C-e> ScrollPopup(3) ? '' : '<C-e>'
inoremap <expr> <C-y> ScrollPopup(-3) ? '' : '<C-y>'

If scroll happened, it maps CTRL-e/CTRL-y to non-operation. Otherwise, it doesn't change the keystrokes.

Stop after Reaching the bottom

ScrollPopup should stop changing firstline after the bottom of the buffer has showed. But, how does it know that? With popup_getpos, we have following properties:

col         screen column of the popup, one-based
line        screen line of the popup, one-based
width       width of the whole popup in screen cells
height      height of the whole popup in screen cells
core_col    screen column of the text box
core_line   screen line of the text box
core_width  width of the text box in screen cells 
core_height height of the text box in screen cells 
firstline   line of the buffer at top (1 unless scrolled) (not the value of the "firstline" property)
lastline    line of the buffer at the bottom (updated when the popup is redrawn)
scrollbar   non-zero if a scrollbar is displayed
visible     one if the popup is displayed, zero if hidden

At a glance, a formula has come up: lastline - firstline < height. But it doesn't work. lastline is not the lastline of the text. It is the lastline showed in the popup window. After some search, I found I can have the lastline by win_execute(winid, "echo line('$')"). Executing a command in the popup window to get the lastline of the buffer.
It still doesn't work as I thought. Sometimes, it won't scroll down. Occasionally, I show the line number in the popup window. firstline and lastline is the line of the text. height is the line of the window. With wrap on, one line of text will be many lines in the window. Finally, I have:

function! ScrollPopup(down)
    let winid = popup_findinfo()
    if winid == 0
        return 0
    endif

    " if the popup window is hidden, bypass the keystrokes
    let pp = popup_getpos(winid)
    if pp.visible != 1
        return 0
    endif

    let firstline = pp.firstline + a:down
    let buf_lastline = str2nr(trim(win_execute(winid, "echo line('$')")))
    if firstline < 1
        let firstline = 1
    elseif pp.lastline + a:down > buf_lastline
        let firstline = firstline - a:down + buf_lastline - pp.lastline
    endif

    " The appear of scrollbar will change the layout of the content which will cause inconsistent height.
    call popup_setoptions( winid,
                \ {'scrollbar': 0, 'firstline' : firstline } )

    return 1
endfunction

inoremap <expr> <C-e> ScrollPopup(3) ? '' : '<C-e>'
inoremap <expr> <C-y> ScrollPopup(-3) ? '' : '<C-y>'

注意此方法应该只适合编译不需要NDK的包

背景

在Arch上，只能使用网页版微信，但网页版微信又显示不了企业微信的通知（在补这篇博客时，公司已经关了微信显示企业微信消息的功能-_-！，做事不能这么拖延），导致经常晚了回复企业微信的消息（挺好的，可以专注写代码）。所以，我就想到手机上的kdeconnect，为什么微信的通知不能通过kdeconnect显示在电脑上呢？于是，我就把kdeconnect-android的源代码clone下来（一言不合看源代码）。
在代码中，我发现有三种通知（FLAG_FOREGROUND_SERVICE/FLAG_ONGOING_EVENT/FLAG_LOCAL_ONLY）是不会被发到电脑上的，这三种通知不发到电脑上也合理，会不会是张经理有什么特殊想法，要把微信通知标为其中一种呢？那就魔改一下kdeconnect-android。可是，aur上的android-sdk依赖了lib32的包，在我这个清真64位系统上，该怎么办呢？

解决办法

在这里可以看到命令行编译（就魔改一下，不可能去装个AS吧）所需要的工具。我需要通过aur安装的包有android-sdk和android-sdk-build-tools，分别有三个lib32的包被依赖：lib32-gcc-libs、lib32-zlib、lib32-glibc，看了一下两个包的PKGBUILD，发现它们做的事就是去android的官网上去下压缩包并解压，过程中没有编译什么东西，kdeconnect-android也没有用到NDK编译，那么，不依赖这几个包应该也没有问题。不过，我还是把依赖改为这三个包的64位版本。

