igorpecovnik (Member) commented Jul 9, 2025

Description

  • synchronize x86 config with Ubuntu kernel

How Has This Been Tested?

  • Built XFCE and Gnome images and booted on Intel laptop and Khadas Mind
  • Sound output
  • Video acceleration

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings
  • Any dependent changes have been merged and published in downstream modules

coderabbitai bot (Contributor) commented Jul 9, 2025

## Walkthrough

The changes update two Linux kernel configuration files for x86 UEFI and edge variants, switching the kernel compression algorithm from LZ4 to ZSTD and enabling full tickless operation (NO_HZ_FULL). They enable numerous hardware drivers and subsystems including PC104, ISA bus, Bluetooth extensions, PCI, storage, sensors, power management, and platform-specific support. Security features such as Landlock, SLS mitigation, and livepatch are enabled alongside debugging tools like KGDB, UBSAN, and latencytop. The kernel timer frequency is set to 250 Hz. Filesystem enhancements include BCACHEFS with quota and erasure coding, ZSTD compression, and RPCSEC GSS Kerberos encryption. Virtualization, networking, and cryptography capabilities are also extended.

## Suggested labels

`Ready to merge`, `Build`

## Suggested reviewers

- rpardini  
- janprunk  
- krachlatte  
- leggewie  
- sgjava  
- AGM1968  
- teknoid  
- TheSnowfield  
- Tonymac32  
- JohnTheCoolingFan  
- pyavitz  
- NicoD-SBC  
- schwar3kat

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0026666 and 7f536b2.

📒 Files selected for processing (2)
  • config/kernel/linux-uefi-x86-current.config (181 hunks)
  • config/kernel/linux-uefi-x86-edge.config (180 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • config/kernel/linux-uefi-x86-edge.config
  • config/kernel/linux-uefi-x86-current.config

@github-actions github-actions bot added the size/large PR with 250 lines or more label Jul 9, 2025
@igorpecovnik igorpecovnik added Work in progress Unfinished / work in progress and removed size/large PR with 250 lines or more labels Jul 9, 2025
@github-actions github-actions bot added 08 Milestone: Third quarter release Needs review Seeking for review Hardware Hardware related like kernel, U-Boot, ... labels Jul 9, 2025
@github-actions github-actions bot added the size/large PR with 250 lines or more label Jul 11, 2025
@igorpecovnik igorpecovnik marked this pull request as ready for review July 11, 2025 19:28
@igorpecovnik igorpecovnik requested a review from rpardini as a code owner July 11, 2025 19:28
@igorpecovnik igorpecovnik removed the Work in progress Unfinished / work in progress label Jul 11, 2025
@coderabbitai coderabbitai bot added the Ready to merge Reviewed, tested and ready for merge label Jul 11, 2025

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
config/kernel/linux-uefi-x86-edge.config (2)

155-156: Enabling the legacy ISA bus widens attack-surface

CONFIG_ISA_BUS=y re-opens a class of 16-bit PIO device drivers that have been dormant for years. None of the target x86-UEFI devices (Khadas Mind, modern laptops) expose an ISA bridge; the option just pulls in piles of unsigned in-tree code.

Recommend reverting unless you have a concrete ISA-needs board.


6078-6090: Heavy debug/sanitiser set will slow runtime & explode image size

DWARF5 (DEBUG_INFO_DWARF5), BTF, UBSAN, DYNAMIC_DEBUG, KGDB, KDB, LATENCYTOP, STACK_TRACER, etc. add ~30 MiB to the vmlinuz and keep a lot of code permanently built-in. This is excellent for development but hurts boot time and memory on production images.

If the edge flavour targets end-users rather than kernel hackers, consider moving these to a separate -dbg build.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 3a9babe and d52adfd.

📒 Files selected for processing (2)
  • config/kernel/linux-uefi-x86-current.config (180 hunks)
  • config/kernel/linux-uefi-x86-edge.config (178 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: EvilOlaf
PR: armbian/build#8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: rpardini
PR: armbian/build#8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.
Learnt from: rpardini
PR: armbian/build#8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:73-75
Timestamp: 2025-03-31T22:20:41.849Z
Learning: When porting patches between U-Boot versions (like from 2025.01 to 2025.04), rpardini prefers to maintain patches as-is rather than introducing refactoring changes, even when potential improvements are identified. This approach prioritizes consistency and reduces the risk of introducing new issues.
Learnt from: libiunc
PR: armbian/build#8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
Learnt from: pyavitz
PR: armbian/build#8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.
Learnt from: EvilOlaf
PR: armbian/build#8330
File: config/sources/families/sun55iw3.conf:32-36
Timestamp: 2025-06-25T03:42:09.086Z
Learning: In Armbian build system configuration files like config/sources/families/*.conf, KERNELSOURCE is explicitly declared when using unofficial or 3rd party kernel repositories (like the "dev" branch using https://github.com/apritzel/linux), but can be omitted when using the standard mainline kernel (like the "edge" branch) since it will fall back to the default mainline source.
Learnt from: EvilOlaf
PR: armbian/build#0
File: :0-0
Timestamp: 2025-06-16T03:24:00.458Z
Learning: In Armbian board configuration files (.csc), the standard pattern is to have only one line as a comment describing the board hardware specifications. This single-line description typically includes the SoC model, core count, RAM options, and key features like connectivity options, storage interfaces, and special features.
config/kernel/linux-uefi-x86-edge.config (5)

<retrieved_learning>
Learnt from: djurny
PR: #8235
File: packages/bsp/mvebu/helios4/helios4-wol.service:0-0
Timestamp: 2025-05-29T01:56:01.604Z
Learning: For ARM-based devices like Helios4 that use DeviceTree, the expected systemd network interface naming scheme is "end[0-9]+" (DeviceTree alias index), making the regex "^(eth|en[do])[0-9]+" appropriate as it covers traditional "eth", PCI on-board "eno", and DeviceTree "end" interfaces without unnecessary "enp" (PCI slot) support.
</retrieved_learning>

🔇 Additional comments (6)
config/kernel/linux-uefi-x86-edge.config (4)

7-8: NO_HZ_FULL is a specialist option – confirm runtime isolation strategy

CONFIG_NO_HZ_FULL=y turns all non-housekeeping CPUs into full-tickless mode.
Without the matching boot parameters (nohz_full=<cpu-list>, isolcpus=, rcu_nocbs= …) users will see higher latency, scheduler stalls and RCU warnings.

Please double-check that the image generator injects the proper kernel command-line dynamically or consider keeping only CONFIG_NO_HZ (dyn-tick) for generic images.


158-162: KVM_WERROR stops the build on any new GCC/Clang warning

While useful for CI on upstream, CONFIG_KVM_WERROR=y makes distribution builds brittle (new compiler versions -> fail). Consider switching it off for release artefacts.

-CONFIG_KVM_WERROR=y
+# CONFIG_KVM_WERROR is not set

166-168: 32-bit and compat ASLR entropy maxed – verify userspace

ARCH_MMAP_RND_BITS=32 / ARCH_MMAP_RND_COMPAT_BITS=16 are the absolute maxima.
Some 32-bit Wine / proprietary binaries still choke on >8 bits entropy.
If legacy 32-bit support matters, consider dialing this back (e.g. 24 / 8).


5749-5778: BCACHEFS is still marked experimental – shipping it as a module needs tooling

Enabling:

CONFIG_BCACHEFS_FS=m
CONFIG_BCACHEFS_{QUOTA,ERASURE_CODING,POSIX_ACL}=y

is fine, but:

  1. mkfs.bcachefs is not in Debian/Ubuntu main – the rootfs builder must add the userspace package from upstream.
  2. Upstreams warn about on-disk format churn until v1.0 lands.

Please confirm you really want to expose this to end-users now.

config/kernel/linux-uefi-x86-current.config (2)

70-76: Re-evaluate CONFIG_MAXSMP; huge memory overhead for little gain.

CONFIG_MAXSMP bumps NR_CPUS to the architecture maximum (8192 on x86_64) and disables a number of static optimisations.
Result: larger .text, bigger per-CPU memory allocations and longer boot on modest HW, with zero benefit on typical x86 devices (< 64 CPUs).

Unless you explicitly need >512 logical cores, prefer the regular CONFIG_NR_CPUS=<reasonable> setting used by Ubuntu’s generic kernel.


6125-6135: Heavy debug options enabled – check that they are intended for release kernels.

CONFIG_BOOT_PRINTK_DELAY, extensive CONFIG_DYNAMIC_DEBUG, CONFIG_DEBUG_INFO_DWARF5, CONFIG_GDB_SCRIPTS, CONFIG_UBSAN, CONFIG_KGDB*, etc. are all on.
These bloat the image, grow DWARF to ~hundreds MB, and can hit boot time.
If the goal is strict parity with Ubuntu-generic, confirm that each of these flags is really supposed to stay enabled.
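
A config audit for the concerns this review raises, as an added example that is not part of the PR or of CodeRabbit's output: it parses a kernel .config, reports the options the review names, flags mmap ASLR entropy below the maxima the review quotes, and checks that CONFIG_NO_HZ_FULL is paired with boot parameters the review lists. The category labels, the `parse_config` and `audit` helpers and the sample config are constructed here.

```python
import re

# Option names are the ones named in the review comments above; the category
# labels and the sample config further down are constructed for this example.
FLAGGED = {
    "attack-surface": ["ISA_BUS"],
    "debug-in-release": ["KGDB", "UBSAN", "LATENCYTOP", "STACK_TRACER",
                         "BOOT_PRINTK_DELAY", "DYNAMIC_DEBUG", "GDB_SCRIPTS",
                         "DEBUG_INFO_DWARF5", "DEBUG_INFO_BTF"],
    "brittle-build": ["KVM_WERROR"],
    "memory-overhead": ["MAXSMP"],
}
# Maxima quoted in the review for mmap ASLR entropy on this target.
ASLR_MAX = {"ARCH_MMAP_RND_BITS": 32, "ARCH_MMAP_RND_COMPAT_BITS": 16}
# Boot parameters the review says should accompany CONFIG_NO_HZ_FULL.
NOHZ_PARAMS = ("nohz_full=", "rcu_nocbs=")

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Return {OPTION: value}; '# CONFIG_X is not set' maps to 'n'. Last entry wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def audit(config_text, cmdline=""):
    """Return a list of (category, option, detail) findings for one config.

    cmdline is the command line supplied by the bootloader; the built-in
    CONFIG_CMDLINE string, if any, is checked together with it.
    """
    opts = parse_config(config_text)
    findings = []
    for category, names in FLAGGED.items():
        for name in names:
            if opts.get(name) in ("y", "m"):
                findings.append((category, name, f"enabled ({opts[name]})"))
    for name, maximum in ASLR_MAX.items():
        value = opts.get(name)
        if value is not None and value.isdigit() and int(value) < maximum:
            findings.append(("aslr-entropy", name,
                             f"{value} bits, below maximum {maximum}"))
    if opts.get("NO_HZ_FULL") == "y":
        tokens = f"{opts.get('CMDLINE', '')} {cmdline}".split()
        missing = [p for p in NOHZ_PARAMS
                   if not any(t.startswith(p) for t in tokens)]
        if missing:
            findings.append(("tickless", "NO_HZ_FULL",
                             "missing boot parameters: " + ", ".join(missing)))
    return findings


# Constructed sample input, not the PR's actual config.
SAMPLE_CONFIG = """\
CONFIG_NO_HZ_FULL=y
CONFIG_HZ_250=y
CONFIG_ISA_BUS=y
CONFIG_KVM_WERROR=y
# CONFIG_MAXSMP is not set
CONFIG_ARCH_MMAP_RND_BITS=24
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
CONFIG_UBSAN=y
# CONFIG_KGDB is not set
CONFIG_CMDLINE="quiet rcu_nocbs=1-3"
"""

if __name__ == "__main__":
    for category, option, detail in audit(SAMPLE_CONFIG):
        print(f"{category:18} CONFIG_{option}: {detail}")
```

Run against each defconfig in CI with the image's real kernel command line, a release build can fail on `attack-surface` or `debug-in-release` findings while a -dbg flavour allows them.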

@github-actions github-actions bot removed the Ready to merge Reviewed, tested and ready for merge label Jul 13, 2025
@coderabbitai coderabbitai bot added the 05 Milestone: Second quarter release label Jul 13, 2025
@coderabbitai coderabbitai bot added the BSP Board Support Packages label Jul 13, 2025
@coderabbitai coderabbitai bot added the Ready to merge Reviewed, tested and ready for merge label Jul 13, 2025

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
config/kernel/linux-uefi-x86-edge.config (2)

6083-6086: Debug flags left enabled in production build

CONFIG_BOOT_PRINTK_DELAY, CONFIG_DYNAMIC_DEBUG, and DWARF-5/BTF symbols make sense for bring-up but bloat the image and slow boot on released images.

-CONFIG_BOOT_PRINTK_DELAY=y
-CONFIG_DYNAMIC_DEBUG=y
-CONFIG_DEBUG_INFO_DWARF5=y
-CONFIG_DEBUG_INFO_BTF=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_DYNAMIC_DEBUG is not set
+# CONFIG_DEBUG_INFO_DWARF5 is not set
+# CONFIG_DEBUG_INFO_BTF is not set
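
Review bot: the third removed line, CONFIG_DEBUG_INFO_DWARF5=y, is one member of the kernel's debug-information choice group, so replacing it with "# CONFIG_DEBUG_INFO_DWARF5 is not set" without selecting another member (for example CONFIG_DEBUG_INFO_NONE=y) leaves the result to whatever the config tooling defaults to; name the intended replacement explicitly. The last line also drops CONFIG_DEBUG_INFO_BTF, which CO-RE eBPF tooling reads at runtime and which can only be generated when debug info is built, so decide on BTF separately from the DWARF size concern rather than removing both in one suggestion.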

7-8: NO_HZ_FULL enabled without isolcpus – check scheduler knobs

CONFIG_NO_HZ_FULL=y gives full tickless operation only to CPUs listed in isolcpus=/nohz_full= kernel cmdline. Without that, every CPU still gets regular ticks but pays the overhead of the slower fast-path. Make sure build scripts append a proper nohz_full= mask (typically the housekeeping cores).

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between c73bc5a and f8b380d.

📒 Files selected for processing (2)
  • config/kernel/linux-uefi-x86-current.config (181 hunks)
  • config/kernel/linux-uefi-x86-edge.config (179 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • config/kernel/linux-uefi-x86-current.config
🧰 Additional context used
🧠 Learnings (2)
config/kernel/linux-uefi-x86-edge.config (7)

<retrieved_learning>
Learnt from: djurny
PR: #8287
File: config/bootscripts/boot-sunxi.cmd:148-161
Timestamp: 2025-06-12T21:03:39.686Z
Learning: In Armbian U-Boot bootscripts, the ${cpu} environment variable is always pre-set by U-Boot (or defaults to a valid value), so additional guards against it being unset are unnecessary.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8287
File: config/bootscripts/boot-sunxi.cmd:38-44
Timestamp: 2025-06-12T21:14:36.024Z
Learning: In config/bootscripts/boot-sunxi.cmd the unconditional "+1" increment in func_align_addr_next (when align_overlap_oboe_avoidance="on") is intentional. It compensates for a known off-by-one error in U-Boot where the end address is calculated as start+size instead of start+size-1, so the extra page prevents overlap. This behavior should not be “optimized away”.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8166
File: config/bootscripts/boot-mvebu.cmd:38-50
Timestamp: 2025-05-07T20:49:40.969Z
Learning: The 4KB (0x1000) boundary used for device tree size calculations in U-Boot scripts is specific to how the fdt resize command works internally and should remain hardcoded rather than being tied to adjustable alignment variables.
</retrieved_learning>

🔇 Additional comments (1)
config/kernel/linux-uefi-x86-edge.config (1)

5773-5776: BCACHEFS still tagged EXPERIMENTAL upstream

CONFIG_BCACHEFS_FS is only a few months old in mainline and the on-disk format is not considered stable. Shipping it as a module is fine, but please double-check that users understand the risk (release notes, docs).

@github-actions github-actions bot removed the Ready to merge Reviewed, tested and ready for merge label Jul 13, 2025
@igorpecovnik igorpecovnik changed the title Improve UEFI x86 / arm64 images Improve UEFI x86 current and edge defconfigs Jul 13, 2025

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
config/kernel/linux-uefi-x86-edge.config (1)

6096-6105: Heavy-weight debug options compiled into edge kernel

UBSAN, KFENCE, HARDLOCKUP_DETECTOR, LATENCYTOP, TIMERLAT, full DWARF 5 etc. add > 15 MiB and non-trivial runtime overhead. Good for CI, but users may run this kernel in production. Document the perf hit or ship a separate -dbg flavour.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f8b380d and d441ddc.

📒 Files selected for processing (2)
  • config/kernel/linux-uefi-x86-current.config (181 hunks)
  • config/kernel/linux-uefi-x86-edge.config (179 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • config/kernel/linux-uefi-x86-current.config

🔇 Additional comments (3)
config/kernel/linux-uefi-x86-edge.config (3)

7-10: Validate full-tickless + 250 Hz combo on laptops/VMs

CONFIG_NO_HZ_FULL=y together with a 250 Hz base tick is great for deterministic workloads, but interactive laptop & desktop use (and many hypervisors) still expect the default NO_HZ_IDLE model. You must (a) isolate all housekeeping CPUs (rcu_nocbs=, nohz_full=) on the kernel cmdline and (b) ship userspace policies that pin ksoftirqd/RCU threads accordingly; otherwise latency/battery regressions are common.

If the distro doesn’t actively manage this, consider staying with CONFIG_NO_HZ_IDLE only.

Also applies to: 97-99


157-160: KVM “S-Protected VM” / “VE prove” options are on, but KVM is a module

Both CONFIG_KVM_SW_PROTECTED_VM=y and CONFIG_KVM_INTEL_PROVE_VE=y become no-ops unless the corresponding modules are loaded very early. If you really need the new security models at boot time (e.g. systemd-nspawn with pKVM), consider building KVM_INTEL/AMD into the kernel instead of as modules.


808-812: DEVTMPFS_SAFE=y may break initramfs that expect world-writable /dev

Busybox’s early userspace and a few outdated init scripts still rely on 0666 device nodes. SAFE flips that to 0600. Double-check boot on minimal/rescue images.

@coderabbitai coderabbitai bot added the `Ready to merge` ("Reviewed, tested and ready for merge") label Jul 13, 2025
@github-actions github-actions bot removed the `Ready to merge` ("Reviewed, tested and ready for merge") label Jul 13, 2025
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
config/kernel/linux-uefi-x86-edge.config (1)

1200-1202: DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING still enabled – provisioning path required
This option forces dm-verity to look in a non-builtin keyring at mount time.
If your initramfs / early-boot does not preload the roothash key, the root FS will fail to mount.

Same concern was raised previously; re-confirm that the boot chain supplies the key or disable the knob:

-CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
+# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
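Review bot: this suggestion turns off only the secondary-keyring option, and the parent CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not shown in the hunk, so it is unclear whether root hash signature checking is meant to stay enabled against the built-in keyring alone. State the intended value of the parent option alongside this change, and record in the commit message which keyring the roothash signing key is expected to live in.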
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b44c302 and 0026666.

📒 Files selected for processing (2)
  • config/kernel/linux-uefi-x86-current.config (181 hunks)
  • config/kernel/linux-uefi-x86-edge.config (180 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • config/kernel/linux-uefi-x86-current.config
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: EvilOlaf
PR: armbian/build#8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: rpardini
PR: armbian/build#8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.
Learnt from: pyavitz
PR: armbian/build#8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.
Learnt from: libiunc
PR: armbian/build#8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
config/kernel/linux-uefi-x86-edge.config (8)


<retrieved_learning>
Learnt from: libiunc
PR: #8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
</retrieved_learning>

<retrieved_learning>
Learnt from: pyavitz
PR: #8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8287
File: config/bootscripts/boot-sunxi.cmd:148-161
Timestamp: 2025-06-12T21:03:39.686Z
Learning: In Armbian U-Boot bootscripts, the ${cpu} environment variable is always pre-set by U-Boot (or defaults to a valid value), so additional guards against it being unset are unnecessary.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8287
File: config/bootscripts/boot-sunxi.cmd:38-44
Timestamp: 2025-06-12T21:14:36.024Z
Learning: In config/bootscripts/boot-sunxi.cmd the unconditional "+1" increment in func_align_addr_next (when align_overlap_oboe_avoidance="on") is intentional. It compensates for a known off-by-one error in U-Boot where the end address is calculated as start+size instead of start+size-1, so the extra page prevents overlap. This behavior should not be “optimized away”.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8166
File: config/bootscripts/boot-mvebu.cmd:38-50
Timestamp: 2025-05-07T20:49:40.969Z
Learning: The 4KB (0x1000) boundary used for device tree size calculations in U-Boot scripts is specific to how the fdt resize command works internally and should remain hardcoded rather than being tied to adjustable alignment variables.
</retrieved_learning>

<retrieved_learning>
Learnt from: rpardini
PR: #8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:73-75
Timestamp: 2025-03-31T22:20:41.849Z
Learning: When porting patches between U-Boot versions (like from 2025.01 to 2025.04), rpardini prefers to maintain patches as-is rather than introducing refactoring changes, even when potential improvements are identified. This approach prioritizes consistency and reduces the risk of introducing new issues.
</retrieved_learning>

<retrieved_learning>
Learnt from: EvilOlaf
PR: armbian/build#0
File: :0-0
Timestamp: 2025-06-16T03:24:00.458Z
Learning: In Armbian board configuration files (.csc), the standard pattern is to have only one line as a comment describing the board hardware specifications. This single-line description typically includes the SoC model, core count, RAM options, and key features like connectivity options, storage interfaces, and special features.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8235
File: packages/bsp/mvebu/helios4/helios4-wol.service:0-0
Timestamp: 2025-05-29T01:56:01.604Z
Learning: For ARM-based devices like Helios4 that use DeviceTree, the expected systemd network interface naming scheme is "end[0-9]+" (DeviceTree alias index), making the regex "^(eth|en[do])[0-9]+" appropriate as it covers traditional "eth", PCI on-board "eno", and DeviceTree "end" interfaces without unnecessary "enp" (PCI slot) support.
</retrieved_learning>

🔇 Additional comments (1)
config/kernel/linux-uefi-x86-edge.config (1)

7-10: Reconsider CONFIG_NO_HZ_FULL in linux-uefi-x86-edge.config

CONFIG_NO_HZ_FULL=y enables full tickless mode on all non-IRQ CPUs, which can increase scheduler overhead and disable hard-lockup detection unless users pass nohz_full=… / rcu_nocbs=… / isolcpus=… on the kernel command line. For a broadly-targeted x86 defconfig, the idle-tick variant is safer:

• File: config/kernel/linux-uefi-x86-edge.config, line 7

Recommended change:

- CONFIG_NO_HZ_FULL=y
# CONFIG_NO_HZ_FULL is not set
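Review bot: the second line, `# CONFIG_NO_HZ_FULL is not set`, has no leading `+`, so as written the suggestion removes the option without adding its replacement, and the `-` line carries a stray space before `CONFIG_`. Timer tick handling is a Kconfig choice, so if the idle-tick variant is the goal the suggestion should also add `CONFIG_NO_HZ_IDLE=y` rather than rely on the choice default.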

Alternatively, move CONFIG_NO_HZ_FULL=y into a dedicated low-latency/real-time defconfig.
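
One way to re-check the items raised in the two reviews above (the tickless, KVM and devtmpfs comments and the repeated dm-verity comment) against a built `.config`, as an added example that is not Armbian's or CodeRabbit's code. The function names, the sample config and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Armbian or CodeRabbit code. Sample inputs are constructed.

# kconfig_state FILE SYMBOL: print y, m or the literal value; print n when the
# symbol is absent or written as "# CONFIG_SYMBOL is not set". Last entry wins.
kconfig_state() {
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# audit_config FILE [CMDLINE]: print one line per review item that still applies.
audit_config() {
    cfg=$1; cmdline=${2:-}
    if [ "$(kconfig_state "$cfg" NO_HZ_FULL)" = y ]; then
        case " $cmdline " in
            *" nohz_full="*) ;;   # a CPU list was passed at boot
            *) echo "NO_HZ_FULL=y but no nohz_full= on the command line" ;;
        esac
    fi
    if [ "$(kconfig_state "$cfg" DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING)" = y ]; then
        echo "DM_VERITY secondary keyring on: confirm the boot chain supplies the key"
    fi
    if [ "$(kconfig_state "$cfg" KVM)" = m ]; then
        for sym in KVM_SW_PROTECTED_VM KVM_INTEL_PROVE_VE; do
            if [ "$(kconfig_state "$cfg" "$sym")" = y ]; then echo "$sym=y while KVM=m"; fi
        done
    fi
    if [ "$(kconfig_state "$cfg" DEVTMPFS_SAFE)" = y ]; then
        echo "DEVTMPFS_SAFE=y: boot-test minimal and rescue images"
    fi
}

# write_sample_config FILE: constructed fragment with the options named above.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HZ_250=y
CONFIG_NO_HZ_FULL=y
CONFIG_KVM=m
CONFIG_KVM_SW_PROTECTED_VM=y
# CONFIG_KVM_INTEL_PROVE_VE is not set
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
CONFIG_DEVTMPFS_SAFE=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_config "$sample" "root=/dev/sda2 ro quiet"   # constructed command line
rm -f "$sample"
```

Pass the contents of `/proc/cmdline` as the second argument to check a running system instead of the constructed command line.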

@igorpecovnik
Member Author

@coderabbitai review

Contributor

coderabbitai bot commented Jul 13, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot requested a review from teknoid July 13, 2025 07:35
@coderabbitai coderabbitai bot added the `Build` ("Executing build train (permission needed)") and `Ready to merge` ("Reviewed, tested and ready for merge") labels Jul 13, 2025
@igorpecovnik igorpecovnik removed the `Build` ("Executing build train (permission needed)") and `Needs review` ("Seeking for review") labels Jul 13, 2025
@igorpecovnik igorpecovnik merged commit 1b2428e into main Jul 14, 2025
1 check passed
@igorpecovnik igorpecovnik deleted the x86 branch July 14, 2025 09:00
Labels
  • 05: Milestone: Second quarter release
  • 08: Milestone: Third quarter release
  • BSP: Board Support Packages
  • Hardware: Hardware related like kernel, U-Boot, ...
  • Ready to merge: Reviewed, tested and ready for merge
  • size/large: PR with 250 lines or more