# android-sdk
depends_x86_64=('java-environment' 'libxtst' 'fontconfig' 'freetype2'
                'lib32-gcc-libs' 'lib32-glibc' 'libx11' 'libxext' 
                'libxrender' 'zlib')
# 改为
depends_x86_64=('java-environment' 'libxtst' 'fontconfig' 'freetype2'
                'gcc-libs' 'glibc' 'libx11' 'libxext' 'libxrender'
                'zlib')

# android-sdk-build-tools
depends_x86_64=('lib32-gcc-libs' 'lib32-zlib')
# 改为
depends_x86_64=('gcc-libs' 'zlib')

安装好了后，去编译了一波kdeconnect-android，还真的编译通过跑起来了。

后记

经过测试，发现微信的通知带了FLAG_LOCAL_ONLY，消息被标为只在本地显示（这会不会是我条同事鱼说微信消息不显示在iWatch上的原因呢？但感觉不太可能，十成是他自己的原因）。
于是，我把是否转发一个应用的只显示在本地的通知作为选项加进kdeconnect-android，并且发起MergeRequest，但kdeconnect-android的开发者们认为这么做过于麻烦，并且认为没有达到修复"bug"的目的（用户还要去选择打开选项，微信通知才会转发），但我又认为把微信hardcode进代码很恶心，也不认同这是bug，所以只能关了MergeRequest，自己维护一份魔改代码。

16年刚进公司的时候，我曾经做了个需求，把请求微信支付改为长连接。我们使用Apache的httpclient，改起来还是很容易。上线后，效果也挺显著，平均请求耗时降低了几十毫秒。可惜好景不长，程序跑了几天后，耗时变得越来越长，比短连接时还慢。
我让运维跑netstat后，发现与微信的连接有好几万条，都是CLOSE-WAIT，一看就是连接泄漏的问题。但这就奇怪了，平常短连接跑的都是好好的，为什么换成长连接就泄漏了？难道短连接关闭的方法，不适用于长连接？于是就去git clone一下httpclient的代码，并git checkout到我们使用的版本（git真好用，为什么我们公司还要用svn呢，每次看着同事切换个分支就感觉麻烦）。经过一个星期各种妙想天开的在代码里找泄漏的原因和尝试，最终还是没有找到，只能用回短连接。
最近，在研究微信商户证书过期更新httpclient对象时，突然想到，双向证书这种情况的长连接是怎么复用的呢？感觉好像可以找到两年前心结的原因，我就把系统配置为长连接，然后发起多次微信退款。每发起一次，连接就增加一条，过一段时间后就会变为CLOSE-WAIT。

连接的state

MainClientExec的execute函数，在获取连接池的连接时，会根据路由和连接的state来选取。这里的state为上下文的userToken。

Object userToken = context.getUserToken();

final ConnectionRequest connRequest = connManager.requestConnection(route, userToken);

MainClientExec的execute函数，在返回response前，会获取userToken，并设置为连接的state。

if (userToken == null) {
    userToken = userTokenHandler.getUserToken(context);
    context.setAttribute(HttpClientContext.USER_TOKEN, userToken);
}
if (userToken != null) {
    connHolder.setState(userToken);
}

// check for entity, release connection if possible
final HttpEntity entity = response.getEntity();
if (entity == null || !entity.isStreaming()) {
    // connection not needed and (assumed to be) in re-usable state
    connHolder.releaseConnection();
    return new HttpResponseProxy(response, null);
} else {
    return new HttpResponseProxy(response, connHolder);

对于双向证书的情况，userToken会是什么呢？

public Object getUserToken(final HttpContext context) {

    final HttpClientContext clientContext = HttpClientContext.adapt(context);

    Principal userPrincipal = null;

    final AuthState targetAuthState = clientContext.getTargetAuthState();
    if (targetAuthState != null) {
        userPrincipal = getAuthPrincipal(targetAuthState);
        if (userPrincipal == null) {
            final AuthState proxyAuthState = clientContext.getProxyAuthState();
            userPrincipal = getAuthPrincipal(proxyAuthState);
        }   
    }   

    if (userPrincipal == null) {
        final HttpConnection conn = clientContext.getConnection();
        if (conn.isOpen() && conn instanceof ManagedHttpClientConnection) {
            final SSLSession sslsession = ((ManagedHttpClientConnection) conn).getSSLSession();
            if (sslsession != null) {
                userPrincipal = sslsession.getLocalPrincipal();
            }   
        }   
    }   

    return userPrincipal;
}

首先，系统会判断连接是否使用了http的鉴权，假如使用了就使用鉴权用户主体。否则，就检查是否有SSLSession，假如有，就取SSLSession的本地证书的subject作为userToken。那么，双向证书的情况就是使用商户证书的subject。

总结

上下文里没有设置userToken，去连接池取连接时，都是取state为空的连接，但由于连接使用过后都会设置连接的state为商户证书的subject。所以每次获取的都是新连接。经过这次的经验，连接泄漏，不一定是由于连接没有归还，也可能是复用没有生效。

解决方案

由于使用双向证书时，都是一个商户生成一个httpclient对象，我们在设置证书的时候可以把商户证书的subject设置为userToken。

消失的网页微信通知

由于firefox用着用着就占越来越多的内存，偶尔需要重启一下，在上面用网页微信的话，又要重新登录，当天的聊天记录又会没有了。所以，我最近用epiphany的app模式使用网页微信。用着用着，发现经常漏消息，通知栏的消息经常会消失。难道是因为webkit2gtk没有实现好libnotify，设置的expire时间不对？

没有过期时间的GnomeShell通知实现

通过grep，在WebKitWebView.cpp的webkitWebViewShowNotification下找到了调用libnotify的notify_notification_show的代码。

static gboolean webkitWebViewShowNotification(WebKitWebView*, WebKitNotification* webNotification)
{
#if USE(LIBNOTIFY)
    if (!notify_is_initted())
        notify_init(g_get_prgname());

    NotifyNotification* notification = NOTIFY_NOTIFICATION(g_object_get_data(G_OBJECT(webNotification), gNotifyNotificationID))
;
    if (!notification) {
        notification = notify_notification_new(webkit_notification_get_title(webNotification),
            webkit_notification_get_body(webNotification), nullptr);

        notify_notification_add_action(notification, "default", _("Acknowledge"), NOTIFY_ACTION_CALLBACK(notifyNotificationClic
ked), webNotification, nullptr);
        notify_notification_set_timeout(notification, NOTIFY_EXPIRES_NEVER);

        g_signal_connect_object(notification, "closed", G_CALLBACK(notifyNotificationClosed), webNotification, static_cast<GCon
nectFlags>(0));
        g_signal_connect(webNotification, "closed", G_CALLBACK(webNotificationClosed), nullptr);
        g_object_set_data_full(G_OBJECT(webNotification), gNotifyNotificationID, notification, static_cast<GDestroyNotify>(g_ob
ject_unref));
    } else {
        notify_notification_update(notification, webkit_notification_get_title(webNotification),
            webkit_notification_get_body(webNotification), nullptr);
        notify_notification_set_timeout(notification, NOTIFY_EXPIRES_NEVER);
    }

    notify_notification_show(notification, nullptr);
    return TRUE;
#else
    UNUSED_PARAM(webNotification);
    return FALSE;
    #endif
}

哈哈，果然没有调用libnotify的notify_notification_set_timeout，果断设置为NOTIFY_EXPIRES_NEVER。打包，测试，GG😭。难道不能永久不过期？来一下60秒，打包，测试，GG😭。Google一下，GnomeShell没有实现libnotify的过期😫。难道firefox有什么黑科技，它是怎么实现通知的？

firefox与webkit2gtk的通知实现比较

nsresult
nsAlertsIconListener::ShowAlert(GdkPixbuf* aPixbuf)
{
  if (!mBackend->IsActiveListener(mAlertName, this))
    return NS_OK;

  mNotification = notify_notification_new(mAlertTitle.get(), mAlertText.get(),
                                          nullptr, nullptr);

  if (!mNotification)
    return NS_ERROR_OUT_OF_MEMORY;

  nsCOMPtr<nsIObserverService> obsServ =
      do_GetService("@mozilla.org/observer-service;1");
  if (obsServ)
    obsServ->AddObserver(this, "quit-application", true);

  if (aPixbuf)
    notify_notification_set_icon_from_pixbuf(mNotification, aPixbuf);

  NS_ADDREF(this);
  if (mAlertHasAction) {
    // What we put as the label doesn't matter here, if the action
    // string is "default" then that makes the entire bubble clickable
    // rather than creating a button.
    notify_notification_add_action(mNotification, "default", "Activate",
                                   notify_action_cb, this, nullptr);
  }

  // Fedora 10 calls NotifyNotification "closed" signal handlers with a
  // different signature, so a marshaller is used instead of a C callback to
  // get the user_data (this) in a parseable format.  |closure| is created
  // with a floating reference, which gets sunk by g_signal_connect_closure().
  GClosure* closure = g_closure_new_simple(sizeof(GClosure), this);
  g_closure_set_marshal(closure, notify_closed_marshal);
  mClosureHandler = g_signal_connect_closure(mNotification, "closed", closure, FALSE);
  GError* error = nullptr;
  if (!notify_notification_show(mNotification, &error)) {
    NS_WARNING(error->message);
    g_error_free(error);
    return NS_ERROR_FAILURE;
  }

  if (mAlertListener)
    mAlertListener->Observe(nullptr, "alertshow", mAlertCookie.get());

  return NS_OK;
}

哈，也是没有设置超时。而且还比webkit2gtk少了注册一些回调。如

g_signal_connect(webNotification, "closed", G_CALLBACK(webNotificationClosed), nullptr);

处理网页关闭通知的回调处理。

微信 - Do everything, but not good enough

既然firefox没有黑科技，那我只能继续测试了。每次测试还要找别人发微信消息给我，太麻烦了，自己写个button来触发通知。问题来了，我自己的测试网页发的通知没有消失。是时候看一下微信怎么发消息了。

function c(e, n) { 
    h.length >= M.total && h.shift().close();
    var o, c;
    return g && r() && angular.isString(e) && n && (angular.isString(n.icon) || angular.isObject(n.icon)) && i() === l && (o = t(e, n)), c = a(o), h.push(c), M.autoClose && o && !o.ieVerification && o.addEventListener && o.addEventListener("show", function() {
        var e = c;  
        setTimeout(function() {
            e.close()
        }, M.autoClose)
    }), o
}

心里万马奔腾，我怎么不早点看微信代码。估计是不同平台处理通知的逻辑不一样，微信网页版自己维护了通知列表，并5秒自动失效。由于firefox没有把网页的通知关闭signal转发给libnotify，所以系统的通知没有消失，而由于webkit2gtk实现的完整，所以通知5秒后消失了。这样magic的逻辑，微信应该加个开关啊。

解决方法

F12执行一下angular.element(document.querySelector('html')).injector().get('notificationFactory').config().autoClose=0把超时设置为0，就不会自动消失了。

TODO

1. 如何自动执行F12那行呢？epiphany没有greasemonkey。
2. webkit2gtk通知没有显示icon，怎么去到pixbuf来显示呢？
3. 点击通知，如何bring forth窗口呢？

不能横排的ibus-rime

好像哪次更新ibus后，Google Docs上输入没有候选字。我就想改一下ibus的配置，看看能不能好转。不过，以前我想改一下ibus-rime的方向一直都没有成功过。这次我在default.custom.yaml和输入法的custom.yaml上加style/horizontal: true，嗯，还是没有成功。是不是由于true不对呢？我把各种true都试了，还是不行。
又要施展源代码大法

// rime_settings.c
#include "rime_config.h"
#include <string.h>
#include <ibus.h>
#include <rime_api.h>
#include "rime_settings.h"

static struct ColorSchemeDefinition preset_color_schemes[] = {
  { "aqua", 0xffffff, 0x0a3dfa },
  { "azure", 0xffffff, 0x0a3dea },
  { "ink", 0xffffff, 0x000000 },
  { "luna", 0x000000, 0xffff7f },
  { NULL, 0, 0 }
};

static struct IBusRimeSettings ibus_rime_settings_default = {
  FALSE,
  IBUS_ORIENTATION_SYSTEM,
  &preset_color_schemes[0],
};

struct IBusRimeSettings g_ibus_rime_settings;

static void
select_color_scheme(struct IBusRimeSettings* settings,
		    const char* color_scheme_id)
{
  struct ColorSchemeDefinition* c;
  for (c = preset_color_schemes; c->color_scheme_id; ++c) {
    if (!strcmp(c->color_scheme_id, color_scheme_id)) {
      settings->color_scheme = c;
      g_debug("selected color scheme: %s", color_scheme_id);
      return;
    }
  }
  // fallback to default
  settings->color_scheme = &preset_color_schemes[0];
}

void
ibus_rime_load_settings()
{
  g_ibus_rime_settings = ibus_rime_settings_default;

  RimeConfig config = {0};
  if (!RimeConfigOpen("ibus_rime", &config)) {
    g_error("error loading settings for ibus_rime");
    return;
  }

  Bool inline_preedit = False;
  if (RimeConfigGetBool(&config, "style/inline_preedit", &inline_preedit)) {
    g_ibus_rime_settings.embed_preedit_text = !!inline_preedit;
  }

  Bool horizontal = False;
  if (RimeConfigGetBool(&config, "style/horizontal", &horizontal)) {
    g_ibus_rime_settings.lookup_table_orientation =
      horizontal ? IBUS_ORIENTATION_HORIZONTAL : IBUS_ORIENTATION_VERTICAL;
  }

  const char* color_scheme =
    RimeConfigGetCString(&config, "style/color_scheme");
  if (color_scheme) {
    select_color_scheme(&g_ibus_rime_settings, color_scheme);
  }

  RimeConfigClose(&config);
}

RimeConfigOpen("ibus_rime", &config)不就是读取了rime的配置吗，那是为什么没有生效呢？然后有去看看librime，究竟是怎么加载default.yaml的。看着看着，突然想到"ibus_rime"是不是不是指default.yaml呢？说干就干，创建一个*~/.config/ibus/rime/build/ibus_rime.yaml*，内容为：

style:
    horizontal: True
    inline_preedit: True
    color_scheme: azure

哇，还真生效了，inline_preedit也出来了，颜色也有。在测试的过程中，发现重启系统后，Google Docs是有显示侯选字的，但执行多几次ibus-daemon -drx后，又没有了。所以，这可能是ibus某些很深的逻辑没有处理好。

总结

以上说这么多，其实，就是为了记录：

1. angular.element(document.querySelector('html')).injector().get('notificationFactory').config().autoClose=0
2. ibus-rime的配置文件是ibus_rime.yaml，而且要放build下。

# 先生成CA证书和私钥
openssl req -newkey rsa:2048 -nodes -keyout cakey.pem -x509 -out cacert.cer
# 生成公司csr文件和临时私钥
openssl req -newkey rsa:2048 -nodes -keyout prikey.pem -out co.csr
# 若生成csr文件输的信息包含中文，需要增加参数`-utf8`
openssl req -utf8 -newkey rsa:2048 -nodes -keyout prikey.pem -out co.csr
# 签名并替换公钥
openssl x509 -req -days 2000 -in co.csr -CAkey cakey.pem -CA cacert.cer -force_pubkey true_pubkey.pem -CAcreateserial -out co.cer

        年初的时候买了Nokia 7，那个价位不刷机能够获取原生体验为数不多的机器。当时为了激活Google Now，用了网上提到的，禁止GooglePlayService获取电话的权限，当时想着是不是把它的定位权限也禁止了，这样子它就不知道我的位置了，问题也随之而来。
        用了一个月后，突然发现一个诡异的现象，Google Photos一直卡在准备上传中，一个月时间里拍的照片都没有备份成功。一开始，我以为是由于Nokia 7的GMSCore是中国特供的原因。经历Play Store下载404的问题，知道了services.cn.google.xml的存在，以为Photos也被指向了国内的地址。之后，就一直想办法删除services.cn.google.xml。
        4月初的时候，在xda上发现the_laser能够生成bootloader的解锁文件，不过，那时已经没有名额了。过了一个多月，好像有人卖生成解锁码的工具，我从淘宝上向光卡买了一份解锁文件。解锁后，我把services.cn.google.xml删掉了，以为备份就会正常，Voice Detection和历史位置也可以用了。
        事实证明我太天真了，三个功能都不可以用，历史位置虽然可以开启，但会显示连接不到地图。这都导致我怀疑人生了，以为Nokia 7的GMSCore的底层jar包都是特供的。于是，我在Nokia群里问问，是不是其他人都用不了备份。结果是，只有我用不了😭。这时候，我才怀疑是由于禁止的权限导致的。说干就干，把GooglePlayService的数据清了一下后，Photos的备份可以用了。比较遗憾的是，当时没有定位具体是哪个权限导致的，现在这么多数据的干扰不一定能够找到原因，所以也不去纠结哪个权限了。有个想法：备份前，获取运营商数据，看看是不是可以开无限备份？
        备份功能恢复了，但历史位置及OK Google还是不能用。对于历史位置，比较简单，网上都提到插sim卡前是可以开启的，也提到禁止GooglePlayService的电话权限。经历备份的问题，不想禁止它的权限了，说不定又影响什么功能。既然已经root了，就装了LocationReportEnabler来解决。
        对于OK Google，查了好久，发现需要把GoogleSearchBox装为系统软件，估计是需要什么权限才能获取到CPU随时监听语音的功能吧。
        总结，想在国内用Google全家桶真是不容易啊，以后还是找到Android One的机器来用，运营商编码是不是可以插张境外卡来解决呢？

TL;DR

1. Google Photos若一直卡在准备备份中，可以尝试还原GooglePlayService的权限（电话，定位）。
2. Google的OK Google Detection需要GoogleSearchBox安装在/system/priv-app/下。
3. google的location history单单删了services.cn.google.xml并不足够，需要改运营商编码，装个LocationReportEnabler来解决。

--------------------------------两年后------------------------------------
买了OnePlus 8T刷了氧OS，插上鸭聊佳，真香。不过机器上的国内应用只有微信、支付宝、富途、高德，有点浪费算力。

文档备份

• SM2椭圆曲线公钥密码算法
• SM2椭圆曲线公钥密码算法推荐曲线参数

SM3WITHSM2

SM3WITHSM2与SHA256WITHRSA过程类似，最大的区别在于对消息的Hash值计算，后者是SHA256(MSG)（太天真了），前者是SM3(Z+MSG)，多了一个Z值。（还是太天真了），SHA256WITHRSA的算法公式: RSA.decrypt(PKCS1Padding(DER(OID, SHA256)), PrivateKey)，SM3WITHSM2的是:SM2.sign(SM3(Z+MSG)，PrivateKey)。

Z值计算

Z = Hash₂₅₆(Len(ID) + ID + a + b + x_G + y_G + x_A + y_A

Hash₂₅₆是Hash结果为256位的Hash函数，一般用的是SM3。

长度

SM2参数的域为256bit的整数，公钥(x_A,y_A)是在这范围内的点，私钥d是这个域上随机的一个值，签名结果(r,s)是在这范围内的点，所以私钥长度为64Byte，其他的长度为256bit+256bit，即64Byte。

SM3WITHSM2变种

有些公司对SM2签名的实现是少了计算Z值的，直接就是SM3(MSG)，当签名验证不通过的时候，可以往这方面想。

国密库

• 纯JAVA实现：bcprov-jdk15on（编写本文章时最新版本是1.59，只支持标准SM3WITHSM2，不能改其他Hash函数）
• C实现带JNI：GmSSL（可以使用不同的Hash函数）
• C实现：OpenSSL（应该是1.1.1会有正式支持，编写本文章时是1.1.1_pre）

• ASN.1
  全称Abstract Syntax Notation One，是一种描述数据结构的标记语言。
• X.509
  是基于ASN.1的对于公钥证书结构的标准描述。ASN.1与X.509的关系可以理解为，ASN.1假如是C，X.509就是用C写的程序。
• PKCS #8
  是RSA Security Inc设计与发布的"Public Key Cryptography Standards"其中之一种标准，是基于ASN.1的对于私钥结构的标准描述。
• DER
  全称Distinguished Encoding Rules，是BER的变种，类似的还有CER。用于为由ASN.1描述的数据结构序列化二进制数据，以便保存。一般文件后缀为.cer，.crt， .der。
• PEM
  全称Privacy-enhanced Electronic Mail，是一种存储数据的格式。为了解决电子邮件只能传输ASCII码的问题。它包含文件头和文件尾来说明数据的种类和限定数据的范围。用于公私钥，一般是对DER文件的Base64编码。

相关版本

jre： 1.6.0_45-b06
httpclient: 4.3.5

背景

公司的线上服务偶尔会出现请求某个地址几秒中的卡顿，刚好那段时间腾讯云的网络经常抖动，我们还以为这是网络抖动造成的。最后，通过抓包，我们发现卡顿都是在httpclient创建ssl socket时发生的。究竟是什么问题呢？

问题分析

httpclient的使用SSLSessionContextImpl（注意，这个类在openjdk6与jdk6中实现是不一样）来创建ssl socket，这个类会把每个创建完成的ssl session存放到sessionCache。
在ClientHandshaker的实现中，当握手完成后，程序会把当前session缓存到sessionCache中，即956行。

// ClientHandshaker缓存session代码
/*  954 */         if (!this.resumingSession) {
/*  955 */             if (this.session.isRejoinable()) {
/*  956 */                 ((SSLSessionContextImpl)this.sslContext.engineGetClientSessionContext()).put(this.session);
/*      */ 
/*      */ 
/*  959 */                 if (ClientHandshaker.debug != null && Debug.isOn("session")) {
/*  960 */                     System.out.println("%% Cached client session: " + this.session);
/*      */                 }              }
/*  962 */             else if (ClientHandshaker.debug != null && Debug.isOn("session")) {
/*  963 */                 System.out.println("%% Didn't cache non-resumable client session: " + this.session);
/*      */ 
/*      */             }
/*      */ 
/*      */         }

sessionCache使用MemoryCache作为缓存实现，它是一个有生命周期、限定容量且同步添加的cache，当添加的时候，它的容量达到最大，它就会进行清理工作。
到这里，估计大家就知道什么触发卡顿了。
MemoryCache的实现比较tricky，这次问题定位发生在一年前，当时我以为它的工作方式是像上面划掉的方式，其实，它可以归纳为三种工作方式：

1. 限定容量，超了进行删除；
2. 不限定容量，依赖SoftReference的特性，由jvm的gc来回收；
3. 不限定容量，也不删除；

// MemoryCache的put操作
/*     */     public synchronized void put(final Object o, final Object o2) {
/* 336 */         this.emptyQueue();
/*     */ 
/*     */ 
/*     */ 
/* 340 */         final CacheEntry cacheEntry = this.cacheMap.put(o, this.newEntry(o, o2, (this.lifetime == 0L) ? 0L : (System.currentTimeMillis() + this.lifetime), this.queue));
/* 341 */         if (cacheEntry != null) {
/* 342 */             cacheEntry.invalidate();
/* 343 */             return;
/*     */         }
/* 345 */         if (this.maxSize > 0 && this.cacheMap.size() > this.maxSize) {
/* 346 */             this.expungeExpiredEntries();
/* 347 */             if (this.cacheMap.size() > this.maxSize) {
/* 348 */                 final Iterator<CacheEntry> iterator = this.cacheMap.values().iterator();
/* 349 */                 final CacheEntry cacheEntry2 = iterator.next();
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/* 354 */                 iterator.remove();
/* 355 */                 cacheEntry2.invalidate();
/*     */             }
/*     */         }
/*     */     

httpclient使用的是SSLSessionContextImpl创建sessionCache时maxSize为0（不限定容量），所以使用MemoryCache第二种工作方式。由于我们系统用的是短链接且请求量和并发量很大，导致我们系统会不断并发创建并缓存ssl session，当某次gc删除的ssl session比较多，this.emptyQueue()操作就会进行比较长时间，其他put调用就会同步等待，这就造成了创建ssl socket的卡顿。

问题总结

这次的问题由以下几个因素共同作用下导致的：

1. MemoryCache的同步put操作；
2. MemoryCache的tricky工作方式；
3. gc回收的不定性，导致this.emptyQueue()操作时间不均匀；
4. 大量创建ssl session，如大量短连接请求；

解决方案

根本的原因是缓存在连接关闭时没有被释放而是由MemoryCache来被动释放。基于这个点，有两个方向：1. 关闭缓存；2. 主动释放，避免this.emptyQueue()出现过长的操作时间；
对于1，查了一下，没有好的关闭方案；
对于2，可以通过手动创建httpclient的ssl context，并通过sslContext.getClientSessionContext().setSessionCacheSize(maxSize);来设定cache的大小。或者，在不改代码的情况下，增加java启动参数-Djavax.net.ssl.sessionCacheSize=maxSize。